From e9baddfd6b3e2124373ed225f1b5df1b279455a8 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Mon, 15 Jun 2015 11:05:04 -0700 Subject: [PATCH 001/631] add a file analyzer to parse ocsp request and response add two events: ocsp_request and ocsp_response --- scripts/base/files/ocsp/README | 1 + scripts/base/files/ocsp/__load__.bro | 1 + scripts/base/files/ocsp/main.bro | 11 + scripts/base/init-bare.bro | 44 ++ scripts/base/init-default.bro | 1 + src/SerialTypes.h | 2 + src/Type.h | 2 + src/file_analysis/analyzer/CMakeLists.txt | 1 + .../analyzer/ocsp/CMakeLists.txt | 10 + src/file_analysis/analyzer/ocsp/OCSP.cc | 637 ++++++++++++++++++ src/file_analysis/analyzer/ocsp/OCSP.h | 66 ++ src/file_analysis/analyzer/ocsp/Plugin.cc | 25 + src/file_analysis/analyzer/ocsp/events.bif | 23 + src/file_analysis/analyzer/ocsp/types.bif | 4 + src/main.cc | 6 +- 15 files changed, 833 insertions(+), 1 deletion(-) create mode 100644 scripts/base/files/ocsp/README create mode 100644 scripts/base/files/ocsp/__load__.bro create mode 100644 scripts/base/files/ocsp/main.bro create mode 100644 src/file_analysis/analyzer/ocsp/CMakeLists.txt create mode 100644 src/file_analysis/analyzer/ocsp/OCSP.cc create mode 100644 src/file_analysis/analyzer/ocsp/OCSP.h create mode 100644 src/file_analysis/analyzer/ocsp/Plugin.cc create mode 100644 src/file_analysis/analyzer/ocsp/events.bif create mode 100644 src/file_analysis/analyzer/ocsp/types.bif diff --git a/scripts/base/files/ocsp/README b/scripts/base/files/ocsp/README new file mode 100644 index 0000000000..beabe8a3fc --- /dev/null +++ b/scripts/base/files/ocsp/README @@ -0,0 +1 @@ +Support for ocsp file analysis framework. diff --git a/scripts/base/files/ocsp/__load__.bro b/scripts/base/files/ocsp/__load__.bro new file mode 100644 index 0000000000..d551be57d3 --- /dev/null +++ b/scripts/base/files/ocsp/__load__.bro @@ -0,0 +1 @@ +@load ./main \ No newline at end of file 
diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro new file mode 100644 index 0000000000..1b3dfdeffc --- /dev/null +++ b/scripts/base/files/ocsp/main.bro @@ -0,0 +1,11 @@ +@load base/frameworks/files +@load base/utils/paths + +module FileOCSP; + +export { + ## add one more argument to indicate is ocsp response or request + redef record Files::AnalyzerArgs += { + ocsp_type: string &optional; + }; +} diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 23f4fd43dd..fdc05f2df4 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2927,6 +2927,50 @@ export { }; } + +module OCSP; +export { + type OneReq: record { + hashAlgorithm: string &log; + issuerNameHash: string &log; + issuerKeyHash: string &log; + serialNumber: string &log; + #RequestExtensions: xxx + }; + type Request: record { + version: count &log &optional; + requestorName: string &log &optional; + requestList: vector of OneReq; + #requestExtensions: xxx + }; + type SingleResp: record { + hashAlgorithm: string &log; + issuerNameHash: string &log; + issuerKeyHash: string &log; + serialNumber: string &log; + certStatus: string &log; + thisUpdate: string &log; + nextUpdate: string &log &optional; + #Extensions: xxx + }; + type Response: record { + responseStatus: string &log; + responseType: string &log; + version: count &log; + responderID: string &log; + producedAt: string &log; + responses: vector of SingleResp; + #responseExtensions:xxx + signatureAlgorithm: string &log; + signature: string; #&log; + }; + } + +module GLOBAL; +type ocsp_req_vec: vector of OCSP::OneReq; +type ocsp_resp_vec: vector of OCSP::SingleResp; + + module SOCKS; export { ## This record is for a SOCKS client or server to provide either a diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 473d94fc84..61cd41a189 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro 
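Review bot: `OCSP::Response` in init-bare.bro declares `responseType`, `version`, `responderID`, `producedAt`, `signatureAlgorithm` and `signature` as mandatory, but `ParseResponse` in OCSP.cc (same patch) returns the record with only `responseStatus` set when `responseBytes` is absent, and assigns the other fields only when the conversion succeeds. A response with a non-successful status normally carries no `responseBytes`, so script code reading these fields would hit an unset field on exactly the responses an analyst wants to see. Marking them `&optional`, e.g. `responseType: string &log &optional;`, keeps the record consistent with the parser. The same applies to the `OneReq` and `SingleResp` hash and serial fields, which `ocsp_fill_cert_id` assigns only when `len > 0`.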
@@ -65,6 +65,7 @@ @load base/files/extract @load base/files/unified2 @load base/files/x509 +@load base/files/ocsp @load base/misc/find-checksum-offloading @load base/misc/find-filtered-trace diff --git a/src/SerialTypes.h b/src/SerialTypes.h index cf2c52a08b..6b81227464 100644 --- a/src/SerialTypes.h +++ b/src/SerialTypes.h @@ -115,6 +115,8 @@ SERIAL_VAL(CARDINALITY_VAL, 22) SERIAL_VAL(X509_VAL, 23) SERIAL_VAL(COMM_STORE_HANDLE_VAL, 24) SERIAL_VAL(COMM_DATA_VAL, 25) +SERIAL_VAL(OCSP_REQ_VAL, 26) +SERIAL_VAL(OCSP_RESP_VAL, 27) #define SERIAL_EXPR(name, val) SERIAL_CONST(name, val, EXPR) SERIAL_EXPR(EXPR, 1) diff --git a/src/Type.h b/src/Type.h index f902b0d907..3f886f55dc 100644 --- a/src/Type.h +++ b/src/Type.h @@ -627,6 +627,8 @@ extern OpaqueType* cardinality_type; extern OpaqueType* topk_type; extern OpaqueType* bloomfilter_type; extern OpaqueType* x509_opaque_type; +extern OpaqueType* ocsp_req_opaque_type; +extern OpaqueType* ocsp_resp_opaque_type; // Returns the Bro basic (non-parameterized) type with the given type. // The reference count of the type is not increased. diff --git a/src/file_analysis/analyzer/CMakeLists.txt b/src/file_analysis/analyzer/CMakeLists.txt index 225504c56a..bd5428a49e 100644 --- a/src/file_analysis/analyzer/CMakeLists.txt +++ b/src/file_analysis/analyzer/CMakeLists.txt @@ -4,3 +4,4 @@ add_subdirectory(hash) add_subdirectory(pe) add_subdirectory(unified2) add_subdirectory(x509) +add_subdirectory(ocsp) \ No newline at end of file diff --git a/src/file_analysis/analyzer/ocsp/CMakeLists.txt b/src/file_analysis/analyzer/ocsp/CMakeLists.txt new file mode 100644 index 0000000000..d1cff9d157 --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/CMakeLists.txt @@ -0,0 +1,10 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Bro OCSP) +bro_plugin_cc(OCSP.cc Plugin.cc) +bro_plugin_bif(events.bif types.bif) +bro_plugin_end() 
diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc
new file mode 100644
index 0000000000..08df3e4ce6
--- /dev/null
+++ b/src/file_analysis/analyzer/ocsp/OCSP.cc
@@ -0,0 +1,637 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include + +#include "OCSP.h" +#include "Event.h" + +#include "events.bif.h" +#include "types.bif.h" + +#include "file_analysis/Manager.h" + +#include +#include +#include +#include + +using namespace file_analysis; + +IMPLEMENT_SERIAL(OCSP_REQVal, SER_OCSP_REQ_VAL); +IMPLEMENT_SERIAL(OCSP_RESPVal, SER_OCSP_RESP_VAL); + +#define OCSP_STRING_BUF_SIZE 2048 + +//this function is copied from src/file_analysis/analyzer/extract/Extract.cc +static Val* get_extract_field_val(RecordVal* args, const char* name) + { + Val* rval = args->Lookup(name); + if ( ! rval ) + reporter->Error("File extraction analyzer missing arg field: %s", name); + return rval; + } + +//convert different ANS1 type to c string +static int ANS1_to_cstr(char *buf, int buf_len, void *data, int type) + { + if (data == NULL || buf == NULL || buf_len <=0) + return -1; + int new_len = -1; + BIO *bio = BIO_new(BIO_s_mem()); + memset(buf, 0, buf_len); + + if (type == V_ASN1_OCTET_STRING) + { + if (i2a_ASN1_STRING(bio, (ASN1_STRING *)data, V_ASN1_OCTET_STRING) <= 0) + goto err; + } + else if (type == V_ASN1_BIT_STRING) + { + if (i2a_ASN1_STRING(bio, (ASN1_STRING *)data, V_ASN1_BIT_STRING) <= 0) + goto err; + } + else if (type == V_ASN1_INTEGER) + { + if (i2a_ASN1_INTEGER(bio, (ASN1_INTEGER *)data) <= 0) + goto err; + } + else if (type == V_ASN1_OBJECT) + { + if (i2a_ASN1_OBJECT(bio, (ASN1_OBJECT *)data) <= 0) + goto err; + } + else if (type == V_ASN1_GENERALIZEDTIME) + { + // TODO: convert ASN1_GENERALIZEDTIME to epoch time? + // new API: ASN1_TIME_diff() requires openssl 1.0.2 + // epoch time might be better for post processing + + // NOTE: this is for human readable time format + //if (!ASN1_GENERALIZEDTIME_print(bio, (ASN1_GENERALIZEDTIME *)data)) + // goto err; + + // NOTE: this is printing the raw string which is also understandable + // since this is smaller, let's keep ASN1_GENERALIZEDTIME as this for now? 
+ ASN1_GENERALIZEDTIME *tmp = (ASN1_GENERALIZEDTIME *)data; + BIO_write(bio, tmp->data, tmp->length); + } + + else + goto err; + + new_len = BIO_read(bio, buf, buf_len); +err: + BIO_free_all(bio); + return new_len; + } + +//ANS1 OCTET string to c string +static int ASN1_OCTET_STRING_to_cstr(char *buf, int len, void *data) + { + return ANS1_to_cstr(buf, len, data, V_ASN1_OCTET_STRING); + } + +//ANS1 BIT string to c string +static int ASN1_BIT_STRING_to_cstr(char *buf, int len, void *data) + { + return ANS1_to_cstr(buf, len, data, V_ASN1_BIT_STRING); + } + +//ANS1 integer to c string +static int ASN1_INTEGER_to_cstr(char *buf, int len, void *data) + { + return ANS1_to_cstr(buf, len, data, V_ASN1_INTEGER); + } + +//ANS1 object to c string +static int ASN1_OBJECT_to_cstr(char *buf, int len, void *data) + { + return ANS1_to_cstr(buf, len, data, V_ASN1_OBJECT); + } + +//ASN1_GENERALIZEDTIME to c string +static int ASN1_GENERALIZEDTIME_to_cstr(char *buf, int len, void *data) + { + return ANS1_to_cstr(buf, len, data, V_ASN1_GENERALIZEDTIME); + } + +//CENERAL XXX to c string +static int GENERAL_NAME_to_cstr(char *buf, int buf_len, void *data) + { + if (data == NULL || buf == NULL || buf_len <= 0) + return -1; + int new_len = -1; + BIO *bio = BIO_new(BIO_s_mem()); + memset(buf, 0, buf_len); + if (GENERAL_NAME_print(bio, (GENERAL_NAME *)data) <= 0) + goto err; + new_len = BIO_read(bio, buf, buf_len); +err: + BIO_free_all(bio); + return new_len; + } + +//OCSP respond id to c string +static int OCSP_RESPID_to_cstr(char *buf, int buf_len, OCSP_RESPID *resp_id) + { + if (resp_id == NULL || buf == NULL || buf_len <= 0) + return -1; + int new_len = -1; + BIO *bio = BIO_new(BIO_s_mem()); + memset(buf, 0, buf_len); + if (resp_id->type == V_OCSP_RESPID_NAME) + { + if (X509_NAME_print_ex(bio, resp_id->value.byName, 0, XN_FLAG_ONELINE) <=0) + goto err; + } + else if (resp_id->type == V_OCSP_RESPID_KEY) + { + if (i2a_ASN1_STRING(bio, resp_id->value.byKey, V_ASN1_OCTET_STRING) <= 0) + 
goto err; + } + else + goto err; + new_len = BIO_read(bio, buf, buf_len); +err: + BIO_free_all(bio); + return new_len; + } + +//print out a cert id for debug +static void ocsp_print_cert_id(OCSP_CERTID *cid) + { + if (cid == NULL) + return; + char buf[OCSP_STRING_BUF_SIZE]; + int len = sizeof(buf); + memset(buf, 0, len); + int new_len = -1; + + //print hashAlgorithm + new_len = ASN1_OBJECT_to_cstr(buf, len, (void *)(cid->hashAlgorithm->algorithm)); + StringVal hashAlgorithm = StringVal(new_len, buf); + printf("[%d]hashAlgorithm: %s\n", new_len, hashAlgorithm.CheckString()); + + //print issuerNameHash + new_len = ASN1_OCTET_STRING_to_cstr(buf, len, (void *)(cid->issuerNameHash)); + StringVal issuerNameHash = StringVal(new_len, buf); + printf("[%d]issuerNameHash: %s\n", new_len, issuerNameHash.CheckString()); + + //print issuerKeyHash + new_len = ASN1_OCTET_STRING_to_cstr(buf, len, (void *)(cid->issuerKeyHash)); + StringVal issuerKeyHash = StringVal(new_len, buf); + printf("[%d]issuerKeyHash: %s\n", new_len, issuerKeyHash.CheckString()); + + //print serialNumber + new_len = ASN1_INTEGER_to_cstr(buf, len, (void *)(cid->issuerKeyHash)); + StringVal serialNumber = StringVal(new_len, buf); + printf("[%d]serialNumber: %s\n", new_len, serialNumber.CheckString()); + } + +//fill in cert id +static void ocsp_fill_cert_id(OCSP_CERTID *cert_id, RecordVal *d) + { + if (d == NULL || cert_id == NULL) + return; + char buf[OCSP_STRING_BUF_SIZE]; + int buf_len = sizeof(buf); + memset(buf, 0, buf_len); + + //hashAlgorithm + int len = -1; + len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(cert_id->hashAlgorithm->algorithm)); + if (len > 0) + d->Assign(0, new StringVal(len, buf)); + + //issuerNameHash + len = -1; + len = ASN1_OCTET_STRING_to_cstr(buf, buf_len, (void *)(cert_id->issuerNameHash)); + if (len > 0) + d->Assign(1, new StringVal(len, buf)); + + //issuerKeyHash + len = -1; + len = ASN1_OCTET_STRING_to_cstr(buf, buf_len, (void *)(cert_id->issuerKeyHash)); + if (len > 0) + 
d->Assign(2, new StringVal(len, buf)); + + //serialNumber + len = -1; + len = ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->issuerKeyHash)); + if (len > 0) + d->Assign(3, new StringVal(len, buf)); + } + +file_analysis::Analyzer* OCSP::Instantiate(RecordVal* args, File* file) + { + Val* ocsp_type = get_extract_field_val(args, "ocsp_type"); + if (! ocsp_type ) + return 0; + return new OCSP(args, file, ocsp_type->AsString()->CheckString()); + } + +file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, const string& arg_ocsp_type) + : file_analysis::Analyzer(file_mgr->GetComponentTag("OCSP"), args, file) + { + ocsp_type = arg_ocsp_type; + ocsp_data.clear(); + } + +bool file_analysis::OCSP::DeliverStream(const u_char* data, uint64 len) + { + ocsp_data.append(reinterpret_cast(data), len); + return true; + } + +bool file_analysis::OCSP::Undelivered(uint64 offset, uint64 len) + { + return false; + } + +// parse OCSP request or response and send data to bro scriptland +bool file_analysis::OCSP::EndOfFile() + { + OCSP_REQUEST *req = NULL; + OCSP_RESPONSE *resp = NULL; + + const unsigned char* ocsp_char = reinterpret_cast(ocsp_data.data()); + + if (ocsp_type == "request") + { + req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size()); + if (!req) + { + reporter->Weird(fmt("OPENSSL Could not parse OCSP request (fuid %s)", GetFile()->GetID().c_str())); + goto ocsp_cleanup; + } + + //parse request into record + OCSP_REQVal* req_val = new OCSP_REQVal(req); + RecordVal* req_record = ParseRequest(req_val); + if (!req_record) + { + reporter->Weird(fmt("Internal fail to parse OCSP request (fuid %s)", GetFile()->GetID().c_str())); + Unref(req_val); + goto ocsp_cleanup; + } + + // and send the record on to scriptland + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(req_val->Ref()); + vl->append(req_record->Ref()); + mgr.QueueEvent(ocsp_request, vl); + + Unref(req_val); + Unref(req_record); + } + else if (ocsp_type == 
"response") + { + resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size()); + if (!resp) + { + reporter->Weird(fmt("OPENSSL Could not parse OCSP response (fuid %s)", GetFile()->GetID().c_str())); + goto ocsp_cleanup; + } + + //parse request into record + OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); + RecordVal* resp_record = ParseResponse(resp_val); + if (!resp_record) + { + reporter->Weird(fmt("Internal fail to parse OCSP response (fuid %s)", GetFile()->GetID().c_str())); + Unref(resp_val); + goto ocsp_cleanup; + } + + // and send the record on to scriptland + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(resp_val->Ref()); + vl->append(resp_record->Ref()); + mgr.QueueEvent(ocsp_response, vl); + + Unref(resp_val); + Unref(resp_record); + } + else + reporter->Weird(fmt("the given argument of ocsp_type (%s) is not recognized", ocsp_type.c_str())); +ocsp_cleanup: + //if (resp) + // OCSP_RESPONSE_free(resp); + //if (req) + // OCSP_REQUEST_free(req); + return false; +} + +// parse OCSP request and trigger event +RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val) + { + if (req_val == NULL) + return NULL; + OCSP_REQUEST *req = NULL; + OCSP_ONEREQ *one_req = NULL; + OCSP_CERTID *cert_id = NULL; + OCSP_REQINFO *inf = NULL; + //OCSP_SIGNATURE *sig = NULL; + + RecordVal* ocsp_req_record = NULL; + VectorVal* all_req_bro = NULL; + + int req_count = -1, i = -1, len = -1; + long version = -1; + + req = req_val->GetReq(); + if (req == NULL) + return NULL; + + char buf[OCSP_STRING_BUF_SIZE]; + int buf_len = sizeof(buf); + memset(buf, 0, buf_len); + + inf = req->tbsRequest; + //sig = req->optionalSignature; + if (inf == NULL) + return NULL; + + ocsp_req_record = new RecordVal(BifType::Record::OCSP::Request); + if (!ocsp_req_record) + { + reporter->Error("Cannot create OCSP request structure: Internal memory error"); + return NULL; + } + + //version + version = ASN1_INTEGER_get(inf->version); + if (version != -1) + 
ocsp_req_record->Assign(0, new Val((uint64)version, TYPE_COUNT)); + + //requestorName + if (inf->requestorName != NULL) + { + len = -1; + len = GENERAL_NAME_to_cstr(buf, buf_len, (void *)(inf->requestorName)); + if (len > 1) + ocsp_req_record->Assign(1, new StringVal(len, buf)); + } + + //deal with details of the request + req_count = OCSP_request_onereq_count(req); + if (req_count <= 0) + goto clean_up; + for (i=0; iAsVectorType()); + RecordVal *one_req_bro = new RecordVal(BifType::Record::OCSP::OneReq); + + ocsp_fill_cert_id(cert_id, one_req_bro); + all_req_bro->Assign(all_req_bro->Size(), one_req_bro); + } + + if (all_req_bro != NULL) + ocsp_req_record->Assign(2, all_req_bro); +clean_up: + return ocsp_req_record; +} + +// parse OCSP response and trigger event +RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) + { + if (resp_val == NULL) + return NULL; + + OCSP_RESPONSE *resp = NULL; + OCSP_RESPBYTES *resp_bytes = NULL; + OCSP_CERTID *cert_id = NULL; + OCSP_BASICRESP *basic_resp = NULL; + OCSP_RESPDATA *resp_data = NULL; + OCSP_RESPID *resp_id = NULL; + OCSP_SINGLERESP *single_resp = NULL; + + //OCSP_CERTSTATUS *cst = NULL; + //OCSP_REVOKEDINFO *rev = NULL; + + RecordVal *ocsp_resp_record = NULL; + VectorVal *all_resp_bro = NULL; + + int resp_count = -1, status = -1, i = -1, len = -1; + long version = -1; + + resp = resp_val->GetResp(); + if (resp == NULL) + return NULL; + + char buf[OCSP_STRING_BUF_SIZE]; + int buf_len = sizeof(buf); + memset(buf, 0, buf_len); + + ocsp_resp_record = new RecordVal(BifType::Record::OCSP::Response); + if (!ocsp_resp_record) + { + reporter->Error("Cannot create OCSP response structure: Internal memory error"); + return NULL; + } + + //responseStatus + status = OCSP_response_status(resp); + const char *status_str = OCSP_response_status_str(status); + ocsp_resp_record->Assign(0, new StringVal(strlen(status_str), status_str)); + + //responseType + resp_bytes = resp->responseBytes; + if (!resp_bytes) + goto clean_up; 
+ len = -1; + len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(resp_bytes->responseType)); + if (len > 0) + ocsp_resp_record->Assign(1, new StringVal(len, buf)); + + //get the basic response + basic_resp = OCSP_response_get1_basic(resp); + if (!basic_resp) + goto clean_up; + resp_data = basic_resp->tbsResponseData; + if (!resp_data) + goto clean_up; + + //version + version = ASN1_INTEGER_get(resp_data->version); + if (version != -1) + ocsp_resp_record->Assign(2, new Val((uint64)version, TYPE_COUNT)); + + //responderID + resp_id = resp_data->responderId; + len = -1; + len = OCSP_RESPID_to_cstr(buf, buf_len, resp_id); + if (len > 0) + ocsp_resp_record->Assign(3, new StringVal(len, buf)); + + //producedAt + len = -1; + len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(resp_data->producedAt)); + if (len > 0) + ocsp_resp_record->Assign(4, new StringVal(len, buf)); + + //responses + resp_count = sk_OCSP_SINGLERESP_num(resp_data->responses); + if (resp_count <= 0) + goto clean_up; + for (i=0; iresponses, i); + if (!single_resp) + continue; + if (all_resp_bro == NULL) + all_resp_bro = new VectorVal(internal_type("ocsp_resp_vec")->AsVectorType()); + RecordVal *single_resp_bro = new RecordVal(BifType::Record::OCSP::SingleResp); + + //cert id + cert_id = single_resp->certId; + ocsp_fill_cert_id(cert_id, single_resp_bro); + + //certStatus + const char *cert_status_str = OCSP_cert_status_str(single_resp->certStatus->type); + single_resp_bro->Assign(4, new StringVal(strlen(cert_status_str), cert_status_str)); + + //thisUpdate + len = -1; + len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(single_resp->thisUpdate)); + if (len > 0) + single_resp_bro->Assign(5, new StringVal(len, buf)); + + //nextUpdate + len = -1; + len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(single_resp->nextUpdate)); + if (len > 0) + single_resp_bro->Assign(6, new StringVal(len, buf)); + + all_resp_bro->Assign(all_resp_bro->Size(), single_resp_bro); + } + if (all_resp_bro != NULL) + 
ocsp_resp_record->Assign(5, all_resp_bro); + + //signatureAlgorithm + if (basic_resp->signatureAlgorithm) + { + len = -1; + len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(basic_resp->signatureAlgorithm->algorithm)); + if (len > 0) + ocsp_resp_record->Assign(6, new StringVal(len, buf)); + } + //signature + if (basic_resp->signature) + { + len = -1; + len = ASN1_BIT_STRING_to_cstr(buf, buf_len, (void *)(basic_resp->signature)); + if (len > 0) + ocsp_resp_record->Assign(7, new StringVal(len, buf)); + } +clean_up: + return ocsp_resp_record; +} + +//OCSP_REQVal +OCSP_REQVal::OCSP_REQVal(OCSP_REQUEST* arg_ocsp_req) : OpaqueVal(ocsp_req_opaque_type) + { + ocsp_req = arg_ocsp_req; + } + +OCSP_REQVal::OCSP_REQVal() : OpaqueVal(ocsp_req_opaque_type) + { + ocsp_req = NULL; + } + +OCSP_REQVal::~OCSP_REQVal() + { + if (ocsp_req) + OCSP_REQUEST_free(ocsp_req); + } + +OCSP_REQUEST* OCSP_REQVal::GetReq() const + { + return ocsp_req; + } + +bool OCSP_REQVal::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_OCSP_REQ_VAL, OpaqueVal); + unsigned char *buf = NULL; + int length = i2d_OCSP_REQUEST(ocsp_req, &buf); + if ( length < 0 ) + return false; + bool res = SERIALIZE_STR(reinterpret_cast(buf), length); + OPENSSL_free(buf); + return res; + } + +bool OCSP_REQVal::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(OpaqueVal) + + int length; + unsigned char *ocsp_req_buf, *opensslbuf; + + if ( ! UNSERIALIZE_STR(reinterpret_cast(&ocsp_req_buf), &length) ) + return false; + opensslbuf = ocsp_req_buf; // OpenSSL likes to shift pointers around. really. 
+ ocsp_req = d2i_OCSP_REQUEST(NULL, const_cast(&opensslbuf), length); + delete[] ocsp_req_buf; + if ( !ocsp_req ) + return false; + return true; + } + + +//OCSP_RESPVal +OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type) + { + ocsp_resp = arg_ocsp_resp; + } + +OCSP_RESPVal::OCSP_RESPVal() : OpaqueVal(ocsp_resp_opaque_type) + { + ocsp_resp = NULL; + } + +OCSP_RESPVal::~OCSP_RESPVal() + { + if (ocsp_resp) + OCSP_RESPONSE_free(ocsp_resp); + } + +OCSP_RESPONSE* OCSP_RESPVal::GetResp() const + { + return ocsp_resp; + } + +bool OCSP_RESPVal::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_OCSP_RESP_VAL, OpaqueVal); + unsigned char *buf = NULL; + int length = i2d_OCSP_RESPONSE(ocsp_resp, &buf); + if ( length < 0 ) + return false; + bool res = SERIALIZE_STR(reinterpret_cast(buf), length); + OPENSSL_free(buf); + return res; + } + +bool OCSP_RESPVal::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(OpaqueVal) + + int length; + unsigned char *ocsp_resp_buf, *opensslbuf; + + if ( ! UNSERIALIZE_STR(reinterpret_cast(&ocsp_resp_buf), &length) ) + return false; + opensslbuf = ocsp_resp_buf; // OpenSSL likes to shift pointers around. really. + ocsp_resp = d2i_OCSP_RESPONSE(NULL, const_cast(&opensslbuf), length); + delete[] ocsp_resp_buf; + if ( !ocsp_resp ) + return false; + return true; + } diff --git a/src/file_analysis/analyzer/ocsp/OCSP.h b/src/file_analysis/analyzer/ocsp/OCSP.h new file mode 100644 index 0000000000..ecdba6582d --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/OCSP.h 
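Review bot: In `ParseResponse`, the object returned by `OCSP_response_get1_basic(resp)` is a new reference that is never released, because the `clean_up:` label only returns. Every parsed response therefore leaks an `OCSP_BASICRESP`, which on a sensor parsing untrusted traffic means memory growth driven by the monitored traffic; add `if (basic_resp) OCSP_BASICRESP_free(basic_resp);` under `clean_up:`. In `ocsp_fill_cert_id` (and `ocsp_print_cert_id`) the serialNumber field is built from `cert_id->issuerKeyHash`, so the logged serial is not the certificate's; the call should read `ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->serialNumber));`. `DeliverStream` also appends to `ocsp_data` with no upper bound, so a size cap checked before `append` would be worth adding.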
@@ -0,0 +1,66 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#ifndef FILE_ANALYSIS_OCSP_H +#define FILE_ANALYSIS_OCSP_H + +#include + +#include "Val.h" +#include "../File.h" +#include "Analyzer.h" + +#include +#include +#include + +namespace file_analysis { + +class OCSP_REQVal; +class OCSP_RESPVal; + +class OCSP : public file_analysis::Analyzer { +public: + virtual bool DeliverStream(const u_char* data, uint64 len); + virtual bool Undelivered(uint64 offset, uint64 len); + virtual bool EndOfFile(); + + static RecordVal *ParseResponse(OCSP_RESPVal *); + static RecordVal *ParseRequest(OCSP_REQVal *); + + static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); + +protected: + OCSP(RecordVal* args, File* file, const string& ocsp_type); + +private: + std::string ocsp_data; + std::string ocsp_type; +}; + +class OCSP_REQVal: public OpaqueVal { +public: + explicit OCSP_REQVal(OCSP_REQUEST *); + ~OCSP_REQVal(); + OCSP_REQUEST *GetReq() const; +protected: + OCSP_REQVal(); +private: + OCSP_REQUEST *ocsp_req; + DECLARE_SERIAL(OCSP_REQVal); +}; + +class OCSP_RESPVal: public OpaqueVal { +public: + explicit OCSP_RESPVal(OCSP_RESPONSE *); + ~OCSP_RESPVal(); + OCSP_RESPONSE *GetResp() const; +protected: + OCSP_RESPVal(); +private: + OCSP_RESPONSE *ocsp_resp; + DECLARE_SERIAL(OCSP_RESPVal); +}; + +} + +#endif diff --git a/src/file_analysis/analyzer/ocsp/Plugin.cc b/src/file_analysis/analyzer/ocsp/Plugin.cc new file mode 100644 index 0000000000..f7edbd1d6d --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/Plugin.cc 
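Review bot: `OCSP_REQVal` and `OCSP_RESPVal` in OCSP.h free their OpenSSL pointer in the destructor, but nothing on the classes says the constructor takes ownership, and `EndOfFile` in OCSP.cc relies on exactly that (its own frees are commented out). A short comment on each constructor, e.g. `// Takes ownership of the pointer; it is freed with OCSP_REQUEST_free() in the destructor.`, would keep a caller from freeing it a second time. Since both classes hold a raw owning pointer, it may also be worth declaring the copy constructor and copy assignment private and unimplemented, assuming `OpaqueVal` does not already forbid copying.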
@@ -0,0 +1,25 @@ +// See the file in the main distribution directory for copyright. + + +#include "plugin/Plugin.h" + +#include "OCSP.h" + +namespace plugin { +namespace Bro_OCSP { + +class Plugin : public plugin::Plugin { +public: + plugin::Configuration Configure() + { + AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate)); + + plugin::Configuration config; + config.name = "Bro::OCSP"; + config.description = "OCSP analyzer"; + return config; + } +} plugin; + +} +} diff --git a/src/file_analysis/analyzer/ocsp/events.bif b/src/file_analysis/analyzer/ocsp/events.bif new file mode 100644 index 0000000000..b956e2c12e --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/events.bif @@ -0,0 +1,23 @@ +## Generated for encountered OCSP request +## +## +## f: The file. +## +## req_ref: An opaque pointer to the underlying OpenSSL data structure of the +## OCSP request +## +## req: The parsed OCSP request information. +## +event ocsp_request%(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request%); + +## Generated for encountered OCSP response +## +## +## f: The file. +## +## req_ref: An opaque pointer to the underlying OpenSSL data structure of the +## OCSP response +## +## req: The parsed OCSP response information. +## +event ocsp_response%(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response%); diff --git a/src/file_analysis/analyzer/ocsp/types.bif b/src/file_analysis/analyzer/ocsp/types.bif new file mode 100644 index 0000000000..e005f1274e --- /dev/null +++ b/src/file_analysis/analyzer/ocsp/types.bif @@ -0,0 +1,4 @@ +type OCSP::Request: record; +type OCSP::Response: record; +type OCSP::OneReq: record; +type OCSP::SingleResp: record; \ No newline at end of file diff --git a/src/main.cc b/src/main.cc index 61cc35f198..be38f6ca39 100644 --- a/src/main.cc +++ b/src/main.cc 
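Review bot: The doc comment for `ocsp_response` in events.bif documents parameters `req_ref` and `req`, but the event signature names them `resp_ref` and `resp`, so generated script documentation would describe parameters that do not exist. The two entries should read `## resp_ref: An opaque pointer to the underlying OpenSSL data structure of the OCSP response` and `## resp: The parsed OCSP response information.`.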
@@ -131,6 +131,8 @@ OpaqueType* cardinality_type = 0; OpaqueType* topk_type = 0; OpaqueType* bloomfilter_type = 0; OpaqueType* x509_opaque_type = 0; +OpaqueType* ocsp_req_opaque_type = 0; +OpaqueType* ocsp_resp_opaque_type = 0; // Keep copy of command line int bro_argc; @@ -873,7 +875,9 @@ int main(int argc, char** argv) topk_type = new OpaqueType("topk"); bloomfilter_type = new OpaqueType("bloomfilter"); x509_opaque_type = new OpaqueType("x509"); - + ocsp_req_opaque_type = new OpaqueType("ocsp_req"); + ocsp_resp_opaque_type = new OpaqueType("ocsp_resp"); + // The leak-checker tends to produce some false // positives (memory which had already been // allocated before we start the checking is From d84d1d24e80e14d29bad8217261a1a4e1979d883 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 17 Jun 2015 19:18:37 -0700 Subject: [PATCH 002/631] add ocsp logging --- scripts/base/files/ocsp/main.bro | 233 +++++++++++++++++++++- scripts/base/init-bare.bro | 10 +- src/file_analysis/analyzer/ocsp/types.bif | 3 +- 3 files changed, 241 insertions(+), 5 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 1b3dfdeffc..a6b91529ba 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro 
@@ -1,11 +1,240 @@ @load base/frameworks/files @load base/utils/paths +@load base/utils/queue -module FileOCSP; +module OCSP; export { - ## add one more argument to indicate is ocsp response or request + ## add one more argument to tell ocsp response or request redef record Files::AnalyzerArgs += { ocsp_type: string &optional; }; + + ## ocsp logging + redef enum Log::ID += { LOG }; + + ## tyep for pending ocsp request + type PendingRequests: table[OCSP::CertId] of Queue::Queue; + + ## NOTE: one file could contain several requests + ## one ocsp request record + type Info_req: record { + ## time for the request + ts: time; + ## file id for this request + id: string &log; + ## version + version: count &log &optional; + ## requestor name + requestorName: string &log &optional; + ## NOTE: the above are for one file which may constain + ## several ocsp requests + ## request cert id + certId: OCSP::CertId &log &optional; + }; + + ## NOTE: one file could contain several response + ## one ocsp response record + type Info_resp: record { + ## time for the response + ts: time; + ## file id for this response + id: string &log; + ## responseStatus (different from cert status?) + responseStatus: string &log; + ## responseType + responseType: string &log; + ## version + version: count &log; + ## responderID + responderID: string &log; + ## producedAt + producedAt: string &log; + + ## NOTE: the following are specific to one cert id + ## the above are for one file which may contain + ## several responses + + ## certStatus (this is the response to look at) + certStatus: string &log &optional; + ## thisUpdate + thisUpdate: string &log &optional; + ## nextUpdate + nextUpdate: string &log &optional; + }; + + type Info: record { + ## timestamp for request if both request is present + ## OR timestamp for response if request is not found + ts: time &log; + req: Info_req &log &optional; + resp: Info_resp &log &optional; + }; + + ## Event for accessing logged OCSP records. 
+ global log_ocsp: event(rec: Info); } + +redef record connection += { + ## keep track of pending requests received so for + ocsp_requests: PendingRequests &optional; + }; + +event bro_init() &priority=5 + { + Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]); + } + +function get_http_info(f: fa_file, meta: fa_metadata) + { + if (f$source != "HTTP" || !meta?$mime_type) + return; + + # call OCSP file analyzer + if (meta$mime_type == "application/ocsp-request") + Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "request"]); + else if (meta$mime_type == "application/ocsp-response") + Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "response"]); + } + +event file_sniff(f: fa_file, meta: fa_metadata) &priority = 5 + { + if (f$source == "HTTP") + get_http_info(f, meta); + } + +event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) &priority = 5 + { + local conn: connection; + local cid: conn_id; + + # there should be only one loop: one connection + for (id in f$conns) + { + cid = id; + conn = f$conns[id]; + } + + if (req?$requestList) + { + for (x in req$requestList) + { + local one_req = req$requestList[x]; + local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, + $issuerNameHash = one_req$issuerNameHash, + $issuerKeyHash = one_req$issuerKeyHash, + $serialNumber = one_req$serialNumber]; + + local req_rec: Info_req = [$ts=network_time(), $id=f$id, $certId=cert_id]; + + if (req?$version) + req_rec$version = req$version; + + if (req?$requestorName) + req_rec$requestorName = req$requestorName; + + if (!conn?$ocsp_requests) + conn$ocsp_requests = table(); + + if (cert_id !in conn$ocsp_requests) + conn$ocsp_requests[cert_id] = Queue::init(); + + Queue::put(conn$ocsp_requests[cert_id], req_rec); + } + } + else + { + # no request content? 
this is weird but log it anyway + local req_rec_empty: Info_req = [$ts=network_time(), $id=f$id]; + if (req?$version) + req_rec_empty$version = req$version; + if (req?$requestorName) + req_rec_empty$requestorName = req$requestorName; + Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty]); + } + } + +event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) &priority = 5 + { + local conn: connection; + local cid: conn_id; + + # there should be only one loop + for (id in f$conns) + { + cid = id; + conn = f$conns[id]; + } + + if (resp?$responses) + { + for (x in resp$responses) + { + local single_resp: OCSP::SingleResp = resp$responses[x]; + local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, + $issuerNameHash = single_resp$issuerNameHash, + $issuerKeyHash = single_resp$issuerKeyHash, + $serialNumber = single_resp$serialNumber]; + local resp_rec: Info_resp = [$ts = network_time(), $id = f$id, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt, + $certStatus = single_resp$certStatus, + $thisUpdate = single_resp$thisUpdate]; + if (single_resp?$nextUpdate) + resp_rec$nextUpdate = single_resp$nextUpdate; + + if (cert_id in conn$ocsp_requests) + { + # find a match + local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]); + Log::write(LOG, [$ts=req_rec$ts, $req=req_rec, $resp=resp_rec]); + if (Queue::len(conn$ocsp_requests[cert_id]) == 0) + delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it? + } + else + { + # do not find a match; this is weird but log it + Log::write(LOG, [$ts=resp_rec$ts, $resp=resp_rec]); + } + } + } + else + { + # no response content? 
this is weird but log it anyway + local resp_rec_empty: Info_resp = [$ts=network_time(), $id=f$id, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt]; + Log::write(LOG, [$ts=resp_rec_empty$ts, $resp=resp_rec_empty]); + } + } + +function log_unmatched_msgs_queue(q: Queue::Queue) + { + local reqs: vector of Info_req; + Queue::get_vector(q, reqs); + + for ( i in reqs ) + Log::write(LOG, [$ts=reqs[i]$ts, $req=reqs[i]]); + } + +function log_unmatched_msgs(msgs: PendingRequests) + { + for ( cert_id in msgs ) + log_unmatched_msgs_queue(msgs[cert_id]); + + clear_table(msgs); + } + +# need to log unmatched ocsp request if any +event connection_state_remove(c: connection) &priority= -5 + { + if (! c?$ocsp_requests) + return; + log_unmatched_msgs(c$ocsp_requests); + } diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index fdc05f2df4..a1dfe2ee06 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2961,8 +2961,14 @@ export { producedAt: string &log; responses: vector of SingleResp; #responseExtensions:xxx - signatureAlgorithm: string &log; - signature: string; #&log; + signatureAlgorithm: string &log &optional; + signature: string &optional; #&log; + }; + type CertId: record { + hashAlgorithm: string &log; + issuerNameHash: string &log; + issuerKeyHash: string &log; + serialNumber: string &log; }; } diff --git a/src/file_analysis/analyzer/ocsp/types.bif b/src/file_analysis/analyzer/ocsp/types.bif index e005f1274e..8d8cb5dd9b 100644 --- a/src/file_analysis/analyzer/ocsp/types.bif +++ b/src/file_analysis/analyzer/ocsp/types.bif @@ -1,4 +1,5 @@ type OCSP::Request: record; type OCSP::Response: record; type OCSP::OneReq: record; -type OCSP::SingleResp: record; \ No newline at end of file +type OCSP::SingleResp: record; +type OCSP::CertId: record; From d1c568663ca58808e8d7b9a104efe094de121c74 Mon Sep 17 00:00:00 2001 
From: Liang Zhu Date: Fri, 19 Jun 2015 09:37:10 -0700 Subject: [PATCH 003/631] add btest and fix bug --- scripts/base/files/ocsp/main.bro | 19 ++++++++++-------- src/file_analysis/analyzer/ocsp/OCSP.cc | 8 +++++--- .../ocsp.log | 10 +++++++++ .../ocsp.log | 10 +++++++++ .../ocsp.log | 10 +++++++++ .../btest/Traces/tls/ocsp-request-only.pcap | Bin 0 -> 1207 bytes .../Traces/tls/ocsp-request-response.pcap | Bin 0 -> 3565 bytes .../btest/Traces/tls/ocsp-response-only.pcap | Bin 0 -> 3054 bytes .../base/protocols/ssl/ocsp-request-only.test | 4 ++++ .../protocols/ssl/ocsp-request-response.test | 4 ++++ .../protocols/ssl/ocsp-response-only.test | 4 ++++ 11 files changed, 58 insertions(+), 11 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log create mode 100644 testing/btest/Traces/tls/ocsp-request-only.pcap create mode 100644 testing/btest/Traces/tls/ocsp-request-response.pcap create mode 100644 testing/btest/Traces/tls/ocsp-response-only.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index a6b91529ba..7417c6f6fb 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -30,7 +30,7 @@ export { ## NOTE: the above are for one file which may constain ## several ocsp requests ## request cert id - certId: OCSP::CertId &log &optional; + certId: OCSP::CertId &optional; }; ## NOTE: one file could contain several response 
@@ -54,7 +54,8 @@ export { ## NOTE: the following are specific to one cert id ## the above are for one file which may contain ## several responses - + ##cert id + certId: OCSP::CertId &optional; ## certStatus (this is the response to look at) certStatus: string &log &optional; ## thisUpdate @@ -67,8 +68,9 @@ export { ## timestamp for request if both request is present ## OR timestamp for response if request is not found ts: time &log; - req: Info_req &log &optional; - resp: Info_resp &log &optional; + certId: OCSP::CertId &log &optional; + req: Info_req &log &optional; + resp: Info_resp &log &optional; }; ## Event for accessing logged OCSP records. @@ -181,23 +183,24 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $version = resp$version, $responderID = resp$responderID, $producedAt = resp$producedAt, + $certId = cert_id, $certStatus = single_resp$certStatus, $thisUpdate = single_resp$thisUpdate]; if (single_resp?$nextUpdate) resp_rec$nextUpdate = single_resp$nextUpdate; - if (cert_id in conn$ocsp_requests) + if (conn?$ocsp_requests && cert_id in conn$ocsp_requests) { # find a match local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]); - Log::write(LOG, [$ts=req_rec$ts, $req=req_rec, $resp=resp_rec]); + Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec]); if (Queue::len(conn$ocsp_requests[cert_id]) == 0) delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it? } else { # do not find a match; this is weird but log it - Log::write(LOG, [$ts=resp_rec$ts, $resp=resp_rec]); + Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec]); } } } @@ -220,7 +223,7 @@ function log_unmatched_msgs_queue(q: Queue::Queue) Queue::get_vector(q, reqs); for ( i in reqs ) - Log::write(LOG, [$ts=reqs[i]$ts, $req=reqs[i]]); + Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i]]); } function log_unmatched_msgs(msgs: PendingRequests) 
diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index 08df3e4ce6..ea90967cfc 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc @@ -52,6 +52,8 @@ static int ANS1_to_cstr(char *buf, int buf_len, void *data, int type) } else if (type == V_ASN1_INTEGER) { + // NOTE: this will print the hex number + // wireshark may display decimal number if (i2a_ASN1_INTEGER(bio, (ASN1_INTEGER *)data) <= 0) goto err; } @@ -183,7 +185,7 @@ static void ocsp_print_cert_id(OCSP_CERTID *cid) printf("[%d]issuerKeyHash: %s\n", new_len, issuerKeyHash.CheckString()); //print serialNumber - new_len = ASN1_INTEGER_to_cstr(buf, len, (void *)(cid->issuerKeyHash)); + new_len = ASN1_INTEGER_to_cstr(buf, len, (void *)(cid->serialNumber)); StringVal serialNumber = StringVal(new_len, buf); printf("[%d]serialNumber: %s\n", new_len, serialNumber.CheckString()); } @@ -217,7 +219,7 @@ static void ocsp_fill_cert_id(OCSP_CERTID *cert_id, RecordVal *d) //serialNumber len = -1; - len = ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->issuerKeyHash)); + len = ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->serialNumber)); if (len > 0) d->Assign(3, new StringVal(len, buf)); } @@ -387,7 +389,7 @@ RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val) all_req_bro = new VectorVal(internal_type("ocsp_req_vec")->AsVectorType()); RecordVal *one_req_bro = new RecordVal(BifType::Record::OCSP::OneReq); - ocsp_fill_cert_id(cert_id, one_req_bro); + ocsp_fill_cert_id(cert_id, one_req_bro); all_req_bro->Assign(all_req_bro->Size(), one_req_bro); } diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log new file mode 100644 index 0000000000..9881f143c1 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log 
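Review bot: In the `@@ -217,7 +219,7 @@` hunk, `ocsp_fill_cert_id` still assigns field 3 only under `if (len > 0)`, so a CertID whose serial number fails to convert leaves `serialNumber` unset in the record. The script-side records declare that field without `&optional`, and the handlers in main.bro read `one_req$serialNumber` and `single_resp$serialNumber` with no `?$` test, so a malformed request or response taken off the wire would presumably raise a script runtime error instead of being logged. Assign an empty value on the failure path, e.g. `else d->Assign(3, new StringVal(""));`, or mark the field `&optional` and test it in the scripts. The other three CertID fields may follow the same pattern, but the function's body starts outside this hunk.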
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp +#open 2015-06-19-16-32-33 +#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time string string string string string count string string string string count string string string string string +1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - +#close 2015-06-19-16-32-33 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log new file mode 100644 index 0000000000..b21cadda9a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp +#open 2015-06-19-16-32-23 +#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time string string string string string count string string string string count string string string string string +1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z +#close 2015-06-19-16-32-23 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log new file mode 100644 index 0000000000..f5a5c43c7c --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp +#open 2015-06-19-16-32-39 +#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time string string string string string count string string string string count string string string string string +1434666864.070748 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z +#close 2015-06-19-16-32-39 
diff --git a/testing/btest/Traces/tls/ocsp-request-only.pcap b/testing/btest/Traces/tls/ocsp-request-only.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1d4e85da0796981c6b52571c94741d32a9dd0f0f GIT binary patch literal 1207 zcmZvcQAiVU9LN8gbFPckW)=}8M-OSb?QVISYpa+pb%f=}EleS~ZvV||x4UyY$CMsM zg7i>5_0*FEq6M{@;!6Zk1ZL?&7(Hi6M2Nj4Q7`@fH{9jiaew&V@Bia-pZov6+{)|1 zeLXM$?J@uzdXT%uBOfCGoI`Uwz_FX(Zr`{i_b*tln?MHurvgv>z;9f+`f|pY3{KZ> zOw@x=W9t(JH&5zQmZ3KQ=nd6#2EB;@#QHs4*Hu;3VDhhmMlLdo{300uKX4iwteA@F zAT&|GIK6%i(Or|Z2PVlijeIF{cOKKX$X8|oXh(0tV}~;n$g9qLnX?Pg6FCc5gJI;T zQ+*4Vj9uI20N6lVf=4+~_c`zs6F)q!NIVGEh_UU&P)~1|q{v`69HN{Kr$`OJlqsu$0R|lZ|~&r;qG}Q7Ogx$ZlR7$&y)* zd(h4J$W+GL;&IT&$u7txBZ?~vMlf% ztMHOYWpSlBTV72HzTwlfOjt7qzWZ1>E?7UqJX z&j0E~!=3lcIQ^jI(_dls=bSCKtgkU0p0F=GdW(<$&t6?AP&=Z^j85UGK2DcKHPP6b zUqyj(N6!?GABAZd#k7Elt92T&JWzlMJX0eY-yW#^>f-cfPtKw<^-HBdy~9*Y?Axyq zD>%-mj`DWL%^ua!3fu#icRGS28nJ?7L3NB(a179KWM|T>1x>LwBP9 literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/tls/ocsp-request-response.pcap b/testing/btest/Traces/tls/ocsp-request-response.pcap new file mode 100644 index 0000000000000000000000000000000000000000..77306ea1902a40af35750385c92707a79227a672 GIT binary patch literal 3565 zcmc(idsGuw9>-^r5Fi)ee?^Q528V>T35+C=b!@p0oSM=H#9;_jm7n z<~#TIojbp2I#|1wg>kU%9|yxx#}+>)_4`x|8;g#ah7FtF{Fl;2w#i3)XL(?881{~O zYcv+kZOUq>;pQf6=+{~vh-pG1w#t~vRV=%Y>2Dau;<(juSROo#cW(s~$JuOmhWxm; zo7}T0D-K2C#Bks~$%a9qZsyYm7MN7i8-bDPWdOJfrv*)$M0PH5O z=w+fNMXLj1kf76P#6%du=Oxe%rxMV5hb=6dHjoBGVVIuIHLm~^DCAS+vPfXhS4tIOa5#vk^f|Ox0ttxz1Q=ts zQ%1T#%nb5*D!rbvA*z!qaEeXNT#Jyj*(_!~=`_<;aRCzvE$AK1wM0&jf?*?tBg7+I zM~Y66D2cRY=aJcz5>QrAs#Zu@T@%8)Cd66ww83o6R)XvzvrPyLl+i*uDLzk4Tb<|z zMM;!3+i6mQ2w8VbS7<}Tp30at64|Ngd6dKHnrEf-jASLqp(vY(w3zb|lh1<*a14xv zF)$i>a@|7vvRMP%Fi!tn9{j16ocz0j8;bQ$j9xVpq_Xjx{?P~OgDVPSB_(@A90 zT85a}AIFAyA}^uVo9G!(Sj`aERlJrMfXPF5y-e(M5|BU$QpWLlv1n4MPqTp`HKb2w4X@==2!)=Ik2FHUK#nw$ zP%1G*D2$SDD4~opV|chhFPAEU_&kkNqXcSAR8V598pLWfK%FuHB&j9>b?OA5icJQw zacMxON(36M3bj~}n5IH479=EUK?<6qRV4#WY79tb@JRGYk<+h^3yIjvuF7D>$4so1Q%Dsd_7huV+ zYl~n3;f0LPPUUa~tW+)G1N$-^4}rVNZZ4v&Bq4ylOvGKl)9Pub(_tVj6!8WWFhQQ6 zPdpvVY(pT?st+SV;czC*76ir9pd+5vkxcaD0ac#UMBB~ILLdV1k^pbUX;4lmBoZi< z$|l42py_{q3X8EXET`t6xlN8t&<4L9z6Qp71gljgT`$(!Wy%_FHN6R+rZ zmMvacG0)F=$^SH|Wj9}gNAOCHDdq42@oZkjbkm*2wZSV!JNuu{KNq<3!KlR=(;)xd z4c`n|G?6`16PvN|%z+iFXBJt)-CM_ICVw+2r6J`e@ode=aO=^U$7wUQ$#q z*TF!4K60Iuki!Uwev?sG-lO~fdmdmZ9@KM{Jg$Z)$eg+%SSDn)x&wG8bVs{>lU><{OH`HP2Q7KqVYeJ z)ZfY>z?`M6&)mrDgKZauvYMos_Y>FgO>yJ0&Nq#lxBl7T{Ral$4!L`MZbW6<={DQR zl-<5ZC#^m(mDSK*`TePrs}$Q}u6XBU$d;BJd9>(jH>`Pn8&$VFK+OAKWAl_o?TvL2 zs-0O+>6ktNnSq~`HF@rl4E3I+_uW{mI=<KTdzo zl)JoDkN5QpXf_U5dWKqAX|G%by}NfyHx3JVJ&D1+&546*sHz%W6;&SDX;8c6kL;O? z-d&Xa_bN?db~y4-Q4^-OTi{rR1~`ZXM{~WVl_%ik&vS8ie;oNStWzZm_Y3;Z7wKsj z^iaC?v4w)OSkTbg;OgC0=|5M75$=tNH|pcRuuhmXx3K!fzAa1DhWpBKPcNje9N3V! z#HRYiHszpU?&X$yi=z}_OAB`l@!#C?u=PpXSg%b(f{)BTnt$r}0^@>VS$i%YI`?A! 
z2N*p)Bl31s_VYe>R}Q|!vt`b>nB7!8d&#j`_dd=2ZF0J2%XgTxt+8FWsJ#m_$yi-n<^B?EQ4 zyw_)q`n3N25@IM*HC;nh)4wU~zj77!*)Nyj+pZnk(4JE4gL_P-yUOt6OfAL`C%w^4 z>|KXpvceiyWoLW24r@Uy4I!9_!^CxVqc^&r%U6B kPK`bV-Ne^u{L-b7?xhiZhHbmfRG%3^T^etr>hr|E0KMCyO8@`> literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/tls/ocsp-response-only.pcap b/testing/btest/Traces/tls/ocsp-response-only.pcap new file mode 100644 index 0000000000000000000000000000000000000000..63fbdde25a3589aa5aef7fa96eec83ca7978aa94 GIT binary patch literal 3054 zcmc(hdsGuw9>-^r5JE5p2nDKzj;sjE>rN5^#-fBk0p*dJfFi6qB!Q%aOqv7~lok;2 zQ5Rd0)`}jXRiKJuQCVAyBDxh7(N(I}>ek|eDldg2wYu89laz<(?w+&%?3{DYnftrH z`P}c^`QAIfjuQ=4G=zbSUJL|<9YfTr#P1UkWG=j?8ZvEd*I$Y@7#6iUu4EyR2=bP6 zUl_}^_WoAX!IQ5r!ATpoeeL^a^l4f+!{0%{944Z=t8jFpvd$&??luoy$$d4LE z$yTP7ZzUs07=kms9VseBM`R@)XKH%ih4i3GCznd>&L}x4XLBP(A0{t8fFR*;CaS%p zStzZyXx5I?90ci^1rEp^wE}8HEqWU$GNtti7abwKq*a)^i_*H+G)`-#PjG!FB#KnC ztwcy`hdLW5VyZKWOtXXXU>i@gbIYx!h&xMPNpwR*zKt&uqZJBSARd5Yd;qY7c^q~G zVOEPVg(lk%!$YvS*?KsF2Vs1^SRfShg;-Rag2R@pjX7$g7?T(XrAEzROG&+1tvCBC zjD+5lt~UBd>XoEQtIrT);aWXm%!MgbrazTvBz0mei&*YYWT-=NJ}waP{V+pznog_q z!}O%T*#aSrS$oROb*ntqSVmuww}rh=b^Kty=YJnLq%QT4hEqH)xG&lNgf| zWQX~lR zzbL5gZOqLjq#YRS9iSaS;`8X_Il7z_>5{MsO&seoS!>kcwcyNfw64k4fW-X}~ zV@e%q8oThh2Kdzog8?ogL1hGzN|OODoykDzsYDJN6fuX`C{kI(?1#7AOgmpDYGY#y zP?S-`ybeQGLE&#zd0;ti5A2xqLGuFPKh+={(OU60^pWtRE9<#3b2f4QbSxb1{D` zitomyoCZXA2%irG0^uU?F3^B5D8|NjBAqtL24OfivN%h0nK|9O+abFir`y-g7YO4S z&S5Q0-lc8ARp4{Mm8ZG`4-Wbjw9{-^Z~x7($%o>Wzzn4(h6ytsbHo#YRvtfp7p zu1p^IrS|6z*JaOdWqKXG+*r7ID1_BCyKnmbqqQk*VP~fg)^fd-`%{0OjYfMn-|qb+ zk5O_l$>q?d*NL-rGu4k5+*BSa-dIt(#>ITy^#UQMcXfhRw49+yIJGV?pI!Q%=6+k1 z_trUP=PNmvJq|sXy-}udcRk$v&D0GG=qqFqDZ4MWY~8*hPZwm{KQ}e*n}rF@33u?P zJ3eNECHuDg{o})Hw3S7Slc0#v4BNM$h`zIuPD5!lmS1h&gJ|6a4=`rQ>}?QGc<_I6 z&LrSwb&lg7&IwSGaO+#_;}3kPF?-%rjoEAv2L>wDMzbj(gH%x#qY?v+Y6EG~nn`1B zAT9v7)on9I+$L8mvyEy@3ZH{#2HYF!ajpX%t{mt(0WJc;0A7n=S2U*k|Jx6s2=yGh z#;C=XTm;71G|Hc+mXkg$gWTeG-nqXtcHsS0gKg7l914m3Z+C<~x%45UO%*!P-LR)xC{n2u#_#fzPpEvbOoF2{U`KYH( zI-PyK*{8oxv7zVTN0$fpa2HDa<9{e@x|@k(tIGPH+7KBh2Cn%DYhzdR#q8v0BIl)D z>6o`>*V9wSTc+Ie>Atl(xP0KkfT2C%u;b~4+gp~p`kgYfG50>f$=9YxSDicovFBDP=x{PgZT6#bn+1Bm6&a_3S#2A#%i2JY0T z7sCZOGg;PykB*Mq*;$7tGF%wWb_w0=ZI6yQxpk#aD!ZtzC^wdG1KiQm(uP5UUXP`4 
zZ!#i*6i6!PRECz!8aAj=_wVeP1^-=Y;~(DTYfYwX_=5~k8g*bUMZ*}71?DjAmzG4M zCC{=@TUQkNF<@9F4R!JS?~{x*4BV8Kb8J2D65{FA;9Y%KFZgFg0B+kBbGs?(3;q0s zt8=TLAKP0dRrQJIJ-M1(F}XQrlR@&UVetvo>Ki@18$&|^%5o1(b*<}p*#CH7uKk{= z-mUqkbIzY#m%eUV+L0S4FF#-V0Ybi)GV5Mw#G`miPO-hbvyo|xofL=5=-2hWNx4e^c*f}7Pu?@ZgCr}>9{=9RrU z!G2bqrtVB(zv6Y}j=e{&f2ETvkMWL^<*~O|M>|{lO6~KKpPrl#KdngY$^A*5@~yw^ zm8Fk`apyvQ`4Qjf=Ud00tZ3x!N}K&@)BA Date: Fri, 19 Jun 2015 15:01:31 -0700 Subject: [PATCH 004/631] add function to get hash of cert issuer name --- scripts/base/files/ocsp/main.bro | 8 +- src/file_analysis/analyzer/x509/functions.bif | 87 +++++++++++++++++++ 2 files changed, 91 insertions(+), 4 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 7417c6f6fb..602f23bcc5 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -13,7 +13,7 @@ export { ## ocsp logging redef enum Log::ID += { LOG }; - ## tyep for pending ocsp request + ## type for pending ocsp request type PendingRequests: table[OCSP::CertId] of Queue::Queue; ## NOTE: one file could contain several requests @@ -27,7 +27,7 @@ export { version: count &log &optional; ## requestor name requestorName: string &log &optional; - ## NOTE: the above are for one file which may constain + ## NOTE: the above are for one file which may contain ## several ocsp requests ## request cert id certId: OCSP::CertId &optional; @@ -65,8 +65,8 @@ export { }; type Info: record { - ## timestamp for request if both request is present - ## OR timestamp for response if request is not found + ## timestamp for request if a corresponding request is present + ## OR timestamp for response if a corresponding request is not found ts: time &log; certId: OCSP::CertId &log &optional; req: Info_req &log &optional; diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 216f4c69cc..bb04f27ed8 100644 --- a/src/file_analysis/analyzer/x509/functions.bif 
+++ b/src/file_analysis/analyzer/x509/functions.bif 
@@ -537,3 +537,90 @@ x509_verify_chainerror: return rrecord; %} + +## Get the hash of issuer name of a certificate +## +## cert: The X509 certificate opaque handle. +## +## hash_alg: the hash algorithm to use +## +## Returns: A string of hash of issuer name. +## +## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints +## x509_ext_subject_alternative_name x509_parse +## x509_get_certificate_string x509_verify +function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: string%): string + %{ + assert(cert); + assert(hash_alg); + + file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; + X509 *cert_x509 = cert_handle->GetCertificate(); + if (cert_x509 == NULL) + { + builtin_error("cannot get cert from opaque"); + return NULL; + } + + X509_NAME *issuer_name = NULL; + StringVal *issuer_name_str = NULL; + issuer_name = X509_get_issuer_name(cert_x509); + if (issuer_name == NULL) + { + builtin_error("fail to get issuer name from certificate"); + return NULL; + } + + const char* h = hash_alg->CheckString(); + if (h == NULL) + { + builtin_error("fail to get hash algorithm from input"); + return NULL; + } + + const EVP_MD *dgst; + if (strcmp(h, "sha1") == 0) + dgst = EVP_sha1(); + else if (strcmp(h, "sha224") == 0) + dgst = EVP_sha224(); + else if (strcmp(h, "sha256") == 0) + dgst = EVP_sha256(); + else if (strcmp(h, "sha384") == 0) + dgst = EVP_sha384(); + else if (strcmp(h, "sha512") == 0) + dgst = EVP_sha512(); + else + { + reporter->Error("Unknown digest!"); + return NULL; + } + if (dgst == NULL) + { + builtin_error("fail to allocate digest"); + return NULL; + } + + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int len = 0; + ASN1_OCTET_STRING *oct_str = ASN1_STRING_type_new(V_ASN1_OCTET_STRING); + int new_len = -1; + BIO *bio = BIO_new(BIO_s_mem()); + char buf[1024]; + memset(buf, 0, sizeof(buf)); + + if (!X509_NAME_digest(issuer_name, dgst, md, &len)) + goto err; + if (!ASN1_OCTET_STRING_set(oct_str, md, len)) + goto err; + if 
(i2a_ASN1_STRING(bio, oct_str, V_ASN1_OCTET_STRING) <= 0) + goto err; + new_len = BIO_read(bio, buf, sizeof(buf)); + if (new_len > 0) + issuer_name_str = new StringVal(new_len, buf); + + //NOTE: the result string may contain "\\x0a" for sha384 and sha512 + // probably need to remove it from here? +err: + BIO_free_all(bio); + return issuer_name_str; + %} From 2743966fcc8628e525996eb2d3cab0dc1f2463e8 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 1 Jul 2015 17:00:41 -0700 Subject: [PATCH 005/631] add a script to combine ocsp with ssl --- .../policy/protocols/ssl/ocsp-measurement.bro | 467 ++++++++++++++++++ 1 file changed, 467 insertions(+) create mode 100644 scripts/policy/protocols/ssl/ocsp-measurement.bro diff --git a/scripts/policy/protocols/ssl/ocsp-measurement.bro b/scripts/policy/protocols/ssl/ocsp-measurement.bro new file mode 100644 index 0000000000..a426e7e048 --- /dev/null +++ b/scripts/policy/protocols/ssl/ocsp-measurement.bro 
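Review bot: `oct_str` from `ASN1_STRING_type_new(V_ASN1_OCTET_STRING)` is never released in `x509_issuer_name_hash`: the `err:` label frees only `bio`, so every call leaks one ASN1 string, and the measurement script later in this series calls the function once per hash algorithm for each certificate that carries an OCSP URI. Add `ASN1_OCTET_STRING_free(oct_str);` next to `BIO_free_all(bio);` under `err:`. Neither allocation is checked before use, so `if (oct_str == NULL || bio == NULL) goto err;` belongs right after the `BIO_new` line. The three `goto err` failure paths also return a null value without calling `builtin_error`, which leaves the caller unable to tell why no hash came back.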
@@ -0,0 +1,467 @@ +#! Match OCSP request and response to SSL connection for performance analysis + +@load base/protocols/http +@load base/frameworks/files +@load base/files/x509 +@load base/protocols/ssl +@load base/utils/queue + +module OCSP_MEASUREMENT; + +export { + redef enum Log::ID += { LOG }; + + type Info: record { + ## cert id for the OCSP request + cert_id: OCSP::CertId &log &optional; + + ## request + ## NOTE: this is only one request if multiple requests + ## are sent together in one HTTP message, they will be + ## logged separately + req: OCSP::Info_req &log &optional; + + ## response + ## NOTE: similar to request, if multiple responses are + ## sent together in one HTTP message, they will be + ## logged separately + resp: OCSP::Info_resp &log &optional; + + ## HTTP connection uid + cuid: string &log; + + ## for 1st request, this is the time between first TCP + ## SYN and resp_ts; for the rest of the requests in + ## the same connection, this is the time btween req_ts + ## and res_ts + delay: interval &log &optional; + + ## the size of HTTP request body + req_size: count &log &optional; + + ## the size of HTTP request header + req_hdr_size: count &log &optional; + + ## the size of HTTP response body + resp_size: count &log &optional; + + ## the size of HTTP response header + resp_hdr_size: count &log &optional; + + ## the HTTP code in the HTTP response + http_code: count &log &optional; + + ## OCSP host, this is host in HTTP request + host: string &log; + + ## OCSP uri, this is uri in HTTP request + uri: string &log; + + ## number of ocsp requests in this connection + ## including this one + num_ocsp: count &log &optional; + + ## the time when the corresponding certificate is + ## received + cert_recv_ts: time &log &optional; + + ## SSL connection uid + ssl_cuid: string &log &optional; + + ## SSL connection id + ssl_cid: conn_id &optional; + + ## the time when client receives change cipher message + ## from server + ssl_change_cipher_ts: time &log 
&optional; + + ## the time when SSL connection is established + ssl_establish_ts: time &log &optional; + }; + + ## - map to OCSP_MEASUREMENT::Info + ## - indexed by source ip(addr), ocsp uri(string), issuer name + ## hash(string), serialNumber(string) + ## - is it possible server sends two same certificate? To be + ## safe, let's use a queue to store OCSP_MEASUREMENT::Info + type OCSP_Mapping: table[addr, string, string, string] of Queue::Queue &optional &read_expire=5mins; + + ## a group of constant string for hash algorithm + ## to save memory, remove any unseen hash algorithm + global hash_algorithm = vector("sha1", "sha224", "sha256", "sha384", "sha512"); + + ## Event from a worker to the manager that it has encountered + ## an OCSP response + global new_ocsp_info: event(c: connection) &redef; + + ## Event from the manager to the workers that a new OCSP info + ## is to be added. + global ocsp_info_add: event(c: connection); +} + +# by different hash algorithm, OCSP_Mapping +global ocsp_map: table[string] of OCSP_MEASUREMENT::OCSP_Mapping; + +# track number of ocsp requests in this connection +redef record connection += { + num_ocsp: count &optional &default=0; + }; + +# add additional information to http info +redef record HTTP::Info += { + ## header length + request_header_len: count &optional &default=0; + response_header_len: count &optional &default=0; + + ## OCSP file id + ocsp_request_fuid: string &optional; + ocsp_response_fuid: string &optional; + + ## OCSP request and response timestamp + ocsp_request_ts: time &optional; + ocsp_response_ts: time &optional; + + ## store OCSP requests and responses + ocsp_request: OCSP::Request &optional; + ocsp_response: OCSP::Response &optional; +}; + +# add additional information to ssl info +redef record SSL::Info += { + ## connection start time + connection_start_ts: time &optional; + + ## client hello time + client_hello_ts: time &optional; + + ## ssl connection establish time + ssl_establish_ts: time &optional; + 
+ ## the time when server sends change-cipher-spec + change_cipher_ts: time &optional; + + ## - the time when a cert is received AND the cert has ocsp + ## extension + ## - the 2nd level table indexed by source ip(addr), ocsp + ## uri(string), issuer name hash(string), serialNumber + ## (string) + ## - the 1st level table indexed by different hash algorithm + ## for issuer name hash + ## - is it possible a server sends two same certificate? To be + ## safe, let's use a queue to store the time + cert_ts: table[string] of table[addr, string, string, string] of Queue::Queue &optional; +}; + +# set up cluster event +@if ( Cluster::is_enabled() ) +@load base/frameworks/cluster +redef Cluster::manager2worker_events += /OCSP_MEASUREMENT::ocsp_info_add/; +redef Cluster::worker2manager_events += /OCSP_MEASUREMENT::new_ocsp_info/; +@endif + +# get all the requests in one HTTP request +function get_all_requests(http: HTTP::Info): table[OCSP::CertId] of Queue::Queue + { + local pending_requests: table[OCSP::CertId] of Queue::Queue = table(); + if ( http?$ocsp_request && http$ocsp_request?$requestList ) + { + local req = http$ocsp_request; + for (x in req$requestList) + { + local one_req = req$requestList[x]; + local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, + $issuerNameHash = one_req$issuerNameHash, + $issuerKeyHash = one_req$issuerKeyHash, + $serialNumber = one_req$serialNumber]; + + local req_rec: OCSP::Info_req = [$ts=http$ocsp_request_ts, $id=http$ocsp_request_fuid, $certId=cert_id]; + + if (req?$version) + req_rec$version = req$version; + + if (req?$requestorName) + req_rec$requestorName = req$requestorName; + + if (cert_id !in pending_requests) + pending_requests[cert_id] = Queue::init(); + + Queue::put(pending_requests[cert_id], req_rec); + } + } + return pending_requests; + } + +# remove the last '/' +function clean_uri(s: string): string + { + local s_len = |s|; + s_len -= 1; + if (s[-1] == "/") + return clean_uri(s[0:s_len]); + else + return 
s; + } + +# fill in OCSP/HTTP information +function fill_ocsp_info(c: connection) + { + local http: HTTP::Info = c$http; + + # get all the requests which will be matched to response later + local pending_requests: table[OCSP::CertId] of Queue::Queue = get_all_requests(http); + + # get all the responses and match them to the requests + if ( http?$ocsp_response && http$ocsp_response?$responses ) + { + local resp = http$ocsp_response; + for (x in resp$responses) + { + local single_resp: OCSP::SingleResp = resp$responses[x]; + local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, + $issuerNameHash = single_resp$issuerNameHash, + $issuerKeyHash = single_resp$issuerKeyHash, + $serialNumber = single_resp$serialNumber]; + + local resp_rec: OCSP::Info_resp = [$ts = http$ocsp_response_ts, $id = http$ocsp_response_fuid, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt, + $certId = cert_id, + $certStatus = single_resp$certStatus, + $thisUpdate = single_resp$thisUpdate]; + + if (single_resp?$nextUpdate) + resp_rec$nextUpdate = single_resp$nextUpdate; + + local ocsp_info: OCSP_MEASUREMENT::Info = [$cert_id = cert_id, + $cuid = http$uid, $host = http$host, + $uri = http$uri, $resp = resp_rec, + $req_size = http$request_body_len, + $req_hdr_size = http$request_header_len, + $resp_size = http$response_body_len, + $resp_hdr_size = http$response_header_len, + $http_code = http$status_code]; + if (cert_id in pending_requests) + { + # find a match + local req_rec: OCSP::Info_req = Queue::get(pending_requests[cert_id]); + ocsp_info$req = req_rec; + ocsp_info$num_ocsp = c$num_ocsp; + + if (c$num_ocsp == 0) + ocsp_info$delay = ocsp_info$req$ts - c$start_time; + else + ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts; + + if (Queue::len(pending_requests[cert_id]) == 0) + delete pending_requests[cert_id]; #if queue is empty, delete it? 
+ } + + # add to ocsp map + local full_uri: string = clean_uri(http$host + http$uri); + local h = cert_id$hashAlgorithm; + local src_ip: addr = c$id$orig_h; + + if ( [src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] !in ocsp_map[h] ) + ocsp_map[h][src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] = Queue::init(); + + Queue::put(ocsp_map[h][src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber], ocsp_info); + } + + } + } + +# work event +@if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER ) +event OCSP_MEASUREMENT::ocsp_info_add(c: connection) + { + fill_ocsp_info(c); + } +@endif + +# manager event +@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) +event OCSP_MEASUREMENT::new_ocsp_info(c: connection) + { + event OCSP_MEASUREMENT::ocsp_info_add(c); + } +@endif + +# record the header length +event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) + { + # proceed only this http connection has ocsp request or response + if ( ! c$http?$ocsp_request && ! c$http?$ocsp_response ) + return; + + if ( is_orig ) + { + c$http$request_header_len = stat$header_length; + c$num_ocsp += 1; + } + else + { + c$http$response_header_len = stat$header_length; + # here, a http request-response is done + # if any ocsp info is present, put it in ocsp_map +@if ( ! 
Cluster::is_enabled() ) + fill_ocsp_info(c); +@endif + +@if ( Cluster::is_enabled() ) + # send this ocsp info to manager and manager will send + # it to all the workder + event OCSP_MEASUREMENT::new_ocsp_info(c); +@endif + } + } + +# add ocsp request to http record +event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) + { + if ( !f?$http ) + return; + f$http$ocsp_request = req; + f$http$ocsp_request_ts = network_time(); + f$http$ocsp_request_fuid = f$id; + } + +# add ocsp response to http record +event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) + { + if ( !f?$http ) + return; + f$http$ocsp_response = resp; + f$http$ocsp_response_ts = network_time(); + f$http$ocsp_response_fuid = f$id; + } + +# add client hello time and connection start time +event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) + { + c$ssl$client_hello_ts = network_time(); + c$ssl$connection_start_ts = c$start_time; + } + +# add time stamp for server's change cipher message +event ssl_change_cipher_spec(c: connection, is_orig: bool) + { + if ( is_orig ) + return; + c$ssl$change_cipher_ts = network_time(); + } + +# add ssl established time +event ssl_established(c: connection) + { + c$ssl$ssl_establish_ts = network_time(); + } + +# extract the full ocsp uri from certificate extension +function get_ocsp_uri(s: string): string + { + s = strip(s); + s = to_lower(s); + local parts = split_string(s, /\x0a/); + for (x in parts) + { + local f4c = sub_bytes(parts[x], 0, 4); + if (f4c == "ocsp") + { + local w = split_string(parts[x], /\/\//); + return w[1]; + } + } + return ""; + } + +# create ocsp index if ocsp extension is encountered +# record the time when certificate is received +event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { + if (!ext?$name || ext$name != "Authority Information Access") + return; + + if ( !f?$info || !f$info?$x509 || 
!f$info$x509?$handle || !f$info$x509?$certificate) + return; + + local ocsp_uri: string = clean_uri(get_ocsp_uri(ext$value)); + if ( |ocsp_uri| == 0 ) + return; + + local cert: X509::Certificate = f$info$x509$certificate; + local serial_number: string = cert$serial; + local cert_ref: opaque of x509 = f$info$x509$handle; + + # get connection + local c: connection; + # there should be only one loop + for ( id in f$conns ) + c = f$conns[id]; + + if ( !c$ssl?$cert_ts ) + c$ssl$cert_ts = table(); + + local current_ts: time = network_time(); + local source_ip: addr = c$id$orig_h; + + local issuer_name: table[string] of string; + # loop through each hash algorithm + for (i in hash_algorithm) + { + local h: string = hash_algorithm[i]; + issuer_name[h] = x509_issuer_name_hash(cert_ref, h); + + # if given hash algorithm is not in record, create a new table + if ( h !in c$ssl$cert_ts ) + c$ssl$cert_ts[h] = table(); + + # if given index is not in record, create a new queue + if ( [source_ip, ocsp_uri, issuer_name[h], serial_number] !in c$ssl$cert_ts[h] ) + c$ssl$cert_ts[h][source_ip, ocsp_uri, issuer_name[h], serial_number] = Queue::init(); + + # put the timing information in the queue of ssl info + Queue::put(c$ssl$cert_ts[h][source_ip, ocsp_uri, issuer_name[h], serial_number], current_ts); + } + } + +# log information when ssl connection is removed +event connection_state_remove(c: connection) &priority= -20 + { + if ( ! c?$ssl || ! 
c$ssl?$cert_ts ) + return; + + for (i in hash_algorithm) + { + local h = hash_algorithm[i]; + for ( [src_ip, ocsp_uri, issuer_name, serial_number] in c$ssl$cert_ts[h] ) + { + if ( [src_ip, ocsp_uri, issuer_name, serial_number] in ocsp_map[h] ) + { + # find a ocsp to ssl match + local ocsp_info: OCSP_MEASUREMENT::Info = Queue::get(ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]); + if (Queue::len(ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0) + delete ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]; + local cert_recv_ts: time = Queue::get(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]); + if (Queue::len(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0) + delete c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]; + ocsp_info$cert_recv_ts = cert_recv_ts; + ocsp_info$ssl_cuid = c$uid; + ocsp_info$ssl_cid = c$id; + ocsp_info$ssl_change_cipher_ts = c$ssl$change_cipher_ts; + ocsp_info$ssl_establish_ts = c$ssl$ssl_establish_ts; + Log::write(LOG, ocsp_info); + } + } + } + } + +event bro_init() + { + # initialize ocsp_map + for (i in hash_algorithm) + ocsp_map[hash_algorithm[i]] = table(); + + Log::create_stream(LOG, [$columns=Info, $path="ocsp-measurement"]); + } From 386a5b811d667b6169f1f0fe8eff6a994681d2aa Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 2 Jul 2015 14:23:38 -0700 Subject: [PATCH 006/631] add optional logging for parsed ocsp stapling message --- .../policy/protocols/ssl/ocsp-stapling.bro | 113 ++++++++++++++++++ .../analyzer/ocsp/CMakeLists.txt | 2 +- src/file_analysis/analyzer/ocsp/functions.bif | 36 ++++++ 3 files changed, 150 insertions(+), 1 deletion(-) create mode 100644 scripts/policy/protocols/ssl/ocsp-stapling.bro create mode 100644 src/file_analysis/analyzer/ocsp/functions.bif diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro new file mode 100644 index 0000000000..0a0c92da1c --- /dev/null 
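Review bot: `fill_ocsp_info` indexes `ocsp_map[h]` with `h = cert_id$hashAlgorithm`, a string taken from the OCSP response, but `bro_init` only creates entries for the five names in `hash_algorithm`; a response naming any other digest would index a missing table entry and abort the handler. Since such a response can never match a `cert_ts` entry anyway, skip it with `if ( h !in ocsp_map ) next;` before the `!in ocsp_map[h]` test, which also avoids creating state under keys chosen by the peer. `get_ocsp_uri` has the same kind of exposure: `return w[1];` assumes the certificate's AIA line contains `//`, so test `|w| > 1` first and return `""` otherwise. Separately, `http_message_done` increments `c$num_ocsp` on the request before `fill_ocsp_info` runs on the response, so the `c$num_ocsp == 0` branch that computes the first request's delay looks unreachable.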
+++ b/scripts/policy/protocols/ssl/ocsp-stapling.bro 
@@ -0,0 +1,113 @@
+#! Log ocsp stapling information
+
+module OCSP_STAPLING;
+
+export {
+ redef enum Log::ID += { LOG };
+ type Info: record {
+ ## timestamp
+ ts: time &log;
+
+ ## connection uid
+ cid: conn_id &log;
+
+ ## connection uid
+ cuid: string &log;
+
+ ## size of this response
+ size: count &log;
+
+ ## responseStatus
+ responseStatus: string &log;
+
+ ## responseType
+ responseType: string &log;
+
+ ## version
+ version: count &log;
+
+ ## responderID
+ responderID: string &log;
+
+ ## producedAt
+ producedAt: string &log;
+
+ ## NOTE: the following are specific to one cert id
+ ## the above are for one message which may contain
+ ## several responses
+
+ ## index
+ idx: count &log &optional;
+
+ ## cert id
+ cert_id: OCSP::CertId &log &optional;
+
+ ## certStatus (this is the response to look at)
+ certStatus: string &log &optional;
+
+ ## thisUpdate
+ thisUpdate: string &log &optional;
+
+ ## nextUpdate
+ nextUpdate: string &log &optional;
+ };
+}
+
+event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string)
+ {
+ local resp: OCSP::Response = ocsp_parse_response(response);
+
+ # TOCHECK: is this right?
+ local resp_size: count =|response|;
+
+ if (resp?$responses)
+ {
+ local num: count = 0;
+ for (x in resp$responses)
+ {
+ num += 1;
+ local single_resp: OCSP::SingleResp = resp$responses[x];
+ local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm,
+ $issuerNameHash = single_resp$issuerNameHash,
+ $issuerKeyHash = single_resp$issuerKeyHash,
+ $serialNumber = single_resp$serialNumber];
+
+ local resp_rec: Info = [$ts = network_time(),
+ $cid = c$id,
+ $cuid = c$uid,
+ $size = resp_size,
+ $responseStatus = resp$responseStatus,
+ $responseType = resp$responseType,
+ $version = resp$version,
+ $responderID = resp$responderID,
+ $producedAt = resp$producedAt,
+ $idx = num,
+ $cert_id = cert_id,
+ $certStatus = single_resp$certStatus,
+ $thisUpdate = single_resp$thisUpdate];
+
+ if (single_resp?$nextUpdate)
+ resp_rec$nextUpdate = single_resp$nextUpdate;
+ Log::write(LOG, resp_rec);
+ }
+ }
+ else
+ {
+ # no response content? this is weird but log it anyway
+ local resp_rec_empty: Info = [$ts = network_time(),
+ $cid = c$id,
+ $cuid = c$uid,
+ $size = resp_size,
+ $responseStatus = resp$responseStatus,
+ $responseType = resp$responseType,
+ $version = resp$version,
+ $responderID = resp$responderID,
+ $producedAt = resp$producedAt];
+ Log::write(LOG, resp_rec_empty);
+ }
+ }
+
+event bro_init()
+ {
+ Log::create_stream(LOG, [$columns=Info, $path="ocsp-stapling"]);
+ }
diff --git a/src/file_analysis/analyzer/ocsp/CMakeLists.txt b/src/file_analysis/analyzer/ocsp/CMakeLists.txt
index d1cff9d157..12c54c1c84 100644
--- a/src/file_analysis/analyzer/ocsp/CMakeLists.txt
+++ b/src/file_analysis/analyzer/ocsp/CMakeLists.txt
@@ -6,5 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} bro_plugin_begin(Bro OCSP) bro_plugin_cc(OCSP.cc Plugin.cc) -bro_plugin_bif(events.bif types.bif) +bro_plugin_bif(events.bif types.bif functions.bif) bro_plugin_end()
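Review bot: In `ssl_stapled_ocsp`, both `Info` constructors read `resp$responseType`, `resp$version`, `resp$responderID` and `resp$producedAt` unconditionally, while only `resp$responses` is tested with `?$`. The stapled blob comes from the remote server, and an OCSP response with a non-successful status carries no response bytes, so those fields may well be unset; if `OCSP::Response` declares them `&optional` (its current definition is outside this hunk), the handler would stop with a runtime error before anything is logged. I would mark the corresponding `Info` fields `&optional` and copy each one under a guard, e.g. `if ( resp?$responseType ) resp_rec$responseType = resp$responseType;`. The `# TOCHECK: is this right?` comment can become a plain statement: `|response|` is the byte length of the stapled string, which is what `size` documents.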
diff --git a/src/file_analysis/analyzer/ocsp/functions.bif b/src/file_analysis/analyzer/ocsp/functions.bif
new file mode 100644
index 0000000000..19d9ac1cb5
--- /dev/null
+++ b/src/file_analysis/analyzer/ocsp/functions.bif
@@ -0,0 +1,36 @@
+%%{
+#include "file_analysis/analyzer/ocsp/OCSP.h"
+#include "types.bif.h"
+%%}
+
+## Parses a OCSP response into an OCSP::Response structure.
+##
+## ocsp_reply: OCSP data.
+##
+## Returns: A OCSP::Response structure.
+##
+## .. bro:see:: ssl_stapled_ocsp
+function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response
+ %{
+ const unsigned char* start = ocsp_reply->Bytes();
+ OCSP_RESPONSE *resp = NULL;
+ file_analysis::OCSP_RESPVal* resp_val = NULL;
+ RecordVal* resp_record = NULL;
+ resp = d2i_OCSP_RESPONSE(NULL, &start, ocsp_reply->Len());
+ if ( ! resp )
+ {
+ reporter->Weird("OPENSSL Could not parse OCSP response");
+ return NULL;
+ }
+ resp_val = new file_analysis::OCSP_RESPVal(resp);
+ resp_record = file_analysis::OCSP::ParseResponse(resp_val);
+ if (!resp_record)
+ {
+ reporter->Weird("Internal fail to parse OCSP response");
+ Unref(resp_val);
+ return NULL;
+ }
+ Unref(resp_val);
+ //Unref(resp_record);
+ return resp_record;
+ %}
From de17c12656d0a223d38c3c83fa866d2f6b54226f Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 2 Jul 2015 14:51:07 -0700 Subject: [PATCH 007/631] add btest for ocsp-stapling logging --- .../ocsp-stapling.log | 10 ++++++++++ .../scripts/policy/protocols/ssl/ocsp-stapling.bro | 6 ++++++ 2 files changed, 16 insertions(+) create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log create mode 100644 testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log
new file mode 100644
index 0000000000..03964f7191
--- /dev/null
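Review bot: Both failure paths of `ocsp_parse_response` end in `return NULL;` although the function is declared to return `OCSP::Response`, and the doc comment promises a record without mentioning failure. The only caller in this patch, the `ssl_stapled_ocsp` handler in ocsp-stapling.bro, reads `resp$responseStatus` straight after the call, and its input is whatever the peer stapled into the handshake, so a malformed blob is an expected case rather than an exceptional one. What the interpreter does with a null return is not visible here; the contract should at least be written down, e.g. `## Returns: A OCSP::Response structure; no value is returned if the data cannot be parsed.` Separately, `d2i_OCSP_RESPONSE` advances `start`, so comparing it with `ocsp_reply->Bytes() + ocsp_reply->Len()` after a successful parse would let trailing bytes behind the DER structure be reported as a weird instead of being silently accepted.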
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp-stapling +#open 2015-07-02-21-49-21 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid size responseStatus responseType version responderID producedAt idx cert_id.hashAlgorithm cert_id.issuerNameHash cert_id.issuerKeyHash cert_id.serialNumber certStatus thisUpdate nextUpdate +#types time addr port addr port string count string string count string string count string string string string string string string +1398367809.961683 192.168.4.149 56253 131.253.61.82 443 CXWv6p3arKYeMETxOg 1995 successful Basic OCSP Response 0 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC OCSP Responder 20140421080410Z 1 sha1 39AF18B41C021F39109656FDC6D358EF74858B99 4E43C81D76EF37537A4FF2586F94F338E2D5BDDF 62035C00776A614EAF430C6A5C56E2BD good 20140421080410Z 20140428080410Z +#close 2015-07-02-21-49-21 diff --git a/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro b/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro new file mode 100644 index 0000000000..63b7e29e03 --- /dev/null +++ b/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro @@ -0,0 +1,6 @@ +# This tests logging of ocsp stapling message + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT +# @TEST-EXEC: btest-diff ocsp-stapling.log + +@load protocols/ssl/ocsp-stapling From 8844d344af4428819d8844ab83c3037679e5d3e3 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 2 Jul 2015 17:46:43 -0700 Subject: [PATCH 008/631] add connection in ocsp log --- scripts/base/files/ocsp/main.bro | 40 ++++++++++++++----- .../policy/protocols/ssl/ocsp-stapling.bro | 2 +- .../ocsp.log | 10 ++--- .../ocsp.log | 10 ++--- .../ocsp.log | 10 ++--- 5 files changed, 47 insertions(+), 25 deletions(-) 
diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 602f23bcc5..c5ccd6df7f 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -23,6 +23,10 @@ export { ts: time; ## file id for this request id: string &log; + ## connection id + cid: conn_id &optional; + ## connection uid + cuid: string &optional; ## version version: count &log &optional; ## requestor name @@ -37,9 +41,13 @@ export { ## one ocsp response record type Info_resp: record { ## time for the response - ts: time; + ts: time &log; ## file id for this response id: string &log; + ## connection id + cid: conn_id &optional; + ## connection uid + cuid: string &optional; ## responseStatus (different from cert status?) responseStatus: string &log; ## responseType @@ -67,9 +75,21 @@ export { type Info: record { ## timestamp for request if a corresponding request is present ## OR timestamp for response if a corresponding request is not found - ts: time &log; + ts: time &log; + + ## connection id + cid: conn_id &log; + + ## connection uid + cuid: string &log; + + ## cert id certId: OCSP::CertId &log &optional; + + ## request req: Info_req &log &optional; + + ## response resp: Info_resp &log &optional; }; @@ -127,7 +147,7 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) $issuerKeyHash = one_req$issuerKeyHash, $serialNumber = one_req$serialNumber]; - local req_rec: Info_req = [$ts=network_time(), $id=f$id, $certId=cert_id]; + local req_rec: Info_req = [$ts=network_time(), $id=f$id, $certId=cert_id, $cid=conn$id, $cuid=conn$uid]; if (req?$version) req_rec$version = req$version; 
@@ -147,12 +167,12 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) else { # no request content? this is weird but log it anyway - local req_rec_empty: Info_req = [$ts=network_time(), $id=f$id]; + local req_rec_empty: Info_req = [$ts=network_time(), $id=f$id, $cid=conn$id, $cuid=conn$uid]; if (req?$version) req_rec_empty$version = req$version; if (req?$requestorName) req_rec_empty$requestorName = req$requestorName; - Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty]); + Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=conn$id, $cuid=conn$uid]); } } @@ -178,6 +198,7 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $issuerKeyHash = single_resp$issuerKeyHash, $serialNumber = single_resp$serialNumber]; local resp_rec: Info_resp = [$ts = network_time(), $id = f$id, + $cid=conn$id, $cuid=conn$uid, $responseStatus = resp$responseStatus, $responseType = resp$responseType, $version = resp$version, @@ -193,14 +214,14 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { # find a match local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]); - Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec]); + Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); if (Queue::len(conn$ocsp_requests[cert_id]) == 0) delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it? } else { # do not find a match; this is weird but log it - Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec]); + Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); } } } 
@@ -208,12 +229,13 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { # no response content? this is weird but log it anyway local resp_rec_empty: Info_resp = [$ts=network_time(), $id=f$id, + $cid=conn$id, $cuid=conn$uid, $responseStatus = resp$responseStatus, $responseType = resp$responseType, $version = resp$version, $responderID = resp$responderID, $producedAt = resp$producedAt]; - Log::write(LOG, [$ts=resp_rec_empty$ts, $resp=resp_rec_empty]); + Log::write(LOG, [$ts=resp_rec_empty$ts, $resp=resp_rec_empty, $cid=conn$id, $cuid=conn$uid]); } } @@ -223,7 +245,7 @@ function log_unmatched_msgs_queue(q: Queue::Queue) Queue::get_vector(q, reqs); for ( i in reqs ) - Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i]]); + Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i], $cid=reqs[i]$cid, $cuid=reqs[i]$cuid]); } function log_unmatched_msgs(msgs: PendingRequests) diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro index 0a0c92da1c..64c3d198f2 100644 --- a/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ b/scripts/policy/protocols/ssl/ocsp-stapling.bro @@ -8,7 +8,7 @@ export { ## timestamp ts: time &log; - ## connection uid + ## connection id cid: conn_id &log; ## connection uid diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log index 9881f143c1..c9a4964207 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-06-19-16-32-33 -#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time string string string string string count string string string string count string string string string string -1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - -#close 2015-06-19-16-32-33 +#open 2015-07-03-00-39-57 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time addr port addr port string string string string string string count string time string string string count string string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - - +#close 2015-07-03-00-39-57 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index b21cadda9a..feb466e43f 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-06-19-16-32-23 -#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time string string string string string count string string string string count string string string string string -1434666864.046145 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-06-19-16-32-23 +#open 2015-07-03-00-40-58 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time addr port addr port string string string string string string count string time string string string count string string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z +#close 2015-07-03-00-40-58 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index f5a5c43c7c..7b86586eb8 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-06-19-16-32-39 -#fields ts certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time string string string string string count string string string string count string string string string string -1434666864.070748 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-06-19-16-32-39 +#open 2015-07-03-00-38-40 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#types time addr port addr port string string string string string string count string time string string string count string string string string string +1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z +#close 2015-07-03-00-38-40 From d18a96bc8d94a645bd443b0b1784c6ba48fe88b3 Mon Sep 17 00:00:00 2001 
From: Liang Zhu Date: Mon, 6 Jul 2015 16:12:52 -0700 Subject: [PATCH 009/631] separated field for ocsp response timestamp and update baseline --- scripts/base/files/ocsp/main.bro | 11 +++++++---- .../ocsp.log | 6 +++--- .../ocsp.log | 6 +++--- .../ocsp.log | 6 +++--- 4 files changed, 16 insertions(+), 13 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index c5ccd6df7f..62a414d3cf 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -41,7 +41,7 @@ export { ## one ocsp response record type Info_resp: record { ## time for the response - ts: time &log; + ts: time; ## file id for this response id: string &log; ## connection id @@ -89,6 +89,9 @@ export { ## request req: Info_req &log &optional; + ## response timestamp + resp_ts: time &log &optional; + ## response resp: Info_resp &log &optional; }; @@ -214,14 +217,14 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { # find a match local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]); - Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); + Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp_ts=resp_rec$ts, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); if (Queue::len(conn$ocsp_requests[cert_id]) == 0) delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it? } else { # do not find a match; this is weird but log it - Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); + Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp_ts=resp_rec$ts, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); } } } 
@@ -235,7 +238,7 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $version = resp$version, $responderID = resp$responderID, $producedAt = resp$producedAt]; - Log::write(LOG, [$ts=resp_rec_empty$ts, $resp=resp_rec_empty, $cid=conn$id, $cuid=conn$uid]); + Log::write(LOG, [$ts=resp_rec_empty$ts, $resp_ts=resp_rec_empty$ts, $resp=resp_rec_empty, $cid=conn$id, $cuid=conn$uid]); } } diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log index c9a4964207..3ac21e3f22 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-03-00-39-57 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#open 2015-07-06-23-03-35 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate #types time addr port addr port string string string string string string count string time string string string count string string string string string 1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - - -#close 2015-07-03-00-39-57 +#close 2015-07-06-23-03-35 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index feb466e43f..53c2b598d5 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-03-00-40-58 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#open 2015-07-06-23-05-10 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate #types time addr port addr port string string string string string string count string time string string string count string string string string string 1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-07-03-00-40-58 +#close 2015-07-06-23-05-10 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index 7b86586eb8..4889fdc434 100644 
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-03-00-38-40 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp.ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate +#open 2015-07-06-23-05-43 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate #types time addr port addr port string string string string string string count string time string string string count string string string string string 1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-07-03-00-38-40 +#close 2015-07-06-23-05-43 From e2c30f0005c26931d88488b806146cb497600f7c Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Mon, 6 Jul 2015 17:52:13 -0700 Subject: [PATCH 010/631] record more timestamp for ocsp measurement --- .../policy/protocols/ssl/ocsp-measurement.bro | 61 ++++++++++++------- 1 file changed, 39 insertions(+), 22 deletions(-) 
diff --git a/scripts/policy/protocols/ssl/ocsp-measurement.bro b/scripts/policy/protocols/ssl/ocsp-measurement.bro index a426e7e048..c95fd9b83e 100644 --- a/scripts/policy/protocols/ssl/ocsp-measurement.bro +++ b/scripts/policy/protocols/ssl/ocsp-measurement.bro @@ -15,12 +15,18 @@ export { ## cert id for the OCSP request cert_id: OCSP::CertId &log &optional; + ## request timestamp + req_ts: time &log &optional; + ## request ## NOTE: this is only one request if multiple requests ## are sent together in one HTTP message, they will be ## logged separately req: OCSP::Info_req &log &optional; + ## response timestamp + resp_ts: time &log &optional; + ## response ## NOTE: similar to request, if multiple responses are ## sent together in one HTTP message, they will be @@ -30,10 +36,13 @@ export { ## HTTP connection uid cuid: string &log; + ## HTTP connection start time + conn_start_ts: time &log; + ## for 1st request, this is the time between first TCP ## SYN and resp_ts; for the rest of the requests in ## the same connection, this is the time btween req_ts - ## and res_ts + ## and resp_ts delay: interval &log &optional; ## the size of HTTP request body @@ -57,8 +66,10 @@ export { ## OCSP uri, this is uri in HTTP request uri: string &log; - ## number of ocsp requests in this connection - ## including this one + ## number of HTTP request containing ocsp requests in + ## this connection including this one; this may be + ## different from number of OCSP requests since one + ## HTTP request may contain several OCSP requests num_ocsp: count &log &optional; ## the time when the corresponding certificate is 
@@ -222,36 +233,42 @@ function fill_ocsp_info(c: connection) $issuerKeyHash = single_resp$issuerKeyHash, $serialNumber = single_resp$serialNumber]; - local resp_rec: OCSP::Info_resp = [$ts = http$ocsp_response_ts, $id = http$ocsp_response_fuid, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt, - $certId = cert_id, - $certStatus = single_resp$certStatus, - $thisUpdate = single_resp$thisUpdate]; + local resp_rec: OCSP::Info_resp = [$ts = http$ocsp_response_ts, + $id = http$ocsp_response_fuid, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt, + $certId = cert_id, + $certStatus = single_resp$certStatus, + $thisUpdate = single_resp$thisUpdate]; if (single_resp?$nextUpdate) resp_rec$nextUpdate = single_resp$nextUpdate; - local ocsp_info: OCSP_MEASUREMENT::Info = [$cert_id = cert_id, - $cuid = http$uid, $host = http$host, - $uri = http$uri, $resp = resp_rec, - $req_size = http$request_body_len, - $req_hdr_size = http$request_header_len, - $resp_size = http$response_body_len, + local ocsp_info: OCSP_MEASUREMENT::Info = [$cert_id = cert_id, + $cuid = http$uid, + $conn_start_ts = c$start_time, + $host = http$host, + $uri = http$uri, + $resp_ts = resp_rec$ts, + $resp = resp_rec, + $req_size = http$request_body_len, + $req_hdr_size = http$request_header_len, + $resp_size = http$response_body_len, $resp_hdr_size = http$response_header_len, - $http_code = http$status_code]; + $http_code = http$status_code]; if (cert_id in pending_requests) { # find a match local req_rec: OCSP::Info_req = Queue::get(pending_requests[cert_id]); - ocsp_info$req = req_rec; + ocsp_info$req = req_rec; + ocsp_info$req_ts = req_rec$ts; ocsp_info$num_ocsp = c$num_ocsp; - if (c$num_ocsp == 0) - ocsp_info$delay = ocsp_info$req$ts - c$start_time; + if (c$num_ocsp == 
1) + ocsp_info$delay = ocsp_info$resp$ts - c$start_time; else ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts; From 07891b3b66fbf86a188325a0eaedc24db9571b13 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 8 Jul 2015 12:27:02 -0700 Subject: [PATCH 011/631] parse multiple OCSP stapling responses --- .../protocol/ssl/tls-handshake-analyzer.pac | 5 ++--- .../protocol/ssl/tls-handshake-protocol.pac | 18 +++++++++++++++--- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 17432fa5cb..afca5dd77f 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -168,14 +168,13 @@ refine connection Handshake_Conn += { function proc_certificate_status(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool %{ - if ( status_type == 1 ) // ocsp + if ( status_type == 1 || status_type == 2 ) // ocsp { BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, new StringVal(response.length(), (const char*) response.data())); } - return true; %} @@ -255,7 +254,7 @@ refine typeattr ServerNameExt += &let { proc : bool = $context.connection.proc_server_name(rec, server_names); }; -refine typeattr CertificateStatus += &let { +refine typeattr OCSPResponse += &let { proc : bool = $context.connection.proc_certificate_status(rec, status_type, response); }; diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index b24352d099..722b6f1f59 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac 
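Review bot: With `status_type == 2` accepted in `proc_certificate_status`, every entry of an ocsp_multi response list raises `ssl_stapled_ocsp`, including zero-length entries, which RFC 6961 permits to mean "no response for this certificate". Such an entry reaches the scripts as an empty string, and a handler that parses each event (the ocsp-stapling.bro policy script calls `ocsp_parse_response` on every one) will report a parse failure for what is legitimate traffic. I would skip empty entries with `if ( (status_type == 1 || status_type == 2) && response.length() > 0 )`. The event also carries no position, so a handler cannot tell which certificate of the chain an entry belongs to. The enclosing `refine connection` block starts outside the hunk.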
@@ -139,11 +139,23 @@ type Certificate(rec: HandshakeRecord) = record { } &length = to_int()(length)+3; # OCSP Stapling +type OCSPResponse(rec: HandshakeRecord, status_type: uint8) = record { + length : uint24; + response : bytestring &length = to_int()(length); +} &length = to_int()(length)+3; + +type OCSPResponseList(rec: HandshakeRecord, status_type: uint8) = record { + length : uint24; + response_list : OCSPResponse(rec, status_type)[] &until($input.length() == 0); +} &length = to_int()(length)+3; type CertificateStatus(rec: HandshakeRecord) = record { - status_type: uint8; # 1 = ocsp, everything else is undefined - length : uint24; - response: bytestring &restofdata; + status_type: uint8; # 1 = ocsp, 2 = ocsp_multi, everything else is undefined + which_type: case status_type of { + 1 -> ocsp_response : OCSPResponse(rec, status_type); + 2 -> ocsp_response_list : OCSPResponseList(rec, status_type); + default -> data : bytestring &restofdata &transient; # unknown + }; }; ###################################################################### From 15bf098e7a5c284ae84ac6910b7eb2afbc4e3aba Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 8 Jul 2015 13:39:24 -0700 Subject: [PATCH 012/631] rename proc_certificate_status to proc_ocsp_response --- src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index afca5dd77f..84a7936daf 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -166,7 +166,7 @@ refine connection Handshake_Conn += { return true; %} - function proc_certificate_status(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool + function proc_ocsp_response(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool %{ if ( status_type == 1 || status_type == 2 ) // ocsp { 
@@ -255,7 +255,7 @@ refine typeattr ServerNameExt += &let { }; refine typeattr OCSPResponse += &let { - proc : bool = $context.connection.proc_certificate_status(rec, status_type, response); + proc : bool = $context.connection.proc_ocsp_response(rec, status_type, response); }; refine typeattr EcServerKeyExchange += &let { From 545848d9067c9ce35e8825961ce82943d3c945ff Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 8 Jul 2015 14:11:14 -0700 Subject: [PATCH 013/631] add parameter 'status_type' to event ssl_stapled_ocsp --- scripts/policy/protocols/ssl/ocsp-stapling.bro | 2 +- scripts/policy/protocols/ssl/validate-ocsp.bro | 2 +- src/analyzer/protocol/ssl/events.bif | 4 +++- src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 3 ++- testing/btest/core/leaks/x509_ocsp_verify.bro | 2 +- testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test | 2 +- 6 files changed, 9 insertions(+), 6 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro index 64c3d198f2..298f6d3990 100644 --- a/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ b/scripts/policy/protocols/ssl/ocsp-stapling.bro @@ -53,7 +53,7 @@ export { }; } -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) { local resp: OCSP::Response = ocsp_parse_response(response); diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro index 3beabbe59c..6667d9fbae 100644 --- a/scripts/policy/protocols/ssl/validate-ocsp.bro +++ b/scripts/policy/protocols/ssl/validate-ocsp.bro 
@@ -27,7 +27,7 @@ export { # certificate chain is seen. global recently_ocsp_validated: table[string] of string = table() &read_expire=5mins; -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) &priority=3 +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) &priority=3 { c$ssl$ocsp_response = response; } diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 18704d25ec..09e9c2d75e 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -294,7 +294,9 @@ event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, len ## is_orig: True if event is raised for originator side of the connection. ## ## response: OCSP data. -event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%); +## +## status_type: status_type in received OCSP stapled response +event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string, status_type: count%); ## This event is raised for each unencrypted SSL/TLS handshake message. ## diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 84a7936daf..89177dfb51 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -173,7 +173,8 @@ refine connection Handshake_Conn += { BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, new StringVal(response.length(), - (const char*) response.data())); + (const char*) response.data()), + status_type); } return true; %} diff --git a/testing/btest/core/leaks/x509_ocsp_verify.bro b/testing/btest/core/leaks/x509_ocsp_verify.bro index ab24f28ee8..4a4d081e09 100644 --- a/testing/btest/core/leaks/x509_ocsp_verify.bro +++ b/testing/btest/core/leaks/x509_ocsp_verify.bro 
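Review bot: The new doc line in events.bif, `## status_type: status_type in received OCSP stapled response`, repeats the parameter name without giving its values. Handlers need to know that the analyzer raises the event only for 1 and 2 and what each means, for example `## status_type: The certificate status type from the handshake message: 1 for ocsp, 2 for ocsp_multi.` Because the event gains a parameter, handlers outside this tree written against the three-argument form will presumably no longer type-check, which is worth a line in the commit message or release notes.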
@@ -9,7 +9,7 @@ @load base/protocols/ssl -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) { local chain: vector of opaque of x509 = vector(); for ( i in c$ssl$cert_chain ) diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test index 6424f263f1..440b1b2ebf 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test 
@@ -5,7 +5,7 @@ redef SSL::root_certs += { ["OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x02\x3C\x30\x82\x01\xA5\x02\x10\x70\xBA\xE4\x1D\x10\xD9\x29\x34\xB6\x38\xCA\x7B\x03\xCC\xBA\xBF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x39\x36\x30\x31\x32\x39\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x38\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xC9\x5C\x59\x9E\xF2\x1B\x8A\x01\x14\xB4\x10\xDF\x04\x40\xDB\xE3\x57\xAF\x6A\x45\x40\x8F\x84\x0C\x0B\xD1\x33\xD9\xD9\x11\xCF\xEE\x02\x58\x1F\x25\xF7\x2A\xA8\x44\x05\xAA\xEC\x03\x1F\x78\x7F\x9E\x93\xB9\x9A\x00\xAA\x23\x7D\xD6\xAC\x85\xA2\x63\x45\xC7\x72\x27\xCC\xF4\x4C\xC6\x75\x71\xD2\x39\xEF\x4F\x42\xF0\x75\xDF\x0A\x90\xC6\x8E\x20\x6F\x98\x0F\xF8\xAC\x23\x5F\x70\x29\x36\xA4\xC9\x86\xE7\xB1\x9A\x20\xCB\x53\xA5\x85\xE7\x3D\xBE\x7D\x9A\xFE\x24\x45\x33\xDC\x76\x15\xED\x0F\xA2\x71\x64\x4C\x65\x2E\x81\x68\x45\xA7\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x03\x81\x81\x00\xBB\x4C\x12\x2B\xCF\x2C\x26\x00\x4F\x14\x13\xDD\xA6\xFB\xFC\x0A\x11\x84\x8C\xF3\x28\
x1C\x67\x92\x2F\x7C\xB6\xC5\xFA\xDF\xF0\xE8\x95\xBC\x1D\x8F\x6C\x2C\xA8\x51\xCC\x73\xD8\xA4\xC0\x53\xF0\x4E\xD6\x26\xC0\x76\x01\x57\x81\x92\x5E\x21\xF1\xD1\xB1\xFF\xE7\xD0\x21\x58\xCD\x69\x17\xE3\x44\x1C\x9C\x19\x44\x39\x89\x5C\xDC\x9C\x00\x0F\x56\x8D\x02\x99\xED\xA2\x90\x45\x4C\xE4\xBB\x10\xA4\x3D\xF0\x32\x03\x0E\xF1\xCE\xF8\xE8\xC9\x51\x8C\xE6\x62\x9F\xE6\x9F\xC0\x7D\xB7\x72\x9C\xC9\x36\x3A\x6B\x9F\x4E\xA8\xFF\x64\x0D\x64", }; -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) { local chain: vector of opaque of x509 = vector(); for ( i in c$ssl$cert_chain ) From 694738752224b4579c028e6f4ccb155d2d38f3ed Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 8 Jul 2015 14:21:53 -0700 Subject: [PATCH 014/631] add status_type to ocsp stapling log --- scripts/policy/protocols/ssl/ocsp-stapling.bro | 9 +++++++-- .../ocsp-stapling.log | 10 +++++----- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro index 298f6d3990..30f69e3b9a 100644 --- a/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ b/scripts/policy/protocols/ssl/ocsp-stapling.bro @@ -7,7 +7,10 @@ export { type Info: record { ## timestamp ts: time &log; - + + ## status type + status_type: count &log; + ## connection id cid: conn_id &log; @@ -73,7 +76,8 @@ event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_ty $serialNumber = single_resp$serialNumber]; local resp_rec: Info = [$ts = network_time(), - $cid = c$id, + $status_type = status_type, + $cid = c$id, $cuid = c$uid, $size = resp_size, $responseStatus = resp$responseStatus, 
@@ -95,6 +99,7 @@ event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_ty { # no response content? this is weird but log it anyway local resp_rec_empty: Info = [$ts = network_time(), + $status_type = status_type, $cid = c$id, $cuid = c$uid, $size = resp_size, diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log index 03964f7191..c8d4c9d8e6 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp-stapling -#open 2015-07-02-21-49-21 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid size responseStatus responseType version responderID producedAt idx cert_id.hashAlgorithm cert_id.issuerNameHash cert_id.issuerKeyHash cert_id.serialNumber certStatus thisUpdate nextUpdate -#types time addr port addr port string count string string count string string count string string string string string string string -1398367809.961683 192.168.4.149 56253 131.253.61.82 443 CXWv6p3arKYeMETxOg 1995 successful Basic OCSP Response 0 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC OCSP Responder 20140421080410Z 1 sha1 39AF18B41C021F39109656FDC6D358EF74858B99 4E43C81D76EF37537A4FF2586F94F338E2D5BDDF 62035C00776A614EAF430C6A5C56E2BD good 20140421080410Z 20140428080410Z -#close 2015-07-02-21-49-21 +#open 2015-07-08-21-19-54 +#fields ts status_type cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid size responseStatus responseType version responderID producedAt idx cert_id.hashAlgorithm cert_id.issuerNameHash cert_id.issuerKeyHash cert_id.serialNumber certStatus thisUpdate nextUpdate +#types time count addr port addr port string count string string count string string count string string string string string string string +1398367809.961683 1 192.168.4.149 56253 131.253.61.82 443 CXWv6p3arKYeMETxOg 1995 successful Basic OCSP Response 0 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC OCSP Responder 20140421080410Z 1 sha1 39AF18B41C021F39109656FDC6D358EF74858B99 4E43C81D76EF37537A4FF2586F94F338E2D5BDDF 62035C00776A614EAF430C6A5C56E2BD good 20140421080410Z 20140428080410Z +#close 2015-07-08-21-19-54 From 535525e28364f1547de095688000b5032e7758d9 Mon Sep 17 00:00:00 2001 
From: Liang Zhu Date: Wed, 8 Jul 2015 18:20:29 -0700 Subject: [PATCH 015/631] fix a memory leak --- src/file_analysis/analyzer/ocsp/OCSP.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index ea90967cfc..d49d8d4beb 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc @@ -532,6 +532,8 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) ocsp_resp_record->Assign(7, new StringVal(len, buf)); } clean_up: + if (basic_resp) + OCSP_BASICRESP_free(basic_resp); return ocsp_resp_record; } From 406fec9ef41fae467ff258ef965ca03ef7cc5b9a Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 9 Jul 2015 11:56:58 -0700 Subject: [PATCH 016/631] potentially fix a memory problem ocsp-measurement --- .../policy/protocols/ssl/ocsp-measurement.bro | 37 +++++++++---------- 1 file changed, 17 insertions(+), 20 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-measurement.bro b/scripts/policy/protocols/ssl/ocsp-measurement.bro index c95fd9b83e..b883a36fdc 100644 --- a/scripts/policy/protocols/ssl/ocsp-measurement.bro +++ b/scripts/policy/protocols/ssl/ocsp-measurement.bro @@ -88,14 +88,10 @@ export { ## the time when SSL connection is established ssl_establish_ts: time &log &optional; - }; - ## - map to OCSP_MEASUREMENT::Info - ## - indexed by source ip(addr), ocsp uri(string), issuer name - ## hash(string), serialNumber(string) - ## - is it possible server sends two same certificate? To be - ## safe, let's use a queue to store OCSP_MEASUREMENT::Info - type OCSP_Mapping: table[addr, string, string, string] of Queue::Queue &optional &read_expire=5mins; + ## the time when event connection_state_remove happens + ssl_end_ts: time &log &optional; + }; ## a group of constant string for hash algorithm ## to save memory, remove any unseen hash algorithm 
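Review bot: The new free under `clean_up:` in OCSP.cc is only safe if `basic_resp` is a null pointer before the first jump to that label, and the declaration is outside this hunk. If it is declared without an initialiser, an early `goto clean_up` would pass an indeterminate pointer to `OCSP_BASICRESP_free`; please confirm the declaration reads `OCSP_BASICRESP *basic_resp = NULL;`. The `if (basic_resp)` guard is redundant because the OpenSSL free routines accept NULL, so the two added lines can be the single call `OCSP_BASICRESP_free(basic_resp);`. ParseResponse starts before the hunk, so other allocations released on the same paths cannot be checked from here.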
@@ -110,8 +106,12 @@ export { global ocsp_info_add: event(c: connection); } -# by different hash algorithm, OCSP_Mapping -global ocsp_map: table[string] of OCSP_MEASUREMENT::OCSP_Mapping; +## - map to OCSP_MEASUREMENT::Info +## - indexed by hash algorithm(string), source ip(addr), ocsp +## uri(string), issuer name hash(string), serialNumber(string) +## - is it possible server sends two same certificate? To be +## safe, let's use a queue to store OCSP_MEASUREMENT::Info +global ocsp_map: table[string, addr, string, string, string] of Queue::Queue &read_expire=6mins; # track number of ocsp requests in this connection redef record connection += { @@ -281,10 +281,10 @@ function fill_ocsp_info(c: connection) local h = cert_id$hashAlgorithm; local src_ip: addr = c$id$orig_h; - if ( [src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] !in ocsp_map[h] ) - ocsp_map[h][src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] = Queue::init(); + if ( [h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] !in ocsp_map ) + ocsp_map[h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] = Queue::init(); - Queue::put(ocsp_map[h][src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber], ocsp_info); + Queue::put(ocsp_map[h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber], ocsp_info); } } 
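Review bot: `ocsp_map` is now one global table keyed partly on values taken from traffic (source address, OCSP URI, issuer name hash, serial number), and its only bound is `&read_expire=6mins`. Read expiry restarts on each access, so a key that keeps being touched never ages out, and entries that do expire are dropped without being logged. For a table meant to cap memory, `&create_expire=6mins` with an `&expire_func` that writes the unmatched `Info` records before they are discarded would be safer. The comment above the declaration should also say why the timeout is 6 minutes when the removed `OCSP_Mapping` type used 5.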
@@ -454,12 +454,12 @@ event connection_state_remove(c: connection) &priority= -20 local h = hash_algorithm[i]; for ( [src_ip, ocsp_uri, issuer_name, serial_number] in c$ssl$cert_ts[h] ) { - if ( [src_ip, ocsp_uri, issuer_name, serial_number] in ocsp_map[h] ) + if ( [h, src_ip, ocsp_uri, issuer_name, serial_number] in ocsp_map ) { # find a ocsp to ssl match - local ocsp_info: OCSP_MEASUREMENT::Info = Queue::get(ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]); - if (Queue::len(ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0) - delete ocsp_map[h][src_ip, ocsp_uri, issuer_name, serial_number]; + local ocsp_info: OCSP_MEASUREMENT::Info = Queue::get(ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]); + if (Queue::len(ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]) == 0) + delete ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]; local cert_recv_ts: time = Queue::get(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]); if (Queue::len(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0) delete c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]; @@ -468,6 +468,7 @@ event connection_state_remove(c: connection) &priority= -20 ocsp_info$ssl_cid = c$id; ocsp_info$ssl_change_cipher_ts = c$ssl$change_cipher_ts; ocsp_info$ssl_establish_ts = c$ssl$ssl_establish_ts; + ocsp_info$ssl_end_ts = network_time(); Log::write(LOG, ocsp_info); } } @@ -476,9 +477,5 @@ event connection_state_remove(c: connection) &priority= -20 event bro_init() { - # initialize ocsp_map - for (i in hash_algorithm) - ocsp_map[hash_algorithm[i]] = table(); - Log::create_stream(LOG, [$columns=Info, $path="ocsp-measurement"]); } From 9553c8aefc1452947183631e6852ab367cc232bb Mon Sep 17 00:00:00 2001 
From: Liang Zhu Date: Sun, 12 Jul 2015 13:52:26 -0700 Subject: [PATCH 017/631] separated logging for ocsp and ssl --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 577 ++++++++++++++++++ 1 file changed, 577 insertions(+) create mode 100644 scripts/policy/protocols/ssl/ocsp-ssl-split.bro diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro new file mode 100644 index 0000000000..8f24fa2d47 --- /dev/null +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro 
@@ -0,0 +1,577 @@ +#! log OCSP request, response and related HTTP information +#! log SSL connection which has cert with OCSP uri + +@load base/protocols/http +@load base/frameworks/files +@load base/files/x509 +@load base/protocols/ssl +@load base/utils/queue + +module OCSP_SSL_SPLIT; + +export { + redef enum Log::ID += { LOG_OCSP }; + redef enum Log::ID += { LOG_SSL }; + + type PendingRequests: table[OCSP::CertId] of Queue::Queue; + + type OCSP_Request_Type: record { + ts: time; + fuid: string; + req: OCSP::Request; + }; + + type OCSP_Response_Type: record { + ts: time; + fuid: string; + resp: OCSP::Response; + }; + + type Info_OCSP: record { + ## cert id for the OCSP request + cert_id: OCSP::CertId &log &optional; + + ## request timestamp + req_ts: time &log &optional; + + ## one OCSP request may contain several OCSP requests + ## with different cert id; this is the index of the + ## OCSP request with cert_id in the big OCSP request + req_index: count &log &optional; + + ## request + ## NOTE: this is only one request if multiple requests + ## are sent together in one HTTP message, they will be + ## logged separately + req: OCSP::Info_req &log &optional; + + ## response timestamp + resp_ts: time &log &optional; + + ## one OCSP response may contain several OCSP responses + ## with different cert id; this is the index of the + ## OCSP response with cert_id in the big OCSP response + resp_index: count &log &optional; + + ## response + ## NOTE: similar to request, if multiple responses are + ## sent together in one HTTP message, they will be + ## logged separately + resp: OCSP::Info_resp &log &optional; + + ## HTTP connection id + cid: conn_id &log; + + ## HTTP connection uid + cuid: string &log; + + ## HTTP connection start time + conn_start_ts: time &log; + + ## the time between req_ts and resp_ts + delay: interval &log &optional; + + ## the size of HTTP request body + req_size: count &log &optional; + + ## the size of HTTP request header + req_hdr_size: count &log 
&optional; + + ## the size of HTTP response body + resp_size: count &log &optional; + + ## the size of HTTP response header + resp_hdr_size: count &log &optional; + + ## the HTTP code in the HTTP response + http_code: count &log &optional; + + ## OCSP host, this is host in HTTP request + host: string &log &optional; + + ## OCSP uri, this is uri in HTTP request + uri: string &log &optional; + + ## number of HTTP requests containing ocsp requests in + ## this connection including this one; this may be + ## different from number of OCSP requests since one + ## HTTP request may contain several OCSP requests; + ## this is copied from connection + num_ocsp: count &log &optional; + }; + + type Info_SSL: record { + ## connection id + id: conn_id &log; + + ## uid + uid: string &log; + + ## connection start time + conn_start_ts: time &log &optional; + + ## client hello time + client_hello_ts: time &log &optional; + + ## the time when client receives change cipher message + ## from server + change_cipher_ts: time &log &optional; + + ## the time when SSL connection is established + establish_ts: time &log &optional; + + ## the time when event connection_state_remove happens + end_ts: time &log &optional; + + ## the above are common information for SSL connection + ## the following is specific to an cert + + ## ocsp_uri + ocsp_uri: string &log &optional; + + ## serial_number + serial_number: string &log &optional; + + ## the time when the corresponding certificate is + ## received; formatted as: str(time),str(time) + cert_recv_ts: string &log &optional; + + ## issuer_name + ## formatted as: hash_algorithm1:value1,hash_algorithm2:value2 + issuer_name: string &log &optional; + }; + + ## a group of constant string for hash algorithm; to save + ## memory, remove any unseen hash algorithm + global hash_algorithm = vector("sha1", "sha224", "sha256", "sha384", "sha512"); +} + +redef record connection += { + ## track number of ocsp requests in this connection + num_ocsp: count 
&optional &default=0; + }; + +# add additional information to http info +redef record HTTP::Info += { + ## header length + request_header_len: count &optional &default=0; + response_header_len: count &optional &default=0; + + ## OCSP_Request_Type + ocsp_requests: vector of OCSP_Request_Type &optional; + + ## OCSP_Response_Type + ocsp_responses: vector of OCSP_Response_Type &optional; + + ## connection start time, copied from connection + conn_start_ts: time &optional; + + ## number of OCSP requests so far, copied from connection + num_ocsp: count &optional; +}; + +# add additional information to ssl info +redef record SSL::Info += { + ## connection start time + conn_start_ts: time &optional; + + ## the time when client hello event happens + client_hello_ts: time &optional; + + ## the time when ssl connection is established + establish_ts: time &optional; + + ## the time when server sends change-cipher-spec + change_cipher_ts: time &optional; + + ## indexed by ocsp_uri(string), serialNumber(string), issuer + ## name hash(string). issuer name hash is formatted as: + ## hash_algorithm1:value1,hash_algorithm2:value2 + cert_ts: table[string, string, string] of Queue::Queue &optional; +}; + +# remove the last '/' +function clean_uri(s: string): string + { + local s_len = |s|; + s_len -= 1; + if (s[-1] == "/") + return clean_uri(s[0:s_len]); + else + return s; + } + +# record the header length and update num_ocsp and conn_start_ts +event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) + { + # proceed only this http connection has ocsp request or response + if ( ! c$http?$ocsp_requests && ! 
c$http?$ocsp_responses ) + return; + + if ( is_orig ) + { + c$http$request_header_len = stat$header_length; + c$num_ocsp += 1; + } + else + { + c$http$response_header_len = stat$header_length; + } + c$http$num_ocsp = c$num_ocsp; + c$http$conn_start_ts = c$start_time; + } + +# add ocsp request to http record +event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) + { + if ( ! f?$http ) + return; + local request: OCSP_Request_Type = [$ts = network_time(), + $fuid = f$id, + $req = req]; + if ( ! f$http?$ocsp_requests ) + f$http$ocsp_requests = vector(); + f$http$ocsp_requests[|f$http$ocsp_requests|] = request; + } + +# add ocsp response to http record +event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) + { + if ( ! f?$http ) + return; + local response: OCSP_Response_Type = [$ts = network_time(), + $fuid = f$id, + $resp = resp]; + if ( ! f$http?$ocsp_responses ) + f$http$ocsp_responses = vector(); + f$http$ocsp_responses[|f$http$ocsp_responses|] = response; + } + +# add client hello time and connection start time +event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) + { + c$ssl$client_hello_ts = network_time(); + c$ssl$conn_start_ts = c$start_time; + } + +# add time stamp for server's change cipher message +event ssl_change_cipher_spec(c: connection, is_orig: bool) + { + if ( ! 
is_orig ) + c$ssl$change_cipher_ts = network_time(); + } + +# add ssl established time +event ssl_established(c: connection) + { + c$ssl$establish_ts = network_time(); + } + +# extract the full ocsp uri from certificate extension +function get_ocsp_uri(s: string): string + { + s = strip(s); + s = to_lower(s); + local parts = split_string(s, /\x0a/); + for (x in parts) + { + local f4c = sub_bytes(parts[x], 0, 4); + if (f4c == "ocsp") + { + local w = split_string(parts[x], /\/\//); + return w[1]; + } + } + return ""; + } + +# create ocsp index if ocsp extension is encountered +# record the time when certificate is received +event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { + if ( ! ext?$name || ext$name != "Authority Information Access") + return; + + if ( ! f?$info || ! f$info?$x509 || ! f$info$x509?$handle || ! f$info$x509?$certificate) + return; + + local ocsp_uri: string = clean_uri(get_ocsp_uri(ext$value)); + if ( |ocsp_uri| == 0 ) + return; + + local cert: X509::Certificate = f$info$x509$certificate; + local serial_number: string = cert$serial; + local cert_ref: opaque of x509 = f$info$x509$handle; + + # get connection TODO:TOCHECK + local c: connection; + # there should be only one loop? + for ( id in f$conns ) + c = f$conns[id]; + + if ( ! 
c$ssl?$cert_ts ) + c$ssl$cert_ts = table(); + + local current_ts: time = network_time(); + local issuer_name: string = ""; + + # loop through each hash algorithm + for ( i in hash_algorithm ) + { + local h: string = hash_algorithm[i]; + + # formatted as: hash_algorithm1:value1,hash_algorithm2:value2 + issuer_name += h + ":" + x509_issuer_name_hash(cert_ref, h); + if ( i != (|hash_algorithm| - 1)) + issuer_name += ","; + } + + # if given index is not in record, create a new queue + if ( [ocsp_uri, serial_number, issuer_name] !in c$ssl$cert_ts ) + c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name] = Queue::init(); + + # put the timing information in the queue + Queue::put(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], current_ts); + } + +# log unmatched ocsp request or response +function log_unmatched_ocsp_queue (q: Queue::Queue) + { + local rec: vector of OCSP_SSL_SPLIT::Info_OCSP; + Queue::get_vector(q, rec); + for ( i in rec ) + Log::write(LOG_OCSP, rec[i]); + } + +# log unmatched ocsp request or response +function log_unmatched_ocsp(ocsp: table[OCSP::CertId] of Queue::Queue) + { + for ( cert_id in ocsp ) + log_unmatched_ocsp_queue(ocsp[cert_id]); + clear_table(ocsp); + } + +# update http data in ocsp info record +function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) + { + if ( http?$host ) + ocsp$host = http$host; + + if ( http?$uri ) + ocsp$uri = http$uri; + + if ( http?$status_code ) + ocsp$http_code = http$status_code; + + if ( http?$request_body_len ) + ocsp$req_size = http$request_body_len; + + if ( http?$request_header_len ) + ocsp$req_hdr_size = http$request_header_len; + + if ( http?$response_body_len ) + ocsp$resp_size = http$response_body_len; + + if ( http?$response_header_len ) + ocsp$resp_hdr_size = http$response_header_len; + } + +# get all the ocsp requests +function get_ocsp_requests(http: HTTP::Info): PendingRequests + { + local pending_ocsp_requests: PendingRequests = table(); + + if ( ! 
http?$ocsp_requests ) + return pending_ocsp_requests; + + for ( x in http$ocsp_requests ) + { + local request: OCSP_Request_Type = http$ocsp_requests[x]; + if ( ! request?$req ) + next; + + local req: OCSP::Request = request$req; + if ( ! req?$requestList ) + next; + + local req_index: count = 0; + for ( y in req$requestList ) + { + req_index += 1; + local one_req = req$requestList[y]; + local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, + $issuerNameHash = one_req$issuerNameHash, + $issuerKeyHash = one_req$issuerKeyHash, + $serialNumber = one_req$serialNumber]; + + local req_rec: OCSP::Info_req = [$ts=request$ts, $id=request$fuid, $certId=cert_id]; + + if (req?$version) + req_rec$version = req$version; + + if (req?$requestorName) + req_rec$requestorName = req$requestorName; + + local ocsp_info_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cert_id = cert_id, + $req_ts = request$ts, + $req_index = req_index, + $req = req_rec, + $cid = http$id, + $cuid = http$uid, + $conn_start_ts = http$conn_start_ts, + $num_ocsp = http$num_ocsp]; + update_http_info(ocsp_info_rec, http); + + if ( cert_id !in pending_ocsp_requests ) + pending_ocsp_requests[cert_id] = Queue::init(); + + Queue::put(pending_ocsp_requests[cert_id], ocsp_info_rec); + } + } + return pending_ocsp_requests; + } + +# log OCSP +function start_log_ocsp(http: HTTP::Info) + { + if ( ! http?$ocsp_requests && ! http?$ocsp_responses ) + return; + + local pending_ocsp_requests: PendingRequests = get_ocsp_requests(http); + + if ( ! http?$ocsp_responses ) + { + log_unmatched_ocsp(pending_ocsp_requests); + return; + } + + for ( x in http$ocsp_responses ) + { + local response: OCSP_Response_Type = http$ocsp_responses[x]; + if ( ! response?$resp ) + next; + + local resp: OCSP::Response = response$resp; + if ( ! 
resp?$responses ) + next; + + local resp_index: count = 0; + for ( y in resp$responses ) + { + resp_index += 1; + local single_resp: OCSP::SingleResp = resp$responses[y]; + local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, + $issuerNameHash = single_resp$issuerNameHash, + $issuerKeyHash = single_resp$issuerKeyHash, + $serialNumber = single_resp$serialNumber]; + + local resp_rec: OCSP::Info_resp = [$ts = response$ts, + $id = response$fuid, + $responseStatus = resp$responseStatus, + $responseType = resp$responseType, + $version = resp$version, + $responderID = resp$responderID, + $producedAt = resp$producedAt, + $certId = cert_id, + $certStatus = single_resp$certStatus, + $thisUpdate = single_resp$thisUpdate]; + if ( single_resp?$nextUpdate ) + resp_rec$nextUpdate = single_resp$nextUpdate; + + if ( cert_id in pending_ocsp_requests) + { + # find a match + local ocsp_info: OCSP_SSL_SPLIT::Info_OCSP = Queue::get(pending_ocsp_requests[cert_id]); + ocsp_info$resp = resp_rec; + ocsp_info$resp_ts = response$ts; + ocsp_info$resp_index = resp_index; + + # update http info, previously filled in fill_ocsp_request + update_http_info(ocsp_info, http); + + ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts; + + if (Queue::len(pending_ocsp_requests[cert_id]) == 0) + delete pending_ocsp_requests[cert_id]; + + Log::write(LOG_OCSP, ocsp_info); + } + else + { + local ocsp_info_noreq: OCSP_SSL_SPLIT::Info_OCSP = [$cert_id = cert_id, + $resp_ts = resp_rec$ts, + $resp_index = resp_index, + $resp = resp_rec, + $cid = http$id, + $cuid = http$uid, + $conn_start_ts = http$conn_start_ts, + $num_ocsp = http$num_ocsp]; + update_http_info(ocsp_info_noreq, http); + Log::write(LOG_OCSP, ocsp_info_noreq); + } + } + } + if ( |pending_ocsp_requests| != 0 ) + log_unmatched_ocsp(pending_ocsp_requests); + } + +# log OCSP information +event HTTP::log_http(rec: HTTP::Info) + { + start_log_ocsp(rec); + } + +# update ssl info +function update_ssl_info(ssl_rec: 
OCSP_SSL_SPLIT::Info_SSL, ssl: SSL::Info) + { + if ( ssl?$conn_start_ts ) + ssl_rec$conn_start_ts = ssl$conn_start_ts; + + if ( ssl?$client_hello_ts ) + ssl_rec$client_hello_ts = ssl$client_hello_ts; + + if ( ssl?$establish_ts ) + ssl_rec$establish_ts = ssl$establish_ts; + + if ( ssl?$change_cipher_ts ) + ssl_rec$change_cipher_ts = ssl$change_cipher_ts; + } + +# log SSL information when ssl connection is removed +event connection_state_remove(c: connection) &priority= -20 + { + if ( ! c?$ssl || ! c$ssl?$cert_ts ) + return; + + for ( [ocsp_uri, serial_number, issuer_name] in c$ssl$cert_ts ) + { + local ssl_info_rec: OCSP_SSL_SPLIT::Info_SSL = [$id = c$id, + $uid = c$uid, + $end_ts = network_time()]; + + ssl_info_rec$ocsp_uri = ocsp_uri; + ssl_info_rec$serial_number = serial_number; + ssl_info_rec$issuer_name = issuer_name; + + # convert all the elements in the queue to a formatted string + local cert_recv_ts_str: string = ""; + local elem: vector of time; + Queue::get_vector(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], elem); + for ( i in elem ) + { + cert_recv_ts_str += fmt("%f",elem[i]); + if ( i != (|elem| - 1)) + issuer_name += ","; + } + ssl_info_rec$cert_recv_ts = cert_recv_ts_str; + update_ssl_info(ssl_info_rec, c$ssl); + Log::write(LOG_SSL, ssl_info_rec); + #delete c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name]; + } + clear_table(c$ssl$cert_ts); + } + +event bro_init() + { + Log::create_stream(LOG_OCSP, [$columns=Info_OCSP, $path="ocsp-to-match"]); + Log::create_stream(LOG_SSL, [$columns=Info_SSL, $path="ssl-to-match"]); + } From 1f5a7aecbc1a2c348c1d2e6efa575d3afead754e Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Mon, 13 Jul 2015 15:23:56 -0700 Subject: [PATCH 018/631] change log schema for ocsp-ssl-split.bro --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 125 ++++++++++++------ 1 file changed, 87 insertions(+), 38 deletions(-) 
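Review bot: In `connection_state_remove` the separator is appended to the wrong variable: `issuer_name += ",";` inside the `for ( i in elem )` loop modifies the loop key, so `cert_recv_ts` comes out as timestamps run together instead of the `str(time),str(time)` form the field comment promises; it should be `cert_recv_ts_str += ",";`. Two other places rely on certificate or file state that may be absent. `get_ocsp_uri` returns `w[1]` without checking that the split on `//` produced a second element, and `x509_extension` reads `c$ssl` after a loop over `f$conns` that can leave `c` unset or select a connection with no `ssl` record. Guards such as `if ( |w| < 2 ) next;` and `if ( ! c?$ssl ) return;` would keep a malformed or non-TLS certificate from aborting the handler with a runtime error.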
diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 8f24fa2d47..d292697a69 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -86,11 +86,9 @@ export { ## the HTTP code in the HTTP response http_code: count &log &optional; - ## OCSP host, this is host in HTTP request - host: string &log &optional; - - ## OCSP uri, this is uri in HTTP request - uri: string &log &optional; + ## host in HTTP request + uri in HTTP request + ## last '/' is removed + ocsp_uri: string &log &optional; ## number of HTTP requests containing ocsp requests in ## this connection including this one; this may be @@ -100,6 +98,14 @@ export { num_ocsp: count &log &optional; }; + type Issuer_Name_Type: record { + sha1: string &log &optional; + sha224: string &log &optional; + sha256: string &log &optional; + sha384: string &log &optional; + sha512: string &log &optional; + }; + type Info_SSL: record { ## connection id id: conn_id &log; @@ -112,14 +118,22 @@ export { ## client hello time client_hello_ts: time &log &optional; + + ## server hello time + server_hello_ts: time &log &optional; - ## the time when client receives change cipher message - ## from server - change_cipher_ts: time &log &optional; + ## the time for client change cipher message + client_change_cipher_ts: time &log &optional; + + ## the time for server change cipher message + server_change_cipher_ts: time &log &optional; ## the time when SSL connection is established establish_ts: time &log &optional; + ## the time for the first encrypted application data + client_first_encrypt_ts: time &log &optional; + ## the time when event connection_state_remove happens end_ts: time &log &optional; 
@@ -137,15 +151,12 @@ export { cert_recv_ts: string &log &optional; ## issuer_name - ## formatted as: hash_algorithm1:value1,hash_algorithm2:value2 - issuer_name: string &log &optional; + issuer_name: Issuer_Name_Type &log &optional; }; - - ## a group of constant string for hash algorithm; to save - ## memory, remove any unseen hash algorithm - global hash_algorithm = vector("sha1", "sha224", "sha256", "sha384", "sha512"); } +redef SSL::disable_analyzer_after_detection=F; + redef record connection += { ## track number of ocsp requests in this connection num_ocsp: count &optional &default=0; @@ -178,22 +189,32 @@ redef record SSL::Info += { ## the time when client hello event happens client_hello_ts: time &optional; + ## server hello time + server_hello_ts: time &optional; + ## the time when ssl connection is established establish_ts: time &optional; - ## the time when server sends change-cipher-spec - change_cipher_ts: time &optional; - + ## the time for client change cipher message + client_change_cipher_ts: time &optional; + + ## the time for server change cipher message + server_change_cipher_ts: time &optional; + ## indexed by ocsp_uri(string), serialNumber(string), issuer - ## name hash(string). issuer name hash is formatted as: - ## hash_algorithm1:value1,hash_algorithm2:value2 - cert_ts: table[string, string, string] of Queue::Queue &optional; + ## name hash(string) + cert_ts: table[string, string, OCSP_SSL_SPLIT::Issuer_Name_Type] of Queue::Queue &optional; + + ## the time for the first encrypted application data + client_first_encrypt_ts: time &optional; }; # remove the last '/' function clean_uri(s: string): string { local s_len = |s|; + if ( s_len == 0 ) + return s; s_len -= 1; if (s[-1] == "/") return clean_uri(s[0:s_len]); 
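Review bot: The added `redef SSL::disable_analyzer_after_detection=F;` below the export block changes a global SSL setting for every connection as soon as this policy script is loaded, and nothing in the file says why. It appears to be there so that the `ssl_encrypted_data` handler added later in this commit can record `client_first_encrypt_ts`, at the price of the analyzer staying attached after the handshake on all TLS traffic the sensor sees. I would put a comment directly above it, for example `# keep the SSL analyzer attached after the handshake so ssl_encrypted_data fires; applies to every TLS connection and adds per-record work`, and repeat the side effect in the script's header documentation so operators know what loading the script costs.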
@@ -247,6 +268,12 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo f$http$ocsp_responses[|f$http$ocsp_responses|] = response; } +# add server hello time +event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)&priority=5 + { + c$ssl$server_hello_ts = network_time(); + } + # add client hello time and connection start time event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) { @@ -257,8 +284,10 @@ event ssl_client_hello(c: connection, version: count, possible_ts: time, client_ # add time stamp for server's change cipher message event ssl_change_cipher_spec(c: connection, is_orig: bool) { - if ( ! is_orig ) - c$ssl$change_cipher_ts = network_time(); + if ( is_orig ) + c$ssl$client_change_cipher_ts = network_time(); + else + c$ssl$server_change_cipher_ts = network_time(); } # add ssl established time @@ -267,6 +296,16 @@ event ssl_established(c: connection) c$ssl$establish_ts = network_time(); } +# add time when first encrypted application data is sent from client +event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count) + { + if ( ! c?$ssl ) + return; + + if ( content_type == SSL::APPLICATION_DATA && length > 0 && is_orig && ! c$ssl?$client_first_encrypt_ts ) + c$ssl$client_first_encrypt_ts = network_time(); + } + # extract the full ocsp uri from certificate extension function get_ocsp_uri(s: string): string { 
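Review bot: The new `ssl_server_hello` handler assigns `c$ssl$server_hello_ts` without checking that `c$ssl` exists, while the `ssl_encrypted_data` handler added in the same commit starts with `if ( ! c?$ssl ) return;`. The handler runs at `&priority=5`, and whether the base SSL script has already created the record at that point is not visible here; a capture that starts mid-handshake would be the case to worry about. Adding the same guard, `if ( ! c?$ssl ) return;`, as the first statement keeps the handlers consistent. The rewritten `ssl_change_cipher_spec` body in the next hunk on this line writes `c$ssl$client_change_cipher_ts` and `c$ssl$server_change_cipher_ts` with no guard either and would take the same line.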
@@ -312,18 +351,13 @@ event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { c$ssl$cert_ts = table(); local current_ts: time = network_time(); - local issuer_name: string = ""; - - # loop through each hash algorithm - for ( i in hash_algorithm ) - { - local h: string = hash_algorithm[i]; - # formatted as: hash_algorithm1:value1,hash_algorithm2:value2 - issuer_name += h + ":" + x509_issuer_name_hash(cert_ref, h); - if ( i != (|hash_algorithm| - 1)) - issuer_name += ","; - } + local issuer_name: Issuer_Name_Type; + issuer_name$sha1 = x509_issuer_name_hash(cert_ref, "sha1"); + issuer_name$sha224 = x509_issuer_name_hash(cert_ref, "sha224"); + issuer_name$sha256 = x509_issuer_name_hash(cert_ref, "sha256"); + issuer_name$sha384 = x509_issuer_name_hash(cert_ref, "sha384"); + issuer_name$sha512 = x509_issuer_name_hash(cert_ref, "sha512"); # if given index is not in record, create a new queue if ( [ocsp_uri, serial_number, issuer_name] !in c$ssl$cert_ts ) @@ -354,10 +388,16 @@ function log_unmatched_ocsp(ocsp: table[OCSP::CertId] of Queue::Queue) function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) { if ( http?$host ) - ocsp$host = http$host; + ocsp$ocsp_uri = http$host; if ( http?$uri ) - ocsp$uri = http$uri; + if ( ocsp?$ocsp_uri ) + ocsp$ocsp_uri += http$uri; + else + ocsp$ocsp_uri = http$uri; + + if ( ocsp?$ocsp_uri ) + ocsp$ocsp_uri = clean_uri(ocsp$ocsp_uri); if ( http?$status_code ) ocsp$http_code = http$status_code; 
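Review bot: In `update_http_info` the new `ocsp_uri` is the HTTP `Host` value concatenated with the request URI, both stored exactly as the client sent them, so one responder can appear under several spellings of its host name. If this field is later joined against the URI that `get_ocsp_uri` extracts from the certificate (that join is not visible in this hunk), a difference in letter case alone makes the join miss; lowercasing the host part, `ocsp$ocsp_uri = to_lower(http$host);`, would remove that source of mismatches. The nested `if ( http?$uri ) if ( ocsp?$ocsp_uri ) ... else ...` is also written without braces, and bracing the outer `if` would make it plain which `if` the `else` belongs to.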
@@ -529,11 +569,20 @@ function update_ssl_info(ssl_rec: OCSP_SSL_SPLIT::Info_SSL, ssl: SSL::Info) if ( ssl?$client_hello_ts ) ssl_rec$client_hello_ts = ssl$client_hello_ts; + if ( ssl?$client_first_encrypt_ts ) + ssl_rec$client_first_encrypt_ts = ssl$client_first_encrypt_ts; + + if ( ssl?$server_hello_ts ) + ssl_rec$server_hello_ts = ssl$server_hello_ts; + if ( ssl?$establish_ts ) ssl_rec$establish_ts = ssl$establish_ts; - if ( ssl?$change_cipher_ts ) - ssl_rec$change_cipher_ts = ssl$change_cipher_ts; + if ( ssl?$client_change_cipher_ts ) + ssl_rec$client_change_cipher_ts = ssl$client_change_cipher_ts; + + if ( ssl?$server_change_cipher_ts ) + ssl_rec$server_change_cipher_ts = ssl$server_change_cipher_ts; } # log SSL information when ssl connection is removed @@ -560,7 +609,7 @@ event connection_state_remove(c: connection) &priority= -20 { cert_recv_ts_str += fmt("%f",elem[i]); if ( i != (|elem| - 1)) - issuer_name += ","; + cert_recv_ts_str += ","; } ssl_info_rec$cert_recv_ts = cert_recv_ts_str; update_ssl_info(ssl_info_rec, c$ssl); From 01094bfc43545267ffff3679fbdac12656069777 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 15 Jul 2015 00:40:39 -0700 Subject: [PATCH 019/631] add parsing ocsp request in get url --- scripts/base/files/ocsp/main.bro | 292 +++++++++++++----- src/file_analysis/analyzer/ocsp/OCSP.cc | 2 +- src/file_analysis/analyzer/ocsp/functions.bif | 34 +- 3 files changed, 253 insertions(+), 75 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 62a414d3cf..62d7d2e785 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -14,7 +14,7 @@ export { redef enum Log::ID += { LOG }; ## type for pending ocsp request - type PendingRequests: table[OCSP::CertId] of Queue::Queue; + type PendingQueue: table[OCSP::CertId] of Queue::Queue; ## NOTE: one file could contain several requests ## one ocsp request record 
@@ -22,7 +22,7 @@ export { ## time for the request ts: time; ## file id for this request - id: string &log; + id: string &log &optional; ## connection id cid: conn_id &optional; ## connection uid @@ -35,6 +35,8 @@ export { ## several ocsp requests ## request cert id certId: OCSP::CertId &optional; + ## HTTP method + method: string &optional; }; ## NOTE: one file could contain several response 
@@ -94,52 +96,68 @@ export { ## response resp: Info_resp &log &optional; + + ## HTTP method + method: string &log &optional; }; ## Event for accessing logged OCSP records. global log_ocsp: event(rec: Info); } -redef record connection += { - ## keep track of pending requests received so for - ocsp_requests: PendingRequests &optional; +redef record HTTP::Info += { + # there should be one request and response but use Queue here + # just in case + ocsp_requests: PendingQueue &optional; + ocsp_responses: PendingQueue &optional; + + current_content_type: string &optional &default=""; + original_uri: string &optional; + + # flag for checking get uri + checked_get: bool &optional &default=F; }; -event bro_init() &priority=5 +event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) { - Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]); + c$http$original_uri = original_URI; } -function get_http_info(f: fa_file, meta: fa_metadata) +event http_content_type(c: connection, is_orig: bool, ty: string, subty: string) { - if (f$source != "HTTP" || !meta?$mime_type) + c$http$current_content_type = to_lower(ty + "/" + subty); + } + +function check_ocsp_file(f: fa_file, meta: fa_metadata) + { + if ( f$source != "HTTP" || ! 
f?$http ) return; # call OCSP file analyzer - if (meta$mime_type == "application/ocsp-request") + if ( (meta?$mime_type && meta$mime_type == "application/ocsp-request") || f$http$current_content_type == "application/ocsp-request") + { Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "request"]); - else if (meta$mime_type == "application/ocsp-response") + } + else if ( (meta?$mime_type && meta$mime_type == "application/ocsp-response") || f$http$current_content_type == "application/ocsp-response") + { Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "response"]); + } } event file_sniff(f: fa_file, meta: fa_metadata) &priority = 5 { if (f$source == "HTTP") - get_http_info(f, meta); + check_ocsp_file(f, meta); } -event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) &priority = 5 +function update_http_info(http: HTTP::Info, req_rec: OCSP::Info_req) { - local conn: connection; - local cid: conn_id; - - # there should be only one loop: one connection - for (id in f$conns) - { - cid = id; - conn = f$conns[id]; - } + if ( http?$method ) + req_rec$method = http$method; + } +function enq_request(http: HTTP::Info, req: OCSP::Request, file_id: string, req_ts: time) + { if (req?$requestList) { for (x in req$requestList) 
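Review bot: The new `http_content_type` handler ignores `is_orig` and stores the header of either direction in the single field `c$http$current_content_type`, which `check_ocsp_file` then trusts in addition to the sniffed MIME type. A value recorded from the request headers is therefore still in place when the response body is sniffed, so a reply that carries no Content-Type of its own, or whose sniffed type is `application/ocsp-response`, can be attached with `$ocsp_type = "request"` because the request branch is tested first. I would keep one value per direction and compare against the one that matches the file's direction, and let the sniffed `meta$mime_type` win when both are present. The handler also writes `c$http` without a `c?$http` check, which the other new code paths in this commit (`if ( ! f?$http ) return;`) do perform.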
@@ -149,47 +167,57 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) $issuerNameHash = one_req$issuerNameHash, $issuerKeyHash = one_req$issuerKeyHash, $serialNumber = one_req$serialNumber]; - - local req_rec: Info_req = [$ts=network_time(), $id=f$id, $certId=cert_id, $cid=conn$id, $cuid=conn$uid]; - - if (req?$version) + local req_rec: OCSP::Info_req = [$ts = req_ts, + $certId = cert_id, + $cid = http$id, + $cuid = http$uid]; + if ( |file_id| > 0 && http$method != "GET" ) + req_rec$id = file_id; + + if ( req?$version ) req_rec$version = req$version; - if (req?$requestorName) + if ( req?$requestorName ) req_rec$requestorName = req$requestorName; - if (!conn?$ocsp_requests) - conn$ocsp_requests = table(); + if ( ! http?$ocsp_requests ) + http$ocsp_requests = table(); - if (cert_id !in conn$ocsp_requests) - conn$ocsp_requests[cert_id] = Queue::init(); + if ( cert_id !in http$ocsp_requests ) + http$ocsp_requests[cert_id] = Queue::init(); - Queue::put(conn$ocsp_requests[cert_id], req_rec); + update_http_info(http, req_rec); + Queue::put(http$ocsp_requests[cert_id], req_rec); } } else { # no request content? this is weird but log it anyway - local req_rec_empty: Info_req = [$ts=network_time(), $id=f$id, $cid=conn$id, $cuid=conn$uid]; + local req_rec_empty: OCSP::Info_req = [$ts = req_ts, + $cid = http$id, + $cuid = http$uid]; + if ( |file_id| > 0 && http$method != "GET" ) + req_rec_empty$id = file_id; if (req?$version) req_rec_empty$version = req$version; if (req?$requestorName) req_rec_empty$requestorName = req$requestorName; - Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=conn$id, $cuid=conn$uid]); + update_http_info(http, req_rec_empty); + Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method]); } + } + +event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) &priority = 5 + { + if ( ! 
f?$http ) + return; + enq_request(f$http, req, f$id, network_time()); } event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) &priority = 5 { - local conn: connection; - local cid: conn_id; - - # there should be only one loop - for (id in f$conns) - { - cid = id; - conn = f$conns[id]; - } + if ( ! f?$http ) + return; if (resp?$responses) { @@ -200,8 +228,10 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $issuerNameHash = single_resp$issuerNameHash, $issuerKeyHash = single_resp$issuerKeyHash, $serialNumber = single_resp$serialNumber]; - local resp_rec: Info_resp = [$ts = network_time(), $id = f$id, - $cid=conn$id, $cuid=conn$uid, + local resp_rec: Info_resp = [$ts = network_time(), + $id = f$id, + $cid = f$http$id, + $cuid = f$http$uid, $responseStatus = resp$responseStatus, $responseType = resp$responseType, $version = resp$version, 
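Review bot: `enq_request` reads `http$method` without testing that it is set, both in `if ( |file_id| > 0 && http$method != "GET" )` (twice) and in the record passed to `Log::write(LOG, [..., $method=http$method])` in the no-request-content branch. The helper `update_http_info` added in the previous hunk guards the same field with `http?$method`, and patch 020 further down this page adds that guard in `start_log_ocsp` but leaves this function as it is. The condition could read `if ( |file_id| > 0 && ( ! http?$method || http$method != "GET" ) )`, and the log record is better built first with `$method` assigned only under `if ( http?$method )`. The function starts in the preceding hunk, so its signature is not part of this one.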
@@ -213,56 +243,172 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo if (single_resp?$nextUpdate) resp_rec$nextUpdate = single_resp$nextUpdate; - if (conn?$ocsp_requests && cert_id in conn$ocsp_requests) - { - # find a match - local req_rec: Info_req = Queue::get(conn$ocsp_requests[cert_id]); - Log::write(LOG, [$ts=req_rec$ts, $certId=req_rec$certId, $req=req_rec, $resp_ts=resp_rec$ts, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); - if (Queue::len(conn$ocsp_requests[cert_id]) == 0) - delete conn$ocsp_requests[cert_id]; #if queue is empty, delete it? - } - else - { - # do not find a match; this is weird but log it - Log::write(LOG, [$ts=resp_rec$ts, $certId=resp_rec$certId, $resp_ts=resp_rec$ts, $resp=resp_rec, $cid=conn$id, $cuid=conn$uid]); - } + if ( ! f$http?$ocsp_responses ) + f$http$ocsp_responses = table(); + + if ( cert_id !in f$http$ocsp_responses ) + f$http$ocsp_responses[cert_id] = Queue::init(); + + Queue::put(f$http$ocsp_responses[cert_id], resp_rec); } } else { # no response content? 
this is weird but log it anyway - local resp_rec_empty: Info_resp = [$ts=network_time(), $id=f$id, - $cid=conn$id, $cuid=conn$uid, + local resp_rec_empty: Info_resp = [$ts = network_time(), + $id = f$id, + $cid = f$http$id, + $cuid = f$http$uid, $responseStatus = resp$responseStatus, $responseType = resp$responseType, $version = resp$version, $responderID = resp$responderID, $producedAt = resp$producedAt]; - Log::write(LOG, [$ts=resp_rec_empty$ts, $resp_ts=resp_rec_empty$ts, $resp=resp_rec_empty, $cid=conn$id, $cuid=conn$uid]); + local info_rec: Info = [$ts = resp_rec_empty$ts, + $resp_ts = resp_rec_empty$ts, + $resp = resp_rec_empty, + $cid = f$http$id, + $cuid = f$http$uid]; + if ( f$http?$method ) + info_rec$method = f$http$method; + Log::write(LOG, info_rec); } } -function log_unmatched_msgs_queue(q: Queue::Queue) +function log_unmatched_reqs_queue(q: Queue::Queue) { local reqs: vector of Info_req; Queue::get_vector(q, reqs); - for ( i in reqs ) - Log::write(LOG, [$ts=reqs[i]$ts, $certId=reqs[i]$certId, $req=reqs[i], $cid=reqs[i]$cid, $cuid=reqs[i]$cuid]); + { + local info_rec: Info = [$ts = reqs[i]$ts, + $certId = reqs[i]$certId, + $req = reqs[i], + $cid = reqs[i]$cid, + $cuid = reqs[i]$cuid]; + if ( reqs[i]?$method ) + info_rec$method = reqs[i]$method; + Log::write(LOG, info_rec); + } } -function log_unmatched_msgs(msgs: PendingRequests) +function log_unmatched_reqs(reqs: PendingQueue) { - for ( cert_id in msgs ) - log_unmatched_msgs_queue(msgs[cert_id]); - - clear_table(msgs); + for ( cert_id in reqs ) + log_unmatched_reqs_queue(reqs[cert_id]); + clear_table(reqs); } -# need to log unmatched ocsp request if any -event connection_state_remove(c: connection) &priority= -5 +function remove_first_slash(s: string): string { - if (! 
c?$ocsp_requests) + local s_len = |s|; + if (s[0] == "/") + return s[1:s_len]; + else + return s; + } + +function get_uri_prefix(s: string): string + { + s = remove_first_slash(s); + local w = split_string(s, /\//); + if (|w| > 1) + return w[0]; + else + return ""; + } + +function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request + { + local parsed_req: OCSP::Request; + if ( ! http?$original_uri ) + return parsed_req;; + + local uri: string = remove_first_slash(http$uri); + local uri_prefix: string = get_uri_prefix(http$original_uri); + local ocsp_req_str: string; + + if ( |uri_prefix| == 0 ) + { + ocsp_req_str = uri; + } + else if (|uri_prefix| > 0) + { + uri_prefix += "/"; + ocsp_req_str = uri[|uri_prefix|:]; + } + parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); + return parsed_req; + } + +function start_log_ocsp(http: HTTP::Info) + { + if ( ! http?$ocsp_requests && ! http?$ocsp_responses ) return; - log_unmatched_msgs(c$ocsp_requests); + + if ( ! http?$ocsp_responses ) + { + log_unmatched_reqs(http$ocsp_requests); + return; + } + + for ( cert_id in http$ocsp_responses ) + { + while ( Queue::len(http$ocsp_responses[cert_id]) != 0 ) + { + # have unmatched responses + local resp_rec: Info_resp = Queue::get(http$ocsp_responses[cert_id]); + local info_rec: Info = [$ts = resp_rec$ts, + $certId = resp_rec$certId, + $resp_ts = resp_rec$ts, + $resp = resp_rec, + $cid = http$id, + $cuid = http$uid, + $method = http$method]; + + if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) + { + # find a match + local req_rec: Info_req = Queue::get(http$ocsp_requests[cert_id]); + info_rec$req = req_rec; + info_rec$ts = req_rec$ts; + if (Queue::len(http$ocsp_requests[cert_id]) == 0) + delete http$ocsp_requests[cert_id]; + } + else + { + if ( http$method == "GET" && ! 
http$checked_get ) + { + http$checked_get = T; + local req_get: OCSP::Request = check_ocsp_request_uri(http); + enq_request(http, req_get, "", http$ts); + if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) + { + # find a match + local req_rec_tmp: Info_req = Queue::get(http$ocsp_requests[cert_id]); + info_rec$req = req_rec_tmp; + info_rec$ts = req_rec_tmp$ts; + if (Queue::len(http$ocsp_requests[cert_id]) == 0) + delete http$ocsp_requests[cert_id]; + } + } + } + Log::write(LOG, info_rec); + } + if ( Queue::len(http$ocsp_responses[cert_id]) == 0 ) + delete http$ocsp_responses[cert_id]; + } + if ( http?$ocsp_requests && |http$ocsp_requests| != 0 ) + log_unmatched_reqs(http$ocsp_requests); + } + +# log OCSP information +event HTTP::log_http(rec: HTTP::Info) + { + start_log_ocsp(rec); + } + +event bro_init() &priority=5 + { + Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]); } diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index d49d8d4beb..d0b1a62f90 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc @@ -373,7 +373,7 @@ RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val) { len = -1; len = GENERAL_NAME_to_cstr(buf, buf_len, (void *)(inf->requestorName)); - if (len > 1) + if (len > 0) ocsp_req_record->Assign(1, new StringVal(len, buf)); } diff --git a/src/file_analysis/analyzer/ocsp/functions.bif b/src/file_analysis/analyzer/ocsp/functions.bif index 19d9ac1cb5..164b4a63ec 100644 --- a/src/file_analysis/analyzer/ocsp/functions.bif +++ b/src/file_analysis/analyzer/ocsp/functions.bif @@ -9,7 +9,7 @@ ## ## Returns: A OCSP::Response structure. ## -## .. bro:see:: ssl_stapled_ocsp +## .. bro:see:: ssl_stapled_ocsp ocsp_parse_request function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response %{ const unsigned char* start = ocsp_reply->Bytes(); 
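Review bot: `check_ocsp_request_uri` measures the prefix on the escaped `http$original_uri` but cuts it off the unescaped `http$uri`, and `get_uri_prefix` returns only the first path segment. A responder path with more than one segment leaves the remaining segments in front of the base64 text handed to `decode_base64`, and a prefix that contains escaped characters has a different length in the two strings, so in both cases the request is not parsed and the response is logged as unmatched. Taking the last segment of the original URI and unescaping it is more direct: `local parts = split_string(remove_first_slash(http$original_uri), /\//);` followed by `ocsp_req_str = unescape_URI(parts[|parts| - 1]);`. A client that leaves `/` unescaped inside the base64 text stays ambiguous either way, which deserves a comment on the function. Patch 022 later on this page moves the function unchanged, so the same applies there, and `return parsed_req;;` has a stray semicolon.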
@@ -34,3 +34,35 @@ function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response //Unref(resp_record); return resp_record; %} + +## Parses a OCSP request into an OCSP::Request structure. +## +## ocsp_req: OCSP data. +## +## Returns: A OCSP::Request structure. +## +## .. bro:see:: ssl_stapled_ocsp ocsp_parse_response +function ocsp_parse_request%(ocsp_req: string%): OCSP::Request + %{ + const unsigned char* start = ocsp_req->Bytes(); + OCSP_REQUEST *req = NULL; + file_analysis::OCSP_REQVal* req_val = NULL; + RecordVal* req_record = NULL; + req = d2i_OCSP_REQUEST(NULL, &start, ocsp_req->Len()); + if ( ! req ) + { + reporter->Weird("OPENSSL Could not parse OCSP request"); + return NULL; + } + req_val = new file_analysis::OCSP_REQVal(req); + req_record = file_analysis::OCSP::ParseRequest(req_val); + if (!req_record) + { + reporter->Weird("Internal fail to parse OCSP request"); + Unref(req_val); + return NULL; + } + Unref(req_val); + //Unref(req_record); + return req_record; + %} From c2f1c428f0b460923d27df5f2134dd6bb10e68fc Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 15 Jul 2015 01:06:12 -0700 Subject: [PATCH 020/631] fix a bug and update baseline --- scripts/base/files/ocsp/main.bro | 7 ++++--- .../ocsp.log | 10 +++++----- .../ocsp.log | 10 +++++----- .../ocsp.log | 10 +++++----- 4 files changed, 19 insertions(+), 18 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 62d7d2e785..f567b7fb8a 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -363,8 +363,7 @@ function start_log_ocsp(http: HTTP::Info) $resp_ts = resp_rec$ts, $resp = resp_rec, $cid = http$id, - $cuid = http$uid, - $method = http$method]; + $cuid = http$uid]; if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) { 
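Review bot: The doc comment of the new `ocsp_parse_request` promises `Returns: A OCSP::Request structure.` but both failure paths end in `return NULL;`, and the script-level caller added in this series feeds it base64 text taken from a GET path, so failures will be routine rather than exceptional. What a script receives in that case is not visible from this hunk; the comment should state it, for example `## Returns: A OCSP::Request structure. If the data cannot be parsed, a weird is raised and no record is returned, so callers must not assume the fields are set.` The two `Unref(req_val);` calls can also be merged into one placed before the `if (!req_record)` test, which leaves the error branch with only the `Weird` call and the return.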
@@ -377,7 +376,7 @@ function start_log_ocsp(http: HTTP::Info) } else { - if ( http$method == "GET" && ! http$checked_get ) + if ( http?$method && http$method == "GET" && ! http$checked_get ) { http$checked_get = T; local req_get: OCSP::Request = check_ocsp_request_uri(http); @@ -393,6 +392,8 @@ function start_log_ocsp(http: HTTP::Info) } } } + if ( http?$method ) + info_rec$method = http$method; Log::write(LOG, info_rec); } if ( Queue::len(http$ocsp_responses[cert_id]) == 0 ) diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log index 3ac21e3f22..555d7436f1 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-06-23-03-35 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time addr port addr port string string string string string string count string time string string string count string string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - - -#close 2015-07-06-23-03-35 +#open 2015-07-15-07-54-54 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string time string string string count string string string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - - POST +#close 2015-07-15-07-54-54 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index 53c2b598d5..a57882aa1c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-06-23-05-10 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time addr port addr port string string string string string string count string time string string string count string string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-07-06-23-05-10 +#open 2015-07-15-07-55-45 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string time string string string count string string string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z POST +#close 2015-07-15-07-55-45 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index 4889fdc434..d4c551027e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-06-23-05-43 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate -#types time addr port addr port string string string string string string count string time string string string count string string string string string -1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z -#close 2015-07-06-23-05-43 +#open 2015-07-15-08-02-35 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string time string string string count string string string string string string +1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z - +#close 2015-07-15-08-02-35 
From fc35ab9bf5b78f088a795f35c01e54ec82c01b84 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 15 Jul 2015 01:30:46 -0700 Subject: [PATCH 021/631] add a btest for ocsp http get --- .../ocsp.log | 10 ++++++++++ testing/btest/Traces/tls/ocsp-http-get.pcap | Bin 0 -> 1812 bytes .../base/protocols/ssl/ocsp-http-get.test | 4 ++++ 3 files changed, 14 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log create mode 100644 testing/btest/Traces/tls/ocsp-http-get.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log new file mode 100644 index 0000000000..8ceb5e9770 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp +#open 2015-07-15-08-22-46 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string time string string string count string string string string string string +1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CXWv6p3arKYeMETxOg sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 - 0 - 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 20150711011056Z good 20150711011056Z 20150718011056Z GET +#close 2015-07-15-08-22-46 
diff --git a/testing/btest/Traces/tls/ocsp-http-get.pcap b/testing/btest/Traces/tls/ocsp-http-get.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e264d59f2b0ed64290cd7fc9c43d68c23bbb0eae GIT binary patch literal 1812 zcmaKs4@?tx6vyvMTeVt6M;PGTZetk!mEJ*H%OOgEwty6nwtojY{9uL=!|69Ow_nd-S1ZdPIPPfOMdt6 z-RHgEd*9zX|Hb}6879Xb{Nxx8A9i%V<8+qEu?o0H3tQTIbz5|+&~R#D=WNW3Vat=p zi?AZ)@%m$Xl);Piv7FH%tVZrybR9Vl$i(@e`r7tli_L6XzuIA{DE2wUQlG8F>T{Zkiydt`tEl(8c<;LU zl4g5tU>#@)QdY*FmRsClTJ5w;q}AdN8}ow<z9ITwp$Qb#^aV4p3_E`ZNDY-gMTX)4{E zFYNXKngE=}Y0m~+%t1fxVCFo$m*IRg;cI7vY{CoHvTg~eRV6&f0S^jG69E7Ojhkg! zpMgjtB7^aN?7^#+>CC9F1wT4jz1ux%llr~_W;r~fZMI}lreNE0YV<75mk z5Fcby2{@nRrwN@QPpzug)Z6Wv8j+W#>JG&ehjh{uk!y^ac_M3~3>c)GgDY2UY?i2M-*J z%6rgT+%O8C@J+3>LHL-$uFC%=Xul&;9+pA>WXxGT1(!X=76aU;} z`rttNjd_OMs=4>`WR9IZKR#p4I-53pVTc*gZdv~B^UXco1K$<>wrj`zy<4ls#yd`b zd`5G2Ueet)eLY*egJ0dNyqG);GM_ri22Mv8I@3ITV=pz0zOr)O#z1n1>)JPM;lsC^ zGFEus+P7iz>Pz`Wul@Dpf+rTI?`d@1db8=wBOV=$o;Nbded|E*(Lh$ z&-PT-|%(>y53t`a`{)CkKZ=+jVJqRlitR`Kn{&-0Ry*%3qlH{HJqbVSeh# z-G@7`b)Dzlu9B{_(RX^$O{;@9?SH2Jud%7W=HVHg5be0o-2$inAI&|}GkPVuzyAQq CCRr%} literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test new file mode 100644 index 0000000000..10ccc80c63 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test @@ -0,0 +1,4 @@ +# This tests a normal OCSP request sent through HTTP GET + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-http-get.pcap %INPUT +# @TEST-EXEC: btest-diff ocsp.log From fb757d96a6724f199d9d194148c331ba51c8145a Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 15 Jul 2015 10:39:46 -0700 Subject: [PATCH 022/631] clean up ocsp/main.bro --- scripts/base/files/ocsp/main.bro | 110 ++++++++++++++----------------- 1 file changed, 50 insertions(+), 60 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index f567b7fb8a..6c23bb2de9 100644 
--- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -214,6 +214,48 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) enq_request(f$http, req, f$id, network_time()); } +function remove_first_slash(s: string): string + { + local s_len = |s|; + if (s[0] == "/") + return s[1:s_len]; + else + return s; + } + +function get_uri_prefix(s: string): string + { + s = remove_first_slash(s); + local w = split_string(s, /\//); + if (|w| > 1) + return w[0]; + else + return ""; + } + +function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request + { + local parsed_req: OCSP::Request; + if ( ! http?$original_uri ) + return parsed_req;; + + local uri: string = remove_first_slash(http$uri); + local uri_prefix: string = get_uri_prefix(http$original_uri); + local ocsp_req_str: string; + + if ( |uri_prefix| == 0 ) + { + ocsp_req_str = uri; + } + else if (|uri_prefix| > 0) + { + uri_prefix += "/"; + ocsp_req_str = uri[|uri_prefix|:]; + } + parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); + return parsed_req; + } + event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) &priority = 5 { if ( ! f?$http ) @@ -273,6 +315,14 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo info_rec$method = f$http$method; Log::write(LOG, info_rec); } + + # check if there is a OCSP GET request + if ( f$http?$method && f$http$method == "GET" && ! f$http$checked_get ) + { + f$http$checked_get = T; + local req_get: OCSP::Request = check_ocsp_request_uri(f$http); + enq_request(f$http, req_get, "", f$http$ts); + } } function log_unmatched_reqs_queue(q: Queue::Queue) 
@@ -299,48 +349,6 @@ function log_unmatched_reqs(reqs: PendingQueue) clear_table(reqs); } -function remove_first_slash(s: string): string - { - local s_len = |s|; - if (s[0] == "/") - return s[1:s_len]; - else - return s; - } - -function get_uri_prefix(s: string): string - { - s = remove_first_slash(s); - local w = split_string(s, /\//); - if (|w| > 1) - return w[0]; - else - return ""; - } - -function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request - { - local parsed_req: OCSP::Request; - if ( ! http?$original_uri ) - return parsed_req;; - - local uri: string = remove_first_slash(http$uri); - local uri_prefix: string = get_uri_prefix(http$original_uri); - local ocsp_req_str: string; - - if ( |uri_prefix| == 0 ) - { - ocsp_req_str = uri; - } - else if (|uri_prefix| > 0) - { - uri_prefix += "/"; - ocsp_req_str = uri[|uri_prefix|:]; - } - parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); - return parsed_req; - } - function start_log_ocsp(http: HTTP::Info) { if ( ! http?$ocsp_requests && ! http?$ocsp_responses ) @@ -374,24 +382,6 @@ function start_log_ocsp(http: HTTP::Info) if (Queue::len(http$ocsp_requests[cert_id]) == 0) delete http$ocsp_requests[cert_id]; } - else - { - if ( http?$method && http$method == "GET" && ! http$checked_get ) - { - http$checked_get = T; - local req_get: OCSP::Request = check_ocsp_request_uri(http); - enq_request(http, req_get, "", http$ts); - if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) - { - # find a match - local req_rec_tmp: Info_req = Queue::get(http$ocsp_requests[cert_id]); - info_rec$req = req_rec_tmp; - info_rec$ts = req_rec_tmp$ts; - if (Queue::len(http$ocsp_requests[cert_id]) == 0) - delete http$ocsp_requests[cert_id]; - } - } - } if ( http?$method ) info_rec$method = http$method; Log::write(LOG, info_rec); From f0c642cd25550a6d8dcd4bad82662e4f36a1c475 Mon Sep 17 00:00:00 2001 
From: Liang Zhu Date: Wed, 15 Jul 2015 13:31:41 -0700 Subject: [PATCH 023/631] update logging for ocsp and baseline --- scripts/base/files/ocsp/main.bro | 63 +++-- .../policy/protocols/ssl/ocsp-ssl-split.bro | 243 +++--------------- .../ocsp.log | 10 +- .../ocsp.log | 10 +- .../ocsp.log | 10 +- 5 files changed, 98 insertions(+), 238 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 6c23bb2de9..39b4671bb9 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -21,7 +21,8 @@ export { type Info_req: record { ## time for the request ts: time; - ## file id for this request + ## file id for this request or + ## hash of the GET url if it's GET request id: string &log &optional; ## connection id cid: conn_id &optional; @@ -31,8 +32,14 @@ export { version: count &log &optional; ## requestor name requestorName: string &log &optional; + ## NOTE: the above are for one file which may contain ## several ocsp requests + + ## one OCSP request may contain several OCSP requests + ## with different cert id; this is the index of the + ## OCSP request with cert_id in the big OCSP request + index: count &log &optional; ## request cert id certId: OCSP::CertId &optional; ## HTTP method @@ -64,6 +71,11 @@ export { ## NOTE: the following are specific to one cert id ## the above are for one file which may contain ## several responses + + ## one OCSP response may contain several OCSP responses + ## with different cert id; this is the index of the + ## OCSP response with cert_id in the big OCSP response + index: count &log &optional; ##cert id certId: OCSP::CertId &optional; ## certStatus (this is the response to look at) @@ -99,10 +111,15 @@ export { ## HTTP method method: string &log &optional; + + ## HTTP record + http: HTTP::Info &optional; }; ## Event for accessing logged OCSP records. global log_ocsp: event(rec: Info); + + global get_uri_prefix: function(s: string): string; } redef record HTTP::Info += { 
@@ -156,10 +173,12 @@ function update_http_info(http: HTTP::Info, req_rec: OCSP::Info_req) req_rec$method = http$method; } -function enq_request(http: HTTP::Info, req: OCSP::Request, file_id: string, req_ts: time) +function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_ts: time) { + local index: count = 0; if (req?$requestList) { + index += 1; for (x in req$requestList) { local one_req = req$requestList[x]; @@ -170,10 +189,10 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, file_id: string, req_ local req_rec: OCSP::Info_req = [$ts = req_ts, $certId = cert_id, $cid = http$id, - $cuid = http$uid]; - if ( |file_id| > 0 && http$method != "GET" ) - req_rec$id = file_id; - + $cuid = http$uid, + $index = index, + $id = req_id]; + if ( req?$version ) req_rec$version = req$version; @@ -195,15 +214,14 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, file_id: string, req_ # no request content? this is weird but log it anyway local req_rec_empty: OCSP::Info_req = [$ts = req_ts, $cid = http$id, - $cuid = http$uid]; - if ( |file_id| > 0 && http$method != "GET" ) - req_rec_empty$id = file_id; + $cuid = http$uid, + $id = req_id]; if (req?$version) req_rec_empty$version = req$version; if (req?$requestorName) req_rec_empty$requestorName = req$requestorName; update_http_info(http, req_rec_empty); - Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method]); + Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method, $http=http]); } } @@ -263,8 +281,10 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo if (resp?$responses) { + local index: count = 0; for (x in resp$responses) { + index += 1; local single_resp: OCSP::SingleResp = resp$responses[x]; local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, $issuerNameHash = single_resp$issuerNameHash, 
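Review bot: In `enq_request` (hunk `@@ -156,10 +173,12 @@`) the new `index += 1;` sits before `for (x in req$requestList)` instead of inside it, so every entry of a request carrying several certificate ids is stored with `$index = 1`. The response handler changed in this same commit increments inside its loop, and the field comment describes the value as the position of the entry within the enclosing message, so the two sides no longer line up for correlation. Move the increment to the first statement of the loop body. The later commit that changes the condition to `req?$requestList && |req$requestList| > 0` leaves the increment in the same place. The function body continues outside this hunk.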
@@ -279,6 +299,7 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $version = resp$version, $responderID = resp$responderID, $producedAt = resp$producedAt, + $index = index, $certId = cert_id, $certStatus = single_resp$certStatus, $thisUpdate = single_resp$thisUpdate]; @@ -310,7 +331,8 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo $resp_ts = resp_rec_empty$ts, $resp = resp_rec_empty, $cid = f$http$id, - $cuid = f$http$uid]; + $cuid = f$http$uid, + $http = f$http]; if ( f$http?$method ) info_rec$method = f$http$method; Log::write(LOG, info_rec); @@ -321,11 +343,11 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { f$http$checked_get = T; local req_get: OCSP::Request = check_ocsp_request_uri(f$http); - enq_request(f$http, req_get, "", f$http$ts); + enq_request(f$http, req_get, "H" + sha1_hash(f$http$original_uri), f$http$ts); } } -function log_unmatched_reqs_queue(q: Queue::Queue) +function log_unmatched_reqs_queue(q: Queue::Queue, http: HTTP::Info) { local reqs: vector of Info_req; Queue::get_vector(q, reqs); @@ -335,17 +357,19 @@ function log_unmatched_reqs_queue(q: Queue::Queue) $certId = reqs[i]$certId, $req = reqs[i], $cid = reqs[i]$cid, - $cuid = reqs[i]$cuid]; + $cuid = reqs[i]$cuid, + $http = http]; if ( reqs[i]?$method ) info_rec$method = reqs[i]$method; Log::write(LOG, info_rec); } } -function log_unmatched_reqs(reqs: PendingQueue) +function log_unmatched_reqs(http: HTTP::Info) { + local reqs: PendingQueue = http$ocsp_requests; for ( cert_id in reqs ) - log_unmatched_reqs_queue(reqs[cert_id]); + log_unmatched_reqs_queue(reqs[cert_id], http); clear_table(reqs); } @@ -356,7 +380,7 @@ function start_log_ocsp(http: HTTP::Info) if ( ! http?$ocsp_responses ) { - log_unmatched_reqs(http$ocsp_requests); + log_unmatched_reqs(http); return; } 
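Review bot: In the `@@ -321,11 +343,11 @@` hunk, `sha1_hash(f$http$original_uri)` reads `original_uri` without a `?$` test, although `check_ocsp_request_uri` on the line before treats that field as possibly unset. If it is absent the handler would stop with a missing-field error after `checked_get` has already been set to `T`, so the GET request is never enqueued for that transaction. The guard just above this hunk (added in the previous commit) should include the field: `if ( f$http?$method && f$http$method == "GET" && f$http?$original_uri && ! f$http$checked_get )`. A one-line comment that `req.id` is `"H"` followed by the SHA-1 of the raw URI for GET requests would also help readers of ocsp.log, since the value otherwise looks like a file id.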
@@ -371,7 +395,8 @@ function start_log_ocsp(http: HTTP::Info) $resp_ts = resp_rec$ts, $resp = resp_rec, $cid = http$id, - $cuid = http$uid]; + $cuid = http$uid, + $http = http]; if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) { @@ -390,7 +415,7 @@ function start_log_ocsp(http: HTTP::Info) delete http$ocsp_responses[cert_id]; } if ( http?$ocsp_requests && |http$ocsp_requests| != 0 ) - log_unmatched_reqs(http$ocsp_requests); + log_unmatched_reqs(http); } # log OCSP information diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index d292697a69..4594c55cfc 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -13,31 +13,12 @@ export { redef enum Log::ID += { LOG_OCSP }; redef enum Log::ID += { LOG_SSL }; - type PendingRequests: table[OCSP::CertId] of Queue::Queue; - - type OCSP_Request_Type: record { - ts: time; - fuid: string; - req: OCSP::Request; - }; - - type OCSP_Response_Type: record { - ts: time; - fuid: string; - resp: OCSP::Response; - }; - type Info_OCSP: record { ## cert id for the OCSP request cert_id: OCSP::CertId &log &optional; ## request timestamp req_ts: time &log &optional; - - ## one OCSP request may contain several OCSP requests - ## with different cert id; this is the index of the - ## OCSP request with cert_id in the big OCSP request - req_index: count &log &optional; ## request ## NOTE: this is only one request if multiple requests @@ -48,11 +29,6 @@ export { ## response timestamp resp_ts: time &log &optional; - ## one OCSP response may contain several OCSP responses - ## with different cert id; this is the index of the - ## OCSP response with cert_id in the big OCSP response - resp_index: count &log &optional; - ## response ## NOTE: similar to request, if multiple responses are ## sent together in one HTTP message, they will be 
@@ -86,8 +62,12 @@ export { ## the HTTP code in the HTTP response http_code: count &log &optional; + ## HTTP method + method: string &log &optional; + ## host in HTTP request + uri in HTTP request ## last '/' is removed + ## for GET request, OCSP request is remove from url ocsp_uri: string &log &optional; ## number of HTTP requests containing ocsp requests in @@ -168,12 +148,6 @@ redef record HTTP::Info += { request_header_len: count &optional &default=0; response_header_len: count &optional &default=0; - ## OCSP_Request_Type - ocsp_requests: vector of OCSP_Request_Type &optional; - - ## OCSP_Response_Type - ocsp_responses: vector of OCSP_Response_Type &optional; - ## connection start time, copied from connection conn_start_ts: time &optional; @@ -242,32 +216,6 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) c$http$conn_start_ts = c$start_time; } -# add ocsp request to http record -event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) - { - if ( ! f?$http ) - return; - local request: OCSP_Request_Type = [$ts = network_time(), - $fuid = f$id, - $req = req]; - if ( ! f$http?$ocsp_requests ) - f$http$ocsp_requests = vector(); - f$http$ocsp_requests[|f$http$ocsp_requests|] = request; - } - -# add ocsp response to http record -event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) - { - if ( ! f?$http ) - return; - local response: OCSP_Response_Type = [$ts = network_time(), - $fuid = f$id, - $resp = resp]; - if ( ! f$http?$ocsp_responses ) - f$http$ocsp_responses = vector(); - f$http$ocsp_responses[|f$http$ocsp_responses|] = response; - } - # add server hello time event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)&priority=5 { 
@@ -367,26 +315,14 @@ event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { Queue::put(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], current_ts); } -# log unmatched ocsp request or response -function log_unmatched_ocsp_queue (q: Queue::Queue) - { - local rec: vector of OCSP_SSL_SPLIT::Info_OCSP; - Queue::get_vector(q, rec); - for ( i in rec ) - Log::write(LOG_OCSP, rec[i]); - } - -# log unmatched ocsp request or response -function log_unmatched_ocsp(ocsp: table[OCSP::CertId] of Queue::Queue) - { - for ( cert_id in ocsp ) - log_unmatched_ocsp_queue(ocsp[cert_id]); - clear_table(ocsp); - } - -# update http data in ocsp info record function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) { + if ( http?$num_ocsp ) + ocsp$num_ocsp = http$num_ocsp; + + if ( http?$method ) + ocsp$method = http$method; + if ( http?$host ) ocsp$ocsp_uri = http$host; @@ -396,9 +332,18 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) else ocsp$ocsp_uri = http$uri; + if ( http?$method && http$method == "GET" && http?$original_uri ) + { + local uri_prefix: string = OCSP::get_uri_prefix(http$original_uri); + if ( http?$host ) + ocsp$ocsp_uri = http$host; + if ( |uri_prefix| > 0) + ocsp$ocsp_uri += "/" + uri_prefix; + } + if ( ocsp?$ocsp_uri ) ocsp$ocsp_uri = clean_uri(ocsp$ocsp_uri); - + if ( http?$status_code ) ocsp$http_code = http$status_code; 
@@ -415,147 +360,37 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) ocsp$resp_hdr_size = http$response_header_len; } -# get all the ocsp requests -function get_ocsp_requests(http: HTTP::Info): PendingRequests +function start_log_ocsp(rec: OCSP::Info) { - local pending_ocsp_requests: PendingRequests = table(); + local http: HTTP::Info = rec$http; + local info_ocsp_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cid = http$id, + $cuid = http$uid, + $conn_start_ts = http$conn_start_ts]; - if ( ! http?$ocsp_requests ) - return pending_ocsp_requests; - - for ( x in http$ocsp_requests ) + if ( rec?$certId ) + info_ocsp_rec$cert_id = rec$certId; + + if ( rec?$req ) { - local request: OCSP_Request_Type = http$ocsp_requests[x]; - if ( ! request?$req ) - next; - - local req: OCSP::Request = request$req; - if ( ! req?$requestList ) - next; - - local req_index: count = 0; - for ( y in req$requestList ) - { - req_index += 1; - local one_req = req$requestList[y]; - local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, - $issuerNameHash = one_req$issuerNameHash, - $issuerKeyHash = one_req$issuerKeyHash, - $serialNumber = one_req$serialNumber]; - - local req_rec: OCSP::Info_req = [$ts=request$ts, $id=request$fuid, $certId=cert_id]; - - if (req?$version) - req_rec$version = req$version; - - if (req?$requestorName) - req_rec$requestorName = req$requestorName; - - local ocsp_info_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cert_id = cert_id, - $req_ts = request$ts, - $req_index = req_index, - $req = req_rec, - $cid = http$id, - $cuid = http$uid, - $conn_start_ts = http$conn_start_ts, - $num_ocsp = http$num_ocsp]; - update_http_info(ocsp_info_rec, http); - - if ( cert_id !in pending_ocsp_requests ) - pending_ocsp_requests[cert_id] = Queue::init(); - - Queue::put(pending_ocsp_requests[cert_id], ocsp_info_rec); - } + info_ocsp_rec$req = rec$req; + info_ocsp_rec$req_ts = rec$req$ts; } - return pending_ocsp_requests; - } -# log OCSP -function 
start_log_ocsp(http: HTTP::Info) - { - if ( ! http?$ocsp_requests && ! http?$ocsp_responses ) - return; - - local pending_ocsp_requests: PendingRequests = get_ocsp_requests(http); - - if ( ! http?$ocsp_responses ) + if ( rec?$resp ) { - log_unmatched_ocsp(pending_ocsp_requests); - return; + info_ocsp_rec$resp = rec$resp; + info_ocsp_rec$resp_ts = rec$resp$ts; } - - for ( x in http$ocsp_responses ) - { - local response: OCSP_Response_Type = http$ocsp_responses[x]; - if ( ! response?$resp ) - next; - local resp: OCSP::Response = response$resp; - if ( ! resp?$responses ) - next; + if ( rec?$req && rec?$resp ) + info_ocsp_rec$delay = info_ocsp_rec$resp_ts - info_ocsp_rec$req_ts; - local resp_index: count = 0; - for ( y in resp$responses ) - { - resp_index += 1; - local single_resp: OCSP::SingleResp = resp$responses[y]; - local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, - $issuerNameHash = single_resp$issuerNameHash, - $issuerKeyHash = single_resp$issuerKeyHash, - $serialNumber = single_resp$serialNumber]; - - local resp_rec: OCSP::Info_resp = [$ts = response$ts, - $id = response$fuid, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt, - $certId = cert_id, - $certStatus = single_resp$certStatus, - $thisUpdate = single_resp$thisUpdate]; - if ( single_resp?$nextUpdate ) - resp_rec$nextUpdate = single_resp$nextUpdate; - - if ( cert_id in pending_ocsp_requests) - { - # find a match - local ocsp_info: OCSP_SSL_SPLIT::Info_OCSP = Queue::get(pending_ocsp_requests[cert_id]); - ocsp_info$resp = resp_rec; - ocsp_info$resp_ts = response$ts; - ocsp_info$resp_index = resp_index; - - # update http info, previously filled in fill_ocsp_request - update_http_info(ocsp_info, http); - - ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts; - - if (Queue::len(pending_ocsp_requests[cert_id]) == 0) - delete pending_ocsp_requests[cert_id]; - - 
Log::write(LOG_OCSP, ocsp_info); - } - else - { - local ocsp_info_noreq: OCSP_SSL_SPLIT::Info_OCSP = [$cert_id = cert_id, - $resp_ts = resp_rec$ts, - $resp_index = resp_index, - $resp = resp_rec, - $cid = http$id, - $cuid = http$uid, - $conn_start_ts = http$conn_start_ts, - $num_ocsp = http$num_ocsp]; - update_http_info(ocsp_info_noreq, http); - Log::write(LOG_OCSP, ocsp_info_noreq); - } - } - } - if ( |pending_ocsp_requests| != 0 ) - log_unmatched_ocsp(pending_ocsp_requests); + update_http_info(info_ocsp_rec, http); + Log::write(LOG_OCSP, info_ocsp_rec); } # log OCSP information -event HTTP::log_http(rec: HTTP::Info) +event OCSP::log_ocsp(rec: OCSP::Info) { start_log_ocsp(rec); } diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log index 555d7436f1..1cb587ca17 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log 
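Review bot: The rewritten `start_log_ocsp(rec: OCSP::Info)` dereferences two optional fields without a `?$` test: `rec$http`, which this commit declares `&optional` on `OCSP::Info`, and `http$conn_start_ts`, which is `&optional` on `HTTP::Info`. `OCSP::log_ocsp` is declared in the export block, so a record raised without `$http` would abort this handler and the row would be missing from the split log with no other trace. Start the function with `if ( ! rec?$http ) return;` and assign `$conn_start_ts` only under `if ( http?$conn_start_ts )`, provided that field is optional in `Info_OCSP` (its declaration is outside this hunk). A short header comment stating that the function now consumes one already-matched request/response pair per call would replace the explanation that went away with the removed matching code.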
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-07-54-54 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string time string string string count string string string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - - - - - - - - - - - POST -#close 2015-07-15-07-54-54 +#open 2015-07-15-20-25-27 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1 - - - - - - - - - - - POST +#close 2015-07-15-20-25-27 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index a57882aa1c..881f614583 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log 
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-07-55-45 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string time string string string count string string string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z POST -#close 2015-07-15-07-55-45 +#open 2015-07-15-20-24-10 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z 1 good 
20150618220334Z 20150620100334Z POST +#close 2015-07-15-20-24-11 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index d4c551027e..4027016f1d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-08-02-35 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string time string string string count string string string string string string -1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z good 20150618220334Z 20150620100334Z - -#close 2015-07-15-08-02-35 +#open 2015-07-15-20-26-35 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string +1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z 1 good 20150618220334Z 20150620100334Z - +#close 
2015-07-15-20-26-36 From 00a0313967b71ac496e468fac84c89d51b987749 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 16 Jul 2015 18:10:05 -0700 Subject: [PATCH 024/631] fix a bug for parsing OCSP Get request --- scripts/base/files/ocsp/main.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 39b4671bb9..b605374d51 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -236,7 +236,7 @@ function remove_first_slash(s: string): string { local s_len = |s|; if (s[0] == "/") - return s[1:s_len]; + return remove_first_slash(s[1:s_len]); else return s; } From cb0aa7725ee2e3b131305b3777b29bf8b2ad894d Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 16 Jul 2015 18:20:57 -0700 Subject: [PATCH 025/631] fix a few bug for logging --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 59 ++++++++++++------- .../ocsp.log | 10 ++-- 2 files changed, 44 insertions(+), 25 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 4594c55cfc..2862a96dfb 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -148,11 +148,8 @@ redef record HTTP::Info += { request_header_len: count &optional &default=0; response_header_len: count &optional &default=0; - ## connection start time, copied from connection - conn_start_ts: time &optional; - - ## number of OCSP requests so far, copied from connection - num_ocsp: count &optional; + ## connection used to get num_ocsp and connection start time + conn: connection &optional; }; # add additional information to ssl info 
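Review bot: `remove_first_slash` (hunk `@@ -236,7 +236,7 @@`) now calls itself once per leading `/`, and its argument is the request URI taken off the wire, so the recursion depth is set by the remote client rather than by the script. A single anchored substitution strips the whole run in one step without growing the call stack: `return sub(s, /^\/+/, "");`. `get_first_slash`, added two commits later in this series, has the same recursive shape and can be written as the slice of `s` that this substitution removed. The function's signature is outside the hunk.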
@@ -196,24 +193,47 @@ function clean_uri(s: string): string return s; } -# record the header length and update num_ocsp and conn_start_ts +event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) + { + if ( ! f?$http ) + return; + # check if there is a OCSP GET request + if ( f$http?$method && f$http$method == "GET" ) + f$http$conn$num_ocsp += 1; + } + +event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) + { + if ( ! f?$http ) + return; + f$http$conn$num_ocsp += 1; + } + +event http_reply (c: connection, version: string, code: count, reason: string) + { + if ( ! c?$http ) + return; + if ( ! c$http?$conn ) + c$http$conn = c; + } + +event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) + { + if ( ! c?$http ) + return; + if ( ! c$http?$conn ) + c$http$conn = c; + } + +# record the header length event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) { - # proceed only this http connection has ocsp request or response - if ( ! c$http?$ocsp_requests && ! c$http?$ocsp_responses ) - return; - + if ( ! c?$http ) + return; if ( is_orig ) - { c$http$request_header_len = stat$header_length; - c$num_ocsp += 1; - } else - { c$http$response_header_len = stat$header_length; - } - c$http$num_ocsp = c$num_ocsp; - c$http$conn_start_ts = c$start_time; } # add server hello time @@ -317,8 +337,7 @@ event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) { - if ( http?$num_ocsp ) - ocsp$num_ocsp = http$num_ocsp; + ocsp$num_ocsp = http$conn$num_ocsp; if ( http?$method ) ocsp$method = http$method; 
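Review bot: The new `ocsp_request` and `ocsp_response` handlers read `f$http$conn$num_ocsp` without testing `f$http?$conn`, and the `@@ -317,8 +337,7 @@` hunk replaces the guarded `if ( http?$num_ocsp )` with an unconditional `ocsp$num_ocsp = http$conn$num_ocsp;`; the following hunk does the same with `http$conn$start_time`. `conn` is declared `&optional` and is only filled by the `http_request` and `http_reply` handlers added here, so any record that reaches these paths without it aborts the handler; guard each use, e.g. `if ( http?$conn ) ocsp$num_ocsp = http$conn$num_ocsp;`. Separately, `c$http$conn = c` makes the connection and its HTTP record refer to each other. If the runtime frees values by reference counting, that pair may stay allocated after the connection ends, which adds up on a long-running sensor; this is worth confirming, and if so the field should be cleared once the transaction has been logged.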
@@ -365,7 +384,7 @@ function start_log_ocsp(rec: OCSP::Info) local http: HTTP::Info = rec$http; local info_ocsp_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cid = http$id, $cuid = http$uid, - $conn_start_ts = http$conn_start_ts]; + $conn_start_ts = http$conn$start_time]; if ( rec?$certId ) info_ocsp_rec$cert_id = rec$certId; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log index 8ceb5e9770..692581c871 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-08-22-46 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string time string string string count string string string string string string -1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CXWv6p3arKYeMETxOg sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 - 0 - 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 20150711011056Z good 20150711011056Z 20150718011056Z GET -#close 2015-07-15-08-22-46 +#open 2015-07-15-20-38-15 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string +1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CXWv6p3arKYeMETxOg sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 H4c4c3b287beafd8d7f4806a0b14d2ee1de88e4be 0 - 1 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 20150711011056Z 1 good 20150711011056Z 20150718011056Z GET +#close 2015-07-15-20-38-15 
From d20925f230bf9ced2f167af9c3fb030db5277cee Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 16 Jul 2015 19:07:13 -0700 Subject: [PATCH 026/631] make parsing GET url more robust --- scripts/base/files/ocsp/main.bro | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index b605374d51..d93ee7a673 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -232,6 +232,15 @@ event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) enq_request(f$http, req, f$id, network_time()); } +function get_first_slash(s: string): string + { + local s_len = |s|; + if (s[0] == "/") + return "/" + get_first_slash(s[1:s_len]); + else + return ""; + } + function remove_first_slash(s: string): string { local s_len = |s|; @@ -243,12 +252,11 @@ function remove_first_slash(s: string): string function get_uri_prefix(s: string): string { - s = remove_first_slash(s); - local w = split_string(s, /\//); + local uri_prefix = get_first_slash(s); + local w = split_string(s[|uri_prefix|:], /\//); if (|w| > 1) - return w[0]; - else - return ""; + uri_prefix += w[0] + "/"; + return uri_prefix; } function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request @@ -256,20 +264,8 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request local parsed_req: OCSP::Request; if ( ! http?$original_uri ) return parsed_req;; - - local uri: string = remove_first_slash(http$uri); local uri_prefix: string = get_uri_prefix(http$original_uri); - local ocsp_req_str: string; - - if ( |uri_prefix| == 0 ) - { - ocsp_req_str = uri; - } - else if (|uri_prefix| > 0) - { - uri_prefix += "/"; - ocsp_req_str = uri[|uri_prefix|:]; - } + local ocsp_req_str: string = http$uri[|uri_prefix|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); return parsed_req; } From 569e637eb15b737f7622f81f050ba356c6f4eef5 Mon Sep 17 00:00:00 2001 
From: Liang Zhu Date: Thu, 16 Jul 2015 19:31:58 -0700 Subject: [PATCH 027/631] small changes for parsing GET url --- scripts/base/files/ocsp/main.bro | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index d93ee7a673..020ba096cf 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -254,8 +254,12 @@ function get_uri_prefix(s: string): string { local uri_prefix = get_first_slash(s); local w = split_string(s[|uri_prefix|:], /\//); - if (|w| > 1) - uri_prefix += w[0] + "/"; + local i = 0; + while ( i < (|w| - 1) ) + { + uri_prefix += w[i] + "/"; + i += 1; + } return uri_prefix; } From 6c9b49a5d7e6eb7116afb45c1f0a6bc90baeac0f Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Fri, 17 Jul 2015 16:00:18 -0700 Subject: [PATCH 028/631] fix a bug for ocsp-ssl-split.bro --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 31 +++++++++++-------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 2862a96dfb..2dee529cf1 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -439,6 +439,21 @@ function update_ssl_info(ssl_rec: OCSP_SSL_SPLIT::Info_SSL, ssl: SSL::Info) ssl_rec$server_change_cipher_ts = ssl$server_change_cipher_ts; } +# convert all the elements in the queue to a formatted string +function convert_time_q2str(q: Queue::Queue, sep: string): string + { + local s = ""; + local elem: vector of time = vector(); + Queue::get_vector(q, elem); + for ( i in elem ) + { + s += fmt("%f",elem[i]); + if ( i != (|elem| - 1)) + s += sep; + } + return s; + } + # log SSL information when ssl connection is removed event connection_state_remove(c: connection) &priority= -20 { 
@@ -450,22 +465,12 @@ event connection_state_remove(c: connection) &priority= -20 local ssl_info_rec: OCSP_SSL_SPLIT::Info_SSL = [$id = c$id, $uid = c$uid, $end_ts = network_time()]; - ssl_info_rec$ocsp_uri = ocsp_uri; ssl_info_rec$serial_number = serial_number; ssl_info_rec$issuer_name = issuer_name; - - # convert all the elements in the queue to a formatted string - local cert_recv_ts_str: string = ""; - local elem: vector of time; - Queue::get_vector(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], elem); - for ( i in elem ) - { - cert_recv_ts_str += fmt("%f",elem[i]); - if ( i != (|elem| - 1)) - cert_recv_ts_str += ","; - } - ssl_info_rec$cert_recv_ts = cert_recv_ts_str; + local cert_recv_ts_str:string = convert_time_q2str(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], ","); + if (|cert_recv_ts_str| > 0) + ssl_info_rec$cert_recv_ts = cert_recv_ts_str; update_ssl_info(ssl_info_rec, c$ssl); Log::write(LOG_SSL, ssl_info_rec); #delete c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name]; From 0c3b03ac8da95edbf730611b17c2886565573be5 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Sat, 18 Jul 2015 01:06:31 -0700 Subject: [PATCH 029/631] log original uri and fix GET url parsing --- scripts/base/files/ocsp/main.bro | 18 ++++++++++++++++-- .../policy/protocols/ssl/ocsp-ssl-split.bro | 6 ++++++ 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 020ba096cf..551322b4bc 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -176,7 +176,7 @@ function update_http_info(http: HTTP::Info, req_rec: OCSP::Info_req) function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_ts: time) { local index: count = 0; - if (req?$requestList) + if ( req?$requestList && |req$requestList| > 0 ) { index += 1; for (x in req$requestList) 
@@ -271,6 +271,20 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request local uri_prefix: string = get_uri_prefix(http$original_uri); local ocsp_req_str: string = http$uri[|uri_prefix|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); + if ( ! parsed_req?$requestList || |parsed_req$requestList| == 0 ) + { + # normal parse fails, bug url, natively try each part + local w = split_string(http$original_uri, /\//); + local s = ""; + for ( i in w ) + { + s += "/" + w[i]; + ocsp_req_str = http$uri[|s|:]; + parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); + if ( parsed_req?$requestList && |parsed_req$requestList| > 0 ) + break; + } + } return parsed_req; } @@ -279,7 +293,7 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo if ( ! f?$http ) return; - if (resp?$responses) + if ( resp?$responses && |resp$responses| > 0 ) { local index: count = 0; for (x in resp$responses) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 2dee529cf1..69bffb19ed 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -76,6 +76,9 @@ export { ## HTTP request may contain several OCSP requests; ## this is copied from connection num_ocsp: count &log &optional; + + ## the original_uri in HTTP request + original_uri: string &log &optional; }; type Issuer_Name_Type: record { @@ -342,6 +345,9 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) if ( http?$method ) ocsp$method = http$method; + if ( http?$original_uri ) + ocsp$original_uri = http$original_uri; + if ( http?$host ) ocsp$ocsp_uri = http$host; From 4e8d15d8d19f82e04f2cffb48e9fcc976efe1950 Mon Sep 17 00:00:00 2001 
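Review bot: The fallback loop added to `check_ocsp_request_uri` runs `decode_base64` and `ocsp_parse_request` once for every `/`-separated part of the URI, so the work done per GET is set by a value the client chooses. Each attempt also decodes an overlapping tail of the same string. A small cap on attempts would bound this, for example `if ( i >= max_prefix_tries ) break;` at the top of the loop body, with `max_prefix_tries` a new constant (name constructed here). The function begins outside this hunk.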
From: Liang Zhu Date: Sat, 18 Jul 2015 01:53:28 -0700 Subject: [PATCH 030/631] small bug fix --- scripts/base/files/ocsp/main.bro | 7 +++++++ scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 9 +++++---- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 551322b4bc..80fd356f29 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -133,6 +133,9 @@ redef record HTTP::Info += { # flag for checking get uri checked_get: bool &optional &default=F; + + # uri prefix: this the GET url without ocsp request + uri_prefix: string &optional; }; event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) @@ -269,6 +272,7 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request if ( ! http?$original_uri ) return parsed_req;; local uri_prefix: string = get_uri_prefix(http$original_uri); + http$uri_prefix = uri_prefix; local ocsp_req_str: string = http$uri[|uri_prefix|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); if ( ! parsed_req?$requestList || |parsed_req$requestList| == 0 ) @@ -282,7 +286,10 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request ocsp_req_str = http$uri[|s|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); if ( parsed_req?$requestList && |parsed_req$requestList| > 0 ) + { + http$uri_prefix = s; break; + } } } return parsed_req; diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 69bffb19ed..69bdfb8548 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro 
@@ -357,13 +357,14 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) else ocsp$ocsp_uri = http$uri; - if ( http?$method && http$method == "GET" && http?$original_uri ) + if ( http?$method && http$method == "GET" && http?$uri_prefix ) { - local uri_prefix: string = OCSP::get_uri_prefix(http$original_uri); + if ( |http$uri_prefix| > 0) + ocsp$ocsp_uri = ""; if ( http?$host ) ocsp$ocsp_uri = http$host; - if ( |uri_prefix| > 0) - ocsp$ocsp_uri += "/" + uri_prefix; + if ( |http$uri_prefix| > 0) + ocsp$ocsp_uri += http$uri_prefix; } if ( ocsp?$ocsp_uri ) From b4fce308f0bef06c73152fd192a00d961a0351af Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Sat, 18 Jul 2015 19:36:47 -0700 Subject: [PATCH 031/631] minor change to deal with empty request --- scripts/base/files/ocsp/main.bro | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 80fd356f29..5c01951a66 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -212,15 +212,15 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_t Queue::put(http$ocsp_requests[cert_id], req_rec); } } - else + else if ( req?$version ) { - # no request content? this is weird but log it anyway + # it's ocsp request but has no request content + # this is weird but log it anyway local req_rec_empty: OCSP::Info_req = [$ts = req_ts, $cid = http$id, $cuid = http$uid, - $id = req_id]; - if (req?$version) - req_rec_empty$version = req$version; + $id = req_id, + $version = req$version]; if (req?$requestorName) req_rec_empty$requestorName = req$requestorName; update_http_info(http, req_rec_empty); From fa654121ec5f77b75329c56884633f85a0df6446 Mon Sep 17 00:00:00 2001 
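Review bot: With the branch in `enq_request` changed to `else if ( req?$version )`, a request that has neither a non-empty `requestList` nor a `version` now produces no log record at all, where the previous `else` always wrote one. If this is meant to suppress GET URIs that did not parse as OCSP, that should be stated, since for a monitoring script the drop is otherwise silent. Suggested comment above the branch: `# no requestList and no version: treated as "not an OCSP request" and deliberately not logged`. The function starts outside this hunk.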
From: Liang Zhu Date: Mon, 20 Jul 2015 15:46:21 -0700 Subject: [PATCH 032/631] fix url parsing bug --- scripts/base/files/ocsp/main.bro | 4 ++-- scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 17 ++++++++++++++--- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 5c01951a66..1ae854b991 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro @@ -277,12 +277,12 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); if ( ! parsed_req?$requestList || |parsed_req$requestList| == 0 ) { - # normal parse fails, bug url, natively try each part + # normal parse fails, bug url, naively try each part local w = split_string(http$original_uri, /\//); local s = ""; for ( i in w ) { - s += "/" + w[i]; + s += w[i] + "/"; ocsp_req_str = http$uri[|s|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); if ( parsed_req?$requestList && |parsed_req$requestList| > 0 ) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 69bdfb8548..e8318e145e 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -78,7 +78,10 @@ export { num_ocsp: count &log &optional; ## the original_uri in HTTP request - original_uri: string &log &optional; + original_uri: string &log &optional; + + ## host in HTTP request + host: string &log &optional; }; type Issuer_Name_Type: record { 
@@ -349,13 +352,21 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) ocsp$original_uri = http$original_uri; if ( http?$host ) + { + ocsp$host = http$host; ocsp$ocsp_uri = http$host; + } if ( http?$uri ) + { + local uri_str = http$uri; + if ( http$uri == "http://" + http$host ) + uri_str = "/"; #deal with software bug: make the full url empty if ( ocsp?$ocsp_uri ) - ocsp$ocsp_uri += http$uri; + ocsp$ocsp_uri += uri_str; else - ocsp$ocsp_uri = http$uri; + ocsp$ocsp_uri = uri_str; + } if ( http?$method && http$method == "GET" && http?$uri_prefix ) { From 5f2cb840d7e7d01327a390771a3738db9cde1acb Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Mon, 20 Jul 2015 16:55:19 -0700 Subject: [PATCH 033/631] add user_agent to ocsp-to-match log --- scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index e8318e145e..38587496a4 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -82,6 +82,9 @@ export { ## host in HTTP request host: string &log &optional; + + ## user_agent + user_agent: string &log &optional; }; type Issuer_Name_Type: record { @@ -348,6 +351,9 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) if ( http?$method ) ocsp$method = http$method; + if ( http?$user_agent ) + ocsp$user_agent = http$user_agent; + if ( http?$original_uri ) ocsp$original_uri = http$original_uri; From 462f6608a8659a6cfbfb9ea6974a0589de6ad1f5 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 21 Jul 2015 14:44:33 -0700 Subject: [PATCH 034/631] log the time for server first encrypted application data --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 22 +++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) 
diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 38587496a4..76b244cfe5 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -120,8 +120,11 @@ export { ## the time when SSL connection is established establish_ts: time &log &optional; - ## the time for the first encrypted application data + ## the time for the first encrypted client application data client_first_encrypt_ts: time &log &optional; + + ## the time for the first encrypted server application data + server_first_encrypt_ts: time &log &optional; ## the time when event connection_state_remove happens end_ts: time &log &optional; @@ -185,8 +188,11 @@ redef record SSL::Info += { ## name hash(string) cert_ts: table[string, string, OCSP_SSL_SPLIT::Issuer_Name_Type] of Queue::Queue &optional; - ## the time for the first encrypted application data + ## the time for the first encrypted client application data client_first_encrypt_ts: time &optional; + + ## the time for the first encrypted server application data + server_first_encrypt_ts: time &optional; }; # remove the last '/' @@ -279,8 +285,13 @@ event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, leng if ( ! c?$ssl ) return; - if ( content_type == SSL::APPLICATION_DATA && length > 0 && is_orig && ! c$ssl?$client_first_encrypt_ts ) - c$ssl$client_first_encrypt_ts = network_time(); + if ( content_type == SSL::APPLICATION_DATA && length > 0 ) + { + if ( is_orig && ! c$ssl?$client_first_encrypt_ts ) + c$ssl$client_first_encrypt_ts = network_time(); + else if ( ! is_orig && ! c$ssl?$server_first_encrypt_ts ) + c$ssl$server_first_encrypt_ts = network_time(); + } } # extract the full ocsp uri from certificate extension 
@@ -450,6 +461,9 @@ function update_ssl_info(ssl_rec: OCSP_SSL_SPLIT::Info_SSL, ssl: SSL::Info) if ( ssl?$client_first_encrypt_ts ) ssl_rec$client_first_encrypt_ts = ssl$client_first_encrypt_ts; + if ( ssl?$server_first_encrypt_ts ) + ssl_rec$server_first_encrypt_ts = ssl$server_first_encrypt_ts; + if ( ssl?$server_hello_ts ) ssl_rec$server_hello_ts = ssl$server_hello_ts; From cea1b62a9a13fba851c2dcc9ca09a0eb12ae4dc2 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 21 Jul 2015 23:38:56 -0700 Subject: [PATCH 035/631] small bug fix --- scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 76b244cfe5..853f4d65b1 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -377,7 +377,7 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) if ( http?$uri ) { local uri_str = http$uri; - if ( http$uri == "http://" + http$host ) + if ( http?$host && http$uri == "http://" + http$host ) uri_str = "/"; #deal with software bug: make the full url empty if ( ocsp?$ocsp_uri ) ocsp$ocsp_uri += uri_str; From 49c570593a817d398108e5be3d27b60c64c0b3ba Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Thu, 23 Jul 2015 15:46:23 -0700 Subject: [PATCH 036/631] check value before assign --- scripts/base/files/ocsp/main.bro | 150 +++++++++++++++++++++---------- scripts/base/init-bare.bro | 8 +- 2 files changed, 107 insertions(+), 51 deletions(-) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 1ae854b991..1362330cf1 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/ocsp/main.bro 
@@ -58,15 +58,15 @@ export { ## connection uid cuid: string &optional; ## responseStatus (different from cert status?) - responseStatus: string &log; + responseStatus: string &log &optional; ## responseType - responseType: string &log; + responseType: string &log &optional; ## version - version: count &log; + version: count &log &optional; ## responderID - responderID: string &log; + responderID: string &log &optional; ## producedAt - producedAt: string &log; + producedAt: string &log &optional; ## NOTE: the following are specific to one cert id ## the above are for one file which may contain @@ -176,6 +176,33 @@ function update_http_info(http: HTTP::Info, req_rec: OCSP::Info_req) req_rec$method = http$method; } +function update_request_info(rec: Info_req, req: OCSP::Request) + { + if ( req?$version ) + rec$version = req$version; + + if ( req?$requestorName ) + rec$requestorName = req$requestorName; + } + +function cert_id_from_request(one_req: OCSP::OneReq): OCSP::CertId + { + local cert_id: OCSP::CertId = []; + if ( one_req?$hashAlgorithm ) + cert_id$hashAlgorithm = one_req$hashAlgorithm; + + if ( one_req?$issuerNameHash ) + cert_id$issuerNameHash = one_req$issuerNameHash; + + if ( one_req?$issuerKeyHash ) + cert_id$issuerKeyHash = one_req$issuerKeyHash; + + if ( one_req?$serialNumber ) + cert_id$serialNumber = one_req$serialNumber; + + return cert_id; + } + function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_ts: time) { local index: count = 0; 
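Review bot: `cert_id_from_request` starts from `[]` and copies only the fields that are set, so an entry with none of the four fields yields an all-unset `OCSP::CertId`. That value appears to be used as the index into `http$ocsp_requests`, and `cert_id_from_response` later in this patch builds the response key the same way. Unrelated malformed entries would then share one key and could be paired as a request/response match. Consider not enqueueing when nothing identifying is set, e.g. `if ( ! cert_id?$serialNumber ) next;` in the callers. The two helpers are identical apart from the parameter type, so one could take the four optional strings and serve both.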
@@ -185,22 +212,14 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_t for (x in req$requestList) { local one_req = req$requestList[x]; - local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, - $issuerNameHash = one_req$issuerNameHash, - $issuerKeyHash = one_req$issuerKeyHash, - $serialNumber = one_req$serialNumber]; + local cert_id: OCSP::CertId = cert_id_from_request(one_req); local req_rec: OCSP::Info_req = [$ts = req_ts, $certId = cert_id, $cid = http$id, $cuid = http$uid, $index = index, $id = req_id]; - - if ( req?$version ) - req_rec$version = req$version; - - if ( req?$requestorName ) - req_rec$requestorName = req$requestorName; + update_request_info(req_rec, req); if ( ! http?$ocsp_requests ) http$ocsp_requests = table(); @@ -219,10 +238,8 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_t local req_rec_empty: OCSP::Info_req = [$ts = req_ts, $cid = http$id, $cuid = http$uid, - $id = req_id, - $version = req$version]; - if (req?$requestorName) - req_rec_empty$requestorName = req$requestorName; + $id = req_id]; + update_request_info(req_rec_empty, req); update_http_info(http, req_rec_empty); Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method, $http=http]); } 
@@ -295,6 +312,60 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request return parsed_req; } +function update_response_info_single(rec: Info_resp, single_resp: OCSP::SingleResp) + { + if ( single_resp?$certStatus ) + rec$certStatus = single_resp$certStatus; + + if ( single_resp?$thisUpdate ) + rec$thisUpdate = single_resp$thisUpdate; + + if ( single_resp?$nextUpdate ) + rec$nextUpdate = single_resp$nextUpdate; + } + +function update_response_info(rec: Info_resp, resp: OCSP::Response) + { + if ( resp?$responseStatus ) + rec$responseStatus = resp$responseStatus; + + if ( resp?$responseType ) + rec$responseType = resp$responseType; + + if ( resp?$version ) + rec$version = resp$version; + + if ( resp?$responderID ) + rec$responderID = resp$responderID; + + if ( resp?$producedAt ) + rec$producedAt = resp$producedAt; + } + +function update_response_info_with_single(rec: Info_resp, resp: OCSP::Response, single_resp: OCSP::SingleResp) + { + update_response_info(rec, resp); + update_response_info_single(rec, single_resp); + } + +function cert_id_from_response(single_resp: OCSP::SingleResp): OCSP::CertId + { + local cert_id: OCSP::CertId = []; + if ( single_resp?$hashAlgorithm ) + cert_id$hashAlgorithm = single_resp$hashAlgorithm; + + if ( single_resp?$issuerNameHash ) + cert_id$issuerNameHash = single_resp$issuerNameHash; + + if ( single_resp?$issuerKeyHash ) + cert_id$issuerKeyHash = single_resp$issuerKeyHash; + + if ( single_resp?$serialNumber ) + cert_id$serialNumber = single_resp$serialNumber; + + return cert_id; + } + event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) &priority = 5 { if ( ! f?$http ) 
@@ -307,25 +378,14 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { index += 1; local single_resp: OCSP::SingleResp = resp$responses[x]; - local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, - $issuerNameHash = single_resp$issuerNameHash, - $issuerKeyHash = single_resp$issuerKeyHash, - $serialNumber = single_resp$serialNumber]; - local resp_rec: Info_resp = [$ts = network_time(), - $id = f$id, - $cid = f$http$id, - $cuid = f$http$uid, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt, - $index = index, - $certId = cert_id, - $certStatus = single_resp$certStatus, - $thisUpdate = single_resp$thisUpdate]; - if (single_resp?$nextUpdate) - resp_rec$nextUpdate = single_resp$nextUpdate; + local cert_id: OCSP::CertId = cert_id_from_response(single_resp); + local resp_rec: Info_resp = [$ts = network_time(), + $id = f$id, + $cid = f$http$id, + $cuid = f$http$uid, + $index = index, + $certId = cert_id]; + update_response_info_with_single(resp_rec, resp, single_resp); if ( ! f$http?$ocsp_responses ) f$http$ocsp_responses = table(); @@ -339,15 +399,11 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo else { # no response content? this is weird but log it anyway - local resp_rec_empty: Info_resp = [$ts = network_time(), - $id = f$id, - $cid = f$http$id, - $cuid = f$http$uid, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt]; + local resp_rec_empty: Info_resp = [$ts = network_time(), + $id = f$id, + $cid = f$http$id, + $cuid = f$http$uid]; + update_response_info(resp_rec_empty, resp); local info_rec: Info = [$ts = resp_rec_empty$ts, $resp_ts = resp_rec_empty$ts, $resp = resp_rec_empty, 
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 6ec756c28e..61fd2b5094 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2998,10 +2998,10 @@ export { signature: string &optional; #&log; }; type CertId: record { - hashAlgorithm: string &log; - issuerNameHash: string &log; - issuerKeyHash: string &log; - serialNumber: string &log; + hashAlgorithm: string &log &optional; + issuerNameHash: string &log &optional; + issuerKeyHash: string &log &optional; + serialNumber: string &log &optional; }; } From 5d168792ee82b79e1419d475e94f5ac952b74357 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 28 Jul 2015 16:20:38 -0700 Subject: [PATCH 037/631] deal with bug url --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 44 ++++++++++++++++--- 1 file changed, 38 insertions(+), 6 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 853f4d65b1..7f743e6594 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -355,6 +355,28 @@ event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { Queue::put(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], current_ts); } +function clean_bug_host(host: string): string + { + local s: string = host; + s = clean_uri(s); + if ( s[0:7] == "http://" ) + s = s[7:]; + return s; + } + +function clean_bug_uri(uri: string, host: string): string + { + local s: string = uri; + s = clean_uri(s); + if ( s[0:7] == "http://" ) + s = s[7:]; + + if ( |host| > 0 && s[0:|host|] == host ) + s = s[|host|:]; + + return s; + } + function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) { ocsp$num_ocsp = http$conn$num_ocsp; 
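Review bot: `clean_bug_host` and `clean_bug_uri` both compare `s[0:7]` with the literal `"http://"`, which is case-sensitive and does not cover `https://`. A Host or URI written as `HTTP://...` therefore keeps its scheme and ends up inside `ocsp_uri`, which presumably breaks the later match against the URI taken from the certificate. `if ( to_lower(s[0:7]) == "http://" )` handles the case difference. The scheme stripping is duplicated in the two functions and could be a single helper called by both.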
@@ -368,17 +390,27 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) if ( http?$original_uri ) ocsp$original_uri = http$original_uri; + local host_str: string = ""; + if ( http?$host ) + host_str = clean_bug_host(http$host); + + local uri_str: string = ""; + if ( http?$uri) + { + if (http?$host) + uri_str = clean_bug_uri(http$uri, host_str); + else + uri_str = clean_bug_uri(http$uri, ""); + } + if ( http?$host ) { - ocsp$host = http$host; - ocsp$ocsp_uri = http$host; + ocsp$host = host_str; + ocsp$ocsp_uri = host_str; } if ( http?$uri ) { - local uri_str = http$uri; - if ( http?$host && http$uri == "http://" + http$host ) - uri_str = "/"; #deal with software bug: make the full url empty if ( ocsp?$ocsp_uri ) ocsp$ocsp_uri += uri_str; else @@ -390,7 +422,7 @@ function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) if ( |http$uri_prefix| > 0) ocsp$ocsp_uri = ""; if ( http?$host ) - ocsp$ocsp_uri = http$host; + ocsp$ocsp_uri = host_str; if ( |http$uri_prefix| > 0) ocsp$ocsp_uri += http$uri_prefix; } From 61f7276c80c5ace581f3e040af04c5f876dcb105 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Fri, 31 Jul 2015 13:39:25 -0700 Subject: [PATCH 038/631] parse revocation time and reason in ocsp response --- src/file_analysis/analyzer/ocsp/OCSP.cc | 30 ++++++++++++++++-- .../ocsp.log | 13 ++++++++ testing/btest/Traces/tls/ocsp-revoked.pcap | Bin 0 -> 12864 bytes .../base/protocols/ssl/ocsp-revoked.test | 4 +++ 4 files changed, 44 insertions(+), 3 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log create mode 100644 testing/btest/Traces/tls/ocsp-revoked.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index d0b1a62f90..df0dbc5599 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc 
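Review bot: `ocsp$host = host_str;` in `update_http_info` now logs the cleaned host, while the field is documented as "host in HTTP request". The malformed Host value that triggered the clean-up is then no longer recoverable from the log. Keeping `ocsp$host = http$host;` and using `host_str` only to build `ocsp_uri` preserves the evidence. Separately, the `if (http?$host) ... else ...` around `clean_bug_uri` is redundant because `host_str` is already `""` when no host is present. The function starts outside this hunk.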
@@ -411,7 +411,8 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) OCSP_BASICRESP *basic_resp = NULL; OCSP_RESPDATA *resp_data = NULL; OCSP_RESPID *resp_id = NULL; - OCSP_SINGLERESP *single_resp = NULL; + OCSP_SINGLERESP *single_resp = NULL; + OCSP_REVOKEDINFO *revoked_info = NULL; //OCSP_CERTSTATUS *cst = NULL; //OCSP_REVOKEDINFO *rev = NULL; @@ -495,8 +496,31 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) ocsp_fill_cert_id(cert_id, single_resp_bro); //certStatus - const char *cert_status_str = OCSP_cert_status_str(single_resp->certStatus->type); - single_resp_bro->Assign(4, new StringVal(strlen(cert_status_str), cert_status_str)); + string cert_status_str = OCSP_cert_status_str(single_resp->certStatus->type); + string revoke_reason = ""; + string revoke_time = ""; + + //add revocation time and reason if it is revoked + if (single_resp->certStatus->type == V_OCSP_CERTSTATUS_REVOKED) + { + revoked_info = single_resp->certStatus->value.revoked; + len = -1; + len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(revoked_info->revocationTime)); + if (len > 0) + revoke_time.assign((const char *)buf, len); + + if (revoked_info->revocationReason) + { + long l = ASN1_ENUMERATED_get(revoked_info->revocationReason); + revoke_reason = OCSP_crl_reason_str(l); + } + } + if (revoke_time.length() > 0) + cert_status_str += " " + revoke_time; + if (revoke_reason.length() > 0) + cert_status_str += " " + revoke_reason; + + single_resp_bro->Assign(4, new StringVal(cert_status_str.length(), cert_status_str.c_str())); //thisUpdate len = -1; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log new file mode 100644 index 0000000000..8876f251e7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log 
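Review bot: Appending the revocation time and reason to `cert_status_str` turns `certStatus` into a space-separated compound, as in `revoked 20150528055348Z (UNKNOWN)` in the baseline added by this patch. Consumers can no longer compare the field with `"revoked"`, and when the time conversion fails but a reason is present the second token changes meaning. Keeping `certStatus` as the bare status and assigning time and reason to their own optional fields on `OCSP::SingleResp` would keep each column single-valued. The leading `len = -1;` is overwritten on the next line and can be dropped. The enclosing `ParseResponse` starts and ends outside this hunk.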
@@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp +#open 2015-07-31-20-35-18 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string +1438374032.518621 192.168.6.109 41812 23.5.251.27 80 CXWv6p3arKYeMETxOg sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 010BF45E184C4169AB61B41168DF802E FDsgjS1bTYOzDpRJT4 0 - 1 1438374032.607628 Ftl4F41OsGtUDrOTWc successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707162834Z 1 revoked 20150514145849Z superseded 20150707162834Z 20150929011242Z POST +1438374032.650255 192.168.6.109 41813 23.5.251.27 80 CjhGID4nQcgTWjvg4c sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 013D34BFD6348EBA231D6925768ACD87 F5Tv7Z16QkNApNg0yl 0 - 1 1438374032.732035 FXISxH2UuTiDn0qCa1 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707212334Z 1 revoked 20150127203801Z unspecified 20150707212334Z 20150930071359Z POST +1438374032.759133 192.168.6.109 41814 23.5.251.27 80 CCvvfg3TEfuqmmG4bh sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0150C0C06D53F9D39205D84EFB5F2BA4 FGzVem3KYelVVdAze 0 - 1 1438374032.848522 F3OYfx3A0JvMX787V3 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707030344Z 1 revoked 20150528055348Z (UNKNOWN) 20150707030344Z 20150928205739Z POST +1438374032.875001 192.168.6.109 41815 23.5.251.27 80 CsRx2w45OKnoww6xl4 sha1 
74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 017447CB30072EE15B9C1B057B731C5A FbmX4PpDIRU82YGK8 0 - 1 1438374033.033504 FVty9v3KTnCvbg0Xf2 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150708020344Z 1 revoked 20150117113259Z keyCompromise 20150708020344Z 20150928165507Z POST +#close 2015-07-31-20-35-18 
diff --git a/testing/btest/Traces/tls/ocsp-revoked.pcap b/testing/btest/Traces/tls/ocsp-revoked.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a2cd4509ad0a13b4636fc54488c2b76f452344c4 GIT binary patch literal 12864 zcmeI2dpuO>AIHxb<2I5@g}*Ou?n%k@S)gVPt~!;7;?eD%l{1R;^-kB~`96y(i>m+(9)C#ML>XPd?3US=;J zkd=^02;zj;Dy)cyR7giWbGz(b1oex(m2K3gG^sDnJ3_U%BT z=Ugvu%m#Dw_V%=)TH~q|=LnvF!xLC}uZrZbFm_~Q7&nM5;70IlB7&kKt@xak(VQrO z_&N^`ZSZK1{dJ7@mcsxTvSzUQy9Qm$k@z`c-pLnytnZsaYwxLR*SWAr}BTEU6V&yuCQ7jKm zUmTsFjy5Ts?TrkG^Hnf{?;!EzbYYnicF#o+H`q-AJGJZ#J(V7 zG#tm~&Qhg#ariMDJ`3Y5d**99~dFFqgNCg#~hXZ2l_nL3U6m#|jQKKO&5Ug|p+V*vmMRnN%v1O2;j+$ml>Y z=$05S!m5`N!4J2@!lR=EVEAL$VccN00Nme$4NlAk><}&|n1y*qb1X4C%sn~`JRg;b zQEgc?dlsF6xz6@hrOb$n2WS@N!sl9IbgCFe z!&%^){_!FpoyQ4+Ny);3!XjWWK;{V*=7KqqEmUv=KTa3t3rZF$Fu^G*o_H)ri#)Q^ z$UmKTxNT~;(tG3ftit2j40m-MHK-Z4!|kZHGp7Yu3$!ve`8lp~D5XA)H*VG;<;{upa{2@NrT*>H18&I{w~X_O4%k)gU67qEBrnB< zWIu2$!i929*>WV5L{c|pG-T8-e{??j)i<-bD<4knA37Cz1dpYvfWjm;Rs?Q_$#PpxCy*K zZiJ!e0_QMxR1`+XW-P$GygV@HshAb!O2@}&s}c!jixXcy@K-91GiY?C1Jl6=cc9wg z%wCrDKd`X5&R(9_JPs@b!5ls=M921jOq9qFH3XcekYK93PjlR{F}9d~ttup~V3IJ& z<2Tba%JWv{#%o?ZQiJk+(-5tvx)Z~C9tgjx`}OGNsbwL%+P}MTaKxrDB}iWMwKD4$ zNu#u;P>UaU$K6yl&fImUqTTn;QuVW`O7#t!9kf!e+rK)R(i)+?Gn3uspPH(5#rPKG zyx9|)!W+kPN_xeShm*H_FXRO#mH19PmAb?H;*stJ=hJvP1-nxg8}PfCN4J)G-g{Pf zp;@ln(fxJK{5QoLOkSUFo!afTgO(7-k0$U3-Ig3NW0$UKALH)v2o&uh zlW+v*!QU|QGMs}4DX1(>azm5e%s>^j<#2D1p-R0=CkfTk4HXC?SvEGYv9Z=sAmgJ2 zq1HhW;Wj~$QMkG2IubrcS0BSZaV6QGn{_?$);fC^u zlG+cgW=tu}%1>?Po_y`{YTV`JyorUnV^)g-8?3t+h+A7 zmj-(6{4MhgbwVp_JuHM~TU;#HtzFA6|6BWR#{FSucO+%`WOjvUk#FA5Xnf#pcgc9H z@Vj}9hB+e**>|j4FEh>@o9kk6boi24FZQ{ckW$C5IB;oo{EM;MdkRi2pKWE8zqfq6 zzG~~T#-?=n$h|Nl^Fc-q(h~X-Eg@}S1GhN3qpH*nw1n^E()t=Wb8mW`2?mLG2PgUw zM5;9LY%FMe)X|C3M3ReGqvWhX7+ESrE46yytT`J?%o+`}2{}D*)lKKo{jWt6xi8AgAo@ZwgG?`3(xl%47pY@St_2g495KSH9t`ST?HD9N>IQ0tP2?P zS&-gmFnECc>1^tXCp4=`XjTDq8Z;QRm7=)DLo$qlTAT792BT{|BywD25`n?E&^nO# zB^r#$j59YGTT8|naE)U&U)dznU`)?=rrP5uARoM?=j3-pt^`JAiyTE1YpGFWoC<;& 
zcW7+CjDw>{1EW|AGY-!YW!zU_1mhubu7wKH0t^N`B#H8Mr-C6duYV2?AR7NAB4$G3 zmu@gb73;UAjK-;j8G9AXY`$ z*1)}^UsrDRyrrFctbk=YivyE&+X8k6&D^59d%jnaNf8T9e$Vs^a^Zms8*9!@-&_!M8TBz$S9-~J(kF=R0Q$zc3TI{+*H22lBDfpr}o zl9it{`4k6M{(S9$Yf1K>#99J;iLS1w^6!F`f5>1A84QuZC4P0&e zn(RM8OW0-MCTifSK}(nkllAf7#6*HPOq!VU5HvoT6HEsXcR`|q<)9jc1W`pMQ3DW7 zq>113BT7yvgmEf_XwD1=PNO2?aGC>PM8eEL|H2jT8xu*W1_RG!jp3 zEUl3?L;Tb-G%h1Fj*-yV2sB=Y4Wt>^_<*|sU{v;iNnZ^$E?=WEh-HZ`f*M<|iZm`j zJTGkz@PgI^S{Cvgv9SQeMtHu@vNUcJlcluEvMdWa^i017bZ=-`E^ii-f!<PkuLC(y=1F`-k=GQ`Tj;S-{A=KPZm1)F?90i7?}q z&+3I$vu(T5j;zbW-qoZV6TH|$D)5JmIbHdbjIh{6OqVbk!4}h>~SWO z&afvei?Z0Ve7v*Rve4{lIMa?U+p_#>I_vuyIlXd9c%I`{v!hcJ0zLBfKW}s1m-B1B zX0CG`SFMI_JbiTA^<|@8#)ndFU!9}&ROL$2!HpqaRZpAVZ66zer#s$eous8we1|97 zPX4YZI~8L}+@WLaPd-waB)5cm#wNG=K_ z0Xi9$@KEJ}CET);SQMc5*f6k!|4S1zWLbtRi^#I<2O0Tk%Mx8eG;p;8Tf(LK9eS3X za8G1{s3o+RPOmf7fI0qnaN-GqSR+leu?3Bfx@k^dOK35pk2vwgpc+pS#A`B%Uy*l{9#=8+em0u0Q4$oS?XOyaSecE7=^ch_-V^h6ab0)LSzzwW%2(QSD=v~ zeudCK(()W>RS+uTP-1~>&gB{72lr9#YJ(&d~3AjN(<8aesk*H)xVUoWU-OML-%L?oC9HM<9dXAxV_K#m$Dq_tRt&!FuN( zB_cLM;umjO?3pw>=D*!#A+}HK#cy8WwExbsfY-g4OcrkU-|Vu`doTJwzQ$#bgDsHH zVp$}zSY%nKR68n_P6L}K@HH+}WLf&|+~2ZLZJFTRGMT$9iTMT-+9)mY<|9US#QA6X zkpqQ-%onQ+&tABh>1lS=z3koL4WlfVhyP$76ZqW8@@~uU?Lo#e3U~tJU2CKKw8E4e{M zkX%Mc)3`swWu)ikz-2_hCl)5KjGTTZT1KA0Wn}2ZF!(y_(2HTcFNVSVA^~F!vlSka z`GqjJIYi^rI559r5{Uc)cA(a3V17ZOQ9q)LIlw07fTcu}3Fbgd0%)Z)Yl8>OfhUm2 z9-J6R5G`a76Txd-nzd{Zu^Y@Pf>`p?piiAkJoQ6~r%nV<4O(losb-Vtsh@#a)%_o| C*fs0` literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test new file mode 100644 index 0000000000..3b3bf0a61b --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test @@ -0,0 +1,4 @@ +# This tests a OCSP request missing response + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT +# @TEST-EXEC: btest-diff ocsp.log From 1abd41c413e054bb21b7343d94c1621b48fa7cbc Mon Sep 17 00:00:00 2001 
From: Liang Zhu Date: Fri, 31 Jul 2015 13:50:48 -0700 Subject: [PATCH 039/631] copy paste error --- testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test index 3b3bf0a61b..1125484cdf 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test @@ -1,4 +1,4 @@ -# This tests a OCSP request missing response +# This tests OCSP response with revocation # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT # @TEST-EXEC: btest-diff ocsp.log From ce47024dd966dae8a59e3ec775ce89291c06cebf Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 18 Aug 2015 16:00:55 -0700 Subject: [PATCH 040/631] simplify some code --- src/file_analysis/analyzer/ocsp/OCSP.cc | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index df0dbc5599..340838eb1a 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc @@ -413,9 +413,7 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) OCSP_RESPID *resp_id = NULL; OCSP_SINGLERESP *single_resp = NULL; OCSP_REVOKEDINFO *revoked_info = NULL; - - //OCSP_CERTSTATUS *cst = NULL; - //OCSP_REVOKEDINFO *rev = NULL; + OCSP_CERTSTATUS *cert_status = NULL; RecordVal *ocsp_resp_record = NULL; VectorVal *all_resp_bro = NULL; 
@@ -496,24 +494,22 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) ocsp_fill_cert_id(cert_id, single_resp_bro); //certStatus - string cert_status_str = OCSP_cert_status_str(single_resp->certStatus->type); - string revoke_reason = ""; - string revoke_time = ""; + cert_status = single_resp->certStatus; + std::string cert_status_str = OCSP_cert_status_str(cert_status->type); + std::string revoke_reason = ""; + std::string revoke_time = ""; //add revocation time and reason if it is revoked - if (single_resp->certStatus->type == V_OCSP_CERTSTATUS_REVOKED) + if (cert_status->type == V_OCSP_CERTSTATUS_REVOKED) { - revoked_info = single_resp->certStatus->value.revoked; + revoked_info = cert_status->value.revoked; len = -1; len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(revoked_info->revocationTime)); if (len > 0) revoke_time.assign((const char *)buf, len); if (revoked_info->revocationReason) - { - long l = ASN1_ENUMERATED_get(revoked_info->revocationReason); - revoke_reason = OCSP_crl_reason_str(l); - } + revoke_reason = OCSP_crl_reason_str(ASN1_ENUMERATED_get(revoked_info->revocationReason)); } if (revoke_time.length() > 0) cert_status_str += " " + revoke_time; From 1989f34a0af7b9a10a2ea8e2f05c8b65e7c89795 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 18 Aug 2015 19:35:43 -0700 Subject: [PATCH 041/631] add parsing certificates in OCSP responses --- scripts/base/init-bare.bro | 1 + src/file_analysis/analyzer/ocsp/OCSP.cc | 26 ++++++++++++++++++- .../.stdout | 1 + .../protocols/ssl/ocsp-response-cert.test | 15 +++++++++++ 4 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 0a07685fa5..11e5232d95 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -3003,6 +3003,7 @@ export { #responseExtensions:xxx signatureAlgorithm: string &log &optional; signature: string &optional; #&log; + certs: vector of opaque of x509 &optional; }; type CertId: record { hashAlgorithm: string &log &optional; diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc index 340838eb1a..d54f1f345b 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/ocsp/OCSP.cc @@ -15,6 +15,16 @@ #include #include +// helper function of sk_X509_value to avoid namespace problem +// sk_X509_value(X,Y) = > SKM_sk_value(X509,X,Y) +// X509 => file_analysis::X509 +X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i) + { + return sk_X509_value(certs, i); + } + +#include "file_analysis/analyzer/x509/X509.h" + using namespace file_analysis; IMPLEMENT_SERIAL(OCSP_REQVal, SER_OCSP_REQ_VAL); @@ -404,7 +414,6 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) { if (resp_val == NULL) return NULL; - OCSP_RESPONSE *resp = NULL; OCSP_RESPBYTES *resp_bytes = NULL; OCSP_CERTID *cert_id = NULL; @@ -551,6 +560,21 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) if (len > 0) ocsp_resp_record->Assign(7, new StringVal(len, buf)); } + //certs + if (basic_resp->certs) + { + VectorVal *certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType()); + int num_certs = sk_X509_num(basic_resp->certs); + for (i=0; icerts, i)); + //::X509 *this_cert = X509_dup(sk_X509_value(basic_resp->certs, i)); + if (this_cert) + certs_vector->Assign(i, new file_analysis::X509Val(this_cert)); + else + reporter->Weird("OpenSSL returned null certificate"); + } + ocsp_resp_record->Assign(8, certs_vector); + } clean_up: if (basic_resp) OCSP_BASICRESP_free(basic_resp); 
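Review bot: `helper_sk_X509_value` in the `@@ -15,6 +15,16 @@` hunk is defined at file scope with external linkage, so the workaround for the `X509` name clash exports a global symbol that only this translation unit needs. Declaring it `static X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i)` keeps it local. The comment above it should also state the constraint as a sentence, since the include order is load-bearing: `// Must stay above the X509.h include: once file_analysis::X509 is visible, the X509 token inside the sk_X509_value macro no longer names the OpenSSL type.`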
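Review bot: When `X509_dup` returns null in the `//certs` block, the `else` branch only raises the weird, so slot `i` of `certs_vector` is never assigned while later certificates are still stored at their original index. The loop header is garbled on this page, so this is read from the `certs_vector->Assign(i, ...)` call; presumably the vector handed to scripts can then hold an unset element, which a handler that walks `resp$certs` and calls `x509_parse` on each entry would trip over. Assigning at a separate output index keeps the vector dense: `int stored = 0;` before the loop and `certs_vector->Assign(stored++, new file_analysis::X509Val(this_cert));` inside it. The certificates are copied from the response as received, with no verification visible in this hunk, and a comment saying so would help readers of the `certs` field. `ParseResponse` begins outside this hunk.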
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout new file mode 100644 index 0000000000..b6a95f4f0c --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout @@ -0,0 +1 @@ +[version=3, serial=2CA87AF0486CD01E, subject=CN=Go Daddy Validation Authority - G2,O=GoDaddy Inc.,L=Scottsdale,ST=Arizona,C=US, issuer=CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US, cn=Go Daddy Validation Authority - G2, not_valid_before=1426489200.0, not_valid_after=1458111600.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=] diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test new file mode 100644 index 0000000000..5ed2bf3253 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test @@ -0,0 +1,15 @@ +# This tests OCSP response containing a certificate + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) +{ +if (resp?$certs) + { + for (x in resp$certs) + { + print x509_parse(resp$certs[x]); + } + } +} \ No newline at end of file From d45558d2a18dce0b1aafe592beaaef226c896577 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Tue, 18 Aug 2015 21:44:52 -0700 Subject: [PATCH 042/631] log the number of certs in OCSP response --- scripts/base/files/ocsp/main.bro | 5 +++++ scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/ocsp/main.bro index 1362330cf1..3474e3a797 100644 --- a/scripts/base/files/ocsp/main.bro 
+++ b/scripts/base/files/ocsp/main.bro @@ -67,6 +67,8 @@ export { responderID: string &log &optional; ## producedAt producedAt: string &log &optional; + ## certificates + certs: vector of opaque of x509 &optional; ## NOTE: the following are specific to one cert id ## the above are for one file which may contain @@ -340,6 +342,9 @@ function update_response_info(rec: Info_resp, resp: OCSP::Response) if ( resp?$producedAt ) rec$producedAt = resp$producedAt; + + if ( resp?$certs ) + rec$certs = resp$certs; } function update_response_info_with_single(rec: Info_resp, resp: OCSP::Response, single_resp: OCSP::SingleResp) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 7f743e6594..0efad933c9 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -85,6 +85,9 @@ export { ## user_agent user_agent: string &log &optional; + + ## number of certificates in response + resp_certs_num: count &log &default=0; }; type Issuer_Name_Type: record { @@ -466,6 +469,8 @@ function start_log_ocsp(rec: OCSP::Info) { info_ocsp_rec$resp = rec$resp; info_ocsp_rec$resp_ts = rec$resp$ts; + if ( rec$resp?$certs ) + info_ocsp_rec$resp_certs_num = |rec$resp$certs|; } if ( rec?$req && rec?$resp ) From cdc812074c9994fba5c91c418d12ddd6494284f2 Mon Sep 17 00:00:00 2001 From: Liang Zhu Date: Wed, 19 Aug 2015 11:38:34 -0700 Subject: [PATCH 043/631] fix data structure recursion --- .../policy/protocols/ssl/ocsp-ssl-split.bro | 39 +++++++++++++------ 1 file changed, 28 insertions(+), 11 deletions(-) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 0efad933c9..8f10745066 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro 
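Review bot: The new `certs` field in the first main.bro hunk is documented only as `## certificates`, which tells a script writer neither where these come from nor how far to trust them. They are whatever certificates the responder attached to the response, and nothing visible on this page checks them against the response signature or an issuer before they are stored. The comment should carry that caveat: `## Certificates attached to the response by the responder; copied as received, not validated.` The same applies to `resp_certs_num` in ocsp-ssl-split.bro, which simply counts what was attached.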
@@ -163,8 +163,11 @@ redef record HTTP::Info += { request_header_len: count &optional &default=0; response_header_len: count &optional &default=0; - ## connection used to get num_ocsp and connection start time - conn: connection &optional; + ## number of OCSP requests so far, copied from connection + num_ocsp: count &optional; + + ## connection start time, copied from connection + conn_start_ts: time &optional; }; # add additional information to ssl info @@ -215,32 +218,44 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo { if ( ! f?$http ) return; - # check if there is a OCSP GET request + + # get connection id TODO:TOCHECK + local cid: conn_id; + for ( id in f$conns ) + cid = id; + + # check if there is a OCSP GET request if ( f$http?$method && f$http$method == "GET" ) - f$http$conn$num_ocsp += 1; + f$conns[cid]$num_ocsp += 1; } event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) { if ( ! f?$http ) return; - f$http$conn$num_ocsp += 1; + + # get connection id TODO:TOCHECK + local cid: conn_id; + for ( id in f$conns ) + cid = id; + + f$conns[cid]$num_ocsp += 1; } event http_reply (c: connection, version: string, code: count, reason: string) { if ( ! c?$http ) return; - if ( ! c$http?$conn ) - c$http$conn = c; + if ( ! c$http?$conn_start_ts ) + c$http$conn_start_ts = c$start_time; } event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) { if ( ! c?$http ) return; - if ( ! c$http?$conn ) - c$http$conn = c; + if ( ! c$http?$conn_start_ts ) + c$http$conn_start_ts = c$start_time; } # record the header length @@ -252,6 +267,7 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) c$http$request_header_len = stat$header_length; else c$http$response_header_len = stat$header_length; + c$http$num_ocsp = c$num_ocsp; } # add server hello time 
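Review bot: In both `ocsp_response` and `ocsp_request`, `cid` is declared without a value and only set inside `for ( id in f$conns )`, so when the file has no connection entry the following `f$conns[cid]$num_ocsp += 1;` uses an uninitialized `conn_id`; the `TODO:TOCHECK` marker suggests this was left open. The loop also keeps whichever key is iterated last if a file is attached to more than one connection. Incrementing inside the loop removes the uninitialized case and makes the multi-connection behaviour explicit, `for ( id in f$conns ) f$conns[id]$num_ocsp += 1;`, preceded by `if ( ! f?$conns ) return;`. In `ocsp_response` the loop would stay under the existing `GET` check, and note that this counts the request on every attached connection rather than on one arbitrary one.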
@@ -382,7 +398,8 @@ function clean_bug_uri(uri: string, host: string): string function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) { - ocsp$num_ocsp = http$conn$num_ocsp; + if ( http?$num_ocsp ) + ocsp$num_ocsp = http$num_ocsp; if ( http?$method ) ocsp$method = http$method; @@ -454,7 +471,7 @@ function start_log_ocsp(rec: OCSP::Info) local http: HTTP::Info = rec$http; local info_ocsp_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cid = http$id, $cuid = http$uid, - $conn_start_ts = http$conn$start_time]; + $conn_start_ts = http$conn_start_ts]; if ( rec?$certId ) info_ocsp_rec$cert_id = rec$certId; From c93a9fbebdab2386c16b49af0e0c88381eaaf69a Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 8 Dec 2015 14:55:50 -0800 Subject: [PATCH 044/631] Log only local-originated IPs. --- scripts/policy/protocols/ssl/ocsp-ssl-split.bro | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro index 8f10745066..33085f79db 100644 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro @@ -494,6 +494,10 @@ function start_log_ocsp(rec: OCSP::Info) info_ocsp_rec$delay = info_ocsp_rec$resp_ts - info_ocsp_rec$req_ts; update_http_info(info_ocsp_rec, http); + + if ( Site::is_private_addr(info_ocsp_rec$cid$orig_h) || !Site::is_local_addr(info_ocsp_rec$cid$orig_h) ) + return; + Log::write(LOG_OCSP, info_ocsp_rec); } @@ -564,6 +568,10 @@ event connection_state_remove(c: connection) &priority= -20 if (|cert_recv_ts_str| > 0) ssl_info_rec$cert_recv_ts = cert_recv_ts_str; update_ssl_info(ssl_info_rec, c$ssl); + + if ( Site::is_private_addr(ssl_info_rec$id$orig_h) || !Site::is_local_addr(ssl_info_rec$id$orig_h) ) + return; + Log::write(LOG_SSL, ssl_info_rec); #delete c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name]; } From d92fd52b35a907924e85a7413d37ae9393a18394 Mon Sep 17 00:00:00 2001 
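Review bot: In the `@@ -454,7 +471,7 @@` hunk `start_log_ocsp` reads `http$conn_start_ts` unconditionally while building `info_ocsp_rec`, although the field was added as `&optional` and is only filled in by the `http_request` and `http_reply` handlers. The sibling change in `update_http_info` does guard its new field with `if ( http?$num_ocsp )`, so the two hunks are inconsistent. If an `HTTP::Info` reaches this function without the timestamp, the field access raises a runtime error and the entry is lost without explanation. A guard before the constructor would match the other hunk: `if ( ! http?$conn_start_ts ) return;`. The function body starts and ends outside this hunk.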
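Review bot: The filter added in `start_log_ocsp` (and the identical one in `connection_state_remove`) drops entries silently, and it drops every entry when `Site::local_nets` is not configured, because `Site::is_local_addr` then matches nothing. A comment stating the intent would keep an empty log from being read as a parser failure: `# Only log originators inside Site::local_nets and outside private address space; needs local_nets to be set.` The check also runs only after the whole record has been built. Testing `http$id$orig_h` near the top of `start_log_ocsp` would avoid that work, and presumably `c$id$orig_h` could serve the same way in `connection_state_remove`. Both functions extend beyond their hunks.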
From: Johanna Amann Date: Mon, 14 Dec 2015 16:06:31 -0800 Subject: [PATCH 045/631] Remove measurement scripts --- .../policy/protocols/ssl/ocsp-measurement.bro | 481 -------------- .../policy/protocols/ssl/ocsp-ssl-split.bro | 585 ------------------ 2 files changed, 1066 deletions(-) delete mode 100644 scripts/policy/protocols/ssl/ocsp-measurement.bro delete mode 100644 scripts/policy/protocols/ssl/ocsp-ssl-split.bro diff --git a/scripts/policy/protocols/ssl/ocsp-measurement.bro b/scripts/policy/protocols/ssl/ocsp-measurement.bro deleted file mode 100644 index b883a36fdc..0000000000 --- a/scripts/policy/protocols/ssl/ocsp-measurement.bro +++ /dev/null 
@@ -1,481 +0,0 @@ -#! Match OCSP request and response to SSL connection for performance analysis - -@load base/protocols/http -@load base/frameworks/files -@load base/files/x509 -@load base/protocols/ssl -@load base/utils/queue - -module OCSP_MEASUREMENT; - -export { - redef enum Log::ID += { LOG }; - - type Info: record { - ## cert id for the OCSP request - cert_id: OCSP::CertId &log &optional; - - ## request timestamp - req_ts: time &log &optional; - - ## request - ## NOTE: this is only one request if multiple requests - ## are sent together in one HTTP message, they will be - ## logged separately - req: OCSP::Info_req &log &optional; - - ## response timestamp - resp_ts: time &log &optional; - - ## response - ## NOTE: similar to request, if multiple responses are - ## sent together in one HTTP message, they will be - ## logged separately - resp: OCSP::Info_resp &log &optional; - - ## HTTP connection uid - cuid: string &log; - - ## HTTP connection start time - conn_start_ts: time &log; - - ## for 1st request, this is the time between first TCP - ## SYN and resp_ts; for the rest of the requests in - ## the same connection, this is the time btween req_ts - ## and resp_ts - delay: interval &log &optional; - - ## the size of HTTP request body - req_size: count &log &optional; - - ## the size of HTTP request header - req_hdr_size: count &log &optional; - - ## the size of HTTP response body - resp_size: count &log &optional; - - ## the size of HTTP response header - resp_hdr_size: count &log &optional; - - ## the HTTP code in the HTTP response - http_code: count &log &optional; - - ## OCSP host, this is host in HTTP request - host: string &log; - - ## OCSP uri, this is uri in HTTP request - uri: string &log; - - ## number of HTTP request containing ocsp requests in - ## this connection including this one; this may be - ## different from number of OCSP requests since one - ## HTTP request may contain several OCSP requests - num_ocsp: count &log &optional; - - ## the time 
when the corresponding certificate is - ## received - cert_recv_ts: time &log &optional; - - ## SSL connection uid - ssl_cuid: string &log &optional; - - ## SSL connection id - ssl_cid: conn_id &optional; - - ## the time when client receives change cipher message - ## from server - ssl_change_cipher_ts: time &log &optional; - - ## the time when SSL connection is established - ssl_establish_ts: time &log &optional; - - ## the time when event connection_state_remove happens - ssl_end_ts: time &log &optional; - }; - - ## a group of constant string for hash algorithm - ## to save memory, remove any unseen hash algorithm - global hash_algorithm = vector("sha1", "sha224", "sha256", "sha384", "sha512"); - - ## Event from a worker to the manager that it has encountered - ## an OCSP response - global new_ocsp_info: event(c: connection) &redef; - - ## Event from the manager to the workers that a new OCSP info - ## is to be added. - global ocsp_info_add: event(c: connection); -} - -## - map to OCSP_MEASUREMENT::Info -## - indexed by hash algorithm(string), source ip(addr), ocsp -## uri(string), issuer name hash(string), serialNumber(string) -## - is it possible server sends two same certificate? 
To be -## safe, let's use a queue to store OCSP_MEASUREMENT::Info -global ocsp_map: table[string, addr, string, string, string] of Queue::Queue &read_expire=6mins; - -# track number of ocsp requests in this connection -redef record connection += { - num_ocsp: count &optional &default=0; - }; - -# add additional information to http info -redef record HTTP::Info += { - ## header length - request_header_len: count &optional &default=0; - response_header_len: count &optional &default=0; - - ## OCSP file id - ocsp_request_fuid: string &optional; - ocsp_response_fuid: string &optional; - - ## OCSP request and response timestamp - ocsp_request_ts: time &optional; - ocsp_response_ts: time &optional; - - ## store OCSP requests and responses - ocsp_request: OCSP::Request &optional; - ocsp_response: OCSP::Response &optional; -}; - -# add additional information to ssl info -redef record SSL::Info += { - ## connection start time - connection_start_ts: time &optional; - - ## client hello time - client_hello_ts: time &optional; - - ## ssl connection establish time - ssl_establish_ts: time &optional; - - ## the time when server sends change-cipher-spec - change_cipher_ts: time &optional; - - ## - the time when a cert is received AND the cert has ocsp - ## extension - ## - the 2nd level table indexed by source ip(addr), ocsp - ## uri(string), issuer name hash(string), serialNumber - ## (string) - ## - the 1st level table indexed by different hash algorithm - ## for issuer name hash - ## - is it possible a server sends two same certificate? 
To be - ## safe, let's use a queue to store the time - cert_ts: table[string] of table[addr, string, string, string] of Queue::Queue &optional; -}; - -# set up cluster event -@if ( Cluster::is_enabled() ) -@load base/frameworks/cluster -redef Cluster::manager2worker_events += /OCSP_MEASUREMENT::ocsp_info_add/; -redef Cluster::worker2manager_events += /OCSP_MEASUREMENT::new_ocsp_info/; -@endif - -# get all the requests in one HTTP request -function get_all_requests(http: HTTP::Info): table[OCSP::CertId] of Queue::Queue - { - local pending_requests: table[OCSP::CertId] of Queue::Queue = table(); - if ( http?$ocsp_request && http$ocsp_request?$requestList ) - { - local req = http$ocsp_request; - for (x in req$requestList) - { - local one_req = req$requestList[x]; - local cert_id: OCSP::CertId = [$hashAlgorithm = one_req$hashAlgorithm, - $issuerNameHash = one_req$issuerNameHash, - $issuerKeyHash = one_req$issuerKeyHash, - $serialNumber = one_req$serialNumber]; - - local req_rec: OCSP::Info_req = [$ts=http$ocsp_request_ts, $id=http$ocsp_request_fuid, $certId=cert_id]; - - if (req?$version) - req_rec$version = req$version; - - if (req?$requestorName) - req_rec$requestorName = req$requestorName; - - if (cert_id !in pending_requests) - pending_requests[cert_id] = Queue::init(); - - Queue::put(pending_requests[cert_id], req_rec); - } - } - return pending_requests; - } - -# remove the last '/' -function clean_uri(s: string): string - { - local s_len = |s|; - s_len -= 1; - if (s[-1] == "/") - return clean_uri(s[0:s_len]); - else - return s; - } - -# fill in OCSP/HTTP information -function fill_ocsp_info(c: connection) - { - local http: HTTP::Info = c$http; - - # get all the requests which will be matched to response later - local pending_requests: table[OCSP::CertId] of Queue::Queue = get_all_requests(http); - - # get all the responses and match them to the requests - if ( http?$ocsp_response && http$ocsp_response?$responses ) - { - local resp = http$ocsp_response; - for (x 
in resp$responses) - { - local single_resp: OCSP::SingleResp = resp$responses[x]; - local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, - $issuerNameHash = single_resp$issuerNameHash, - $issuerKeyHash = single_resp$issuerKeyHash, - $serialNumber = single_resp$serialNumber]; - - local resp_rec: OCSP::Info_resp = [$ts = http$ocsp_response_ts, - $id = http$ocsp_response_fuid, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt, - $certId = cert_id, - $certStatus = single_resp$certStatus, - $thisUpdate = single_resp$thisUpdate]; - - if (single_resp?$nextUpdate) - resp_rec$nextUpdate = single_resp$nextUpdate; - - local ocsp_info: OCSP_MEASUREMENT::Info = [$cert_id = cert_id, - $cuid = http$uid, - $conn_start_ts = c$start_time, - $host = http$host, - $uri = http$uri, - $resp_ts = resp_rec$ts, - $resp = resp_rec, - $req_size = http$request_body_len, - $req_hdr_size = http$request_header_len, - $resp_size = http$response_body_len, - $resp_hdr_size = http$response_header_len, - $http_code = http$status_code]; - if (cert_id in pending_requests) - { - # find a match - local req_rec: OCSP::Info_req = Queue::get(pending_requests[cert_id]); - ocsp_info$req = req_rec; - ocsp_info$req_ts = req_rec$ts; - ocsp_info$num_ocsp = c$num_ocsp; - - if (c$num_ocsp == 1) - ocsp_info$delay = ocsp_info$resp$ts - c$start_time; - else - ocsp_info$delay = ocsp_info$resp$ts - ocsp_info$req$ts; - - if (Queue::len(pending_requests[cert_id]) == 0) - delete pending_requests[cert_id]; #if queue is empty, delete it? 
- } - - # add to ocsp map - local full_uri: string = clean_uri(http$host + http$uri); - local h = cert_id$hashAlgorithm; - local src_ip: addr = c$id$orig_h; - - if ( [h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] !in ocsp_map ) - ocsp_map[h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber] = Queue::init(); - - Queue::put(ocsp_map[h, src_ip, full_uri, cert_id$issuerNameHash, cert_id$serialNumber], ocsp_info); - } - - } - } - -# work event -@if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER ) -event OCSP_MEASUREMENT::ocsp_info_add(c: connection) - { - fill_ocsp_info(c); - } -@endif - -# manager event -@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) -event OCSP_MEASUREMENT::new_ocsp_info(c: connection) - { - event OCSP_MEASUREMENT::ocsp_info_add(c); - } -@endif - -# record the header length -event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) - { - # proceed only this http connection has ocsp request or response - if ( ! c$http?$ocsp_request && ! c$http?$ocsp_response ) - return; - - if ( is_orig ) - { - c$http$request_header_len = stat$header_length; - c$num_ocsp += 1; - } - else - { - c$http$response_header_len = stat$header_length; - # here, a http request-response is done - # if any ocsp info is present, put it in ocsp_map -@if ( ! 
Cluster::is_enabled() ) - fill_ocsp_info(c); -@endif - -@if ( Cluster::is_enabled() ) - # send this ocsp info to manager and manager will send - # it to all the workder - event OCSP_MEASUREMENT::new_ocsp_info(c); -@endif - } - } - -# add ocsp request to http record -event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) - { - if ( !f?$http ) - return; - f$http$ocsp_request = req; - f$http$ocsp_request_ts = network_time(); - f$http$ocsp_request_fuid = f$id; - } - -# add ocsp response to http record -event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) - { - if ( !f?$http ) - return; - f$http$ocsp_response = resp; - f$http$ocsp_response_ts = network_time(); - f$http$ocsp_response_fuid = f$id; - } - -# add client hello time and connection start time -event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) - { - c$ssl$client_hello_ts = network_time(); - c$ssl$connection_start_ts = c$start_time; - } - -# add time stamp for server's change cipher message -event ssl_change_cipher_spec(c: connection, is_orig: bool) - { - if ( is_orig ) - return; - c$ssl$change_cipher_ts = network_time(); - } - -# add ssl established time -event ssl_established(c: connection) - { - c$ssl$ssl_establish_ts = network_time(); - } - -# extract the full ocsp uri from certificate extension -function get_ocsp_uri(s: string): string - { - s = strip(s); - s = to_lower(s); - local parts = split_string(s, /\x0a/); - for (x in parts) - { - local f4c = sub_bytes(parts[x], 0, 4); - if (f4c == "ocsp") - { - local w = split_string(parts[x], /\/\//); - return w[1]; - } - } - return ""; - } - -# create ocsp index if ocsp extension is encountered -# record the time when certificate is received -event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { - if (!ext?$name || ext$name != "Authority Information Access") - return; - - if ( !f?$info || !f$info?$x509 || 
!f$info$x509?$handle || !f$info$x509?$certificate) - return; - - local ocsp_uri: string = clean_uri(get_ocsp_uri(ext$value)); - if ( |ocsp_uri| == 0 ) - return; - - local cert: X509::Certificate = f$info$x509$certificate; - local serial_number: string = cert$serial; - local cert_ref: opaque of x509 = f$info$x509$handle; - - # get connection - local c: connection; - # there should be only one loop - for ( id in f$conns ) - c = f$conns[id]; - - if ( !c$ssl?$cert_ts ) - c$ssl$cert_ts = table(); - - local current_ts: time = network_time(); - local source_ip: addr = c$id$orig_h; - - local issuer_name: table[string] of string; - # loop through each hash algorithm - for (i in hash_algorithm) - { - local h: string = hash_algorithm[i]; - issuer_name[h] = x509_issuer_name_hash(cert_ref, h); - - # if given hash algorithm is not in record, create a new table - if ( h !in c$ssl$cert_ts ) - c$ssl$cert_ts[h] = table(); - - # if given index is not in record, create a new queue - if ( [source_ip, ocsp_uri, issuer_name[h], serial_number] !in c$ssl$cert_ts[h] ) - c$ssl$cert_ts[h][source_ip, ocsp_uri, issuer_name[h], serial_number] = Queue::init(); - - # put the timing information in the queue of ssl info - Queue::put(c$ssl$cert_ts[h][source_ip, ocsp_uri, issuer_name[h], serial_number], current_ts); - } - } - -# log information when ssl connection is removed -event connection_state_remove(c: connection) &priority= -20 - { - if ( ! c?$ssl || ! 
c$ssl?$cert_ts ) - return; - - for (i in hash_algorithm) - { - local h = hash_algorithm[i]; - for ( [src_ip, ocsp_uri, issuer_name, serial_number] in c$ssl$cert_ts[h] ) - { - if ( [h, src_ip, ocsp_uri, issuer_name, serial_number] in ocsp_map ) - { - # find a ocsp to ssl match - local ocsp_info: OCSP_MEASUREMENT::Info = Queue::get(ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]); - if (Queue::len(ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]) == 0) - delete ocsp_map[h, src_ip, ocsp_uri, issuer_name, serial_number]; - local cert_recv_ts: time = Queue::get(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]); - if (Queue::len(c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]) == 0) - delete c$ssl$cert_ts[h][src_ip, ocsp_uri, issuer_name, serial_number]; - ocsp_info$cert_recv_ts = cert_recv_ts; - ocsp_info$ssl_cuid = c$uid; - ocsp_info$ssl_cid = c$id; - ocsp_info$ssl_change_cipher_ts = c$ssl$change_cipher_ts; - ocsp_info$ssl_establish_ts = c$ssl$ssl_establish_ts; - ocsp_info$ssl_end_ts = network_time(); - Log::write(LOG, ocsp_info); - } - } - } - } - -event bro_init() - { - Log::create_stream(LOG, [$columns=Info, $path="ocsp-measurement"]); - } diff --git a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro b/scripts/policy/protocols/ssl/ocsp-ssl-split.bro deleted file mode 100644 index 33085f79db..0000000000 --- a/scripts/policy/protocols/ssl/ocsp-ssl-split.bro +++ /dev/null 
@@ -1,585 +0,0 @@ -#! log OCSP request, response and related HTTP information -#! log SSL connection which has cert with OCSP uri - -@load base/protocols/http -@load base/frameworks/files -@load base/files/x509 -@load base/protocols/ssl -@load base/utils/queue - -module OCSP_SSL_SPLIT; - -export { - redef enum Log::ID += { LOG_OCSP }; - redef enum Log::ID += { LOG_SSL }; - - type Info_OCSP: record { - ## cert id for the OCSP request - cert_id: OCSP::CertId &log &optional; - - ## request timestamp - req_ts: time &log &optional; - - ## request - ## NOTE: this is only one request if multiple requests - ## are sent together in one HTTP message, they will be - ## logged separately - req: OCSP::Info_req &log &optional; - - ## response timestamp - resp_ts: time &log &optional; - - ## response - ## NOTE: similar to request, if multiple responses are - ## sent together in one HTTP message, they will be - ## logged separately - resp: OCSP::Info_resp &log &optional; - - ## HTTP connection id - cid: conn_id &log; - - ## HTTP connection uid - cuid: string &log; - - ## HTTP connection start time - conn_start_ts: time &log; - - ## the time between req_ts and resp_ts - delay: interval &log &optional; - - ## the size of HTTP request body - req_size: count &log &optional; - - ## the size of HTTP request header - req_hdr_size: count &log &optional; - - ## the size of HTTP response body - resp_size: count &log &optional; - - ## the size of HTTP response header - resp_hdr_size: count &log &optional; - - ## the HTTP code in the HTTP response - http_code: count &log &optional; - - ## HTTP method - method: string &log &optional; - - ## host in HTTP request + uri in HTTP request - ## last '/' is removed - ## for GET request, OCSP request is remove from url - ocsp_uri: string &log &optional; - - ## number of HTTP requests containing ocsp requests in - ## this connection including this one; this may be - ## different from number of OCSP requests since one - ## HTTP request may contain 
several OCSP requests; - ## this is copied from connection - num_ocsp: count &log &optional; - - ## the original_uri in HTTP request - original_uri: string &log &optional; - - ## host in HTTP request - host: string &log &optional; - - ## user_agent - user_agent: string &log &optional; - - ## number of certificates in response - resp_certs_num: count &log &default=0; - }; - - type Issuer_Name_Type: record { - sha1: string &log &optional; - sha224: string &log &optional; - sha256: string &log &optional; - sha384: string &log &optional; - sha512: string &log &optional; - }; - - type Info_SSL: record { - ## connection id - id: conn_id &log; - - ## uid - uid: string &log; - - ## connection start time - conn_start_ts: time &log &optional; - - ## client hello time - client_hello_ts: time &log &optional; - - ## server hello time - server_hello_ts: time &log &optional; - - ## the time for client change cipher message - client_change_cipher_ts: time &log &optional; - - ## the time for server change cipher message - server_change_cipher_ts: time &log &optional; - - ## the time when SSL connection is established - establish_ts: time &log &optional; - - ## the time for the first encrypted client application data - client_first_encrypt_ts: time &log &optional; - - ## the time for the first encrypted server application data - server_first_encrypt_ts: time &log &optional; - - ## the time when event connection_state_remove happens - end_ts: time &log &optional; - - ## the above are common information for SSL connection - ## the following is specific to an cert - - ## ocsp_uri - ocsp_uri: string &log &optional; - - ## serial_number - serial_number: string &log &optional; - - ## the time when the corresponding certificate is - ## received; formatted as: str(time),str(time) - cert_recv_ts: string &log &optional; - - ## issuer_name - issuer_name: Issuer_Name_Type &log &optional; - }; -} - -redef SSL::disable_analyzer_after_detection=F; - -redef record connection += { - ## track number 
of ocsp requests in this connection - num_ocsp: count &optional &default=0; - }; - -# add additional information to http info -redef record HTTP::Info += { - ## header length - request_header_len: count &optional &default=0; - response_header_len: count &optional &default=0; - - ## number of OCSP requests so far, copied from connection - num_ocsp: count &optional; - - ## connection start time, copied from connection - conn_start_ts: time &optional; -}; - -# add additional information to ssl info -redef record SSL::Info += { - ## connection start time - conn_start_ts: time &optional; - - ## the time when client hello event happens - client_hello_ts: time &optional; - - ## server hello time - server_hello_ts: time &optional; - - ## the time when ssl connection is established - establish_ts: time &optional; - - ## the time for client change cipher message - client_change_cipher_ts: time &optional; - - ## the time for server change cipher message - server_change_cipher_ts: time &optional; - - ## indexed by ocsp_uri(string), serialNumber(string), issuer - ## name hash(string) - cert_ts: table[string, string, OCSP_SSL_SPLIT::Issuer_Name_Type] of Queue::Queue &optional; - - ## the time for the first encrypted client application data - client_first_encrypt_ts: time &optional; - - ## the time for the first encrypted server application data - server_first_encrypt_ts: time &optional; -}; - -# remove the last '/' -function clean_uri(s: string): string - { - local s_len = |s|; - if ( s_len == 0 ) - return s; - s_len -= 1; - if (s[-1] == "/") - return clean_uri(s[0:s_len]); - else - return s; - } - -event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) - { - if ( ! 
f?$http ) - return; - - # get connection id TODO:TOCHECK - local cid: conn_id; - for ( id in f$conns ) - cid = id; - - # check if there is a OCSP GET request - if ( f$http?$method && f$http$method == "GET" ) - f$conns[cid]$num_ocsp += 1; - } - -event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) - { - if ( ! f?$http ) - return; - - # get connection id TODO:TOCHECK - local cid: conn_id; - for ( id in f$conns ) - cid = id; - - f$conns[cid]$num_ocsp += 1; - } - -event http_reply (c: connection, version: string, code: count, reason: string) - { - if ( ! c?$http ) - return; - if ( ! c$http?$conn_start_ts ) - c$http$conn_start_ts = c$start_time; - } - -event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) - { - if ( ! c?$http ) - return; - if ( ! c$http?$conn_start_ts ) - c$http$conn_start_ts = c$start_time; - } - -# record the header length -event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) - { - if ( ! 
c?$http ) - return; - if ( is_orig ) - c$http$request_header_len = stat$header_length; - else - c$http$response_header_len = stat$header_length; - c$http$num_ocsp = c$num_ocsp; - } - -# add server hello time -event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count)&priority=5 - { - c$ssl$server_hello_ts = network_time(); - } - -# add client hello time and connection start time -event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) - { - c$ssl$client_hello_ts = network_time(); - c$ssl$conn_start_ts = c$start_time; - } - -# add time stamp for server's change cipher message -event ssl_change_cipher_spec(c: connection, is_orig: bool) - { - if ( is_orig ) - c$ssl$client_change_cipher_ts = network_time(); - else - c$ssl$server_change_cipher_ts = network_time(); - } - -# add ssl established time -event ssl_established(c: connection) - { - c$ssl$establish_ts = network_time(); - } - -# add time when first encrypted application data is sent from client -event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count) - { - if ( ! c?$ssl ) - return; - - if ( content_type == SSL::APPLICATION_DATA && length > 0 ) - { - if ( is_orig && ! c$ssl?$client_first_encrypt_ts ) - c$ssl$client_first_encrypt_ts = network_time(); - else if ( ! is_orig && ! 
c$ssl?$server_first_encrypt_ts ) - c$ssl$server_first_encrypt_ts = network_time(); - } - } - -# extract the full ocsp uri from certificate extension -function get_ocsp_uri(s: string): string - { - s = strip(s); - s = to_lower(s); - local parts = split_string(s, /\x0a/); - for (x in parts) - { - local f4c = sub_bytes(parts[x], 0, 4); - if (f4c == "ocsp") - { - local w = split_string(parts[x], /\/\//); - return w[1]; - } - } - return ""; - } - -# create ocsp index if ocsp extension is encountered -# record the time when certificate is received -event x509_extension(f: fa_file, ext: X509::Extension) &priority= -10 { - if ( ! ext?$name || ext$name != "Authority Information Access") - return; - - if ( ! f?$info || ! f$info?$x509 || ! f$info$x509?$handle || ! f$info$x509?$certificate) - return; - - local ocsp_uri: string = clean_uri(get_ocsp_uri(ext$value)); - if ( |ocsp_uri| == 0 ) - return; - - local cert: X509::Certificate = f$info$x509$certificate; - local serial_number: string = cert$serial; - local cert_ref: opaque of x509 = f$info$x509$handle; - - # get connection TODO:TOCHECK - local c: connection; - # there should be only one loop? - for ( id in f$conns ) - c = f$conns[id]; - - if ( ! 
c$ssl?$cert_ts ) - c$ssl$cert_ts = table(); - - local current_ts: time = network_time(); - - local issuer_name: Issuer_Name_Type; - issuer_name$sha1 = x509_issuer_name_hash(cert_ref, "sha1"); - issuer_name$sha224 = x509_issuer_name_hash(cert_ref, "sha224"); - issuer_name$sha256 = x509_issuer_name_hash(cert_ref, "sha256"); - issuer_name$sha384 = x509_issuer_name_hash(cert_ref, "sha384"); - issuer_name$sha512 = x509_issuer_name_hash(cert_ref, "sha512"); - - # if given index is not in record, create a new queue - if ( [ocsp_uri, serial_number, issuer_name] !in c$ssl$cert_ts ) - c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name] = Queue::init(); - - # put the timing information in the queue - Queue::put(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], current_ts); - } - -function clean_bug_host(host: string): string - { - local s: string = host; - s = clean_uri(s); - if ( s[0:7] == "http://" ) - s = s[7:]; - return s; - } - -function clean_bug_uri(uri: string, host: string): string - { - local s: string = uri; - s = clean_uri(s); - if ( s[0:7] == "http://" ) - s = s[7:]; - - if ( |host| > 0 && s[0:|host|] == host ) - s = s[|host|:]; - - return s; - } - -function update_http_info(ocsp: OCSP_SSL_SPLIT::Info_OCSP, http: HTTP::Info) - { - if ( http?$num_ocsp ) - ocsp$num_ocsp = http$num_ocsp; - - if ( http?$method ) - ocsp$method = http$method; - - if ( http?$user_agent ) - ocsp$user_agent = http$user_agent; - - if ( http?$original_uri ) - ocsp$original_uri = http$original_uri; - - local host_str: string = ""; - if ( http?$host ) - host_str = clean_bug_host(http$host); - - local uri_str: string = ""; - if ( http?$uri) - { - if (http?$host) - uri_str = clean_bug_uri(http$uri, host_str); - else - uri_str = clean_bug_uri(http$uri, ""); - } - - if ( http?$host ) - { - ocsp$host = host_str; - ocsp$ocsp_uri = host_str; - } - - if ( http?$uri ) - { - if ( ocsp?$ocsp_uri ) - ocsp$ocsp_uri += uri_str; - else - ocsp$ocsp_uri = uri_str; - } - - if ( http?$method && http$method 
== "GET" && http?$uri_prefix ) - { - if ( |http$uri_prefix| > 0) - ocsp$ocsp_uri = ""; - if ( http?$host ) - ocsp$ocsp_uri = host_str; - if ( |http$uri_prefix| > 0) - ocsp$ocsp_uri += http$uri_prefix; - } - - if ( ocsp?$ocsp_uri ) - ocsp$ocsp_uri = clean_uri(ocsp$ocsp_uri); - - if ( http?$status_code ) - ocsp$http_code = http$status_code; - - if ( http?$request_body_len ) - ocsp$req_size = http$request_body_len; - - if ( http?$request_header_len ) - ocsp$req_hdr_size = http$request_header_len; - - if ( http?$response_body_len ) - ocsp$resp_size = http$response_body_len; - - if ( http?$response_header_len ) - ocsp$resp_hdr_size = http$response_header_len; - } - -function start_log_ocsp(rec: OCSP::Info) - { - local http: HTTP::Info = rec$http; - local info_ocsp_rec: OCSP_SSL_SPLIT::Info_OCSP = [$cid = http$id, - $cuid = http$uid, - $conn_start_ts = http$conn_start_ts]; - - if ( rec?$certId ) - info_ocsp_rec$cert_id = rec$certId; - - if ( rec?$req ) - { - info_ocsp_rec$req = rec$req; - info_ocsp_rec$req_ts = rec$req$ts; - } - - if ( rec?$resp ) - { - info_ocsp_rec$resp = rec$resp; - info_ocsp_rec$resp_ts = rec$resp$ts; - if ( rec$resp?$certs ) - info_ocsp_rec$resp_certs_num = |rec$resp$certs|; - } - - if ( rec?$req && rec?$resp ) - info_ocsp_rec$delay = info_ocsp_rec$resp_ts - info_ocsp_rec$req_ts; - - update_http_info(info_ocsp_rec, http); - - if ( Site::is_private_addr(info_ocsp_rec$cid$orig_h) || !Site::is_local_addr(info_ocsp_rec$cid$orig_h) ) - return; - - Log::write(LOG_OCSP, info_ocsp_rec); - } - -# log OCSP information -event OCSP::log_ocsp(rec: OCSP::Info) - { - start_log_ocsp(rec); - } - -# update ssl info -function update_ssl_info(ssl_rec: OCSP_SSL_SPLIT::Info_SSL, ssl: SSL::Info) - { - if ( ssl?$conn_start_ts ) - ssl_rec$conn_start_ts = ssl$conn_start_ts; - - if ( ssl?$client_hello_ts ) - ssl_rec$client_hello_ts = ssl$client_hello_ts; - - if ( ssl?$client_first_encrypt_ts ) - ssl_rec$client_first_encrypt_ts = ssl$client_first_encrypt_ts; - - if ( 
ssl?$server_first_encrypt_ts ) - ssl_rec$server_first_encrypt_ts = ssl$server_first_encrypt_ts; - - if ( ssl?$server_hello_ts ) - ssl_rec$server_hello_ts = ssl$server_hello_ts; - - if ( ssl?$establish_ts ) - ssl_rec$establish_ts = ssl$establish_ts; - - if ( ssl?$client_change_cipher_ts ) - ssl_rec$client_change_cipher_ts = ssl$client_change_cipher_ts; - - if ( ssl?$server_change_cipher_ts ) - ssl_rec$server_change_cipher_ts = ssl$server_change_cipher_ts; - } - -# convert all the elements in the queue to a formatted string -function convert_time_q2str(q: Queue::Queue, sep: string): string - { - local s = ""; - local elem: vector of time = vector(); - Queue::get_vector(q, elem); - for ( i in elem ) - { - s += fmt("%f",elem[i]); - if ( i != (|elem| - 1)) - s += sep; - } - return s; - } - -# log SSL information when ssl connection is removed -event connection_state_remove(c: connection) &priority= -20 - { - if ( ! c?$ssl || ! c$ssl?$cert_ts ) - return; - - for ( [ocsp_uri, serial_number, issuer_name] in c$ssl$cert_ts ) - { - local ssl_info_rec: OCSP_SSL_SPLIT::Info_SSL = [$id = c$id, - $uid = c$uid, - $end_ts = network_time()]; - ssl_info_rec$ocsp_uri = ocsp_uri; - ssl_info_rec$serial_number = serial_number; - ssl_info_rec$issuer_name = issuer_name; - local cert_recv_ts_str:string = convert_time_q2str(c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name], ","); - if (|cert_recv_ts_str| > 0) - ssl_info_rec$cert_recv_ts = cert_recv_ts_str; - update_ssl_info(ssl_info_rec, c$ssl); - - if ( Site::is_private_addr(ssl_info_rec$id$orig_h) || !Site::is_local_addr(ssl_info_rec$id$orig_h) ) - return; - - Log::write(LOG_SSL, ssl_info_rec); - #delete c$ssl$cert_ts[ocsp_uri, serial_number, issuer_name]; - } - clear_table(c$ssl$cert_ts); - } - -event bro_init() - { - Log::create_stream(LOG_OCSP, [$columns=Info_OCSP, $path="ocsp-to-match"]); - Log::create_stream(LOG_SSL, [$columns=Info_SSL, $path="ssl-to-match"]); - } 
From 832f6d34b4beb7548ef56a97b02f5f427da75f0c Mon Sep 17 00:00:00 2001 From: "John E. Rollinson" Date: Sun, 29 Jan 2017 09:39:12 +0900 Subject: [PATCH 046/631] Add ciphertext to ticket data structures --- scripts/base/init-bare.bro | 2 ++ src/analyzer/protocol/krb/krb-types.pac | 1 + 2 files changed, 3 insertions(+) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index ffee527bb7..b5bf5d298d 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -3955,6 +3955,8 @@ export { service_name : string; ## Cipher the ticket was encrypted with cipher : count; + ## Cipher text of the ticket + ciphertext : string &optional; }; type KRB::Ticket_Vector: vector of KRB::Ticket; diff --git a/src/analyzer/protocol/krb/krb-types.pac b/src/analyzer/protocol/krb/krb-types.pac index a5b2eb1041..bb2bfba3e8 100644 --- a/src/analyzer/protocol/krb/krb-types.pac +++ b/src/analyzer/protocol/krb/krb-types.pac @@ -95,6 +95,7 @@ RecordVal* proc_ticket(const KRB_Ticket* ticket) rv->Assign(1, bytestring_to_val(ticket->realm()->data()->content())); rv->Assign(2, GetStringFromPrincipalName(ticket->sname())); rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->data()->etype()->data(), TYPE_COUNT)); + rv->Assign(4, bytestring_to_val(ticket->enc_part()->data()->ciphertext())); return rv; } From 68e3f0d96ac404a2abdcc4f975b4d9ce088b0eca Mon Sep 17 00:00:00 2001 From: "John E. Rollinson" Date: Sun, 29 Jan 2017 09:39:40 +0900 Subject: [PATCH 047/631] Ensure TGS req does not stomp out AP data --- scripts/base/protocols/krb/main.bro | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/scripts/base/protocols/krb/main.bro b/scripts/base/protocols/krb/main.bro index 13200a559e..fc6abc5bff 100644 --- a/scripts/base/protocols/krb/main.bro +++ b/scripts/base/protocols/krb/main.bro 
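Review bot: The doc comment on the new `ciphertext` field of `KRB::Ticket` in init-bare.bro does not say that it holds the raw encrypted ticket bytes, nor that it appears to be left without `&log` on purpose. Because the value is the encrypted ticket itself, a later `&log` on this field or on a record embedding it would write ticket material into the logs. I would extend the comment to `## Raw encrypted ticket bytes (enc-part ciphertext). Not logged; scripts should record a digest instead.` The enclosing record starts before the hunk.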
@@ -164,9 +164,16 @@ event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5 return; local info: Info; - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; + + if ( !c?$krb ) + { + info$ts = network_time(); + info$uid = c$uid; + info$id = c$id; + } + else + info = c$krb; + info$request_type = "TGS"; info$service = msg$service_name; if ( msg?$from ) info$from = msg$from; From 7caf5071631ce69620c462826d99e367f0140354 Mon Sep 17 00:00:00 2001 From: "John E. Rollinson" Date: Sun, 29 Jan 2017 09:40:11 +0900 Subject: [PATCH 048/631] Add script to log ticket hashes in krb log --- .../policy/protocols/krb/ticket-logging.bro | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 scripts/policy/protocols/krb/ticket-logging.bro diff --git a/scripts/policy/protocols/krb/ticket-logging.bro b/scripts/policy/protocols/krb/ticket-logging.bro new file mode 100644 index 0000000000..e254b6dc26 --- /dev/null +++ b/scripts/policy/protocols/krb/ticket-logging.bro 
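Review bot: The new `else info = c$krb;` branch in `krb_tgs_request` has no comment saying which handler is expected to have created `c$krb` already, and nothing visible in this hunk creates it before a TGS request. Judging from the commit subject, the intent is to keep what an earlier AP-request handler stored, so I would add `# Reuse the record started by an earlier krb_ap_request handler so its fields are not overwritten.` above `if ( !c?$krb )`. In the reuse case `ts`, `uid` and `id` keep the values set by that earlier handler rather than the time of the TGS request; presumably that is intended, but the comment should say so. The handler starts and ends outside the hunk.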
@@ -0,0 +1,43 @@
+module KRB;
+
+redef record Info += {
+ ## Hash of ticket used to authorize request/transaction
+ auth_ticket: string &log &optional;
+ ## Hash of ticket returned by the KDC
+ new_ticket: string &log &optional;
+};
+
+event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options)
+ {
+ if ( c?$krb && c$krb$logged )
+ return;
+
+ local info: Info;
+
+ if ( !c?$krb )
+ {
+ info$ts = network_time();
+ info$uid = c$uid;
+ info$id = c$id;
+ }
+ else
+ info = c$krb;
+
+ info$request_type = "AP"; # Will be overwritten when request is a TGS
+ if ( ticket?$ciphertext )
+ info$auth_ticket = md5_hash(ticket$ciphertext);
+
+ c$krb = info;
+ }
+
+event krb_as_response(c: connection, msg: KDC_Response)
+ {
+ if ( msg$ticket?$ciphertext )
+ c$krb$new_ticket = md5_hash(msg$ticket$ciphertext);
+ }
+
+event krb_tgs_response(c: connection, msg: KDC_Response)
+ {
+ if ( msg$ticket?$ciphertext )
+ c$krb$new_ticket = md5_hash(msg$ticket$ciphertext);
+ }
\ No newline at end of file
From 7feaf4499f5fef5e465957c01f148ec12ead826a Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 30 Jan 2017 15:13:56 -0800 Subject: [PATCH 049/631] Fix layer 2 connection flipping. If connection flipping occured in Sessions.cc code (invoked e.g. when the original SYN is missing), layer 2 flipping was not performed. This change switches to always use the connection flipping code in Conn.cc which performs the switch correctly. --- src/Sessions.cc | 19 +------------------ .../btest/Baseline/core.history-flip/conn.log | 10 +++++----- .../all-events.log | 8 ++++---- testing/btest/core/history-flip.bro | 2 ++ 4 files changed, 12 insertions(+), 27 deletions(-)
diff --git a/src/Sessions.cc b/src/Sessions.cc
index 9361b7cde2..e2a5fba489 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
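Review bot: `krb_as_response` and `krb_tgs_response` write `c$krb$new_ticket` without checking `c?$krb`, whereas `krb_ap_request` in the same file guards every access to it. Neither handler declares a priority, so both rely on some other handler having created `c$krb` first. If that does not hold for a response, for example one seen without its request, the assignment raises a run-time error and the ticket hash is not recorded. I would guard both handlers with `if ( c?$krb && msg$ticket?$ciphertext )`.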
@@ -1212,28 +1212,11 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id, if ( ! WantConnection(src_h, dst_h, tproto, flags, flip) ) return 0; - ConnID flip_id = *id; - - if ( flip ) - { - // Make a guess that we're seeing the tail half of - // an analyzable connection. - const IPAddr ta = flip_id.src_addr; - flip_id.src_addr = flip_id.dst_addr; - flip_id.dst_addr = ta; - - uint32 t = flip_id.src_port; - flip_id.src_port = flip_id.dst_port; - flip_id.dst_port = t; - - id = &flip_id; - } - Connection* conn = new Connection(this, k, t, id, flow_label, pkt, encapsulation); conn->SetTransport(tproto); if ( flip ) - conn->AddHistory('^'); + conn->FlipRoles(); if ( ! analyzer_mgr->BuildInitialAnalyzerTree(conn) ) { diff --git a/testing/btest/Baseline/core.history-flip/conn.log b/testing/btest/Baseline/core.history-flip/conn.log index b04a28b1cb..4c22a6484b 100644 --- a/testing/btest/Baseline/core.history-flip/conn.log +++ b/testing/btest/Baseline/core.history-flip/conn.log 
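Review bot: The `if ( flip )` branch in `NetSessions::NewConn` lost its explanation when the `flip_id` block was removed, so nothing here says why a brand-new connection has its roles swapped. I would carry the removed comment over and mention the layer 2 aspect: `// Probably the tail half of a connection whose start we missed; FlipRoles() swaps the endpoints, including their layer 2 addresses.` The connection is now constructed with the unflipped `id` and flipped afterwards, so anything the constructor derives from `id`, `flow_label` or `pkt` has to be swapped by `FlipRoles()` in Conn.cc, which is not part of this hunk. `NewConn` starts and ends outside the hunk.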
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-17-58-11 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents -#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 (empty) -#close 2016-07-13-17-58-11 +#open 2017-01-30-23-13-15 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_l2_addr resp_l2_addr +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string +1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 (empty) 00:d0:03:3b:f4:00 00:b0:c2:86:ec:00 +#close 2017-01-30-23-13-15 diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log index 22a652ac37..a42b891e6a 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log 
@@ -743,10 +743,10 @@ [5] cont_resp: bool = F 1437831798.533593 new_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.0, service={\x0a\x0a}, history=^, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.0, service={\x0a\x0a}, history=^, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831798.533765 partial_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.000172, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, 
inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000172, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831799.262632 new_connection [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.0, service={\x0a\x0a}, history=, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 
@@ -1013,10 +1013,10 @@ [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=17, num_bytes_ip=1865, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.05732, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.914113, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=1, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] 1437831800.217854 connection_pending - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, 
radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, 
uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_pending [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, 
certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], 
san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, 
short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] diff --git a/testing/btest/core/history-flip.bro b/testing/btest/core/history-flip.bro index f34767eee8..e9769d99b5 100644 --- a/testing/btest/core/history-flip.bro +++ b/testing/btest/core/history-flip.bro @@ -1,2 +1,4 @@ # @TEST-EXEC: bro -C -r $TRACES/tcp/missing-syn.pcap %INPUT # @TEST-EXEC: btest-diff conn.log + +@load policy/protocols/conn/mac-logging From 9370db8980e64b1b9e7b679ccd3ed676ea197abb Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 2 Feb 2017 11:58:38 -0600 Subject: [PATCH 050/631] Add tests for the to_json() function --- .../Baseline/scripts.base.utils.json/output | 39 ++++++ testing/btest/scripts/base/utils/json.test | 122 ++++++++++++++++++ 2 files changed, 161 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.utils.json/output create mode 100644 testing/btest/scripts/base/utils/json.test diff --git a/testing/btest/Baseline/scripts.base.utils.json/output b/testing/btest/Baseline/scripts.base.utils.json/output new file mode 100644 index 0000000000..a1f6875417 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.utils.json/output 
@@ -0,0 +1,39 @@ +T +123 +-999 +1.123457 +-1.123456e+308 +0 +1.0 +"" +"hello" +"" +65535 +1 +123 +0 +"1.2.3.4" +"ffff:1234::1" +"123.123.123.123" +"192.0.0.0/8" +"fe80::/64" +Red +{"s": "test", "c": 100} +{"s": "test"} +{"s": "test"} +{"m": {"s": "test"}} +[] +[2, 1] +["1.2.3.4"] +[[T, F]] +[{"s": "test"}] +[] +[2, 1] +["1.2.3.4"] +[{"s": "test"}] +[{"s": "test"}] +{} +{"2": "10.2.2.2", "1": "10.1.1.1"} +{"10.1.1.1": {"a": 1}, "10.2.2.2": {"b": 2}} +{"10.1.1.1": [1, 2], "10.2.2.2": [3, 5]} +{"1": {"s": "test"}} diff --git a/testing/btest/scripts/base/utils/json.test b/testing/btest/scripts/base/utils/json.test new file mode 100644 index 0000000000..369ba0ebb7 --- /dev/null +++ b/testing/btest/scripts/base/utils/json.test 
@@ -0,0 +1,122 @@
+# Test the to_json() function on every basic data type. For container types,
+# test with no elements, with one element, and with more than one element.
+# Test that the "only_loggable" option works (output only record fields with
+# the &log attribute).
+# @TEST-EXEC: bro %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+type color: enum { Red, White, Blue };
+
+type myrec1: record {
+ c: count &optional;
+ s: string &log;
+};
+
+type myrec2: record {
+ m: myrec1 &log;
+};
+
+event bro_init()
+ {
+ # #####################################
+ # Test the basic (non-container) types:
+
+ local b: bool = T;
+ print to_json(b);
+
+ local c: count = 123;
+ print to_json(c);
+
+ local i: int = -999;
+ print to_json(i);
+
+ local d1: double = 1.123456789;
+ local d2: double = -1.123456e308;
+ local d3: double = 9.876543e-308;
+ print to_json(d1);
+ print to_json(d2);
+ print to_json(d3);
+
+ local t: time = double_to_time(1.0);
+ print to_json(t);
+
+ local ti: interval = -12hr;
+ print to_json(ti);
+
+ local s1: string = "hello";
+ local s2: string = "";
+ print to_json(s1);
+ print to_json(s2);
+
+ local p1: port = 65535/tcp;
+ local p2: port = 1/udp;
+ local p3: port = 123/icmp;
+ local p4: port = 0/unknown;
+ print to_json(p1);
+ print to_json(p2);
+ print to_json(p3);
+ print to_json(p4);
+
+ local a1: addr = 1.2.3.4;
+ local a2: addr = [ffff:1234::1];
+ local a3: addr = [::ffff:123.123.123.123];
+ print to_json(a1);
+ print to_json(a2);
+ print to_json(a3);
+
+ local su1: subnet = 192.0.0.0/8;
+ local su2: subnet = [fe80::]/64;
+ print to_json(su1);
+ print to_json(su2);
+
+ local e: color = Red;
+ print to_json(e);
+
+ # #########################
+ # Test the container types:
+
+ # Records
+ local re1 = myrec1($c=100, $s="test");
+ local re2 = myrec1($s="test");
+ local re3 = myrec2($m=myrec1($c=15, $s="test"));
+ print to_json(re1);
+ print to_json(re1, T);
+ print to_json(re2);
+ print to_json(re3, T);
+
+ # Vectors
+ local ve1: vector of count 
= vector();
+ local ve2: vector of count = vector(2, 1);
+ local ve3: vector of addr = vector(1.2.3.4);
+ local ve4: vector of set[bool] = vector(set(T, F));
+ local ve5: vector of myrec1 = vector(myrec1($s="test", $c=2));
+ print to_json(ve1);
+ print to_json(ve2);
+ print to_json(ve3);
+ print to_json(ve4);
+ print to_json(ve5, T);
+
+ # Sets
+ local st1: set[count] = set();
+ local st2: set[count] = set(2, 1);
+ local st3: set[addr] = set(1.2.3.4);
+ local st4: set[myrec1] = set(myrec1($s="test"));
+ local st5: set[myrec1] = set(myrec1($s="test", $c=2));
+ print to_json(st1);
+ print to_json(st2);
+ print to_json(st3);
+ print to_json(st4);
+ print to_json(st5, T);
+
+ # Tables
+ local ta1: table[count] of addr = table();
+ local ta2: table[count] of addr = {[1] = 10.1.1.1, [2] = 10.2.2.2};
+ local ta3: table[addr] of table[string] of count = {[10.1.1.1] = table(["a"] = 1), [10.2.2.2] = table(["b"] = 2)};
+ local ta4: table[addr] of vector of count = {[10.1.1.1] = vector(1, 2), [10.2.2.2] = vector(3, 5)};
+ local ta5: table[count] of myrec1 = {[1] = myrec1($s="test", $c=2)};
+ print to_json(ta1);
+ print to_json(ta2);
+ print to_json(ta3);
+ print to_json(ta4);
+ print to_json(ta5, T);
+ }
From 65d6e5a4f724842b7f5357435ec14b5c9de9d654 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 2 Feb 2017 12:09:40 -0600 Subject: [PATCH 051/631] Fix the to_json() function for bool, enum, and interval types --- scripts/base/utils/json.bro | 12 ++++++++---- .../btest/Baseline/scripts.base.utils.json/output | 8 ++++---- 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/scripts/base/utils/json.bro b/scripts/base/utils/json.bro
index b6d0093b58..5b66f3ad02 100644
--- a/scripts/base/utils/json.bro
+++ b/scripts/base/utils/json.bro
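Review bot: The string cases in json.test cover only `"hello"` and `""`, so nothing exercises how to_json() renders a string that contains a double quote, a backslash or a control character. Values passed to to_json() often come from network traffic, and an unescaped quote in such a value would change the structure of the emitted JSON for whatever consumes it; to_json()'s body is not part of this hunk, so whether it escapes is not visible here. I would add a constructed case such as `local s3: string = "a\"b\\c";` followed by `print to_json(s3);` and pin the escaped form in the baseline. The same gap applies to strings used as table keys and as record field values.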
@@ -25,6 +25,10 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p case "port": return cat(port_to_count(to_port(cat(v)))); + case "enum": + fallthrough; + case "interval": + fallthrough; case "addr": fallthrough; case "subnet": @@ -37,12 +41,12 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p case "time": fallthrough; case "double": - fallthrough; - case "bool": - fallthrough; - case "enum": return cat(v); + case "bool": + local bval: bool = v; + return bval ? "true" : "false"; + default: break; } diff --git a/testing/btest/Baseline/scripts.base.utils.json/output b/testing/btest/Baseline/scripts.base.utils.json/output index a1f6875417..f7a16cb2bb 100644 --- a/testing/btest/Baseline/scripts.base.utils.json/output +++ b/testing/btest/Baseline/scripts.base.utils.json/output @@ -1,11 +1,11 @@ -T +true 123 -999 1.123457 -1.123456e+308 0 1.0 -"" +"-12.0 hrs" "hello" "" 65535 @@ -17,7 +17,7 @@ T "123.123.123.123" "192.0.0.0/8" "fe80::/64" -Red +"Red" {"s": "test", "c": 100} {"s": "test"} {"s": "test"} @@ -25,7 +25,7 @@ Red [] [2, 1] ["1.2.3.4"] -[[T, F]] +[[true, false]] [{"s": "test"}] [] [2, 1] From 6812a7febeb019277dc889792f54fe6a821f7f7d Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 2 Feb 2017 13:03:05 -0600 Subject: [PATCH 052/631] Fix to_json() to not lose precision for values of type double Also changed a few values in the tests for better numerical diversity. --- scripts/base/utils/json.bro | 5 +++-- testing/btest/Baseline/scripts.base.utils.json/output | 8 ++++---- testing/btest/scripts/base/utils/json.test | 8 ++++---- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/scripts/base/utils/json.bro b/scripts/base/utils/json.bro index 5b66f3ad02..05dcff1e27 100644 --- a/scripts/base/utils/json.bro +++ b/scripts/base/utils/json.bro 
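Review bot: In the first json.bro hunk `case "interval":` now falls through with `addr` and `subnet`, so an interval is emitted as a quoted display string (the updated baseline shows `"-12.0 hrs"`) rather than as a number. A consumer then has to parse unit text, and as far as I recall Bro's JSON log writer emits intervals as a number of seconds, so the two JSON paths would disagree; that is worth confirming before this ships. If the string form is intended, say so above the case, e.g. `# Intervals are rendered as a quoted display string (e.g. "-12.0 hrs"), not as seconds.` The return statement these cases fall through to lies outside the hunk.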
@@ -39,10 +39,11 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p case "count": fallthrough; case "time": - fallthrough; - case "double": return cat(v); + case "double": + return fmt("%.16g", v); + case "bool": local bval: bool = v; return bval ? "true" : "false"; diff --git a/testing/btest/Baseline/scripts.base.utils.json/output b/testing/btest/Baseline/scripts.base.utils.json/output index f7a16cb2bb..43513e43f9 100644 --- a/testing/btest/Baseline/scripts.base.utils.json/output +++ b/testing/btest/Baseline/scripts.base.utils.json/output @@ -1,10 +1,10 @@ true 123 -999 -1.123457 --1.123456e+308 -0 -1.0 +3.14 +-1.23456789e+308 +9e-308 +1480788576.868945 "-12.0 hrs" "hello" "" diff --git a/testing/btest/scripts/base/utils/json.test b/testing/btest/scripts/base/utils/json.test index 369ba0ebb7..264151136a 100644 --- a/testing/btest/scripts/base/utils/json.test +++ b/testing/btest/scripts/base/utils/json.test @@ -30,14 +30,14 @@ event bro_init() local i: int = -999; print to_json(i); - local d1: double = 1.123456789; - local d2: double = -1.123456e308; - local d3: double = 9.876543e-308; + local d1: double = 3.14; + local d2: double = -1.23456789e308; + local d3: double = 9e-308; print to_json(d1); print to_json(d2); print to_json(d3); - local t: time = double_to_time(1.0); + local t: time = double_to_time(1480788576.868945); print to_json(t); local ti: interval = -12hr; From 3882ba6fbfdbdc2d25ab6cee6401de2e0684acce Mon Sep 17 00:00:00 2001 
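Review bot: `fmt("%.16g", v)` in the new `case "double":` still cannot reproduce every double exactly, because 17 significant digits are needed for a guaranteed round trip; some values are therefore still rounded despite the commit title. `%.17g` would round-trip but prints 3.14 as 3.1400000000000001, so the choice deserves a comment on the case, e.g. `# 16 digits keeps short literals short; values that need 17 digits are rounded.` The same branch would presumably print non-finite values as `nan` or `inf`, which are not valid JSON tokens, and the tests changed here use only finite doubles. `time` still goes through `cat(v)`, whose precision is not shown in this hunk.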
From: Johanna Amann Date: Fri, 3 Feb 2017 11:23:49 -0800 Subject: [PATCH 053/631] Add support for the signed_certificate_timestamp TLS extension. --- src/analyzer/protocol/ssl/events.bif | 23 +++++++++++++++++- .../protocol/ssl/tls-handshake-analyzer.pac | 22 ++++++++++++++++- .../protocol/ssl/tls-handshake-protocol.pac | 20 +++++++++++++++ .../.stdout | 3 +++ .../tls/signed_certificate_timestamp.pcap | Bin 0 -> 36501 bytes .../ssl/signed_certificate_timestamp.test | 7 ++++++ 6 files changed, 73 insertions(+), 2 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout create mode 100644 testing/btest/Traces/tls/signed_certificate_timestamp.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 2855dd7fe9..3fb565b8aa 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -192,7 +192,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## the initial handshake. It contains the list of client supported application ## protocols by the client or the server, respectively. ## -## At the moment it is mostly used to negotiate the use of SPDY / HTTP2-drafts. +## At the moment it is mostly used to negotiate the use of SPDY / HTTP2. ## ## c: The connection. ## 
@@ -225,6 +225,27 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or ## ssl_extension_key_share event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%); +## Generated for the signed_certificate_timestamp TLS extension as defined in +## :rfc:`6962`. The extension is used to transmit signed proofs that are +## used for Certificate Transparency. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## version: the version of the protocol to which the SCT conforms. Always +## should be 0 (representing version 1) +## +## logid: 32 bit key id +## +## timestamp: the current NTP Time +## +## signature_and_hashalgorithm: signature and hash algorithm used for the +## digitally_signed struct +## +## signature: signature part of the digitally_signed struct +event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); + ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with ## an unencrypted handshake, and Bro extracts as much information out of that ## as it can. This event signals the time when an SSL/TLS has finished the diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index a4f4f94c6f..7f4eb2ba3c 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac 
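Review bot: The `logid` line documents a `32 bit key id`, but the parser added in tls-handshake-protocol.pac reads `logid: bytestring &length=32`, which is 32 bytes. I would change it to `## logid: 32-byte ID of the log that issued the SCT.` The `timestamp` line could also state the unit: the wire value is a 64-bit count that the analyzer divides by 1000 (`((double)timestamp)/1000` in tls-handshake-analyzer.pac) before passing it as a `time`. Script authors match these fields against known Certificate Transparency logs, so the documented size and unit need to agree with what the parser delivers.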
@@ -231,6 +231,24 @@ refine connection Handshake_Conn += { return true; %} + function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool + %{ + RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); + ha->Assign(0, new Val(digitally_signed_algorithms->HashAlgorithm(), TYPE_COUNT)); + ha->Assign(1, new Val(digitally_signed_algorithms->SignatureAlgorithm(), TYPE_COUNT)); + + BifEvent::generate_ssl_extension_signed_certificate_timestamp(bro_analyzer(), + bro_analyzer()->Conn(), ${rec.is_orig}, + version, + new StringVal(logid.length(), reinterpret_cast(logid.begin())), + ((double)timestamp)/1000, + ha, + new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin())) + ); + + return true; + %} + function proc_dh_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool %{ BifEvent::generate_ssl_dh_server_params(bro_analyzer(), @@ -251,7 +269,6 @@ refine connection Handshake_Conn += { return true; %} - }; refine typeattr ClientHello += &let { @@ -333,3 +350,6 @@ refine typeattr Handshake += &let { proc : bool = $context.connection.proc_handshake(rec.is_orig, rec.msg_type, rec.msg_length); }; +refine typeattr SignedCertificateTimestamp += &let { + proc : bool = $context.connection.proc_signedcertificatetimestamp(rec, version, logid, timestamp, digitally_signed_algorithms, digitally_signed_signature); +}; diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index da01a27f1d..65da41e0db 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac 
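Review bot: `proc_signedcertificatetimestamp` raises the event for any `version` byte, while the `SignedCertificateTimestamp` record in tls-handshake-protocol.pac always applies one layout (32-byte logid, 64-bit timestamp, extensions, signature) and the events.bif text says the value should always be 0. For an SCT carrying another version the handler would receive fields cut by the wrong layout, from data the peer controls. Either gate the event at the top of the function, `if ( version != 0 ) return true;`, or state in the event documentation that handlers must check `version` before relying on the other fields.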
@@ -485,11 +485,31 @@ type SSLExtension(rec: HandshakeRecord) = record { # EXT_STATUS_REQUEST -> status_request: StatusRequest(rec)[] &until($element == 0 || $element != 0); EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0); EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0); + EXT_SIGNED_CERTIFICATE_TIMESTAMP -> certificate_timestamp: SignedCertificateTimestampList(rec)[] &until($element == 0 || $element != 0); EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0); default -> data: bytestring &restofdata; }; } &length=data_len+4 &exportsourcedata; +type SignedCertificateTimestampList(rec: HandshakeRecord) = record { + length: uint16; + SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0); +} &length=length+2; + +type SignedCertificateTimestamp(rec: HandshakeRecord) = record { + # before - framing + length: uint16; + # from here: SignedCertificateTimestamp + version: uint8; + logid: bytestring &length=32; + timestamp: uint64; + extensions_length: uint16; # extensions are not actually defined yet, so we cannot parse them + extensions: bytestring &length=extensions_length; + digitally_signed_algorithms: SignatureAndHashAlgorithm; + digitally_signed_signature_length: uint16; + digitally_signed_signature: bytestring &length=digitally_signed_signature_length; +} &length=length+2; + type ServerNameHostName() = record { length: uint16; host_name: bytestring &length=length; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout new file mode 100644 index 0000000000..abed68df42 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout 
@@ -0,0 +1,3 @@ +0, 1406997753.366, [HashAlgorithm=4, SignatureAlgorithm=3] +0, 1407002457.456, [HashAlgorithm=4, SignatureAlgorithm=3] +0, 1410299366.023, [HashAlgorithm=4, SignatureAlgorithm=3] 
diff --git a/testing/btest/Traces/tls/signed_certificate_timestamp.pcap b/testing/btest/Traces/tls/signed_certificate_timestamp.pcap new file mode 100644 index 0000000000000000000000000000000000000000..50efed9cea5db93fddffb4cdb338f03479625b98 GIT binary patch literal 36501 zcmd?QWmH_t*6-bodvGVXTjTET5L`lV3GN!)B{;!@yL)hgI|L67fe@S!+-{S-v(L`i z=Q+>&&yFhyj5C z*+t*Q+{MrZ8Z8+u9>pBR=)&m21Y`g*0n7jn00LO90v{g$cmyASUmJh|Kmq{Z9W9-m zO&ytB%>g*zYvka948R1SLqWnpK>?v5;h>>`a4;}H2p|9&0R8hh06O?4)ThTGELh>*Y0o`TExT21%{cvT8Q7Kfy zmy*(Syy9oD07mdbK=31o2&JXI=#Y?*5RgCs0{9OOtU&~>7B2V?3S57Ph=?amEWi%f z)c*sYC%3|jg#OD>|1kvEw<4Z~0MP#5h5*l{rogEmDqz3n>mP0fcG5bIjwrP!MMALR zCN$t@`FBO=nXSkt#oO`!NzrZKcSUSSNMJYERofvUjU?ZG^AE_n2gta;v4kZ=-58#Q zI^uTNd5&F8o<1Pd3Fu-50F$2j?GFz`1VBLoz;6EJbKv>_(1DgfbASsV{{wt%J+2mJ zXe&nUsJT4?KSv7GHNjf*mfIN0Ao4OQxB^n|Qjf5~oPY#Kg2W+62;~A^CfS_!W3_;?gMqulkQ~d_5ZRaeQ`JEa5WyBX$${6$?c0A8M zW#OIxTmcprDObcM0Uf+iM;~a26wNcdBSQLF8AeT%TK1+o$opA#}3W!0cF;P(xpN+ybBCi!oV1qsr zQ_opE8tZf5h+C1FLIm4Al51~r88>Lz5Va&O+sHD@d*<`1+HoNe(CZcMS$sbNwkxe? 
z5)t|@yR_kR)vD8}1GdrvlS#>t<;UokrR~6C1ir@c2ap!2dOP!M%vOfCxaH0iaF+pv6G}(88bqD4J|Y z2p|Lms+Yl7ik7U#K?bQrFOu372!sp+PZuH`a)}HCB0>W|{;@2GAb1!^bto7N2q{q( z0ubKQ2^4~|B?k8#{{AOaSNidos*@rrK_o`syqui2=$LD{R^F-03g}l8wCgrfD8aW1Awn1 zKm>r{){>+}!<`N(F(!JB7>Ej>h%f9zMqdo~GAG&q3`1jB*tXT}H9OTa_2o zyHi3X*#;i?fdi>Ww~`|zuEsdWjhy`G6m|1$Q`J*8e*N$8!jiEpx+ zQXsI(0JrCQNYrHe?ZJ0)HpItp&Wr7d3-~N5B~WD}5o-=aQ-y&Cx@;TwBpaMU;0S;F z>!c^51M>oabKn;F^t0iK$f0mS*nXI?Rj+vybr2U~_s}(**2L<0X+D1i5rG?+2n7lo z3bV;@e1w96gn-TlAwAuW@pKLW0{rnXB@{LY z69$eR1_%ue3km$|2m+-1bTbK*3`h#Z2ZIE@0SZ{l0uFDGP#}5`?XMdlfY?M&k=kr+w=BnOhomdch05qo+P{GhR; z^`B1}8$KN{|KY=67yiTL{^h`b`0pR?D<;AOeh}mz{HrcNAe0Bl4W#tz90c(<3(o(G zg(u<@{deL={UrX_@5F~){1ro}p9lm_&VI#^UxV%+b#?|({8dF@2=1SaU}x-P|63hF z)BSGCaGkSS&4Jt2L(xp|fxT zuKnIK^+Z{{<%Wmn7TPK%xWQ6!TF{h)B70tbe5b@=0FtaU`rI;Y=PXe78^E%+%L3t` z3ZK8|P(qc2n0-SmK&KAKT^icdeDav7P9#AAwdd2r0`Y9>ScTEeEU!2hRGQ z^`(iFcTXqZdS`sGRJX!%G^~RZE)_%B7=Xv#M>C=q1|m<5JIU2$K+xPl-lev*qfh#& zw3&Ph8Z=tS6O<9wW_l*uy+s#JYs?7S zr9AH_*uS?L(i512|9=DX(^&ZlX0pG5SM73 zRvr*53(GGW|6dqD{x_n({Rn}#k*%G-&&?6da1WfEmgzDXKs17uz~(K^?m~j_B^q7o z&9QNV%zGAcy#NMc6h(44JFai~RuH*L{$q8Mg#HU=_El*LlX{U# zz`M&1^VO_L&mvVnKJSY2WOciDQV8C`k!0_p>w?ykH7D(H4U%Jy7-17Kb6SR{#=O4u z(xuUm#wpmvD^V7F_vBciT9z!BEZ63UdQ^-PQx?)rcy6sidZdL}_TZxIE+}737=m$Q zmD0A(m-syR#WG|91+MJ~wTi@!{VJtcKJtca!C|A%;F!%36A`u3%Vi0WU+Gq@2x3*c zcg_1_95aob zwfOO^g_H)+(gusq8@P^9CHk!w*Y%UA>h>%0J{vq+xC zby2|r5IBdeYz%NiiP3z+zF&l%c_~G0Fn7z%XYH7qcqNLzc4!9^CGimkQ2J$ed9h)` z$^GDhe0gfc`YnD;!Je9Ta#PQP`rBw3{X3J^3BmT{eao@Vb?H;10Mu6 z5BrG|p_66tkf6E9lCTbV^Y0s^}Kzzc|}YWQ}-!*olBR7 zk7XN0lToL+!lPWD#0O388r{ZcjySRPsK= zuCpc9{*#7Vu>0{IWeLu>vSSp0w{&aCnEm|~j012pfMn*uuDu2T?GDcToxz#E-k$-6 z+U!VUU*_y>*}Q%3UC`=pN$yjCvHM$mQI+_WFe6|f{&I2>5m6Q@a9;2;(}Ka^#X<%mdAbi01Mi>rfu{s7?ChMMA_+K#aIk?`K;v`hQKt3xN2ot$t1jAf6@!5a0;`c<{#Us>Odo(5NX#rda8l5I1*DrRU0fLv9an zXj5J5y`e*ok@H2>Xn$|-*ktHCB=-!bNMNfP%JAqB?cKnS5J7|+LA~pQ9d^$}OslUM zb-~#Io~~66vGWJ_$Tu0*H*3`aKQMi+J9-P5m3&iu8}7`-9NUoqbK(0|4AX}(DTJ71 
zKHFQicMHW|;we6hSs68}-|uy|SvN+Wp+u*BNw>C4y>gcZNz7JkAoEKY+_5IBP`8=) z3^O%a?MV&{kYv{oo32X3wd5<7d=Hf53fkWt^_LbiS9GLH*K3z2po!2U^QtdPSv*=- z3G9KFRJ0LHy-C9P?9HYr!XK@2h}fuC#bAuTra36o_U&bFdX+@#W}Xg3eM^akz=U1t zql{L^N%7;4=8A7zw=K;-5P7e6#YCTnF9eNXoG!L*gc~$R(P)%o5@jHKb=aRkSrI5n z&XI2CzpQFNCX??%^FPqwyO_@1)NQJTB72eKm+(YHlK-9qzx|m5kNi$V^uN|oY`}|+ zf9AjqPwOa_yKm)9PvamN?VTa^BF(XAEnh&i&aWxIR+sF|&Z9B(wV&+CEoC4rl^UnX zfRS+R48WzXpRKGPQQoooAs^xZ`c}Ax9kRagD7R6Z9;Z3n6T z5s>|Vfc#H?3&$1hDW2^0RF^lsRBFeN?dudHYWRN($Nw=}|9d!o_7pyUPOzXskl=6( zLVLPE0)+qqhvz?ot@zU=VkiL+ABZQLE1M&P?XO5^&E(<)&J3S|-p^^!ui^cR0%9Uh zWBX@l<@gm!!J(BFL=B?+bq)fC;Qf6@@tfkm<-I>=3nra`r?1k2C&!v|Xf=^{buOpA z34V8lvORra-};>YQ32Wc^{9UU<#bOr-AnoNmdG5NUNv}^fh}s3mq8v}!WeGn_2q<< zd}TQ3bI0tsKJ?!_rpq)Xkg8~ICYQFAlfqipf;BDQ#4o%UcJl8eJlkouHA920d!ESX z8SK7-IFmer>+#;KL*=#uFX=#>VFMtJfdGhoFn7L!*MGAE zAlAW$%P{bNOpHO`Rt|s|178{fr*Sp8;0gDCO3!egv4U8*KrAdQ;G~_6om&Tda}c=r zfn>nTKG5_ikP!IL04Pk)4Z+>)UOI+)nvt)C(2{tpY9v*JJ3l>7kyu#%1T*CmcW z4d(;^5y6IG!37cq;pgOi&I7!I0OkJ!%KsE_{QubM;otrK*DN`59~SieF`qhR@N%L^ zMCg@5&Uv{l3y%5~x~}3e6_U!Q*kOPTp?~sK>OtWcWIv&#n;E;;V>MPAs`aR=R(6w) zPfLERN zVw43O%GkQ?Fx#tfeN9J~e%UES(+`P>v>H<cH0_7uK9~_lg%gybXK_yVh+-`}x zJO4<<$mF{TD&;Q8d9>0*Ov2}-@0_xoI&hAn1K7v9>e3@^Hn42UvIyWxx`U@PfNG}e zSbL`>m$1-;un%7=RP}_`vu#p6o~M7}%o;YLj^)_X=L}X|!is@^BadI}%aI0?=TDS- z;T}-zeJolThMOMJS2at(y!?)zyJKL6z}|RX3Y8>^Qbr-eB`zFvJycl|)xx+IwF0C0 zTnF3W;Q_oe^$hFin`vk=`vZu%)MB{*XpoL!_dD(K#MQuI^aVfS8J51VQ!T1@eWUmD zQC<~~_irMYg)USN@d`3(ynTjMJ6!L-VW;$W3bZ>1iA8sr>uK8GwD@@M+@=1NrxjGl5fdM`RB_)MuaGVg1oh;Hdogv_kd2 zE7F)eDb^(7kHqU-3MgyMe_|!#` z;H?%>5hw%`Y#W8zWEzDOyDp9>;#-o4^Rt$kA$6mqRBt+NQl*R)NM1DaF(J-S`i@He zBjaX|H$)l4SF!oBt=C5Z&=QznDIoAkkOo|}pC1*M(j11{y1eLhmr9@mBW#%l#q>mz z!z<>d9qPx?cV$m4bUp|T*anZ?r}FRb1DtU?zz*@+($g#@=bs)^aCn&>z!p7 zx!Cl`Y3%~HHL~oP8V+IZ;%>I&b*+oqwYKDBYN6Ty0^1vY{pb0YLPnGNCQt*+=i=0DpTFolhbDipEnb1hdK}oO zq+o#RC|Ge?H9;s+S%=5Nv87r!c|~n~6u8*Ulq9r}6-*LLVJdjuh%}P0vVDt8@2oZ< zbdatrp6O;gZz`d&tUfwBoZkK#1F?N~?UhX!nzPHf_v(2Raem-;hH*NiM+se}3hMXD 
zPn|AI3kOgGclcBJ2ec)(Vt+zg>vw45F<)v5+WCQ@ZQS@rr-u%2>T`5N1D<^DGx&!K zbKuJifXQ#)n&I|yw|tJO0{OD{FQ2cQ@y-s6W18~4Shi~|FWx$3Z^5+E%3UalH6r*n zy=^m)@m`SHgd`iq5Xpv6JrT}{?!@7sNp`sjEke?`e?vLbb~8`0rOcK3=8eP~6HJkh zO*)+0rrc8m`pkVtgY*wD^$5=a*&@h~`^2Z#M3@B>CwN!+B8}tfut3 z9~jXlp}AQQ_~=rx&M&)h&xQQj*_Gp7l|+qvl8_%wrs-Sb=T&bSGhj{jE`xf2!!yM` z(35c7x1XQ;+rS!L9=xOCA~GM3N3i)KAFzp~U-m_wS$%m2D(4s?J_S+o)uH#BthAh` zHkJan@#g=$0UY;pDm3_e8{>;yY6_!+x0KJ20{&`aXK))Mg9jF5`k&@4hIvwM$r}|; z;a_YNJvi%WvZ-usiL$yRB>%V$=7??SNOIG-7f`7!5EH?(B(X#;Nu|G=cV~OPBZo=e zbUmd3F*r^qs{A=tXIsTzlL(K0Am4%4Q#jfY=3r!zD=R%6?jAXzqu5F<&gr{wG#-S? zE!+YJJ%FW}cv`VU`Hign65j`L(=i-c;T=>ehN5}|ueBP)@ysW7EgqZMVZmrp9 zHRG10Bx#5os>GyVP7;Ly;e&Gb!O(~L zUZx3IURNBs$d8$9UnuuSS9DinAUY=tR_&Vis~%huQ=jF}Y3V1@5%Eu#= z_s{4T^}RC^4N4_OJdT{o9df>{yobfm5t5P9pDU|P7P5LptfjIRoqLqY!z7BrbZz1t z$bMnA3d{1{+b=C%2$k#nWK$vGB|B6}T;ywV4}r|iW0KdJR*7mjb=|i#W~V0go^^sU zzO0s4gu{>g44yt1!Lwe^#vss5LGNP@hdAEnL=cQSR%xB)aw1)0_04FjvUrAfE5_g} zhoN~v7Wdw)Af;exHr(k6zdz0G6NuaF3L}Lm!t1O9$v3t2?xxU6Og(>0(m75?*t2d4 z$;3K-z}`T8mO}t95W;T|>LO4Xdqz;ex{4oI3S5Kcfv+bnC4oh1b~w{}U)|MST5+xG z6FyugBeZ~XKQ4{Qt)m>EzK$r+-&5Tp@;X$lo^@7)0`8!egjLv)X4!i=4lS^=7Ag%* zuk~_dfq82uY2FKAU=h*~XHr-eFMsfenUrDA1I|$5L!Ep*7iaFaOSr(1rYJ-~X@o>2 z&SK2??en$l)_i%+3sgg-Pqg`Sy$c(GBy}myNp`@fhlVH{M@;S|(EL{1pz$o=#<$ZT zRvdm`$deUd$3g8_j)D{q3$mXL2o%Q%cXkv9k5A&}KgXwKnc-G+!L4B-0W4x4MNrNj z+hXbs>jS2S@k9gMOV~4>w1+u@AyI}*H2t2Ly-55?>cRV9RS&@zky~r|$SK&u@6)@KT&@eY?_D=ec9XJ$FVAHML%VHk{UIl$GqoS&*z$4>+r$Pbp z#FW$A03AsPhI)Mx+bF}(zcqsXewh*2yKbAH6T$%uy3Ej#YV?`IE~fM&`^uQ9>1kW9 zW~n~`ADy=Lk`IniL%zc3MrpT)omCrv#yB&CkPrF8f=zJpGFl*T?PEQ+KysaP_h1Lq8r z_QTecK()nJKhqCg+7zp=KDvQXk1iv_`b1Ze&;)RNXZ`^M2o!BivDz* z#Jo812Nc_EpBWuyxHvwSa6A!T`o9xD{wMJVekVTh#xLRzGX75d3Q%FsgeQ!N0YPzV zdJ7FbADi1Cl0WODN{d{|!fkQ}5fmT)6xeBq#N3n^%Mffdjhj>tai zci42&i@r4v0jG@CkN=*+{lHXTEo)~E)R@ZV^5dhE)>NU3vnm}Y;=yS{TAdrJ&73D* zi68m5rOp^CH#g&kp@>Ky$@w-{kn&I$uHT_QY^l09Zv^?^I z)mPr>jR-`L6FwiqMY}pSh3Gk26enU@aI+3KGE*}py&NXq9f>^p8|eCxDv|c8uM=O) 
z5ht-wM)B$hC4@0g;7stp%D*xTTsV^xS(c4ES|AN~EY)YLV-Nl~=eJcMIv992#}a?5 z-ROJFi+SfPS?~GdS$`0~o8MLCvLF*zBv>6f7vgQ`zK=yej>hgmj78U_JCeDq1V%^f z2ps%;DZtcEeJj)>O!GyxMghHOCdAIiCGm+j<}&@GR0|vHQZFXseaXZXBQj8II$9wI zcx??LAg-1eoJt`C0kl6zVp0vm%7YOh1Ga19%>5@g%ZX!ZGFt{>^czy;LvSlJPq*CZ z@E$Z)iPn#pKdN{Pvg#{3uaoX5bP!*@Vn{srL@nZ!b>9x%={+^_wWSHUGd&;RHyw)U;y@~8(-8Cu~ff^bJY*^65&W2zjGDNMi zyK;{}0c~^y9-g;!L^9Uyj>5*|(fX8%a&5bvxwwU9S_bEONF-Pen(xvV%M+#z_(CKl=09R+3yvhc235WHxmL?7aJ3QwnA7;0Nn&j#5)?b zw~ecQX%Wb8i|J+G^xbKvaj+M6g-WwEeP@{}+%vzzFNJqH?l4ArE~YA7s`9};M}SZ! z0fg)8@Hr-z!)PMMSJYYF_{IGSA%oYo!DixNl=ZMbjQ$H%&{Bl-kf8}?gW1l}s5zr_ zY6<@j4usMjSTtpR@#MQ(DpvMThK8???MB`zWlBU{%lR3_2gm&*Kf)3+$v6-co8Ot6 zz`i-YA|+5gMaA7_e__{CbPp?^yZA*n{Hy>A>44eY?JnK{`g!|em#2!D3am7P>l`fV zHv89QE=om%WLxqp)ifd+etA~-VH(wq*LHA~TJ<@${U5S}ZX~o$%7lpq@R+w=y4k6% zhYW`?&|hw`DA|-|y^}DDS8AO6wobuYqF{W-OxP68946=YBA4_%zCWO}H3g=y#9K5I zc|4&@;Eja%8f6{Z7>(gY(7xRLiNFq&Dz8|P<+6A*A$~-+G{I;9MbxXD2h5e^&hcuP zVnx{yXs#eiFa`cj8m}{~~@- z?C->P!@WNgdBG^E2O`qVerd6VgtkNQcs%WbkobWuX+&*zT4sBRR3UI?)AUV+W0J;W zcoKw=J&Tgy0bPa@nQUCSYWYVEMIqlXvM#hPLO?(u1H0W_4rYvZm0)q;x@{XBiQlsb zqIqiNjZq8jt3`BrQ$RNXe*q4@-x_^(llWB(z7uLQ>ut~qP4=4^pEsR8_ET^W3=_*` z>q_VupQ^&}`f@W6v1R6b`ajBF5PZ81`++}qv9T`49*O~ivwRWMqUhfohVcn+$wuxQ z!w@P5M()5?HSch{q)0Td!}g*?3<%3h^{KgER5KyU@}(g}g@SNLP8{Q??Q#=l6JBx$75R+0ObT+2gQDIyqD+@_ z_Ej|0lHqkA=FPd)!}4dGbN8IOjsfy6+zAaY`NU51JAzvuCLsFHe$=o}qV--fa7>4H zoCgVCb?du}vvYNzJ!B3^LaKi}24=*+II@?`JNZ8DqyJKx2J&-Iman=Y>oB4XaO2q( zPTV5`C$768&EW)+>?*8h-Q^1=>owDjkUMx|GqNV`bg9$viHdSq0H8d&jeJ%(BO5RqkyPw~k}ABX6^d=AaDSytlYM_!wEJIa+C6=5&u@ND_k-7h(g(2)t^=)K^7l(6~>7aEKy%|Jjp2X=) zzz&9pk5$B2iC0?R>}NOD3xzAxEhJmJ={zi8M1kJ3786&!YTlwAj7@UcUjkiBBAP8QogJU)%`6%qUYAcF0)zn&{lV6>#A7TWXct)C-8?> zBoM7QqmpmCs**g=E+=HSx!}RZV{Fd`Fp;23VoX%C*g7kfXN&@LZq7Z82tqyY)P(qo zN3O6LL42wg7-l;iJL_WMEY~zwz+U~)vp!QO8$cXQM+;9wo{I1U$oS2j0a)r8c zqwPWICsNHRsG~HE0z7s0U|hcnYz~xcx7^0u_3TlhU|cNJ3nl4mUX>pwZ(UuY66qCW z?X~GE8I zMW(x({VL%m*&%{ewgC&sleN%Kc-N#&l!psB9!TXIK&+8EvuP->BO!fT{q)sEno 
zerST_Ks=la3ifISmowDone;~?g4*aBwgvo|F$?eMK+Afp`}xW8%5;w6A94$Eu?Ws_ zJib(5GmDi{m$pmI^etjd;{jmem2iosRj9oc9_)u7N1S;As+;qWbi(;!-1iTngM$Pa8gY##oK+z@m$NK^v;4`;ZV2&;*0NER zZHlJz&Jj28mhXz-MrSK>UkB(l+833_4Qh1{-R}jD%-Xv}8$_jkqkKh8rKXsWNYK}# z!y|KEF5o6#Q{=owX@7ZZlZvL~SCf*S6WW{Xd6Qb$({oG9 zmJtxA zx5M|@LHrUvGR1Fz5K{3?UYyw#2fZqk+)ipTv{h* zQW1sSnqiClUee*Br&(6BqOmxPmbcGvsCG!R3ufglxB0t4HHA5D6WR;}aR_Otd|Fwv zT)i)#356@4YuC$QB0rA{Q>PhgeDw|l@9*eew>`5D zbz(b91mmOfodaXsf2$hwAck$i?fKF>9BZ7WChj}>JA#!T=Q6;TgXBuxDT?-r?5AY_ z<;7f*&gS0cYNaR%J=FGR-Dc?CrJQcA;i%%EDSsHDNJ!xm->Z#dkWIG`>i)TG^kc0-S8dA@2*cUuGd z%r9xpLd;cP^%Q}i78>XK<_qG@x3Bzf?$w&I!-x)wKjy@#5AjoWR&a?hSb=$Z$~ zEro=y(P>oop@au8KS#RyJQ}rsUGhv%SegoSzNFdX;n>5GW*SZnI~}g5YrmUZKN+ghK0dbvd97w;w`up3D_$klK% z)o$9Jb(-=010FT3A3zAi6;c-lZ{=lU zm(YS+%`GNAxwQI542Yb5Vz(=wLDxi~p5N{L+LnduKK5XiM%>VlrtENgLLNw}x@Xx$ zRigg3e9>P~&_V3@03yCobp4)4`ov0b=&r6>F3qE2-CU3&-A{FXdev!8O~T_5S0c6& zwyS|h5|gP$NY{ESDnuKZ2R-u!ekHGJi6ccN$EH&MZON2i zfoSU0&8o_JFDr3?=ax!lFzkn@*I}EY?-}$?C^J)-XH#MCL~9vD09koQQ+kGe-xJ=& zzVW*TZpIs3lD-Fg7A=Mxf3YgESFZ8}XO)Jb&fEOEJE5?lM?fsE>MqLVF-}9LO9s&C zn{WK!7oM)8pWuyP zv#+dr&4yKx$m9$q(^8EZ*5H1;MJgoVvDhru^bxR&ou}k-G>OnF;pyEu8n+Uhm3$Vk z4JBaLvD6-g@S1R=4<6{4y}%6`s$r_wz<3m~alAm3x*fvV!x~h+4K+cWp)qkXAdd9j z-<-has92!e?|b{~NXVu>umtk)TkA7K{`*5uu^%4&7lpxT=0!p>7h&}j?`~tyJZf44 z23i~A`yw0VHYta$Fp<`Okf7$Tlr$JKC8={1y?@_XSRouJJm)ut^Qz$W)weO2QDfMV z_#A+A&CL#q$eA4L6iw|zbwlTi^~By<7j;-U1;v0oxgGJ;SGivXFE~dHY;%U%8C>Ki zCa)piZf@fG7qg5icXc8r>6z#}^sRoX9n>Ja(XfsMC*kqz}mdA6#*CdDj{+&lI$F!ed-}MCtQ($VKW?~s;5MS>R}@&J54(X zfwQg;NXoV=z6ZRmLT=*Ar8|w+9b`lJDuqquBJ#~&`go}P+{yfXvZ7V1w10GIH2cwV zs&YbaT5|kE0(rCPcrf9Vm?=u4xnQG`pi7R|LP`;grD#je2h}bbCjE;aq|e{dTwnLc z-UK)s#5^u7N5*YxD~a394BN85K8janYwx6C`XFMz28Aj?F%v5uH$I7`fo>*+=F<2O zL>f}p9^Q@mxTQC|>dcA`y|C6ZNSQgZ=<0aXp}h4lLW}A<&$J!0V2nY8mjET;DVIgr z{&slSaSj9@%>pMZ(Hdj{OrAv4-%mZe968-n$bZ;$S;NY~I zuFGxY7BvBxZS?T`Dg$>3?=s&dR}{GOeo?b`?IjU-cE`p@cu817&YZbVIQS#Z^pggl z!A`4fbPv9Yq1`D7=3Mb*Vg;2J1MlJI)?0b1a_1DDQmK&e6LCbAk0tV9**b#X8 
z;XBZ2TjRpKaC$r#((DLl>s9EA_(&>5*}7Ckd*sn{cfLns79A5aCm-UswR?hrv+50F z@$U1fQfq8xd${RBmb^Y`%4W=d+uQeXs^qS4bCv8)5@ch3reuorOpvl8uU}4uyyXZb z-l^&fNqsGb$GE%`?LJEQA%0!DaK=7|^@;fM|DE{BKZ)P-JMlRUe-WRN=Xc^S)o>+B zS9B}7C9?HHZ#=h#bQP^ksyf;t1)Xu zg}J$AVZd=@mm8);5_Efl$~Z zrz9MY5SO%t8{)|Q-4~F-P5C^@jUZQ{fwIRYnzQb;coC%gT%cZ27g2thL@WLa8@-Kq z>1?#C~~5=}UELO+fC@KG1*YSLEO=uzz|N)j+;CMwkT1wfB; zUw;vGLzfja!(@w&O@p2&;LJ9o>L(tI6dje8J+K~3t{rZ}8r17SZdm~_4uASEkNTK~ zg(wurmn0V)SO8DnO1-q;9?rPST_0|PC8p$#eyq50_&y6>4@xmf5#3edTN|CMkF@); zrPQW4rNa#du(}_=r4h1eBxBYwfA$5b?H56DlNfF&#d&MJVLKU_h1$WLkCKcWo)+ET zqAz4C8>n=!Tc~8!i>wW~gU(s?V)g_ideoIxd;5=eawBqDa9gEo>x1+q)(3)HWw(s$LY>xzDk@0sM$qe|L&y%xV?n2%b~=j*IztAn65 z9vT_ZmC@yQ(N~qk>k0xYb$q-yt;c$A=i6^=xfolaG{pa7utCdHV8cIK23{?UR=L$D z`<31jy*)zEz+o9&pySFiF&mv#I~vjMks*nflDcJ)OtN@;W#PpB#hO?VSCNV501y4z z#3RqWV_fw3Su%Wu?WPLZc$Vh)XPzNq*iAOE14i0Uoyzo)4&?0*4U5rsHYkcKvS*>g_X~^%2no7;!=k!3V>FJxgqHwZ0@`E_Jq|i!8@tR@ih2EK2 zjcF)3UHh|F7ow{cMpG_u&ksg@=qwVtQf>X4X@w5f)8RC}EO4-z>UL6X8TRk%KHk87 zCCXWC%li^aIX^2+BSwi|mTBTw&5=qc!4CUz^S{LAE`E&h#aQ6Fs^%)jLaAOCGthadQp__%lbrW5acUan{GtoJ@i zb>{=8-C_6#AQaX2#}@ze_9Fh0UYt>j?aNEFl{M?fQ0zKbM)PK_YkoJk-3^2e)R(hC z>LioX#)>R&W>9$)F`^b~xgyR3>A$;`P zl(JfV#nF@5iC>|%oX!eMudi&AZstYx zE5;B(9x~9WG%<(U1KkfWH?n8EJsJ0%X!EZ7wUh4buebDMb- z;i>B0X0XLVHSrRBh^*W8;^6=drGen*H#-hks`Hk}9%ZR)2t8p~g&B<|-EK1|Itr7$ z1y1Wn7{Z*RZy<<}&rB$*iXY08#$M^=wCWR9&I^n+sd;uPA-_jY0c=nr&v#jln5cWq!S2im-V`K zzx|lx4%@(Nk{+6kL;rE&gEB>>D-LdiiVRn+sKf zGiUm~yk=O0D|D1lRmSgC1r>hG5BTaom^*8wW>w(EW1C(WR2L^Q8Fjgr+onBQ?)zP% zHU~seh`kqL;^|y0_)aOnWOt-^d?ZqfyLjVxg&p`4*Ze6cj-G?D#bMH*HMRZVY8 zBchWp_meddit_2`hy4l`@mB(av@xoc7nOc0=nS*kW{_NYIKC^F4tg0fZJudjf`|To z-A*P}yktYB@SYVbtC1cm?9?^309|irm*q(8lP{FB!YTSAAF)NVuv_K(bD-2?VfQ^i zw0)^{hbI{Bxr0&tu5NaM2i)f>u0*xw1r-e-oVRE}RwDZ-UPAhxw8>D6QIm3G53OvA zgbF!BUKwbh@1B+7qj`gRVMOkvbfwHqp+vr##HzM_IK<08WFf8>X+cZrF@e z{i-Bf?uY@4>!sM^_HLo=yzAVJsMqs>ij29g;!MwKS4gQ5WG&bn{b%A{ah??&nk6d` z4}8mB0}C@AEt9-73@QV))w`=a(V)>PM?fVtBec}s>u 
z11kDKNDYyMh#CoFDY|a6}97BFLR03!ekDdN62w)nD=RrJ9JGnGe+YsY-CVG&0~0=_A27 zen3i)#`$Qo)iWMf!}$a1^M_Wrd~xg#6k`KB`eJ(=Y8ZFh2tY7LF^gvWFt$_+m?zEA(TStWX4;|>jI892WCRgO zQX6TJY#5R9r(@V!|AnQJZg)RgAC}JsOol zrWNqs?lh3hZ-r6^PLQi;wJ!#kF48iz%=>v(@;9d7BE-WdLGL4JEGEMeMr=<{3Owc= zGQbNj2p1&(L%9W24@#n^fD}#OVklxVU*a5AEJ(ieFcb5JLURkm7M;c%HA=^ zvaM^kP1}{W?MmCuO53(=R@%00+qPY4+vcs>=Y3DyefK##?)PK;Z8650GurGiqCb7G z>^|k>K5lIr(>wwt_s_rR{_y&EJsP3?wtuyaI~zy8`;OXz+h`H`<4jcnNy66h?nNX< zgsP=uJ;E-eVDU`hJXH^rFv$^$8_-Risj4T4Yv-1MKbhy__Y0Qu5IfYk`~#*Nbo&XU zGUTRn)S)ErEBIFcWJQ>w@8c>3k$tzQ&;c0CYOQH9NOZ%AiR&jBlgJW*cO3Mq>kcAsiW>o(J_u;C~I;`)l< z(mW0{J}*8!AS_s{`nih||IvxXqv;eB5Et3iXE|@bI9(F!WV&N!k6)M zwen$k4|{+74DA|>>!&=%R~xU;ommp|1#>56&x;tR#3&3;k}UA zgoVBtY0~&WBxOIg^XlvJ1Pen+q?mFc z^$~HecdEKmCkI0YQjh123E&^GOSx)X0H4fIF7`~rxVb27?a}-X5fmf9Rni}A)+J@5 z$h`5UT^h#4&kaEO=*QEA=)F))g|e>Zv8JD0c>HGe_C5lfOT5*)#IqrBx8^-XypWIv zAy+hN;EBMDXKnPun1$iNUZzE20Jp+@M=ue+R7c+o(DwV%o8W_YBcATx*At|H@!a6l ztbV{T)1SedUsbBg0_V|UW9K=jKCAO4-F}|Tg~@9BIy#$(g%1V|jhI@TeO_d@?oE_` zFv6z{DJ}yNO*G1~I`;QGynB0?^kDa*>r2JFH@UcxVmLTRs*tQ_!iK+` z6rjH>tZ9iZW+gHsoo5mRqr`spLkm5cLyh3ErYcHWs(wK22Q1E=l4+-kz&c_3lQoO> z7F86Sf>nBa8;u4J8#8~`sbGKBoVx52zU95(-)*8EJbAz0q_g@$S);$KK}_15oiiy0 z>bJB8Uyunukfr9m2c_6afr76RQR}YhXcEKI-+URDQt=R_*ob_h??c`svD$<}w^QeK zjhRn-gfW5Qwa3#IugCnR27O#Ww9X{K4j!s;XPG5|h#f~vt*X5etLfw(!9J>otebD8 zcrM$o?yBj|)zc@7_AHPV3#c!Ji7nC#SRGI1B%+gPro^oLT^E!n)Iie)zO3`$%&wM6 z#Js;8W4=ZDMuP%ZZPSmYhk!Tw$03$O%|0gubcJi+8^Bt?nOwb;Fa;@P5V%BGb2m_f zO@`=(+j&ZZT*?i2v=f5gK-GMMPonKqXrrl%_?f82dUzcAq(M|hp7#ePd^}KE;R@X) znZP4#2nCc*QtT^4Q}b7=-O3nH+S>s zje4~wwdsV|!-Gu%CsAzkH!)nz@}I=(eWASJUGphu6M3>dsRdwr zG`RqXtu??xp9-zD$gzUS;CMLWV7LxD5t$mZQBPPtJSU0Px_B4>20xpQc=SwQ1+`i9 z$U+Sj3kdth80?iXl%#e>y-5|w5yG$)11uvoAa*aj&7Q|RWr(9}8Qtqz(WDUI(XVo@ z?rU8g_9}&MSw$#kYtiy0;fI0;icpW{29r4?3J+QO9Z82z=IFT_9ze(26f$(OG&LUf z8u0qi=D}XlC60aJnrz_NJT@Z9dSx5R?cNU~Er5J_s=4_l;>BVG7nbLlR-ihVsfaO% z`4+-k46+RWrV^t_(kltQLv+(JrF6Q#Tp-35?fYR^x!sq&Z*|!&sO>2yYbiHb}ZX_rGHX6JbR66)v=8w(0dVj}irds}r#vDJY 
zc`mlt$zs7Khdud0ZzvvfSP**O(4ZuW*_vHl~yaV*Bg|u5|a2A-kM$CDYQS zcb3@8$t(?l0+Nh0YnGo5KXb#oue}$)ySsm<6U+#>qp|!ZeW^CP_{MJz9}c|Rc@81Z zoJpiA;bM{rq#A>hk(1ydpmtn*&_D|kQ0gZme$VRQXL!zypf&*$~F zwh8W)DffPT;k=0GcfP@Cx$w&UulMTOL97}PLTxTXGd``x(eYSZq@g#>RG6g;!k3~{ znOk)=%xWpQsmyQ;bsv7oQHLMoOEVj`lyHZ34LY)sz|SPl;61=)o{IesXVQ}kZ=j|# zjyymLWqx$M6V<|%n;6~WttKzeagPs=FkL9#8DyLni*@=yi6lfQlRVf9f*qfl4d?YK zb5lHTz%CD`w)rBkZ#78KXoo}r6wxRn#3U!N zuPwmS;kELwshy<*$<9C&tatOoos6x)VUTT3_WRRJL3~lSu+s(1n_cF3UVE;S2wDAN zx3pkJubFz|?nuI@+YlohO6-pk0M=O+C`-?_+_Xh|vQ&^-?Z{hKLoCaj2xsNom${Us zKV9}{CK#aE>RWc1xR*mg(0?>xH9+SZ)YxFMNe^IzDIYL=+zd@5-c@9qOWUV8y}l6V z+blNg;i{_V4byl@$k=;Z7iO6qj40iu^~v|UwB$-Y@$qKVDwrcuFbr~R$E!~|e+p@d zD!}r6jr7@m7g}=dT5mSt&Qzvgt^}@V)j+^^u#+2Rx;)|`P-78BkSG%^M%>|?VAXPH z71)`^4FhgvE=o7!Uj)9y%@zk`2OC;{?(WzP%Xeps ze?LP0!A=B;nsURBVptDcGpYorw<8Wukt47*@c=%5L;F}XRA)#nVKM|*b3He=kPR+* z;9$mSX1kERYT*m{aXOvQ>PXtEvfOW@5Nw-k^eE>wvD)~w!z>pMnTubGILLmH_BN`A!) zt^4{dZr#sWOml7c>U86(+#sB|W&4@GC}G?HP`|F+kmItJ+&}SC2pN8Wya$5xUFk$k zUen?-R2k1X@a4KBP@K{X!b5~UPv=Je`4&_EyYbWiGJeeo*mAh5XmF8MM#z|8$7PkaOG3Glw2Oqn2iES*| zf#*2dZxE3V)Gom<&n?;a#VfdH_HSL@EVr$En1zfL5V2dRl z$xA0s(ywE`g`|8NkWM(-I9nz~DD&&gxdT*$>{zC@pY8c}m`>q0ZX!sA1`0IRx|DbL z>T|~*aV3jw8>?;GUFTI20nx5O2*JIoJ0e}&IjA|(r!&DttBpzV`m;ScN~=Lof!pp3 zro2{oLp#+x6W7$)oY;I$hr!<|!& z3M#Iu9#qg#i^f()%)K|l$n2O0b_SCR)4{G9tnvVf)5{MvvQWlx^BS+LZpyJ-S2K** zQE0n&8N;3-i>@Y;^+iPL_8U&A)^F=KfT1YB`qjb~zv>mpsGU2JDH<1|%1N|f&myw0 zN12TzRK}fu`n9hiGK%79GP4lroKq60kaW{%wt_*tqL882be8RYEoozOI9*XaTP9cm zx{_U8ZMnO62%`vvxU9#v5g#&BF@bCQRN8db~L04tEk?~dED8L z;n^eKcY^c#9No?d7VU*;sC1gWg8&bH^G1FGY^J^ThgD2{$FpC!9|uo=jI8WXpF;w{ z-u08b_zct_^>Fm-B)XX2op+nRXv~*D=TwXACaJpEOo%CvqkQ#X*3nI_wPYXBpq)iZ zzy}f6<}|8|qTso1-S9Z@^>l6OdD8?)I-}r7?w*C7_P*!^rB}$73Ftvgx56tEhZB4d z6c5{h7+c?bnk(kTTuYZ}0tAa?TJz@^$sw-Aply(3F5%){L<2MlE3<7sGfGaPF4yKO zH!S$!h;W~M{le%aYnJ0TP8uFGln6`OyISeqZco)%H;%2V*}iPEq;VmJOauDpiNOfo zUrs_zrm1Aw{5aK8{Awo$P|H8{=4bumW#Fgslex-Vh-HOF$|-95AcECR((jeF0%5_^ 
zK5W@fn=kBYlqh-xkd-0w22pl&RDs72C#iZ{RyI%aMgTrKG}t3JenQ>M^$*O_zL}#6 zF^Hb?DCAf++~vtOfEiS&r^$b-xzMc*Q%_I#gQt-`lgx(D!R?#0h*kc^>`kjv8ezH|S&D+0Ey@*kzl<3(BXnspj!k<&Y2k0-Lq%u$rQvGpbaD^7`@Cq+Zj1p?QzR)?s6! z=A1MLf>5so!sv)IDeNPLQsLNw!NYXnkwMU)e`h8SM~-TA+5bx_Ygylin&A*RZ-ORV z!7Anw4Z)lzHEcA9MMDrkMO~e6*2Y`cwv$_E?;g~rq4@ZZ@oE0u_!)m0zw__LSH%6V z@lopjxADRM)c7Pt6hj^nKew8{;tWid(B*3{F#1AujSgh?z_zyU*>_BhBj;RHON_K*~5sJ67zeDq4@=+9MKGIUll z-R@e#qeVoV%CH^@c89rj+v0+sfJL@@0neKrTCIWP-EVwgxa*Vc>y7U;2#4k3h-*xD zCLq-(ZeXMY`G$6#dN55xD;_~t=cn~Yni-M7dtTm zr$K16M&wa?yaC^9?@Dw^QY+CnExei(W5dRsztG?dS}!DF_k6F&+Y;qG7U?J_^ui^Z zWyvzD^kVvjnPz7DPyz{lg3EQuStU2@O}5vA_CLV(!&+|3ASn1A{ptD&B3ZGjlu>E)!8(8=83-B>N?B++@!Blp@E*TN`16pumHoGpBoOD5By%o<)Aq8%dcMy0r07CSzFOe;^RZ*_Mr zI-LpFOA(g4pdZ}218`+ik$NM6p--=64MIiW&Ppv2KW&`4BVtF3j3!E}aL=KYfu6Lw z{<&)ZyLzav+!4^ad%wZ5-%v>zX^9%lw!*Sq7`_F+DzP|*&GRZXV{a{U_f*#cta%tx zj?!ynUHU^(FG6E9I6EqeBEU~AXhK0t7ZXLHb1n8N;l^r8$4h%f1w??7Rw;glFeQqP6@ic*J^u5|(8%{o)QMrrm~gc(a$4)@hF=Lh9@S;EG$J;s$;0t%rW7V}9Nk$Vj@ z1aL*Wc2CVb<_VxvXQ2S1P))z+a{B{cR@mUYurqFD0MT#w2~PS$z(hVbWQA?MYPHx@ zx5g^EK98YZ^}ha887T+PhilT})!5{Kg{fjbi?v0RUK;+mcelfLoZKOAB9=7+EpQF; zl_#Suk)UN%m=peKKx1ol@G%2lWh?w#q0lb%6qDuuOGVlP3?&SA@CX(8(MWCx(Noe-*xO|MU zPJE1)sQgLI!ugk3_O75|7e<{=!VYSRd95w$feHa=)R?-rJqIJ^?jt=@Qw}%b<%~}sZY0mG2jyWQ} zKxm{2@Wc^=AgVKtVVZQ>dR_T5i3C93MV#CF-=m5;dZy6Mn4Ic5Ysh=YDb(q(_Q<=D zIBt$3$u^-?CQlR%sF1tKU>^|qBG_uT?qtdw8OTMkvzq5W36pVPkF}s<*y~@bU>H}Ze7Xi_xw&dp{urO` z-;JO7m+?FPZhW<_{~A9h{_n;wPdEg!@pGylIFKrd6q9Lk8Z`k^^~4(qo^mV4uC)Oo zDBkQo%!=`pC*=HWy!&?4Cr~XHkm+&O(a?-%IQo1!CH%b3uwT7BTs(L(S$sN;A&4N^ z%s{tqxZ|GK%15F>_oA7~%8iw=cFH9wV~Er#3JMOPDWP@I%Qdj&&Dd2_3)5GgphnE- z47T`exDt=>bJ+M`p8o=2fXRx2i17Si12pPFnDDmpUROk~H2&%+9i}1e%Zt)?b!+TK zd}dO8;o-HZXJ{Z5K+cHlnHtr1Ka%@|@*yFd{Y15{*o%;H%j=Qyqx$Q6Hs!%o%_YI4 zaYEq0x$p8iI)bs9hU(n}vs)%pN@l+ew!n_SB~({g?*XZn3&dckCiUD=jbIe>uuop$ z7;t=8pR{=|kv}Mm@GMQrR9i-3kowBCd~ml|tfad%ynfU$V!lO;f606b1moPMm__%j z0c8hg^vo?@_)>-t4Yw;@+Jis_MgSZh?#tG8U|{8N8-lbYUt!ce9AYd8zuoV6({7h4 
z%}sBebP*1b$aXXIlpdIX$An6K{)^m0QASgX*e=Qpx;q8NGj%JeQJ;SXi6;6jTsEW! ztH~g|45f9)tsCIaCA@VHf(iVo0W|E6ZE_tRLv#@^o&XadXWVSBIz%u>J89vKgS-qz z`9%)e&V?hQpOl9K<)q7dPBqk;?Cg3ODwR|dg!{m(y z+^h@37U{MVbWAc!VR)nvoW4C3Jc1uIH|NI^ShRgbJJVAKvH>?YSM6JT-!i$rM@K4! zG=AkmRmp`i!|@U@a-%rcbM;^8@BG>gj@J;NMlK5-CkrlY-U~UHCRqJG+NBg#pqU*w z1WX^oP}0*4zSP*>&ID;`%yV9+A|DKDKkzbnsT2f5|8+ZNP}rsIijug>1+}%ilR_vO zO5TuPNLJiKW0~`mO|%IeQYKG35{RSUSMnXrN}G@wcQ6#E#}x`YMe)pXOF$91|HQWU zd=xq^v>7IXFOj&-Rfn#>mgTx;NgS`+!FCwG*Jy=w5pLM50Oi+A<`rdwkxO>aOnR7g zw9ULI0uuOq1gG|1I8ih4SANGEkFBZINbV#ZY3ykc9dVoVW_nO)eCt!kU8GT9e~Oa# z01YM^QFaiiY2xpu9NgUh%ww^@HvzyC{2nDxV$$^UNT%v-Z=UH1o0&?w883ssZG?-_ zxMmzlk{HqkpcFrQvNwAUQ)!Pw#~*zHiA^{QdY4erFTM7G0vz|1YpjASpoF^};5+U4 zx09}c$aVnWkf}q#{oC*9Oc6LZ{;N)Vt#0!~7?@4Q@w};EKU#?WTdHN805sfox2VXqwhq9ml*6!W%kA4^B)&x^zuF_!2-#H7w|LzE zJ)Qf39+W441dda))v*TE4L1$J4@&wFlBZSN5mJeO5LezwPplpl9`0Sl<896&+lSf#j&Z}_=d`pi)jP#O*UC& z6YSojbl3t3e5G+SRhKHNK7r5Q&~(@Yc)NzBliD1UJ>Ajus7EEY?(w|=H12c_Q-oG) zDyR1Uhw-!iGJgBtjjyBqU*p@}{oVMVhB`ByQkf6#{7jTIGvdJ5Dmo%7GAYy4MQl@7 zxui!tqG<-7-YJ6sC$B*#Y3)kZpGvDB4i&b{<*0=j697$sRy>YW!lqb_Fuy{tQv{@@ z@G|Ek++bYCoN>{1Dbi=;{ZRx%vRh0UPIjWijD8d=Cn~hy%GUNftnqCX5;?HHIe9lF zjxXfik%G@{5B8dp{$y=f;s-0DaOE*>p<-Og5(gK2E`%7VX)`;v#nyMo&kuBB#dyh# zro24u0ZGZxkAFQII;qp(XLY9rM;t!(Ho*yW_FS}ugbvmmu@Jgs*=^(-W0^)5`WYKy zbG;|^Hf=NSTe=Ou-y}B$Wgyj;mb7Kk^_2n28oeor<@4n%gftmnp@e2J*;|yX)iv7( zK1nad>1jD*9|s=H5I$G1GWBG0QNe*(6#1gF#W(pFxScR1M^|$fz;&H11_LHQ&q|Wu zI_cHDJt&PizV^$1*FcynaD|GT7lJHZ6izv+{-8uoXz#70sl;RW+`}?m*RD?>v(=qV z7JlTd-yz20rW97AE&hniBB&^hqY{_o4Fbxo5ZQ8?@n?pY(p~skw@c>pjXhr&QA1UW zPRhx8s0EhVy$!J#i8y{P^*mrF3R2#WPiDq^}p zVo+~LmGxK8mdjPoYC3JV&O%}Fiwb9hZ)9)hl9+xmrKCZ}tP z!+0r5qFAx1iORf^8ZXV1)fIbgtZoT(*j1saYOG069b)j}sfe|iqcd)~0*DCL`oFFv zV?qtV$6^zR_&k$DPC21Ir8!l4hoKmP$kPow`TJAd|HLxn$%vWpD(Iy&-(nXUY-dSZc zD1|3YY#haBZ!s;q24p>!_X%DYZNVU@;)`ri9A?GS*Vd(aE_M)C)Xjic<;~p&Qf*(C z{xl6)4^^LXcR5r0l6R7HB&LAAHgwT#9_?QZ)0X0iscEBRQ@!o#>ueDqJ9{p(;BHaX zRsb`*t8vtwjy)p9)nKD}-g$PqXtl!^8U0n~SxC6={gDTcF+Yr8k)DwP{rjFiV^Bd7 
z5{i(ZaRSV7hm)){F>Y_oyE|zfPWQZz3E62);&qHyyy>M+XjNQcxmj3 z9!MZ5^ExaExsw`wRpr4c0(H{~QQRXi2Cc6#Cys;P)>@c_30w!!?s|s!Xxba8GHxrq znV9wqMuM-p4S-MhCN1R}4xwP)EhP;PbXIw`2Nwt9YG2q`fG!-W^6b$*Fby}34~UlVDb$X!mEW(7uCxQ2~bj`b0g*XV@QDmF(;uc8WwAI3zc z>9zG*$M+L>Q7_ooXDzTt=zC2+VpAJK(H^K;+ugjZaVthz$m)Gp zII$8OvuNbV-!uf3oS)!I6rRhO}3ie6r_Ay?WS#L<+(iKYoUnV{C%x zh&h32YnL(zY^g(0tD?%ydEnG4p*%adUQUNhN^B4}@(2N?T^Pt~5~THZDmty-5dE;~ z5hQiw%PTx|u6{R%%}i>+)BuVv*|JDK4d7$nKMvO>TVgnQ_gma4U*9`J#!UjqX(kKx z+S5=#D_jz3M*d@b`hTzSv;Q)F+ux0E`1xPsKk)wD_?;eKs^em_B4Ti;?M(+vHMo&- z1H(NtY`eI{w?ZsYtuEs1q@QETb+8PDED&Id^i@7T1%GnE_+gAaIykc)P2O{roHg#h z5C-A-RlZZ;mcoMpM8vh+O&s5KhU56A>OAi`!f^l^+tku*ZBxMtc(}!QmCP(phk)CaPg|H)ri;F ztah3R*7!Z6#J+?_3ocU8;?7R}JB+1wxGv^y=fyp9klD$Wce&iz?6ktKfZ_#_Ky2o# z8Hw?{@oU==NDQH^Us;4sP`f~MM*C`W2kgxVpp#~)_F~9x8NxWO3DF1b z{M__sAu;&uLPg1qz^N4zFJC!IoeR%xg+B)@e>!*qds$P7ZUIiBrmRuMbR^q&dxCqL zIRNVr$n)@F@Q3%1I1~BD4_H74ZH=D6PhHTSc5OL?cFJSfUg{Ik=BnVni7d{tIx9k~ zleq#7gx8n{Lc!|D3Dh66ZjKU>J)wvomvDs6e^Pb<8A33y9I_YIf}cE#g85%6U%^L$ zeQY04jc|w=`}^C@nWbv(#EwO{n||-gWxUeVSy?LT7&gXGG}i_uCX{C$VDWoMv$fx2Y=*+HjBNZ=$8RhE(m{{?PtDn7D zDQG6gQfj{nIN=LTG!?8NMv_ZYz@ta$TH%b#yI}|y^`aoa0SX^ zCfQMo9`j+47|Ss>CoWajPN6ikLhEc@^`Tz%k`PPg@)8}_Zp{)L;8~jkK7>e+TjY`C z#05-+v*1$C=w~v@faFJ{Evt@ssW9JR$d9BB=9G%Ax-Mwcr$}B%4&b~{%QAyzZ#Iz> zRgnBodiU}mt3cTjgc85UGKtGIla8$xSa9)BqihW*GwMs3y{xx>D}m&?F0ZF;K2R+dt&SgfU?f8~iWM2>%)f_f^pSg{zHHf&+(vxnn=w~|y1hbi ziXd0C{_;3WFonbVJPZ|x>m_S^263VoHmsNk^m%R)tgp07V>W-X2lo<;uPuqWztNv5 zzNN~x_SXub87FwH=b448noDde*-d0LSn|^DJUWz8H1HuQc$3lwqiEDj2&@9W#W&2Q zRpF=|S5!EJkAPoHY_n5F#qIpL@b66DfPtQaBXaa=?CQ=VBEgXijuM{W!kc3T+tgN_ zPhO>vswXSk*?|2Q({r&lzhh3B7x?l~4-a&u+B8N-G>Kz~JQliE8M`SicvZ^)lqIV} z`zw`apU&_0|B(4=$;%o7b=sP4V2xCw%TMF2!f$qU)cy2HXm8g-GRRqJ?ps6OYrF=C z2$y4|#W-B_FkI@s2B}E(-$$5cmIQiSJay!HM6&sWyHHQ9qA>`4s*Be#g!U9uyuG8E z_o5ZRoV0@zaU8(2+8iD{{al$&-{XDnNcqfT&MXS}Db?<7k=+%5?vKes=zwwXu2(u* zgG&&Fc>MUdfnYz$r=?ty^;K;{@IU}VzK}4r z-N_$nVXg{9!A4`ej*X@2H%-Hb0QK5?kxr3dk^@mdP)2bVL{%Q*uwOo~w+(QNjGegZ 
zSP>tCi;ntZa&B{Tu*Nct(sQWh^pEiw|K0dGe;L2^@5VRJ`mgbO|95Zi-e2eVcV!9E zge7Q1d$`ho3oV+0{NZW#Q0QTvi8S1j~`WDEs(-mABJ3JV08p=uxZp*pHHpacI zlS6b4dp{Y3`FF}tBF2QsV7%`Xm3_s9%YnYuv`jYL+N6y=6Lv4~JKrK#{P7GO6b(!@ zi&rravT=cDPvazhGE~6FH0z7Z|7`fKqBZvc@J%H*vZ3Lr^Sy0tptz)^Yw~D8?#Gki zNwOnzhhwVRe%3o+Q?`tM>N8Q?63NLzN@CEQ9bt;TIztbN^ayy6@$ORC&>kTz<8g43 zol*s$6(%{gP?c@VvvWcl83Mo>`E;-?UvdW_Zy-@?%koLSE|a&izLS2SWKQ)iy{2?j zT?2i+Ay9QG4v-4IG06U%Kp@jPm*GNQM#2)1C4Pb69Y{&9Sm+K}5UK(w9V_$tQwsn= zzY*ck8}UpU&$cwAhW&;>Fnn=&^rjADnrCS8b{106nP(SiY`4D^S>lgIg#?+ry_ZUX z-{ZkQSEp#AwJST?ogB!%F1R$00m_Oab9G>jC%EHKSK)4b8Oe4{-dWzzE`{(^cK1hR zaas5jOKixE3dLp7%kPFZzVo`q7oEnp0dg;dWt3(~A;limIpk6y-W(nrNwz~a1mwu$|$mzb)kV3kO zGEnonGDQW;sC^f>aVBVE1{j4(SUN>(a0o&g*E(seLT^1q`bFdGsgY0&q#4$<(&i`Su1t< zJwxvXUHSep^W2nR~~y_+U_BGM;r`o=z^C+$+__Cq#RQ~ym{jz?VK3PWr5r=zbh{Di4? zO;)SQYiGyzlU`s8*`Oe5IR12*q8(^h0?uHru8 zqNaSA_L4D+4R6`{I!qAg6mH;WnlExdAZKUj<1Ikl(*Zy(qLzufk=>~^YbR;#2DCoP zB($`zDhA+enFXkmxKdBE+2Pgcnww{c`-y$l)TTypG%7}|hF{_WIsyj>BzLh?_Pe7> zxrPb*9p&y>W-%388iIk}XGy~H6P+gsTN$pF@;12_AfaqkF7IQ9{87pctlM3hP-ius z){Z(g=XHN1=u4VO0UnI^iulNpBXLMa8Tg3!6Tb1yYfUDd`Z5T*IJzf--vo$#ZPxS1 zs1k3X=~b&POJ{EyFSw*+aper#YHNN)bJZ+T&; zt*EZ|}nKg{}})KzZ*aIFXOlT-T1aV z|26)V;@@k00wQkNl;)Tl3?A6Mbqrbm2fkqL3RwIl}j3* zc6^AqZ&uBEgazZ0Ck^ylT{#Bpxj`wk+v)wR$+L1Lx*TA%__nhpeKJ`nH6qLV)!N3= z-&_jegy2-UmrU5hB{nS!z{qKuH9%EwF07u898>p@`|}@#SDMkyo%Ro_9Qve%>#Sp+ zR9H{BGHA!(0l{fl6fdS z;HkMmF`{r2#{usgv0JNs)C-|vU9A*CAE3h6x(!vG-@}3DKf546Fod-A+B_G@2Ss6H zYJ3QAem8Vlhu0#ZJHhG|;NCkH%r?ujed?fq7@VXFQlcN&k8=i(^SGZUQqxxg5MZIj zgYHlCmqCpv=oY&oIt}bC*VCVpQW;?oS$)Ba5?(b9Nn3feFc2k*^y-~$q`?+3>Go>! 
zEK_~=jm9jM@9r^;Jk(;1XW^dEB08zRYQj+HOEDclqe+zFiDi2Lbj7*xbtsH5t}oVr zXzqU_UDHbR({BEp2nKV)(I1>Mh$^_>{BmnjaVvw{c04D%iR@^Sq#<8Xt;&zZ+^6T@ z0(i98nDQ)lx9d-7HD0WPr_wwBcn-;H=2H&Fa)()CGoI6=7zblQA{&=X{(5FUI@-=9 z;tjoYhg@7o;7!Kww={F=fe-$CC&J z9s%{NbTm)}G<(a;CvpOriqcLT?mZ&EdoKdRP-GKlz@@jO-K9?SEdtPrfMnR?`n!&1k&uD#-z=R&{pms;f?;_t)j7tg3FhX z$*oq6GPi1RTI}Q?@N!geS!zHV`Oo*1F5;;Dt|)hcxrw0w04N5g*w+==RRG<4#k{>w z_F|g1*nt;0l%C(rTMXnApN_r*>M`0_k}@ZCBRvBoV0JaiAZuZg8?Rbw>BFRnzdVJC ztk*|$X}nO_1{sW!BOOP(bq}XC0)Cc{fjPZ{8abbxzCT6wE5f@?8;m~u5JP*8PJvFb zd+F?2-E~3II0xg~7)J4DuYHsuO~Uwa_UA*+CiUBUa3z4chy~fG7+TblR)qnT2m)8B ztH%y#U`9h`@B0Qq){4rOJ-rB^TKdX{+H5j8CAYf_Ew;-|v&;5SW33sk4ukgfiCpKwY*gB)P%9=~kDA3jLquF% ziPW`U&#i6->}zQQ!m_1`^S#oRPUck#u?-4AQ~||Ci$JC1=zDSi0P~2U;*b}45h|({ zBs{e>R(hBkO@BEJ=37>M=}{s%u~cY_XpFBQf)OuPKgsK2>UVkA&vXz8b)Y}SXZm;J z=lx~;=D!=?Y4g9vN9q2%@z;H@6mv{J2NT~yAoukKO@T&fm+HoZI~KYRN`NdZAj_%M zd~{7j*fi3S&o4GcSI6B%QsXJ7CuI?o)L+V0IIP^lM;LNqMSV&qrEml3wYkW~R26@N)AX z2GrWxGI%|dirhY?BB_94r4&5Z80=&p+X|uI{xMq!0EuzPbi9v#wG{}O4 znXE5*ne#9e-EXcjl9^ixa|lxY6zA%l`v&|d_!Zy~!LjP4;>e2OHlpe4k!w{_4vhtE z-P`I@+Mb|aZCPjI2hX0*HOG>>i-_xUwF{O-%|qU&rWcEpy-mydi}d?U(eiDj>y`lb z2KRI7)-6M*g!*FLv>Lo9gxLg?HzBUL{8sP1(pdKMZk%jpLCIUCO^L;bEa3*RlHx>t z6D-!UI->-7CDmH|$*NLn1HpZuZZx1;M1O0J9hz{XP#$i}-V$acDvwae?%PRg@BNk~ z2xQ+2?%rxK>NAWPVKeK=YLqqyS>$V2S#?=YqU2{9_4-wF&1e}}8YsVzEnB$!Z7HFL8FC}Ee`lwkc#`4w^2t~@zsNgw#chx)d z0dlt%L|Tg=aP^|_a9n|VhDv7v`Q}N-;9wk-R$@hp&lnMsA+n7|xKJ)?Mp(tS^i zUUf`LT_TE54hIN3GLTyYas8P7WLs_I-u5<~B;(fKL*L-m^=xZf-IY3;d|>pi^NqtD zM4`-Fb#~-3*JC3#byfS&(hj5iLsrI3-wKS%UJFpwv@tvlz*<0$m0eT-i%BiGb~r%W zO-7nFXEz`PUVY4Q4Cv-eMJ`+m5qUm1%b|!v5oDl1qt5p-5jo~Uv;}r2CpQW!N~`Nj zin3v%iq;?yNUVq&;krhV%<==g68&8W%qf20W**Q91n|Dca~hzVB1_A<9H}U}9x2R6 zDDqXH1D1ngafLp&hvPtqsP~1vXnVzg;ik5&tzFQx{z{hMrr4=;KPx!hu`&)uy8Vde zAK(H3^+~FmG#-GGu;Uo5Oco~{Ie%1-b#7x7`aI&WfvNLvteE_n@3S+arLJ44&=c?zG%jV!7?if zb$kzHxPqZI2#zFXXj2amjwn1m^bXUEW&qH@vw2%Ay z?Kw_@`u70b^7$=oJQgP29~1+8nkQ2Y0?-kPu@Io!d7XsHw9zm1E3!zq0oweT!lhU9 
zXeNqjYUN!n=le*&)ppdBSQlfF?L>>Ii)TM3H@#oX?HEF861~1zgum@~$Ib2QPdE<2 zEFGpzz_dajN|?3}devBTOLx6{rNWwmg%6#>X^~e8d?>{QxS%YLY$H&erp!0TvW&(O z0WQ!sm267@j2ibQ#@Wp+aN+^6`rIJ9e2f~b-xvd9`6kR}RBizKV*wy+ABytisO0x^ zXx~i}>yXOi;dI1CXWEbiEMEaaQkwD2?xNK9m9^ z5J(62$N0>@jeq+4Cb2)i|L;f^fc3rnKgI{B{=4x#y#F%(?~yD<|4E7cPGJ3Ys(BKo0iMY=GwJk85u8_0Az8|1s1V;lr-)qXn;+o;{`HmuK?0g-%AMhAw6=|jH zsB9o91t|ulo}#<4!e-U*9B%vvrJZRD$?uK?0Q~=SBv_`l8@@dWmA-3+ZBO>Ta_FM% zL2p+<^;!Pe`On`w|Gy^}Z9@K}*(~h;nPyYO{gX44{BsKzAOsY1SCrhJ{MjF3(7zIA zPyY}h5&q9a1OQ3Te-c;zm1yyML>eEMjp09uI@*8M$d~vxBKV&*{yS02_7Bl3?4Lx# zPhSKC0FLzkDG|x*4{^lnpF~@pKWn7>&y<({{EvUFarIw!&3yicSP1t|qSNMYq8sJ! zhx-3|GXFn_KbZdzBL@FT^zi;olp>z~pAvI^cRcWcacKUN=t=sUC_?<7OKASP>;DHq C-BJz! literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test new file mode 100644 index 0000000000..80a041c316 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test @@ -0,0 +1,7 @@ +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) + { + print version, timestamp, signature_and_hashalgorithm; + } From 59f0477d29b168673b0e706fd3f458bef0116f04 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Fri, 3 Feb 2017 12:29:22 -0800 Subject: [PATCH 054/631] Implement ERSPAN support. This is a small caveat to this implementation. The ethernet header that is carried over the tunnel is ignored. If a user tries to do MAC address logging, it will only show the MAC addresses for the outer tunnel and the inner MAC addresses will be stripped and not available anywhere. --- src/Sessions.cc | 27 ++++++++++++------ testing/btest/Baseline/core.erspan/tunnel.log | 10 +++++++ testing/btest/Traces/erspan.trace | Bin 0 -> 117979 bytes testing/btest/core/erspan.bro | 4 +++ 4 files changed, 33 insertions(+), 8 deletions(-) create mode 100644 testing/btest/Baseline/core.erspan/tunnel.log create mode 100644 testing/btest/Traces/erspan.trace create mode 100644 testing/btest/core/erspan.bro diff --git a/src/Sessions.cc b/src/Sessions.cc index 9361b7cde2..ad82f1c736 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -431,7 +431,6 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr return; } #endif - int proto = ip_hdr->NextProto(); if ( CheckHeaderTrunc(proto, len, caplen, pkt, encapsulation) ) @@ -509,6 +508,8 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr uint16 flags_ver = ntohs(*((uint16*)(data + 0))); uint16 proto_typ = ntohs(*((uint16*)(data + 2))); int gre_version = flags_ver & 0x0007; + // If a carried packet has ethernet, this will help skip it. + unsigned int eth_len = 0; if ( gre_version != 0 && gre_version != 1 ) { 
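Review bot: The comment added above `eth_len` in the second hunk does not say what the value represents or when it is non-zero. The later hunks add it to the `truncated_GRE` length check and subtract it from `len` and `caplen`, so the meaning is worth stating where it is declared, e.g. `// Bytes of encapsulated Ethernet header to skip before the inner IP header; 0 unless the GRE payload is a bridged Ethernet frame.` The GRE case of DoNextPacket starts and ends outside the hunk.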
@@ -519,7 +520,18 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr if ( gre_version == 0 ) { - if ( proto_typ != 0x0800 && proto_typ != 0x86dd ) + if ( proto_typ == 0x6558 ) + { + // transparent ethernet bridging + eth_len = 14; + proto_typ = ntohs(*((uint16*)(data + gre_header_len(flags_ver) + 12))); + } + + if ( proto_typ == 0x0800 ) + proto = IPPROTO_IPV4; + else if ( proto_typ == 0x86dd ) + proto = IPPROTO_IPV6; + else { // Not IPv4/IPv6 payload. Weird(fmt("unknown_gre_protocol_%" PRIu16, proto_typ), ip_hdr, @@ -527,7 +539,6 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr return; } - proto = (proto_typ == 0x0800) ? IPPROTO_IPV4 : IPPROTO_IPV6; } else // gre_version == 1 @@ -559,7 +570,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr unsigned int gre_len = gre_header_len(flags_ver); unsigned int ppp_len = gre_version == 1 ? 1 : 0; - if ( len < gre_len + ppp_len || caplen < gre_len + ppp_len ) + if ( len < gre_len + ppp_len + eth_len || caplen < gre_len + ppp_len + eth_len ) { Weird("truncated_GRE", ip_hdr, encapsulation); return; @@ -578,9 +589,9 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr proto = (ppp_proto == 0x0021) ? IPPROTO_IPV4 : IPPROTO_IPV6; } - data += gre_len + ppp_len; - len -= gre_len + ppp_len; - caplen -= gre_len + ppp_len; + data += gre_len + ppp_len + eth_len; + len -= gre_len + ppp_len + eth_len; + caplen -= gre_len + ppp_len + eth_len; // Treat GRE tunnel like IP tunnels, fallthrough to logic below now // that GRE header is stripped and only payload packet remains. @@ -607,7 +618,6 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr // Check for a valid inner packet first. IP_Hdr* inner = 0; int result = ParseIPPacket(caplen, data, proto, inner); - if ( result < 0 ) Weird("truncated_inner_IP", ip_hdr, encapsulation); 
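Review bot: The new read of the inner EtherType, `ntohs(*((uint16*)(data + gre_header_len(flags_ver) + 12)))`, runs before any visible hunk has checked that the packet holds a GRE header plus 14 bytes of Ethernet. The `truncated_GRE` check that now includes `eth_len` only appears in the later hunk at new line 570. On a short or truncated GRE packet with protocol type 0x6558 this can read past the captured data, unless a check outside these hunks already guarantees the length (not visible here). I would compare `len` and `caplen` with `gre_header_len(flags_ver) + eth_len` inside the 0x6558 branch before the dereference, reusing the existing `truncated_GRE` weird. The GRE case of DoNextPacket starts and ends outside the hunk.

```cpp
// … unchanged: if ( proto_typ == 0x6558 ) branch opening …
eth_len = 14;
unsigned int inner_eth_end = gre_header_len(flags_ver) + eth_len;

if ( len < inner_eth_end || caplen < inner_eth_end )
	{
	Weird("truncated_GRE", ip_hdr, encapsulation);
	return;
	}

proto_typ = ntohs(*((uint16*)(data + gre_header_len(flags_ver) + 12)));
// … unchanged: IPv4/IPv6 selection and the unknown_gre_protocol weird …
```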
@@ -794,6 +804,7 @@ void NetSessions::DoNextInnerPacket(double t, const Packet* pkt, // Construct fake packet for DoNextPacket Packet p; p.Init(DLT_RAW, &ts, caplen, len, data, false, ""); + DoNextPacket(t, &p, inner, outer); delete inner; diff --git a/testing/btest/Baseline/core.erspan/tunnel.log b/testing/btest/Baseline/core.erspan/tunnel.log new file mode 100644 index 0000000000..76d2784a7a --- /dev/null +++ b/testing/btest/Baseline/core.erspan/tunnel.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2017-02-03-20-27-11 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1442309933.472798 CHhAvVGS1DHFjwGM9 10.200.0.3 0 10.200.0.224 0 Tunnel::GRE Tunnel::DISCOVER +#close 2017-02-03-20-27-11 
diff --git a/testing/btest/Traces/erspan.trace b/testing/btest/Traces/erspan.trace new file mode 100644 index 0000000000000000000000000000000000000000..64382645ec07aabfa8a1dd94f2dcd1c2d3a399cf GIT binary patch literal 117979 zcmeF430zF=-|(kGM0ToaWq?9CmuR9;7<6o=$UBq}IKE1t z@H?OvqRg!hO)Y^wOKpW;sU>s|g*qT0mHy&y0}*ftPDO1tM+pc`w|8)K!aKXTy1DQ3 z@bn^h@AvWb^A8C8^=*h@mMUKcEtnw#$sqWHL2B!FlJ5-C`yd9vVJJStfkJJa5Q8jW zSntJ`0RuCnBN@iT|HK~=5&8=hb;~WjWxffHdLJ1TejE5)zMtEV+)ste{0VfX zP+XAvW}wVP$18J)A&ftRG0boe$uR27p(|BO+7m8w1{5FS0J%S5h9fr9QE$PiLC2^v ze_pZ$X4vsNgQ6lR;UBh-*6xLV*JX|X_W<+-3Z=yG*1kJg?-LJM;^6gys|5c-ximWn zoIdJ_nhO4&1>R*QI0Tl@5jpuIkAzS&W`ZxjzZ3W@iJF6&yv;@ zZ18I+0aesgQ%l2b63Vi2s43tL7oo(!izVfNTH|WI#cK+m)@|fz!2w4X?*q7aA0vv_ z6cq2w@roB>ILV*E3}*Nn$uLIodcnmzh$!9(F~|dkyj=qPE@^X^;W1x^pBEQ=Nlz_- zD863+-&5^ZLH+mwipt<0)dG&1hKxGO{?Dk$SbQoHD5}7msr;HVOE~IvzER=JN$4S5 z=4psBHvwfnYrHat81(rwY=arDAsNOfa{^rE1Bf!85Q73>*k{Do18BrSHJ*fI7-j#v zhexo7M+gsFfQQ-Rd4L#-`7_wS42ejFF+6y~9_R=U6Jk&V4ChIFJ?w@V;*ktvcu0di zJVbcd3_Q#k&jZBJ%%5Qo%y0?GFouWyu!nwxhY2w#0fy!2d_53hh9D%v7#<$O9v&b( z7y}P;$MXO&*z;!~!3=>&hA}+&z#jS#9wx+~3>bXd`FezK)1gK;bB4ys(|5w6<-gaM+6wqNQN;yq{ANWAv_oY z4-3Zg05N>y&+rarkVP_#;lUsFKtp(#FoOpFF5m}`#L2Nt^5X0)Xd>P7NhE+(0F+2pq9=Z@7Cd8lt z7))4v87g50aU{bS9x`ALcMu-*fQLond4L$6^Jn-BGps-|jNu^&_Rxv&Fd+s_z(7(G z;aB~Cff<${8OHFC346GW@SqDkEFRAT#L&y1p%!LXjAR(YLon>21L0vp3|fF8!Hutn zZ!p6GB*PdUvS1H?BRpV%hb7~AfEcL!8R}t%`ACK_JcPg=+7TWm#GnlrF5Tekp$TS~ zgJc-PLpJOo8R20g@UV0|4-i8Se}-n5VK$Os3=g5Ohc<+V2{GsZ2IUIA9@=4s8AygP zJmkP0ZXrBifQMz{d4L#N_%n3C4AYSeV|WOIJ+vY`Oo#yk7!syW=T|>4Achzol3@%F z6xhQ}ga;kqVflC-Acna!_%aN^3|u6`7#_l54=o4}6Jpp17|!YPWnjY$OeDh?9$vs6 zZXi5p0}m_4^8hgr_4qPyV1{8N!x$dGO&;hbHzPbuhye>297Fgql!D0wkPib$hA}+k z!XB<8JZJ$A;^TRM7}EJOfRhFcbR@$V9>9$z@X&)cG?^ff;&`3}bjW0DEXec$g4_9$?66;_E>aW@tk)jN#!G?BOcH zg9h-hay$Pn$uNe82-w3ngog<+7y^d;<9t1=h8aqc3}bkB1A9n9cu)l% zR*&ZaVrV(RmthUeP=aI_!^2_N!&iid2{9M}25IJ0K2r{*vZM216vNNK{|QbxKvB>0 zkBT0h0i*2yj5@(72Po>ZUHoRxO6B0FzQ6naH$x}2fG6urMGIk;*C{mDh}y$`C^?e+C7Z;Wd(BR2qGs96bW3G8K`^6Jpo| 
z7;J|5dVpt?VkR=91jg}zhsy{L%D}_g@jO5bk^C9p8Kszs%qSg&J=7sQOo+i4Fj$~P z`89Rca9NO%WiduRAas zU!4@E|ju2Z&)-5MKs();ngztoIlmPQe~35gsPQU=A48-Q&vu zZZ?325#7TvJb;NJ;Ncv?gADK>JDvxKfzF=+bo2p(53(%A@NgRT@Co5zLJSsw!Q&fW z51>T`3Ps53vXj(!c|HJP#1VW&RAHH3SS^NQN;yM8h5`5FRGPuoW=GFPg=# zo`h%rV@AyWkKv&d_7H>cAO$?gjpqSkXyDHPvK@GEn}CNiu!nMlhY2xk0}MxJd|z}7 zChtctI&?0Lg&7=?3}bizlb7JSIE(PG0eFxf&jZA85DZj7@yB2|2QxSz8OF$mv#^IU zgog<+YzGV|L%t06U{9iJxvLBq*wz?^N zM#erbfKKZq4XGANa~}NhW6k-`F)HNxdgw(cNHhG!h)+<|0sc`J!cn`CQAZW%&!|6E ze8aK$tgnZniczPaJOB%Hj9OQ2`&kT*+JcMGM$Rm;YSK<}XB! zS^L}s@lPL^J0kYfpRwgYY-hj*9iz^B$LGax><(mX=!HMlzQa!8eFf`;KEvnzYlz^- zd7lRHZ<){DxPCgQGQWR7XZ&!IFvi5-4iar17E(&KIhJqPG27$~GeE zqK)fC!ELpX!8QrB#HMZA%+d0)@}eSGM@PK3pN53Jx3`CzqrIOS!3!NE0I_a9yjy>F0%y|=W)2K0uXv1Lr`y;@_&d&8MM+a)n~$3lcnjz^H6<)f^z;-oC1lOO>Fb$nl~9nC zlU0^eRZvBIPf=D`RuOzpeZ=?Vetyps@8o7Lp$Fa)?;~NZ2V%*s|8))qUXBDOH!l|r z36~HzaDHItl!v_^UQ}cg!55r`yt;y{yo#Evin^?VsE8iH%M0%asn(F#g2#KyU_IOd zz-zJoey#)`w-C4#G{E_om`ZH(*lN1X%52+qELIl_K6I6gjR`K$SED|Runq=J(0BC% zwY5b>L`9(7QkN1&?E`rQ9iwt<&u4g^>qH|mx1bk(udlx6HI&hUiqaRL+SRtRas^5 zBlE5J{r-4gKO=uPCk+WFc}FJ|Wd~&$WxS%2jFO{@BDi71tIDXUt2wLT<($=2)W9!U zTU*OOxmHIZUA^5`u{Jx?Tw2O{_okbB91(cdU^C)&UEm07%C`-9W4! 
z;K1qzV2w<%HWuLhz^nDJdOJK-?cLS=(H0;a^Z`nChm1KP5buL`lF<#;kic4+LuoB4 z^2@EItGy52oZ#l=w+(Oa38{B;#QTCQ1eXH%PgPDH7~COaYAIvv6+qaB$9j8%A8JZK z<>2On--@?)!g+ZFi;C#OX1Dp{r6uH*B`opY5(?mV!6ywxbqz%|2_sVw7G$#@CQ!&(zCR5=QNwgo2OXQ*V;lXLx$^SRXR=pv?QdGM%(qs2WPWmS5xV->bE{ zkYm<<56u^0Zp{K6p8u`Z{>N5p`cPIIVX-z?V;ks88|bR>g0EQ%aBb+q-!yW;+G7pD zg#}%8;DT}bRR!uPKo^Ft%@$BC+UWXjm4jYmZmDY{@8Ge+Vw0<)s<)Y|iZa?^v*Hfu z0)#G53#@~Mt~VB3`1Tgi1#E$JbOGN7e}W4$7`ouWg>Hy71Sl3*Kd2(GfI~xXJ?6&_ zD?>F$tg@3O&euc5KuzCFO2x_)Yhm!?7Z4Y+jk{BbfsM0?|BfF&G=|Redxc|x-SS(- z0qU5sDhN|h_vmiN8UW58zYi*+KUPSfy0RFf0s_^S3)Vx~Ux9#j2#~`XfT93GVZSa| zP)#Dv{5vl6dApyfwYgNVldtKPU@2o)CxVCic4d15Pc_{ge%=nITm0Qkwk!KNZ+1~P z-U9Le`C}i}*hSYEI$z-10;{KnHMPJhWA%+eg^CTr>f2y(P=yKoX#xFdJnC(J)-~~} zBK$gTl5oeZ7FpN)shLBqla7PxnwS5~C%~OXzlR;{`T+CUDE2=cHy_Zr&eoZZx(wb3 zI)1O=1W$k721Pv)GG0_cC+UlD;|eVr_`U@c8FdkgE&3SIxGKsifSTF~RMd`s|J1(Q zg1tc_=!XyTL%aHUdT2^Gf=0j>@29(BBP|J<|Lz}qO2;T?kuM)W3S>UrzEH1q$+Q( z4z)P{G)$ZD_8xw&mW~7;Kn+?9bG(nQn=jmsK+QTh6CZ!jBl>UB(y9NsrIS|yojFkv zEmzQB>S+17`FY@V^a+mso}f7d9oGQ7lNS2>ceT*)Yecjh2u{H|TCVasI0tu7em`FY zzOl{K%~!(d=Wl!32TM5MC7cQVUQQBP_7a=68W?J?nqbkb(s2d711+?@jusjY2<7TC zuo!U;$W!PTm8(LZ;aT7)L1eB%jq&fTu|Snj4V0^G&|*Y*%k=lwxIW;RbwC$rjm1RQ z|7eZ>kW>GA-|^q_zC%<5N{}Fj8K|S6#G&K&1VIIThNs6*9z!Mwlu7@LZ%i$L?|sdr zFQHHe<_JKWuA$0|hdK`a)0mNTy-8p;7@UDWBn&qhVhwZ+3_u6>5C37YD3k)xV^Q093C|P3A|H15=IKm-~kj{2Qi%_Bj1Zs>6Uvww3QSI0#W4A2n0+2P$9{ z^q-&|MhihS1{FyQB)oOX$eA9A6|)~z{V%|7}YP||D_S8 z5=K&i7mvDeLm3HmLsU|`02O@WR-}YdMk!9eh7u3}Ph*0A2PL2&sG=?eW-5fh@PM$J zmyErWlg}i3A8*jlo`DiL4RC~M{2IV7a03`Qkp}QJEa~{amlO@CD*1LoYo|k!BCC*+ z#z^x#nCjU79V*RqehpylI+!YJ0#t8cs>o4Po&RY?n)#)9ExcYM^40{X-ojKz z|2@@NK(%Edze>FpZk8h_(k#D&sgC@6s#rj^e60{F6kHq7G3w&;to;m^pcv8>d?Ecl z5w0ghgQ%oz0oC`5PZ?Z%=;=u)!GA73p}@evNkRJ@orJ(VC*pBw;0bFG%6>^9)HCqz z&@l?-PA%LYJ~}GJN8Je@kj{rt1dV(=LP64@ba z&VcK+`K46lhf<;Om4eMT5K0a};iI$$LOD9>*(rZe`W{wlh)}8mD-{}F zDM0zxO3$wsLiqqk&@n1CoNB+oN|%kBr5ZxLuu}XlrK&*b+Ue&}lg3aAH5>xxfk_ud zegt)5u*q)|An1b$oPH6g{UDe;CIJw55fE%L=J%|;I=BOUG!#hywE!c^^5;UC32t12 
zqQ>%%dICQ05w#W+bVM@$j5@)MYfx0ty^~Nx@HWsfs=U4H&cRW4{C=+R3M--Sv41@F zamBcgeH40kV15T`#hj#@N+1>}1n6T@ptrpfT=o#nFrWd|GklDq*w~V2y=qvbHc?=Y}`P0~ug_p$&hTmpH~ zXf%mW$F(jUrc(NyYQz-@E#xwiF4_pFUWWXjf*LHP?;Y2Jhkj<{I2~6ACuSAD4o2N` z7)R=NoIgl{wl&NVApUzv@qo(Sg5Oe(rOpn^6T%n=CxzeDx1mS4xU4j$7z zGLbP|XvzN^fv{0j-T!GqB>-1yBK+k0_~jK9Zu*WC zPJjwp4nIfWXPWf4G7!KGpACf`2Z) z5xqsYS-1iSIQ$9XU;_K!y^Om2HKZ$Gf}fQVM4$!}OdgW}bP19HLHvOksCJMQ(D8f2 zH2KT7#S$Q2Y+c49n0`k36Cjw9uJp^n?{i0>E&R3iO+ijh0=ETB%-cJ<;$@)4Q9c9@ z4GC`_w*au3N?O9xK1c@4v}=P&@1HBD#+@p>I zNlPfoOJMz7My$~KF>h@GdgL;uV11&q8y>8%8*4q+k5^mS`#`J8;B}!gKSTZ}s{!Ox z)YR0JH8=qwU&jN4#XakB7GXrmb?0`h)DsmcNc#%_kI4RF517ndYc<~LsNHbkeQ`iAkI=Q$jr(j*i@e&2aXWv<(d-s@5QCP z&D9@TPbY(O^pp9yo=yoYsZ)Sf8E8s?6|Sz@XuAMEH#-M6FZ8by0IM=Q!K#e^21_D- z!Tyt)KNtTgswv2U!W9(}kD3ZDI?z=_b!7|hU1oe?&04hQ`%u#6fz6d){jN?uuy@|- z&u2Ey?#w+_*c{Wj+|B5(^(h+;zQ zcnlV8uFg+ddEm}FaSSm`9J7kp(AZ03(hFi$Da8e4es!|%=}p$SBy!>naZhSCt2R_J zkfsyfuf)lwaGIl9+PZ@z!)rg~J#{R4me|!UwI0Z;RZZ>A z5xTf1E1BY@$}SE1RHUPEjoV|-^sd2OoE0qot}S!BMT`D&7I&tqN7T~~$IUT@yigmlsJl7DJ&%Jk z5{a2R8!7vBS7%9iu87O)^W53e)C6-;* z^19{!(48}rq>=fd(b9V;dXKX|lSSq=a;;t3T-UZR+06ip*uCdLq@zn<2~@f{kN9aKolexKmJ2iL!U&}%UCgU-GcUy6zKVil?6 z@Q}Xt;UWzd$HgwJI*BS}oYI-Y$xga#O(2m|W$lu5WW>33RX7r}$6uSu;{-a35zuzT zjCX11=>Gcp`dTr&ZFV}L-n~t@iYDAAYc#Q*kx$d+g(vO#@W_KXFDjDKT0?OisL1!? 
zhNhCp$;Cnbn7mlaHsLn@+ z^n`Mp(pb~e^4cG8I=^VmauH?}r{O5_hdwX9bjCewpL2tx4zG`)&NZ{S7e%wx3f*2r z;lwtHQR3_e33obLcZabuYlJbiNn9O_c5n#u8hbD>DJ)ro7fy8Nvceb)z{=LKE++EC zk}(5p28q*|UoXkXVQn|u!P!g5Nhi??2&4*POM713EMh8In%Kh10gL@!HTTz{ElQsK+dzE z{#q(2he!9|UC|)*MFghOD*I_*(maIQS1?d!=QsRyNE0)h*xA;UM(wET9n88z=Ganr z+{U)tqEM6B`Na$hF8<}Q%k49wH#vROnY%pZyr(TX?ZW)$7K`INds(;>O|{MyA5J*$ zJeB4=Ff(KEwSth{C-aTBU#PlqC*NUvL1l3GrOG6gzzb`_V_l-oeb^#m;DwszrL(o} z!_~>3VvSpozY3J=?t%h4OQ|-vIE_TZ0cwA=B-pq(t;-iW?(zj0b z)MmKp*lRpcUU_)h^ZB39*R%_+xfS<^y}2=@om6H=ZVH_hxS}rM3lChUX5w|^(r6B= zN{HFp!(KsLX5!3X3ArrMs*r+0C1waQ$xkla-cn=d@z|wLA+F6RAA>CDVR_b(3@|<=u%U z8t;aCje9SPc7vjJbNx+Re#-h3X30Ev#-KSSV}o-SyQI54ari)JFg;^KRFyq*%QAXO z#Vnoq^Gh~$E|6Danb31@#P3N~DtjG74u8B_cU!@u_s;q!`u(Om-YZHc@|*__$A>=; zGoyy3-&$PUq1i@b+Aw=V)C-EE@H(s^vnBhU__v%HO8*ewoE9z1$j|$$Ss=fZ-W$9f zeQa^=z-xhmtZ+l|uyZkTAEere+m&y4K3YH2o)-NzS?)TD;;d~mfA!4M&&4Z(w=5AC z6j(>$#T8V3Ihu){x+L2@N@ah0yMNu&yuL#>s)QF2uOA@e@p?|r77w-9*fbA3S>D|5ur)TqJ#!J; zRx^aGleFNYZR+}EHnwz)sg$r;ttN*h_stDpZaX-Iy#6l!N!F!R6pWU&cez-_$(=&G zTmCu{pm>AIqf6rKvVwit?fqq{BJ0_$+AB+T*@a^gKpG$jdPtdR21hEXE3*T52t6h~8Ev z%wmuelXQZaoo!_ip~(z!o#3IbLsiMR0Nh|wl2({ck5kJKeW;CF$K|$_%{%n4zq6{0 z#V}hz451CRaT1pwVn8+jJy7#&fqn;c{NCqBZTPlWzz2gql>D>i_u!Q!;sO~nPm?=q zLwg#7Xim`~%etUnh2HB0crR!0HFS)6uN~i(KzA?^?LXgZ%zt5Nolrk?|Ik4K_Yd&k z|Mw-6jgrT#4{aa08w`s2j(^*=6uxW0BcqNQ$OOYC3x}kupr|SNBkx)cZU4364cxWV z;p|#c{0Nc6s+!=(lzvy5eMYuk@hQDEhHAF4Izn444p(l&b6I-RN@#Kt3iPE**RS`g zsL7|1G^DDN_n}x`+bP;;sks4VrtF%UmzY5rTdAEby--`t_CQigjUUWo}0@ z8Kj*`Qhk~d8R);y`jJwOR(Hi_WMm|+?K-FxZoP3mrZA!2VcLsV*+%j1yq5IsjUsan zuZi85w88XBfEa6YE_F(u?_dp)G`wFSS!?#P%|~R&0hBOOtIHNr&&r;j%$k>L;|dqa z2rLTo4qb=wMo*hhi>T4P`jFntF7Wx}sNv^b^R${FEVpjj-r9DTk0!4V3WiKQl`A$s zZkOV|SqevVn8#l(H(XUp&(7d+#O5!5Oeg*Q)!6_mbfm126g%Dc>y`Z<`wQFN{dR1Z6JRnTho1s(in76Qn-t}CTJVIncY#eoFG)r84=gFg09(O5#?u z6yGP2Y28EyW4JrBmdwniJmVU?Eo*2XtLf+vgX5ASB~e^kKW6SiseW#*=?Pfv;b!c zBk+A3HQTO;NV6_)+3q{oncq!I3rc5(2ds1E=3B>A)!|A*%K-H)X(Bm0wJyB3*=D#Y 
zf&7fymuaWvcsZ#%=Uon~KE#KX*MyTHIdCfK!gThq8*wIs@0Gvxh4RV+DgE;(#WYYQ zEGdh5^XL}2yx2>f#gvtA11-hGGvTa?%S_qD-MzRZo=)hjg#2Ey zvefSLm@9)_{pn~~Nis!>L=H{0ip^$Wg18r$)d@7V4wYlpZ;9D&NLxl~89Kq$<{nQ5 zX41*o&oJ4HJD0O^cz%x<_lIxOay|PM zHsh*FY^V#Bo1cfX#WCI&kNb1Uee@Mq@7tnlEqi1ci^KdGzu%Wqbi*;ba`?2v#iTRZfplNl#qT|n!?=uwfjD? zy=vY|US3+hpdTkc9Vfei$sS@b-D#4+cQFIC*3@8sHcKnH_%x2fa*t+S->;LI6waE~ z>y`gF$R{_EXPdeZuc!2k*dP47=suAwMz88kD`UlBdTUu7`Pt;%ppYKNq5U zO}PJXqXT*8GG1dsDDHj!uCD{J#iVwIESaqnihkdgEhg1d(bj8SemLlGlBAe0oz`3a zHDGY~RYzK}-FZtEBhA^T&&fdTaajsA(rBonJLQDa?HjcFr1pW>fySK_3h|L1g(tyc zf6G>U$>^*}z0=9y);m01S5P$&TR`5B)agVf`R}*N`TKd*q(hvb6v4oTmnr?j4nCnV9WtXfIm=KiSE98>nDN5%@lSaRBz*3o9R|B-|ookw_Mw1!^*?4bxct82gx@`r=zLM!nmD>h)Iv_ z=5YJTOtz#fQG7`yNQ|mr!iwTyXeR!s^mE1yK@ z`BW6&cx`14%Pl;RbD~x6ffc2AfMZ!|@xe}?$D$OM(M)nO_u+dBJ8P&mrVGoC_OJxn zE_dX&;IYh-vILiFiX`SUbtihDpw)&LF*gRZ!X=ZcgLq3hT>w4AX1ydqq-dL6G%GBBRj?eVd44L)JZwf4RWV3V47 z{>Dfn1Esa2c`~VPr;|)cH1g`@+qxU=&UUl1kI$s5-}7TH zE2``^@mtX*`tF2QGMg1xlr*EmU2$#ntUzL4ZD(fjl9+p}*C}^s6yM%F+|zl}lfxeB zDcSJK2P*O!8N}YQ*ifq5BU)0)GR`*jJvkDeS+gkXf;^Poq(qUQF=Bx{Ofbii5O6!1 zd?S#otRF?bc-C}vh^{bExoTfQK8_YcmQSDzb&F-9iA*|I3=_1S*h{b1$<`HGxuD03 z7e!q<*vLrIK0;ix`##CNx4jFuoSYq!!I(!4?^9=Klf~^W*C#VEnEgH2uJ|8NobJy9W z#mc4m(lk@r(n)+nX{s*_%=h9nR>Zu? 
zP~5|H8V=2NyI_}7!wV1L(7s51Zi;EV#m=X)Gz()@Q;8+C{!rfhst&QrDjLVBWlOwj z{X?3`1&l!$Z~H(f`9o5S^gR-&r%1HU%&rsc^G&$$C!xjx0nFv`^Xkd9BF@H>Chq0r&Pj`S9s4)1usWGLn= zMmsTQvSQZFI0MgOU z)SCew1&WLN3tYsu6ZQmvUUPGN1HV0l))})@<{f$#26&H zW1j}LWMX==bm~F}28ZgWUzqmSQZ5yZi*Jy`U~lWZ;eA^g6JB5IV(mmhA4lgiG(rQI zv1sBUzvh{}RbiWT&h>W4rQ$Z-PtvO5u_d<=l6IqsXdnHf{+LeTLiNHH<+d7eEy-QF z4Pkm&dOhUhp3?VSk372ZJZLB)zYbTTx!Udqg~DWibAPnjsG?GtKs-dB(UHI?y@@7n zRB6bh4!4m*A{Mo#u+T|KwY>2Ar;Bkpntz4JCvJ)hJ3=-|wqy=>r95KZmc&@Zx+SYv za?R);0vF<_B`t5!bvnWRlz7kqfoguKLwv`pmaYVMExY@F*8CN5dAUuU{p1kM>_B!~ z94^J5a)(i&9tQ|b@6 zP1dMS{&@23s-Qssuhtb!U<}wRiNsi0_)RR%PKFr6%%JqghT;=BtNROPojV$s&*SEH zwsl8X6Nln5J;*IacRl3PG%%g)?;|}!exU6Wi<0Tjz>#W^4m~5 z9T{8^Mal=uDZ5-uUBP>N_INrow%%Qj#NCx6_T_kz2}Lnp=;SxaK1o6gez4X?Ikfc5 zlb8LCT-=$(w;KXsg4tcuCwzE*r4m@J7K zw9C5sg!G6~>{CjK%}eP^)*ZbV;eR?ZmD^myU4iY4(GNc#WbML$^ zkyw&RJX;EGz$xN#OtERsl)YOo8~d2$ly{3foLRM~@5#HOGvTXP&sOSCG9D1W;AmN) zD}BuRxH`nVBJFn!nx1^U*y;|RLupm@#*1p;VLd zOIp!dMo!v$vCc}RbJMF?MQPS?WtJ%^FWxTe=QiSaueZcxy5P)O;^r$-!h3pzaY@8s z1ztTnB~%P&m0I_h+}*{~v8KwlHxw&%1X?ewXj8R`t(+v`6B$^$S^EN&Ru|6BB+?q& zdJ`IGoHzM+tK=@Nw}-5mHX13n_T61`s<@5T94ema&x)pyhL%d^1!oLox`V+cH1|~O zxfPrmQcboYniE4+Q@2AWzq@pc!lPkQ)*YJ;b%!gT)d+)VdU=7MEYx4ReN zT9$_#soe1@ea54+j2WAm3oH(B0~y_57_yucX6<~4m`8Gc8XvOxw)Ojclo3PCnY`v_ z!vW!ai46nYWd+VwN$kd=-$e0cCq{ueQ=-a6G{Tv1Z#+e}SHcQ83ewwi64a|M4+1@mg3 zIEC2Hd>iNyS>702@)#RiTN~LoKqGNuS$2uxZ`Sot3q>41ve{LAS=T;MhBlD1iaH9i zi09`Wt5@LNkrlrw&dKRWOw8_&He4UhyZq_hCwlW=hJj z8>sm|gZXLb_!d&$NlTYiiGFLBc#86jXe&)sNj;H&W9L!Q zv;naccjNMmBq6|IS{=y5x?k$6XD(Spwx4nFN>zd7zc%cO63 zuGU^V37PA5^==*ecsQ-7j=3lj&%x&Llo~~5c!%TH@|6W|51$O>#061sX#pCzbTjH4 z6}lvbvMA&*@fJnD;(ZGH(9p_MJL|N2(VWwm6*tAH9FE()GoQ>7GUYY6etO~4=bwz1 z(0b0z?(0~wXo*g>#oL^@Gz-tl>(yz&Q7jd9y;%H|NubTi zID8{)uX%&4@#~~*X&vb2Rf=8WBG(tEeku&>XwZ4Ehq%kUO($RyPO5(SPTg0R58#e< z9Ahk`)a21HwY9a0TkrO>Z~>U`Ar_5FA@#5ZnoC-r$!2RqcdfRf_bt9q zwZ!3=y;qLR>*$rY7dE!0RGfSqeMPN$vA~8I&2D?F2c|MxW-3lU`Ii#GKS$YQol2DW zy|^@X){fE>%HO02Gbx8uCFH*NJ-cL*Yt$&CQ&`<883k_3Gj^utI6c?zh?bkD6iuf@ 
zQOWVWm8t#Pt;$-74vDG#&Haz!oz@sHGBmiyQt6vAFIJ1YCq3Op8^hyJ-oa+<-#mL1D(qPy#A>(-u0?_NGNaK;xJxCJXJ>bLH=d3C|M zv&H(8mMm#gplpur(8yfN_!^eosN&X=c(1?doRR`XvA&4LcBr@8A9-l80HHBWlfJx7 zI2;Uik&o{?Fo#e#gL|f~A-Sl=Kf4h_n#LiY-z&RH)HEp8FZ9ghwdN|cNY^(Z8y1TU zyvm5D{Do7heHl18Jj-_zW<}Xl&A(#mCdWGOZZ3!lFf+vrukM`t&V$GZ&11av9LUOe z-!ZR#btz-@427f~-zg{G3ceKzwUj=7zAca#~?9=ndtd1PVx>^Tze~6oS#z5Tx2Jt=`f{KQaqX5lS+@EujfQp8&|qt z+BCVu(Z01te3y3r!_bCvT67JuFY{C8P&PIjlu$GJqe%IQuj~YsLiHSN*M9!E$!u@V z%xJ}@61}t~wAIVDW{J-3opiA}U*e#~TFmv_%Ia2d+tp&JFF?;`^@WNrJs?gZFPR%( zOFOcS?zx#-Fg3%p?qkq1f%v`NUnEXHdJqwQskPJM?B!=}bxL18-eDYVj(FjDZGnRv z>vh84i*7|5d+3!0R1I6L>V9=&?Vgf19RVjNt>x+*R}G93Cd?jaQ+4;U8%UOP-7s&C zin8JYrPqERQ?YuN&^31>b{@8VzJ8vh&TPSA!QL%``}W2M4GuS4RbP8`%F}bnEKV_c zsX14SL|4KTf5K1SRToBY4W){QAGXWC+-}#{_EB71o7u|9W|g4TJD2Wb>JeM8Up(ZN z|D}>5R)yb>J)N5#l~vT<#tzwMQ`ncBw`TqHKD4c`d6?m5AyW2->fv>JDx22H34!W=o-$pn39}G1opCN32s@ z>V102aDPq3p=)gCfz!*^48}57hhq*gSMPBes3}vho4q8}?QucWy~|vU1a<4>eWK59 z^tcJ;?8=g{eWGrwo^X~rWOJo>Wly%DtB}g-Gn0zUm*Z}@{XOsIdeKYVu5@nF6_LsL zgE7Y&X5G)1?MJ&F7@k2m^D?99%DZ@01oH^x%trquS53prm7Y5dKij?&b-XBnIb{V+ zMk}@M^42iLM9NjDp0@+_JfFFQW$;|Wh=212nsoTSJofvVs2@+3qr-Cv(CWkA<`OQg z89kTa#XstDIBLt!)`iau#sC}@T3z^C)HiwNvsGmO**y=Pt3Us!E8wUj_Fj*1u7hw? zX!YR8s5@rqn9p84Yh=`(1ipsF;iyd$I9CQ76j^EpF z0q!>mDC!}d@uCWp3k^Y0+lu}e6?%5x>K~8Qu=B7FCiwgLqUGfj716$a!5-kLE!$l2 zp7!9ecxYd|y^o`-tfQ|l#s?puy={$xuB(rI&^|v$d90d&m%Wj)i;?Lji#3Y+;Qv27 zjst!!-&VXcczy_YTH6GlH}dN#cq5+Vx83sp-zWKria@zx+CPKOQ#8M=gfnu)Ly7)) z9ViJ6!x`!MD>tU2%(dsyRiRh^=_#5}Y*+rVSHZErAoKE1vxwj+ns9yd(g(zbmV|@n zcfOdu&}g9_h_Cjir)Wa4gF$RQb=_ZZ?D02)tP^6w=Ni={-f)JHosQZ3Joq;kJuGXgVv#mtuTheRb*yHcbQj&)2*_Znfwr9-soV^Cb|2md! 
zZ4jG}?X__1x^d5Yoe?||RV`zwgQcC_uC{LdJE;y}cRty5#z=D<h*5i*N3ASYl7`!tm);25q7O)Kc7XWL$Fl9k-}ZXg_W1v9+&UpH zeBOS)o%eGP-)6M!LBK68pa`%>S%s#X|MA*w74A49GC( z7?ov*ze&Mac5l3zL~!RM6r5!nf93Y~8uWWj0%h5qA6aINci4*eCHVU|f@jVJIboc% zmA7GiH~Hvo#`??a2lzU9=vm3B1X##8xI3sD`PwM?I=k*PCwN*Z8#wISs*J}wZr0to zKiJd2T5h`oeut%Vhzo9?iP{!(e?JAAO>zcm*2bQjbmh&x74-BS<=6UYt0*cdD66Te zs;MX`sVS&|W$FLh2l}7#G-D`3UxR;6Z70Z1=opouCf}st3?1<_<3F`Jf~zJ8z!@6& zD?`7xI^SzwC_}+cTKJK&{CnHb;|l|n{;3I76hVL6KV%!;aE{!jRiGz2 zBQ|yXwqMB7AM7qtke4tc1VFos;=8@)zxVzYWd#ML|L5CV ziYg1-c5N%5gB>0=+tEZ`-1ah^{96Rd?r#mwQj`yIT?uz{-ql#VCoQWK>zK@0b~Db# z=7YlHeiAS1{-+d+c=<1>?LOz8Dhq^JnN}9AOS~{Sn-u~UEO#Z+#dvRwH{&$X@$y1( zNu|X%q=q{l)V$lfH~tcZb9AP-dlUDVs{Of$0QPa}=b4f5RaDLtuQTN@Ip0)!-(+?JYPiB(bq{1v zTCSzGseSEX9r%E=Jg(%)THNLawi&a^rS0t$N_2#3uiBNTtf}Xw&NOM&Jh67gDk083 zB1)=q$6n#Y>j!gdHm3LcN^3stLhZ>B~qyONCwIUB7h z9!zRaWeN!?>~7uHvUe&pWtg_J>gixmzag%nxbk#VQCrDH8-ipT|#7w!i0gW{ho{?^0daqpbpxPaR^&#eV>BiZaU8AI|3 z>kCcP=5$`C&x`78^VwPGQ4hhOrDIX5 zm|!-$6U?8cq3y!x;hJVz0hh_MEiEe(KP6~T%Of9TOq2*>x_p&+c(iLV!~c z+XO+ncNGj}OMr9>hrq&-$$R(4Cz8h*4ZJhoDulG1i!(;9MpuIkeH3v3Q|)qb6<#gV0`&S+pMO}dCR zm>gX+Kj|BzRatQccNeuX@L*t^V%P-{@4;uccYZ1#%y7$3Ni0fhn*8CyRXL^+NwUIW zd-J_-PFhpWKa4OyXJE2!b-&tg;8)FTZHh~!hUu4_`+LEl{p?_@)rU#ndh0q)dvsi% z*Yo93Em6-oVQ=`kdscXC7Vb=UPEAfmMzxOQ=bDcAtm*60s_ZwvN}2Z2rDHIRC2@v% zCArC?pmj6FG%>xS`tY93bhSCF<~FDGrfKYIbiv(T*=Fg8N;=EM91&5u$6o)Y=DskI zT=!JxtGbSBj!Ru5tvG3k*pidInE`bx_D!d#A84XfN(g{Mu!nfhtedFiP`{-h zN>aq}v9~r+rUn36?k8*y42P9t4DGjgPpe)-haFL)M_Ki{%e>MqED|7E2zjYox=+oEXlf9*wm>f zLu+GW*1LjB8(iBR&jjo-<<>V@6GBe9tPpQq6ox$`>hh&|f!wU@YeW6y^x#v&??a<` zD}wfWUr{o6zdA{zFY~zQPXDvP8l*!-hLB_|tZeaBKSnXRIoF9lv+6m!|S~}uRmewv0Gb1fE3Y239 ztdPTYtFPj$KD?h0QgnQAy#DP;*LYs77dD3b*{&j~vtQ3T)K*{?N~@87__>p*tT1zj zV-?MXQ&LM?l4snfpDoto@!_&}$fYG!k*%h@YRT%w*_FoSUj?cPKL@=Ob{t;Sck3@9 z$`-=TfR!mJ%LW^nA9}^pHA6+#u3R)Ia7yFFHK(@6i&G!PhXi5Q&xwyT@V_)YJuu!s zwBt;HcPp4l-@Nj{%J@8+<}bq6P_4q8)VFP_FXS5p1v;{9O5!K2Ye{eSxu_Jq|NAzUcB1v6z*~bAnv2HqBnlHtFtq_my%`%*$vBPbM;; 
z|C>_}bF!tf`f-C#R`Uy^avp?R+#pj}ePJEf$B(LGe#ARt27SCaM4_RN}Neo)On1ZsXhdxvD;y+g4-YyOYPvPn~Q z4jWH8_#m*3JjXT9%%M?^?jW z_5RE_^;g8-)4y#<5O6#5AJX|MP%9;?KS%9FgKDOld3{U zj$^C#=HEZn7K&X#?_d}hcAM_fPQCA=u;iWe&MwY=uGe-ee_PUrTc_zt zxnf`6vo^iA&yPGnnq<)y-lh;xK52{A+eLyby0!*cX8PNO7ZgzWRl0!qR}>bR46 zfq9DflK%E>-7-08<`ccJ@Uzwankz%3)U*zKau&O?x_lBtZEL#i0|*a z=v1JGnk6K;cwl82d4+@)>dmzeS6+09-^BDQGFOFP+bK8XabCG_`}X1Ny)S!B<~l4~ z`}oNMEsH3fhrMU!f26R3D39g|^$q)$%)Zk0!s%V0v~)p54ILB~r zPLs4cvC;Kb)rROC1KulXE|$>-)i)7=v^8dr$TL#skE!)DlySr;}cXxLW8r)Wb zOJL#d5Fofi5`s&DOCY!t+zIY1Y+)bdoW1Wp`<%Pa{obp0U)8Hi)%-`Tt_3~E>>k}c zTBrXKp{|JW=Zd$iZ};1GxvZxdZPWa>A*T{*Nv0Q1!LR@yl3DHU-K?OtrQ(H*aMYEz z>_)!xF7~S8BUbp-2ML`;3R~=(k>Up(mjs+uR%Da>kQzC6@AyC2U^=QoNWZS@*t>+ea~Q^<1_pBY81Y;+z- zh_PNJ=^I_bAJ!w%4G6zU1?Su(&>ttOQB;cd-~#R?n63a(GA5rHkzAOsw8a_p*S|h> zu9b@HqIL_4XNXerW9A$}vIj@ICP)}8ob$sOFf3BOxRjrl-gq~# zF3|5cd`>kI=nBRZFwj@8HMVfM$vj=S1BZZMtR1g%?#a;Mrl!oO?G)OXqPyNFj>43$ zhrkB__3R_*j6lhTRqjZB0w=LHpMsoE^BgRA_)se0g?D~hLl)9QNK#irN$BsJ=`SN- zg1@l`dq;GED*Y@p!)&Us<+H^vtx(k9IeW1sDZMr4kVVPW2C49LmP6jPd>=?}L(0jb zcgbKW^}ewbq0}v;^vc>2>(H9#bE@|-(EAiaMQ+g{gj90=rcMgCKK;bka@_PHysgl7 zJX~btQ5ayVrrXE8C3e(f^!&bD1P8dAA2)ZFy#x8nI#%!@|@AE5B#~<81-Xov(Yq6Y6 zI~ebC-9y(7bLCf5AWw=tJYmxeeP!F*hr6d(d=$gtL6m&Ifb&CmCt|lNSJ{dX+MaHK zP2QE6VMG{nD(&-o!~2B%N>4q6&*#s~D6GgD8^lxA;?MUR@+(j?C<{wL_~)8Ke49iP zPlOVQ1x$@ZTfcnAmG5oJgDvJUpNHtH(uuM|6Ry%snkn1uQ#FcWdO2$z0n=EpHa6H; zU>frpu6?+O>+{%-?E3rO2GatZdxuQaX}HwLOYlnRY?4i~ocy8%tCYV#uxxTQX!a?RP@KWIg| z&(KdduQ0Vgcr;|a^Jb}tK16-Bs^)wW*b`i+x&!b(S+}O^psq~hmnT0fg%4FP0p9GY zl9AZ~OzHIuRWwLoUe{oERiX_+0mCc7Mc<+MA=BT~7vawTgr#NODTXlF))CJ3JSe(} zN7;EiN88S9(r-z{#Y;>8;lo#+g>ML&zMJD-X}Z0=ZyTl;lX`qyIx>lwh!<r^0o9XvJk7V$jcAO1e#0!#LeI@Tv!Kg z3A^-Y{5hzAGY3%Wp;0nDXqPqJ3ERGOI<;8s^U*%?U8QIS-rr$kfd6nc)E%YC= z+}_X3H*^+iijGY|ADrX^BlC*(f<+k=sxaC89z~FcH!_S_f*+rnTZfil9$pc>@a={T5{){*gn!s0A z4#FnbfFRP7JPxv+Hjhsw=uJ9Hsez?TTW}R} z@ixW#EAb%F4Q>g^j$H>#Fa4+wXB;G#Cb#b}h(K&&^Ul+3yqY%|U$@P%u!|5yPv|Nn 
zO*(r}rhJiwX5m$L=w9g*K|&Uu7lpOP2n=32l}NWbYC+3TbUha&naAtDh?gJg>h%K0 zCRR!;fOuoK4+~n{Hw@l*ZvlksM^cO1)jpEK1Zo4UX}=2(ehVQbBce|2TwfAVsp~bR3yGQRAIb(L zgU4Wup#i+8%e}&yib5BTx%jEFr|y6Hx=>#6;Y7?A$G?PE>y*l3yj@zjB)=}Na%Y1K z)zrwBsdkltfy??0hyaOt+SH23iCVam&w2SGO>H7x_t@<21MNxCqfG3*`s@I+SPs70OTj2Ce^j6CDinuTUQF&!Ie>#6O4fsvM{g`7jW_&YuAt zCV7qX*(xyYk5>OxC=X-D{Hv{_jpq-c{Br}3y9o9r>+|AH^e5rNe=Z`;QXEpGyyaDk=ObK>SBZf%Cbf!2VQ&;Qd=k;qT&Onoo;ipXJRgyxpvx zK3hiH{As@`6+1tdH8(G>0QW1tSC$-t>{O^o|0^Yk|LZF>|4?xGP2lY}6)j%=UyH^5 zTQ#(f{F(0W2kkg+4+@vEeXm3nfscbN&QbOXz~gw&UUUx+(fb`fRsYBBX>O)moI!)? z7WsDfD?ZiUXzSaLUPha>1)qO7nLPIPKaaXR^Kc7tzE`@(Xuyrl7Q==GmDAw6@y?Gt zz+9W?f);=2rJ))t-hn+TCOMS`$A-)n){zf$AMK-3)xAYDC zcDG|)uK2#I9B|Bd;-Yi__2+LX+eN`UcDn6LOAkTpFWE$!&iy2Xvb8UmE6EQlmWyGU z(u>6&c3Z=*a*nVWZtQ(E>z(So>dI4h8irTu7YqzuGLx&E)5a!=PKL!`CYt>iAwT5c zOm+lc7F7HgoGWxUcK(~9l|zAwYoop;zPGEV%V~xF%NV`E==h@|_qKsrk6YuW`_1!} z+k>Y`{6{`h|C_sWz3*zkM|#tT^Y|JB8KZX>95uHV@2ruW z#lF}5RQXhdgXi}Y5f-nVBZ@UjoG#?eun3VI#cw6##NMyLU!5yGX|6p&5>B7Yhd+VT za|9YD@Ry7S*DshH|07^MQxDJF1H$;<7>K`hIK#mFf=TD!Ve;3`@Sl?r`hq^{7$Q6W z*!4@G`V9$`{dj<5s22kIdG)@yAQeKtPRL>k`!L!{zzY0NR#{ zLxCAn zXILf62199>sp)Vu?@CE~sQ~3$9UCTaRd`K!dU(~`f1K&CBCM z4_Yh0Rb~PX)PcD`2T@S5OW?lhF0pM;EQYp(`$4)gRes{bbqYBYukj3OYvac#+WJy- zw=hexrkGkgRcb(ybnJEcI&n}b7cvwi%U#hU@{mUuUnk=Wi}S2a82zfUnw_Le$WN#6 zB6Caf^c>??4efn4JwEwvnw-an2cu|YSTJF}v@h8|3=sNByJP~GULE)ke0d?~oOa`V zyCZR;F?_hmMT7;Xjfc7xn3yt0!)C`%dw9`KS#71?OSKap zUG?h5pztlt9&F)3l|2fex>3&=`12xBiEtmpihCVNqG>6>)JAhZczGnKaN4^5Bt(F| z=aE*Ed}+>4&CbL+{)2pl;f!!HXqk^R@rN?{m)dl!2nhLFi7LkChYk-RB?Ym?9RQb8 z3WMTQcD672k?&hn+s@fj^U7_bvw)s(q5TE;ad;d@<}(kI=W)?6TM2EV2AtgGm1D!G zrC>mpCWcuKZl`B}e-uD_oS4<`i%|B`f!_-ncUgAFYpSaw;sg%{IOh6X_Vaz=$c5$s z`DCfmm4aH|C|<&KXZm>mtbi3_DD=Z-B|nDNe)v2OVxi4AXUab4>_ZM;cd^!Obqa-& zMnHVmZGOUf@F1f5RqZr%SS`E*33=Il*kTi2?kcpTjV^b{V0~#w5vEB|Wubr29%*%Q zvn2oddxC+H@E}wWj^EBgK5wR8G&8sOo!^Y}heH$1Wg4d4?pST^7Q|^wT1AD~`maG5 zF=_M){>Ax#1E@Stspve?1GUrK{SH0<>&!mmx^>y%J$s%{6?qo#G%-Tl;vdlOCBy)* 
za3%rpP?brAUH%03ZWJwgWnZ_eVM)C|$Fv>t;7*(bgyWo)hJhPrx;OPbFHZROtA&aU ztv}HLE&cN=m4Te1GsHxbc@*BD8;HmzY)r6ovRkG5^i|+i~#_(6KEl5}W z$ehZvky@9T=JhrByq8R#G))1(jgWw<>l*&!t?0loJE8A3`0gCOwSxf2;KOoe*3|es zs~wTGuPW;V18Znvpn{qyDJsJI;w94~cm(lIOz*D_YaVCPy74rK1>_Lu_un9@+Yqf# z-92U=ycr67sE%37@7W*zGE;V1N>!iCqx`T_;wlR*-cUBN$)sii~8Ul^q zp7Jw;4Ae>& ztd@__f$&~n0# z(U891rM}PZVjWWh({bX8rg85hz6=mq$Iigmwe4n}*OQUh2I1>q;e+q^JvVZmWk$z3Z(_*$ zG?+iL$ynTis)fI|Wy-E*h^$0R z(p_47_kRt`Jn?v#y1rbhl%X?FrG*sIR_M>-sa2YCppT&zFW*i;k3g<*OeV*^g2Im7 zda_BZEnwZ{Rv`Uqj17dV79}{9B%6e&1V3$ zA$p-cw_k8Jd`Uk)8Id;@@%qGO<~2U01p-rn;Mj-_^f_TGlb7qGl;G|p`jkSYT5fJm zi+~?^{hI!JZm!5H*(7K9zT%}9t8UgaZ591NQ7iqGVGfz zzx#1AKRcTw*{OD=NDxzdT;i6OhN>5wc?#TB7LOtr^#5UW^b1cbjZ5d1yrxWuYm);E8KA%n{MY^nt?AAJyCuPdOLcnLe}eAa&Jf z`sMcIzTJDZsN$Wi*pv5peodEjiy1)LozEi3&>FUCT*WD+jHe`9S8y;Ragv-#Xty$& zaqkGftbm3oV)YGxB86^ZLkbMl9v*0D1#nWhD{#urqqt!d4Qj$LEerH21q^oJI6>Lm za^u`ukK&vZ3t>L#YTH`3INX;dnA;gvk%5o88B5MR7!jVcH*3q?=O~+aPD4m!kKyOl zO6_BOqM{Z!-%79*qlE92{DY^ycn^L*;^lhbSW+6giAlD;IjHW}`w;~q8`mra=BiMU>K6eAD{1NKXI&Kw7RFum1 z>S!f%aiSoTmGsfTS@wIzjxMDQstl=jE(4)Fcvq^2ZIz|#1kZMH;ejd_cRy63fUhLj zH#wVRzq({&AzxB?8gH^ZOULOPGTm{80t>vqR*0%kBE|bSAKb`g28uk4f%T)nbmND9fcjMv(^*7E=TJ47KrG7z^kT z7H|U0dhW*cm7Vdkxi{)Tu?+9+;OvdFjzsQ2lZZG%qp79!lGbNnY-4ZN${m)EEQt1v zTp6_$QFS5~z0OC&F&a;3N+0(A^P3|7d4sV@?`)Q{L{=wv(H=P_i;}^F9Ye{{ zo;?Nl@13yQix+Nlk&^worCyyyZ3g;)5K(yrS&2Gc3e#Nde4sSE2!9ccJ+-`_Cdbe2 zn3QLo^ZD#lt z|72l^mwXsD<-9!f=@SllQ(RNkf(MDZ8g zj4(KpX~@9EQ7|Vl=r;z5S@XHJGM7xpK%HCY3J>5XFP^85753z~O(q#j%1y`KjT9!N zvF(Bx{Yqbb*;ngOzFk$Vul~HV4E7K zvkH*!Y-KxBBq?pw?sOuH&OcLWvhnrIt$`b`6VsbL-w%11IU?_l_o&n?Mo7vi9`#{> zBxj0ROuB%3*vsFsy>{(qAs1aXd(B;8lve|+wJMp;i+RP>qcx^Z`#G262%IR9CWZ~r zsn$VaY#1xVS&#yK=}7T{c<92V-xkMyf-zn zP{2DX;G3QJ7Ax1gF4!y;aZTB2Z%*(fZ3^{Dh99Fd$tHdH1^ zDJB;L+c-s1I^5xbY56_;6%^a1rpkFe2OqH@Jw{Jq1pd zE^7qY6sh>#`?~V5oLq&FnwT^2l%|9mg9@RXe^fEfpcW_C7>ESJajsx1lfu}3ql@ni z%q50YbA}K;g+O-y#>7e9FRU>olWWHY8M%9C^m?5FJ_%eBZU%s%B6=$}^pbHD3o-^O 
z_ds~@5ho)eY(O!x`bXl9>7@G-MxTyM^n$kv`8T+C=2&S(6l~|2TB?txgywR*w)!HL zPkFj#K{cKBPAjS(L!Xtu%qfcmk^T`LLYFSp9(bL~v_b$weOuYKTRv-T1Hs8djELp8 zbWc|H3&D#y4U~{g>)8~`5pRkuaBCH+Sy%>%L#2{ zw^p5>8-vjYqseq+DpdART0d!jcva{XB}sMsUeu+IqLJ*I`rCb8z^9K{mOR(*2xrg& z;V{IzY=eteV!N@6ClDvy)OjVfm>ts+uuHNOOR%m!rq{a?Ab^df!xHn+Es?IHV`mq| z9pzreuSdNcLLT^0RNzp6qTp+!XVona_|`EN%+U{DOKBD-MP7nbWD0vQ)ILrk^c&FO8{Y>-%Z38i$xd{}8+A3gWj2!Hr2h>VnUPxD9~7qR6Hzn149VWo5;0^Llk%>cY5Aw-@M~ko~_1I_7YAQ zT!N1Z+~Ijet}qfC?gfT<#B`kess_K8TdKVMu6Lytp{8XB8p--pRvS=N&EXc|3J6TB znh(DmJxS5=?T>``P?<@~;e*oWCeXuL`P~=CBnG79Gs7AII3USJi>$fy7O?4jqLqO) zN)6d;x`*}tU2TmIakh9&`rz%>6SZ@e?i11E>lweM8m`6S``)#xFFiJHHQ|p45R)%f zH6Fed=8O;}{?IEaQs0qM!s&gNa8S4RaS>U8_oc0{p9EzbWv^xPaEzMBoC%-zaC_xu zEbiw{LNNh^j2k?ES|d+_*qMA9Z>jNsgOvl z$R?T!Nc!De)3nhdq4?ReMk_J3cj7q>I_Sr7or;T+I%8^4NJM@@Y;25H0>iSXustvh ztiq5-8YuFR8u#b>XwcUt!~NpU$!r|Mk)f4)%&U6Na)5ocD^@?ezzDa5bm243>);z+ zlBRcW2ah4R?$2dg^nyA*rY9wRI=42)YDDysT>2V~X}Z|BV_DszHWiaNs7RiX2#%=D zXa9UEYK1MCX0%cu{Y^WJux*6=BFQ#DGMg%q4Eh=QmGu6yQo;L6<8k&kkFrB3Q|dc=p+@KK&2rlQ{aOZ?OS;Jp6(&0XW!SAKWs zA(r&uo#hypF;$X&MIBNMvIKt|l%zf-a&G{#vw2wmCH>;iVx{^jWig2wC&fZig#WG~ zp$USaz6tFY#knJ!oD__zfE`K_@DI11Zg9#%dOVH5i*q|sEfYG>ZZ}3cg9a2MDc1Il ziuR|CG`TbxDZviKwPAZQN3#}fVoAh);9aM{LtzEnL1B0xKUIa%O{U;+nG(|Goj!8lFbRpL4fOt~}y}h#*w?%w-xy3>bHaeDq) zUZt_@6nQCJ4)NMY{30lesp38MpK_YqbP4pkj%uR|a$v z@Ij$&mntcRZX|NGry)~2h761?dj>HZuMYTc6wO_WQu`nu#ZTy+>du6C$pd}b8n%P4 z?yYpAiN`nA7(JpUN^8|d$;BlS-vv}U7SL0%`q^qwNkN5n8)I3o<;LXsyI~`(w3Sp5 zqDpal{Ehb~Gx+Ia{qfaW0D=+sAyN7@kXZYgtE(6}jxM>7M+#Mp_>WSl+qN85QRxI2_QG`R5jtszl$G^1s;Vf6FhO zy-T33#E7aVlEl$myD)%>39CBwB!`;dG8n?kcqO2HPS2O+EET0LoL(zsfHRUhS~jZd%0NYqqa1DkZ}{U)F16J7 zZ9pbw6Cai>TLv^Zg}f`2-powWdBlC*e8&yhe_7mX0`RSRJA^3}Ug(-_XW(^mB|#+r zozZ49t0-}X1xojd2jr568S#=I5gv4IkyR&J!%f~orrb;Awg)?`U~uV8>I#Kf*hM36Y4<(4NQS6da!ljGp*yBDp z9u&4clLw(MW}MeF&A0KsC%)}(mUA`C8b|}Ze{cBSnJ;$&6{vV0!FRbE_xAG=0>E}b z;RlXZi6}DkaMdZpt~(!IcC85(-$t4>R|cW|C{an~*Hv_#!!hwZkD<~Wmw94Aa?cBm%`J8mGCVG2$HW%maUO?mh>De(AM3l-{7kwwS7c)``jHRE 
zbEx3zGS&3dC9rVg!(m_zTYk*)jQr+L$p04_kG#J$9yxwP{-z`5{OEE~O+t|`d~^M! zA9gr`*ajkf7^5S{_uSok26#cRKKnA9a%Uf95>0Vvymzut(Gn~r_#D?PH^!S-8%3Ym z6}6Z(KQC;tR;F@$B9`{|c-6OD@2J}U=+dl`P;^!HlGlR1(X|H%kG@O51{Nplm`a7-A-bLqC6`Skh;MGW= zHN*%5B~S2-t8YN|xP?6mH%e-_&^Klp_pUdOZ0m%H`AcY%i^SGM_F`)k@(iziOU857 z-LzNHJxgm{X%JSRH9e#3#^4q~lXnkaGc*kmP`Hsl_hMb|%k?BpSACq2Yu-#MEqA$9 zfaHk5ip7$yu^Z%ox-$6Db(^_)eo&L=&!Hk#VZZr(e3g;si>s}V8(r@yf?Y3uS zVaYcSt=kGe51lxd^WZun@>Sm5uJ0YjzEtj4xD~(Mu?;$Vx^jtibRp|Q6&k}S1uMo_ zYi1e&b5ZJ%-M3VGlBHR`xQ?E)`e8eodolb9oZ&~*!zHKs=~X${7)d>?-OI8d)C|)V zr-YfDgqh*bq(M0xdYqWjbXvOj1_BxAvaiuB2Wl4}nfFu8g$Vih7W=*if9-h$O@%x07U>>V2DVBK!j2Aa?}rxY$8K)|*7#|kJc2())hY2kU~#I2~#1}|{DYfs$G zJQgf7Kfc5CtZS?dj&a!TY0WfUY$f+SU1l*^jBfn`jK(i4TW-JU3C>;-Ic&Y!9X|H+ zX`du7k5+8FqkQ!L$}DroTT?h&?rVNmiKk?6X3l$`!qebizL)AA?>|*HW5wFW;#c;i zb!hLBr&vb8JdqQ|D8gtjtY+|zCXvM9t8paJEkv8~bPxJYDg=s?KI11}=IAN3YHABC3HHqJS1|O|-w~6j zt<9snjcmO5G_%*Vm)k&_U-yPH7?M8kDcz;$ZpN*YyUHJKbCVbd_M4|5 z^XulsBZYsa3009Vfnx^IojqL46WfQB^@Z)SS(v2m0~Rh2r4jYC7593Cse7pkscnfs zMue4!X4N@o;F_qTRqa@0N$#!*GXMcp3jQcx!`Ah*R>Sis5Z)R3r**222l!x>kvphq zQ?*UTuv#73uqUF=6hp#CURHr2xiERXgV0QvdYReTS-z=gSdWVVIK|t-wg>ky_kwVP&(Suj~E0ix}n|A70 z!O%ir>GKueSBR1+l=7yPWQl?3qFRGBT+7?>^(**<#WIz=7p#N6CDadv@!=k42;Rn_ zi@}Vnb&y4~7ZM7UzRiNxp?73b7KPU|0NB7VU);Qu@2`h5E`nk_CNWs3;y6V}aMJc1zQQMUpZ@yc! 
zhxsheCdcIh9VZg?F}WNpvi%udipR8*ue*_$ z>pxU50`$K9R>45ifq-ZqG4z08PUdu+-Zj_wocUJQI5dl?ZluKN&3kxL27%iZY0-JQ zV7yy5woArjbW%F4gBz5EzNFcPvr92Yq!PWsFzVxj~V zxp_;7i@Ix%Pn?Ei+F0XC z(Ha?8<^bMEZtcHE{81_RMamku@eNwM4b4{@1hhXy^-G(=^pl*ub}I(#bo&G6ZY+U8 zU-c^OO&P*F7hfc4=D*Z|CE*5B1bHetvi14eF8lV8h7Na&%N)S9@{V0iXF0NZ+sxqz zlzbBG#=xbV#sURidcQ)j@o}DSLeTF%3w(<$r(y2G#t8|I1W}P|ustk57f!#Q#m!w9 z;#>1>hNzJXP_3+>hGmgQc05ls^UD=0yh3cMCxGcHMdRM+t;|QkW$p`*Sbc=K4hu{- z;CtFEmR=tpz zx^rr_%y{X(17=vSs06rGB+1E)q+w2*ZmV04u&=j_ghy(K^rUehHh%Xor{NQb#uX^z zn}|bE_qjl|6dDHT4phIgM9uJL;OO}4D=hfy3J?78GW{pO@v9uTZ~srg5n!0FjzL}g zk5?G&Q@|cwgXY%Z7m#>GXDCPk0#7}4pB3fYWvY0B5OzU$ zzTR+w0`4^_m0QA(qjK_4H9>$|e;C~z*4mC|rOB%ZYn63X@-}?c)P&>kcYd)af~9s# zZCJ(J9~2Qz(Q#pK=ZlOdwg)dRnE@r61?zrYYK6`ByZ63V)Qo&BZvX(pEyC-XL4-R2 z)KA%ynlOy@5fmT#^w;l?LO2(@^Af%FJG80S!7W z>24?jGuxzmjD?exn4O&Z@QzS{+s3CrfW&JYA&n2Z*UkavZB!WRwJ;4LXF)5wDo(?C zQz>N#%aq)Hkyy+Z$(8Y5dZVaXQ!TU*wcx1PG!qKl-Ap@~eOYO#bkU?b>v)`ZSeIKK zl7&XxmgK=FWCUfep^BvLL&--y&z4@kzqLMzVGA@JGt-$kiXQKv55)b7D@>?|@LFvr zTn%Qm^sMtUM8@gHA*B~M5FWr=Ta>N3<8)pUV;PW|-w;no>u)56`6D4dD5tS{Z{NM$ zm|1WC2W2(Wks@%*`pPn8%U!leH78(pAKT)fY4j}lQIOa@ArvM9mV( zLeyJHOO8;IQ<43x<4G3i9{n(5;m{qV`1_?@12Bsg=_>N!6-H(Z7_b!HlIm5UO!Ov3 zb5VEr}7$* zBRx3qk{GG*oZU?ilZSwVgN~c_&`L5evBWScHVKZ?eLNepm7qHR9HXy~LtqqKkIq|M znO-a!gN$1Ifld9r=&nL6Qtia?4;&|Wns;yvQk<(+{P|O`@_D$@X`<+>$=?-*+RCg| zYhRH}DO0E^5+U7BLvQVBf#-t-vRi7YRLj8F&XdvR=P7UUwxH%X@@C2ns@IP#^4)0n zzIn+<`Z~C1(Jve}dz_&eBeImmniE!Yfx_Mvi-+jLK~C0Q!|kL$sGCfsq_Cetp9-Sx zV_p~2`EN=$n zYcy_;d_#g7xi~W|{^HVF)1WH$UPo_8OxQJ(4mVhH8A)K#%tC$4d@yT|+vQS=J3wwB z4y+lB3C00QI1=Dlxj&7WUYMfDA{RNI<}jq1VId@i2g%iAJTWH5cV4`i2MKz1{yr)q z7AqzDW*E=!jqJZe{^ug(?+rAK2QLMyvKMmC1bEPe@Jv#UpyLupdp0iG6G|XU7N^$j zFucFqo;*mUr>TYy&0sQcFQZL5+X_e%k~+8R`Pj5#=}VA<1kC#RG$M|%6~^?c{Ts(+ z%8eeV=J(-yaQxNk?s$y5FbH=K_b@+Ee((fm_N^{3C6R!~g1sgB<6GM30;0HsoT?e` zKJ7t1v_8&zMAH^8@Rfp)zs4M1I!KPOu18|cVbc~U%0G57Cs~7%p!gtK8~MJrh0|I? 
zel+la{RnL38@mtgzjz3Q^)W@shMI0)Cf+H%g&c$DG$uy?L83n97w$q6RzWQ--DF7n z$#Y$FU`}^vRL%F#1nsTO2iiZp1ynWravOo-q2H=S*g@>)9;08cp`HGS3%*rfBntIa zdjR{GUBP!A4Vs#wAKXh+UHz=Aguk4WsLCBMZG>D<@ayPTw<65wh7_R}loQe2FO#{Q z9Vx?y?ro_=IR4cor#IA?&vBhG=>v{p>vzC0Erf(E6{Y3%R-l~EYqUjlVC{w@NQ--A z+R{MgES8h4c1cg@$1|n!UE5I0Eyo632#(zg;HyfCZMBu68s8$4>F=}97|u=s z>Sb4(m6g!kRfJHofzN*mcv~|Lm>8&5HlQDAUSKN*I}%9i#(_)SB~cHW2*X(ajZU&S zYsDM#73e7WGWR`zy>s#CzP4lT3_Vkg4u>Cdaq2l$VKv&fg1#7a-{NSBa?9~{-T;fG z6@!=aV{dg|YWf~Vl|$E~HET{UJP{HP5h~%g>L$>=XC?kae!}3>$=1pH$&m~+;7@nc zjw04t2-H&|T;v-m2;Uz}b>+l@5q=}Ow7Gr?kMohB_V2zy2_Pm@QShnF(`MphKO#8u zc}aHqyB+Etk|~sh2j)D&3AMyE*^r}JElDqoP^jv4y4*sF@8Pvj^izpHf#5p*rcuPO zIOFsmC?*d?L9zhE3X1otjB5+kyCB8VPY+71JZ3)qt!K2Kd7eraz+;0=k@nh7K6ru3 z{@uy)&wDHU`By$6JRz9PTT0D0z_gN8VzP(7WC zR;{hYX0>dP5l<3baYDBR4wE<#ExA{9J_m`ge@vw9MK(AxR823Au*EcL?a<=w;Hk$@dE3 zM3gdvrTa~b;GLsmH4c~$OIyy>eXM6&&aGd{YUhqhH>S_l3x({mE6>W8+Ef$WRQeef zXSJ3%zqjkzfK(gB;)0#WDP5IH8;MQxAC_-FA6gsg(Xs@y1C$4a3*V)E%${^m_o}*F zn6bX^^_Se07=@l?|7vG|;xBjq4wiO(F5RhdhRK1l@Qwm#JiKc>P-Uf6*Y=UCcr&bA zG?8{GV7&wuvc=vXa6+fR&%&^LiQAIzw{(fiY_iTnHG=*^z7S>ft%{vYlDP4Vo36On zQb~Wm;SVoKNfT}M+EQ{3UF@C+oT4YJ3l93cq!2(tC~&Q$--^YD6W0T691o zfm47~tF#$1jQ@fqvYLPe|=Ho?~?l!i!SYy>Ba`pkjj+31!0^dFQl-S4d^enK`izpZ?BiWyY9sX&4{W$WfYtI-fhX;%AOi_iH`2{S)$UJf-c= z=bzH{={2F})=B^0MbbTF$cYT*mge>&3aC`CN4(}bGGMW&j;PynSH!+6E$caUlJyK{ zK;30I8c95)rZ=3pGYwm;T@&BPGE;mYyqksFQdDKYiL}IMC=&B$?*Sh925kcG*}nsi z9I~JER$`+bTv?=7yiv&(zXPYt5*ma==%%Xyrs}R#*0#xEYkgOK{JU?{@**Uy<&6$>huWn zk9W`yHA0kol?X{`?5LMKAC^TcU%c6&rpD=*a=VZ(DngKbytBWDfgnG`0)B~yda+}} z3FCbZr`#~tT_}1(pO_^gk^>umOm!@gk~=*IWwP$Afn`Phd2g>EUBn0Mn=2vKB0=Nv zGzxTz5BoJm#eF%>bd<}`ZVBnyd8!WQvoS{VBKdHXVGDIl{M9juvsNzBZ6Sc@T8^{4 zdF5#=)5UN|^fn@>&X>HnT`baB%4z5L{&eKJb7Z8H{AnlI@ncH?Y$$z^fkNLTU

B zkDi(>2{ruO(7*$x#!dna-JcQJ`32Xv!E#-jvEv56Ua?tBD^=1$%!HB)l!TX{k6i~m z4M68^sSPxq31gkC=#%Dk;Ma??M-9QT)6YgeEF_%0BFJ}~+|(b>Gf)#1dbdOq#UO2@ zRc{Y`6t>*%*zv%cMhsYH5baPo@#?8zxD?=D9V_wKS* zs!FELhq9}$-bZL^xt~H~tw9*fT&efbIDHsB;&0XKr*hngl}i>JU3T68_z*@U6`Z2v zz;3TePT3hs`VHivutj_lJweitFsZIR@O$rc9Vgp3Rr!^#tD+FD8~;n9#0MFW(xFfC zW~+GXzP1vKoV~1IEax~y)G=hRhIVoO3zN^m4jVTPfh2Ymj-c{E!_Zz&c=`W8)Ga0+3YKy9=sejPXQN3(iHapl~ zycD5ee;^lLx+@?}xhfeto5=dD7BxfGq7o!gJoB+(o+U=!ounrZVkHj;aY zy&CAGd7w&y?k$J3hWVZufzD5d(MojS7)YbB4eJgF!9#qc+B|2FEBVw& z{lrT4{V~n|PsjztU;N;ol=`1KoCECY)G^3c|B+mfGyO}eBEPJD|1VfY`eoJjcS_?Q zra}L_jb+8`FRhCHvfBG!u!{W4s?G0Kf9FD*n0Czh*8(B?9TX|ha6{Y`?|F`=;D|!951v5J-s1R#U zq}=oQvkO2?u1P$*K%o2|9q(T;cu*f$=$>7meelTzep~YLBvMT$0Y5KMtWE&&hcEcgO^Z!c{RMLy!l%>Qe3NaW@#m->4+`0$ z?2LJ)y))Z#Y}_AeUZgsK%bzry2_gJw4s&s>SP$u~8r}*$>~0ly3j$^?I6tES`vF;Z zVmZQ&k6usy{Y+dypQA$DJYnAR`Ln}A?yt%I!aSxwI{ee`{ZoYvvJ(dF7v?=X{2z9F z{as_=8S^mzjCsGdZP_{7x&4NFjxu(<9Ja1fUaur2tUatXR1GC)Ib~h{XSLRU3-Xmd zIYQ_Ym_46AI|7vFn%pns%lUVX0Hp$h{>u?We|Lmm3vn)4@#Kga)Ct50P_zH;2wK0i z_5ZZ3#FdZ7T;q+4mMpK7rZT&`xv8ZJubVZOqq~bUhl7%&HNe3@$3tC4+EGB?+@4oJ z%f*)4l-<(C!9$(b$;w^>ApSPV@|Mnwb$=eO;u$K zl})u|C7pCR^>oaif;AsbTTX5+HF+I3MNd^uA0=HoA5#e)JqvjUOGg7A4{lR^DOG(> z13pg~XPMVB8m7tsK3)wz?$;6qucb5$wb)f`T`l#bw4}M%Rcy5NOl`TP6}b5U){;J6 zT0Abcii%3g>T2%NZ#?)U6m=ENr9EVoWF=T^0WPvirrZ|N{OteZsqCy=?0lR8LKG@i zmj5mAiA3`MvG<-qQEuDXC@2C-5JfUbQa}ZooP$V~C@2zyme}N+LxUiol7k?z6%-^# z0Z9!aISZ1ZNs^(-O-F9Sxog#4d++03KkoT%eO0I6eW{}9`BXFJe8wDejQ1Iozl#ag z&t_^^!+)Bocy;1yXESxv{Lh(s9-XZ^zA`L+qf5mr{MR^1oaMKu56@BS{|4&ybJXYm ziaH^wOU17GS5zt1-=b=qqkjDxsMP1Ez<-Z=tLU$&Ik$d`s(FrD_cu^)oTHlkd(?l9 z37v|5i>h^wTKhLpY0gni|3p1!pn&c2keCTwD*4jCepbdWl)qD*)@H-cCNrUbL_H(O z|I&Q=uj;2WF(m;V&loDuC5Od=NF~8@_%tt93gQL5yAiC!3VAr ziePOF@IgDsL*3jF&i;BOrJH!+p*$0ApCA8ktf2uJFDe|E$}x@|S*q0h`Y374FKIj# z=@?z>vSqQm(Cp;WDWBEEbn1D)#639Hd&dWfmv-Jhx_hROHYg{=3iezJlI5$)Ll&2e ze?@y5uNq}Q@ZDAL&3ELb#|LYKmr3c=o0DbgA7BDdFryb7709Z_itaR$IZf>+) zjci96fU7xygL3FO#MQwff3jdr`Dw{axq++skU)3Panm|tw&<{PVJko~$o=!IX2+!c 
z6EnQRT@FM44(2*~FS$HPr%D>Soa*TooSurjg!QZg<*Jh-w8ba87O&s$rz<+1!Wvp!)*Ny<7am;AfGEKPB*Eisat}=Aoo&3o z^7ksBj6zR5`>b3?28G(4L~{2cs|A39d?94)wB(7zlGv?wf5Gm}JvzKi;ipNRgHS2i zzFsb!0wla=yNJfWuSdE{N6vi5;C&njuYbOR;LQ4YFsO}hRb$F36z4-Z7^&t8cDPd4 zs-rq-%g>^%LZ?JPivEn*^1+%`xm7qGL^a;Tw|=+zxmexTI+1%RxV)>LoFx}J97@&o zbanmE2fI}jH`Z$eHsd{*RE6%+EncMhMTh%Vf&qb7d}N`VoH#qym9*HJUHL$J5~oSR zV!;5%x)WC$B}?@jK{Srfwu1RrF61Un?!hpIy6Zc+g)3R%Om^#VOj&JS?(Ii7K0Em| z+rv*Ed*sN}E)9SKIyWO3PUv)!>0<2BJ&om}4IXub)?MA82Pl&V9Ute&Js;{nOyLHW z()oZZ#OeFciORdV(y~LEn91`-^CRAY3B4qfEIb`d9lH(iA3UQ}zaUzjMfLXgJg+>& zmEQl=*vFp^L8fU=F__)?VUe~%?~iL*L?4>2=+CDLTpB99t3>W z4yGpOO$$H4ykDa8;G=-l-bh`1Q z`wi{x2Bs_n@@PAIG+FQhy#8o}whMp>r<}*%c0Bqbu}hSLDpIGKg3a_gg_B-9EP1b) zD1w5ok`AD^R1QTCMOY=BDidDzEPQ{e>`~)5@0a47WY-kc%Fw#gv^&@ADD z%{dvh>dGt%${Qu%V`8TH-6N8%6G_kT=x}n99plJ02=->x+^(q!*SEtlB`U;BtyMEg z*wu+>XW~??X)lAqAGC!lweRh%LgbuY3sLgxOR?s7&VBM+i|Xs5ON$<@w`PAk{39PA z-Q`oMBiCC(r)BIGszXc+Cqy|95A0R#@r~Oq8VM3!d7dynj3AetwcoILUwts~_J>jQ zk5;xI#=+zc+xtX=uoAV5RbiaRzJ{1TmgSAf>Xyyx8Z8%Ehv`F*P7QjZ5gI~vbFNFv zwo_Ji$)&B;2C8a9a?gbt@^V5u$WdBA4t1NUBs=HHEAgXWcT<%Hs6scqCcWD}d$T*M z_*3m{4*?CfCoOK5YP38h+y{gjw0({o662I3IPkWO{BS@uWp4JIew)hp>NdeP;k#O; zX(c*y4SD%x-b>dFmxyB?0FOXmt`p*#FuDCXNx(z5CW|sZ;4zH1;8R`9uuoXoq)j)0 z(N!ymWOYY>A@3C5=WFf;^1aQq2iQkAqoGr7R$0_q66I)Hkz|lV2b6t``!r217;(Fg z^uq)7yAN4K4;Gn?Zmh#oUpe z+&|5B^ z%WPo63~Sm;BuO>}&Mud{K%UgRsDOo{3#@8cXBw|Avsf$`wvq(-aC++O15jZNTK;@J zRMM1KeU;}HaV24g1NpWJPYd_UAEKkj%EIbSw^LF^n**!8vJ*O2^2aHPD|4QKaa&mS z(2EuXXf2ir_rsB~z(6I`M!tH?#Ilx3w}Q>R3}}VaS}qWCO;R!0=omjYPDrnN;e1!| z1U_l`rZImR9-C45F0||_x7BqR$72Y~qp*_6r2`0(!9IZ7Q9S*TP}cSJDxG6Wtv73_ zL=*#iM@a65E&aIsgJL=7T8SVfTR{Po-@8W!Q_XSO1>7AWG;_?m?=%#ozCTPB$Zlwr z;o!rK6%<8vN<%v_!!rTaAWt_?b%V!hlIg?B#mzXmE6vdNkK%=QM_>V)_m<3A9uDx5 zTuyRxsoxoT#lh-AvvJI6qEeyMBDo)X`WhB!k*VnXX{Qu<6Y|Jq>a}KjX}7OtaQ8w| z;oSq?XBs1ea{JAPqlw7)Zib)TRLv#QqnigCZ!potFYXbJGap(!s<2Nvt%MOaW3L2b z65H~ZeJ*t^gvIrB-Zb97T;iFK5@@sv90L?ZRPI?_I%EFtc;^3&29x%=29x_A%#S^~ 
z(Vi&ui*r$GXU60!XK4kQ#z-gKSrBkGRzH5M-()Ct&ZCwue~k6tWwP+mDD8RF^6by3 z<@_-3M4wib>*l{cH^E%<+o(nNJZcg6N7R28wcs_Fw9inB9{)9J;kx;cQA^`1&?jZ1 zq|k+x!VouE?wyYnpIC!1!Aml;v$f*DV2fSh1kG6-a8j>`NQXi6EyqOY*=N5Xk9S=W(|LvxI^s-TZh?a@4>~>?RNcT8}=r0`#*T<-B4i^az0@mdK z-?_@p2I=%^NMKF46~~-8gb^3 zfma4KS}_z{X{|5cH^0<`_5ieDB{JPA1~0$bV$fyJ!lV}=0e560__^5bnvznP4i2<*8 zCnu*BC_+U!9TK6v`M0n>n)OlnpKcMgCuYUjSh(`AKPXWb9PS%|M7DEZk;}{IvWZIL z10!Tp)ZSctJOi?7f=lG)=k!1r?LKwx79uw34t=4)hh3o<+f4*E2m*Fr<@_?IVrDW@ zzg>ehsNEKo%~GiXHlAwK_YVvX29)e58y_)lA2E4NdouZoxaQVCjf|R)KN^FP$FW#}@k;`K>CC&OPu_+?m@UK@VrY$nUYF(6L|`@qDF7~%a>2yzkB5+omXitP); z3FFD}xHfoYTE5B<)3*ppUjd~f6B5<*7J0*zusl7+X~Ve zlf|UN74WPjSS-5_6OdLsJ%?=nTBmIRY&6q`J?cpHmlz*C{l4L1Mu;&L)sW--70DoK z^H{`3k*k|biZsdSMv`ru@B{uI1vsvIp0nf3TIs{058kg-sRZfXoLUq%Hl)yHHkFEj zr!|(eub~FkvJ8!}Ywo;#;MG|AkO;Q`IxY=*!JW;Gs@{rML`HOh4<|Wsf~l-@`xkMm zi8$c!sR!!R1X;JEx%{RX)e3qV5m?kIFY%0F-x|_{p4*^Sr?l=!Xh6;NR8gu#4goyq zuvVm=yJMKWok2_=W^K+{;0lnU;5Iwzh29pfTxk8DQRbAQ-JjSfeS+}t1kvyvqvp%e8cxzY5$^nb)A7YkdF#|tGR!AV0p-;ij?Z( zi8o@0YH$}wAUQ3f4H|2fCD6UUHOoY_;CK^T6CGlB;rsp?Znr!$<|C|-^wkx%LM^rn zokYS=8?qysNj~Z)V~~>9Qc-)ofb115w~9WVs}pt?!k?Ue1J>b8hj)C-XW3|%LzY<% zp`V()W7(HgGi(qtI8+HNwh`Rx(=Oe3vX$SNlUo*4(a?gXQ-wJDPdAZw2LTDTj-LMj zU(-teI0BbTym1K73s(`Y93Ocf&a@49Fl9>eOlEFw7M%vU6YH&5O2du!mE+BN7uqX( zpS#H4Yd%`1EP?nI43@;z$k!hPIHtz+#4_1539v*(W@f!%@B5ew{N{)0266dXmOL-+ zJo7hV|B3m}q86V&m>&sh+}dn+*R@)iE(q+stKXcSQMR&AL*Q&ao3|H|S!LNmJNkuP zZ}8%lK)AQ$112+%hA8I-Mx;E?dmS|jbr7s{%u7*YrT0;|Kn!CO#kU-TNBLc!`n%aD z=KRr@gD)^)!tB$6{lMDK%g44`muUAlvvhbrOgBJwLdJ5BeNH{|>Es)dU95thOuK&* zPqb{Bq^R1-+Pk=eLIDYo*OGm$C*}e7yAR0f`i$Up2lSb3O%lLbhtji?IvK zWyvtUn5Z^r&MPL`H5@SU4a~hW*SMt0vQp6%M4U1~^&*Zd(uQr_v)5XR+?#bf@KD|6 zshJEf_;t`W2Z|Az51G5bsEhXzx=Rc44d&p1Moh7*n=H~NyzZrBVlUSR)7XLFI1hCq z86jbh)!lsY6@oc?%6T8z@k}u+Zlo!&#ZQFQb*`7Bj_BJvB}Vm;l>nJ6l@2H@2GW-L ze(Rt&bSP_fKL~!bp5kz&$s>Pc%wfuo-c3gKqv7RLiL{j5GH;A~}9tO+0Axlo`dF4~=I^b%I zdVVK@NZ>Lo0^e^n_uIPXuiEVza+V3@z$-Bd8)9)*HhVX%!qCXEfg=mwrjxg(R6|9jlP`DVE;>Sx`q7r)_N{;;j}2fbDE|@QT5Y=Abko 
z*%wz0t2P7TfeUr+4*Ms<#>eQFV^_NAFfVT$1O}QJSP`C#JN^iPqmAmzNWk@?qYAgY zPFhVp>rbr2h)c^n+$#iN#7u$mBJ_1;K06ain$K0Q;t!OP8YvCdmviH0p3XhY0(&dU z4K(^SL}#`wu4v9^#dB&u-+coW(wjxLQ#UN$kwb(!p=M!m9$(rM$0DMRQ9cbO6QoHm zWbWPLb@!Z`^g}c`q60zb1%&*16Cu7QE_0E6qgAp9#B0wetKkn=g5Ia@+O!UadYywH0b)2ks%%xpkza>Y^Go=-CuO zkS-|KpWn`Luf)m~Kz1mEb@b*@ms$_Uc{lOy4EY?x+qo6zqoq$Y%8PHaSJ-6Kk2 zdpb|s-8VV4`T+7#;s<(%n^{>)ELQ9K>{`2_L4<-+EaS+^5gp_tCdrPf?=1x16!j!m z=Q}3_N8_TH@ac%q0coP$hIKtsyiel!Dr-yAYy;dkh8 zZ*ea58($+Au^a)z3DZ2WI19-ObXr=29eJ}3m2WsT#gUug$a&o+_%l;@klqg^lnz(5 z#cPQEFbv@v6Rb&m{|7mB6cW)z9xq@_+mkF_)4z|&f=~Z^e6?lt;;uS#%P8S4Z}(ho zH+RdHYoYw^Lh1X}UkVXa(H6g uyTPRlZbvN{EMk`#7O9&#GbzR9iJjHvfnMR%|T z!8z^sgFr;!nyL#;U@+~$g{EdPYhoKi0tH^l+#3K=ui=5)!XYA+HpE~QKD>e8xP&kM z1i{d@X}BHM7&+rb2rLLWjIi?yThWr6S<$IQF3|*OzKN7?m%oEEbzXvaW;6qb5KyMz ztgQfh4qG^6FaNv{(Q;WNFWqlc+*VqZ{1DS{m} z;4@ZHa+jj{>^)a=;SJ1}xa_3T@e|d?$YwvyytS=+X?@{kidE&H4U`1Lc+(m(q?6&| zdM7Hh+FbDN9qXFww}nrOU$zHnM0x!LZH1H+7L}OxsLrt8-6i?B-R*-}cX{HoW01+l zlMZs_-Y;p-lCCaR?r{20?-Bbe~vn-1dR5%;9jrNMVwpqKP2a<*YyyOv+pdy`0U=D1})drGQTI17A_d%y@MLEr-KUOY@U!-45 zK3ySxAmGBXYequtUiW^I$AigKi1tNoL%-((+iNz{9vl%bI0P(UHwS9uGpc@qpD_wy zEd<7=;jGQr}XyKu}6XEoTKL#&Pw~9Mb4=ly=Kc z4}=-o+0SPN9(IXlTxS>hSunC0yZ6*V4C}b?MbLY$=FY9SiWr4@n~fP+KK?f~>;-qe zv29R(*kX)=8DQ94{8<@cedru`1ZwG7x?3}8=U3ERNRhLuo$V$u^+`cSlbkA)h_wJq%Y4ETuE}&18)u~C4cI_)y#uK4cGmbRF==(1h zj~ezsvFbn|fa^)!a&3uL;JBpiZiBfr}Kcb)hD%S|F?Vqf2YnOFJaY){Kgd>O|+f* z*Rht%BKPH|-JEzDu2=7E(SdL=pp4<~JO`VqZ)gxvucA|~@*4I?gW4l`D;WmpPayGr9h%z+UP}V-QfB_42}v>j1D{{EZ+XgC7+Y zPx0hms-~4Rp6GO7A2_W0UCokf&^)pL8--Lnsy#Vylt#}^?pS{;5)w>|+G4?E=-6J7 zK@6e7DQhPYT(GMo4|@v_89rp1thT=Tc3jHjnKTYoQb@PI5)m4wvMNX=c#dQs>tbDR80XaOP2)`DvB6>K-A)9k{r z1oJ}ys)qyR7WFxlg+?SVZlF@m}+ zn5%o8aWP={4Ygu!!L=;`Oa*IIqmTd9=cvHK8=h&;MA~}OMMQ|QC7#1Frqp}%7DL5M zv|CkemZ7T0uSOnCMFg|9MBcHfaAPkJ$WzLLo_-f0_dP@q%&2B@Re-zpdN(~Ds`wRl zMsEbbShYN_Os3UP3$nit4@&s7ADfWFP()=}NeTM+z(yr}8KMOhx1`x`h_H{#yUneB zlayD4LH)e?I2+T3hTAfgPC(V6G<$evl?)??_56p$z+T(V*lf|eEidms3V~o3fjRua z!50QOseLKm(rvu&Eu06?* 
zQ8Lx)=g!vWt;u&FQVFPpg(;txuZ%=k$B+Jjl1zXB9|y5^ATKbPFA4M@3)Q`sXzr;mK+0UIHO*OT+;}8 zxoRDd_RD&X*uE%g9Wd;cG|^Oex5lNva8r$lki1jdM99c%_f5iwob|50@nKJc6LT^{ zTi!znbfDqY6hTLT_cPXsC|K{07LgfR74it6YOjhD=6X^LbRZR?{L6AuqW0E}w>stC zwrt)XyP~myNMZT5=6hAiHKLEd(e*h*Z@^E{gC^Mq>8m>=uKJ{{JDo6Ls&MPUR2gzg ze@9?s8z9KLxwo>HJ4s3paQd2eRIk2Lg^icx6_#IVNc^7uMok zpAE$NRu^N=wfTPfU?n~|#ycmfLAw|%fWgaedl-->XJHr|Q4t7%N(C5;6cu)JS%)A1 z>)`bpKS2qA0B?)UTy5%f-9Qcpew{I8$=I>8iV1^IOP@uB9Pzv(1tv?yDN~2 zDug2xe>`n^OUU4DgKMnJk#dr4YN03FwLYyRAji}*b^`B?4Qbr5r8_O&Fs}Gvi&f>{m{5oqXQ90F@S#`<(2V; z**efWyY=U8h5{hCrjI|0jMs?mihHu zCqeLIo^i|Kxaw_H*qU$Loxy})aR|mtIiNu>N+hTyzUij*go)4&%+h!H$Es>A({-|% zSnC7bx?drPI~zwu!d|N2U@rI0y$T3=rxgxJ!M(gNUPvC(B+P*^7`MBo`}Bs)%CCLx zUApTEhcz3!1ueL9#(HKzr_vw58V)z0ud-_oj_%&G_q#3XD0%Th*#Rn%_nlwsspHJp zd+N!OgjghnoGWL|q|d!C%kQ!u#;$Z9O*(FJf)(!E?zpGOmEX^gN}$-<%ou^8`}c}Q zmg07-ENeC)fnw~DBs-KG(e++gy^M5fxCRTO)v9hhD?7S>VkrYHAHmsIsv1IhowBWy zyEC&~6)%hhqX%*`fUK9*?W6{x{3~dJU!=OL(>zs4TrZKnegvVu5pRh7N*Nw}e7P@{ zDc&_JF+}8+M#ojMiCOUE6O5p!SL9NAoDE8{{YkDEGsG*tP5V{e*$!U;&-1^@B|JLM zB~<;v^S{X@(4FTJO#U^OAhYwYxdgS}qw1ZbR{jlC`g2s{e?_&A)uj^S|7+cqM%{0t z8U6DN2H!uT{<{nY%T2y#XQ-dp{+hwCk3G*|(EnH6mC=sWw`K1YDN9^tIl>RLKBi;q(Uyo~Z4iDLU z1Mjr7+0fF;5#JJZC~bF4j^kHZ&0X)JFDWqH)4LsZRn9o6Z|H|iprz^O84<$7UV)oA z;Ueqz(+}Cgm97amU)FB5ViDL_?EE?;$*pL?b?fpS!Ah#_oOB53i8IOf^1Hhk6q^^@ zTMNQ#Uw+fU7oda=NwW4UM`?x1yciLVOmgL`YtTj-l`o%+Xnol#6{zIPo=s!lp_vw3 ziUX&oSn%&Wn_s%T8rIc5wZS=Ww_j2ViD$=tblH7Hrz${Y(TQ)~3rCIkfZcGo2>Xuc z)-gEUX=2>YvLQVUk>A(MtqCh;q8^h^RuSL@z)P+8JR6%;+Y-(D#G3hRdzffUX6!2^>8?w#-S_YRDDd9P~tT2HOyd^URw6ruYluF5)mWl?pW zGw!NfgG8ntk87;eD;8C^d;y4&&S8GLwcr$S5$L`a!$zZ7P z?37Y0zuCtWt8#p;LJxU^V6s1Z3j0wAL)NvCB+I634)D=-@;5iZWFh@|5*>-u2Xeb0 zYKds3q+xW0^XqlF#UR!QQL|??Xy>GU&7(R95 zM@iUOqaxE6b+8{H<}^B$F5d~2cUzKlgM#N9<};?+saIt9)BB&8)hfpZ?g1tzrcVka zxUwBvICC2hI%;LWf~EZjcQaZ)R~l8#arX6h)mu(l%Z1n)y9sqNN{Q*wehp|Ta3Bd1Fl<41=Irmc}q8=E+Rz$2V|)3vR7Ae z=%*SG)}0v~O@)__3SPb#4ABdt&`M=RX?8UX^e4U~Hnkp0)L$W0>X-TkUMq~%Nt;(En^bO8q^PGmS$C~J 
zg8R)4CT#WVD6k-3Thjb9-Bqsc5uLkN`dNqX3w~FXrnEceyQ0K#Y39u&NFE!2Ipk)I zkw;mfY_Ej8h&74C9DvI)JlkuR#VMuBvf3@rsD77e}`|l-i`zX%=Eq&vXYIku2q1tnDY#Sp%8KvZsIW6H zm-e5S|15*y`3LiB|4NJx6bt{T_Cq+INdA{>pQEEtyonErg5%3?gTuYl!&U3DtDfrO-IWLfqu{Wx6`3y|r zWzB=H^w|YC=f2IE&r9oCgu1tCnC#Kl%4C%EE@!>s4=j>@M>(<9EAxZxS}XYto^{Pi z%8zNnsC?mpkiHD!b@8qCyv~7BPLaM>#EPS~2eu!lvfiF#)JAJB0m>{CHk2zG*&luq zyAj;1nu$V_Xje*fn(s1hA9k#X9vg56Zi{|p2giJY6O}8rK^bNz983en!(!Q(16rRy z6B(W7fMoHJRFLJZ$hHAFQdmzdjxLpUXl6>-$$Gz>Wfp8M?p$s zBXHTe?l1=H(G9T3!&e0#5U$7WZ80xAJ(BsI4Qj$+uL~44=pY8Po^Bp}?z?ct;w9WS zpoF0IF^#0kPnsqUwvGcSd2XHWzGG`fMDtDc-onkp{g^}SY#$T%oedjjm9giWmrE7j zjhV%N<=`El=x<(l70T=r;>Dcy=)S_)&68SHFPYkFjAX0N$w;Upx{uhKg{-u##OQ+m z;~S$NJ6*kEC5Cz59Zx1q4r}SALh|I~+b!ZH$Njw9k1Q1J(^vjbb*D()ojk=3hUboW5;dV5(nTw{i=w{bW_wx8SID2G4M62tBp)D zx}70Z5!-SQ8UqT{ms_*Z*^m6{=%L|4rRBGqP?Na5TwE=sGLuO3-u8X)K+1dH5Qr`R zsSCx+CFRDTij8rC@|CZn@c4yIH(zc#x@@Y zp5kjZ(BPNA9l1{tP&mBd%NJ}wpv!rJ>TA_efDFp41{=1t4ME`shv4`>Kz9#1!WQ7* zJsjZcK>(&13TFYw&7Jxl4z~xybF3<4K39UwfMy=Y4s)t==i(~Fiz$I6dyuyi%feTXFHg>Fy5j<;M8TQ2D1TKu=pw#(I%+RLZY`%n#Z zR-pgD>Dcke49?pbJpH9^%lMf$AAbXF>KXH6{{!=%XE6SJa>q2Px3t}Qe6bSUg7bbJ z9AF#VyX8WSo*u=CRY8p~-h=Y>O@}1*VbPl)qNQVDnqi}Nd2!9Gu0p=+vR_9>2(IY9 zpJBW&Q926`KHgJh4Q@*HGCTwe6vn}xieT6U%i})KOUKSP$$Dc(bwtdbnDXt;sf$`h zF4f3Jh;+$K=6Zc8Lsb5FeqHzZ{!yn+NO|5Wb1W0gxeuORg~1npLW-l@S4=#5d|=4- zNePpZ{a=m_4|XbbsaiYGh{MpQgSjl$UDfe)1|oy+iv{laaODBFljQ3AbI@PvdPW?- z7Bk-j6n?r-d#jP=%k&b!mwaA_@Yg7t=1iB|FQV5QLIW`Azn2X=}Bdf7%*CHW@aipla_wSx^zyX5`D#NL@v{B~$?df|%yjGvD zU~Nzvn@i=wU(8`@K-m~t@7r#E#oVA9a;TeWylTtIAKg&C7C-nPfkM_SVzN_Tml)&b z+M3(nSvc&=_5@j{yEoJwXfUtA^;;;u58vS^V%o*M!$2BrYnAJ#gxzi&KtDt?8c875 zJ8$^RhHFD~6L+=&*Jclz;BfD*`oV$DA%U*2H4n0KV%D4`cyl&~tcS9(Y>CfP5EuvRd_wcI@x~liHFwmll&zxRM-xdlZ0E z8w&*+KQ*0M&SKS$;mXp#X{Aza)BZU}49C^!mu6!CCYwKAE@(Ur#@)Lpocs|ugRhG_4Zi}Pj!FCK?HLznm8 zJwab&)ziITdSD$_uhh`wU@yJT8`5nt{hjuzZUdBW9yfY#CrA6)&8Y(qmzX2oxOuID z_l~2>BVK$(jVIHH!9X3cBET4#JHBt{gL~a5N!86Wm9pEtPQ5DzRl1#o@Q}lRTehm 
zU=e;x)W8!8$}G<>kC(sbX0CNOQcNOd_~_Qifru}=p`6DiEBh#y;lgF;$Y}6t_@Hh7 z7Fng*LH?vDUz_d~Z^@nxs804zOaXfBDASQdcO#I5=RSwyOPz0GgSLx(6Epc` z*;!jVJF^Gxsdw?Ug4jGDA6ex~EdxpsB)CpxgrS0$cW*7!>vpU1>FpSAWV?S_kwLcw@ag1L{N&nsZ!M~MC%0S(RPA(mJ-Rl&w4o| zz3ZKUK;tNVNxjx~&)QO2X{-(G>M-nqUU!bDTNcr1g^m7&>9}~|es8%SC&#&moW=bI z4wVB_hR|v}JiTjISvk#)oAGzYbA$a(uK#$m%+tsg+#S zfZQGNGLO)dFEn3sSYs{^86Dgmv;p$>ZpPhg-S!3qnmyh8>5y}y6*-4rT5{KQsu6o< z+02Elpqt+er{IPS>XJ~cx15Aq;XcMZ7$P+`w0$*^>v1eMRDXegEmMY zK6Y?w&k(ssheuU6V{g96i^)0ZR`nhYVr~P}s}YY(x9UNwNHIJ6lXS}JMP1G|2=5*9 z)|E@t{hpYnxLt-6mvYyz+f03ODR$-e!#*+a_Q+sfNxTO7HD!x94VOy#23DgrR9M4v zNbgACLYYMwD{_1>mw3_=Q0dm9&8Inr&0Lq%O9`tB8nw2;gWEa?Z}=?qbiI{Q9?IQx ztb9BmdX&C13$2A#`NYvy-dt1|S=!GjywhXEMgW=<4w|~Ey-BV(_o=nnA`%qE3w}}WFmdL-(63E@Ami@~x0?TpndS_93Fv%Tfl7VMgpJbnj~_Scr~j2?9Q=ttkDlL4k6?{%@{4EELELqx&$(U~Pez|+c-TY+ z6fcW!{0vkx%>WJu!)D$Xh&&)4wM~)d2IPe5#~UC0)&RdQ zj<+M;L!4ss%|5eOF~D1{l0$tc^_ypK8%L`08fHn$?}B4z@?aF-(FvW)F-TCGB`Trw z@YFr-we>D&*jkU<<`#eVvze^w@CQu$>7h@nO-ZE)4m@@wW@neh2%oeb1Yy!opGs=8 z8b3={>pfj@x`{F%M;2A>B?V@i z(mr9aT9$&vED)_FvhDkKG0zRtkX(pSrZXl<5Sg>Wpz(=4VlWJzKD#H6+6wU9MptTP z1`QS`sEh5VdL~?<)tbL7_pN^D)%ChOVDRiML%Jb&@MUp+8?bb$%V9&hjrHr{ptF>7 zhb42+EkN%DBk#_S@>fk$3>%PXkjtkx>4Zm6xpA6_mD7vV`&hY!tHTr#sth9u$fhce zTYx39ixWXPA5YJ-rI!RIo|l*OjoR)r3`;sp3HJ*p#kFy!V@e@T@VV}_Y2sLwCQ+mn zB9@8yYO`dOhx~MXuAi$X%E;#Fqu|RWf!+yXWT2_z)M)0bNX~|zyme16ySQBLOVC>3 zW-C{BJ53xewl#QifScV2cu+*(T~6i0N!yrmCk-bBj4zLDky)R2guWe*PY_Mrv1Czy z902USvZnsU@QKF!Oh6WuI8@#|X=Obmp_D8Bey|HFNP47FhWRtGMSNa=$_S>{qnzd1 zJfh1`6Mf>(B3248_3D<9qNhF0-ZttI=dUw#Pwth}~plXeirjRKfUXs_EUHFT`frX=aJOnyPDLp2SEVH(HZmK{!h%m zEDtbI|AYDY;_cdd@SVwMt^M{cC2Z~5n(WhV~{*i7|h>6&kNXYv*R zyuWT4l4Z1|6F0CqV((U1_rqa<*JrfsP@ZVQt>B`hvsf6jwG<0^HNGIRm*NEZUW{Yx z(l>hRs!8>caxj!IdR*uNXo855JkTk|Ek z>TJCjG%?C)Q1m2*dO{F=JyNE~@u9}p=&q$8>BmMnbUUl{Q9EN+c7juV*ERI1l|ku& zr@}RDDRu}rjdq{rx*Y`oCSO)LNq58lhSey~$9vq9hkW=TjApfW}QIe$gHJdz<`fA%B#k@sDfy6J> z_@25jybe5GDSXE&UqQ| zN)zAH!akkz+v{gH`mPX+A_2y9qBvqX?NqOEg8J}L@1*GO}7;1 
z>C{0#zJD|-bh*$a2~vVs39H96n?15eG(Nx3!)<3N_pq$8BmS;fEuavP9%XXPjBA3m zFln;c_M;9I!y(G3|Lz)3W^-@8Lr?CVES*9xNsTnl&CGq4!)(pF^ry;mvCs@1vumI3 zcv;UaOWtyxLf+QY<`VG5sB1s&R(Dk&$lx#1-#oO>2G~t4qn9)oDX#m>QyNstl-o57 zJiK|CP+|odLPbGtH7e(^&;8aU0MYU*mMD9di5M;$RUTo%@ zTXyVRvv19_5)-HPqkOw{6llxX9cWVqKoxj>b!p|!x+@y^i)1=ocd$+(Nmq=`+`FmN?d8T7`c<9 z#f?rzF6*k^dMWW0e8*p!n)K;0i;Yhm8Ehb>N~p~1J<&t?@+vJkhGcf-OPgeZ1li^! zM7~Zdw}%B{lglVRm_62xXs(E?QUU} zzEPTh;_s&ehbq~Z*mi$yGW%tx<3VmH=sz88|8zRy?vchmiCI*a(&3%POTZkiNpkI@ zr(Rz*O7hVpGt6_9itRr)`NaHc|dO&^P@pmiuzJJe#Ut( zon($)De&xZM?d>1#h36w*|=I0tu9wWYZZ5LsmNB;;q(X3Y%=u=HdVDcuW8-SrCT?1 zvqV~w6;wGch8mea%H2VJdF9)sWVxYJnr|&Y$;t9|_d?V`G9!)t;^+Z$RR7mud;Ke9 z#n4B~yz;B{U8vzy4HYts8a=;>@3m#eFUXunz;CO*`QzP3T(%b76RXQK#<+Ny@yE^2 z^{~xHaE++2yL1uxudRUD(9noa-%X}ES~#by z(8dfCZuYa?`2^pL`p*5f+k;*hSl40tkbJo1j$ei-;dVp(&$ioqd3P=DI&hpZzW|>3 zo$*h}on8N|C`9mlLH}YFzRM2zAIu-$FgB3XC)rD4G+2A1^s&xCH|l`}?I#J`DG`v< zrl3noJq)w&_xn#B`6lAn@#;y&PUyfVSWMo%1khKp1ZuN;~>9FXVxlJNYwJUKl2 zZ*u96&$HU)f1v*+m(FmW)i(Oqtaju}T`KiW!|sOK7<3ZJe!@qEL}n7tz3|7SfrJ129HwFlt8q&z`(Hvg*)_CKo)X3zFpOPicq zTJ&#Nn&sTm(|=m}PsJs?_7Pqi?7y|N4am+3#P8}1`d>@`&ssWB;_B~od7qtIn&}@c z{qL%B2pjk;&Me&$gtzn`YDjodR-SJpQ;Mv3QC94kF7JO*Lvk|r<-@OYSz$p@VKD&# z0g5Y%F3z6T&Ypaa{amf3*v?r1fM5O;SN=(D^{KTLFPnfEn~tR?Uc*R0giSy|N=Qr! z{~J}U#}rq7ueNF}ENLz%C~RSFVJY%oYOB8$KGJpZv39q%;(OpH#ipRI%df4BNBC1B zN#EAo-CEbh&e`*^wYk&TKz5ea9#U+ABK!jQFL43EbM+)GeLi((Zx;t^1y@)6i_&a* z)^1*Q?$&zN=2kk+j(!wZl*~QxANfBhH2v}a(X@63dD=>`i3pzw8>y9Z7UX+6263x3gCWE?iI|B#=IH+ryGq38wMCIlKOa*83Ms&!@m&1hLKr z`R7J}gtpz+L zPwfKy9_e?y?qTg{@xQ#zridrC|5;wwle+r5-7xUX(qW(ek=Os-qQ>942)a#slq@owqt`ey>W z@NmKW4E06DKcfCSA9jI_&;1Owh4deM7+%pY@}(>_vj5zNx&D9U!|)rMfAL{jF3xx{ zJ_)>HxZjx%lVlSTk`fe>5|Q{jK1^J|TG&!d)Jnoq^8a!dCMY6u=EGj=YO7LQVZ4I3 zD22M3622z+%xMu^Cnd(;)1Ov1;(suBDjRz0<8=vr@IIG7!OF$Lnoa#IQaJOXes0~? 
zXOb^M>PiZaeWxrict^;~MNAyw!?t+u)yXA}cM9KuRC^?E>&Q63A+O-B7h18Gxxs`) z{||eA85CEyZI8pSYiI7OoKxBooO;%Jr4i?O!e<1`f!r$Zkb?8 zIM6Y1CQ!t+_-$nI8zWYVl@#em6Akid`lV!>e(+g3NDT^TI4Rsv#E6DIK7icFKzxMPJ>>#+~%ouYX4kxi&6B4|A zVw||&{xos9iY(Za{F-p%2j7(2r3h3nYqIz+H7%QzXK%r}~l~#_|#8;`RWIVjl z?X=W3o?n&@_cCAHcN6Ttlw5l)4!d3rNyWT7C>P&VS+yZOC|lKOx`=$@?l1hrLBYaS zDB2RAoD-_Q&b^GhPx|dk9S|WtXl-I4zh2em2r)du4o@;!v=^b1`hZ~+qmKI-+208K*|ZzBE~{n zL!xEfBg(SDiNhp9pA&x_T=%WSK@>2y{Z!VaTZU9IgR8w_Zd<;vPTczIG-L`J_l!=W zyR{M_jZ14&ySSplSvEPKw6qkHor9x5h7rlh$?0Ie!Ac7T4-b!(qLHA!zJ6i;tEW5i z;n9%;#ZN$k^-5}RYHF%SckK0pf)wt(n>9;hJ8z%*V=V(i6TgMSLvV}T)*_xV%Tj;k zy)F}pdNq#QeWhSXEq3LOit1YEW_RG+HzY}AM8>A|TY$p-S6Ocx3hDr95$Mnq(^s8{ zcXz>Do1^Qq15@_{bRQ?#t|VFHb%}<;CfuV^Gc!%PoJ5!k3k%=(dg6L@JhODY_nShm zX7{8vQNMUQJ=KL36cn_)e}pd|X;YG!Q(gB9`3N6pyfweQSvA?&g|$>{3lgZa!wSfjH{MOo@two%@gNAyEQ8XG`d@*YLKRy`dfi z0&eUmf>~!k0wFJcY^g|sp{^XU;2OL0^)7lEdMPa}Ey|m-wJZ_T`o_khtxjLak#qz; zhSRnWHl=a0Xt2#8aT(gm%R}{N+uC+iE-+M52tO0vJEko(c;bvcpx1q8f_HxP!B)Fg zuPFP&c|Ln3cB8x^BQ=JHcr?@O&ZhDU^XCYo0FJ?;;br{~g|WI}0029feGLC#emj)A z9X^ImCdwPsPBaX8&RA~0?<9W8Fyb(iBI|o`N3W{R<51EwM1NKTeKEu>I}vfOA6Y7@L>fDx`cM|DC}UPCHQ)f-5q@SH-3yyB&RwBlQSG-`wH zMJj2aJ}G2dXetL~W8Mt=JM1`w3b;VDNJZ9IG8_>#c$_o_@@xX#B$S1(r_S3%r(P)l zLecRJMid%#k+`E$Dicj6J0G|vGEe*v4%ld?{MPj42Er=kj`M3(qlYRsY-p-+M#ybG zL12PY`H!6KE3p&m6OVmkW%!x_G|ItvMOvTWR&^^f6Zqt>u@U0=kklu%I;N?HBJqxi z9;0>q+5xi}We!SS4Ia4P@4i#A^Q4a7!>t$lhM^kS1N21{QKK!Eff0LL5Mv!HpfO61 z8;@I^pC@aW!0SExx7Ww42vO{t9WI7uB!Yb*HW-_WQoT#H$t%$X7NR z^Lg4loCnEgtBSHGR$>x&Ke<>ZHFlz2aXr z{qORCr&*OxBK`k-Ms4t)M+MK;2Jc_8|Ba|*zoRPrHR^xczx=tvT@1d@Ddhox6|l~H zS$}(<11C1X9|O3;P4%y$0t=wXU!opN{Wa?E3bzNDbAr9t_#%~O5 ztpBg{`Jde)zkpo~2746@^vn7mU{7wC{sx=kUxHl-Me!T#iNAvV=M;M>hTQxEu&rzy z9R9D+{r`tUBwo<&1f#tMM*3y_545K?%zmRy_Ak*cf};G5_Sj$1{$2XI9mA3e^#I@6 zWr#oj0otZE4#xWShGr}r|95l$=Wp&cFx=~4s9)Cqfcx8q`ER&M{w3VSP*lI+{;#vQ z{`{@=a&!Os2XMRCS{YkA>D$}excnd9|9QL-!9B@C=)bJL#T$Bg!vgeDo5A`s-hZzK z2pi7e^n!Ow3i$T^Qy+^~4R%pH{Xbuuk+e4lpBnhbfgFFS0W!1jvNQiXwHY>jPGdt> 
zRs%NUKTZw&-&>pEVEae484&n>2K}zhIJmi8fnWSPRY2(Uzf=M1-f4v-s9`=mjWkDY z8MhT2B1noh4fOx<-)q7y(xwZs6vn~jM<@} zWqI|nu5hZEeS9bV)~40w(LIaj`F1beu+Z9MjAw7{NcZE3jpxUcc82;^Bm(*Tb3bUy zI(qt;wWe& zCr!|t^%xispWCm-OuxF?pR&7WT#G-0{6pxU+>t(WT1t4KGrOjH!S2t^jVH9oJ)`@K z3Bhd0LocdBV2|hh99$)2%OZ45h%-(S-Wm>xH%-)GC3rnE(jKM3GtHmqa@sJG?GdVu33L17f2m)(7%p{}Wm5`SKadO# z(RO1V*OW&4N{W(ywG2#6?z<_KH({OYR=#N|Yl~K$$D~S#oy?BGfdR_G#sqvB#f-2s z_AP%0%JQO=r*ivR@*aoOPO9aaRm@*B9sSVVx%}-#js@f-oHz}XI1Qybn#Lp1hRN;2 z561Ip=k{T;r7N4X%A|XCUW13iu}&lf$j1Sno{8yxX@)F1puD&+hLbi#Xd=oI7r@~= zYcy8&ma!;!?2Df=Z{<5isKh$%^3GU!y>Fslf1=v1Z1JAy4?E`{g0j(>)s#uYQob+R zvRP72Y3jXJO7Up-Qa3=o=d!a-t@t@SIQ9(z!`u0rwE&c;+Go*G_2IKDixA^00`fYc zqdf#7sKT{EM4HNA{pl9}{xsWoVB!2s4T=o&(pa zOPd#)B`jniC+>jcmXMPjCQ=8+sYs?E;hHD#7(C-%{QOJ9S<`3KK*$L-29JAE+tX;x zPq_O9r)J-pzj4Mr>Ony0`_VVp)%|d)NexGqX_bd1gc8R^*me06% zYW4Z3?jXijGW33Z+|8Nzd{%O0wIHikFqapu*I26PYiaJ3myqc~NR3LJ11?))?LEWy zOGv6>q1+BWM59$V#-ePezGlQvln!>-YKy_81HjOpsJeMd#HURJd{+54Pf6M&9(+!K4 z+KjL4AIxu!a~6WFse}%6qJhJ?_k9NooRD>-E9kLEgxDCO`Tpr5WFy?d4d=^2Nah*{ zy7c|i7_!(F9KmAFHN5j>-WF7Ew;Q=?i-`mju5a`wLb&Ire zmc}E{M|iq)XE-2{eqD0*t@+pBcJvo~p2V!`nr7%^{*0+9JK-Tyr*=1yVVn#To#`!% zJn1|^r$@ui3hqqf_@K5>b$vJGWMsz~#L zzT4$hg)K|(x*}!#?}_d|nokt!i5!b6HG($zJwLzt+kB>)oOR9ftU z2DeB7M*OcGnwMNC0_TD()L+)$<^q(!#>W@c=Uw+lF1*w#{+qP+PU)(HzrxSnJq zYfrXaz1*6~UbC&k#1pL83?k|yP`%F=8&tYa6h;-TCs3@T%9&?&5w#CAu*SZyYtIjc zWec~R&J&N7&4Y&`Fsz$B*R4eFJsz*41imRg+>MJzWV32r9KWr$$Vo~3mh}8^KQU9Y z7sF8FMkxugzI$YY4ywdl9O9S6VycR3MnUg*K5fOR;YL6~nJ`a&?(n!Z@FntEJ|2A* zzRLS4^ob)-BUyj*=b9I6a1n@V1RDg6ZTjo^SqSFo_L8dSY^?+L>EX6VvGs8rIVe}) zS#2ru>(~3;qu~zkXIB2lbI%I5`|1IZU8Uxp3)zuzS85^-Zr4?1$1@J{@@+Pp!J5~l zj(FLTQ8p&=QrTXX*9G{Iu_&F8&pRh|pjj(wH<7|z$mk<4NP$EC%kEhW6d`lpUR4Qh zUBTO5D(ClS-j-iR!@a}vKQS?e&S;Y`4X*YK4-fmyjp%-THex;z`h>hqf$E&;bwfIM z5Aryj3g(Os?C^So*diA4%HHog6y5p?K6gtXP#l$cEMqCoS`SerSkC_({N{1Ed3Y|| zQ>tB=G*FYHqlkxD>qI%>i~ubYO-)Vb_~4PCi{yIQm!n8(3Zmb`twG@^a&Etn@{8+o z8himj7=Yl|hj~}!KJej#|D9Tv!PN3k%Al4n)Z(A~XKH!5!r!{2z=jIy7iu|@`D^{) 
zcWF>O9o>qh`M;MzUkGg%9QB`UYpi~6YcT#C_3sfH5hH`^OVqrpKM@-Ii-qIp;n3(m zzpeR8%bEGV4nt>Q=jCAKW&5|bH3lZkCY)@BhTQ+_35|=56>R?dyB%i`*xumwo6%fx z-cJDl1V;a_4y8OYlpY_KE(g!^QQn@1oSX_WMe!6d1v8l$Xu|3n zO#}i@@PZ>3?hepHWW+S|kN9{dVQqhwXl2_4gU_{GrS|1L{m}jCqh<%Ggq~DG^jyZi z){#zZbkdsXS>+S)NLo@-5^PUTkFzW_Cd34A%o@i013Ejv z$U{yZUB};`LY<3trllkMDBb6J06HTO(_xrdSw(m66@do_2W*3#DS-4(%FfO=I!5cN zKC7!AAO_dJoyq~m`H}UX{1MZUgm?Fv>l9uAD$W!x3tQCQz2l-wkV!yJb50L3l+@DJ zrgxwQIQMKB8ymlBTAOwxaQMWDgXja`4K@`4p|)u#DJjWoRZf`^U}V?Tsmj94L2kYd z80|4yqZ8Yq1VK(W1IW`aYi*r9G_|zS0#>G? zjshHj(yqL2%ye`gO=V?eiS>FUMoIw77N1Z|$h>TAqXAcKC1y=_E4~NV>xj4;Z`H&u z2NcWs-#OU6*A)%S;VtU+KtZP8KRYvxT9=P%%g+yBsMdDi6vmN=v>FCb-<3djmOIM; zwE>I(Y##)lR^rWV4}cp~&lV@u9_0F`tns__bYx*uz=)|3_;nt)i0vINL=!+8;7TX? z5m=N(;)4LF+%yy0WZwY@b&Q4dcg91A-`w2D69PVnGWHHQl+nu#K|_mNU0$M_(!0dv#U2%Szs>n+5#D=1B;u&xz1wR1Jb zBR+KoeegFHx1S#Gu5ES3h5}4_>Qhx|DUy#Mt4+r6Oqf5Ab%LMrK&+5GWWY~yKAo+Z z+B=H%T1=*2tQW+HcVP25X)*Qb2V9@w#OUs^bUKM?X)Pr~Mze0lJAvrw!zD5k6Z@Tl z31j$d`S|A838oxd9VDY@l*Vik4UHskmac|+Mjep`(enKk?;YI z)Dd2)z)+4kVgOkK%R7{)VWx`1J4nS+Cn45%x!b%xc}m9X$4`5Ancoy}Z9TBed}4s1 zN8Yk_DeE;Nn!lb@Ig5sRqFLtFw4c50xW|;$SJnyDq5Nrm=wy5zy&i@j6=j;KX;uh2 zo4*68D~?D2tR}G*0Dk|=p>*@JDWd^^?LmPTB@Qcv!wd5(fql3Cl=)wVX1)J|`H_9t zl8Sx5jgPwTAVXve?kHRORUbf%rzBm4b9-K69?x~q3H1xpa!uuvQuhGzU?Q+2S{}(3dK>sM^CY@VRss$NGklGUsBKW z>eF>64NC`586FQ*UW~>XmIf-T!-X;)i`Mc2ZnDXg#P%>LS|hVWtx0F9 z*5?WRy`iO720vnovLMUlpZ#wKQ2=gRa7*7_;|U-hNhKFc{GfZao>V-P5D)i8Kz26~ zU}iw>P&)%h^$y8jHOFwuMZ8L!b?%Oirx~q%1iCP4s>MysAa<9UvuB z615N=uqu64G6#S{_ETEUUE6H7{4IwTF%ITZaQq~)+XMg=Ns&;)mQJqH?tX25W~(H3 z{a!ezAZE$1?}#83YQ3j4@4!j&r|p(bzV7eZT$VomUS09dhwdih;cqBAN%a}-1xd=H z)BJ8AU4s&h79ww^VphDGQAm|pFY43SI7iH&G+IyST%X2VvRieBB_>qgdlESxUzdsc zdrPhGQ~JDfZC1O230E!SV#cU9!CAw%O8jsblt;os@3ywCF&vq2J1(|?`IuMiuE@0r zojowg&I_Rj89fFVkt7o$_njbJtGWkBW5Uo~G70z%J+Mr(@?&sV$@xH1-9pp!S>e!V z*WxO@C%}+UtFJmZ^2g*!^+r+NN#1R=-`zUs_b;l+KJ~aR>5$N-R-{2XhR_4Hh1 zz^{HTnpC+ry2n2&CHBd=a~*t`k#o3`H?uC3w&6UGL^nO9N9#nK zc}qD~rEQeXz*YNXyf`#Sz>S-NL1QR3{*j_r=?LP^6TR?-U|{ 
zQ|ag}+EGx1-1|7VPS3Mf8toTHWrtLd1PCJyL}r*Qp}EF2?3~&2Q-pz)?;+#x*2?N7 zr``SA0h(AeR1Qa~Y=$PoxOt%qGkS?KhOytRedHV#`C6Q+Y;`dBZ;LEiufDHo<>Vxqo3FhJzf z9w_JA!xsC8bM}H;qL$ns{|N!3D(f@QNPu<$)dK9gKVasJ05I2<*HTGSVI@c(j6@_B z{|W{q=8*F3gO8pd*CwuyK*XrfL(w22b3Os(0#fJO+K(pd?;}R%PMZy2qG?fub81mK z`M5LEw&>yA@lq-mW({GY2c4+-fNg%?Xdc-oUg@>r>eV|`NL~s(m5(5T5)Xv=(E#P+ zAqKd5(`AO~DU&l5{$w%eCQrc(Cjyc7U)EG-MU`_Rfj<2fO|5D))^ zVy|hmYH(~KV%-@ z-6VlAu@6z;Tq)VQ~m<{n3;3{Ri)w+f=6e^@#Ee#BAMM zkp-k^8C(#cA!pRHk?8vgZnm7Z8a@x9@Zeegd4D2u@})Bp{oNPjyT14P7)!5&QE)8? zmj)KDv~Hu+vBp$v^7fq`PLfmR>S-sn#cGI!4S5x*IqEVZPt8~{%a7{XWVU-il2Zgl z_qo9DbC#V-!*BZw-%UXQW}vcXr+xiGfz)WiUBG>_gjy)!0~~Ro6d87t%MYzU2<7#x z0W$p_MkbAVeUvFaaj=3qINa+%Ob#c2V4i9)Z%o<(w7A``=Z&3KS)A~4J8wccekM1` z`-!YugI2#o{M=&)pn81V=y{tZCNIyKPfjH&Cr6-N{)UlLcsZzpwY_$H#SS3l5#<{k z#iV^~<}c08R94(D)QOx$YO?G#PdI+6hZ+gFAGa=l(*=9p+PLax)3N%Bl}w}FcU65* zei^zNH^KIFseJTdupvOH3((ZnrZ0IzZ+#PXMn+#;Wkjb*#Uwy&$NK z5J4CLe#|^9WI9xZM6v%Fxy7O(WlYz5kBqe*{mhL60tc5xG=9R~n*=xHA_W!%BJ_w(3i7{;Wj?im>?} zJ4G5=ioG&zf{@sY#Ojg=|*En?|qMM`E5v+#XROxWuI@PP&vz?Rllu;z!7e+4M_ zyK>Epi@Qu$0ooo;8Q#w5C@Lb+s^T0{AV7kZ>rv#OlhihZEfB1QxyUQ<(SJ+VYsX`- zoPANQ+CL#H?tM$J0di#}&8`Yw#*b|wGk#q1lE&qNXbIK3W*Wn~?V_7&e2%=QWGK(Y z3J`g0?+Uh61+X(1+K>Rt1O|+l@ZKbtA6gjdi%%m*Hx~Zt21(WeuWLh(F1`OQwd zd@4i&y}8<35r(t`o!1Qp)R;>|It`!Gb_(G|G&955&~O(>b$4RJV;6*Kv%xpW&y1@`NxH^Il77V~!N+^(<#kWb+o zu4ba8_e2vmlu(LOlTS9dxCJhfMOZ>AYs+4ulyg_bGw;>+3r!Uv9u07%cVx`Ynj!2o zC93AA;2OM+An!f=g%#Bybsk9{tD~EYezr^9ELeTeUS|LNEfZAiQQfxtz-1rU0;{2q z|2iaS+w6-$Y?&%ZBxJXNF=S`Y*F}-tBnO_2400%1+nb-8(^wRDkf!Y3iMwOpT>mjp zjI}xUBMzO8nImsDBD1+ybZY*rAEF3MpR!`J^Lqjz3I35PIc zk_&FcF^c9CVxtMe>#wYeuRwIw@5RaVta-_V>C~29g~>0qOdNe|1&XRb5mT!kzA(S% zzhM5Cp;=n{e`tP^&i#Hk3;7X&X57* zdu?k}==I23J3c0^P&4E(26V5(z7AmDd~KF0jU1z`JU@^6MNS?0>?Y^7LD~wm75T(g zly7oWP~mHUB$>|%Kr|1h_Kz_7bq25AV-Lk>u$adh=FlcTV97@mdv0%8y1uc^zp>&B zNp6HCgn`=UP1-En)Lvp*)u2_%s;zYBJHtdAB-k8TqRWCvT8}1Pie|P?fD?(K`rQpy z(&{HtoMB zg-&Eejy<$yA8y_jS`XPKIpXBabuHY8SSf$4x|uAIcB$-ax*g&vc%~8%@PwIAV&LU< 
zbJG)DJ;`~MGVv?8fF2=aY?-mxvf|@u0xn)Fj1%{wEWd(;RpA-+NqTe7>j9=FA#R$j zYQv2;mFeLd#0YQ3gz%G-Rkj@{t+OUlim?q;YOTJV+EVCIk}B8e3Zi3PCS?Ra2rlj% zJm=_Ye3QXD(cWf!Jd&B8tZywWftBvQTv42zM@m3S%E^6V%>=e)Uujce&ee(KoTG26 zHwZgxvKe7=h+2FgBsX~nYcF9(X>2{+1VJrHM)$gC4&QdE@Wc&A6_1cw?R_*22Wn5H z-(xq1Cn z*&B1tcX>RL3~_nQa<2?Z&|!M*xe3!?In{o7S#SnKd1$zul~ zI7r-e475pbE(qkoz6D4KQu`B4_k32c<;_f1*>Kb*2`E%gO-Ou)RMM z#ubj-q+cf3DBb$aa@C6U>=+HK<5l;MTf&9PAi}$3pjaq{4;JJd7O%CpElbVIM>Q8I z%&cYHu~S{H!m`WVQOnpUQh<0&NWyK|Xop&Na6YUooWgciu$Z$AS}A25STQJekdYGO zqng|81}3MUXmMj}WY+CnP)y|fP5a+#+z%zuJ&@XK12kt5F`G z$AK;V-0OX7@i9TdGzC=4I+gO+@$nH*?BHMse2IM_=dO13Oa@U7b4j=By@D}H7Tkp2 zjWwF6Yjy}z_T&w$M^whm%G!L5Cp`bl6+$DV^Lu29pA_ve!vGQUYnO5@eI zRU5^Kk~@8UMx)Us*6OAN!Y2e95KoOd3)^a!R+}}fjrmuhGp6XSCAj*w4BO0~uR~mk zjy-X0V8t&5eIDE9^5GmzrXvu%I9yJb-z0r@Uh3AmI)2x-mi2bi^M(0i{uT4T49#Nt zgZUxaYXwB^LWB?nFc7~LL5ke{qKRJi#O!55#(*0_+#b<_URqB4^(FQ8!P8-Pv^mDF zYKegCgH%WH7MhJ>TO4vJ!)^8hcUpT=r8LCC*`{y<2t8;w&=0Dsmy5U>BInETZu{cJ z0TPqY^LY=-nvnvJexp@efd~m#2TEAIhvFF>0NvdM5|C=+mD&AyI54>IS0tw-Zr>uO&!|QB?iz%Fq?9 zm;gIPJlU>EC_fU0K;9fgMody&lb8CS$7|f^C-~Ma5uxa1_wbPbq~0HCS?)fd{zK%( z@-~Vn*YhX1Ql`%$4*7VDi49`F&GBck_l(V@Im2)dF0i4)T*TaH%d1=R|Z*m z|J`2ANmuxs{5CH+hZcrBK7U{}#3Cb#=t`h<$g2&prSQi|u19y)dL?EXhBlXJ8!SDp z(I@b6zLKBekT@f37>YY8p+xk@k^vTD%sO(_QkOxAAE^13kYlQG71<}SOZQ-fw`{uC zH*=}?T@UkTXC9WVrhvl`vv;78%!Ws1R z*FIEdQ95Q`RAX>-fK*z%EIdW;cdtrUC_qc3J`b_)2gfUYdPmVi#^_D4)$I#R94DQS zg{`KIsnHuCI*QRm(d{=nFU(*RQ=O0_pN8;%sFZ>lOK0JI)aR(YZ%0~-@hySK2qKSG zJjG8+Q1C9mkTqHV)dZHwYYXapSZuM`W-Od&>iKCq%fx7!AYFKtA&7NT?9R??xNUo$ zRpJmS8wocU5}vbTHJ~l!@;Fegs64(!_#hMZP@o`t(U)$`ln10c06R1+j>_;kh>j`P zcO73ae(r;jKO;*!#3FBt2t8KMYjz^cH^P+fd?d>Z=R9VLTWrKFQr=?odp&QtVE9PD zB#svZ`Xy@2R%}j1?2#Qsn3{<|U5$Z<Na0q!Xx^WTh)C zn#3Vt=A47qOIzARhsZ85gUL=f0G%Y{7#cIDPfV>7-n)&amJ*msqv@X$6l^}R|u6eSJO-BRvL3W{yD0va}tFDQfHvDKC zqRt{TNi_2-(dtEe;b>68Ig$=3$N|?@s5fs=9mn~N>Io_{F1qQU^y=}@eeSO$KASUS zL&BucJ*C6^*a-z`;UUzltvB#-LFGF@be&CusQH&5Es$37?P*|3kHdHGlrDp0QEM&` 
z>n3jM-iNtdBsy*EcO(J4+KA=y$S_Y~q2r-1GQNH}+o{yQ!i5K55kU7Os))%FvEBh%=t5M8qI?i;SY$Zjmrn-4wUnU z4NV&{Qbf%tuxkQyi?K!1*jg)z9%7z-F|tHIde}gzLazrSKg8Zg)goT6y1~gmZopw? z-~&Vscm`<%5lFIN#g?oxIa}8o+qjIpTW-B~?OvE42RwAa3v69_S$}I;0ora@y$sFr z+Wdq0r?d!Et!jloUa2=qkR-E~QTH|y059lmP}dHjNqIx$4gEjL#oUUl!Y{P4eRwZE zHBBT;WVi~gjCI=a{G`>;#2^?pU>oLxc#QS7Iit!N?G=mpiR^LKZAld6piJ&FC@eG}`P2p85Ar8}?h7K6RY+R*Sgvrp$}WqR=O^ zupoAL?vBc-DNGKBrN4@FU zd;91J!ElHMFlROny?=OE6F&{KR6cX`@$mu3@(_b4Df?ySy@>p64~uf%*}^|)@S8T$ zaO|-g@Ah}5tq-Jv4~RJOD`9>1o?y;;qx&{O82p+4Hvu)m|xVT~W64ejwUquC0LD9ZM zJ?Q*v)Ia-Gzz;wmfiEv5p$cNswbcJ)qSK!M6Vz!SWJS zqvoG>s~te#Z2N%p=cs?rr-Wz75d0FgsOnEXCGZ$A%>vj(NpeLTAmC**2J)q-9mKkO zV;w`@vX%8E+g|QXN)kfST*xVl$g-$e1Cn@uRIWRScjN(m=uFrt=D<^0g`z~9T=63Pz6C$Oz zo&BJ3Y&#`HE_x4{nv+;cD;YaDBC+px)i9f42w}$Ye)z5-MQz%Sikz~M#)#+_jEMT* z78U_$NpA5!53fq8gt0j2v%`WV^^;HSOue;$)E=^*sTJCUf~G`h!Mpn?6i+c7wY|s$ z6C^bOlapIlF`~uyxXf+)HyQjpArTdWuOH;v57QC5uoMQKDbGQP%0@&jtFh z!XUHd4QDUdMS;lr#TJOXYciuI^Wvj;12SJq`SMULtavi+PB=j=Vk)5>1Ins<*=3@v z>*t-u6(qAP4={sClXA>f2a1uV0-PX6I8*y;EPW^LOt=-NPw72MxEh7f281k{33E}h ziNcW;gyGSj;ku@nb$Aj8yR+MFQj_o#rq%=ToLD^B1x6Bir-I3-fAE@^pXv>#Ef2{S zt4xI+pwt{O4*9drY;KSaxVSg%suLx?zS)=U6+eTK&lfh(Z!$49UQ2ycKve3gR4oEt$(ds)C_84+;g4Q;9R^;`Z`@ z+#pr0)kZ1gN}rg1n7h!{W4IRE**;Ewo(1=}RlV&EvKusHUXL^#JQic)C+yv&e~RqvKn+zc-YbkT(t`vvmT2yiQN6d>B$ZUNrdcZarorqXVT_n)bVas^7ypap zf}{8>FaI)cSABeoR$Iv2yXQ@S03+X(n^C(rWKKalf4}xSUHRUE8v{rOXM^312lk*2 z|9qDuDANo=*F$kCG=Y$Me6O#~Y4j`;5)&7~CTOD-VKFDz#cEbohZclV%;A3fX+rJW%2CfCk+{oxa}@iC$T zCqyd=-wX)Pv@L5rdEBYc((t_vCI=bjaQ5Vd+Rj+khsXpKjJv62xPVWTn+Z;lp2ot> zG+uFp;B++UzwU!DPY6}*u~kv@*?$dFB=DMRk|UYy`$*qB&@&+W89?>q|KR`eOlXke z9=zk!$-c%g=Q;rYIsLw4NZ{xyGxR59h(sL-pZTfvxT0HtPBQD_HKQK)B@(Ya^rz2Fe| zmpiCC;tQrjp^|H%P2Cx9l|%2|j_jv`N2zP3!;TVfwMW@IrbBEco9Q~yY48vEq;v3v zzA~tOlv?$wA@D{pV_c$;4#E!O7U)gAe{~MGRL-$@LW7|p8KjnM?}yQ}nU?h4xLM4j ztG3r&x}5onR$Koafz!8c?TX1kL*$$tB4`vREGTTJAnishcpknwirN|VDy$H#j)sEC zecc!4PyAQR|Kd|p{e$^!i;Uz+yEu|r8~1XYY+$bmI*Teu5h$RG#Az%HWB7%& 
zWF7W)xmUB*Y16Exq44Ry2f;F1QHC;_Xe7=+mWQo>mK2mi&2~^4EifvUC4&pwnu4De z;hr2ISL695x0bACVc&N%T5Ekha&DpnLV^gcp{ukmyA*u}l>6W$NfDjDjkl~n>ECK$ z5pVhtKL&&;QhDv^kUD8R2>*po={!bLkv}6;s@i7K)O<>= zirow?s#?$bI2oVGtvJwOc#1<~osKHvzj)sXH@vuxzX5-SX~mUA$1dzVbsGPf32Ahi z-a*0ki!*;`KirzApptdLZ2-3q!|qUT=|?(}a}CNuO^brl`0AB+ve*z|w43+6J~zkq zgxRD>iP^|_yGSbRDlSCmokj#P3>R{R8x_+TI`YestgG5Tgei(?Zv*w6P1yojVcxM4ExHiAch7F+BWc=*9$6E%Nix~@q*ld9)6#+$B^ zNdC?aeP*sv9J~-j=wKsqD&rqAK@Ai^@66-VLG??mgk{_)hB}+jQ1c*&hDO;-Xl+>1 zs!!To@uEGX=!6NcqMh7f93GPZUg%T*Wr&jGnFGZkn_g z%gi8S?j(bT4S2)vdCeyzA*_hrpD5_lD=_ATBesZoLiB3$+(E)D?`X~x%}=}6&k8N- z?6fP*9cJCmIbgyle&kiTgjwfdk>Sm*mg%y@O}+j=NfkK!fQF`me0d||YY<0wOM0MS zmlYab+WoU>nQwPXr{R+5Az42`aFEACcIK@jR{veGMGcbOkN?})OQ0TojKEyDsE(@(1O!DEu^ zh3tyUvYB6`i7HS!SKq{A;kLLYB8$CFLF_G_Ir~w?FV&1W)N^R5I9Yi}TDbVm41n#m z#zx)8iZuLo4e&s#X5oIGxjO0TV%RsLucUyu9M59_**$BYNwS!Gd|V6Y(Fs1Jt&SP% zO8xXWY@j0X6q>W8l3q4ZCrTDnJF3kovhm((lXbJ6j}T?^sdw75;7%`qeT`WaC+qWe zzzhLMuA7~fBmu=%+Bd<p5hg^0+MApF{QMKlu1~TmI!%@7B=%~P>i(A ziEk?SM-wWhx~1SZmRs}UI@pM>{CA70Y%gf5c7CPe!ZPbpAceBj^f(6}lTCR>27?LE zfPC;IXro6_^Hrk7h+Z$0-^^}<2%XBqkip2ZhYfLERc(oHmyo&h*Kf& zPZZ56aHVA!>IJv4Q-!#a@j;f4ofb&<2IuutShX-nc`POQ`XBUS=!HDHa7U8m@M=(c z>LgDNNdk*KJ{Qd>4bC5&;r_~66Z_>|jr(>XEzAf;gXFVY{C?0yBb&L=aj{a}+!|Cj z3gOnSmn?HWUTOtJZqmldZIU9O=uh4gaQ;oL1P-pkO?-^jiS>MeG5E&Vg90j!Ti5{N@;&E zzmx@()vuH&t>W|9ov%lJhP3Ll<9bUv4hWu$s>kICP5WhbimP!#&E)nvLa(G&nHQQ< z(=3m#KDQYYy$+Re4k*m}Ca9PAJ@Xi9fUBuw;WJ-=MS}a6Y^7_a6AbpeWnn${FZ4pC zr7aDlb)ceTxDc}5N-vp^hM4y!6o$y@fTI4+RZYcp!cyM$CG8=!dF zUukLi_ygCNnj;84C(3p8KG!2eR@r@fF#IftEf`1#fjRFzrQS8@Z3Alf0DKX)M9K@| zBe7od(IqwPd!v=DpY2`4l=Q{A@W!H&t?@5MtC@F}Nw~Q;Im5ZN1cqYIFaXQPdNtE5 zu){x-uo-gMb9EfBzLec(>+>NPj((R3`>Kxw{V6J1LVMYjb^YRLJoqSM$o`0blyS&m z69HGQRlECfXZ$L<`>b4?qoD5OV%5TgZ=?-kc0E|l4b@L!7{!$wp}tTluDjNuZDNXv zmaG=>wKm;QYQ^YR2W$!H49!udn$LMI%ZVD@%|0O*@fI883vv)(m)im>?GM-a zdKP+Vc1?K!DL{5kD%Tp-k3`-2M8 z?ovT+wO4VInP&7W#V@vDGcZJoI$&f9xY!4Br@^gM=^t3C_|ozE8n0w0b-r1cC4F*{ysy26qDmNQYquROm&7o;?-`o5_GwDWosP2U9f 
z-1y#!Xm$FYlywreY11=j{v)2j(RM?&b8Y!Y*1pcAeMXI~!E+Id51z6O+TNr%3#Nz8 z8Hda#W4bqvYuQiPfg2PuUp9Pr<;EJ9TAO-lCKcLjL*nj&D#CP-PJ^t-3+o#L|vfL*<$rLB? z{*OpiaOgQ*&j6Ds9iD5{N_}e>RCc~%O6VqIjpQh$ByNV!s|jT=`#F!J6~i>8nD2oJ zC=nxdKcH}Opj`kYmnJ9S^}CN>*w5`5hy8S#dmvfo^l#4MJ77L9FNO7Z+*X;G~p1qtsnz!@u( zOR=JaB0)XJyv*0^?A;;EYp&p4GWBPGB&AerEDtZlZDQ9Vr1cK)40TMbLE{<@ZwZqt zo;6~&gX*o_!Xw&S(E@*Q%=(+83+T5jw|gj-F%vJ$FI@Z2t3AJcN`LKHU`Y)zi1{~; z*!N@qu+?++-(8WLj*A+gb_<9d(K=G(n1=I&a_XqWJi;yHVOJ7^-7-&9m+T;&kP zta%ziZM+B_e%CFEO5K??N~Z7prQAO^w5G50UJ+jC+^0;2Xczht#||IRGm5=vZYZL_ z60szXrOp#&g^&|iyWdM{XX&|vCodAry0fE>YHdTZ%Q{zKK=hqo=ZOTW&3}@<;&Ora zSE7WYzZAW>rRF-LF<2$PLu5pWoW zAc$cEK}2#CQ2|Mc%Az1u!4%KhygR^u%>kd6kS9m zhyjrMe>LOiNZNhp?fcL9&-weD;@;`5s;|1byZZLbrCa?}l}^==aEbcTJNuPB7`I&T zD=o4|EAs~q|$aBcr1=YlhfT^d*YEY`2fmR%{4t6vOW9NuNn zP=&6CO&oe3l3lZ)PCYz4ZHM%&W4wq(&f*sO%~la{C#qy0M%zwY(Di6}puv=vtB+Yb z++X3ZR}iLladF||`E$zLdn|Dt`jLBGXZC`vQkKu|kFMcJPS_j#zMa z*{NTtkgzn|p>)~Vjjzou-zlYcTkAMyhQ;}H>4S>z*e^M??26>$pJPgv%DTTYJG&z5 z_Pc;NbA$RUOs(jfwDxX^mfauzQo$VT+jQ-!CsHwlm(q@yq-SJJ>$=nx#L~$ z%k|uHRN?CKkI5GG4Y7;Eo2?9z!ZKs~h4=^GWVu}9JU7yc)7QqAZKETcS~QB@{}|MJ zQ$}v-?iG%uhb%0!+~ZHAo^PJ0vZrtNo{I|aKGtCy&5jLx&A#MU=`}rO^Zdlr!_QYM zJZaLF{yo1bF2L#7xPAw^`&vi&X6tsHrkADtIq{8~zxyZKeScP$dq&r(mYpqkITiLe z!PO#pn|aBc{eKun&UKHO9X9NBB`e1+NGC-nch!iDnM(2_XGd@^YxucO%byr`sIXAY zE!;?KUr?^MT&R@#m9!qx&Ijt&1xXyzHA|}*=Q1I}WZD#y3%g`4D<}2UzpEaxIbe&! 
zGsA~c=L$ynhKxAbbA?iQ*s$`M$4dj>q?e?obv|P#f28C!dtK=48R9WMGrR0IvTM!~D_m%QufOF2cG@n_ z``H!4;~rm|ZL3f+v|3>xH+O?Wws*jQ!&my8Uc)YNN%lO-d6_bRlX%0UF75sAVfvvy zHTfAQciyRf>8ausesR;YfvbDZ^j|q{nX*UV^nA04Ntv%#s4XdXyX01#zhT5rP6Jjv zSULKR$wR{##ohMwwF-KcSeAJH&&p|A9Um-Q>ERf5glt9k#X0xnes#F@DC6~j zaT6Mob5^{loI2}irMInRdglH*N0t&>{q*W{v#JZmC2211y|Gt#JkMudz@qe&6Codz z>xZf-j*0b3m#-~%IU1OjFQuJ&=e%YP`_3)7t!o0_Jns={m|jz|z$DNvJ3MXM#cLPj zj%PEhUn*S&#P+XI_x@q9bwHzuE=B$ci2O?>1l0OhC5icEVd8jCDeCKgLHme5e3UbN z)t-!JxrMf_zot8!V4dz^lOgFAANM@c^CqwC+1raLHthPd8UX=HSIqSwpp++-mSND4F_UhFHwz zWxsJ!%t!0qHN1R6H)!VNV?j~B$QDU%eRux&0_R7o6#IlwUg5zf9CL|Zi>AxZ`d$* z+uAwDbB&foJXcpU=LJvoNlEUS@Zjk!H7OrY9i7LM6raASvP_-xw1IQu{N(tY@TqTu zr(NHYI%#cAux(=a;d1f7tlid&5>}d}ADcGbsiai#VT1P1ZwC82D$6h4GjalZ!x1BI z{R#H3DiYsUMQyB*mRgePUM)Lx()*y>X9WgsF5BAQGv$Qdn0b!5x1z^b`WZ!a3o_zK zsmxGP9=URpWq1Ej-_Sk@Y!&yhj`Ox%@jUoPiL;-^#i46rGTl-b)Xw+e{_3TN{ShFkXOOWiIi`DgUsY5$OOKh`MhivFaX6K@A8_P$l>w!nSPl#L!* zKZPC(lJ3oR>bA5*&1Q4nTIIBaX_t9@GA26&ehUHO^|HM)(x7lTo-v-;!O$pC8 zNWNT{Z7D5bH)}7?G3$K%75}wbJ3S%~UJX%eP-#AReaGgbtcNlojX4hrF=W zutpWVi0?aJs`i7|=?`A&uir{!m_AA^o7LiXtZ3{L@nEJNOCRe}0gkcc||FA9(g(JuZa?)22Kz76aFfug%b_$j>OPY0e5DVKF)YsRyw0uUYsdv;nSy2O-)T7KYsl1 z;eB0Q9d@j!si}GW`t_?@TT3U*J^baP%`CWqq=XX(^Sl#AY zP4XY3E$OiHGAr!nRHcn&ev8Ehu`@WHny0*3%bnc1C@<03n*2hIE4wPKWKUjY!ss=b z-Bh>_YxgIi7-TElYN{XwGw%b3* znq@)bBXg4kD-iV|YCS$!?q$*Z037{Sp^#`o@x<$UZFqS#cEcHZ4G;Md!_RlW6rf1vHVTg^b-i1)ULT6NW8MA= zRcv|}Lqe@$w~I=f*Y4|J;+gA#W9zUBIsWj3uPF+T(HqXw($f-t(6I~h3ikF7@*U3e zUE&|2&GYt|8;FzZdPzKfql4^vEyEqJb>{@zeQk`_Fd@isPw7Cbs}k7qM} z63-9^>Y3=98JdaY8R?qnV*4{g^Y8NXg?SU&-EDeIa2TvKFgMgSFde3AYOZU@KYB38 z$7`W~aL{nxI3J%79qT~`%c0JpuOODKa7KE9$tPvI&}75XmH?g-rqY4C{l-7w9Tng`~wED5tHMh zpf9IR84SnnOvc84XUZ`1z--}VHrM?B{F|aC#)1uJ>69sP7LP|)9xI!}VrgIqa&V>3 ze%M;@8tyTP;}eTz1)_XPG05*EiJ=VAtnQ$mAUfFUpCr;rx(S1@L=$zr9w1qe5~%Ng ziAXnL5Ej3?<0{rw$4-iq_Toow*2i1iy$ti;Ala-B_hgbEtP+<|R0XEO7aPQSI0SZ= z-_>+=%u$B%KFu)xXBo!x6vJSXxqpO67wPnYZo-huXt*ZMR!{>z7t{rIMUO3HnE7WI 
z#_0$)-^*i|;RhLJ*w3H?|2dgM59uV`^I(f3us9ojPX@L!`GC8pTq?<5&PN02veyRXA^|794 z>*hJ|i%AxAr!kDuCWetoWEkm{?Grm5I2#3g#7j6b3GMTe4k{xa(oGn%;RnL}f-gyZ zZR#(u5A~H#hHq9gOfO&<;PZUgB}&dYf-e$!N9K_%7&Gs_O+_@3jW}YZ<1ZuB|@Gv4ibYF1_jtKkoaWMLJ4U#^*=t5ys@) zw)n2VAGnTTq~aKc4L`AQ-x0ojj-Xr`ekB`-R|P$}qeNxIBL#fIaBHXjQ_v;@VH@$V zab=@Nc8I@UP`(tSFXf8hUIingqeNw-PYSjY#0AheLvLAwKc;!#L|GQ5o@Y zPk3)9A=8AXiYjh|OlwWu$s6X-cLp1CtQ5o@&Zo=?8+ZNvo zHfiog1Om3~cJS|DnACd=^Xany<9f9~d+94+fse|`_f0K=dpXpxutE?6i1+1t0YBwY z8S#^D!tg6;i|>s*&1~?1j|+ZT*vTilN8VTZQs#X|pr8H*Ul8zezTglRpG5SKPSQ;n z0TLj{+0?z2R%ie6%xS1m7Og@kJ-; zC5(BOk+=8z`0H~CZF2zmkmnO-7K;33i2NfEsEJyy%2--uE5t&vDjO+`{N!mpM2G4R z0{cqPLliSflyo&hS10RAtb(zdY>ZG>Ctuzg(fZ+)<@YN*J| zS1nDVsQkw`XSdj)lLTwp9xOYSl&8)HLOrtg`&CQ4Jb%^l<-au0cJKi8Nzr77wvmND zFINe2-(gM~i8i9Vul|PL$^Y|8+qTVIbp-ZTjFy>uvi|=!lVKnls)nH2z<^b~NYRFNZ zBGm_eRR_NzWdE9PwE8z;)1_55w=htT?r!)vaQFaH*8WzACiH8L`fcX=uLK@ zesq<`n3u!#GTL14Bho>-Nat|q4tc~dGZ1TJx4c>hY+Bum0l%m6FHGrljNJwB zLooa^7kr+eIh_#AH)e?ZxA0G|M6Ktpt|etFSy;71ecesAGi|~$4wWSRh@Vd3pL}CP zJ_~aHSN@6tSAxDLqOXN`AmR5!R`d-`tHfEui~+p>G5;o!49PyTL}YP54>v_bGeI;Z z8if&PiJmVcQ$!?TnH}XrhGYrTcn3zwYKAfY7sHIeJrS+16%qx+!M)MeZ)Nh3G1~sk zUQIkvT4Kf%O*1k2dqIv?y&9>aC0I{ml&hwHlh=Z*J!}?Do`^8~l_lhd09!PLAVR5$ z;On4n_Nb3&@;c5iM=(l`g0%27BAONy!zRoYRCgi+LW8PEDHmJLD4#V(J7d2c}(6%@Y7`2KH{c8UJ3XP_uykheKpw4%f&r- zRe(=VG~@#V$XFD^=cwaY*ys(}5wL^s`)ygS4BHuW*X%tD_rg+2|~GX%C+Tws`m z$;s*pU!KOGCFm0AYD3A0;-EJ90$!4_Y!wdv?T-}U9T4F=Sy8OwuPDCzm5dLAXZs#E z>DhkhBzm^T|9ubi}O>i0KLP5G!JzM}G9%xJ!#=&-&wP@}$~{tt{|S8xCT literal 0 HcmV?d00001 diff --git a/testing/btest/core/erspan.bro b/testing/btest/core/erspan.bro new file mode 100644 index 0000000000..eb05cdcf5a --- /dev/null +++ b/testing/btest/core/erspan.bro @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -C -b -r $TRACES/erspan.trace %INPUT +# @TEST-EXEC: btest-diff tunnel.log + +@load base/frameworks/tunnels From d32e4b25f1d0cea8504dba55c7d321bc29cf18ef Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Fri, 3 Feb 2017 12:34:39 -0800 Subject: [PATCH 055/631] Small change to avoid potentially over reading memory. --- src/Sessions.cc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/Sessions.cc b/src/Sessions.cc index ad82f1c736..4ca5235a2c 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -508,8 +508,11 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr uint16 flags_ver = ntohs(*((uint16*)(data + 0))); uint16 proto_typ = ntohs(*((uint16*)(data + 2))); int gre_version = flags_ver & 0x0007; + // If a carried packet has ethernet, this will help skip it. unsigned int eth_len = 0; + unsigned int gre_len = gre_header_len(flags_ver); + unsigned int ppp_len = gre_version == 1 ? 1 : 0; if ( gre_version != 0 && gre_version != 1 ) { @@ -520,11 +523,11 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr if ( gre_version == 0 ) { - if ( proto_typ == 0x6558 ) + if ( proto_typ == 0x6558 && len > gre_len + 14 ) { // transparent ethernet bridging eth_len = 14; - proto_typ = ntohs(*((uint16*)(data + gre_header_len(flags_ver) + 12))); + proto_typ = ntohs(*((uint16*)(data + gre_len + 12))); } if ( proto_typ == 0x0800 ) @@ -567,9 +570,6 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr return; } - unsigned int gre_len = gre_header_len(flags_ver); - unsigned int ppp_len = gre_version == 1 ? 1 : 0; - if ( len < gre_len + ppp_len + eth_len || caplen < gre_len + ppp_len + eth_len ) { Weird("truncated_GRE", ip_hdr, encapsulation); From 8863fd4242cc6d7e3ac4e1cc35dbc18eaf416168 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 3 Feb 2017 12:38:14 -0800 Subject: [PATCH 056/631] Updating submodule. --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index 32e582514a..9d5c7bcac9 160000 --- a/aux/btest +++ b/aux/btest 
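Review bot: The new guard in the second src/Sessions.cc hunk, `proto_typ == 0x6558 && len > gre_len + 14`, bounds the inner EtherType read by `len` only, whereas the truncated_GRE check further down compares both `len` and `caplen` against the header sizes. Assuming `caplen` is the number of bytes actually captured, as that later check suggests, a packet cut short by the snap length can pass the guard, and `*((uint16*)(data + gre_len + 12))` would still read past the captured data. I would test both, `if ( proto_typ == 0x6558 && len > gre_len + 14 && caplen > gre_len + 14 )`. When the guard fails, `proto_typ` stays 0x6558 and `eth_len` stays 0, so it is worth confirming that the protocol checks below the hunk reject that case instead of parsing further. DoNextPacket starts and ends outside these hunks.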
@@ -1 +1 @@ -Subproject commit 32e582514ae044befa8e0511083bf11a51408a1d +Subproject commit 9d5c7bcac9b04710931bc8a42b545f0691561b2f From 647eb9703f1c27a1fa43baccd83d8b53ca273980 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 3 Feb 2017 14:10:11 -0800 Subject: [PATCH 057/631] Change snaplens of a few more tests. Recent pcap versions do not like the huge snaplens that the header in these files uses. --- .../btest/Traces/dnp3/dnp3_udp_en_spon.pcap | Bin 326 -> 326 bytes testing/btest/Traces/dnp3/dnp3_udp_read.pcap | Bin 5800 -> 5800 bytes .../Traces/dnp3/dnp3_udp_select_operate.pcap | Bin 1427 -> 1427 bytes testing/btest/Traces/dnp3/dnp3_udp_write.pcap | Bin 179 -> 179 bytes testing/btest/Traces/dns-huge-ttl.pcap | Bin 993 -> 993 bytes 5 files changed, 0 insertions(+), 0 deletions(-) diff --git a/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap b/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap index 79881f62e734c6714ea1a20d36ce60e3cd7f3941..f9e6078f5175af93eda370017e1e3f036df13a81 100755 GIT binary patch delta 29 ecmX@cbc{*l%Hd55nHX3YVBr6M28N9yMvMT0c?XLC delta 29 bcmX@cbc{*l%Hd55nHX3YkO1RG5hF$bbBzU# diff --git a/testing/btest/Traces/dnp3/dnp3_udp_read.pcap b/testing/btest/Traces/dnp3/dnp3_udp_read.pcap index 7bc9d4add2dd73d0eb883d0dd37cbc26e07b9791..f089d12f51e72b42cde927c00840df26f1f39a5b 100755 GIT binary patch delta 29 ecmZ3XyFypw%Hd55nHX3YVBr6M28N9yQ^Wv;)Ce2^ delta 29 bcmZ3XyFypw%Hd55nHX3YkO1RGktt#TcIXBl diff --git a/testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap b/testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap index 384b5137d68d864024cf9b223cb9ae54bc0d1eec..70b0e2cde4da68f06974bc23c1d677c26694984f 100755 GIT binary patch delta 29 ecmbQtJ(*kN%Hd55nHX3YVBr6M28N9y^{fDS)dz?G delta 29 bcmbQtJ(*kN%Hd55nHX3YkO1RGk$P4DYUu@w 
diff --git a/testing/btest/Traces/dnp3/dnp3_udp_write.pcap b/testing/btest/Traces/dnp3/dnp3_udp_write.pcap index a2dd31b3b721409e32b617bb2b43ef8609ec5ca3..dc9125f691acc43db7588f15e82f250dfefa234a 100755 GIT binary patch delta 28 dcmdnYxS3Jp%Hd55nHX3YVBr6M28M|u^8t3n2d@AC delta 28 acmdnYxS3Jp%Hd55nHX3YkO1REk@)~=)&;Tv diff --git a/testing/btest/Traces/dns-huge-ttl.pcap b/testing/btest/Traces/dns-huge-ttl.pcap index 27849b904b047d24923e3fa480b8c75e72f22f05..5e9afdaf96a0a052c16e14d3c85367e70b21ea94 100644 GIT binary patch delta 29 ecmaFJ{*Ybd%Hd55nHX3YVBr6M28N9yXPE(trwC{O delta 29 bcmaFJ{*Ybd%Hd55nHX3YkO1RGk+aMId%Ff} From 7beac6e40457a82c26b204545a32385bfaf63125 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 3 Feb 2017 16:41:32 -0800 Subject: [PATCH 058/631] Updating submodule(s). [nomail] --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- aux/plugins | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/aux/binpac b/aux/binpac index a0990e61ad..0f1ecfa972 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit a0990e61ad4a3705bda4cc5a20059af2d1bda4c3 +Subproject commit 0f1ecfa97236635fb93e013404e6b30d6c506ddd diff --git a/aux/bro-aux b/aux/bro-aux index 7660b5f4c5..b1e75f6a21 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 7660b5f4c5be40aa5f3a7c8746fdcf68331f9b93 +Subproject commit b1e75f6a212250b1730a438f27fc778618b67ec3 diff --git a/aux/broccoli b/aux/broccoli index 765eab50f7..ed52e3414b 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 765eab50f7796fdb3c308fe9232cd7891f098c67 +Subproject commit ed52e3414b31b05ec9abed627b4153c8e2243441 diff --git a/aux/broctl b/aux/broctl index f6d451520e..73dbc79ac2 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit f6d451520eaaaae97aab6df2bb4e0aecb6b63e66 +Subproject commit 73dbc79ac24cdfef07d8574a4da5d43056ba5fa5 
diff --git a/aux/broker b/aux/broker index 68a36ed814..23def70c44 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 68a36ed81480ba935268bcaf7b6f2249d23436da +Subproject commit 23def70c44128d19138029615dd154359286e111 diff --git a/aux/plugins b/aux/plugins index 0a2f021527..2322840bcd 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit 0a2f0215270e6ceaf9c1312f705b95d2cce1b530 +Subproject commit 2322840bcdbd618ae7bd24e22d874fb30ab89bbb From 1de6cfc2e335ab965e65ea8955336e1afdcede90 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Sat, 4 Feb 2017 16:47:07 -0800 Subject: [PATCH 059/631] Fix memory leak in file analyzer. This undoes the changes applied in merge 9db27a6d60dbc0bdc77cb64d4f770489455043cd and goes back to the state in the branch as of the merge 5ab3b86. Getting rid of the additional layer of removing analyzers and just keeping them in the set introduced subtle differences in behavior since a few calls were still passed along. Skipping all of these with SetSkip introduced yet other subtle behavioral differences. --- src/file_analysis/AnalyzerSet.cc | 5 +++-- src/file_analysis/File.cc | 8 ++++++++ src/file_analysis/File.h | 6 ++++++ 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/src/file_analysis/AnalyzerSet.cc b/src/file_analysis/AnalyzerSet.cc index 5b7bdd875c..35968c9a02 100644 --- a/src/file_analysis/AnalyzerSet.cc +++ b/src/file_analysis/AnalyzerSet.cc @@ -129,11 +129,12 @@ bool AnalyzerSet::Remove(file_analysis::Tag tag, HashKey* key) file->GetID().c_str(), file_mgr->GetComponentName(tag).c_str()); + a->Done(); // We don't delete the analyzer object right here because the remove // operation may execute at a time when it can still be accessed. - // Instead we let disable it; it will be deleted together with the AnalyzerSet. - a->SetSkip(true); + // Instead we let the file know to delete the analyzer later. + file->DoneWithAnalyzer(a); return true; } 
diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index ff65eb0c32..46e67f7cd8 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -107,6 +107,9 @@ File::~File() DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Destroying File object", id.c_str()); Unref(val); delete file_reassembler; + + for ( auto a : done_analyzers ) + delete a; } void File::UpdateLastActivityTime() @@ -494,6 +497,11 @@ void File::DeliverChunk(const u_char* data, uint64 len, uint64 offset) EndOfFile(); } +void File::DoneWithAnalyzer(Analyzer* analyzer) + { + done_analyzers.push_back(analyzer); + } + void File::DataIn(const u_char* data, uint64 len, uint64 offset) { analyzers.DrainModifications(); diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index 6ad90e986b..c799907a8f 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -119,6 +119,11 @@ public: */ bool RemoveAnalyzer(file_analysis::Tag tag, RecordVal* args); + /** + * Signal that this analyzer can be deleted once it's safe to do so. + */ + void DoneWithAnalyzer(Analyzer* analyzer); + /** * Pass in non-sequential data and deliver to attached analyzers. * @param data pointer to start of a chunk of file data. @@ -287,6 +292,7 @@ protected: bool postpone_timeout; /**< Whether postponing timeout is requested. */ bool done; /**< If this object is about to be deleted. */ AnalyzerSet analyzers; /**< A set of attached file analyzers. */ + std::list done_analyzers; /**< Analyzers we're done with, remembered here until they can be safely deleted. */ struct BOF_Buffer { BOF_Buffer() : full(false), size(0) {} From c857f5c4dd2195c80b8bb2f6f20db184e499da2e Mon Sep 17 00:00:00 2001 
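Review bot: `File::DoneWithAnalyzer()` takes ownership of a raw pointer that `~File()` later deletes, but neither the added code nor the new File.h comment states that contract, and nothing stops the same analyzer from being queued twice, which would end in a double delete in the destructor. The list is also drained only in `~File()`, so a file whose analyzers are attached and removed repeatedly keeps every retired analyzer allocated for its whole lifetime. I would extend the header comment, e.g. `Takes ownership of the analyzer: it must already be detached from the AnalyzerSet, must not be passed more than once, and is deleted in ~File().` If repeated removal is expected in practice, freeing the list at a point where no analyzer can still be running (not visible in these hunks) would bound the growth.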
From: Jon Siwek Date: Mon, 6 Feb 2017 23:30:54 -0600 Subject: [PATCH 060/631] BIT-1785: fix scripts able to access uninitialized variables. --- src/Frame.cc | 9 +++++++ src/Frame.h | 1 + src/Func.cc | 1 + .../language.uninitialized-local2/out | 2 ++ .../btest/language/uninitialized-local2.bro | 25 +++++++++++++++++++ 5 files changed, 38 insertions(+) create mode 100644 testing/btest/Baseline/language.uninitialized-local2/out create mode 100644 testing/btest/language/uninitialized-local2.bro diff --git a/src/Frame.cc b/src/Frame.cc index e97b948dbe..f30312aaec 100644 --- a/src/Frame.cc +++ b/src/Frame.cc @@ -33,6 +33,15 @@ Frame::~Frame() Release(); } +void Frame::Reset(int startIdx) + { + for ( int i = startIdx; i < size; ++i ) + { + Unref(frame[i]); + frame[i] = 0; + } + } + void Frame::Release() { for ( int i = 0; i < size; ++i ) diff --git a/src/Frame.h b/src/Frame.h index 85e1dbec2e..0c22fa0e4e 100644 --- a/src/Frame.h +++ b/src/Frame.h @@ -24,6 +24,7 @@ public: frame[n] = v; } + void Reset(int startIdx); void Release(); void Describe(ODesc* d) const; diff --git a/src/Func.cc b/src/Func.cc index ccb2570f70..88da9a7a04 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -397,6 +397,7 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const bodies[i].stmts->GetLocationInfo()); Unref(result); + f->Reset(args->length()); try { diff --git a/testing/btest/Baseline/language.uninitialized-local2/out b/testing/btest/Baseline/language.uninitialized-local2/out new file mode 100644 index 0000000000..75d09294e6 --- /dev/null +++ b/testing/btest/Baseline/language.uninitialized-local2/out @@ -0,0 +1,2 @@ +error in /home/jon/projects/bro/bro/testing/btest/.tmp/language.uninitialized-local2/uninitialized-local2.bro, line 19: value used but not set (var_b) +var_a is, baz diff --git a/testing/btest/language/uninitialized-local2.bro b/testing/btest/language/uninitialized-local2.bro new file mode 100644 index 0000000000..f11a5fda10 --- /dev/null 
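Review bot: `Frame::Reset(int startIdx)` in src/Frame.cc uses `startIdx` unchecked, so a negative value would index before `frame[0]`, and the declaration added in Frame.h has no comment saying what the index means. The only caller shown, `f->Reset(args->length())` in Func.cc, cannot pass a negative value, so this is about making the contract explicit, for instance with `if ( startIdx < 0 ) startIdx = 0;` at the top of Reset. For Frame.h I would add `// Unrefs and clears every slot from startIdx to the end of the frame; slots below startIdx are left untouched.` Note that the slots below `args->length()` are kept, so a value one handler body assigns to a parameter presumably still carries over to the next body, which deserves a sentence in the Func.cc call site comment if it is intended. BroFunc::Call continues outside the hunk.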
+++ b/testing/btest/language/uninitialized-local2.bro @@ -0,0 +1,25 @@ +# @TEST-EXEC: bro -b %INPUT >out 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out + +event test() + { + local var_a: string = "foo"; + } + +event test() + { + if ( F ) + { + local var_b: string = "bar"; + } + + local var_a: string = "baz"; + + print "var_a is", var_a; + print "var_b is", var_b; + } + +event bro_init() + { + event test(); + } From a51ee9e1555381e252ea4c26066c67ce93b3ad4b Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 7 Feb 2017 10:43:45 -0800 Subject: [PATCH 061/631] Pull signed_certificate_timestamp into a separate pac file. That allows us to use the same code to parse the signed certificate timestamp X.509 extension in the X.509 file analyzer. --- .../protocol/ssl/tls-handshake-protocol.pac | 19 +-------------- ...handshake-signed_certificate_timestamp.pac | 23 +++++++++++++++++++ 2 files changed, 24 insertions(+), 18 deletions(-) create mode 100644 src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index 65da41e0db..1f3d418717 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac 
@@ -491,24 +491,7 @@ type SSLExtension(rec: HandshakeRecord) = record { }; } &length=data_len+4 &exportsourcedata; -type SignedCertificateTimestampList(rec: HandshakeRecord) = record { - length: uint16; - SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0); -} &length=length+2; - -type SignedCertificateTimestamp(rec: HandshakeRecord) = record { - # before - framing - length: uint16; - # from here: SignedCertificateTimestamp - version: uint8; - logid: bytestring &length=32; - timestamp: uint64; - extensions_length: uint16; # extensions are not actually defined yet, so we cannot parse them - extensions: bytestring &length=extensions_length; - digitally_signed_algorithms: SignatureAndHashAlgorithm; - digitally_signed_signature_length: uint16; - digitally_signed_signature: bytestring &length=digitally_signed_signature_length; -} &length=length+2; +%include tls-handshake-signed_certificate_timestamp.pac type ServerNameHostName() = record { length: uint16; diff --git a/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac new file mode 100644 index 0000000000..ad9b9d5651 --- /dev/null +++ b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac 
@@ -0,0 +1,23 @@ +# We keep this extension separate, because it also can be included in X.509 certificates. +# If included there, it uses the exact same syntax and we just symlink it from the X.509 +# file analyzer tree. + +type SignedCertificateTimestampList(rec: HandshakeRecord) = record { + length: uint16; + SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0); +} &length=length+2; + +type SignedCertificateTimestamp(rec: HandshakeRecord) = record { + # before - framing + length: uint16; + # from here: SignedCertificateTimestamp + version: uint8; + logid: bytestring &length=32; + timestamp: uint64; + extensions_length: uint16; # extensions are not actually defined yet, so we cannot parse them + extensions: bytestring &length=extensions_length; + digitally_signed_algorithms: SignatureAndHashAlgorithm; + digitally_signed_signature_length: uint16; + digitally_signed_signature: bytestring &length=digitally_signed_signature_length; +} &length=length+2; + From 5dd19f84a71ca37ebcaa9fbd3b4e6571c95fa329 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Tue, 7 Feb 2017 13:31:21 -0800 Subject: [PATCH 062/631] Add parsing of signed certificate timestamps out of X.509 certs. This is a tiny bit evil because it uses parts of the SSL protocol analyzer in the X.509 certificate parser. Which is the fault of the protocol, which replicates the functionality. --- src/analyzer/protocol/ssl/CMakeLists.txt | 1 + .../protocol/ssl/tls-handshake-protocol.pac | 5 -- ...handshake-signed_certificate_timestamp.pac | 5 ++ .../analyzer/x509/CMakeLists.txt | 1 + src/file_analysis/analyzer/x509/X509.cc | 47 +++++++++++++++ src/file_analysis/analyzer/x509/X509.h | 1 + src/file_analysis/analyzer/x509/events.bif | 19 ++++++ .../analyzer/x509/x509-extension.pac | 54 ++++++++++++++++++ .../x509-signed_certificate_timestamp.pac | 1 + .../.stdout | 4 ++ .../Traces/tls/certificate-with-sct.pcap | Bin 0 -> 7584 bytes .../x509/signed_certificate_timestamp.test | 7 +++ 12 files changed, 140 insertions(+), 5 deletions(-) create mode 100644 src/file_analysis/analyzer/x509/x509-extension.pac create mode 120000 src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac create mode 100644 testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout create mode 100644 testing/btest/Traces/tls/certificate-with-sct.pcap create mode 100644 testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt index 0f45aa1f32..14e41892c8 100644 --- a/src/analyzer/protocol/ssl/CMakeLists.txt +++ b/src/analyzer/protocol/ssl/CMakeLists.txt @@ -12,6 +12,7 @@ bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyz proc-client-hello.pac proc-server-hello.pac proc-certificate.pac + tls-handshake-signed_certificate_timestamp.pac ) bro_plugin_pac(ssl.pac ssl-dtls-analyzer.pac ssl-analyzer.pac ssl-dtls-protocol.pac ssl-protocol.pac ssl-defs.pac proc-client-hello.pac 
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index 1f3d418717..911ad96bd7 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -554,11 +554,6 @@ type KeyShare(rec: HandshakeRecord) = case rec.msg_type of { default -> other : bytestring &restofdata &transient; }; -type SignatureAndHashAlgorithm() = record { - HashAlgorithm: uint8; - SignatureAlgorithm: uint8; -} - type SignatureAlgorithm(rec: HandshakeRecord) = record { length: uint16; supported_signature_algorithms: SignatureAndHashAlgorithm[] &until($input.length() == 0); diff --git a/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac index ad9b9d5651..f921db0790 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac @@ -2,6 +2,11 @@ # If included there, it uses the exact same syntax and we just symlink it from the X.509 # file analyzer tree. +type SignatureAndHashAlgorithm() = record { + HashAlgorithm: uint8; + SignatureAlgorithm: uint8; +} + type SignedCertificateTimestampList(rec: HandshakeRecord) = record { length: uint16; SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0); diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt index aa663cfa6e..9a2d936c57 100644 --- a/src/file_analysis/analyzer/x509/CMakeLists.txt +++ b/src/file_analysis/analyzer/x509/CMakeLists.txt @@ -7,4 +7,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} bro_plugin_begin(Bro X509) bro_plugin_cc(X509.cc Plugin.cc) bro_plugin_bif(events.bif types.bif functions.bif) +bro_plugin_pac(x509-extension.pac x509-signed_certificate_timestamp.pac) bro_plugin_end() 
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index da3c6635a8..e85bc5615d 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -4,6 +4,7 @@ #include "X509.h" #include "Event.h" +#include "x509-extension_pac.h" #include "events.bif.h" #include "types.bif.h" 
@@ -298,6 +299,52 @@ void file_analysis::X509::ParseExtension(X509_EXTENSION* ex) else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name ) ParseSAN(ex); + + else if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) + ParseSignedCertificateTimestamps(ex); + } + +void file_analysis::X509::ParseSignedCertificateTimestamps(X509_EXTENSION* ext) + { + // Ok, signed certificate timestamps are a bit of an odd case out; we don't + // want to use the (basically nonexistant) OpenSSL functionality to parse them. + // Instead we have our own, self-written binpac parser to parse just them, + // which we will initialize here and tear down immediately again. + + ASN1_OCTET_STRING* ext_val = X509_EXTENSION_get_data(ext); + // the octet string of the extension contains the octet string which in turn + // contains the SCT. Obviously. + + unsigned char* ext_val_copy = (unsigned char*) OPENSSL_malloc(ext_val->length); + unsigned char* ext_val_second_pointer = ext_val_copy; + memcpy(ext_val_copy, ext_val->data, ext_val->length); + + ASN1_OCTET_STRING* inner = d2i_ASN1_OCTET_STRING(NULL, (const unsigned char**) &ext_val_copy, ext_val->length); + if ( !inner ) + { + reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string"); + return; + } + + binpac::X509Extension::MockConnection* conn = new binpac::X509Extension::MockConnection(this); + binpac::X509Extension::SignedCertTimestampExt* interp = new binpac::X509Extension::SignedCertTimestampExt(conn); + + try + { + interp->NewData(inner->data, inner->data + inner->length); + } + catch( const binpac::Exception& e ) + { + // throw a warning or sth + reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT"); + } + + OPENSSL_free(ext_val_second_pointer); + + interp->FlowEOF(); + + delete interp; + delete conn; } void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) 
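Review bot: ParseSignedCertificateTimestamps leaks on both paths. When d2i_ASN1_OCTET_STRING fails, the function returns before `OPENSSL_free(ext_val_second_pointer);` is reached, and on the success path the `inner` octet string returned by d2i is never released. The extension bytes come from certificates seen on the wire, so a peer can make every parsed certificate cost memory in a long-running monitor. Add `OPENSSL_free(ext_val_second_pointer);` before the early `return;` and `ASN1_OCTET_STRING_free(inner);` after the try/catch. The OPENSSL_malloc result is also handed to memcpy without a null check. ParseExtension starts outside the hunk and ParseBasicConstraints continues past it.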
diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index c671c68a99..ca024ecf64 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -58,6 +58,7 @@ private: void ParseExtension(X509_EXTENSION* ex); void ParseBasicConstraints(X509_EXTENSION* ex); void ParseSAN(X509_EXTENSION* ex); + void ParseSignedCertificateTimestamps(X509_EXTENSION* ext); std::string cert_data; diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif index fcdeaa31d1..8b2e2aa525 100644 --- a/src/file_analysis/analyzer/x509/events.bif +++ b/src/file_analysis/analyzer/x509/events.bif @@ -55,3 +55,22 @@ event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%); ## x509_parse x509_verify ## x509_get_certificate_string event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternativeName%); + +## Generated for the signed_certificate_timestamp X509 extension as defined in +## :rfc:`6962`. The extension is used to transmit signed proofs that are +## used for Certificate Transparency. +## +## f: The file. +## +## version: the version of the protocol to which the SCT conforms. Always +## should be 0 (representing version 1) +## +## logid: 32 bit key id +## +## timestamp: the timestamp of the sct +## +## signature_and_hashalgorithm: signature and hash algorithm used for the +## digitally_signed struct +## +## signature: signature part of the digitally_signed struct +event x509_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string%); diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac new file mode 100644 index 0000000000..56ca27d909 --- /dev/null +++ b/src/file_analysis/analyzer/x509/x509-extension.pac 
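Review bot: The doc comment added for x509_ext_signed_certificate_timestamp in events.bif does not match the event it documents. It describes a `signature_and_hashalgorithm` parameter, but the signature takes `hash_algorithm` and `signature_algorithm` separately, so neither real parameter is documented. It also calls logid a "32 bit key id", while the parser in tls-handshake-signed_certificate_timestamp.pac reads `logid: bytestring &length=32`, which is 32 bytes. Suggested wording: `## logid: 32-byte id of the log` plus separate `## hash_algorithm:` and `## signature_algorithm:` entries for the two fields of the digitally_signed struct.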
@@ -0,0 +1,54 @@ +# Binpac analyzer for X.509 extensions +# we just use it for the SignedCertificateTimestamp at the moment + +%include binpac.pac +%include bro.pac + +%extern{ +#include "types.bif.h" +#include "file_analysis/File.h" +#include "events.bif.h" +%} + +analyzer X509Extension withcontext { + connection: MockConnection; + flow: SignedCertTimestampExt; +}; + +connection MockConnection(bro_analyzer: BroFileAnalyzer) { + upflow = SignedCertTimestampExt; + downflow = SignedCertTimestampExt; +}; + +%include x509-signed_certificate_timestamp.pac + +# The base record +type HandshakeRecord() = record { + signed_certificate_timestamp_list: SignedCertificateTimestampList(this)[] &transient; +} &byteorder = bigendian; + +flow SignedCertTimestampExt { + flowunit = HandshakeRecord withcontext(connection, this); +}; + +refine connection MockConnection += { + + function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool + %{ + BifEvent::generate_x509_ext_signed_certificate_timestamp((analyzer::Analyzer *) bro_analyzer(), + bro_analyzer()->GetFile()->GetVal()->Ref(), + version, + new StringVal(logid.length(), reinterpret_cast(logid.begin())), + ((double)timestamp)/1000, + digitally_signed_algorithms->HashAlgorithm(), + digitally_signed_algorithms->SignatureAlgorithm(), + new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin())) + ); + + return true; + %} +}; + +refine typeattr SignedCertificateTimestamp += &let { + proc : bool = $context.connection.proc_signedcertificatetimestamp(rec, version, logid, timestamp, digitally_signed_algorithms, digitally_signed_signature); +}; 
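Review bot: In proc_signedcertificatetimestamp the first argument to the event generator is `(analyzer::Analyzer *) bro_analyzer()`, a C-style cast of the file analyzer that MockConnection is declared with (`bro_analyzer: BroFileAnalyzer`). If those two classes are unrelated, as the names suggest, the cast compiles silently and any member access the generated BifEvent code makes through that pointer reads the wrong object; the generator's body is not visible here, so this needs confirming. Passing a null analyzer, if the generator accepts one, or adding a file-analyzer overload would avoid relying on the cast. At minimum a comment next to the cast should say why it is safe.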
diff --git a/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac b/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac new file mode 120000 index 0000000000..88305ed8fd --- /dev/null +++ b/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac @@ -0,0 +1 @@ +../../../analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac \ No newline at end of file diff --git a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout new file mode 100644 index 0000000000..4b81b287a6 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout @@ -0,0 +1,4 @@ +0, 1474927230.876, 4, 3 +0, 1474927232.863, 4, 3 +0, 1474927232.112, 4, 3 +0, 1474927232.304, 4, 3 
diff --git a/testing/btest/Traces/tls/certificate-with-sct.pcap b/testing/btest/Traces/tls/certificate-with-sct.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0b6c1b166e608e97f24de3a487a37ff3abe69499 GIT binary patch literal 7584 zcmbVR30O?+`+m>NG^J(Q7cCmJNy}+pXw@R6P|+go%V?WwDk^EyLP?8CXps_92t~=X z5UE5vLW*b+LTUY^1NI0F06E=l~+I0|^oPWUB9J)X)K405o0gG=V05YM5GxcXt~;=l&`IstCHG{|G(# za?RY_kU0Pt9L+Tdi=}}eI(j{k*m(394zqyXDar`8Aaisq;4avhN8gAT0CITpb`%-4 z09Cw7Xzb$YMJ%-B?C>ED1uUTBFm&`g9Naijbi@)K^_x?S5ojZ*==j5L`8A@b-&(TE z{BA+eUx%@iuXCkQ=XL?KN50i|C6Zv4giX%FjayoMiruRQ0YNF z$OE|`8@PkLfCSut3Qz`0KoP`(7!VB(QDv!8RB@^Zm6=KdP6IWd0HUbU)b&(R>RKv0 zbp<#J&VU?{1zeHvY5;X02V{W^fI%iW0Wv^3a$|MCCZJ7~p-NKMQH7}lDh`|i8-X-P z16qKV%1WiBGEy;s2H>b{R64)~*Z~V*qB2pjfF8_Ykob5ZA>u@S1}uSrfl?kM5Bor8 z4~mqRGX*dJ92P(r3AvAu68A{Q15^e{+5VzE(bPl)@K zYtqZNt5?qEwDqny`o#g-ojG(lq2#{Xk+d>El?F&WkiR)3L%`3Fp&>yp7lC4{X8>%q zfQ<_9=imr@9vne)BxgP(EXvjX^7IpDTGr%AwD=FTe1n5CaW>&1D$i z6?m*U4$qF+WGurA^Pm%YcGg|qrX*J{;wCMk5y_K8adwgshsDriSoYPwj_LV2I}=S! zjfk6^eJLatlA}GvnW!%dui|EsQG``w6=h{)U^!(gWUBJp6c+l;thuQSC(J$%&B*wB zcEAzPn&16}XaF_>Vg|_X^q2?;0vG)TDq|Up@6Rcy6y?h?c6m+@e82hVFm1pAC-qZ9 zGx{QF+&=s4o$9EHR*xE~pAzbswVAzJgRMKWp3qO!$C@eQp3>}9e}C>ajnZZYl>uG? 
zCE3a9U_s}gzD>z)m0IsFO_SQ#$15-4=)JwInVL2oeXe?_=4MB2Up}QMwN1>pvY1S` zVxoWF#y`4>Ldc(nw-%Y(c6V*PCF)aS+PW`g1T(WPlN+kH1$PR*|vi zi@V6Ti`VGk3%wm&m)ZpLE1fRZ>XXl~mQ9YjrZ~03M@V$o2)M_D8hToZeeQun!E>ML z7CD!lcSTFmlfSwoxXSAKqVlR_x0hYu{mLJ-ae_J-vb=P(p4=0>5ARi&l9 z9sS5MQi0xnNLEQXdV5Mc+AB)?Ir|1U`^reWAZY|E{al5KUjJj2J;{FgBB>vXq|ilD zj?TWY8tR`QP7#)eWpm&hsc4BGs~vqk{FX15{IOheVY#md%#AK*#j(JIh^6Ugf*v5^ zHp6-_9Uku*&In;3SQXEJ1QQ2EoZJpU74L(9s4l|cSS(`$an?40REt7NML;slSu*bNcg32H*%=d(bG`-?$`u1*1Dz}!&Qw4 zf9!ILJa`I`ON2UL9Sl)@vtIZ&zDFEs2ibL3**-CA5{k^2+zj@33H8?77&PRnHF-$|3y$fh(jjI)7~U@PZ??PDt4$KT*qh~&#~f;V z*|#ea)CI={70x_dFdJk0%j{}DSIzz6PV7ReeU;-^Ge0@SXf}#7MDovlo~{&i;4{Jy z4Zd}|R0Ezh6Oc2rc71yDo3_69)tg64)eq!4sZJ<0f&k$5En`B^DWXa>{=-c%0i$W3 z?KZ9{Z90$XU5hGAOs47<%tj$HiCnEdtcxM~5-qB;PJB(AQ|x@Fl0s{7XVXc!kh|wa zV_i16e+#X>fmsdWb~V%3`gN)4KcjK>+#D5}MKX$@Ci)GH~DdUY7R-HWBVKJ!e_4dk9{%i!y)Mzcc^%JoA?=W&Tx%7quj* z4Z%c;okcCd5E)B^I+S|+2hzEgyU zCRVxO5_?qZC1tg#RpllVS9}6)`fbe({hbvN7DreS0xeIU^o)LT$%wMmP^UO0Tlg1+ z8Z=ON_-7Qj_Zq%WVK^*tIL}*BXlqz_O*Ea1;&{s#iTgoi-{Gwx*!|YyaV2{q^`_tC z)=G{D#+QbNkxCRqeaR{=vw;I#Y~_L!S(TNkqa)#?#reT6tGcW7jyB)*k(%ysvZuZ1 z%xTNjHB;1tjW#=GraQC~T#Yb$9);PEX0XBgl}y-sTY48i1JV4mylMLCw2p1+(zBIW zTfXo$tFB>+o0@5OckRg7^(moxxosrnR_Oq|{y3er=N^ z(Y#^33Y!dtX<5|%H|_f+bR=&tqLx3!&D)nm*-!L#Auh<`y!Oc>vZoBg3d#zo_Q|UJ zHvQks{@YKAfi+uOv=wyTS7aB_?G4siz?Pkb{f)D^vy|8Tw1 zh-K{#Ba;{Mr#_cGp0s%Q#v#jGZ+F?<1Z5$G(R7IrXBMW>>~y;JH>GSr$vv~N%!y}9 zZr|-t9M|G|XW0`yr*LPa|8Y)=*Y?5_4`23F`NY;fz2e*$e7w#jvC0^K@T6(H`^M&U zkqAL<_?E`~7mWKg1FWKxo)^saQhz{}M|!R0`NpZKZ?p$Olr^!tjFZtb;{i;heQO ztD^<~S$1Tk5G{gz7o`HxNf+1&7G0bpI?4BA@n3XO23GlbA|_h$$BBPRql~NUGIc}5 zalQ(e*Y>|k_wU-?>+*>3_*1E28J@^78^hNAZFWi>)?W}oO;{b?h-X@qK0H!xL;pYV zTUvNxBajfLS-nh4;&wY`BYjPlGYpGmc+X$v=kc^~GPS2iU4Fe(Sc=DFfom&YP=r=< z)||%Z)yTbB)3P%QI*3as z`=f}bT>iC-n3&g+8%woBNOn<6T=JG`$r&EuyykC$c0HUgh@57$ z(`uOY4IU16a>z`SDG3%2Oo- z-seW3HxiB9mW00-JTZAvWJH4CTJG^iBE!=*NUSz$BbI6WHMTdk#zJ&rYq+KKrx5!G zyKHVhKNZ&E^fDx7-=VjuN61HL^!x7z1H2v5QtgH#a5@XJLc6l&5d40F;&L@P@LNk` 
zU?hW<-SeFklPSgCm$J#*lW0V7l9E9SM&x$}_BE!?j{d&RL>-bViDK`uq=Q0RFOrw5 z48kqw$yj#cPmq7mA5?W&YxYeaT~S_msI&2Sx*?@2EA%7iC&U#Si0SaMoRDP}jx{~YRLaao z$Hjp45#>MF`|Qb#t6Lq74L!kz+}V|$Q)#M|nUwG)OVK4LbZ7N3+qYNTh>B<9g(M{O z87u=_;OkW{MiM7Zw^l&#+s|W!R}#r#V~4(r9lmBJl{qpVFwN=4HMGTJNQy17?a?e_ z{cZt< zy{oNAV`EbSWR>G%=e!ES<8ou~Zt!Wy+wmc?VkRf>OTYJk_A}2dCl1SRuH=5+A4a$4 z#%CF-22On_o4CKD9Pi|Wk?B0&v|}ntm$U+iKQ}*8hu1TtZV^~vts*va{$exuF16WE zF_5Ff-VWn=`%(U8~>e3>ri-rG`QOw_!cwVsnsz<*ImNCO9?^#Xjd~Q+<+#v6^sYR>! zGfZ04Nt6L7;ESu*k9R9(j%%mOa`|5Uo z$Tk!B(D!K%{J@}BR+Ryi#?2>!)9}Wk&Q$?C9HuM+pRx>`B{Q`!0FT7N1n0yHb0r8f-B!^oQHvZo*0XMf4@bdzli2V92B37F^FU}Pl%^qF66{b+zvYghij)G&ky)Hd|3+2D z6+1OmuYaj=W4!)-N7IMX6B*O{1}yXw`TZsUUu1E*-Mv4Fsa6s zjzRZ_S}pk%o}{cIJ4YOR_Gs$<2{yZ09dFez!_KPJ7dV2P9`-10(zTYA(*4+NDd^7g zG333u;!1nl>jyq1+>Y({H_Ye}z1$zABW@qHizb3q@PdNH7?Dt7IXY?X>&qn4a?;eG zs98zM*?#WZFyG*}PX(=yuLoBtd|6XnnE>5(+Y`woJ>2oskx}%qnR7^e)63OEvsrZ zyOHdQa?g{^=l61Hgbw0AA$x+*Rz?6BU;(!lu0ZvrbK7P4SxXG@qtC2In#l8;?^hpq zX7ak8z9)sDtRS8@NlSG`?R?htoLk1141C-D?KlSg+U+%^V6%JURcT1U3#?YQVN%`8 zqE^xC%{)`CXXLfZ)5KQYzJ2ayIm?OeE$;pzn4)s=_~BFRA2*%d5Xdk&WnJC-&DZ&Q zBV0$-afzKyjUB>MdLg>aPkIZ4WhScg za=Pp#g}MbaSTu6ided?T;f8DcSg*Yw9*Xym2{PEvD%hKQ;a#_8-!os1M6V0s88*Ei z6+Xj{vUgt1ekRnjL%GPG!{d(dlyD1ucqbt}wWaLqc_vcU^$j<;$0JRYEkC=}PzXs) zms(Al4@{q~sT#IUcQoANa&+>(_gwgh-xcdK_xLYf*{>)eH<1~B{9=e~O3E0zVT&Um zTdwG{+=)EP=&J;D{8<+!o1t~#W89y0p`;m77v6B8`&kzjFV=;O!Hj^4fT3dsBl^nFma zNM=dD@!mMe5B`oLzWrhLM}r(atjQ<1UPG2nuYHBnI-W^ot8NozOr6rRXE9vs%7I+> z{2nt9gF!|9#oVW?jl1I9Ze-EYZu`)HZS_8$b<%t@6aPVQ=V80c%d zK~H~=(8}`Bxh>I}-|GnDqnBHQbX9y9r_Y3h3mn!Bq|vR|cSzXw=tHI|Zta!?)+%wE zQ%9SOgVlUW&SJ6z%Uh$G{gh%=LU=kYBtipfGx^{UqM~(_D%es?|T~a%dtQ&Wd z{h1?GNR9|>LlB+T(F1!V;n49%)|sxELJ>99{)&iXT|wz0Vmv?*Igz`>`y)x%?%%Z} zt;1x0ojB)T+vl62Q{RUgTrWZYFAokKJ8IBcZ<)bc^OwNN0_^IS8blHAZuy0{EYXk_ zjf`9Z@}kFPX`)H(L=x>*7%SA_C9r^qxc^B{Bp#rM?1sM(mjwkud>n!LnAGtXA9sbZ oGSAr#{q&IzMMV)ye?$C>kJIx$?q25OF2u(Q^ktM6|56|S51>yUasU7T literal 0 HcmV?d00001 
diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test new file mode 100644 index 0000000000..63be26448f --- /dev/null +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test @@ -0,0 +1,7 @@ +# @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +event x509_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string) + { + print version, timestamp, hash_algorithm, signature_algorithm; + } From 2d64b4539466e1c52d4cc303712a02dbae03388a Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 7 Feb 2017 16:05:47 -0800 Subject: [PATCH 063/631] X509: make SCT parsing work with older OpenSSL versions --- src/file_analysis/analyzer/x509/X509.cc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index e85bc5615d..1189e55eaa 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -300,7 +300,11 @@ void file_analysis::X509::ParseExtension(X509_EXTENSION* ex) else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name ) ParseSAN(ex); +#ifdef NID_ct_cert_scts else if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) +#else + else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 ) +#endif ParseSignedCertificateTimestamps(ex); } From 209a560cc68cc197546c2449651de99a21eddd1e Mon Sep 17 00:00:00 2001 
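Review bot: The two branches of the new `#ifdef NID_ct_cert_scts` in ParseExtension do not appear to select the same extensions. As far as I know OpenSSL maps NID_ct_precert_scts to 1.3.6.1.4.1.11129.2.4.2 and NID_ct_cert_scts to 1.3.6.1.4.1.11129.2.4.5, while the fallback compares `oid` against ...2.4.2 and ...2.4.4, so a build against an older OpenSSL would hand a different extension to ParseSignedCertificateTimestamps. Please check against OpenSSL's object table and, if confirmed, change the second string to `"1.3.6.1.4.1.11129.2.4.5"`. `oid` is declared outside the hunk, and a short comment naming which extension each OID stands for would keep the branches in sync. ParseExtension starts outside the hunk.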
From: Jan Grashoefer Date: Thu, 9 Feb 2017 19:36:05 +0100 Subject: [PATCH 064/631] Fixed intel expiration reset. Reinserting the same indicator did not reset the expiration timer for the indicator in the underlying data store. Addresses BIT-1790 --- scripts/base/frameworks/intel/main.bro | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro index aa51af5ee0..30f9a6bf75 100644 --- a/scripts/base/frameworks/intel/main.bro +++ b/scripts/base/frameworks/intel/main.bro @@ -407,7 +407,11 @@ function insert(item: Item) if ( host !in data_store$host_data ) data_store$host_data[host] = table(); else + { is_new = F; + # Reset expiration timer. + data_store$host_data[host] = data_store$host_data[host]; + } meta_tbl = data_store$host_data[host]; } @@ -422,7 +426,11 @@ function insert(item: Item) if ( !check_subnet(net, data_store$subnet_data) ) data_store$subnet_data[net] = table(); else + { is_new = F; + # Reset expiration timer. + data_store$subnet_data[net] = data_store$subnet_data[net]; + } meta_tbl = data_store$subnet_data[net]; } @@ -436,7 +444,12 @@ function insert(item: Item) if ( [lower_indicator, item$indicator_type] !in data_store$string_data ) data_store$string_data[lower_indicator, item$indicator_type] = table(); else + { is_new = F; + # Reset expiration timer. + data_store$string_data[lower_indicator, item$indicator_type] = + data_store$string_data[lower_indicator, item$indicator_type]; + } meta_tbl = data_store$string_data[lower_indicator, item$indicator_type]; } From c6b16ad2ca9b3c1b7f561a711d8a62156f708884 Mon Sep 17 00:00:00 2001 From: Jan Grashoefer Date: Thu, 9 Feb 2017 19:40:25 +0100 Subject: [PATCH 065/631] Updated expiration test case to cover reinsertion. Addresses BIT-1790 --- .../output | 25 +++++++++++++------ .../base/frameworks/intel/expire-item.bro | 19 +++++++++++++- 2 files changed, 36 insertions(+), 8 deletions(-) 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output b/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output index dfa922f88f..a01d119b81 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output @@ -3,20 +3,31 @@ #empty_field (empty) #unset_field - #path intel -#open 2016-06-15-19-11-06 +#open 2017-02-09-18-29-44 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc #types time string addr port addr port string enum enum string set[enum] set[string] string string string -1466017866.348490 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - -1466017867.349583 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - -1466017868.349656 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - -#close 2016-06-15-19-11-12 +1486664984.510411 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - +1486664987.510937 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - +1486664990.511265 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1,source2 - - - +1486664993.512024 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1,source2 - - - +1486664996.512265 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1,source2 - - - +#close 2017-02-09-18-30-03 +-- Run 1 -- Trigger: 1.2.3.4 Seen: 1.2.3.4 +-- Run 2 -- +Trigger: 1.2.3.4 +Reinsert: 1.2.3.4 +Seen: 1.2.3.4 +-- Run 3 -- Trigger: 1.2.3.4 Seen: 1.2.3.4 +-- Run 4 -- +Trigger: 1.2.3.4 +Seen: 1.2.3.4 +-- Run 5 -- Trigger: 1.2.3.4 Seen: 1.2.3.4 Expired: 1.2.3.4 -Trigger: 1.2.3.4 -Trigger: 1.2.3.4 +-- Run 6 -- Trigger: 1.2.3.4 
diff --git a/testing/btest/scripts/base/frameworks/intel/expire-item.bro b/testing/btest/scripts/base/frameworks/intel/expire-item.bro index df9170b669..dd915b3a03 100644 --- a/testing/btest/scripts/base/frameworks/intel/expire-item.bro +++ b/testing/btest/scripts/base/frameworks/intel/expire-item.bro @@ -20,11 +20,28 @@ redef table_expire_interval = 3sec; global runs = 0; event do_it() { + ++runs; + print fmt("-- Run %s --", runs); + print "Trigger: 1.2.3.4"; Intel::seen([$host=1.2.3.4, $where=SOMEWHERE]); - ++runs; + if ( runs == 2 ) + { + # Reinserting the indicator should reset the expiration + print "Reinsert: 1.2.3.4"; + local item = [ + $indicator="1.2.3.4", + $indicator_type=Intel::ADDR, + $meta=[ + $source="source2", + $desc="this host is still bad", + $url="http://some-data-distributor.com/2"] + ]; + Intel::insert(item); + } + if ( runs < 6 ) schedule 3sec { do_it() }; } From c670613996435d7e833eec724a77c91a8b3f0969 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Wed, 8 Feb 2017 10:57:30 -0800 Subject: [PATCH 066/631] Make OCSP analyzer part of the X.509 analyzer This allows the easier integration of shared functionality. And it also makes logical sense, given that OCSP is not interesting without X.509. --- scripts/base/files/ocsp/README | 1 - scripts/base/files/ocsp/__load__.bro | 1 - scripts/base/files/x509/README | 1 + .../files/{ocsp/main.bro => x509/ocsp.bro} | 2 ++ scripts/base/init-default.bro | 1 - .../policy/protocols/ssl/validate-ocsp.bro | 2 +- src/file_analysis/analyzer/CMakeLists.txt | 1 - .../analyzer/ocsp/CMakeLists.txt | 10 -------- src/file_analysis/analyzer/ocsp/Plugin.cc | 25 ------------------- .../analyzer/x509/CMakeLists.txt | 4 +-- .../analyzer/{ocsp => x509}/OCSP.cc | 4 +-- .../analyzer/{ocsp => x509}/OCSP.h | 0 src/file_analysis/analyzer/x509/Plugin.cc | 4 ++- .../{ocsp/events.bif => x509/ocsp_events.bif} | 0 .../functions.bif => x509/ocsp_functions.bif} | 4 +-- .../{ocsp/types.bif => x509/ocsp_types.bif} | 0 16 files changed, 13 insertions(+), 47 deletions(-) delete mode 100644 scripts/base/files/ocsp/README delete mode 100644 scripts/base/files/ocsp/__load__.bro rename scripts/base/files/{ocsp/main.bro => x509/ocsp.bro} (99%) delete mode 100644 src/file_analysis/analyzer/ocsp/CMakeLists.txt delete mode 100644 src/file_analysis/analyzer/ocsp/Plugin.cc rename src/file_analysis/analyzer/{ocsp => x509}/OCSP.cc (99%) rename src/file_analysis/analyzer/{ocsp => x509}/OCSP.h (100%) rename src/file_analysis/analyzer/{ocsp/events.bif => x509/ocsp_events.bif} (100%) rename src/file_analysis/analyzer/{ocsp/functions.bif => x509/ocsp_functions.bif} (95%) rename src/file_analysis/analyzer/{ocsp/types.bif => x509/ocsp_types.bif} (100%) diff --git a/scripts/base/files/ocsp/README b/scripts/base/files/ocsp/README deleted file mode 100644 index beabe8a3fc..0000000000 --- a/scripts/base/files/ocsp/README +++ /dev/null @@ -1 +0,0 @@ -Support for ocsp file analysis framework. 
diff --git a/scripts/base/files/ocsp/__load__.bro b/scripts/base/files/ocsp/__load__.bro deleted file mode 100644 index d551be57d3..0000000000 --- a/scripts/base/files/ocsp/__load__.bro +++ /dev/null @@ -1 +0,0 @@ -@load ./main \ No newline at end of file diff --git a/scripts/base/files/x509/README b/scripts/base/files/x509/README index 8b50366cd2..b523eb4fc4 100644 --- a/scripts/base/files/x509/README +++ b/scripts/base/files/x509/README @@ -1 +1,2 @@ Support for X509 certificates with the file analysis framework. +Also supposrts OCSP requests and responses. diff --git a/scripts/base/files/ocsp/main.bro b/scripts/base/files/x509/ocsp.bro similarity index 99% rename from scripts/base/files/ocsp/main.bro rename to scripts/base/files/x509/ocsp.bro index 3474e3a797..4a4836eee5 100644 --- a/scripts/base/files/ocsp/main.bro +++ b/scripts/base/files/x509/ocsp.bro @@ -2,6 +2,8 @@ @load base/utils/paths @load base/utils/queue +# Note - this needs some cleaning up and is currently not loaded by default. + module OCSP; export { diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 82379ec31c..65b41305c7 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -77,7 +77,6 @@ @load base/files/extract @load base/files/unified2 @load base/files/x509 -@load base/files/ocsp @load base/misc/find-checksum-offloading @load base/misc/find-filtered-trace diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro index 6667d9fbae..8f0da3ef2f 100644 --- a/scripts/policy/protocols/ssl/validate-ocsp.bro +++ b/scripts/policy/protocols/ssl/validate-ocsp.bro @@ -1,4 +1,4 @@ -##! Perform OCSP response validation. +##! Perform validation of stapled OCSP responses. @load base/frameworks/notice @load base/protocols/ssl diff --git a/src/file_analysis/analyzer/CMakeLists.txt b/src/file_analysis/analyzer/CMakeLists.txt index 9296f4e6de..ef17247997 100644 
--- a/src/file_analysis/analyzer/CMakeLists.txt +++ b/src/file_analysis/analyzer/CMakeLists.txt @@ -5,4 +5,3 @@ add_subdirectory(hash) add_subdirectory(pe) add_subdirectory(unified2) add_subdirectory(x509) -add_subdirectory(ocsp) \ No newline at end of file diff --git a/src/file_analysis/analyzer/ocsp/CMakeLists.txt b/src/file_analysis/analyzer/ocsp/CMakeLists.txt deleted file mode 100644 index 12c54c1c84..0000000000 --- a/src/file_analysis/analyzer/ocsp/CMakeLists.txt +++ /dev/null @@ -1,10 +0,0 @@ - -include(BroPlugin) - -include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} - ${CMAKE_CURRENT_BINARY_DIR}) - -bro_plugin_begin(Bro OCSP) -bro_plugin_cc(OCSP.cc Plugin.cc) -bro_plugin_bif(events.bif types.bif functions.bif) -bro_plugin_end() diff --git a/src/file_analysis/analyzer/ocsp/Plugin.cc b/src/file_analysis/analyzer/ocsp/Plugin.cc deleted file mode 100644 index f7edbd1d6d..0000000000 --- a/src/file_analysis/analyzer/ocsp/Plugin.cc +++ /dev/null @@ -1,25 +0,0 @@ -// See the file in the main distribution directory for copyright. - - -#include "plugin/Plugin.h" - -#include "OCSP.h" - -namespace plugin { -namespace Bro_OCSP { - -class Plugin : public plugin::Plugin { -public: - plugin::Configuration Configure() - { - AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate)); - - plugin::Configuration config; - config.name = "Bro::OCSP"; - config.description = "OCSP analyzer"; - return config; - } -} plugin; - -} -} diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt index aa663cfa6e..e95b4ae6e6 100644 --- a/src/file_analysis/analyzer/x509/CMakeLists.txt +++ b/src/file_analysis/analyzer/x509/CMakeLists.txt 
@@ -5,6 +5,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) bro_plugin_begin(Bro X509) -bro_plugin_cc(X509.cc Plugin.cc) -bro_plugin_bif(events.bif types.bif functions.bif) +bro_plugin_cc(X509.cc OCSP.cc Plugin.cc) +bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif ocsp_types.bif ocsp_functions.bif) bro_plugin_end() diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc similarity index 99% rename from src/file_analysis/analyzer/ocsp/OCSP.cc rename to src/file_analysis/analyzer/x509/OCSP.cc index d54f1f345b..926f30cf37 100644 --- a/src/file_analysis/analyzer/ocsp/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -5,8 +5,8 @@ #include "OCSP.h" #include "Event.h" -#include "events.bif.h" -#include "types.bif.h" +#include "ocsp_events.bif.h" +#include "ocsp_types.bif.h" #include "file_analysis/Manager.h" diff --git a/src/file_analysis/analyzer/ocsp/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h similarity index 100% rename from src/file_analysis/analyzer/ocsp/OCSP.h rename to src/file_analysis/analyzer/x509/OCSP.h diff --git a/src/file_analysis/analyzer/x509/Plugin.cc b/src/file_analysis/analyzer/x509/Plugin.cc index d9d1b71ab4..5a0b67136a 100644 --- a/src/file_analysis/analyzer/x509/Plugin.cc +++ b/src/file_analysis/analyzer/x509/Plugin.cc @@ -4,6 +4,7 @@ #include "plugin/Plugin.h" #include "X509.h" +#include "OCSP.h" namespace plugin { namespace Bro_X509 { @@ -13,10 +14,11 @@ public: plugin::Configuration Configure() { AddComponent(new ::file_analysis::Component("X509", ::file_analysis::X509::Instantiate)); + AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate)); plugin::Configuration config; config.name = "Bro::X509"; - config.description = "X509 analyzer"; + config.description = "X509 and OCSP analyzer"; return config; } } plugin; 
diff --git a/src/file_analysis/analyzer/ocsp/events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif similarity index 100% rename from src/file_analysis/analyzer/ocsp/events.bif rename to src/file_analysis/analyzer/x509/ocsp_events.bif diff --git a/src/file_analysis/analyzer/ocsp/functions.bif b/src/file_analysis/analyzer/x509/ocsp_functions.bif similarity index 95% rename from src/file_analysis/analyzer/ocsp/functions.bif rename to src/file_analysis/analyzer/x509/ocsp_functions.bif index 164b4a63ec..a5f31f9411 100644 --- a/src/file_analysis/analyzer/ocsp/functions.bif +++ b/src/file_analysis/analyzer/x509/ocsp_functions.bif @@ -1,6 +1,6 @@ %%{ -#include "file_analysis/analyzer/ocsp/OCSP.h" -#include "types.bif.h" +#include "file_analysis/analyzer/x509/OCSP.h" +#include "ocsp_types.bif.h" %%} ## Parses a OCSP response into an OCSP::Response structure. diff --git a/src/file_analysis/analyzer/ocsp/types.bif b/src/file_analysis/analyzer/x509/ocsp_types.bif similarity index 100% rename from src/file_analysis/analyzer/ocsp/types.bif rename to src/file_analysis/analyzer/x509/ocsp_types.bif From b021fe75623a55148c8aab94d7f4c43693bf3350 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Wed, 8 Feb 2017 16:24:52 -0800 Subject: [PATCH 067/631] Rewrite of big parts of the OCSP analyzer. Less redundancy, style closer to the X.509 analyzer, times being parsed as real times, and lots of other changes. --- scripts/base/files/x509/__load__.bro | 1 + scripts/base/files/x509/ocsp.bro | 7 +- scripts/base/init-bare.bro | 29 +- src/file_analysis/analyzer/x509/Asn1Time.h | 157 +++++ src/file_analysis/analyzer/x509/OCSP.cc | 596 +++++------------- src/file_analysis/analyzer/x509/OCSP.h | 4 +- src/file_analysis/analyzer/x509/X509.cc | 164 +---- src/file_analysis/analyzer/x509/X509.h | 1 - .../ocsp.log | 8 +- .../ocsp.log | 8 +- .../ocsp.log | 8 +- .../ocsp.log | 8 +- .../ocsp.log | 14 +- 13 files changed, 376 insertions(+), 629 deletions(-) create mode 100644 src/file_analysis/analyzer/x509/Asn1Time.h diff --git a/scripts/base/files/x509/__load__.bro b/scripts/base/files/x509/__load__.bro index a10fe855df..15c5754b1f 100644 --- a/scripts/base/files/x509/__load__.bro +++ b/scripts/base/files/x509/__load__.bro @@ -1 +1,2 @@ @load ./main +@load ./ocsp diff --git a/scripts/base/files/x509/ocsp.bro b/scripts/base/files/x509/ocsp.bro index 4a4836eee5..f417cd6113 100644 --- a/scripts/base/files/x509/ocsp.bro +++ b/scripts/base/files/x509/ocsp.bro @@ -1,3 +1,4 @@ +@load base/protocols/http @load base/frameworks/files @load base/utils/paths @load base/utils/queue @@ -68,7 +69,7 @@ export { ## responderID responderID: string &log &optional; ## producedAt - producedAt: string &log &optional; + producedAt: time &log &optional; ## certificates certs: vector of opaque of x509 &optional; @@ -85,9 +86,9 @@ export { ## certStatus (this is the response to look at) certStatus: string &log &optional; ## thisUpdate - thisUpdate: string &log &optional; + thisUpdate: time &log &optional; ## nextUpdate - nextUpdate: string &log &optional; + nextUpdate: time &log &optional; }; type Info: record { 
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index e73e1ec849..d31bf8f0b6 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -3651,49 +3651,52 @@ export { issuerNameHash: string &log; issuerKeyHash: string &log; serialNumber: string &log; - #RequestExtensions: xxx }; + type Request: record { version: count &log &optional; requestorName: string &log &optional; requestList: vector of OneReq; - #requestExtensions: xxx - }; + }; + type SingleResp: record { hashAlgorithm: string &log; issuerNameHash: string &log; issuerKeyHash: string &log; serialNumber: string &log; certStatus: string &log; - thisUpdate: string &log; - nextUpdate: string &log &optional; - #Extensions: xxx + revoketime: time &log &optional; + revokereason: string &log &optional; + thisUpdate: time &log; + nextUpdate: time &log &optional; }; + type Response: record { responseStatus: string &log; - responseType: string &log; - version: count &log; - responderID: string &log; - producedAt: string &log; + responseType: string &log &optional; + version: count &log &optional; + responderID: string &log &optional; + producedAt: time &log &optional; responses: vector of SingleResp; - #responseExtensions:xxx signatureAlgorithm: string &log &optional; - signature: string &optional; #&log; + #signature: string &optional; #&log; certs: vector of opaque of x509 &optional; }; + type CertId: record { hashAlgorithm: string &log &optional; issuerNameHash: string &log &optional; issuerKeyHash: string &log &optional; serialNumber: string &log &optional; }; + } module GLOBAL; type ocsp_req_vec: vector of OCSP::OneReq; type ocsp_resp_vec: vector of OCSP::SingleResp; - + module SOCKS; export { ## This record is for a SOCKS client or server to provide either a diff --git a/src/file_analysis/analyzer/x509/Asn1Time.h b/src/file_analysis/analyzer/x509/Asn1Time.h new file mode 100644 index 0000000000..31013ec2a7 --- /dev/null +++ b/src/file_analysis/analyzer/x509/Asn1Time.h 
@@ -0,0 +1,157 @@ +static double GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter) + { + const char *fid = arg_fid ? arg_fid : ""; + time_t lResult = 0; + + char lBuffer[26]; + char* pBuffer = lBuffer; + + const char *pString = (const char *) atime->data; + unsigned int remaining = atime->length; + + if ( atime->type == V_ASN1_UTCTIME ) + { + if ( remaining < 11 || remaining > 17 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid)); + return 0; + } + + if ( pString[remaining-1] != 'Z' ) + { + // not valid according to RFC 2459 4.1.2.5.1 + reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid)); + return 0; + } + + // year is first two digits in YY format. Buffer expects YYYY format. + if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1 + { + *(pBuffer++) = '2'; + *(pBuffer++) = '0'; + } + else + { + *(pBuffer++) = '1'; + *(pBuffer++) = '9'; + } + + memcpy(pBuffer, pString, 10); + pBuffer += 10; + pString += 10; + remaining -= 10; + } + else if ( atime->type == V_ASN1_GENERALIZEDTIME ) + { + // generalized time. We apparently ignore the YYYYMMDDHH case + // for now and assume we always have minutes and seconds. 
+ // This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2 + + if ( remaining < 12 || remaining > 23 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid)); + return 0; + } + + memcpy(pBuffer, pString, 12); + pBuffer += 12; + pString += 12; + remaining -= 12; + } + else + { + reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid)); + return 0; + } + + if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') ) + { + *(pBuffer++) = '0'; + *(pBuffer++) = '0'; + } + + else if ( remaining >= 2 ) + { + *(pBuffer++) = *(pString++); + *(pBuffer++) = *(pString++); + + remaining -= 2; + + // Skip any fractional seconds... + if ( (remaining > 0) && (*pString == '.') ) + { + pString++; + remaining--; + + while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') ) + { + pString++; + remaining--; + } + } + } + + else + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid)); + return 0; + } + + *(pBuffer++) = 'Z'; + *(pBuffer++) = '\0'; + + time_t lSecondsFromUTC; + + if ( remaining == 0 || *pString == 'Z' ) + lSecondsFromUTC = 0; + else + { + if ( remaining < 5 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid)); + return 0; + } + + if ((*pString != '+') && (*pString != '-')) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid)); + return 0; + } + + lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60; + lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0'); + + if (*pString == '-') + lSecondsFromUTC = -lSecondsFromUTC; + } + + tm lTime; + lTime.tm_sec = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0'); + lTime.tm_min = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0'); + lTime.tm_hour = ((lBuffer[8] - '0') * 10) + 
(lBuffer[9] - '0'); + lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0'); + lTime.tm_mon = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1; + lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0'); + + if ( lTime.tm_year > 1900) + lTime.tm_year -= 1900; + + lTime.tm_wday = 0; + lTime.tm_yday = 0; + lTime.tm_isdst = 0; // No DST adjustment requested + + lResult = mktime(&lTime); + + if ( lResult ) + { + if ( lTime.tm_isdst != 0 ) + lResult -= 3600; // mktime may adjust for DST (OS dependent) + + lResult += lSecondsFromUTC; + } + + else + lResult = 0; + + return lResult; +} diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 926f30cf37..c7747f54ce 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -15,6 +15,9 @@ #include #include +#include "file_analysis/analyzer/x509/X509.h" +#include "Asn1Time.h" + // helper function of sk_X509_value to avoid namespace problem // sk_X509_value(X,Y) = > SKM_sk_value(X509,X,Y) // X509 => file_analysis::X509 @@ -23,8 +26,6 @@ X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i) return sk_X509_value(certs, i); } -#include "file_analysis/analyzer/x509/X509.h" - using namespace file_analysis; IMPLEMENT_SERIAL(OCSP_REQVal, SER_OCSP_REQ_VAL); 
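Review bot: GetTimeFromAsn1 copies the date bytes into `lBuffer` with `memcpy` and then computes every `tm` field as `lBuffer[i] - '0'` without checking that the bytes are digits. The ASN.1 time comes from certificates and OCSP messages seen on the wire, so a malformed value yields an arbitrary timestamp in the logs instead of a `Weird`. I would reject non-digits before the conversion, as sketched below, and apply the same check to `pString[1]`..`pString[4]` in the offset branch. Separately, `lSecondsFromUTC` is built from hours*60 plus minutes and is never multiplied by 60, so the value added to `lResult` is in minutes; `lSecondsFromUTC *= 60;` before the sign flip would fix the unit.

```cpp
// … unchanged: type/length checks and the copy into lBuffer, up to the terminating '\0' …

	// lBuffer now holds YYYYMMDDHHMMSS followed by 'Z'; refuse anything else
	for ( int i = 0; i < 14; ++i )
		{
		if ( lBuffer[i] < '0' || lBuffer[i] > '9' )
			{
			reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- non-digit character in time", fid));
			return 0;
			}
		}

// … unchanged: offset parsing and the tm conversion …
```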
@@ -32,213 +33,59 @@ IMPLEMENT_SERIAL(OCSP_RESPVal, SER_OCSP_RESP_VAL); #define OCSP_STRING_BUF_SIZE 2048 -//this function is copied from src/file_analysis/analyzer/extract/Extract.cc -static Val* get_extract_field_val(RecordVal* args, const char* name) +static Val* get_ocsp_type(RecordVal* args, const char* name) { Val* rval = args->Lookup(name); + if ( ! rval ) reporter->Error("File extraction analyzer missing arg field: %s", name); + return rval; } -//convert different ANS1 type to c string -static int ANS1_to_cstr(char *buf, int buf_len, void *data, int type) +static void OCSP_RESPID_bio(OCSP_RESPID *resp_id, BIO* bio) { - if (data == NULL || buf == NULL || buf_len <=0) - return -1; - int new_len = -1; - BIO *bio = BIO_new(BIO_s_mem()); - memset(buf, 0, buf_len); - - if (type == V_ASN1_OCTET_STRING) - { - if (i2a_ASN1_STRING(bio, (ASN1_STRING *)data, V_ASN1_OCTET_STRING) <= 0) - goto err; - } - else if (type == V_ASN1_BIT_STRING) - { - if (i2a_ASN1_STRING(bio, (ASN1_STRING *)data, V_ASN1_BIT_STRING) <= 0) - goto err; - } - else if (type == V_ASN1_INTEGER) - { - // NOTE: this will print the hex number - // wireshark may display decimal number - if (i2a_ASN1_INTEGER(bio, (ASN1_INTEGER *)data) <= 0) - goto err; - } - else if (type == V_ASN1_OBJECT) - { - if (i2a_ASN1_OBJECT(bio, (ASN1_OBJECT *)data) <= 0) - goto err; - } - else if (type == V_ASN1_GENERALIZEDTIME) - { - // TODO: convert ASN1_GENERALIZEDTIME to epoch time? - // new API: ASN1_TIME_diff() requires openssl 1.0.2 - // epoch time might be better for post processing - - // NOTE: this is for human readable time format - //if (!ASN1_GENERALIZEDTIME_print(bio, (ASN1_GENERALIZEDTIME *)data)) - // goto err; - - // NOTE: this is printing the raw string which is also understandable - // since this is smaller, let's keep ASN1_GENERALIZEDTIME as this for now? 
- ASN1_GENERALIZEDTIME *tmp = (ASN1_GENERALIZEDTIME *)data; - BIO_write(bio, tmp->data, tmp->length); - } - - else - goto err; - - new_len = BIO_read(bio, buf, buf_len); -err: - BIO_free_all(bio); - return new_len; - } - -//ANS1 OCTET string to c string -static int ASN1_OCTET_STRING_to_cstr(char *buf, int len, void *data) - { - return ANS1_to_cstr(buf, len, data, V_ASN1_OCTET_STRING); - } - -//ANS1 BIT string to c string -static int ASN1_BIT_STRING_to_cstr(char *buf, int len, void *data) - { - return ANS1_to_cstr(buf, len, data, V_ASN1_BIT_STRING); - } - -//ANS1 integer to c string -static int ASN1_INTEGER_to_cstr(char *buf, int len, void *data) - { - return ANS1_to_cstr(buf, len, data, V_ASN1_INTEGER); - } - -//ANS1 object to c string -static int ASN1_OBJECT_to_cstr(char *buf, int len, void *data) - { - return ANS1_to_cstr(buf, len, data, V_ASN1_OBJECT); - } - -//ASN1_GENERALIZEDTIME to c string -static int ASN1_GENERALIZEDTIME_to_cstr(char *buf, int len, void *data) - { - return ANS1_to_cstr(buf, len, data, V_ASN1_GENERALIZEDTIME); - } - -//CENERAL XXX to c string -static int GENERAL_NAME_to_cstr(char *buf, int buf_len, void *data) - { - if (data == NULL || buf == NULL || buf_len <= 0) - return -1; - int new_len = -1; - BIO *bio = BIO_new(BIO_s_mem()); - memset(buf, 0, buf_len); - if (GENERAL_NAME_print(bio, (GENERAL_NAME *)data) <= 0) - goto err; - new_len = BIO_read(bio, buf, buf_len); -err: - BIO_free_all(bio); - return new_len; - } - -//OCSP respond id to c string -static int OCSP_RESPID_to_cstr(char *buf, int buf_len, OCSP_RESPID *resp_id) - { - if (resp_id == NULL || buf == NULL || buf_len <= 0) - return -1; - int new_len = -1; - BIO *bio = BIO_new(BIO_s_mem()); - memset(buf, 0, buf_len); if (resp_id->type == V_OCSP_RESPID_NAME) - { - if (X509_NAME_print_ex(bio, resp_id->value.byName, 0, XN_FLAG_ONELINE) <=0) - goto err; - } + X509_NAME_print_ex(bio, resp_id->value.byName, 0, XN_FLAG_ONELINE); else if (resp_id->type == V_OCSP_RESPID_KEY) - { - if 
(i2a_ASN1_STRING(bio, resp_id->value.byKey, V_ASN1_OCTET_STRING) <= 0) - goto err; - } - else - goto err; - new_len = BIO_read(bio, buf, buf_len); -err: - BIO_free_all(bio); - return new_len; + i2a_ASN1_STRING(bio, resp_id->value.byKey, V_ASN1_OCTET_STRING); } -//print out a cert id for debug -static void ocsp_print_cert_id(OCSP_CERTID *cid) +static RecordVal* ocsp_fill_cert_id(OCSP_CERTID *cert_id, RecordType* type, BIO* bio) { - if (cid == NULL) - return; + RecordVal *d = new RecordVal(type); char buf[OCSP_STRING_BUF_SIZE]; - int len = sizeof(buf); - memset(buf, 0, len); - int new_len = -1; - - //print hashAlgorithm - new_len = ASN1_OBJECT_to_cstr(buf, len, (void *)(cid->hashAlgorithm->algorithm)); - StringVal hashAlgorithm = StringVal(new_len, buf); - printf("[%d]hashAlgorithm: %s\n", new_len, hashAlgorithm.CheckString()); + memset(buf, 0, sizeof(buf)); - //print issuerNameHash - new_len = ASN1_OCTET_STRING_to_cstr(buf, len, (void *)(cid->issuerNameHash)); - StringVal issuerNameHash = StringVal(new_len, buf); - printf("[%d]issuerNameHash: %s\n", new_len, issuerNameHash.CheckString()); + i2a_ASN1_OBJECT(bio, cert_id->hashAlgorithm->algorithm); + int len = BIO_read(bio, buf, sizeof(buf)); + d->Assign(0, new StringVal(len, buf)); + BIO_reset(bio); - //print issuerKeyHash - new_len = ASN1_OCTET_STRING_to_cstr(buf, len, (void *)(cid->issuerKeyHash)); - StringVal issuerKeyHash = StringVal(new_len, buf); - printf("[%d]issuerKeyHash: %s\n", new_len, issuerKeyHash.CheckString()); + i2a_ASN1_STRING(bio, cert_id->issuerNameHash, V_ASN1_OCTET_STRING); + len = BIO_read(bio, buf, sizeof(buf)); + d->Assign(1, new StringVal(len, buf)); + BIO_reset(bio); - //print serialNumber - new_len = ASN1_INTEGER_to_cstr(buf, len, (void *)(cid->serialNumber)); - StringVal serialNumber = StringVal(new_len, buf); - printf("[%d]serialNumber: %s\n", new_len, serialNumber.CheckString()); - } + i2a_ASN1_STRING(bio, cert_id->issuerKeyHash, V_ASN1_OCTET_STRING); + len = BIO_read(bio, buf, 
sizeof(buf)); + d->Assign(2, new StringVal(len, buf)); + BIO_reset(bio); -//fill in cert id -static void ocsp_fill_cert_id(OCSP_CERTID *cert_id, RecordVal *d) - { - if (d == NULL || cert_id == NULL) - return; - char buf[OCSP_STRING_BUF_SIZE]; - int buf_len = sizeof(buf); - memset(buf, 0, buf_len); + i2a_ASN1_INTEGER(bio, cert_id->serialNumber); + d->Assign(3, new StringVal(len, buf)); + BIO_reset(bio); - //hashAlgorithm - int len = -1; - len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(cert_id->hashAlgorithm->algorithm)); - if (len > 0) - d->Assign(0, new StringVal(len, buf)); - - //issuerNameHash - len = -1; - len = ASN1_OCTET_STRING_to_cstr(buf, buf_len, (void *)(cert_id->issuerNameHash)); - if (len > 0) - d->Assign(1, new StringVal(len, buf)); - - //issuerKeyHash - len = -1; - len = ASN1_OCTET_STRING_to_cstr(buf, buf_len, (void *)(cert_id->issuerKeyHash)); - if (len > 0) - d->Assign(2, new StringVal(len, buf)); - - //serialNumber - len = -1; - len = ASN1_INTEGER_to_cstr(buf, buf_len, (void *)(cert_id->serialNumber)); - if (len > 0) - d->Assign(3, new StringVal(len, buf)); + return d; } file_analysis::Analyzer* OCSP::Instantiate(RecordVal* args, File* file) { - Val* ocsp_type = get_extract_field_val(args, "ocsp_type"); - if (! ocsp_type ) + Val* ocsp_type = get_ocsp_type(args, "ocsp_type"); + + if (! ocsp_type ) return 0; + return new OCSP(args, file, ocsp_type->AsString()->CheckString()); } 
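Review bot: In `ocsp_fill_cert_id` the serial number is written to the BIO but never read back. After `i2a_ASN1_INTEGER(bio, cert_id->serialNumber);` the code assigns `new StringVal(len, buf)` while `len` and `buf` still hold the issuerKeyHash, so field 3 repeats the key hash instead of the serial. Adding `len = BIO_read(bio, buf, sizeof(buf));` before `d->Assign(3, ...)` fixes it. The rewrite also dropped the old `len > 0` guards: `BIO_read` on an empty memory BIO returns a non-positive value, for example when `OCSP_RESPID_bio` matches neither responder-ID type and writes nothing, and that value goes straight into `StringVal(len, buf)`. The same unchecked pattern is used in ParseRequest and ParseResponse in the next hunk.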
@@ -260,328 +107,223 @@ bool file_analysis::OCSP::Undelivered(uint64 offset, uint64 len) return false; } -// parse OCSP request or response and send data to bro scriptland +// we parse the entire OCSP response in EOF, because we just pass it on +// to OpenSSL. bool file_analysis::OCSP::EndOfFile() { - OCSP_REQUEST *req = NULL; - OCSP_RESPONSE *resp = NULL; - const unsigned char* ocsp_char = reinterpret_cast(ocsp_data.data()); - + if (ocsp_type == "request") { - req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size()); + OCSP_REQUEST *req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size()); + if (!req) { reporter->Weird(fmt("OPENSSL Could not parse OCSP request (fuid %s)", GetFile()->GetID().c_str())); - goto ocsp_cleanup; - } - - //parse request into record - OCSP_REQVal* req_val = new OCSP_REQVal(req); - RecordVal* req_record = ParseRequest(req_val); - if (!req_record) - { - reporter->Weird(fmt("Internal fail to parse OCSP request (fuid %s)", GetFile()->GetID().c_str())); - Unref(req_val); - goto ocsp_cleanup; + return false; } + OCSP_REQVal* req_val = new OCSP_REQVal(req); // req_val takes ownership + + RecordVal* req_record = ParseRequest(req_val, GetFile()->GetID().c_str()); + // and send the record on to scriptland val_list* vl = new val_list(); vl->append(GetFile()->GetVal()->Ref()); - vl->append(req_val->Ref()); - vl->append(req_record->Ref()); - mgr.QueueEvent(ocsp_request, vl); - - Unref(req_val); - Unref(req_record); + vl->append(req_val); + vl->append(req_record); + mgr.QueueEvent(ocsp_request, vl); } else if (ocsp_type == "response") { - resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size()); + OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size()); if (!resp) { reporter->Weird(fmt("OPENSSL Could not parse OCSP response (fuid %s)", GetFile()->GetID().c_str())); - goto ocsp_cleanup; - } - - //parse request into record - OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); - RecordVal* resp_record = ParseResponse(resp_val); - 
if (!resp_record) - { - reporter->Weird(fmt("Internal fail to parse OCSP response (fuid %s)", GetFile()->GetID().c_str())); - Unref(resp_val); - goto ocsp_cleanup; + return false; } + OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); // resp_val takes ownership + RecordVal* resp_record = ParseResponse(resp_val, GetFile()->GetID().c_str()); + // and send the record on to scriptland val_list* vl = new val_list(); vl->append(GetFile()->GetVal()->Ref()); - vl->append(resp_val->Ref()); - vl->append(resp_record->Ref()); + vl->append(resp_val); + vl->append(resp_record); mgr.QueueEvent(ocsp_response, vl); - - Unref(resp_val); - Unref(resp_record); } else + { reporter->Weird(fmt("the given argument of ocsp_type (%s) is not recognized", ocsp_type.c_str())); -ocsp_cleanup: - //if (resp) - // OCSP_RESPONSE_free(resp); - //if (req) - // OCSP_REQUEST_free(req); - return false; + return false; + } + + return true; } -// parse OCSP request and trigger event -RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val) +RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val, const char* fid) { - if (req_val == NULL) - return NULL; - OCSP_REQUEST *req = NULL; - OCSP_ONEREQ *one_req = NULL; - OCSP_CERTID *cert_id = NULL; - OCSP_REQINFO *inf = NULL; - //OCSP_SIGNATURE *sig = NULL; + OCSP_REQUEST *req = req_val->GetReq(); + OCSP_REQINFO *inf = req->tbsRequest; - RecordVal* ocsp_req_record = NULL; - VectorVal* all_req_bro = NULL; - - int req_count = -1, i = -1, len = -1; - long version = -1; + char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions + memset(buf, 0, sizeof(buf)); - req = req_val->GetReq(); - if (req == NULL) - return NULL; - - char buf[OCSP_STRING_BUF_SIZE]; - int buf_len = sizeof(buf); - memset(buf, 0, buf_len); - - inf = req->tbsRequest; - //sig = req->optionalSignature; - if (inf == NULL) - return NULL; + RecordVal* ocsp_req_record = new RecordVal(BifType::Record::OCSP::Request); - ocsp_req_record = new 
RecordVal(BifType::Record::OCSP::Request); - if (!ocsp_req_record) - { - reporter->Error("Cannot create OCSP request structure: Internal memory error"); - return NULL; - } + ocsp_req_record->Assign(0, new Val((uint64)ASN1_INTEGER_get(inf->version), TYPE_COUNT)); + BIO *bio = BIO_new(BIO_s_mem()); - //version - version = ASN1_INTEGER_get(inf->version); - if (version != -1) - ocsp_req_record->Assign(0, new Val((uint64)version, TYPE_COUNT)); - - //requestorName if (inf->requestorName != NULL) { - len = -1; - len = GENERAL_NAME_to_cstr(buf, buf_len, (void *)(inf->requestorName)); - if (len > 0) - ocsp_req_record->Assign(1, new StringVal(len, buf)); + GENERAL_NAME_print(bio, inf->requestorName); + int len = BIO_read(bio, buf, sizeof(buf)); + ocsp_req_record->Assign(1, new StringVal(len, buf)); + BIO_reset(bio); } - - //deal with details of the request - req_count = OCSP_request_onereq_count(req); - if (req_count <= 0) - goto clean_up; - for (i=0; iAsVectorType()); - RecordVal *one_req_bro = new RecordVal(BifType::Record::OCSP::OneReq); - ocsp_fill_cert_id(cert_id, one_req_bro); - all_req_bro->Assign(all_req_bro->Size(), one_req_bro); + VectorVal* all_req_bro = new VectorVal(internal_type("ocsp_req_vec")->AsVectorType()); + ocsp_req_record->Assign(2, all_req_bro); + + int req_count = OCSP_request_onereq_count(req); + for ( int i=0; iAssign(i, one_req_bro); } - - if (all_req_bro != NULL) - ocsp_req_record->Assign(2, all_req_bro); -clean_up: + + BIO_free(bio); + return ocsp_req_record; } -// parse OCSP response and trigger event -RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val) +RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) { - if (resp_val == NULL) - return NULL; - OCSP_RESPONSE *resp = NULL; - OCSP_RESPBYTES *resp_bytes = NULL; - OCSP_CERTID *cert_id = NULL; - OCSP_BASICRESP *basic_resp = NULL; - OCSP_RESPDATA *resp_data = NULL; - OCSP_RESPID *resp_id = NULL; - OCSP_SINGLERESP *single_resp = NULL; - 
OCSP_REVOKEDINFO *revoked_info = NULL; - OCSP_CERTSTATUS *cert_status = NULL; + OCSP_RESPONSE *resp = resp_val->GetResp(); + OCSP_RESPBYTES *resp_bytes = resp->responseBytes; + OCSP_BASICRESP *basic_resp = nullptr; + OCSP_RESPDATA *resp_data = nullptr; + OCSP_RESPID *resp_id = nullptr; - RecordVal *ocsp_resp_record = NULL; - VectorVal *all_resp_bro = NULL; - - int resp_count = -1, status = -1, i = -1, len = -1; - long version = -1; - - resp = resp_val->GetResp(); - if (resp == NULL) - return NULL; + int resp_count = 0; + VectorVal *all_resp_bro = nullptr; - char buf[OCSP_STRING_BUF_SIZE]; - int buf_len = sizeof(buf); - memset(buf, 0, buf_len); + char buf[OCSP_STRING_BUF_SIZE]; + memset(buf, 0, sizeof(buf)); - ocsp_resp_record = new RecordVal(BifType::Record::OCSP::Response); - if (!ocsp_resp_record) - { - reporter->Error("Cannot create OCSP response structure: Internal memory error"); - return NULL; - } + RecordVal *ocsp_resp_record = new RecordVal(BifType::Record::OCSP::Response); - //responseStatus - status = OCSP_response_status(resp); - const char *status_str = OCSP_response_status_str(status); - ocsp_resp_record->Assign(0, new StringVal(strlen(status_str), status_str)); + const char *status_str = OCSP_response_status_str(OCSP_response_status(resp)); + ocsp_resp_record->Assign(0, new StringVal(strlen(status_str), status_str)); - //responseType - resp_bytes = resp->responseBytes; if (!resp_bytes) - goto clean_up; - len = -1; - len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(resp_bytes->responseType)); - if (len > 0) - ocsp_resp_record->Assign(1, new StringVal(len, buf)); - - //get the basic response + return ocsp_resp_record; + + BIO *bio = BIO_new(BIO_s_mem()); + i2a_ASN1_OBJECT(bio, resp_bytes->responseType); + int len = BIO_read(bio, buf, sizeof(buf)); + ocsp_resp_record->Assign(1, new StringVal(len, buf)); + BIO_reset(bio); + + // get the basic response basic_resp = OCSP_response_get1_basic(resp); - if (!basic_resp) + if ( !basic_resp ) goto clean_up; + 
resp_data = basic_resp->tbsResponseData; - if (!resp_data) + if ( !resp_data ) goto clean_up; - //version - version = ASN1_INTEGER_get(resp_data->version); - if (version != -1) - ocsp_resp_record->Assign(2, new Val((uint64)version, TYPE_COUNT)); - - //responderID + ocsp_resp_record->Assign(2, new Val((uint64)ASN1_INTEGER_get(resp_data->version), TYPE_COUNT)); + // responderID resp_id = resp_data->responderId; - len = -1; - len = OCSP_RESPID_to_cstr(buf, buf_len, resp_id); - if (len > 0) - ocsp_resp_record->Assign(3, new StringVal(len, buf)); + OCSP_RESPID_bio(resp_id, bio); + len = BIO_read(bio, buf, sizeof(buf)); + ocsp_resp_record->Assign(3, new StringVal(len, buf)); + BIO_reset(bio); - //producedAt - len = -1; - len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(resp_data->producedAt)); - if (len > 0) - ocsp_resp_record->Assign(4, new StringVal(len, buf)); + // producedAt + ocsp_resp_record->Assign(4, new Val(GetTimeFromAsn1(resp_data->producedAt, fid, reporter), TYPE_TIME)); - //responses + all_resp_bro = new VectorVal(internal_type("ocsp_resp_vec")->AsVectorType()); + ocsp_resp_record->Assign(5, all_resp_bro); + + // responses resp_count = sk_OCSP_SINGLERESP_num(resp_data->responses); - if (resp_count <= 0) - goto clean_up; - for (i=0; iresponses, i); - if (!single_resp) + OCSP_SINGLERESP *single_resp = sk_OCSP_SINGLERESP_value(resp_data->responses, i); + if ( !single_resp ) continue; - if (all_resp_bro == NULL) - all_resp_bro = new VectorVal(internal_type("ocsp_resp_vec")->AsVectorType()); - RecordVal *single_resp_bro = new RecordVal(BifType::Record::OCSP::SingleResp); - //cert id - cert_id = single_resp->certId; - ocsp_fill_cert_id(cert_id, single_resp_bro); + // cert id + OCSP_CERTID *cert_id = single_resp->certId; + RecordVal *single_resp_bro = ocsp_fill_cert_id(cert_id, BifType::Record::OCSP::SingleResp, bio); + BIO_reset(bio); - //certStatus - cert_status = single_resp->certStatus; - std::string cert_status_str = 
OCSP_cert_status_str(cert_status->type); - std::string revoke_reason = ""; - std::string revoke_time = ""; + // certStatus + OCSP_CERTSTATUS *cert_status = single_resp->certStatus; + const char* cert_status_str = OCSP_cert_status_str(cert_status->type); + single_resp_bro->Assign(4, new StringVal(strlen(cert_status_str), cert_status_str)); - //add revocation time and reason if it is revoked - if (cert_status->type == V_OCSP_CERTSTATUS_REVOKED) + // revocation time and reason if revoked + if ( cert_status->type == V_OCSP_CERTSTATUS_REVOKED ) { - revoked_info = cert_status->value.revoked; - len = -1; - len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(revoked_info->revocationTime)); - if (len > 0) - revoke_time.assign((const char *)buf, len); + OCSP_REVOKEDINFO *revoked_info = cert_status->value.revoked; + single_resp_bro->Assign(5, new Val(GetTimeFromAsn1(revoked_info->revocationTime, fid, reporter), TYPE_TIME)); - if (revoked_info->revocationReason) - revoke_reason = OCSP_crl_reason_str(ASN1_ENUMERATED_get(revoked_info->revocationReason)); + if ( revoked_info->revocationReason ) + { + const char* revoke_reason = OCSP_crl_reason_str(ASN1_ENUMERATED_get(revoked_info->revocationReason)); + single_resp_bro->Assign(6, new StringVal(strlen(revoke_reason), revoke_reason)); + } } - if (revoke_time.length() > 0) - cert_status_str += " " + revoke_time; - if (revoke_reason.length() > 0) - cert_status_str += " " + revoke_reason; - single_resp_bro->Assign(4, new StringVal(cert_status_str.length(), cert_status_str.c_str())); + single_resp_bro->Assign(7, new Val(GetTimeFromAsn1(single_resp->thisUpdate, fid, reporter), TYPE_TIME)); + if ( single_resp->nextUpdate ) + single_resp_bro->Assign(8, new Val(GetTimeFromAsn1(single_resp->nextUpdate, fid, reporter), TYPE_TIME)); - //thisUpdate - len = -1; - len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(single_resp->thisUpdate)); - if (len > 0) - single_resp_bro->Assign(5, new StringVal(len, buf)); - - //nextUpdate - len = 
-1; - len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(single_resp->nextUpdate)); - if (len > 0) - single_resp_bro->Assign(6, new StringVal(len, buf)); - - all_resp_bro->Assign(all_resp_bro->Size(), single_resp_bro); + all_resp_bro->Assign(i, single_resp_bro); } - if (all_resp_bro != NULL) - ocsp_resp_record->Assign(5, all_resp_bro); - //signatureAlgorithm - if (basic_resp->signatureAlgorithm) - { - len = -1; - len = ASN1_OBJECT_to_cstr(buf, buf_len, (void *)(basic_resp->signatureAlgorithm->algorithm)); - if (len > 0) - ocsp_resp_record->Assign(6, new StringVal(len, buf)); - } - //signature - if (basic_resp->signature) - { - len = -1; - len = ASN1_BIT_STRING_to_cstr(buf, buf_len, (void *)(basic_resp->signature)); - if (len > 0) - ocsp_resp_record->Assign(7, new StringVal(len, buf)); - } + i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm); + len = BIO_read(bio, buf, sizeof(buf)); + ocsp_resp_record->Assign(6, new StringVal(len, buf)); + BIO_reset(bio); + + //i2a_ASN1_OBJECT(bio, basic_resp->signature); + //len = BIO_read(bio, buf, sizeof(buf)); + //ocsp_resp_record->Assign(7, new StringVal(len, buf)); + //BIO_reset(bio); + //certs - if (basic_resp->certs) + if ( basic_resp->certs ) { VectorVal *certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType()); int num_certs = sk_X509_num(basic_resp->certs); - for (i=0; icerts, i)); //::X509 *this_cert = X509_dup(sk_X509_value(basic_resp->certs, i)); if (this_cert) certs_vector->Assign(i, new file_analysis::X509Val(this_cert)); else reporter->Weird("OpenSSL returned null certificate"); - } - ocsp_resp_record->Assign(8, certs_vector); + } + ocsp_resp_record->Assign(7, certs_vector); } + clean_up: if (basic_resp) OCSP_BASICRESP_free(basic_resp); + BIO_free(bio); return ocsp_resp_record; } -//OCSP_REQVal OCSP_REQVal::OCSP_REQVal(OCSP_REQUEST* arg_ocsp_req) : OpaqueVal(ocsp_req_opaque_type) { ocsp_req = arg_ocsp_req; 
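Review bot: ParseResponse now calls `i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm)` unconditionally, whereas the removed code only touched that member under `if (basic_resp->signatureAlgorithm)`. Unless the OpenSSL decoder guarantees the member is set for every response that parses, this is a null dereference on network-supplied data, so I would keep the guard: `if ( basic_resp->signatureAlgorithm ) { ... }`. The rewrite also dropped the `version != -1` test in both ParseRequest and ParseResponse, so an error return from `ASN1_INTEGER_get` is cast to `uint64` and recorded as a very large `count`. Restoring `if ( version != -1 )` around the `Assign` keeps the field unset in that case.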
@@ -589,7 +331,7 @@ OCSP_REQVal::OCSP_REQVal(OCSP_REQUEST* arg_ocsp_req) : OpaqueVal(ocsp_req_opaque OCSP_REQVal::OCSP_REQVal() : OpaqueVal(ocsp_req_opaque_type) { - ocsp_req = NULL; + ocsp_req = nullptr; } OCSP_REQVal::~OCSP_REQVal() @@ -606,7 +348,7 @@ OCSP_REQUEST* OCSP_REQVal::GetReq() const bool OCSP_REQVal::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_OCSP_REQ_VAL, OpaqueVal); - unsigned char *buf = NULL; + unsigned char *buf = nullptr; int length = i2d_OCSP_REQUEST(ocsp_req, &buf); if ( length < 0 ) return false; @@ -621,11 +363,11 @@ bool OCSP_REQVal::DoUnserialize(UnserialInfo* info) int length; unsigned char *ocsp_req_buf, *opensslbuf; - + if ( ! UNSERIALIZE_STR(reinterpret_cast(&ocsp_req_buf), &length) ) return false; opensslbuf = ocsp_req_buf; // OpenSSL likes to shift pointers around. really. - ocsp_req = d2i_OCSP_REQUEST(NULL, const_cast(&opensslbuf), length); + ocsp_req = d2i_OCSP_REQUEST(nullptr, const_cast(&opensslbuf), length); delete[] ocsp_req_buf; if ( !ocsp_req ) return false; @@ -641,7 +383,7 @@ OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_o OCSP_RESPVal::OCSP_RESPVal() : OpaqueVal(ocsp_resp_opaque_type) { - ocsp_resp = NULL; + ocsp_resp = nullptr; } OCSP_RESPVal::~OCSP_RESPVal() @@ -658,7 +400,7 @@ OCSP_RESPONSE* OCSP_RESPVal::GetResp() const bool OCSP_RESPVal::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_OCSP_RESP_VAL, OpaqueVal); - unsigned char *buf = NULL; + unsigned char *buf = nullptr; int length = i2d_OCSP_RESPONSE(ocsp_resp, &buf); if ( length < 0 ) return false; 
@@ -673,11 +415,11 @@ bool OCSP_RESPVal::DoUnserialize(UnserialInfo* info) int length; unsigned char *ocsp_resp_buf, *opensslbuf; - + if ( ! UNSERIALIZE_STR(reinterpret_cast(&ocsp_resp_buf), &length) ) return false; opensslbuf = ocsp_resp_buf; // OpenSSL likes to shift pointers around. really. - ocsp_resp = d2i_OCSP_RESPONSE(NULL, const_cast(&opensslbuf), length); + ocsp_resp = d2i_OCSP_RESPONSE(nullptr, const_cast(&opensslbuf), length); delete[] ocsp_resp_buf; if ( !ocsp_resp ) return false; diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index ecdba6582d..ab40c13bca 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -24,8 +24,8 @@ public: virtual bool Undelivered(uint64 offset, uint64 len); virtual bool EndOfFile(); - static RecordVal *ParseResponse(OCSP_RESPVal *); - static RecordVal *ParseRequest(OCSP_REQVal *); + static RecordVal *ParseResponse(OCSP_RESPVal *, const char* fid = 0); + static RecordVal *ParseRequest(OCSP_REQVal *, const char* fid = 0); static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index da3c6635a8..a98b96f244 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -16,6 +16,8 @@ #include #include +#include "Asn1Time.h" + using namespace file_analysis; IMPLEMENT_SERIAL(X509Val, SER_X509_VAL); 
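Review bot: The new default arguments in the OCSP.h hunk are written `const char* fid = 0`, while the same patch replaces `NULL` with `nullptr` throughout OCSP.cc; `static RecordVal *ParseResponse(OCSP_RESPVal *, const char* fid = nullptr);` (and the same for `ParseRequest`) would keep the header consistent. The declarations also have no comment explaining the parameter; a line such as `// fid: file id used in reporter messages; may be null` would help. That comment assumes the relocated `GetTimeFromAsn1` still substitutes an empty string for a null `fid`, as the removed X509.cc version did; Asn1Time.h is not shown here, so this should be confirmed.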
@@ -133,8 +135,8 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* pX509Cert->Assign(3, new StringVal(len, buf)); BIO_free(bio); - pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), fid), TYPE_TIME)); - pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), fid), TYPE_TIME)); + pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), fid, reporter), TYPE_TIME)); + pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), fid, reporter), TYPE_TIME)); // we only read 255 bytes because byte 256 is always 0. // if the string is longer than 255, that will be our null-termination, 
@@ -517,164 +519,6 @@ unsigned int file_analysis::X509::KeyLength(EVP_PKEY *key) reporter->InternalError("cannot be reached"); } -double file_analysis::X509::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid) - { - const char *fid = arg_fid ? arg_fid : ""; - time_t lResult = 0; - - char lBuffer[26]; - char* pBuffer = lBuffer; - - const char *pString = (const char *) atime->data; - unsigned int remaining = atime->length; - - if ( atime->type == V_ASN1_UTCTIME ) - { - if ( remaining < 11 || remaining > 17 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid)); - return 0; - } - - if ( pString[remaining-1] != 'Z' ) - { - // not valid according to RFC 2459 4.1.2.5.1 - reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid)); - return 0; - } - - // year is first two digits in YY format. Buffer expects YYYY format. - if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1 - { - *(pBuffer++) = '2'; - *(pBuffer++) = '0'; - } - else - { - *(pBuffer++) = '1'; - *(pBuffer++) = '9'; - } - - memcpy(pBuffer, pString, 10); - pBuffer += 10; - pString += 10; - remaining -= 10; - } - else if ( atime->type == V_ASN1_GENERALIZEDTIME ) - { - // generalized time. We apparently ignore the YYYYMMDDHH case - // for now and assume we always have minutes and seconds. 
- // This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2 - - if ( remaining < 12 || remaining > 23 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid)); - return 0; - } - - memcpy(pBuffer, pString, 12); - pBuffer += 12; - pString += 12; - remaining -= 12; - } - else - { - reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid)); - return 0; - } - - if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') ) - { - *(pBuffer++) = '0'; - *(pBuffer++) = '0'; - } - - else if ( remaining >= 2 ) - { - *(pBuffer++) = *(pString++); - *(pBuffer++) = *(pString++); - - remaining -= 2; - - // Skip any fractional seconds... - if ( (remaining > 0) && (*pString == '.') ) - { - pString++; - remaining--; - - while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') ) - { - pString++; - remaining--; - } - } - } - - else - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid)); - return 0; - } - - *(pBuffer++) = 'Z'; - *(pBuffer++) = '\0'; - - time_t lSecondsFromUTC; - - if ( remaining == 0 || *pString == 'Z' ) - lSecondsFromUTC = 0; - else - { - if ( remaining < 5 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid)); - return 0; - } - - if ((*pString != '+') && (*pString != '-')) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid)); - return 0; - } - - lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60; - lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0'); - - if (*pString == '-') - lSecondsFromUTC = -lSecondsFromUTC; - } - - tm lTime; - lTime.tm_sec = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0'); - lTime.tm_min = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0'); - lTime.tm_hour = ((lBuffer[8] - '0') * 10) + 
(lBuffer[9] - '0'); - lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0'); - lTime.tm_mon = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1; - lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0'); - - if ( lTime.tm_year > 1900) - lTime.tm_year -= 1900; - - lTime.tm_wday = 0; - lTime.tm_yday = 0; - lTime.tm_isdst = 0; // No DST adjustment requested - - lResult = mktime(&lTime); - - if ( lResult ) - { - if ( lTime.tm_isdst != 0 ) - lResult -= 3600; // mktime may adjust for DST (OS dependent) - - lResult += lSecondsFromUTC; - } - - else - lResult = 0; - - return lResult; -} - X509Val::X509Val(::X509* arg_certificate) : OpaqueVal(x509_opaque_type) { certificate = arg_certificate; diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index c671c68a99..2681038fc3 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -62,7 +62,6 @@ private: std::string cert_data; // Helpers for ParseCertificate. - static double GetTimeFromAsn1(const ASN1_TIME * atime, const char* fid); static StringVal* KeyCurve(EVP_PKEY *key); static unsigned int KeyLength(EVP_PKEY *key); }; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log index 692581c871..97a1eba12e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-20-38-15 +#open 2017-02-09-00-23-43 #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string -1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CXWv6p3arKYeMETxOg sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 H4c4c3b287beafd8d7f4806a0b14d2ee1de88e4be 0 - 1 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 20150711011056Z 1 good 20150711011056Z 20150718011056Z GET -#close 2015-07-15-20-38-15 +#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string +1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CHhAvVGS1DHFjwGM9 sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 4ADD06161BBCF668B576F581B6BB621ABA5A812F H4c4c3b287beafd8d7f4806a0b14d2ee1de88e4be 0 - 1 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 1436577056.000000 1 good 1436577056.000000 1437181856.000000 GET +#close 2017-02-09-00-23-43 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log index 1cb587ca17..366671298b 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log 
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-20-25-27 +#open 2017-02-09-00-24-29 #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1 - - - - - - - - - - - POST -#close 2015-07-15-20-25-27 +#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE FMbJOe2y5n1E7iSVsg 0 - 1 - - - - - - - - - - - POST +#close 2017-02-09-00-24-29 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index 881f614583..dc1f8f6657 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-20-24-10 +#open 2017-02-09-00-24-32 #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 FMbJOe2y5n1E7iSVsg 0 - 1 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z 1 good 20150618220334Z 20150620100334Z POST -#close 2015-07-15-20-24-11 +#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string +1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE FMbJOe2y5n1E7iSVsg 0 - 1 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 1434665014.000000 1 good 1434665014.000000 1434794614.000000 POST +#close 2017-02-09-00-24-32 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index 4027016f1d..eab0e0579b 100644 
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-15-20-26-35 +#open 2017-02-09-00-24-34 #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string -1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CXWv6p3arKYeMETxOg sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 - - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 20150618220334Z 1 good 20150618220334Z 20150620100334Z - -#close 2015-07-15-20-26-36 +#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string +1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE - - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 1434665014.000000 1 good 1434665014.000000 1434794614.000000 - +#close 2017-02-09-00-24-34 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log index 8876f251e7..f3889662ee 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log 
@@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2015-07-31-20-35-18 +#open 2017-02-09-00-24-36 #fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string -1438374032.518621 192.168.6.109 41812 23.5.251.27 80 CXWv6p3arKYeMETxOg sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 010BF45E184C4169AB61B41168DF802E FDsgjS1bTYOzDpRJT4 0 - 1 1438374032.607628 Ftl4F41OsGtUDrOTWc successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707162834Z 1 revoked 20150514145849Z superseded 20150707162834Z 20150929011242Z POST -1438374032.650255 192.168.6.109 41813 23.5.251.27 80 CjhGID4nQcgTWjvg4c sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 013D34BFD6348EBA231D6925768ACD87 F5Tv7Z16QkNApNg0yl 0 - 1 1438374032.732035 FXISxH2UuTiDn0qCa1 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707212334Z 1 revoked 20150127203801Z unspecified 20150707212334Z 20150930071359Z POST -1438374032.759133 192.168.6.109 41814 23.5.251.27 80 CCvvfg3TEfuqmmG4bh sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0150C0C06D53F9D39205D84EFB5F2BA4 FGzVem3KYelVVdAze 0 - 1 1438374032.848522 F3OYfx3A0JvMX787V3 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707030344Z 1 revoked 20150528055348Z (UNKNOWN) 20150707030344Z 20150928205739Z POST -1438374032.875001 192.168.6.109 41815 23.5.251.27 80 CsRx2w45OKnoww6xl4 sha1 
74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 017447CB30072EE15B9C1B057B731C5A FbmX4PpDIRU82YGK8 0 - 1 1438374033.033504 FVty9v3KTnCvbg0Xf2 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150708020344Z 1 revoked 20150117113259Z keyCompromise 20150708020344Z 20150928165507Z POST -#close 2015-07-31-20-35-18 +#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string +1438374032.518621 192.168.6.109 41812 23.5.251.27 80 CHhAvVGS1DHFjwGM9 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FDsgjS1bTYOzDpRJT4 0 - 1 1438374032.607628 Ftl4F41OsGtUDrOTWc successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436286514.000000 1 revoked 1436286514.000000 1443489162.000000 POST +1438374032.650255 192.168.6.109 41813 23.5.251.27 80 ClEkJM2Vm5giqnMf4h sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A F5Tv7Z16QkNApNg0yl 0 - 1 1438374032.732035 FXISxH2UuTiDn0qCa1 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436304214.000000 1 revoked 1436304214.000000 1443597239.000000 POST +1438374032.759133 192.168.6.109 41814 23.5.251.27 80 C4J4Th3PJpwUYZZ6gc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FGzVem3KYelVVdAze 0 - 1 1438374032.848522 F3OYfx3A0JvMX787V3 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436238224.000000 1 revoked 1436238224.000000 1443473859.000000 POST +1438374032.875001 192.168.6.109 41815 23.5.251.27 80 CtPZjS20MLrsMUOJi2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FbmX4PpDIRU82YGK8 0 - 1 1438374033.033504 
FVty9v3KTnCvbg0Xf2 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436321024.000000 1 revoked 1436321024.000000 1443459307.000000 POST +#close 2017-02-09-00-24-36 From 9c6cebf32415aed69d407a2bf173cbc9fdeecb3c Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 9 Feb 2017 12:28:00 -0800 Subject: [PATCH 068/631] OCSP: a bunch of whitespace fixes --- scripts/base/files/x509/ocsp.bro | 12 ++++++------ scripts/policy/protocols/ssl/ocsp-stapling.bro | 6 +++--- src/file_analysis/analyzer/x509/functions.bif | 8 ++++---- src/file_analysis/analyzer/x509/ocsp_functions.bif | 4 ++-- src/main.cc | 4 ++-- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/scripts/base/files/x509/ocsp.bro b/scripts/base/files/x509/ocsp.bro index f417cd6113..078d7f730f 100644 --- a/scripts/base/files/x509/ocsp.bro +++ b/scripts/base/files/x509/ocsp.bro @@ -248,7 +248,7 @@ function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_t update_http_info(http, req_rec_empty); Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method, $http=http]); } - } + } event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) &priority = 5 { @@ -294,7 +294,7 @@ function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request if ( ! http?$original_uri ) return parsed_req;; local uri_prefix: string = get_uri_prefix(http$original_uri); - http$uri_prefix = uri_prefix; + http$uri_prefix = uri_prefix; local ocsp_req_str: string = http$uri[|uri_prefix|:]; parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); if ( ! parsed_req?$requestList || |parsed_req$requestList| == 0 ) 
@@ -397,11 +397,11 @@ event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Respo if ( ! f$http?$ocsp_responses ) f$http$ocsp_responses = table(); - + if ( cert_id !in f$http$ocsp_responses ) f$http$ocsp_responses[cert_id] = Queue::init(); - Queue::put(f$http$ocsp_responses[cert_id], resp_rec); + Queue::put(f$http$ocsp_responses[cert_id], resp_rec); } } else @@ -468,7 +468,7 @@ function start_log_ocsp(http: HTTP::Info) log_unmatched_reqs(http); return; } - + for ( cert_id in http$ocsp_responses ) { while ( Queue::len(http$ocsp_responses[cert_id]) != 0 ) @@ -502,7 +502,7 @@ function start_log_ocsp(http: HTTP::Info) if ( http?$ocsp_requests && |http$ocsp_requests| != 0 ) log_unmatched_reqs(http); } - + # log OCSP information event HTTP::log_http(rec: HTTP::Info) { diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro index 30f69e3b9a..58e378ab65 100644 --- a/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ b/scripts/policy/protocols/ssl/ocsp-stapling.bro @@ -19,7 +19,7 @@ export { ## size of this response size: count &log; - + ## responseStatus responseStatus: string &log; @@ -34,14 +34,14 @@ export { ## producedAt producedAt: string &log; - + ## NOTE: the following are specific to one cert id ## the above are for one message which may contain ## several responses ## index idx: count &log &optional; - + ## cert id cert_id: OCSP::CertId &log &optional; diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index e1bddd72e9..0fe65c7d55 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif 
@@ -548,14 +548,14 @@ x509_verify_chainerror: ## cert: The X509 certificate opaque handle. ## ## hash_alg: the hash algorithm to use -## +## ## Returns: A string of hash of issuer name. -## +## ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse ## x509_get_certificate_string x509_verify function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: string%): string - %{ + %{ assert(cert); assert(hash_alg); @@ -583,7 +583,7 @@ function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: string%): string return NULL; } - const EVP_MD *dgst; + const EVP_MD *dgst; if (strcmp(h, "sha1") == 0) dgst = EVP_sha1(); else if (strcmp(h, "sha224") == 0) diff --git a/src/file_analysis/analyzer/x509/ocsp_functions.bif b/src/file_analysis/analyzer/x509/ocsp_functions.bif index a5f31f9411..1901b90569 100644 --- a/src/file_analysis/analyzer/x509/ocsp_functions.bif +++ b/src/file_analysis/analyzer/x509/ocsp_functions.bif @@ -11,7 +11,7 @@ ## ## .. bro:see:: ssl_stapled_ocsp ocsp_parse_request function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response - %{ + %{ const unsigned char* start = ocsp_reply->Bytes(); OCSP_RESPONSE *resp = NULL; file_analysis::OCSP_RESPVal* resp_val = NULL; @@ -43,7 +43,7 @@ function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response ## ## .. bro:see:: ssl_stapled_ocsp ocsp_parse_response function ocsp_parse_request%(ocsp_req: string%): OCSP::Request - %{ + %{ const unsigned char* start = ocsp_req->Bytes(); OCSP_REQUEST *req = NULL; file_analysis::OCSP_REQVal* req_val = NULL; diff --git a/src/main.cc b/src/main.cc index 3e1a228644..efda617ba4 100644 --- a/src/main.cc +++ b/src/main.cc 
@@ -841,9 +841,9 @@ int main(int argc, char** argv) topk_type = new OpaqueType("topk"); bloomfilter_type = new OpaqueType("bloomfilter"); x509_opaque_type = new OpaqueType("x509"); - ocsp_req_opaque_type = new OpaqueType("ocsp_req"); + ocsp_req_opaque_type = new OpaqueType("ocsp_req"); ocsp_resp_opaque_type = new OpaqueType("ocsp_resp"); - + // The leak-checker tends to produce some false // positives (memory which had already been // allocated before we start the checking is From e1bcc4509f9393dc16151a744ac26f6db7407511 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 9 Feb 2017 15:43:37 -0800 Subject: [PATCH 069/631] OCSP: rewrite events and data structures. Instead of having a big event, that tries to parse all the data into a huge datastructure, we do the more common thing and use a series of smaller events to parse requests and responses. The new events are: ocsp_request -> raised for an ocsp request, giving version and requestor ocsp_request_certificate -> raised n times per request, once per cert ocsp_response_status -> raised for each ocsp response, giving status ocsp_response_bytes -> raised for each ocsp response with information ocsp_response_certificate -> raised for each cert in an ocsp response --- scripts/base/files/x509/__load__.bro | 2 +- scripts/base/init-bare.bro | 54 ----- src/SerialTypes.h | 3 +- src/Type.h | 1 - .../analyzer/x509/CMakeLists.txt | 2 +- src/file_analysis/analyzer/x509/OCSP.cc | 189 +++++++----------- src/file_analysis/analyzer/x509/OCSP.h | 18 +- src/file_analysis/analyzer/x509/events.bif | 2 +- .../analyzer/x509/ocsp_events.bif | 21 +- .../analyzer/x509/ocsp_functions.bif | 68 ------- .../analyzer/x509/ocsp_types.bif | 5 - src/main.cc | 2 - 12 files changed, 90 insertions(+), 277 deletions(-) delete mode 100644 src/file_analysis/analyzer/x509/ocsp_functions.bif delete mode 100644 src/file_analysis/analyzer/x509/ocsp_types.bif 
diff --git a/scripts/base/files/x509/__load__.bro b/scripts/base/files/x509/__load__.bro index 15c5754b1f..cff81e7254 100644 --- a/scripts/base/files/x509/__load__.bro +++ b/scripts/base/files/x509/__load__.bro @@ -1,2 +1,2 @@ @load ./main -@load ./ocsp +#@load ./ocsp diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index d31bf8f0b6..ffee527bb7 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -3643,60 +3643,6 @@ export { }; } - -module OCSP; -export { - type OneReq: record { - hashAlgorithm: string &log; - issuerNameHash: string &log; - issuerKeyHash: string &log; - serialNumber: string &log; - }; - - type Request: record { - version: count &log &optional; - requestorName: string &log &optional; - requestList: vector of OneReq; - }; - - type SingleResp: record { - hashAlgorithm: string &log; - issuerNameHash: string &log; - issuerKeyHash: string &log; - serialNumber: string &log; - certStatus: string &log; - revoketime: time &log &optional; - revokereason: string &log &optional; - thisUpdate: time &log; - nextUpdate: time &log &optional; - }; - - type Response: record { - responseStatus: string &log; - responseType: string &log &optional; - version: count &log &optional; - responderID: string &log &optional; - producedAt: time &log &optional; - responses: vector of SingleResp; - signatureAlgorithm: string &log &optional; - #signature: string &optional; #&log; - certs: vector of opaque of x509 &optional; - }; - - type CertId: record { - hashAlgorithm: string &log &optional; - issuerNameHash: string &log &optional; - issuerKeyHash: string &log &optional; - serialNumber: string &log &optional; - }; - - } - -module GLOBAL; -type ocsp_req_vec: vector of OCSP::OneReq; -type ocsp_resp_vec: vector of OCSP::SingleResp; - - module SOCKS; export { ## This record is for a SOCKS client or server to provide either a diff --git a/src/SerialTypes.h b/src/SerialTypes.h index 6b81227464..8a1a2abf51 100644 --- a/src/SerialTypes.h 
+++ b/src/SerialTypes.h @@ -115,8 +115,7 @@ SERIAL_VAL(CARDINALITY_VAL, 22) SERIAL_VAL(X509_VAL, 23) SERIAL_VAL(COMM_STORE_HANDLE_VAL, 24) SERIAL_VAL(COMM_DATA_VAL, 25) -SERIAL_VAL(OCSP_REQ_VAL, 26) -SERIAL_VAL(OCSP_RESP_VAL, 27) +SERIAL_VAL(OCSP_RESP_VAL, 26) #define SERIAL_EXPR(name, val) SERIAL_CONST(name, val, EXPR) SERIAL_EXPR(EXPR, 1) diff --git a/src/Type.h b/src/Type.h index f456d1fba2..ab52e10734 100644 --- a/src/Type.h +++ b/src/Type.h @@ -628,7 +628,6 @@ extern OpaqueType* cardinality_type; extern OpaqueType* topk_type; extern OpaqueType* bloomfilter_type; extern OpaqueType* x509_opaque_type; -extern OpaqueType* ocsp_req_opaque_type; extern OpaqueType* ocsp_resp_opaque_type; // Returns the Bro basic (non-parameterized) type with the given type. diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt index e95b4ae6e6..409fb3d4ba 100644 --- a/src/file_analysis/analyzer/x509/CMakeLists.txt +++ b/src/file_analysis/analyzer/x509/CMakeLists.txt @@ -6,5 +6,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} bro_plugin_begin(Bro X509) bro_plugin_cc(X509.cc OCSP.cc Plugin.cc) -bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif ocsp_types.bif ocsp_functions.bif) +bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif) bro_plugin_end() diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index c7747f54ce..a5a1d268e6 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -6,7 +6,6 @@ #include "Event.h" #include "ocsp_events.bif.h" -#include "ocsp_types.bif.h" #include "file_analysis/Manager.h" @@ -28,7 +27,6 @@ X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i) using namespace file_analysis; -IMPLEMENT_SERIAL(OCSP_REQVal, SER_OCSP_REQ_VAL); IMPLEMENT_SERIAL(OCSP_RESPVal, SER_OCSP_RESP_VAL); #define OCSP_STRING_BUF_SIZE 2048 
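Review bot: In the SerialTypes.h hunk, `SERIAL_VAL(OCSP_RESP_VAL, 26)` reuses the id that `OCSP_REQ_VAL` held before this change instead of keeping 27. If any peer or stored state was produced by a build with the earlier numbering, a value tagged 26 would be unserialized as the wrong opaque type and handed to the wrong `d2i_*` parser. Unless that numbering was never deployed, which cannot be told from this hunk, it is safer to keep `SERIAL_VAL(OCSP_RESP_VAL, 27)` and leave 26 unused, with a short comment that 26 is retired.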
@@ -51,32 +49,29 @@ static void OCSP_RESPID_bio(OCSP_RESPID *resp_id, BIO* bio) i2a_ASN1_STRING(bio, resp_id->value.byKey, V_ASN1_OCTET_STRING); } -static RecordVal* ocsp_fill_cert_id(OCSP_CERTID *cert_id, RecordType* type, BIO* bio) +void ocsp_add_cert_id(OCSP_CERTID *cert_id, val_list* vl, BIO* bio) { - RecordVal *d = new RecordVal(type); char buf[OCSP_STRING_BUF_SIZE]; memset(buf, 0, sizeof(buf)); i2a_ASN1_OBJECT(bio, cert_id->hashAlgorithm->algorithm); int len = BIO_read(bio, buf, sizeof(buf)); - d->Assign(0, new StringVal(len, buf)); + vl->append(new StringVal(len, buf)); BIO_reset(bio); i2a_ASN1_STRING(bio, cert_id->issuerNameHash, V_ASN1_OCTET_STRING); len = BIO_read(bio, buf, sizeof(buf)); - d->Assign(1, new StringVal(len, buf)); + vl->append(new StringVal(len, buf)); BIO_reset(bio); i2a_ASN1_STRING(bio, cert_id->issuerKeyHash, V_ASN1_OCTET_STRING); len = BIO_read(bio, buf, sizeof(buf)); - d->Assign(2, new StringVal(len, buf)); + vl->append(new StringVal(len, buf)); BIO_reset(bio); i2a_ASN1_INTEGER(bio, cert_id->serialNumber); - d->Assign(3, new StringVal(len, buf)); + vl->append(new StringVal(len, buf)); BIO_reset(bio); - - return d; } file_analysis::Analyzer* OCSP::Instantiate(RecordVal* args, File* file) @@ -123,16 +118,8 @@ bool file_analysis::OCSP::EndOfFile() return false; } - OCSP_REQVal* req_val = new OCSP_REQVal(req); // req_val takes ownership - - RecordVal* req_record = ParseRequest(req_val, GetFile()->GetID().c_str()); - - // and send the record on to scriptland - val_list* vl = new val_list(); - vl->append(GetFile()->GetVal()->Ref()); - vl->append(req_val); - vl->append(req_record); - mgr.QueueEvent(ocsp_request, vl); + ParseRequest(req, GetFile()->GetID().c_str()); + OCSP_REQUEST_free(req); } else if (ocsp_type == "response") { 
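Review bot: In `ocsp_add_cert_id` the serial number is written with `i2a_ASN1_INTEGER(bio, cert_id->serialNumber);` but never read back, so the next `vl->append(new StringVal(len, buf));` emits the `len` and `buf` left over from the issuerKeyHash read. The defect is carried over from the removed `ocsp_fill_cert_id`, and the ocsp.log baselines earlier on this page show `certId.serialNumber` equal to `certId.issuerKeyHash`, which is consistent with it. Anyone correlating OCSP traffic with certificates by serial number would therefore get the wrong value. Add `len = BIO_read(bio, buf, sizeof(buf));` between the two lines. Since `BIO_read` can return zero or a negative value when nothing was written, each `len` passed to `StringVal` in this function would also benefit from a guard such as `if ( len < 0 ) len = 0;`.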
@@ -144,14 +131,8 @@ bool file_analysis::OCSP::EndOfFile() } OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); // resp_val takes ownership - RecordVal* resp_record = ParseResponse(resp_val, GetFile()->GetID().c_str()); - - // and send the record on to scriptland - val_list* vl = new val_list(); - vl->append(GetFile()->GetVal()->Ref()); - vl->append(resp_val); - vl->append(resp_record); - mgr.QueueEvent(ocsp_response, vl); + ParseResponse(resp_val, GetFile()->GetID().c_str()); + Unref(resp_val); } else { 
@@ -162,46 +143,48 @@ bool file_analysis::OCSP::EndOfFile() return true; } -RecordVal *file_analysis::OCSP::ParseRequest(OCSP_REQVal *req_val, const char* fid) +void file_analysis::OCSP::ParseRequest(OCSP_REQUEST *req, const char* fid) { - OCSP_REQUEST *req = req_val->GetReq(); OCSP_REQINFO *inf = req->tbsRequest; char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions memset(buf, 0, sizeof(buf)); - RecordVal* ocsp_req_record = new RecordVal(BifType::Record::OCSP::Request); - - ocsp_req_record->Assign(0, new Val((uint64)ASN1_INTEGER_get(inf->version), TYPE_COUNT)); + // build up our response as we go along... + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(new Val((uint64)ASN1_INTEGER_get(inf->version), TYPE_COUNT)); BIO *bio = BIO_new(BIO_s_mem()); if (inf->requestorName != NULL) { GENERAL_NAME_print(bio, inf->requestorName); int len = BIO_read(bio, buf, sizeof(buf)); - ocsp_req_record->Assign(1, new StringVal(len, buf)); + vl->append(new StringVal(len, buf)); BIO_reset(bio); } + else + vl->append(new StringVal(0, "")); - VectorVal* all_req_bro = new VectorVal(internal_type("ocsp_req_vec")->AsVectorType()); - ocsp_req_record->Assign(2, all_req_bro); + mgr.QueueEvent(ocsp_request, vl); int req_count = OCSP_request_onereq_count(req); for ( int i=0; iappend(GetFile()->GetVal()->Ref()); + OCSP_ONEREQ *one_req = OCSP_request_onereq_get0(req, i); OCSP_CERTID *cert_id = OCSP_onereq_get0_id(one_req); - RecordVal* one_req_bro = ocsp_fill_cert_id(cert_id, BifType::Record::OCSP::OneReq, bio); - all_req_bro->Assign(i, one_req_bro); + ocsp_add_cert_id(cert_id, rvl, bio); + mgr.QueueEvent(ocsp_request_certificate, rvl); } BIO_free(bio); - - return ocsp_req_record; } -RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) +void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) { OCSP_RESPONSE *resp = resp_val->GetResp(); OCSP_RESPBYTES *resp_bytes = 
resp->responseBytes; @@ -210,24 +193,31 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char OCSP_RESPID *resp_id = nullptr; int resp_count = 0; - VectorVal *all_resp_bro = nullptr; + VectorVal *certs_vector = nullptr; + int len = 0; char buf[OCSP_STRING_BUF_SIZE]; memset(buf, 0, sizeof(buf)); - RecordVal *ocsp_resp_record = new RecordVal(BifType::Record::OCSP::Response); + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); const char *status_str = OCSP_response_status_str(OCSP_response_status(resp)); - ocsp_resp_record->Assign(0, new StringVal(strlen(status_str), status_str)); + StringVal* status_val = new StringVal(strlen(status_str), status_str); + vl->append(status_val->Ref()); + mgr.QueueEvent(ocsp_response_status, vl); + vl = nullptr; if (!resp_bytes) - return ocsp_resp_record; + { + Unref(status_val); + return; + } BIO *bio = BIO_new(BIO_s_mem()); - i2a_ASN1_OBJECT(bio, resp_bytes->responseType); - int len = BIO_read(bio, buf, sizeof(buf)); - ocsp_resp_record->Assign(1, new StringVal(len, buf)); - BIO_reset(bio); + //i2a_ASN1_OBJECT(bio, resp_bytes->responseType); + //int len = BIO_read(bio, buf, sizeof(buf)); + //BIO_reset(bio); // get the basic response basic_resp = OCSP_response_get1_basic(resp); 
@@ -238,19 +228,21 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char if ( !resp_data ) goto clean_up; - ocsp_resp_record->Assign(2, new Val((uint64)ASN1_INTEGER_get(resp_data->version), TYPE_COUNT)); + vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(resp_val->Ref()); + vl->append(status_val); + vl->append(new Val((uint64)ASN1_INTEGER_get(resp_data->version), TYPE_COUNT)); + // responderID resp_id = resp_data->responderId; OCSP_RESPID_bio(resp_id, bio); len = BIO_read(bio, buf, sizeof(buf)); - ocsp_resp_record->Assign(3, new StringVal(len, buf)); + vl->append(new StringVal(len, buf)); BIO_reset(bio); // producedAt - ocsp_resp_record->Assign(4, new Val(GetTimeFromAsn1(resp_data->producedAt, fid, reporter), TYPE_TIME)); - - all_resp_bro = new VectorVal(internal_type("ocsp_resp_vec")->AsVectorType()); - ocsp_resp_record->Assign(5, all_resp_bro); + vl->append(new Val(GetTimeFromAsn1(resp_data->producedAt, fid, reporter), TYPE_TIME)); // responses resp_count = sk_OCSP_SINGLERESP_num(resp_data->responses); 
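Review bot: `status_val` leaks when the `goto clean_up` at the top of this hunk is taken (and on any earlier jump to that label, not visible here). The extra reference kept after `vl->append(status_val->Ref())` in the previous hunk is only handed over by `vl->append(status_val);` below, and the `clean_up` label in a later hunk frees only `basic_resp` and the BIO. Responses whose basic part does not decode therefore leak one `StringVal` each, which adds up in a long-running monitor that parses whatever appears on the wire. Appending `status_val->Ref()` here and calling `Unref(status_val);` unconditionally at `clean_up` keeps the ownership in one place. ParseResponse starts and ends outside this hunk.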
@@ -260,39 +252,51 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char if ( !single_resp ) continue; + val_list* rvl = new val_list(); + rvl->append(GetFile()->GetVal()->Ref()); + // cert id OCSP_CERTID *cert_id = single_resp->certId; - RecordVal *single_resp_bro = ocsp_fill_cert_id(cert_id, BifType::Record::OCSP::SingleResp, bio); + ocsp_add_cert_id(cert_id, rvl, bio); BIO_reset(bio); // certStatus OCSP_CERTSTATUS *cert_status = single_resp->certStatus; const char* cert_status_str = OCSP_cert_status_str(cert_status->type); - single_resp_bro->Assign(4, new StringVal(strlen(cert_status_str), cert_status_str)); + rvl->append(new StringVal(strlen(cert_status_str), cert_status_str)); // revocation time and reason if revoked if ( cert_status->type == V_OCSP_CERTSTATUS_REVOKED ) { OCSP_REVOKEDINFO *revoked_info = cert_status->value.revoked; - single_resp_bro->Assign(5, new Val(GetTimeFromAsn1(revoked_info->revocationTime, fid, reporter), TYPE_TIME)); + rvl->append(new Val(GetTimeFromAsn1(revoked_info->revocationTime, fid, reporter), TYPE_TIME)); if ( revoked_info->revocationReason ) { const char* revoke_reason = OCSP_crl_reason_str(ASN1_ENUMERATED_get(revoked_info->revocationReason)); - single_resp_bro->Assign(6, new StringVal(strlen(revoke_reason), revoke_reason)); + rvl->append(new StringVal(strlen(revoke_reason), revoke_reason)); } + else + rvl->append(new StringVal(0, "")); + } + else + { + rvl->append(new Val(0, TYPE_TIME)); + rvl->append(new StringVal(0, "")); } - single_resp_bro->Assign(7, new Val(GetTimeFromAsn1(single_resp->thisUpdate, fid, reporter), TYPE_TIME)); + rvl->append(new Val(GetTimeFromAsn1(single_resp->thisUpdate, fid, reporter), TYPE_TIME)); if ( single_resp->nextUpdate ) - single_resp_bro->Assign(8, new Val(GetTimeFromAsn1(single_resp->nextUpdate, fid, reporter), TYPE_TIME)); + rvl->append(new Val(GetTimeFromAsn1(single_resp->nextUpdate, fid, reporter), TYPE_TIME)); + else + rvl->append(new Val(0, TYPE_TIME)); - 
all_resp_bro->Assign(i, single_resp_bro); + mgr.QueueEvent(ocsp_response_certificate, rvl); } i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm); len = BIO_read(bio, buf, sizeof(buf)); - ocsp_resp_record->Assign(6, new StringVal(len, buf)); + vl->append(new StringVal(len, buf)); BIO_reset(bio); //i2a_ASN1_OBJECT(bio, basic_resp->signature); 
@@ -300,10 +304,10 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char //ocsp_resp_record->Assign(7, new StringVal(len, buf)); //BIO_reset(bio); - //certs + certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType()); + vl->append(certs_vector); if ( basic_resp->certs ) { - VectorVal *certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType()); int num_certs = sk_X509_num(basic_resp->certs); for ( int i=0; iWeird("OpenSSL returned null certificate"); } - ocsp_resp_record->Assign(7, certs_vector); } + mgr.QueueEvent(ocsp_response_bytes, vl); clean_up: if (basic_resp) OCSP_BASICRESP_free(basic_resp); BIO_free(bio); - return ocsp_resp_record; } -OCSP_REQVal::OCSP_REQVal(OCSP_REQUEST* arg_ocsp_req) : OpaqueVal(ocsp_req_opaque_type) - { - ocsp_req = arg_ocsp_req; - } - -OCSP_REQVal::OCSP_REQVal() : OpaqueVal(ocsp_req_opaque_type) - { - ocsp_req = nullptr; - } - -OCSP_REQVal::~OCSP_REQVal() - { - if (ocsp_req) - OCSP_REQUEST_free(ocsp_req); - } - -OCSP_REQUEST* OCSP_REQVal::GetReq() const - { - return ocsp_req; - } - -bool OCSP_REQVal::DoSerialize(SerialInfo* info) const - { - DO_SERIALIZE(SER_OCSP_REQ_VAL, OpaqueVal); - unsigned char *buf = nullptr; - int length = i2d_OCSP_REQUEST(ocsp_req, &buf); - if ( length < 0 ) - return false; - bool res = SERIALIZE_STR(reinterpret_cast(buf), length); - OPENSSL_free(buf); - return res; - } - -bool OCSP_REQVal::DoUnserialize(UnserialInfo* info) - { - DO_UNSERIALIZE(OpaqueVal) - - int length; - unsigned char *ocsp_req_buf, *opensslbuf; - - if ( ! UNSERIALIZE_STR(reinterpret_cast(&ocsp_req_buf), &length) ) - return false; - opensslbuf = ocsp_req_buf; // OpenSSL likes to shift pointers around. really. 
- ocsp_req = d2i_OCSP_REQUEST(nullptr, const_cast(&opensslbuf), length); - delete[] ocsp_req_buf; - if ( !ocsp_req ) - return false; - return true; - } - - -//OCSP_RESPVal OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type) { ocsp_resp = arg_ocsp_resp; diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index ab40c13bca..2ab9b014fd 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -15,7 +15,6 @@ namespace file_analysis { -class OCSP_REQVal; class OCSP_RESPVal; class OCSP : public file_analysis::Analyzer { @@ -24,8 +23,6 @@ public: virtual bool Undelivered(uint64 offset, uint64 len); virtual bool EndOfFile(); - static RecordVal *ParseResponse(OCSP_RESPVal *, const char* fid = 0); - static RecordVal *ParseRequest(OCSP_REQVal *, const char* fid = 0); static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); @@ -33,22 +30,13 @@ protected: OCSP(RecordVal* args, File* file, const string& ocsp_type); private: + void ParseResponse(OCSP_RESPVal *, const char* fid = 0); + void ParseRequest(OCSP_REQUEST *, const char* fid = 0); + std::string ocsp_data; std::string ocsp_type; }; -class OCSP_REQVal: public OpaqueVal { -public: - explicit OCSP_REQVal(OCSP_REQUEST *); - ~OCSP_REQVal(); - OCSP_REQUEST *GetReq() const; -protected: - OCSP_REQVal(); -private: - OCSP_REQUEST *ocsp_req; - DECLARE_SERIAL(OCSP_REQVal); -}; - class OCSP_RESPVal: public OpaqueVal { public: explicit OCSP_RESPVal(OCSP_RESPONSE *); diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif index fcdeaa31d1..5f435faad8 100644 --- a/src/file_analysis/analyzer/x509/events.bif +++ b/src/file_analysis/analyzer/x509/events.bif 
@@ -1,4 +1,4 @@ -## Generated for encountered X509 certificates, e.g., in the clear SSL/TLS +## Generated for encountered X509 certificates, e.g., in the clear SSL/TLS ## connection handshake. ## ## See `Wikipedia `__ for more information diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif index b956e2c12e..2a1e5805c9 100644 --- a/src/file_analysis/analyzer/x509/ocsp_events.bif +++ b/src/file_analysis/analyzer/x509/ocsp_events.bif @@ -1,18 +1,19 @@ -## Generated for encountered OCSP request -## +## Event that is raised when encountering an OCSP request, e.g. in an HTTP +## connection. See :rfc:`6960` for more details. ## ## f: The file. ## -## req_ref: An opaque pointer to the underlying OpenSSL data structure of the -## OCSP request +## req: version: the version of the OCSP request. Typically 0 (Version 1). ## -## req: The parsed OCSP request information. +## requestorName: name of the OCSP requestor. This attribute is optional; if +## it is not set, an empty string is returned here. ## -event ocsp_request%(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request%); +event ocsp_request%(f: fa_file, version: count, requestorName: string%); + +event ocsp_request_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string%); ## Generated for encountered OCSP response ## -## ## f: The file. ## ## req_ref: An opaque pointer to the underlying OpenSSL data structure of the 
@@ -20,4 +21,8 @@ event ocsp_request%(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request% ## ## req: The parsed OCSP response information. ## -event ocsp_response%(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response%); +event ocsp_response_status%(f: fa_file, status: string%); + +event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%); + +event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time%); diff --git a/src/file_analysis/analyzer/x509/ocsp_functions.bif b/src/file_analysis/analyzer/x509/ocsp_functions.bif deleted file mode 100644 index 1901b90569..0000000000 --- a/src/file_analysis/analyzer/x509/ocsp_functions.bif +++ /dev/null 
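Review bot: The new events `ocsp_response_status`, `ocsp_response_bytes` and `ocsp_response_certificate` have no `##` documentation of their own, and the comment block left above `ocsp_response_status` still describes `req_ref` and `req`, which that event does not take. Each event should get its own block listing its parameters. For `ocsp_response_certificate` the block should state that `revoketime` and `nextUpdate` are reported as time 0 and `revokereason` as an empty string when the field is absent (see the OCSP.cc hunks of this commit), so that scripts do not read a missing `nextUpdate` as an expired one. `ocsp_request_certificate` in the previous hunk is undocumented as well.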
@@ -1,68 +0,0 @@ -%%{ -#include "file_analysis/analyzer/x509/OCSP.h" -#include "ocsp_types.bif.h" -%%} - -## Parses a OCSP response into an OCSP::Response structure. -## -## ocsp_reply: OCSP data. -## -## Returns: A OCSP::Response structure. -## -## .. bro:see:: ssl_stapled_ocsp ocsp_parse_request -function ocsp_parse_response%(ocsp_reply: string%): OCSP::Response - %{ - const unsigned char* start = ocsp_reply->Bytes(); - OCSP_RESPONSE *resp = NULL; - file_analysis::OCSP_RESPVal* resp_val = NULL; - RecordVal* resp_record = NULL; - resp = d2i_OCSP_RESPONSE(NULL, &start, ocsp_reply->Len()); - if ( ! resp ) - { - reporter->Weird("OPENSSL Could not parse OCSP response"); - return NULL; - } - resp_val = new file_analysis::OCSP_RESPVal(resp); - resp_record = file_analysis::OCSP::ParseResponse(resp_val); - if (!resp_record) - { - reporter->Weird("Internal fail to parse OCSP response"); - Unref(resp_val); - return NULL; - } - Unref(resp_val); - //Unref(resp_record); - return resp_record; - %} - -## Parses a OCSP request into an OCSP::Request structure. -## -## ocsp_req: OCSP data. -## -## Returns: A OCSP::Request structure. -## -## .. bro:see:: ssl_stapled_ocsp ocsp_parse_response -function ocsp_parse_request%(ocsp_req: string%): OCSP::Request - %{ - const unsigned char* start = ocsp_req->Bytes(); - OCSP_REQUEST *req = NULL; - file_analysis::OCSP_REQVal* req_val = NULL; - RecordVal* req_record = NULL; - req = d2i_OCSP_REQUEST(NULL, &start, ocsp_req->Len()); - if ( ! req ) - { - reporter->Weird("OPENSSL Could not parse OCSP request"); - return NULL; - } - req_val = new file_analysis::OCSP_REQVal(req); - req_record = file_analysis::OCSP::ParseRequest(req_val); - if (!req_record) - { - reporter->Weird("Internal fail to parse OCSP request"); - Unref(req_val); - return NULL; - } - Unref(req_val); - //Unref(req_record); - return req_record; - %} 
diff --git a/src/file_analysis/analyzer/x509/ocsp_types.bif b/src/file_analysis/analyzer/x509/ocsp_types.bif deleted file mode 100644 index 8d8cb5dd9b..0000000000 --- a/src/file_analysis/analyzer/x509/ocsp_types.bif +++ /dev/null @@ -1,5 +0,0 @@ -type OCSP::Request: record; -type OCSP::Response: record; -type OCSP::OneReq: record; -type OCSP::SingleResp: record; -type OCSP::CertId: record; diff --git a/src/main.cc b/src/main.cc index efda617ba4..11df1af0c2 100644 --- a/src/main.cc +++ b/src/main.cc @@ -129,7 +129,6 @@ OpaqueType* cardinality_type = 0; OpaqueType* topk_type = 0; OpaqueType* bloomfilter_type = 0; OpaqueType* x509_opaque_type = 0; -OpaqueType* ocsp_req_opaque_type = 0; OpaqueType* ocsp_resp_opaque_type = 0; // Keep copy of command line @@ -841,7 +840,6 @@ int main(int argc, char** argv) topk_type = new OpaqueType("topk"); bloomfilter_type = new OpaqueType("bloomfilter"); x509_opaque_type = new OpaqueType("x509"); - ocsp_req_opaque_type = new OpaqueType("ocsp_req"); ocsp_resp_opaque_type = new OpaqueType("ocsp_resp"); // The leak-checker tends to produce some false From 1b19ab78b63ee212434f932e3d49fa229ef8631c Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 9 Feb 2017 16:14:08 -0800 Subject: [PATCH 070/631] OCSP: split into two analysers in scriptland. Instead of having an additional string argument specifying if we are sending a request or a reply, we now have an ANALYZER_OCSP_REQUEST and an ANALYZER_OCSP_REPLY --- scripts/base/files/x509/ocsp.bro | 4 ++-- src/file_analysis/analyzer/x509/OCSP.cc | 29 +++++++++-------------- src/file_analysis/analyzer/x509/OCSP.h | 8 +++---- src/file_analysis/analyzer/x509/Plugin.cc | 3 ++- 4 files changed, 19 insertions(+), 25 deletions(-) diff --git a/scripts/base/files/x509/ocsp.bro b/scripts/base/files/x509/ocsp.bro index 078d7f730f..cb8c340c64 100644 --- a/scripts/base/files/x509/ocsp.bro +++ b/scripts/base/files/x509/ocsp.bro 
@@ -13,7 +13,7 @@ export { ocsp_type: string &optional; }; - ## ocsp logging + ## ocsp logging redef enum Log::ID += { LOG }; ## type for pending ocsp request @@ -23,7 +23,7 @@ export { ## one ocsp request record type Info_req: record { ## time for the request - ts: time; + ts: time; ## file id for this request or ## hash of the GET url if it's GET request id: string &log &optional; diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index a5a1d268e6..e3ac124260 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -74,21 +74,19 @@ void ocsp_add_cert_id(OCSP_CERTID *cert_id, val_list* vl, BIO* bio) BIO_reset(bio); } -file_analysis::Analyzer* OCSP::Instantiate(RecordVal* args, File* file) +file_analysis::Analyzer* OCSP::InstantiateRequest(RecordVal* args, File* file) { - Val* ocsp_type = get_ocsp_type(args, "ocsp_type"); - - if (! ocsp_type ) - return 0; - - return new OCSP(args, file, ocsp_type->AsString()->CheckString()); + return new OCSP(args, file, true); } -file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, const string& arg_ocsp_type) - : file_analysis::Analyzer(file_mgr->GetComponentTag("OCSP"), args, file) +file_analysis::Analyzer* OCSP::InstantiateReply(RecordVal* args, File* file) + { + return new OCSP(args, file, false); + } + +file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, bool arg_request) + : file_analysis::Analyzer(file_mgr->GetComponentTag("OCSP"), args, file), request(arg_request) { - ocsp_type = arg_ocsp_type; - ocsp_data.clear(); } bool file_analysis::OCSP::DeliverStream(const u_char* data, uint64 len) @@ -108,7 +106,7 @@ bool file_analysis::OCSP::EndOfFile() { const unsigned char* ocsp_char = reinterpret_cast(ocsp_data.data()); - if (ocsp_type == "request") + if ( request ) { OCSP_REQUEST *req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size()); 
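Review bot: The OCSP constructor still passes `file_mgr->GetComponentTag("OCSP")` to the base class, while the Plugin.cc hunk of this commit replaces the "OCSP" component with "OCSP_REQUEST" and "OCSP_REPLY". If the lookup is by registered component name, as the call suggests, both analyzers end up with a tag that no longer matches any registered component; consider `file_mgr->GetComponentTag(arg_request ? "OCSP_REQUEST" : "OCSP_REPLY")`. A one-line comment on `InstantiateRequest` and `InstantiateReply` naming the component each one backs would make the pairing with Plugin.cc easier to check.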
@@ -121,7 +119,7 @@ bool file_analysis::OCSP::EndOfFile() ParseRequest(req, GetFile()->GetID().c_str()); OCSP_REQUEST_free(req); } - else if (ocsp_type == "response") + else { OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size()); if (!resp) @@ -134,11 +132,6 @@ bool file_analysis::OCSP::EndOfFile() ParseResponse(resp_val, GetFile()->GetID().c_str()); Unref(resp_val); } - else - { - reporter->Weird(fmt("the given argument of ocsp_type (%s) is not recognized", ocsp_type.c_str())); - return false; - } return true; } diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index 2ab9b014fd..4c3ebed525 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -23,18 +23,18 @@ public: virtual bool Undelivered(uint64 offset, uint64 len); virtual bool EndOfFile(); - - static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); + static file_analysis::Analyzer* InstantiateRequest(RecordVal* args, File* file); + static file_analysis::Analyzer* InstantiateReply(RecordVal* args, File* file); protected: - OCSP(RecordVal* args, File* file, const string& ocsp_type); + OCSP(RecordVal* args, File* file, bool request); private: void ParseResponse(OCSP_RESPVal *, const char* fid = 0); void ParseRequest(OCSP_REQUEST *, const char* fid = 0); std::string ocsp_data; - std::string ocsp_type; + bool request = false; // true if ocsp request, false if reply }; class OCSP_RESPVal: public OpaqueVal { diff --git a/src/file_analysis/analyzer/x509/Plugin.cc b/src/file_analysis/analyzer/x509/Plugin.cc index 5a0b67136a..31dbe346a8 100644 --- a/src/file_analysis/analyzer/x509/Plugin.cc +++ b/src/file_analysis/analyzer/x509/Plugin.cc 
@@ -14,7 +14,8 @@ public: plugin::Configuration Configure() { AddComponent(new ::file_analysis::Component("X509", ::file_analysis::X509::Instantiate)); - AddComponent(new ::file_analysis::Component("OCSP", ::file_analysis::OCSP::Instantiate)); + AddComponent(new ::file_analysis::Component("OCSP_REQUEST", ::file_analysis::OCSP::InstantiateRequest)); + AddComponent(new ::file_analysis::Component("OCSP_REPLY", ::file_analysis::OCSP::InstantiateReply)); plugin::Configuration config; config.name = "Bro::X509"; From 9fd78165018aeb036787dc788b10daa0f5eb73fc Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 10 Feb 2017 12:34:23 -0800 Subject: [PATCH 071/631] Allow File analyzers to direcly pass mime type. This makes it much easier for protocols where the mime type is known in advance like, for example, TLS. We now do no longer have to perform deep script-level magic. --- scripts/base/files/x509/main.bro | 9 ++++++++ scripts/base/init-bare.bro | 3 +++ scripts/base/protocols/krb/files.bro | 6 ----- scripts/base/protocols/rdp/main.bro | 4 ---- scripts/base/protocols/ssl/files.bro | 6 ----- src/analyzer/protocol/krb/krb-padata.pac | 8 +++---- src/analyzer/protocol/rdp/rdp-analyzer.pac | 2 +- .../protocol/ssl/proc-certificate.pac | 5 +++- src/file_analysis/File.cc | 23 +++++++++++++++++++ src/file_analysis/File.h | 20 ++++++++++++++++ src/file_analysis/Manager.cc | 11 +++++++-- src/file_analysis/Manager.h | 18 +++++++++++++-- 12 files changed, 89 insertions(+), 26 deletions(-) diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro index bbf99f6a4d..44ea83fc39 100644 --- a/scripts/base/files/x509/main.bro +++ b/scripts/base/files/x509/main.bro 
@@ -38,6 +38,15 @@ export { event bro_init() &priority=5 { Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509"]); + + Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-user-cert"); + Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-ca-cert"); + # Always calculate hashes. They are not necessary for base scripts + # but very useful for identification, and required for policy scripts + Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-user-cert"); + Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-ca-cert"); + Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-user-cert"); + Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-ca-cert"); } redef record Files::Info += { diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index ffee527bb7..f3421fd557 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -446,6 +446,9 @@ type fa_metadata: record { mime_type: string &optional; ## All matching mime types if any were discovered. mime_types: mime_matches &optional; + ## Specifies if the mime type was inferred using signatures, + ## or provided by the protocol the file appeared in. + inferred: bool &default=T; }; ## Fields of a SYN packet. diff --git a/scripts/base/protocols/krb/files.bro b/scripts/base/protocols/krb/files.bro index cd2127c605..947c2db41a 100644 --- a/scripts/base/protocols/krb/files.bro +++ b/scripts/base/protocols/krb/files.bro @@ -101,12 +101,6 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori } c$krb = info; - - Files::add_analyzer(f, Files::ANALYZER_X509); - # Always calculate hashes. They are not necessary for base scripts - # but very useful for identification, and required for policy scripts - Files::add_analyzer(f, Files::ANALYZER_MD5); - Files::add_analyzer(f, Files::ANALYZER_SHA1); } function fill_in_subjects(c: connection) 
diff --git a/scripts/base/protocols/rdp/main.bro b/scripts/base/protocols/rdp/main.bro index c6d550c3f7..f543fd2cae 100644 --- a/scripts/base/protocols/rdp/main.bro +++ b/scripts/base/protocols/rdp/main.bro @@ -236,10 +236,6 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori { # Count up X509 certs. ++c$rdp$cert_count; - - Files::add_analyzer(f, Files::ANALYZER_X509); - Files::add_analyzer(f, Files::ANALYZER_MD5); - Files::add_analyzer(f, Files::ANALYZER_SHA1); } } diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro index fad0fa0483..8a1380a270 100644 --- a/scripts/base/protocols/ssl/files.bro +++ b/scripts/base/protocols/ssl/files.bro @@ -114,12 +114,6 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori c$ssl$cert_chain[|c$ssl$cert_chain|] = f$info; c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id; } - - Files::add_analyzer(f, Files::ANALYZER_X509); - # Always calculate hashes. They are not necessary for base scripts - # but very useful for identification, and required for policy scripts. - Files::add_analyzer(f, Files::ANALYZER_MD5); - Files::add_analyzer(f, Files::ANALYZER_SHA1); } event ssl_established(c: connection) &priority=6 diff --git a/src/analyzer/protocol/krb/krb-padata.pac b/src/analyzer/protocol/krb/krb-padata.pac index b178239f4d..4667ab1677 100644 --- a/src/analyzer/protocol/krb/krb-padata.pac +++ b/src/analyzer/protocol/krb/krb-padata.pac @@ -75,8 +75,8 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a string file_id = file_mgr->HashHandle(file_handle.Description()); file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), bro_analyzer->GetAnalyzerTag(), - bro_analyzer->Conn(), true, file_id); + cert.length(), bro_analyzer->GetAnalyzerTag(), + bro_analyzer->Conn(), true, file_id, "application/x-x509-user-cert"); file_mgr->EndOfFile(file_id); break; 
@@ -99,8 +99,8 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a string file_id = file_mgr->HashHandle(file_handle.Description()); file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), bro_analyzer->GetAnalyzerTag(), - bro_analyzer->Conn(), false, file_id); + cert.length(), bro_analyzer->GetAnalyzerTag(), + bro_analyzer->Conn(), true, file_id, "application/x-x509-user-cert"); file_mgr->EndOfFile(file_id); break; diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac index 01b47e9478..1ba2c465d8 100644 --- a/src/analyzer/protocol/rdp/rdp-analyzer.pac +++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac @@ -142,7 +142,7 @@ refine flow RDP_Flow += { connection()->bro_analyzer()->GetAnalyzerTag(), connection()->bro_analyzer()->Conn(), false, // It seems there are only server certs? - file_id); + file_id, "application/x-x509-user-cert"); file_mgr->EndOfFile(file_id); return true; diff --git a/src/analyzer/protocol/ssl/proc-certificate.pac b/src/analyzer/protocol/ssl/proc-certificate.pac index c2353e3a88..ee2247e5be 100644 --- a/src/analyzer/protocol/ssl/proc-certificate.pac +++ b/src/analyzer/protocol/ssl/proc-certificate.pac @@ -9,6 +9,9 @@ common.AddRaw(is_orig ? "T" : "F", 1); bro_analyzer()->Conn()->IDString(&common); + string user_mime = "application/x-x509-user-cert"; + string ca_mime = "application/x-x509-ca-cert"; + for ( unsigned int i = 0; i < certificates->size(); ++i ) { const bytestring& cert = (*certificates)[i]; @@ -21,7 +24,7 @@ file_mgr->DataIn(reinterpret_cast(cert.data()), cert.length(), bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), is_orig, file_id); + bro_analyzer()->Conn(), is_orig, file_id, i == 0 ? user_mime : ca_mime); file_mgr->EndOfFile(file_id); } return true; diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 46e67f7cd8..2d9017a338 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc 
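Review bot: The second `file_mgr->DataIn` call in `proc_padata` changes its direction argument from `false` to `true` along with adding the MIME type, but the commit message only describes the MIME type. If the flip is intended, it deserves a line in the commit message or a comment at the call. Otherwise keep `bro_analyzer->Conn(), false, file_id, "application/x-x509-user-cert");` so certificates from this PA-data branch stay attributed to the same endpoint as before. proc_padata starts and ends outside the hunk.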
@@ -55,6 +55,7 @@ int File::bof_buffer_size_idx = -1; int File::bof_buffer_idx = -1; int File::meta_mime_type_idx = -1; int File::meta_mime_types_idx = -1; +int File::meta_inferred_idx = -1; void File::StaticInit() { @@ -76,6 +77,7 @@ void File::StaticInit() bof_buffer_idx = Idx("bof_buffer", fa_file_type); meta_mime_type_idx = Idx("mime_type", fa_metadata_type); meta_mime_types_idx = Idx("mime_types", fa_metadata_type); + meta_inferred_idx = Idx("inferred", fa_metadata_type); } File::File(const string& file_id, const string& source_name, Connection* conn, @@ -290,6 +292,27 @@ void File::SetReassemblyBuffer(uint64 max) reassembly_max_buffer = max; } +bool File::SetMime(const string& mime_type) + { + if ( mime_type.empty() || bof_buffer.size != 0 ) + return false; + + did_metadata_inference = true; + bof_buffer.full = true; + + if ( ! FileEventAvailable(file_sniff) ) + return false; + + val_list* vl = new val_list(); + vl->append(val->Ref()); + RecordVal* meta = new RecordVal(fa_metadata_type); + vl->append(meta); + meta->Assign(meta_mime_type_idx, new StringVal(mime_type)); + meta->Assign(meta_inferred_idx, new Val(0, TYPE_BOOL)); + FileEvent(file_sniff, vl); + return true; + } + void File::InferMetadata() { did_metadata_inference = true; diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index c799907a8f..c52d9efbc4 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h 
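Review bot: `File::SetMime` does not enforce the set-once rule its header comment promises: the only state check is `bof_buffer.size != 0`, and because the function itself sets `bof_buffer.full = true` the buffer may stay empty afterwards (File::DataIn is not visible here), in which case each later `Manager::DataIn` call that passes a MIME type would raise `file_sniff` again. Guarding with `if ( mime_type.empty() || did_metadata_inference || bof_buffer.size != 0 ) return false;` closes that. The `return false` after `! FileEventAvailable(file_sniff)` reports failure although content sniffing has already been switched off, which contradicts the documented return value. Since a protocol-supplied type disables signature matching for bytes that still come from the peer, a comment telling consumers to check `inferred` before trusting `mime_type` would be useful.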
@@ -171,6 +171,25 @@ public: */ void FileEvent(EventHandlerPtr h, val_list* vl); + + /** + * Sets the MIME type for a file to a specific value. + * + * Setting the MIME type has to be done before the MIME type is + * inferred from the content. After a MIME type has been set once, + * it cannot be changed anymore. + * + * This function should only be called when it does not make sense + * to perform automated MIME type detections. This is e.g. the case + * in protocols where the file type is fixed in the protocol description. + * This is for example the case for TLS and X.509 certificates. + * + * @param mime_type mime type to set + * @return true if the mime type was set. False if it could not be set because + * a mime type was already set or inferred. + */ + bool SetMime(const string& mime_type); + protected: friend class Manager; friend class FileReassembler; @@ -319,6 +338,7 @@ protected: static int bof_buffer_idx; static int mime_type_idx; static int mime_types_idx; + static int meta_inferred_idx; static int meta_mime_type_idx; static int meta_mime_types_idx; diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index 217c901969..3140a1e9db 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -110,7 +110,7 @@ void Manager::SetHandle(const string& handle) string Manager::DataIn(const u_char* data, uint64 len, uint64 offset, analyzer::Tag tag, Connection* conn, bool is_orig, - const string& precomputed_id) + const string& precomputed_id, const string& mime_type) { string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id; File* file = GetFile(id, conn, tag, is_orig); @@ -118,6 +118,9 @@ string Manager::DataIn(const u_char* data, uint64 len, uint64 offset, if ( ! file ) return ""; + if ( ! mime_type.empty() ) + file->SetMime(mime_type); + file->DataIn(data, len, offset); if ( file->IsComplete() ) 
@@ -130,7 +133,8 @@ string Manager::DataIn(const u_char* data, uint64 len, uint64 offset, } string Manager::DataIn(const u_char* data, uint64 len, analyzer::Tag tag, - Connection* conn, bool is_orig, const string& precomputed_id) + Connection* conn, bool is_orig, const string& precomputed_id, + const string& mime_type) { string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id; // Sequential data input shouldn't be going over multiple conns, so don't @@ -140,6 +144,9 @@ string Manager::DataIn(const u_char* data, uint64 len, analyzer::Tag tag, if ( ! file ) return ""; + if ( ! mime_type.empty() ) + file->SetMime(mime_type); + file->DataIn(data, len); if ( file->IsComplete() ) diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index bcc8ac5dd2..d4ab6c8dfc 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -93,6 +93,12 @@ public: * or false if is being sent in the opposite direction. * @param precomputed_file_id may be set to a previous return value in order to * bypass costly file handle lookups. + * @param mime_type may be set to the mime type of the file, if already known due + * to the protocol. This is, e.g., the case in TLS connections where X.509 + * certificates are passed as files; here the type of the file is set by + * the protocol. If this parameter is give, mime type detection will be + * disabled. + * This parameter is only used for the first bit of data for each file. * @return a unique file ID string which, in certain contexts, may be * cached and passed back in to a subsequent function call in order * to avoid costly file handle lookups (which have to go through @@ -101,7 +107,8 @@ public: */ std::string DataIn(const u_char* data, uint64 len, uint64 offset, analyzer::Tag tag, Connection* conn, bool is_orig, - const std::string& precomputed_file_id = ""); + const std::string& precomputed_file_id = "", + const std::string& mime_type = ""); /** * Pass in sequential file data. 
@@ -113,6 +120,12 @@ public: * or false if is being sent in the opposite direction. * @param precomputed_file_id may be set to a previous return value in order to * bypass costly file handle lookups. + * @param mime_type may be set to the mime type of the file, if already known due + * to the protocol. This is, e.g., the case in TLS connections where X.509 + * certificates are passed as files; here the type of the file is set by + * the protocol. If this parameter is give, mime type detection will be + * disabled. + * This parameter is only used for the first bit of data for each file. * @return a unique file ID string which, in certain contexts, may be * cached and passed back in to a subsequent function call in order * to avoid costly file handle lookups (which have to go through @@ -121,7 +134,8 @@ public: */ std::string DataIn(const u_char* data, uint64 len, analyzer::Tag tag, Connection* conn, bool is_orig, - const std::string& precomputed_file_id = ""); + const std::string& precomputed_file_id = "", + const std::string& mime_type = ""); /** * Pass in sequential file data from external source (e.g. input framework). From 8b50a1e09b21ae57632091542d668e626a4a1ee8 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 10 Feb 2017 12:47:24 -0800 Subject: [PATCH 072/631] SSL: parse OCSP stapled extension as file --- .../protocol/ssl/tls-handshake-analyzer.pac | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index e16606a0b0..799162a32f 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac 
@@ -211,13 +211,31 @@ refine connection Handshake_Conn += { function proc_ocsp_response(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool %{ - if ( status_type == 1 || status_type == 2 ) // ocsp + ODesc common; + common.AddRaw("Analyzer::ANALYZER_SSL"); + common.Add(bro_analyzer()->Conn()->StartTime()); + common.AddRaw("F"); + bro_analyzer()->Conn()->IDString(&common); + + if ( status_type == 1 || status_type == 2 ) // ocsp { + ODesc file_handle; + file_handle.Add(common.Description()); + file_handle.Add("ocsp"); + + string file_id = file_mgr->HashHandle(file_handle.Description()); + + file_mgr->DataIn(reinterpret_cast(response.data()), + response.length(), bro_analyzer()->GetAnalyzerTag(), + bro_analyzer()->Conn(), false, file_id, "application/ocsp-response"); + BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, new StringVal(response.length(), (const char*) response.data()), status_type); + + } return true; %} From cdcc21ea4bfc57c8adf53685868d8fea5b0d1613 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 10 Feb 2017 13:31:15 -0800 Subject: [PATCH 073/631] OCSP: generic extension parsing. Raises ocsp_extension event if an extension is present in the reply or in one of the singlereplies. --- src/file_analysis/analyzer/x509/OCSP.cc | 75 ++++++++++++++++++- src/file_analysis/analyzer/x509/OCSP.h | 1 + src/file_analysis/analyzer/x509/X509.cc | 1 + .../analyzer/x509/ocsp_events.bif | 2 + 4 files changed, 78 insertions(+), 1 deletion(-) diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index e3ac124260..704df3a6db 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -3,8 +3,10 @@ #include #include "OCSP.h" +#include "X509.h" #include "Event.h" +#include "types.bif.h" #include "ocsp_events.bif.h" #include "file_analysis/Manager.h" 
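Review bot: The stapled response is handed to `file_mgr->DataIn(...)` in proc_ocsp_response, but nothing in this hunk ends the file, and the handle is derived only from the connection plus the literal "ocsp", so every stapled response on one connection maps to the same file ID. If the OCSP analyzer does its parsing in EndOfFile, as its declarations in OCSP.h suggest, parsing would be deferred until the file is closed some other way and a second response would be appended to the first; consider adding `file_mgr->EndOfFile(file_id);` directly after the DataIn call. The direction is also hard-coded as `false` while the event next to it passes `${rec.is_orig}`; using the same value in both places keeps the file's direction consistent with the event. `common` is built before the `status_type` check and is unused for other status types, so it can move inside the branch.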
@@ -185,7 +187,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) OCSP_RESPDATA *resp_data = nullptr; OCSP_RESPID *resp_id = nullptr; - int resp_count = 0; + int resp_count, num_ext = 0; VectorVal *certs_vector = nullptr; int len = 0; @@ -285,6 +287,16 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) rvl->append(new Val(0, TYPE_TIME)); mgr.QueueEvent(ocsp_response_certificate, rvl); + + num_ext = OCSP_SINGLERESP_get_ext_count(single_resp); + for ( int k = 0; k < num_ext; ++k ) + { + X509_EXTENSION* ex = OCSP_SINGLERESP_get_ext(single_resp, k); + if ( ! ex ) + continue; + + ParseExtension(ex, false); + } } i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm); 
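Review bot: `int resp_count, num_ext = 0;` in the `@@ -185,7 +187,7 @@` hunk initializes only `num_ext`; `resp_count`, which was `= 0` before this change, is now indeterminate until it is assigned. ParseResponse jumps to a `clean_up` label and its body extends beyond the hunk, so whether every path assigns `resp_count` before reading it cannot be confirmed from here. Declare the two separately or write `int resp_count = 0, num_ext = 0;`.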
@@ -314,12 +326,73 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) } mgr.QueueEvent(ocsp_response_bytes, vl); + // ok, now that we are done with the actual certificate - let's parse extensions :) + num_ext = OCSP_BASICRESP_get_ext_count(basic_resp); + for ( int k = 0; k < num_ext; ++k ) + { + X509_EXTENSION* ex = OCSP_BASICRESP_get_ext(basic_resp, k); + if ( ! ex ) + continue; + + ParseExtension(ex, true); + } + + clean_up: if (basic_resp) OCSP_BASICRESP_free(basic_resp); BIO_free(bio); } +// This is a near copy from X509 +void file_analysis::OCSP::ParseExtension(X509_EXTENSION* ex, bool global) + { + char name[256]; + char oid[256]; + + ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); + const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn)); + + OBJ_obj2txt(name, 255, ext_asn, 0); + OBJ_obj2txt(oid, 255, ext_asn, 1); + + int critical = 0; + if ( X509_EXTENSION_get_critical(ex) != 0 ) + critical = 1; + + BIO *bio = BIO_new(BIO_s_mem()); + if( ! X509V3_EXT_print(bio, ex, 0, 0)) + M_ASN1_OCTET_STRING_print(bio,ex->value); + + StringVal* ext_val = X509::GetExtensionFromBIO(bio); + + if ( ! ext_val ) + ext_val = new StringVal(0, ""); + + RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension); + pX509Ext->Assign(0, new StringVal(name)); + + if ( short_name and strlen(short_name) > 0 ) + pX509Ext->Assign(1, new StringVal(short_name)); + + pX509Ext->Assign(2, new StringVal(oid)); + pX509Ext->Assign(3, new Val(critical, TYPE_BOOL)); + pX509Ext->Assign(4, ext_val); + + // send off generic extension event + // + // and then look if we have a specialized event for the extension we just + // parsed. And if we have it, we send the specialized event on top of the + // generic event that we just had. I know, that is... kind of not nice, + // but I am not sure if there is a better way to do it... + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(pX509Ext); + vl->append(new Val(global ? 
1 : 0, TYPE_BOOL)); + + mgr.QueueEvent(ocsp_extension, vl); + } + OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type) { ocsp_resp = arg_ocsp_resp; diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index 4c3ebed525..f3560ecea4 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -32,6 +32,7 @@ protected: private: void ParseResponse(OCSP_RESPVal *, const char* fid = 0); void ParseRequest(OCSP_REQUEST *, const char* fid = 0); + void ParseExtension(X509_EXTENSION*, bool global); std::string ocsp_data; bool request = false; // true if ocsp request, false if reply diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index a98b96f244..5c6eb2a5ee 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -248,6 +248,7 @@ StringVal* file_analysis::X509::GetExtensionFromBIO(BIO* bio) return ext_val; } +// this is nearly replicated in the OCSP analyzer void file_analysis::X509::ParseExtension(X509_EXTENSION* ex) { char name[256]; diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif index 2a1e5805c9..76208c210e 100644 --- a/src/file_analysis/analyzer/x509/ocsp_events.bif +++ b/src/file_analysis/analyzer/x509/ocsp_events.bif @@ -26,3 +26,5 @@ event ocsp_response_status%(f: fa_file, status: string%); event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%); event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time%); + +event ocsp_extension%(f: fa_file, ext: X509::Extension, global_resp: bool%); 
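Review bot: In the new OCSP::ParseExtension (`@@ -314,12 +326,73 @@`), the result of `BIO_new(BIO_s_mem())` is passed to `X509V3_EXT_print` without a null check, and the extension being printed comes from a response received off the wire. Add `if ( ! bio ) { reporter->Error("OCSP::ParseExtension: BIO_new failed"); return; }` before the print call. The fallback `M_ASN1_OCTET_STRING_print(bio,ex->value)` also reaches into the extension struct directly; `X509_EXTENSION_get_data(ex)` is the accessor for that field. A one-line comment that `X509::GetExtensionFromBIO` frees `bio` would explain why no `BIO_free` follows.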
From c550521221561809050cddfa7e8d2a11dcaaae84 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 10 Feb 2017 15:18:52 -0800 Subject: [PATCH 074/631] OCSP: parse signed certificate timestamps With this change, we also parse signed certificate timestamps from OCSP replies. This introduces a common base class between the OCSP and X509 analyzer, which now share a bit of common code. The event for signed certificate timestamps is raised by both and thus renamed do: x509_ocsp_ext_signed_certificate_timestamp --- src/file_analysis/analyzer/x509/Asn1Time.h | 157 --------- .../analyzer/x509/CMakeLists.txt | 2 +- src/file_analysis/analyzer/x509/OCSP.cc | 61 +--- src/file_analysis/analyzer/x509/OCSP.h | 13 +- src/file_analysis/analyzer/x509/X509.cc | 170 ++-------- src/file_analysis/analyzer/x509/X509.h | 27 +- src/file_analysis/analyzer/x509/X509Common.cc | 315 ++++++++++++++++++ src/file_analysis/analyzer/x509/X509Common.h | 44 +++ src/file_analysis/analyzer/x509/events.bif | 2 +- .../analyzer/x509/x509-extension.pac | 2 +- .../x509/signed_certificate_timestamp.test | 2 +- 11 files changed, 404 insertions(+), 391 deletions(-) delete mode 100644 src/file_analysis/analyzer/x509/Asn1Time.h create mode 100644 src/file_analysis/analyzer/x509/X509Common.cc create mode 100644 src/file_analysis/analyzer/x509/X509Common.h diff --git a/src/file_analysis/analyzer/x509/Asn1Time.h b/src/file_analysis/analyzer/x509/Asn1Time.h deleted file mode 100644 index 31013ec2a7..0000000000 --- a/src/file_analysis/analyzer/x509/Asn1Time.h +++ /dev/null 
@@ -1,157 +0,0 @@ -static double GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter) - { - const char *fid = arg_fid ? arg_fid : ""; - time_t lResult = 0; - - char lBuffer[26]; - char* pBuffer = lBuffer; - - const char *pString = (const char *) atime->data; - unsigned int remaining = atime->length; - - if ( atime->type == V_ASN1_UTCTIME ) - { - if ( remaining < 11 || remaining > 17 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid)); - return 0; - } - - if ( pString[remaining-1] != 'Z' ) - { - // not valid according to RFC 2459 4.1.2.5.1 - reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid)); - return 0; - } - - // year is first two digits in YY format. Buffer expects YYYY format. - if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1 - { - *(pBuffer++) = '2'; - *(pBuffer++) = '0'; - } - else - { - *(pBuffer++) = '1'; - *(pBuffer++) = '9'; - } - - memcpy(pBuffer, pString, 10); - pBuffer += 10; - pString += 10; - remaining -= 10; - } - else if ( atime->type == V_ASN1_GENERALIZEDTIME ) - { - // generalized time. We apparently ignore the YYYYMMDDHH case - // for now and assume we always have minutes and seconds. 
- // This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2 - - if ( remaining < 12 || remaining > 23 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid)); - return 0; - } - - memcpy(pBuffer, pString, 12); - pBuffer += 12; - pString += 12; - remaining -= 12; - } - else - { - reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid)); - return 0; - } - - if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') ) - { - *(pBuffer++) = '0'; - *(pBuffer++) = '0'; - } - - else if ( remaining >= 2 ) - { - *(pBuffer++) = *(pString++); - *(pBuffer++) = *(pString++); - - remaining -= 2; - - // Skip any fractional seconds... - if ( (remaining > 0) && (*pString == '.') ) - { - pString++; - remaining--; - - while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') ) - { - pString++; - remaining--; - } - } - } - - else - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid)); - return 0; - } - - *(pBuffer++) = 'Z'; - *(pBuffer++) = '\0'; - - time_t lSecondsFromUTC; - - if ( remaining == 0 || *pString == 'Z' ) - lSecondsFromUTC = 0; - else - { - if ( remaining < 5 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid)); - return 0; - } - - if ((*pString != '+') && (*pString != '-')) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid)); - return 0; - } - - lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60; - lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0'); - - if (*pString == '-') - lSecondsFromUTC = -lSecondsFromUTC; - } - - tm lTime; - lTime.tm_sec = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0'); - lTime.tm_min = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0'); - lTime.tm_hour = ((lBuffer[8] - '0') * 10) + 
(lBuffer[9] - '0'); - lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0'); - lTime.tm_mon = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1; - lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0'); - - if ( lTime.tm_year > 1900) - lTime.tm_year -= 1900; - - lTime.tm_wday = 0; - lTime.tm_yday = 0; - lTime.tm_isdst = 0; // No DST adjustment requested - - lResult = mktime(&lTime); - - if ( lResult ) - { - if ( lTime.tm_isdst != 0 ) - lResult -= 3600; // mktime may adjust for DST (OS dependent) - - lResult += lSecondsFromUTC; - } - - else - lResult = 0; - - return lResult; -} diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt index 1eb3732022..a4c5767e56 100644 --- a/src/file_analysis/analyzer/x509/CMakeLists.txt +++ b/src/file_analysis/analyzer/x509/CMakeLists.txt @@ -5,7 +5,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) bro_plugin_begin(Bro X509) -bro_plugin_cc(X509.cc OCSP.cc Plugin.cc) +bro_plugin_cc(X509Common.cc X509.cc OCSP.cc Plugin.cc) bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif) bro_plugin_pac(x509-extension.pac x509-signed_certificate_timestamp.pac) bro_plugin_end() diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 704df3a6db..1c27720e36 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -17,7 +17,6 @@ #include #include "file_analysis/analyzer/x509/X509.h" -#include "Asn1Time.h" // helper function of sk_X509_value to avoid namespace problem // sk_X509_value(X,Y) = > SKM_sk_value(X509,X,Y) 
@@ -87,7 +86,7 @@ file_analysis::Analyzer* OCSP::InstantiateReply(RecordVal* args, File* file) } file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, bool arg_request) - : file_analysis::Analyzer(file_mgr->GetComponentTag("OCSP"), args, file), request(arg_request) + : file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("OCSP"), args, file), request(arg_request) { } @@ -295,7 +294,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) if ( ! ex ) continue; - ParseExtension(ex, false); + ParseExtension(ex, ocsp_extension, false); } } 
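Review bot: The mem-initializer in the `@@ -87,7 +86,7 @@` hunk spells the base as `file_analysis::X509Common::X509Common(...)`, which is the qualified name of the constructor rather than of the base class. Writing `file_analysis::X509Common(file_mgr->GetComponentTag("OCSP"), args, file)` is the conventional form and does not depend on how a compiler resolves the injected class name. The X509 constructor in X509.cc (`@@ -17,14 +16,12 @@`) uses the same spelling.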
@@ -334,63 +333,23 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) if ( ! ex ) continue; - ParseExtension(ex, true); + ParseExtension(ex, ocsp_extension, true); } - clean_up: if (basic_resp) OCSP_BASICRESP_free(basic_resp); BIO_free(bio); } -// This is a near copy from X509 -void file_analysis::OCSP::ParseExtension(X509_EXTENSION* ex, bool global) +void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) { - char name[256]; - char oid[256]; - - ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); - const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn)); - - OBJ_obj2txt(name, 255, ext_asn, 0); - OBJ_obj2txt(oid, 255, ext_asn, 1); - - int critical = 0; - if ( X509_EXTENSION_get_critical(ex) != 0 ) - critical = 1; - - BIO *bio = BIO_new(BIO_s_mem()); - if( ! X509V3_EXT_print(bio, ex, 0, 0)) - M_ASN1_OCTET_STRING_print(bio,ex->value); - - StringVal* ext_val = X509::GetExtensionFromBIO(bio); - - if ( ! ext_val ) - ext_val = new StringVal(0, ""); - - RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension); - pX509Ext->Assign(0, new StringVal(name)); - - if ( short_name and strlen(short_name) > 0 ) - pX509Ext->Assign(1, new StringVal(short_name)); - - pX509Ext->Assign(2, new StringVal(oid)); - pX509Ext->Assign(3, new Val(critical, TYPE_BOOL)); - pX509Ext->Assign(4, ext_val); - - // send off generic extension event - // - // and then look if we have a specialized event for the extension we just - // parsed. And if we have it, we send the specialized event on top of the - // generic event that we just had. I know, that is... kind of not nice, - // but I am not sure if there is a better way to do it... - val_list* vl = new val_list(); - vl->append(GetFile()->GetVal()->Ref()); - vl->append(pX509Ext); - vl->append(new Val(global ? 
1 : 0, TYPE_BOOL)); - - mgr.QueueEvent(ocsp_extension, vl); +#ifdef NID_ct_cert_scts + if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) +#else + if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 ) +#endif + ParseSignedCertificateTimestamps(ex); } OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type) diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index f3560ecea4..d1d15dd14f 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -8,20 +8,19 @@ #include "Val.h" #include "../File.h" #include "Analyzer.h" +#include "X509Common.h" #include -#include -#include namespace file_analysis { class OCSP_RESPVal; -class OCSP : public file_analysis::Analyzer { +class OCSP : public file_analysis::X509Common { public: - virtual bool DeliverStream(const u_char* data, uint64 len); - virtual bool Undelivered(uint64 offset, uint64 len); - virtual bool EndOfFile(); + bool DeliverStream(const u_char* data, uint64 len) override; + bool Undelivered(uint64 offset, uint64 len) override; + bool EndOfFile() override; static file_analysis::Analyzer* InstantiateRequest(RecordVal* args, File* file); static file_analysis::Analyzer* InstantiateReply(RecordVal* args, File* file); @@ -32,7 +31,7 @@ protected: private: void ParseResponse(OCSP_RESPVal *, const char* fid = 0); void ParseRequest(OCSP_REQUEST *, const char* fid = 0); - void ParseExtension(X509_EXTENSION*, bool global); + void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override; std::string ocsp_data; bool request = false; // true if ocsp request, false if reply diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index 4a2a9cc5c2..f9ec91c9d1 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc 
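Review bot: OCSP::ParseExtensionsSpecific (`@@ -334,63 +333,23 @@`) repeats the `#ifdef NID_ct_cert_scts` OID test that X509::ParseExtensionsSpecific also carries in X509.cc (`@@ -380,6 +231,23 @@`), so the two SCT OID lists can drift apart. ParseSignedCertificateTimestamps appears to move into the common base in this commit, so a small helper there that answers whether an extension is an SCT list would leave a single copy. The `global` parameter is unused in both overrides; leaving it unnamed in the definitions, as the header declarations do, or adding `// global is only needed by the generic extension event` would make that visibly intentional.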
@@ -4,7 +4,6 @@ #include "X509.h" #include "Event.h" -#include "x509-extension_pac.h" #include "events.bif.h" #include "types.bif.h" @@ -17,14 +16,12 @@ #include #include -#include "Asn1Time.h" - using namespace file_analysis; IMPLEMENT_SERIAL(X509Val, SER_X509_VAL); file_analysis::X509::X509(RecordVal* args, file_analysis::File* file) - : file_analysis::Analyzer(file_mgr->GetComponentTag("X509"), args, file) + : file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("X509"), args, file) { cert_data.clear(); } @@ -75,7 +72,7 @@ bool file_analysis::X509::EndOfFile() if ( ! ex ) continue; - ParseExtension(ex); + ParseExtension(ex, x509_extension, false); } // X509_free(ssl_cert); We do _not_ free the certificate here. It is refcounted 
@@ -208,152 +205,6 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* return pX509Cert; } -StringVal* file_analysis::X509::GetExtensionFromBIO(BIO* bio) - { - BIO_flush(bio); - ERR_clear_error(); - int length = BIO_pending(bio); - - if ( ERR_peek_error() != 0 ) - { - char tmp[120]; - ERR_error_string_n(ERR_get_error(), tmp, sizeof(tmp)); - reporter->Weird(fmt("X509::GetExtensionFromBIO: %s", tmp)); - BIO_free_all(bio); - return 0; - } - - if ( length == 0 ) - { - BIO_free_all(bio); - return new StringVal(""); - } - - char* buffer = (char*) malloc(length); - - if ( ! buffer ) - { - // Just emit an error here and try to continue instead of aborting - // because it's unclear the length value is very reliable. - reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length); - BIO_free_all(bio); - return 0; - } - - BIO_read(bio, (void*) buffer, length); - StringVal* ext_val = new StringVal(length, buffer); - - free(buffer); - BIO_free_all(bio); - - return ext_val; - } - -// this is nearly replicated in the OCSP analyzer -void file_analysis::X509::ParseExtension(X509_EXTENSION* ex) - { - char name[256]; - char oid[256]; - - ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); - const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn)); - - OBJ_obj2txt(name, 255, ext_asn, 0); - OBJ_obj2txt(oid, 255, ext_asn, 1); - - int critical = 0; - if ( X509_EXTENSION_get_critical(ex) != 0 ) - critical = 1; - - BIO *bio = BIO_new(BIO_s_mem()); - if( ! X509V3_EXT_print(bio, ex, 0, 0)) - M_ASN1_OCTET_STRING_print(bio,ex->value); - - StringVal* ext_val = GetExtensionFromBIO(bio); - - if ( ! 
ext_val ) - ext_val = new StringVal(0, ""); - - RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension); - pX509Ext->Assign(0, new StringVal(name)); - - if ( short_name and strlen(short_name) > 0 ) - pX509Ext->Assign(1, new StringVal(short_name)); - - pX509Ext->Assign(2, new StringVal(oid)); - pX509Ext->Assign(3, new Val(critical, TYPE_BOOL)); - pX509Ext->Assign(4, ext_val); - - // send off generic extension event - // - // and then look if we have a specialized event for the extension we just - // parsed. And if we have it, we send the specialized event on top of the - // generic event that we just had. I know, that is... kind of not nice, - // but I am not sure if there is a better way to do it... - val_list* vl = new val_list(); - vl->append(GetFile()->GetVal()->Ref()); - vl->append(pX509Ext); - - mgr.QueueEvent(x509_extension, vl); - - // look if we have a specialized handler for this event... - if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints ) - ParseBasicConstraints(ex); - - else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name ) - ParseSAN(ex); - -#ifdef NID_ct_cert_scts - else if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) -#else - else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 ) -#endif - ParseSignedCertificateTimestamps(ex); - } - -void file_analysis::X509::ParseSignedCertificateTimestamps(X509_EXTENSION* ext) - { - // Ok, signed certificate timestamps are a bit of an odd case out; we don't - // want to use the (basically nonexistant) OpenSSL functionality to parse them. - // Instead we have our own, self-written binpac parser to parse just them, - // which we will initialize here and tear down immediately again. - - ASN1_OCTET_STRING* ext_val = X509_EXTENSION_get_data(ext); - // the octet string of the extension contains the octet string which in turn - // contains the SCT. Obviously. 
- - unsigned char* ext_val_copy = (unsigned char*) OPENSSL_malloc(ext_val->length); - unsigned char* ext_val_second_pointer = ext_val_copy; - memcpy(ext_val_copy, ext_val->data, ext_val->length); - - ASN1_OCTET_STRING* inner = d2i_ASN1_OCTET_STRING(NULL, (const unsigned char**) &ext_val_copy, ext_val->length); - if ( !inner ) - { - reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string"); - return; - } - - binpac::X509Extension::MockConnection* conn = new binpac::X509Extension::MockConnection(this); - binpac::X509Extension::SignedCertTimestampExt* interp = new binpac::X509Extension::SignedCertTimestampExt(conn); - - try - { - interp->NewData(inner->data, inner->data + inner->length); - } - catch( const binpac::Exception& e ) - { - // throw a warning or sth - reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT"); - } - - OPENSSL_free(ext_val_second_pointer); - - interp->FlowEOF(); - - delete interp; - delete conn; - } - void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) { assert(OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_basic_constraints); 
@@ -380,6 +231,23 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) reporter->Weird(fmt("Certificate with invalid BasicConstraint. fuid %s", GetFile()->GetID().c_str())); } +void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) + { + // look if we have a specialized handler for this event... + if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints ) + ParseBasicConstraints(ex); + + else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name ) + ParseSAN(ex); + +#ifdef NID_ct_cert_scts + else if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) +#else + else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 ) +#endif + ParseSignedCertificateTimestamps(ex); + } + void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) { assert(OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == NID_subject_alt_name); diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index 9bbc0827cd..325e8becac 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -6,21 +6,18 @@ #include #include "Val.h" -#include "../File.h" -#include "Analyzer.h" +#include "X509Common.h" -#include -#include namespace file_analysis { class X509Val; -class X509 : public file_analysis::Analyzer { +class X509 : public file_analysis::X509Common { public: - virtual bool DeliverStream(const u_char* data, uint64 len); - virtual bool Undelivered(uint64 offset, uint64 len); - virtual bool EndOfFile(); + bool DeliverStream(const u_char* data, uint64 len) override; + bool Undelivered(uint64 offset, uint64 len) override; + bool EndOfFile() override; /** * Converts an X509 certificate into a \c X509::Certificate record 
@@ -40,25 +37,13 @@ public: static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file) { return new X509(args, file); } - /** - * Retrieve an X509 extension value from an OpenSSL BIO to which it was - * written. - * - * @param bio the OpenSSL BIO to read. It will be freed by the function, - * including when an error occurs. - * - * @return The X509 extension value. - */ - static StringVal* GetExtensionFromBIO(BIO* bio); - protected: X509(RecordVal* args, File* file); private: - void ParseExtension(X509_EXTENSION* ex); void ParseBasicConstraints(X509_EXTENSION* ex); void ParseSAN(X509_EXTENSION* ex); - void ParseSignedCertificateTimestamps(X509_EXTENSION* ext); + void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override; std::string cert_data; diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc new file mode 100644 index 0000000000..367b7e562a --- /dev/null +++ b/src/file_analysis/analyzer/x509/X509Common.cc 
@@ -0,0 +1,315 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "X509Common.h" +#include "x509-extension_pac.h" + +#include "events.bif.h" +#include "ocsp_events.bif.h" +#include "types.bif.h" + +#include +#include +#include +#include +#include + +using namespace file_analysis; + +X509Common::X509Common(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file) + : file_analysis::Analyzer(arg_tag, arg_args, arg_file) + { + } + +double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter) + { + const char *fid = arg_fid ? arg_fid : ""; + time_t lResult = 0; + + char lBuffer[26]; + char* pBuffer = lBuffer; + + const char *pString = (const char *) atime->data; + unsigned int remaining = atime->length; + + if ( atime->type == V_ASN1_UTCTIME ) + { + if ( remaining < 11 || remaining > 17 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid)); + return 0; + } + + if ( pString[remaining-1] != 'Z' ) + { + // not valid according to RFC 2459 4.1.2.5.1 + reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid)); + return 0; + } + + // year is first two digits in YY format. Buffer expects YYYY format. + if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1 + { + *(pBuffer++) = '2'; + *(pBuffer++) = '0'; + } + else + { + *(pBuffer++) = '1'; + *(pBuffer++) = '9'; + } + + memcpy(pBuffer, pString, 10); + pBuffer += 10; + pString += 10; + remaining -= 10; + } + else if ( atime->type == V_ASN1_GENERALIZEDTIME ) + { + // generalized time. We apparently ignore the YYYYMMDDHH case + // for now and assume we always have minutes and seconds. 
+ // This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2 + + if ( remaining < 12 || remaining > 23 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid)); + return 0; + } + + memcpy(pBuffer, pString, 12); + pBuffer += 12; + pString += 12; + remaining -= 12; + } + else + { + reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid)); + return 0; + } + + if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') ) + { + *(pBuffer++) = '0'; + *(pBuffer++) = '0'; + } + + else if ( remaining >= 2 ) + { + *(pBuffer++) = *(pString++); + *(pBuffer++) = *(pString++); + + remaining -= 2; + + // Skip any fractional seconds... + if ( (remaining > 0) && (*pString == '.') ) + { + pString++; + remaining--; + + while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') ) + { + pString++; + remaining--; + } + } + } + + else + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid)); + return 0; + } + + *(pBuffer++) = 'Z'; + *(pBuffer++) = '\0'; + + time_t lSecondsFromUTC; + + if ( remaining == 0 || *pString == 'Z' ) + lSecondsFromUTC = 0; + else + { + if ( remaining < 5 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid)); + return 0; + } + + if ((*pString != '+') && (*pString != '-')) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid)); + return 0; + } + + lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60; + lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0'); + + if (*pString == '-') + lSecondsFromUTC = -lSecondsFromUTC; + } + + tm lTime; + lTime.tm_sec = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0'); + lTime.tm_min = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0'); + lTime.tm_hour = ((lBuffer[8] - '0') * 10) + 
(lBuffer[9] - '0'); + lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0'); + lTime.tm_mon = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1; + lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0'); + + if ( lTime.tm_year > 1900) + lTime.tm_year -= 1900; + + lTime.tm_wday = 0; + lTime.tm_yday = 0; + lTime.tm_isdst = 0; // No DST adjustment requested + + lResult = mktime(&lTime); + + if ( lResult ) + { + if ( lTime.tm_isdst != 0 ) + lResult -= 3600; // mktime may adjust for DST (OS dependent) + + lResult += lSecondsFromUTC; + } + + else + lResult = 0; + + return lResult; +} + +void file_analysis::X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext) + { + // Ok, signed certificate timestamps are a bit of an odd case out; we don't + // want to use the (basically nonexistant) OpenSSL functionality to parse them. + // Instead we have our own, self-written binpac parser to parse just them, + // which we will initialize here and tear down immediately again. + + ASN1_OCTET_STRING* ext_val = X509_EXTENSION_get_data(ext); + // the octet string of the extension contains the octet string which in turn + // contains the SCT. Obviously. 
+ + unsigned char* ext_val_copy = (unsigned char*) OPENSSL_malloc(ext_val->length); + unsigned char* ext_val_second_pointer = ext_val_copy; + memcpy(ext_val_copy, ext_val->data, ext_val->length); + + ASN1_OCTET_STRING* inner = d2i_ASN1_OCTET_STRING(NULL, (const unsigned char**) &ext_val_copy, ext_val->length); + if ( !inner ) + { + reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string"); + return; + } + + binpac::X509Extension::MockConnection* conn = new binpac::X509Extension::MockConnection(this); + binpac::X509Extension::SignedCertTimestampExt* interp = new binpac::X509Extension::SignedCertTimestampExt(conn); + + try + { + interp->NewData(inner->data, inner->data + inner->length); + } + catch( const binpac::Exception& e ) + { + // throw a warning or sth + reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT"); + } + + OPENSSL_free(ext_val_second_pointer); + + interp->FlowEOF(); + + delete interp; + delete conn; + } + +void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, EventHandlerPtr h, bool global) + { + char name[256]; + char oid[256]; + + ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); + const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn)); + + OBJ_obj2txt(name, 255, ext_asn, 0); + OBJ_obj2txt(oid, 255, ext_asn, 1); + + int critical = 0; + if ( X509_EXTENSION_get_critical(ex) != 0 ) + critical = 1; + + BIO *bio = BIO_new(BIO_s_mem()); + if( ! X509V3_EXT_print(bio, ex, 0, 0)) + M_ASN1_OCTET_STRING_print(bio,ex->value); + + StringVal* ext_val = GetExtensionFromBIO(bio); + + if ( ! 
ext_val ) + ext_val = new StringVal(0, ""); + + RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension); + pX509Ext->Assign(0, new StringVal(name)); + + if ( short_name and strlen(short_name) > 0 ) + pX509Ext->Assign(1, new StringVal(short_name)); + + pX509Ext->Assign(2, new StringVal(oid)); + pX509Ext->Assign(3, new Val(critical, TYPE_BOOL)); + pX509Ext->Assign(4, ext_val); + + // send off generic extension event + // + // and then look if we have a specialized event for the extension we just + // parsed. And if we have it, we send the specialized event on top of the + // generic event that we just had. I know, that is... kind of not nice, + // but I am not sure if there is a better way to do it... + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(pX509Ext); + if ( h == ocsp_extension ) + vl->append(new Val(global ? 1 : 0, TYPE_BOOL)); + + mgr.QueueEvent(h, vl); + + // let individual analyzers parse more. + ParseExtensionsSpecific(ex, global, ext_asn, oid); + } + +StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio) + { + BIO_flush(bio); + ERR_clear_error(); + int length = BIO_pending(bio); + + if ( ERR_peek_error() != 0 ) + { + char tmp[120]; + ERR_error_string_n(ERR_get_error(), tmp, sizeof(tmp)); + reporter->Weird(fmt("X509::GetExtensionFromBIO: %s", tmp)); + BIO_free_all(bio); + return 0; + } + + if ( length == 0 ) + { + BIO_free_all(bio); + return new StringVal(""); + } + + char* buffer = (char*) malloc(length); + + if ( ! buffer ) + { + // Just emit an error here and try to continue instead of aborting + // because it's unclear the length value is very reliable. + reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length); + BIO_free_all(bio); + return 0; + } + + BIO_read(bio, (void*) buffer, length); + StringVal* ext_val = new StringVal(length, buffer); + + free(buffer); + BIO_free_all(bio); + + return ext_val; + } 
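Review bot: `ParseSignedCertificateTimestamps` leaks on every call: the `inner` string returned by `d2i_ASN1_OCTET_STRING` is never freed, and the early `return` on a failed parse skips `OPENSSL_free(ext_val_second_pointer)`; the `OPENSSL_malloc` result is also handed to `memcpy` unchecked. The extension bytes come from the analysed file, so a long-running monitor loses memory for each file that carries this extension. The fence shows the additions, with the rest of the function unchanged. Separately, `GetTimeFromAsn1` in the same hunk converts bytes with `- '0'` without checking that they are digits, and `lSecondsFromUTC` is built as hours*60 + minutes (a value in minutes) but added to a `time_t` in seconds.

```cpp
	unsigned char* ext_val_copy = (unsigned char*) OPENSSL_malloc(ext_val->length);
	if ( ! ext_val_copy )
		{
		reporter->Error("X509::ParseSignedCertificateTimestamps could not allocate buffer");
		return;
		}
	// … unchanged: ext_val_second_pointer, memcpy, d2i_ASN1_OCTET_STRING …
	if ( !inner )
		{
		// release the copy before bailing out
		OPENSSL_free(ext_val_second_pointer);
		// … unchanged: reporter->Error, return …
		}
	// … unchanged: MockConnection / SignedCertTimestampExt setup, NewData in try/catch …
	OPENSSL_free(ext_val_second_pointer);
	ASN1_OCTET_STRING_free(inner);
```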
diff --git a/src/file_analysis/analyzer/x509/X509Common.h b/src/file_analysis/analyzer/x509/X509Common.h
new file mode 100644
index 0000000000..1e1a9b94ee
--- /dev/null
+++ b/src/file_analysis/analyzer/x509/X509Common.h
@@ -0,0 +1,44 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Common base class for the X509 and OCSP analyzer, which share a fair amount of
+// code
+
+#ifndef FILE_ANALYSIS_X509_COMMON
+#define FILE_ANALYSIS_X509_COMMON
+
+#include "../File.h"
+#include "Analyzer.h"
+
+#include
+#include
+
+namespace file_analysis {
+
+class X509Common : public file_analysis::Analyzer {
+public:
+ virtual ~X509Common() {};
+
+ /**
+ * Retrieve an X509 extension value from an OpenSSL BIO to which it was
+ * written.
+ *
+ * @param bio the OpenSSL BIO to read. It will be freed by the function,
+ * including when an error occurs.
+ *
+ * @return The X509 extension value.
+ */
+ static StringVal* GetExtensionFromBIO(BIO* bio);
+
+ static double GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter);
+
+protected:
+ X509Common(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file);
+
+ void ParseExtension(X509_EXTENSION* ex, EventHandlerPtr h, bool global);
+ void ParseSignedCertificateTimestamps(X509_EXTENSION* ext);
+ virtual void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) = 0;
+};
+
+}
+
+#endif /* FILE_ANALYSIS_X509_COMMON */
diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif
index 6e4df4393f..f8084fa864 100644
--- a/src/file_analysis/analyzer/x509/events.bif
+++ b/src/file_analysis/analyzer/x509/events.bif
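Review bot: `GetTimeFromAsn1` is declared without a doc comment although its contract is not obvious from the signature: the implementation in X509Common.cc returns 0 on every parse failure after calling `reporter->Weird`, so a caller cannot tell a failed parse from the epoch. A comment in the style of the one on `GetExtensionFromBIO` should state that the result is seconds since the epoch, that 0 means the time could not be parsed, and that `arg_fid` may be null. `ParseExtensionsSpecific` would read better with named parameters, `bool global, ASN1_OBJECT* ext_asn, const char* oid`, as the X509.cc definition uses, plus a sentence on when subclasses are called. The stray `;` after `virtual ~X509Common() {}` can go.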
@@ -73,4 +73,4 @@ event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternati ## digitally_signed struct ## ## signature: signature part of the digitally_signed struct -event x509_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string%); +event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string%); diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac index 56ca27d909..e77a82307a 100644 --- a/src/file_analysis/analyzer/x509/x509-extension.pac +++ b/src/file_analysis/analyzer/x509/x509-extension.pac @@ -35,7 +35,7 @@ refine connection MockConnection += { function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool %{ - BifEvent::generate_x509_ext_signed_certificate_timestamp((analyzer::Analyzer *) bro_analyzer(), + BifEvent::generate_x509_ocsp_ext_signed_certificate_timestamp((analyzer::Analyzer *) bro_analyzer(), bro_analyzer()->GetFile()->GetVal()->Ref(), version, new StringVal(logid.length(), reinterpret_cast(logid.begin())), diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test index 63be26448f..5203bda7ee 100644 --- a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test 
@@ -1,7 +1,7 @@ # @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT # @TEST-EXEC: btest-diff .stdout -event x509_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string) +event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string) { print version, timestamp, hash_algorithm, signature_algorithm; } From c431d14eed69ebec424f95927e83779bad795a83 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Fri, 10 Feb 2017 16:01:13 -0800 Subject: [PATCH 075/631] OCSP: re-enable logging, fix tests, fix x509 issue Re-enable logging, now in policy because it probably is interesting to no-one. We also only log ocsp replies. Fix all tests. Fix an issue where ocsp replies were added to the x.509 certificate list. --- scripts/base/files/x509/main.bro | 6 +- scripts/base/files/x509/ocsp.bro | 515 ------------------ scripts/base/protocols/ssl/files.bro | 18 +- scripts/policy/files/x509/log-ocsp.bro | 54 ++ .../.stdout | 3 + .../ocsp.log | 10 +- .../.stdout | 2 + .../ocsp.log | 10 - .../.stdout | 5 + .../ocsp.log | 10 +- .../.stdout | 1 - .../.stdout | 3 + .../ocsp.log | 10 +- .../.stdout | 20 + .../ocsp.log | 16 +- .../base/protocols/ssl/ocsp-http-get.test | 39 ++ .../base/protocols/ssl/ocsp-request-only.test | 40 +- .../protocols/ssl/ocsp-request-response.test | 39 ++ .../protocols/ssl/ocsp-response-cert.test | 15 - .../protocols/ssl/ocsp-response-only.test | 39 ++ .../base/protocols/ssl/ocsp-revoked.test | 39 ++ 21 files changed, 323 insertions(+), 571 deletions(-) delete mode 100644 scripts/base/files/x509/ocsp.bro create mode 100644 scripts/policy/files/x509/log-ocsp.bro create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout delete mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout delete mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout delete mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test 
diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro index 44ea83fc39..a7d3ca7a04 100644 --- a/scripts/base/files/x509/main.bro +++ b/scripts/base/files/x509/main.bro @@ -41,12 +41,15 @@ event bro_init() &priority=5 Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-user-cert"); Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-ca-cert"); + Files::register_for_mime_type(Files::ANALYZER_X509, "application/pkix-cert"); # Always calculate hashes. They are not necessary for base scripts # but very useful for identification, and required for policy scripts Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-user-cert"); Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-ca-cert"); + Files::register_for_mime_type(Files::ANALYZER_MD5, "application/pkix-cert"); Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-user-cert"); Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-ca-cert"); + Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/pkix-cert"); } redef record Files::Info += { @@ -57,9 +60,6 @@ redef record Files::Info += { event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5 { - if ( ! f$info?$mime_type ) - f$info$mime_type = "application/pkix-cert"; - f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref]; } diff --git a/scripts/base/files/x509/ocsp.bro b/scripts/base/files/x509/ocsp.bro deleted file mode 100644 index cb8c340c64..0000000000 --- a/scripts/base/files/x509/ocsp.bro +++ /dev/null 
@@ -1,515 +0,0 @@ -@load base/protocols/http -@load base/frameworks/files -@load base/utils/paths -@load base/utils/queue - -# Note - this needs some cleaning up and is currently not loaded by default. - -module OCSP; - -export { - ## add one more argument to tell ocsp response or request - redef record Files::AnalyzerArgs += { - ocsp_type: string &optional; - }; - - ## ocsp logging - redef enum Log::ID += { LOG }; - - ## type for pending ocsp request - type PendingQueue: table[OCSP::CertId] of Queue::Queue; - - ## NOTE: one file could contain several requests - ## one ocsp request record - type Info_req: record { - ## time for the request - ts: time; - ## file id for this request or - ## hash of the GET url if it's GET request - id: string &log &optional; - ## connection id - cid: conn_id &optional; - ## connection uid - cuid: string &optional; - ## version - version: count &log &optional; - ## requestor name - requestorName: string &log &optional; - - ## NOTE: the above are for one file which may contain - ## several ocsp requests - - ## one OCSP request may contain several OCSP requests - ## with different cert id; this is the index of the - ## OCSP request with cert_id in the big OCSP request - index: count &log &optional; - ## request cert id - certId: OCSP::CertId &optional; - ## HTTP method - method: string &optional; - }; - - ## NOTE: one file could contain several response - ## one ocsp response record - type Info_resp: record { - ## time for the response - ts: time; - ## file id for this response - id: string &log; - ## connection id - cid: conn_id &optional; - ## connection uid - cuid: string &optional; - ## responseStatus (different from cert status?) 
- responseStatus: string &log &optional; - ## responseType - responseType: string &log &optional; - ## version - version: count &log &optional; - ## responderID - responderID: string &log &optional; - ## producedAt - producedAt: time &log &optional; - ## certificates - certs: vector of opaque of x509 &optional; - - ## NOTE: the following are specific to one cert id - ## the above are for one file which may contain - ## several responses - - ## one OCSP response may contain several OCSP responses - ## with different cert id; this is the index of the - ## OCSP response with cert_id in the big OCSP response - index: count &log &optional; - ##cert id - certId: OCSP::CertId &optional; - ## certStatus (this is the response to look at) - certStatus: string &log &optional; - ## thisUpdate - thisUpdate: time &log &optional; - ## nextUpdate - nextUpdate: time &log &optional; - }; - - type Info: record { - ## timestamp for request if a corresponding request is present - ## OR timestamp for response if a corresponding request is not found - ts: time &log; - - ## connection id - cid: conn_id &log; - - ## connection uid - cuid: string &log; - - ## cert id - certId: OCSP::CertId &log &optional; - - ## request - req: Info_req &log &optional; - - ## response timestamp - resp_ts: time &log &optional; - - ## response - resp: Info_resp &log &optional; - - ## HTTP method - method: string &log &optional; - - ## HTTP record - http: HTTP::Info &optional; - }; - - ## Event for accessing logged OCSP records. 
- global log_ocsp: event(rec: Info); - - global get_uri_prefix: function(s: string): string; -} - -redef record HTTP::Info += { - # there should be one request and response but use Queue here - # just in case - ocsp_requests: PendingQueue &optional; - ocsp_responses: PendingQueue &optional; - - current_content_type: string &optional &default=""; - original_uri: string &optional; - - # flag for checking get uri - checked_get: bool &optional &default=F; - - # uri prefix: this the GET url without ocsp request - uri_prefix: string &optional; - }; - -event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) - { - c$http$original_uri = original_URI; - } - -event http_content_type(c: connection, is_orig: bool, ty: string, subty: string) - { - c$http$current_content_type = to_lower(ty + "/" + subty); - } - -function check_ocsp_file(f: fa_file, meta: fa_metadata) - { - if ( f$source != "HTTP" || ! f?$http ) - return; - - # call OCSP file analyzer - if ( (meta?$mime_type && meta$mime_type == "application/ocsp-request") || f$http$current_content_type == "application/ocsp-request") - { - Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "request"]); - } - else if ( (meta?$mime_type && meta$mime_type == "application/ocsp-response") || f$http$current_content_type == "application/ocsp-response") - { - Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "response"]); - } - } - -event file_sniff(f: fa_file, meta: fa_metadata) &priority = 5 - { - if (f$source == "HTTP") - check_ocsp_file(f, meta); - } - -function update_http_info(http: HTTP::Info, req_rec: OCSP::Info_req) - { - if ( http?$method ) - req_rec$method = http$method; - } - -function update_request_info(rec: Info_req, req: OCSP::Request) - { - if ( req?$version ) - rec$version = req$version; - - if ( req?$requestorName ) - rec$requestorName = req$requestorName; - } - -function cert_id_from_request(one_req: OCSP::OneReq): OCSP::CertId - { - local 
cert_id: OCSP::CertId = []; - if ( one_req?$hashAlgorithm ) - cert_id$hashAlgorithm = one_req$hashAlgorithm; - - if ( one_req?$issuerNameHash ) - cert_id$issuerNameHash = one_req$issuerNameHash; - - if ( one_req?$issuerKeyHash ) - cert_id$issuerKeyHash = one_req$issuerKeyHash; - - if ( one_req?$serialNumber ) - cert_id$serialNumber = one_req$serialNumber; - - return cert_id; - } - -function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_ts: time) - { - local index: count = 0; - if ( req?$requestList && |req$requestList| > 0 ) - { - index += 1; - for (x in req$requestList) - { - local one_req = req$requestList[x]; - local cert_id: OCSP::CertId = cert_id_from_request(one_req); - local req_rec: OCSP::Info_req = [$ts = req_ts, - $certId = cert_id, - $cid = http$id, - $cuid = http$uid, - $index = index, - $id = req_id]; - update_request_info(req_rec, req); - - if ( ! http?$ocsp_requests ) - http$ocsp_requests = table(); - - if ( cert_id !in http$ocsp_requests ) - http$ocsp_requests[cert_id] = Queue::init(); - - update_http_info(http, req_rec); - Queue::put(http$ocsp_requests[cert_id], req_rec); - } - } - else if ( req?$version ) - { - # it's ocsp request but has no request content - # this is weird but log it anyway - local req_rec_empty: OCSP::Info_req = [$ts = req_ts, - $cid = http$id, - $cuid = http$uid, - $id = req_id]; - update_request_info(req_rec_empty, req); - update_http_info(http, req_rec_empty); - Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method, $http=http]); - } - } - -event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) &priority = 5 - { - if ( ! 
f?$http ) - return; - enq_request(f$http, req, f$id, network_time()); - } - -function get_first_slash(s: string): string - { - local s_len = |s|; - if (s[0] == "/") - return "/" + get_first_slash(s[1:s_len]); - else - return ""; - } - -function remove_first_slash(s: string): string - { - local s_len = |s|; - if (s[0] == "/") - return remove_first_slash(s[1:s_len]); - else - return s; - } - -function get_uri_prefix(s: string): string - { - local uri_prefix = get_first_slash(s); - local w = split_string(s[|uri_prefix|:], /\//); - local i = 0; - while ( i < (|w| - 1) ) - { - uri_prefix += w[i] + "/"; - i += 1; - } - return uri_prefix; - } - -function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request - { - local parsed_req: OCSP::Request; - if ( ! http?$original_uri ) - return parsed_req;; - local uri_prefix: string = get_uri_prefix(http$original_uri); - http$uri_prefix = uri_prefix; - local ocsp_req_str: string = http$uri[|uri_prefix|:]; - parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); - if ( ! 
parsed_req?$requestList || |parsed_req$requestList| == 0 ) - { - # normal parse fails, bug url, naively try each part - local w = split_string(http$original_uri, /\//); - local s = ""; - for ( i in w ) - { - s += w[i] + "/"; - ocsp_req_str = http$uri[|s|:]; - parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str)); - if ( parsed_req?$requestList && |parsed_req$requestList| > 0 ) - { - http$uri_prefix = s; - break; - } - } - } - return parsed_req; - } - -function update_response_info_single(rec: Info_resp, single_resp: OCSP::SingleResp) - { - if ( single_resp?$certStatus ) - rec$certStatus = single_resp$certStatus; - - if ( single_resp?$thisUpdate ) - rec$thisUpdate = single_resp$thisUpdate; - - if ( single_resp?$nextUpdate ) - rec$nextUpdate = single_resp$nextUpdate; - } - -function update_response_info(rec: Info_resp, resp: OCSP::Response) - { - if ( resp?$responseStatus ) - rec$responseStatus = resp$responseStatus; - - if ( resp?$responseType ) - rec$responseType = resp$responseType; - - if ( resp?$version ) - rec$version = resp$version; - - if ( resp?$responderID ) - rec$responderID = resp$responderID; - - if ( resp?$producedAt ) - rec$producedAt = resp$producedAt; - - if ( resp?$certs ) - rec$certs = resp$certs; - } - -function update_response_info_with_single(rec: Info_resp, resp: OCSP::Response, single_resp: OCSP::SingleResp) - { - update_response_info(rec, resp); - update_response_info_single(rec, single_resp); - } - -function cert_id_from_response(single_resp: OCSP::SingleResp): OCSP::CertId - { - local cert_id: OCSP::CertId = []; - if ( single_resp?$hashAlgorithm ) - cert_id$hashAlgorithm = single_resp$hashAlgorithm; - - if ( single_resp?$issuerNameHash ) - cert_id$issuerNameHash = single_resp$issuerNameHash; - - if ( single_resp?$issuerKeyHash ) - cert_id$issuerKeyHash = single_resp$issuerKeyHash; - - if ( single_resp?$serialNumber ) - cert_id$serialNumber = single_resp$serialNumber; - - return cert_id; - } - -event ocsp_response(f: fa_file, 
resp_ref: opaque of ocsp_resp, resp: OCSP::Response) &priority = 5 - { - if ( ! f?$http ) - return; - - if ( resp?$responses && |resp$responses| > 0 ) - { - local index: count = 0; - for (x in resp$responses) - { - index += 1; - local single_resp: OCSP::SingleResp = resp$responses[x]; - local cert_id: OCSP::CertId = cert_id_from_response(single_resp); - local resp_rec: Info_resp = [$ts = network_time(), - $id = f$id, - $cid = f$http$id, - $cuid = f$http$uid, - $index = index, - $certId = cert_id]; - update_response_info_with_single(resp_rec, resp, single_resp); - - if ( ! f$http?$ocsp_responses ) - f$http$ocsp_responses = table(); - - if ( cert_id !in f$http$ocsp_responses ) - f$http$ocsp_responses[cert_id] = Queue::init(); - - Queue::put(f$http$ocsp_responses[cert_id], resp_rec); - } - } - else - { - # no response content? this is weird but log it anyway - local resp_rec_empty: Info_resp = [$ts = network_time(), - $id = f$id, - $cid = f$http$id, - $cuid = f$http$uid]; - update_response_info(resp_rec_empty, resp); - local info_rec: Info = [$ts = resp_rec_empty$ts, - $resp_ts = resp_rec_empty$ts, - $resp = resp_rec_empty, - $cid = f$http$id, - $cuid = f$http$uid, - $http = f$http]; - if ( f$http?$method ) - info_rec$method = f$http$method; - Log::write(LOG, info_rec); - } - - # check if there is a OCSP GET request - if ( f$http?$method && f$http$method == "GET" && ! 
f$http$checked_get ) - { - f$http$checked_get = T; - local req_get: OCSP::Request = check_ocsp_request_uri(f$http); - enq_request(f$http, req_get, "H" + sha1_hash(f$http$original_uri), f$http$ts); - } - } - -function log_unmatched_reqs_queue(q: Queue::Queue, http: HTTP::Info) - { - local reqs: vector of Info_req; - Queue::get_vector(q, reqs); - for ( i in reqs ) - { - local info_rec: Info = [$ts = reqs[i]$ts, - $certId = reqs[i]$certId, - $req = reqs[i], - $cid = reqs[i]$cid, - $cuid = reqs[i]$cuid, - $http = http]; - if ( reqs[i]?$method ) - info_rec$method = reqs[i]$method; - Log::write(LOG, info_rec); - } - } - -function log_unmatched_reqs(http: HTTP::Info) - { - local reqs: PendingQueue = http$ocsp_requests; - for ( cert_id in reqs ) - log_unmatched_reqs_queue(reqs[cert_id], http); - clear_table(reqs); - } - -function start_log_ocsp(http: HTTP::Info) - { - if ( ! http?$ocsp_requests && ! http?$ocsp_responses ) - return; - - if ( ! http?$ocsp_responses ) - { - log_unmatched_reqs(http); - return; - } - - for ( cert_id in http$ocsp_responses ) - { - while ( Queue::len(http$ocsp_responses[cert_id]) != 0 ) - { - # have unmatched responses - local resp_rec: Info_resp = Queue::get(http$ocsp_responses[cert_id]); - local info_rec: Info = [$ts = resp_rec$ts, - $certId = resp_rec$certId, - $resp_ts = resp_rec$ts, - $resp = resp_rec, - $cid = http$id, - $cuid = http$uid, - $http = http]; - - if ( http?$ocsp_requests && cert_id in http$ocsp_requests ) - { - # find a match - local req_rec: Info_req = Queue::get(http$ocsp_requests[cert_id]); - info_rec$req = req_rec; - info_rec$ts = req_rec$ts; - if (Queue::len(http$ocsp_requests[cert_id]) == 0) - delete http$ocsp_requests[cert_id]; - } - if ( http?$method ) - info_rec$method = http$method; - Log::write(LOG, info_rec); - } - if ( Queue::len(http$ocsp_responses[cert_id]) == 0 ) - delete http$ocsp_responses[cert_id]; - } - if ( http?$ocsp_requests && |http$ocsp_requests| != 0 ) - log_unmatched_reqs(http); - } - -# log OCSP 
information -event HTTP::log_http(rec: HTTP::Info) - { - start_log_ocsp(rec); - } - -event bro_init() &priority=5 - { - Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]); - } diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro index 8a1380a270..b440927381 100644 --- a/scripts/base/protocols/ssl/files.bro +++ b/scripts/base/protocols/ssl/files.bro @@ -91,11 +91,23 @@ event bro_init() &priority=5 $describe = SSL::describe_file]); } -event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5 +event file_sniff(f: fa_file, meta: fa_metadata) &priority=5 { - if ( ! c?$ssl ) + if ( |f$conns| != 1 ) return; + if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert" + || f$info$mime_type == "application/pkix-cert" ) ) + return; + + for ( cid in f$conns ) + { + if ( ! f$conns[cid]?$ssl ) + return; + + local c = f$conns[cid]; + } + if ( ! c$ssl?$cert_chain ) { c$ssl$cert_chain = vector(); @@ -104,7 +116,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori c$ssl$client_cert_chain_fuids = string_vec(); } - if ( is_orig ) + if ( f$is_orig ) { c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info; c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id; diff --git a/scripts/policy/files/x509/log-ocsp.bro b/scripts/policy/files/x509/log-ocsp.bro new file mode 100644 index 0000000000..f9e72dd832 --- /dev/null +++ b/scripts/policy/files/x509/log-ocsp.bro 
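Review bot: The new `file_sniff` handler in files.bro reads `f$info$mime_type` without a `?$` test, and nothing in this hunk shows that the field is always set by the time a priority-5 handler runs; if it is unset the expression fails at runtime and the handler stops, so the certificate never reaches `cert_chain`. A guard such as `if ( ! f$info?$mime_type ) return;` before the comparison makes that explicit. `f$is_orig`, used in the following hunk, deserves the same check if it is optional in `fa_file`. The handler also relies on `local c`, declared inside the `for` body, still being visible after the loop, which is worth a short comment. The handler's body continues past this hunk.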
@@ -0,0 +1,54 @@
+##! Enable basic OCSP logging.
+
+# This is in policy because probably just about no one is interested
+# in logging OCSP responses.
+
+module OCSP;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ ## Current timestamp.
+ ts: time &log;
+
+ ## File id of the ocsp reply.
+ id: string &log;
+
+ hashAlgorithm: string &log;
+ issuerNameHash: string &log;
+ issuerKeyHash: string &log;
+ serialNumber: string &log;
+ certStatus: string &log;
+ revoketime: time &log &optional;
+ revokereason: string &log &optional;
+ thisUpdate: time &log;
+ nextUpdate: time &log &optional;
+ };
+
+ global log_ocsp: event(rec: Info);
+}
+
+event bro_init()
+ {
+ Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]);
+ Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
+ }
+
+event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
+ {
+ local wr = OCSP::Info($ts=f$info$ts, $id=f$id, $hashAlgorithm=hashAlgorithm, $issuerNameHash=issuerNameHash,
+ $issuerKeyHash=issuerKeyHash, $serialNumber=serialNumber, $certStatus=certStatus,
+ $thisUpdate=thisUpdate);
+
+ if ( revokereason != "" )
+ wr$revokereason = revokereason;
+
+ if ( time_to_double(revoketime) != 0 )
+ wr$revoketime = revoketime;
+
+ if ( time_to_double(nextUpdate) != 0 )
+ wr$nextUpdate = nextUpdate;
+
+ Log::write(LOG, wr);
+ }
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout
new file mode 100644
index 0000000000..4678baf15d
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout
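Review bot: The `Info` record in log-ocsp.bro documents only `ts` and `id`, and the `ts` comment says "Current timestamp" while the handler assigns `$ts=f$info$ts`, the file's timestamp. Each logged field should get a `##` line, and `certStatus` in particular should say that it is the status as stated in the response: nothing in this script indicates that the response signature was checked, so a logged `good` is not evidence of an authenticated answer. For example: `## Status claimed by the responder for this certificate; the response signature is not verified by this script.` It would also help to note on `revoketime` and `nextUpdate` that they are left unset when the event passes a zero time.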
@@ -0,0 +1,3 @@ +ocsp_response_status, successful +ocsp_response_certificate, sha1, F2E06AF9858A1D8D709B4919237AA9B51A287E64, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, good, 0.0, , 1436577056.0, 1437181856.0 +ocsp_response_bytes, successful, 0, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 1436577056.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log index 97a1eba12e..bdb8384676 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-09-00-23-43 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string -1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CHhAvVGS1DHFjwGM9 sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 4ADD06161BBCF668B576F581B6BB621ABA5A812F H4c4c3b287beafd8d7f4806a0b14d2ee1de88e4be 0 - 1 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 1436577056.000000 1 good 1436577056.000000 1437181856.000000 GET -#close 2017-02-09-00-23-43 +#open 2017-02-10-23-35-49 +#fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate +#types time string string string string string string time string time time +1436909712.329517 Ft368Gc1ce0Juvj0d sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 4ADD06161BBCF668B576F581B6BB621ABA5A812F good - - 1436577056.000000 1437181856.000000 +#close 2017-02-10-23-35-50 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout new file mode 100644 index 0000000000..ca94887c05 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout 
@@ -0,0 +1,2 @@ +request, 0, +request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log deleted file mode 100644 index 366671298b..0000000000 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/ocsp.log +++ /dev/null @@ -1,10 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path ocsp -#open 2017-02-09-00-24-29 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE FMbJOe2y5n1E7iSVsg 0 - 1 - - - - - - - - - - - POST -#close 2017-02-09-00-24-29 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout new file mode 100644 index 0000000000..3996bbd84f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout 
@@ -0,0 +1,5 @@ +request, 0, +request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE +ocsp_response_status, successful +ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, good, 0.0, , 1434665014.0, 1434794614.0 +ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index dc1f8f6657..3707e84c48 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-09-00-24-32 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string -1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE FMbJOe2y5n1E7iSVsg 0 - 1 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 1434665014.000000 1 good 1434665014.000000 1434794614.000000 POST -#close 2017-02-09-00-24-32 +#open 2017-02-11-00-00-41 +#fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate +#types time string string string string string string time string time time +1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE good - - 1434665014.000000 1434794614.000000 +#close 2017-02-11-00-00-41 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout deleted file mode 100644 index b6a95f4f0c..0000000000 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout +++ /dev/null 
@@ -1 +0,0 @@ -[version=3, serial=2CA87AF0486CD01E, subject=CN=Go Daddy Validation Authority - G2,O=GoDaddy Inc.,L=Scottsdale,ST=Arizona,C=US, issuer=CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US, cn=Go Daddy Validation Authority - G2, not_valid_before=1426489200.0, not_valid_after=1458111600.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=] diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout new file mode 100644 index 0000000000..230e80b4cd --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout @@ -0,0 +1,3 @@ +ocsp_response_status, successful +ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, good, 0.0, , 1434665014.0, 1434794614.0 +ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index eab0e0579b..e897453b5c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-09-00-24-34 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string -1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE - - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 1434665014.000000 1 good 1434665014.000000 1434794614.000000 - -#close 2017-02-09-00-24-34 +#open 2017-02-11-00-00-52 +#fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate +#types time string string string string string string time string time time +1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE good - - 1434665014.000000 1434794614.000000 +#close 2017-02-11-00-00-52 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout new file mode 100644 index 0000000000..545f761acc --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout 
@@ -0,0 +1,20 @@ +request, 0, +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +ocsp_response_status, successful +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1431615529.0, superseded, 1436286514.0, 1443489162.0 +ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436286514.0, sha1WithRSAEncryption +request, 0, +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +ocsp_response_status, successful +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1422391081.0, unspecified, 1436304214.0, 1443597239.0 +ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436304214.0, sha1WithRSAEncryption +request, 0, +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +ocsp_response_status, successful +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1432792428.0, (UNKNOWN), 1436238224.0, 1443473859.0 +ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436238224.0, sha1WithRSAEncryption +request, 0, +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +ocsp_response_status, successful +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1421494379.0, keyCompromise, 
1436321024.0, 1443459307.0 +ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436321024.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log index f3889662ee..58b226320d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log 
@@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-09-00-24-36 -#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method -#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string -1438374032.518621 192.168.6.109 41812 23.5.251.27 80 CHhAvVGS1DHFjwGM9 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FDsgjS1bTYOzDpRJT4 0 - 1 1438374032.607628 Ftl4F41OsGtUDrOTWc successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436286514.000000 1 revoked 1436286514.000000 1443489162.000000 POST -1438374032.650255 192.168.6.109 41813 23.5.251.27 80 ClEkJM2Vm5giqnMf4h sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A F5Tv7Z16QkNApNg0yl 0 - 1 1438374032.732035 FXISxH2UuTiDn0qCa1 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436304214.000000 1 revoked 1436304214.000000 1443597239.000000 POST -1438374032.759133 192.168.6.109 41814 23.5.251.27 80 C4J4Th3PJpwUYZZ6gc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FGzVem3KYelVVdAze 0 - 1 1438374032.848522 F3OYfx3A0JvMX787V3 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436238224.000000 1 revoked 1436238224.000000 1443473859.000000 POST -1438374032.875001 192.168.6.109 41815 23.5.251.27 80 CtPZjS20MLrsMUOJi2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 
0159ABE7DD3A0B59A66463D6CF200757D591E76A FbmX4PpDIRU82YGK8 0 - 1 1438374033.033504 FVty9v3KTnCvbg0Xf2 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436321024.000000 1 revoked 1436321024.000000 1443459307.000000 POST -#close 2017-02-09-00-24-36 +#open 2017-02-11-00-00-56 +#fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate +#types time string string string string string string time string time time +1438374032.607476 Ftl4F41OsGtUDrOTWc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1431615529.000000 superseded 1436286514.000000 1443489162.000000 +1438374032.731983 FXISxH2UuTiDn0qCa1 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1422391081.000000 unspecified 1436304214.000000 1443597239.000000 +1438374032.848476 F3OYfx3A0JvMX787V3 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1432792428.000000 (UNKNOWN) 1436238224.000000 1443473859.000000 +1438374033.033189 FVty9v3KTnCvbg0Xf2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1421494379.000000 keyCompromise 1436321024.000000 1443459307.000000 +#close 2017-02-11-00-00-56 diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test index 10ccc80c63..ff48772b6a 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test 
@@ -2,3 +2,42 @@ # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-http-get.pcap %INPUT # @TEST-EXEC: btest-diff ocsp.log +# @TEST-EXEC: btest-diff .stdout + +@load files/x509/log-ocsp + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) + { + print "extension: ", ext, global_resp; + } + +event ocsp_request(f: fa_file, version: count, requestorName: string) + { + print "request", version, requestorName; + } + +event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) + { + print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber; + } + +event ocsp_response_status(f: fa_file, status: string) + { + print "ocsp_response_status", status; + } + +event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector) + { + print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm; + } + +event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time) + { + print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate; + } diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test index 69e1023479..0176716553 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test 
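Review bot: The `bro_init` handler added to ocsp-http-get.test registers `Files::ANALYZER_OCSP_REPLY` for `application/ocsp-response`, which the `@load files/x509/log-ocsp` line just above it already does in the policy script's own `bro_init`. Only the `ANALYZER_OCSP_REQUEST` registration is new here, so the second call can be dropped, or kept with a comment such as `# registered again so the test does not depend on log-ocsp`. The same block, handlers included, is repeated verbatim in ocsp-request-only.test, ocsp-request-response.test, ocsp-response-only.test and ocsp-revoked.test.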
@@ -1,4 +1,42 @@ # This tests a OCSP request missing response # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-only.pcap %INPUT -# @TEST-EXEC: btest-diff ocsp.log +# @TEST-EXEC: btest-diff .stdout + +@load files/x509/log-ocsp + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) + { + print "extension: ", ext, global_resp; + } + +event ocsp_request(f: fa_file, version: count, requestorName: string) + { + print "request", version, requestorName; + } + +event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) + { + print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber; + } + +event ocsp_response_status(f: fa_file, status: string) + { + print "ocsp_response_status", status; + } + +event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector) + { + print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm; + } + +event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time) + { + print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate; + } diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test index f9173292dc..3adfab9aa2 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test 
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test @@ -2,3 +2,42 @@ # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-response.pcap %INPUT # @TEST-EXEC: btest-diff ocsp.log +# @TEST-EXEC: btest-diff .stdout + +@load files/x509/log-ocsp + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) + { + print "extension: ", ext, global_resp; + } + +event ocsp_request(f: fa_file, version: count, requestorName: string) + { + print "request", version, requestorName; + } + +event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) + { + print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber; + } + +event ocsp_response_status(f: fa_file, status: string) + { + print "ocsp_response_status", status; + } + +event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector) + { + print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm; + } + +event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time) + { + print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate; + } diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test deleted file mode 100644 index 5ed2bf3253..0000000000 
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test +++ /dev/null @@ -1,15 +0,0 @@ -# This tests OCSP response containing a certificate - -# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT -# @TEST-EXEC: btest-diff .stdout - -event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) -{ -if (resp?$certs) - { - for (x in resp$certs) - { - print x509_parse(resp$certs[x]); - } - } -} \ No newline at end of file diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test index 539a7bf1d6..f99a71802c 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test 
@@ -2,3 +2,42 @@ # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT # @TEST-EXEC: btest-diff ocsp.log +# @TEST-EXEC: btest-diff .stdout + +@load files/x509/log-ocsp + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) + { + print "extension: ", ext, global_resp; + } + +event ocsp_request(f: fa_file, version: count, requestorName: string) + { + print "request", version, requestorName; + } + +event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) + { + print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber; + } + +event ocsp_response_status(f: fa_file, status: string) + { + print "ocsp_response_status", status; + } + +event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector) + { + print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm; + } + +event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time) + { + print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate; + } diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test index 1125484cdf..ae39640f3f 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test 
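Review bot: The `ocsp_response_bytes` handler in ocsp-response-only.test receives `certs: x509_opaque_vector` but never looks at it, and this commit deletes ocsp-response-cert.test, which parsed the certificates embedded in a response from this same pcap. As far as the visible baselines show, nothing exercises that vector any more, so a regression in how responder certificates are extracted would go unnoticed. I would print them in this handler, e.g. `for ( i in certs ) print x509_parse(certs[i]);`, and regenerate the baseline.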
@@ -2,3 +2,42 @@ # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT # @TEST-EXEC: btest-diff ocsp.log +# @TEST-EXEC: btest-diff .stdout + +@load files/x509/log-ocsp + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) + { + print "extension: ", ext, global_resp; + } + +event ocsp_request(f: fa_file, version: count, requestorName: string) + { + print "request", version, requestorName; + } + +event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) + { + print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber; + } + +event ocsp_response_status(f: fa_file, status: string) + { + print "ocsp_response_status", status; + } + +event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector) + { + print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm; + } + +event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time) + { + print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate; + } From a5e9a535a5d2095e3409b238a8dc2299da5cd508 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Tue, 31 Jan 2017 21:51:31 -0800 Subject: [PATCH 076/631] Changing semantics of Broker's remote logging to match old communication framework. Broker had changed the semantics of remote logging: it sent over the original Bro record containing the values to be logged, which on the receiving side would then pass through the logging framework normally, including triggering filters and events. The old communication system however special-cases logs: it sends already processed log entries, just as they go into the log files, and without any receiver-side filtering etc. This is more efficient as it short-cuts the processing path, and also avoids the more expensive Val serialization. It also lets the sender determine the specifics of what gets logged (and how). This commit changes Broker over to now use the same semantics as the old communication system. TODOs: - The new Broker code doesn't have consistent #ifdefs yet. - Right now, when a new log receiver connects, all existing logs are broadcasted out again to all current clients. That doesn't do any harm, but is unnecessary. Need to add a way to send the existing logs to just the new client. 
--- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- aux/btest | 2 +- aux/plugins | 2 +- src/RemoteSerializer.cc | 5 +- src/broker/Data.cc | 430 ++++++++++++++++++ src/broker/Data.h | 30 ++ src/broker/Manager.cc | 357 +++++++++++---- src/broker/Manager.h | 34 +- src/logging/Manager.cc | 65 ++- src/logging/Manager.h | 50 +- src/logging/WriterBackend.cc | 57 +++ src/logging/WriterBackend.h | 11 +- src/logging/WriterFrontend.cc | 27 +- src/logging/WriterFrontend.h | 8 +- .../Baseline/broker.remote_log/recv.recv.out | 6 - .../broker.remote_log_types/recv.recv.out | 0 .../broker.remote_log_types/recv.test.log | 10 + .../broker.remote_log_types/send.send.out | 1 + .../broker.remote_log_types/send.test.log | 10 + testing/btest/broker/remote_log.test | 89 ++-- testing/btest/broker/remote_log_types.test | 133 ++++++ 25 files changed, 1178 insertions(+), 159 deletions(-) create mode 100644 testing/btest/Baseline/broker.remote_log_types/recv.recv.out create mode 100644 testing/btest/Baseline/broker.remote_log_types/recv.test.log create mode 100644 testing/btest/Baseline/broker.remote_log_types/send.send.out create mode 100644 testing/btest/Baseline/broker.remote_log_types/send.test.log create mode 100644 testing/btest/broker/remote_log_types.test diff --git a/aux/binpac b/aux/binpac index 0f1ecfa972..a0990e61ad 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 0f1ecfa97236635fb93e013404e6b30d6c506ddd +Subproject commit a0990e61ad4a3705bda4cc5a20059af2d1bda4c3 diff --git a/aux/bro-aux b/aux/bro-aux index b1e75f6a21..7660b5f4c5 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit b1e75f6a212250b1730a438f27fc778618b67ec3 +Subproject commit 7660b5f4c5be40aa5f3a7c8746fdcf68331f9b93 diff --git a/aux/broccoli b/aux/broccoli index ed52e3414b..765eab50f7 160000 --- a/aux/broccoli +++ b/aux/broccoli 
@@ -1 +1 @@ -Subproject commit ed52e3414b31b05ec9abed627b4153c8e2243441 +Subproject commit 765eab50f7796fdb3c308fe9232cd7891f098c67 diff --git a/aux/broctl b/aux/broctl index 73dbc79ac2..f6d451520e 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 73dbc79ac24cdfef07d8574a4da5d43056ba5fa5 +Subproject commit f6d451520eaaaae97aab6df2bb4e0aecb6b63e66 diff --git a/aux/broker b/aux/broker index 23def70c44..68a36ed814 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 23def70c44128d19138029615dd154359286e111 +Subproject commit 68a36ed81480ba935268bcaf7b6f2249d23436da diff --git a/aux/btest b/aux/btest index 9d5c7bcac9..32e582514a 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 9d5c7bcac9b04710931bc8a42b545f0691561b2f +Subproject commit 32e582514ae044befa8e0511083bf11a51408a1d diff --git a/aux/plugins b/aux/plugins index 2322840bcd..0a2f021527 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit 2322840bcdbd618ae7bd24e22d874fb30ab89bbb +Subproject commit 0a2f0215270e6ceaf9c1312f705b95d2cce1b530 diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 4842f819b6..2adecfc89a 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -2730,8 +2730,7 @@ bool RemoteSerializer::ProcessLogCreateWriter() id_val = new EnumVal(id, internal_type("Log::ID")->AsEnumType()); writer_val = new EnumVal(writer, internal_type("Log::Writer")->AsEnumType()); - if ( ! log_mgr->CreateWriter(id_val, writer_val, info, num_fields, fields, - true, false, true) ) + if ( ! log_mgr->CreateWriterForRemoteLog(id_val, writer_val, info, num_fields, fields) ) { delete_fields_up_to = num_fields; goto error; 
@@ -2803,7 +2802,7 @@ bool RemoteSerializer::ProcessLogWrite() id_val = new EnumVal(id, internal_type("Log::ID")->AsEnumType()); writer_val = new EnumVal(writer, internal_type("Log::Writer")->AsEnumType()); - success = log_mgr->Write(id_val, writer_val, path, num_fields, vals); + success = log_mgr->WriteFromRemote(id_val, writer_val, path, num_fields, vals); Unref(id_val); Unref(writer_val); diff --git a/src/broker/Data.cc b/src/broker/Data.cc index bc4197a974..35d815b9e8 100644 --- a/src/broker/Data.cc +++ b/src/broker/Data.cc 
@@ -709,3 +709,433 @@ bool bro_broker::DataVal::DoUnserialize(UnserialInfo* info) delete [] serial; return true; } + +static broker::util::optional threading_val_to_data_internal(TypeTag type, const threading::Value::_val& val) + { + switch ( type ) { + case TYPE_BOOL: + return {val.int_val != 0}; + + case TYPE_INT: + return {val.int_val}; + + case TYPE_COUNT: + case TYPE_COUNTER: + return {val.uint_val}; + + case TYPE_PORT: + return {broker::port(val.port_val.port, to_broker_port_proto(val.port_val.proto))}; + + case TYPE_ADDR: + { + IPAddr a; + + switch ( val.addr_val.family ) { + case IPv4: + a = IPAddr(val.addr_val.in.in4); + break; + + case IPv6: + a = IPAddr(val.addr_val.in.in6); + break; + + default: + reporter->InternalError("unsupported protocol family in threading_val_to_data"); + } + + in6_addr tmp; + a.CopyIPv6(&tmp); + return {broker::address(reinterpret_cast(&tmp), + broker::address::family::ipv6, + broker::address::byte_order::network)}; + } + + case TYPE_SUBNET: + { + IPAddr a; + int length; + + switch ( val.subnet_val.prefix.family ) { + case IPv4: + a = IPAddr(val.subnet_val.prefix.in.in4); + length = (val.subnet_val.length - 96); + break; + + case IPv6: + a = IPAddr(val.subnet_val.prefix.in.in6); + length = val.subnet_val.length; + break; + + default: + reporter->InternalError("unsupported protocol family in threading_val_to_data"); + } + + in6_addr tmp; + a.CopyIPv6(&tmp); + + auto s = broker::address(reinterpret_cast(&tmp), + broker::address::family::ipv6, + broker::address::byte_order::network); + fprintf(stderr, "%d\n", val.subnet_val.length); + return {broker::subnet(s, length)}; + } + + case TYPE_DOUBLE: + return {val.double_val}; + + case TYPE_TIME: + return {broker::time_point(val.double_val)}; + + case TYPE_INTERVAL: + return {broker::time_duration(val.double_val)}; + + case TYPE_ENUM: + return {broker::enum_value(std::string(val.string_val.data, val.string_val.length))}; + + case TYPE_STRING: + case TYPE_FILE: + case TYPE_FUNC: + return 
{std::string(val.string_val.data, val.string_val.length)}; + + case TYPE_TABLE: + { + auto s = broker::set(); + + for ( int i = 0; i < val.set_val.size; ++i ) + { + auto c = bro_broker::threading_val_to_data(val.set_val.vals[i]); + + if ( ! c ) + return {}; + + s.emplace(*c); + } + + return {move(s)}; + } + + case TYPE_VECTOR: + { + auto s = broker::vector(); + + for ( int i = 0; i < val.vector_val.size; ++i ) + { + auto c = bro_broker::threading_val_to_data(val.vector_val.vals[i]); + + if ( ! c ) + return {}; + + s.emplace_back(*c); + } + + return {move(s)}; + } + + default: + reporter->InternalError("unsupported type %s in threading_val_to_data", + type_name(type)); + } + + return {}; + } + + +broker::util::optional bro_broker::threading_val_to_data(const threading::Value* v) + { + broker::util::optional d; + + if ( v->present ) + { + d = threading_val_to_data_internal(v->type, v->val); + + if ( ! d ) + return {}; + } + + auto type = broker::record::field(static_cast(v->type)); + auto present = broker::record::field(v->present); + auto data = (v->present) ? broker::record::field(*d) : broker::util::optional(); + + return {broker::record({move(type), move(present), move(data)})}; + }; + +struct threading_val_converter { + using result_type = bool; + + TypeTag type; + threading::Value::_val& val; + + result_type operator()(bool a) + { + if ( type == TYPE_BOOL ) + { + val.int_val = (a ? 
1 : 0); + return true; + } + + return false; + } + + result_type operator()(uint64_t a) + { + if ( type == TYPE_COUNT || type == TYPE_COUNTER ) + { + val.uint_val = a; + return true; + } + + return false; + } + + result_type operator()(int64_t a) + { + if ( type == TYPE_INT ) + { + val.int_val = a; + return true; + } + + return false; + } + + result_type operator()(double a) + { + if ( type == TYPE_DOUBLE ) + { + val.double_val = a; + return true; + } + + return false; + } + + + result_type operator()(const std::string& a) + { + if ( type == TYPE_STRING || type == TYPE_FILE || type == TYPE_FUNC ) + { + auto n = a.size(); + val.string_val.length = n; + val.string_val.data = new char[n]; + memcpy(val.string_val.data, a.data(), n); + return true; + } + + return false; + } + + result_type operator()(const broker::address& a) + { + if ( type == TYPE_ADDR ) + { + auto bits = reinterpret_cast(&a.bytes()); + auto b = IPAddr(*bits); + + if ( a.is_v4() ) + { + val.addr_val.family = IPv4; + b.CopyIPv4(&val.addr_val.in.in4); + return true; + } + + if ( a.is_v6() ) + { + val.addr_val.family = IPv6; + b.CopyIPv6(&val.addr_val.in.in6); + return true; + } + } + + return false; + } + + result_type operator()(const broker::subnet& s) + { + if ( type == TYPE_SUBNET ) + { + auto bits = reinterpret_cast(&s.network().bytes()); + auto a = IPAddr(*bits); + + val.subnet_val.length = s.length(); + + if ( s.network().is_v4() ) + { + val.subnet_val.prefix.family = IPv4; + a.CopyIPv4(&val.subnet_val.prefix.in.in4); + val.subnet_val.length += 96; + return true; + } + + if ( s.network().is_v6() ) + { + val.subnet_val.prefix.family = IPv6; + a.CopyIPv6(&val.subnet_val.prefix.in.in6); + return true; + } + } + + return false; + } + + result_type operator()(const broker::port& a) + { + if ( type == TYPE_PORT ) + { + val.port_val.port = a.number(); + val.port_val.proto = bro_broker::to_bro_port_proto(a.type()); + return true; + } + + return false; + } + + result_type operator()(const 
broker::time_point& a) + { + if ( type == TYPE_TIME ) + { + val.double_val = a.value; + return true; + } + + return false; + } + + result_type operator()(const broker::time_duration& a) + { + if ( type == TYPE_INTERVAL ) + { + val.double_val = a.value; + return true; + } + + return false; + } + + result_type operator()(const broker::enum_value& a) + { + if ( type == TYPE_ENUM ) + { + auto n = a.name.size(); + val.string_val.length = n; + val.string_val.data = new char[n]; + memcpy(val.string_val.data, a.name.data(), n); + return true; + } + + return false; + } + + result_type operator()(const broker::set& a) + { + if ( type == TYPE_TABLE ) + { + val.set_val.size = a.size(); + val.set_val.vals = new threading::Value* [val.set_val.size]; + + auto p = val.set_val.vals; + + for ( auto& i : a ) + *p++ = bro_broker::data_to_threading_val(move(i)); + + return true; + } + + return false; + } + + result_type operator()(const broker::table& a) + { + return false; + } + + result_type operator()(const broker::vector& a) + { + if ( type == TYPE_VECTOR ) + { + val.vector_val.size = a.size(); + val.vector_val.vals = new threading::Value* [val.set_val.size]; + + auto p = val.set_val.vals; + + for ( auto& i : a ) + *p++ = bro_broker::data_to_threading_val(move(i)); + + return true; + } + + return false; + } + + result_type operator()(const broker::record& a) + { + return false; + } +}; + +threading::Value* bro_broker::data_to_threading_val(broker::data d) + { + auto r = broker::get(d); + + if ( ! r ) + return nullptr; + + auto type = broker::get(*r->get(0));; + auto present = broker::get(*r->get(1));; + auto data = *r->get(2); + + if ( ! (type && present) ) + return nullptr; + + auto tv = new threading::Value; + tv->type = static_cast(*type); + tv->present = *present; + + if ( present && ! 
broker::visit(threading_val_converter{tv->type, tv->val}, data) ) + { + delete tv; + return nullptr; + } + + return tv; + } + +broker::data bro_broker::threading_field_to_data(const threading::Field* f) + { + auto name = broker::record::field(f->name); + auto type = broker::record::field(static_cast(f->type)); + auto subtype = broker::record::field(static_cast(f->subtype)); + auto optional = broker::record::field(f->optional); + + broker::util::optional secondary; + + if ( f->secondary_name ) + secondary = {f->secondary_name}; + + return move(broker::record({name, secondary, type, subtype, optional})); + } + +threading::Field* bro_broker::data_to_threading_field(broker::data d) + { + auto r = broker::get(d); + + if ( ! r ) + return nullptr; + + auto name = broker::get(*r->get(0)); + auto secondary = r->get(1); + auto type = broker::get(*r->get(2)); + auto subtype = broker::get(*r->get(3)); + auto optional = broker::get(*r->get(4)); + + if ( ! (name && type && subtype && optional) ) + return nullptr; + + if ( secondary && ! broker::is(*secondary) ) + return nullptr; + + return new threading::Field(name->c_str(), + secondary ? broker::get(*secondary)->c_str() : nullptr, + static_cast(*type), + static_cast(*subtype), + *optional); + } diff --git a/src/broker/Data.h b/src/broker/Data.h index 0045ad58ad..9e0c8120de 100644 --- a/src/broker/Data.h +++ b/src/broker/Data.h 
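Review bot: `data_to_threading_val` unpacks a record that comes from a remote peer without checking its shape: `*r->get(0)`, `*r->get(1)` and `*r->get(2)` are dereferenced unconditionally, yet the sender in `threading_val_to_data` leaves the third field unset whenever `v->present` is false, so the receiver dereferences an empty optional for every absent value. The later test `if ( present && ... )` checks that a bool could be extracted, not its value, so `broker::visit` also runs for absent values; it should test `*present`. The set and vector converters store the result of `data_to_threading_val` into `vals` without a null check, and the vector case sizes and walks its array through `val.set_val`, which only works if the two union members share a layout; the leftover `fprintf(stderr, ...)` in the `TYPE_SUBNET` case should be removed. Template arguments are missing from the page's rendering of this hunk, so the sketch leaves those calls as unchanged lines.

```cpp
	// Reject records that do not have the three slots the sender writes.
	if ( r->fields.size() != 3 || ! r->get(0) || ! r->get(1) )
		return nullptr;

	// … unchanged: extraction of type and present, their null check, allocation of tv …

	if ( *present )
		{
		// The payload slot is only populated for present values.
		auto data = r->get(2);

		if ( ! data || ! broker::visit(threading_val_converter{tv->type, tv->val}, *data) )
			{
			delete tv;
			return nullptr;
			}
		}
```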
@@ -61,6 +61,36 @@ broker::util::optional val_to_data(Val* v); */ Val* data_to_val(broker::data d, BroType* type, bool require_log_attr = false); +/** + * Convert a Bro threading::Value to a Broker data value. + * @param v a Bro threading::Value. + * @return a Broker data value if the Bro threading::Value could be converted to one. + */ +broker::util::optional threading_val_to_data(const threading::Value* v); + +/** + * Convert a Bro threading::Field to a Broker data value. + * @param v a Bro threading::Field. + * @return a Broker data value if the Bro threading::Field could be converted to one. + */ +broker::data threading_field_to_data(const threading::Field* f); + +/** + * Convert a Broker data value to a Bro threading::Value. + * @param d a Broker data value. + * @return a pointer to a new Bro threading::Value or a nullptr if the conversion was not + * possible. + */ +threading::Value* data_to_threading_val(broker::data d); + +/** + * Convert a Broker data value to a Bro threading::Value. + * @param d a Broker data value. + * @return a pointer to a new Bro threading::Value or a nullptr if the conversion was not + * possible. + */ +threading::Field* data_to_threading_field(broker::data d); + /** * A Bro value which wraps a Broker data value. */ diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 334b7f84f5..76040b129c 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -20,10 +20,17 @@ using namespace std; VectorType* bro_broker::Manager::vector_of_data_type; EnumType* bro_broker::Manager::log_id_type; +EnumType* bro_broker::Manager::writer_id_type; int bro_broker::Manager::send_flags_self_idx; int bro_broker::Manager::send_flags_peers_idx; int bro_broker::Manager::send_flags_unsolicited_idx; +struct unref_guard { + unref_guard(Val* v) : val(v) {} + ~unref_guard() { Unref(val); } + Val* val; +}; + bro_broker::Manager::Manager() : iosource::IOSource(), next_timestamp(-1) { 
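Review bot: The doc comment on `data_to_threading_field` in Data.h is a copy of the one above it and still says it converts to and returns a `threading::Value`; it should read `Convert a Broker data value to a Bro threading::Field.` with the `@return` naming `threading::Field`. On `threading_field_to_data` the tag is `@param v` while the parameter is `f`, and its `@return` says "if ... could be converted" although the function returns `broker::data` unconditionally. Both pointer-returning functions allocate with `new` in Data.cc, so the comments should also say that the caller is responsible for deleting the result.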
@@ -83,6 +90,7 @@ bool bro_broker::Manager::Enable(Val* broker_endpoint_flags) send_flags_unsolicited_idx = require_field(send_flags_type, "unsolicited"); log_id_type = internal_type("Log::ID")->AsEnumType(); + writer_id_type = internal_type("Log::Writer")->AsEnumType(); bro_broker::opaque_of_data_type = new OpaqueType("Broker::Data"); bro_broker::opaque_of_set_iterator = new OpaqueType("Broker::SetIterator"); @@ -206,8 +214,9 @@ bool bro_broker::Manager::Event(std::string topic, broker::message msg, int flag return true; } -bool bro_broker::Manager::Log(EnumVal* stream, RecordVal* columns, RecordType* info, - int flags) +bool bro_broker::Manager::CreateLog(EnumVal* stream, EnumVal* writer, const logging::WriterBackend::WriterInfo& info, + int num_fields, const threading::Field* const * fields, int flags, + const string& peer) { if ( ! Enabled() ) return false; 
@@ -221,40 +230,82 @@ bool bro_broker::Manager::Log(EnumVal* stream, RecordVal* columns, RecordType* i return false; } - broker::record column_data; + auto writer_name = writer->Type()->AsEnumType()->Lookup(writer->AsEnum()); - for ( auto i = 0u; i < static_cast(info->NumFields()); ++i ) + if ( ! writer_name ) { - if ( ! info->FieldDecl(i)->FindAttr(ATTR_LOG) ) - continue; + reporter->Error("Failed to remotely log: writer %d doesn't have name", + writer->AsEnum()); + return false; + } - auto field_val = columns->LookupWithDefault(i); + auto writer_info = info.ToBroker(); - if ( ! field_val ) - { - column_data.fields.emplace_back(broker::record::field{}); - continue; - } + broker::vector fields_data; - auto opt_field_data = val_to_data(field_val); - Unref(field_val); + for ( auto i = 0; i < num_fields; ++i ) + { + auto field_data = threading_field_to_data(fields[i]); + fields_data.push_back(move(field_data)); + } - if ( ! opt_field_data ) + // TODO: If peer is given, send message to just that one destination. + + std::string topic = std::string("bro/log/") + stream_name; + auto bstream_name = broker::enum_value(move(stream_name)); + auto bwriter_name = broker::enum_value(move(writer_name)); + broker::message msg{move("create"), move(bstream_name), move(bwriter_name), move(writer_info), move(fields_data)}; + endpoint->send(move(topic), move(msg), flags); + + return true; + } + +bool bro_broker::Manager::Log(EnumVal* stream, EnumVal* writer, string path, int num_vals, const threading::Value* const * vals, int flags) + { + if ( ! Enabled() ) + return false; + + auto stream_name = stream->Type()->AsEnumType()->Lookup(stream->AsEnum()); + + if ( ! stream_name ) + { + reporter->Error("Failed to remotely log: stream %d doesn't have name", + stream->AsEnum()); + return false; + } + + auto writer_name = writer->Type()->AsEnumType()->Lookup(writer->AsEnum()); + + if ( ! 
writer_name ) + { + reporter->Error("Failed to remotely log: writer %d doesn't have name", + writer->AsEnum()); + return false; + } + + broker::vector vals_data; + + for ( auto i = 0; i < num_vals; ++i ) + { + auto field_data = threading_val_to_data(vals[i]); + + if ( ! field_data ) { reporter->Error("Failed to remotely log stream %s: " - "unsupported type '%s'", - stream_name, - type_name(info->FieldDecl(i)->type->Tag())); + "unsupported type for field #%d", + stream_name, i); return false; } - column_data.fields.emplace_back( - broker::record::field{move(*opt_field_data)}); + vals_data.push_back(move(*field_data)); } - broker::message msg{broker::enum_value{stream_name}, move(column_data)}; std::string topic = std::string("bro/log/") + stream_name; + auto bstream_name = broker::enum_value(move(stream_name)); + auto bwriter_name = broker::enum_value(move(writer_name)); + broker::message msg{move("write"), move(bstream_name), move(bwriter_name), move(path), move(vals_data)}; endpoint->send(move(topic), move(msg), flags); + return true; } @@ -639,6 +690,8 @@ void bro_broker::Manager::Process() { switch ( u.status ) { case broker::outgoing_connection_status::tag::established: + log_mgr->SendAllWritersTo(u.peer_name); + if ( Broker::outgoing_connection_established ) { val_list* vl = new val_list; @@ -684,6 +737,8 @@ void bro_broker::Manager::Process() { switch ( u.status ) { case broker::incoming_connection_status::tag::established: + log_mgr->SendAllWritersTo(u.peer_name); + if ( Broker::incoming_connection_established ) { val_list* vl = new val_list; @@ -809,12 +864,6 @@ void bro_broker::Manager::Process() } } - struct unref_guard { - unref_guard(Val* v) : val(v) {} - ~unref_guard() { Unref(val); } - Val* val; - }; - for ( auto& ls : log_subscriptions ) { auto log_messages = ls.second.q.want_pop(); 
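Review bot: `CreateLog` accepts `peer` but never uses it (the TODO says as much), so the two `log_mgr->SendAllWritersTo(u.peer_name)` calls added to `Process()` in the following hunks re-announce every writer to all subscribers of the topic each time any connection is established. Until targeted sending exists I would make the limitation explicit where it matters, e.g. `// NOTE: peer is currently ignored; the create message goes to every subscriber of the topic` at both call sites, or drop the parameter. Both `CreateLog` and `Log` also report a missing writer name with the same text, "Failed to remotely log", which makes the two failures indistinguishable in the reporter output. `CreateLog` begins in the previous hunk.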
@@ -826,59 +875,19 @@ void bro_broker::Manager::Process() for ( auto& lm : log_messages ) { - if ( lm.size() != 2 ) + if ( lm.size() < 1 ) { - reporter->Warning("got bad remote log size: %zd (expect 2)", - lm.size()); + reporter->Warning("got bad remote log message, no type field"); continue; } - if ( ! broker::get(lm[0]) ) - { - reporter->Warning("got remote log w/o stream id: %d", - static_cast(broker::which(lm[0]))); - continue; - } - - if ( ! broker::get(lm[1]) ) - { - reporter->Warning("got remote log w/o columns: %d", - static_cast(broker::which(lm[1]))); - continue; - } - - auto stream_id = data_to_val(move(lm[0]), log_id_type); - - if ( ! stream_id ) - { - reporter->Warning("failed to unpack remote log stream id"); - continue; - } - - unref_guard stream_id_unreffer{stream_id}; - auto columns_type = log_mgr->StreamColumns(stream_id->AsEnumVal()); - - if ( ! columns_type ) - { - reporter->Warning("got remote log for unknown stream: %s", - stream_id->Type()->AsEnumType()->Lookup( - stream_id->AsEnum())); - continue; - } - - auto columns = data_to_val(move(lm[1]), columns_type, true); - - if ( ! columns ) - { - reporter->Warning("failed to unpack remote log stream columns" - " for stream: %s", - stream_id->Type()->AsEnumType()->Lookup( - stream_id->AsEnum())); - continue; - } - - log_mgr->Write(stream_id->AsEnumVal(), columns->AsRecordVal()); - Unref(columns); + if ( lm[0] == "create" ) + ProcessCreateLog(std::move(lm)); + else if ( lm[0] == "write" ) + ProcessWriteLog(std::move(lm)); + else + reporter->Warning("got remote log w/o known type: %d", + static_cast(broker::which(lm[0]))); } } 
@@ -979,6 +988,202 @@ void bro_broker::Manager::Process() next_timestamp = -1; } +bool bro_broker::Manager::ProcessCreateLog(broker::message msg) + { + if ( msg.size() != 5 ) + { + reporter->Warning("got bad remote log create size: %zd (expected 5)", + msg.size()); + return false; + } + + unsigned int idx = 1; // Skip type at index 0. + + // Get stream ID. + + if ( ! broker::get(msg[idx]) ) + { + reporter->Warning("got remote log create w/o stream id: %d", + static_cast(broker::which(msg[idx]))); + return false; + } + + auto stream_id = data_to_val(move(msg[idx]), log_id_type); + + if ( ! stream_id ) + { + reporter->Warning("failed to unpack remote log stream id"); + return false; + } + + unref_guard stream_id_unreffer{stream_id}; + ++idx; + + // Get writer ID. + + if ( ! broker::get(msg[idx]) ) + { + reporter->Warning("got remote log w/o writer id: %d", + static_cast(broker::which(msg[idx]))); + return false; + } + + auto writer_id = data_to_val(move(msg[idx]), writer_id_type); + + if ( ! writer_id ) + { + reporter->Warning("failed to unpack remote log writer id"); + return false; + } + + unref_guard writer_id_unreffer{writer_id}; + ++idx; + + // Get writer info. + + if ( ! broker::get(msg[idx]) ) + { + reporter->Warning("got remote log create w/o writer info id: %d", + static_cast(broker::which(msg[idx]))); + return false; + } + + auto writer_info = std::unique_ptr(new logging::WriterBackend::WriterInfo); + + if ( ! writer_info->FromBroker(std::move(msg[idx])) ) + { + reporter->Warning("failed to unpack remote log writer info"); + return false; + } + + ++idx; + + // Get log fields. + + auto fields_data = broker::get(msg[idx]); + + if ( ! 
fields_data ) + { + reporter->Warning("failed to unpack remote log fields"); + return false; + } + + auto num_fields = fields_data->size(); + auto fields = new threading::Field* [num_fields]; + + for ( auto i = 0u; i < num_fields; ++i ) + { + if ( auto field = data_to_threading_field((*fields_data)[i]) ) + fields[i] = field; + else + { + reporter->Warning("failed to convert remote log field # %d", i); + return false; + } + } + + if ( ! log_mgr->CreateWriterForRemoteLog(stream_id->AsEnumVal(), writer_id->AsEnumVal(), writer_info.get(), num_fields, fields) ) + { + ODesc d; + stream_id->Describe(&d); + reporter->Warning("failed to create remote log stream for %s locally", d.Description()); + } + + writer_info.release(); // log_mgr took ownership. + return true; + } + +bool bro_broker::Manager::ProcessWriteLog(broker::message msg) + { + if ( msg.size() != 5 ) + { + reporter->Warning("got bad remote log size: %zd (expected 5)", + msg.size()); + return false; + } + + unsigned int idx = 1; // Skip type at index 0. + + // Get stream ID. + + if ( ! broker::get(msg[idx]) ) + { + reporter->Warning("got remote log w/o stream id: %d", + static_cast(broker::which(msg[idx]))); + return false; + } + + auto stream_id = data_to_val(move(msg[idx]), log_id_type); + + if ( ! stream_id ) + { + reporter->Warning("failed to unpack remote log stream id"); + return false; + } + + unref_guard stream_id_unreffer{stream_id}; + ++idx; + + // Get writer ID. + + if ( ! broker::get(msg[idx]) ) + { + reporter->Warning("got remote log w/o writer id: %d", + static_cast(broker::which(msg[idx]))); + return false; + } + + auto writer_id = data_to_val(move(msg[idx]), writer_id_type); + + if ( ! writer_id ) + { + reporter->Warning("failed to unpack remote log writer id"); + return false; + } + + unref_guard writer_id_unreffer{writer_id}; + ++idx; + + // Get path. + + auto path = broker::get(msg[idx]); + + if ( ! 
path ) + { + reporter->Warning("failed to unpack remote log path"); + return false; + } + + ++idx; + + // Get log values. + + auto vals_data = broker::get(msg[idx]); + + if ( ! vals_data ) + { + reporter->Warning("failed to unpack remote log values"); + return false; + } + + auto num_vals = vals_data->size(); + auto vals = new threading::Value* [num_vals]; + + for ( auto i = 0u; i < num_vals; ++i ) + { + if ( auto val = data_to_threading_val((*vals_data)[i]) ) + vals[i] = val; + else + { + reporter->Warning("failed to convert remote log arg # %d", i); + return false; + } + } + + log_mgr->WriteFromRemote(stream_id->AsEnumVal(), writer_id->AsEnumVal(), *path, num_vals, vals); + return true; + } + bool bro_broker::Manager::AddStore(StoreHandleVal* handle) { if ( ! Enabled() ) diff --git a/src/broker/Manager.h b/src/broker/Manager.h index 9fb7b9e328..10d5019b74 100644 --- a/src/broker/Manager.h +++ b/src/broker/Manager.h 
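Review bot: Both conversion loops return early without releasing what they allocated: in `ProcessWriteLog` an element that fails `data_to_threading_val` leaves the `vals` array and every already converted value behind, and `ProcessCreateLog` does the same with `fields`. The input is a message from a peer, so a peer that keeps sending one malformed element makes the receiver leak on every message. `ProcessCreateLog` also returns true after `CreateWriterForRemoteLog` has failed, and both loops print the unsigned index with `%d`. The cleanup for the write path is sketched below; the create path needs the same loop over `fields`.

```cpp
	for ( auto i = 0u; i < num_vals; ++i )
		{
		if ( auto val = data_to_threading_val((*vals_data)[i]) )
			vals[i] = val;
		else
			{
			reporter->Warning("failed to convert remote log arg # %u", i);

			// Nothing has taken ownership yet, so release what was built so far.
			for ( auto j = 0u; j < i; ++j )
				delete vals[j];

			delete [] vals;
			return false;
			}
		}
	// … unchanged: log_mgr->WriteFromRemote(...) call and return …
```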
@@ -156,15 +156,34 @@ public: /** * Send a log entry to any interested peers. The topic name used is * implicitly "bro/log/". - * @param stream_id the stream to which the log entry belongs. - * @param columns the data which comprises the log entry. - * @param info the record type corresponding to the log's columns. + * @param stream the stream to which the log entry belongs. + * @param writer the writer to use for outputting this log entry. + * @param path the log path to output the log entry to. + * @param num_vals the number of fields to log. + * @param vals the log values to log, of size num_vals. * @param flags tune the behavior of how the message is send. * See the Broker::SendFlags record type. * @return true if the message is sent successfully. */ - bool Log(EnumVal* stream_id, RecordVal* columns, RecordType* info, - int flags); + bool Log(EnumVal* stream, EnumVal* writer, string path, int num_vals, + const threading::Value* const * vals, int flags); + + /** + * Send a message to create a log stream to any interested peers. + * The log stream may or may not already exist on the receiving side. + * The topic name used is implicitly "bro/log/". + * @param stream the stream to which the log entry belongs. + * @param writer the writer to use for outputting this log entry. + * @param info backend initialization information for the writer. + * @param num_fields the number of fields the log has. + * @param fields the log's fields of size num_fields. + * @param flags tune the behavior of how the message is send. + * See the Broker::SendFlags record type. + * @param peer If given, send the message only to this peer. + * @return true if the message is sent successfully. + */ + bool CreateLog(EnumVal* id, EnumVal* writer, const logging::WriterBackend::WriterInfo& info, + int num_fields, const threading::Field* const * fields, int flags, const string& peer = ""); /** * Automatically send an event to any interested peers whenever it is 
@@ -325,7 +344,6 @@ public: static int send_flags_to_int(Val* flags); private: - // IOSource interface overrides: void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, iosource::FD_Set* except) override; @@ -340,6 +358,9 @@ private: broker::endpoint& Endpoint() { return *endpoint; } + bool ProcessCreateLog(broker::message msg); + bool ProcessWriteLog(broker::message msg); + struct QueueWithStats { broker::message_queue q; size_t received = 0; @@ -360,6 +381,7 @@ private: static VectorType* vector_of_data_type; static EnumType* log_id_type; + static EnumType* writer_id_type; static int send_flags_self_idx; static int send_flags_peers_idx; static int send_flags_unsolicited_idx; diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc index e1a314d4d6..5bebdebdfb 100644 --- a/src/logging/Manager.cc +++ b/src/logging/Manager.cc @@ -919,12 +919,6 @@ bool Manager::Write(EnumVal* id, RecordVal* columns) #endif } -#ifdef ENABLE_BROKER - if ( stream->enable_remote && - ! broker_mgr->Log(id, columns, stream->columns, stream->remote_flags) ) - stream->enable_remote = false; -#endif - Unref(columns); return true; 
@@ -1121,23 +1115,46 @@ threading::Value** Manager::RecordToFilterVals(Stream* stream, Filter* filter, return vals; } +bool Manager::CreateWriterForRemoteLog(EnumVal* id, EnumVal* writer, WriterBackend::WriterInfo* info, + int num_fields, const threading::Field* const* fields) + { + return CreateWriter(id, writer, info, num_fields, fields, true, false, true); + } + +static void delete_info_and_fields(WriterBackend::WriterInfo* info, int num_fields, const threading::Field* const* fields) + { + for ( int i = 0; i < num_fields; i++ ) + delete fields[i]; + + delete [] fields; + delete info; + } + WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, WriterBackend::WriterInfo* info, - int num_fields, const threading::Field* const* fields, bool local, bool remote, bool from_remote, + int num_fields, const threading::Field* const* fields, bool local, bool remote, bool from_remote, const string& instantiating_filter) { + WriterFrontend* result = 0; + Stream* stream = FindStream(id); if ( ! stream ) + { // Don't know this stream. + delete_info_and_fields(info, num_fields, fields); return 0; + } Stream::WriterMap::iterator w = stream->writers.find(Stream::WriterPathPair(writer->AsEnum(), info->path)); if ( w != stream->writers.end() ) + { // If we already have a writer for this. That's fine, we just // return it. + delete_info_and_fields(info, num_fields, fields); return w->second->writer; + } WriterInfo* winfo = new WriterInfo; winfo->type = writer->Ref()->AsEnumVal(); @@ -1190,7 +1207,7 @@ WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, WriterBacken winfo->info->rotation_interval = winfo->interval; winfo->info->rotation_base = parse_rotate_base_time(base_time); - winfo->writer = new WriterFrontend(*winfo->info, id, writer, local, remote); + winfo->writer = new WriterFrontend(*winfo->info, id, writer, local, remote, stream->remote_flags); winfo->writer->Init(num_fields, fields); InstallRotationTimer(winfo); 
@@ -1207,8 +1224,8 @@ void Manager::DeleteVals(int num_fields, threading::Value** vals) delete [] vals; } -bool Manager::Write(EnumVal* id, EnumVal* writer, string path, int num_fields, - threading::Value** vals) +bool Manager::WriteFromRemote(EnumVal* id, EnumVal* writer, string path, int num_fields, + threading::Value** vals) { Stream* stream = FindStream(id); @@ -1280,6 +1297,34 @@ void Manager::SendAllWritersTo(RemoteSerializer::PeerID peer) } } +void Manager::SendAllWritersTo(const string& peer) + { +#ifdef ENABLE_BROKER + for ( vector::iterator s = streams.begin(); s != streams.end(); ++s ) + { + Stream* stream = (*s); + + if ( ! stream ) + continue; + + for ( Stream::WriterMap::iterator i = stream->writers.begin(); + i != stream->writers.end(); i++ ) + { + WriterFrontend* writer = i->second->writer; + + EnumVal writer_val(i->first.first, internal_type("Log::Writer")->AsEnumType()); + broker_mgr->CreateLog((*s)->id, + &writer_val, + *i->second->info, + writer->NumFields(), + writer->Fields(), + stream->remote_flags, + peer); + } + } +#endif + } + bool Manager::SetBuf(EnumVal* id, bool enabled) { Stream* stream = FindStream(id); diff --git a/src/logging/Manager.h b/src/logging/Manager.h index 5d3372fb9b..6852160169 100644 --- a/src/logging/Manager.h +++ b/src/logging/Manager.h 
@@ -129,6 +129,52 @@ public: */ bool Write(EnumVal* id, RecordVal* columns); + /** + * Create a new log writer frontend. This is exposed so that the + * communication system can recreated remote log streams locally. + * + * @param stream The enum value corresponding the log stream. + * + * @param writer The enum value corresponding the desired log writer. + * + * @param info A fully initialized object defining the + * characteristics of the backend writer instance. The method takes + * ownership of this. + * + * @param num_fields The number of log fields to write. + * + * @param vals An arry of log fields to write, of size num_fields. + * The method takes ownership of the arry. + * + * @return Returns true if the writer was successfully created. + */ + bool CreateWriterForRemoteLog(EnumVal* id, EnumVal* writer, WriterBackend::WriterInfo* info, + int num_fields, const threading::Field* const* fields); + + /** + * Writes out log entries that have already passed through all + * filters, and have raised any events. This is meant called for logs + * received alrready processed from remote. + * + * @param stream The enum value corresponding the log stream. + * + * @param writer The enum value corresponding the desired log writer. + * + * @param path The path of the target log stream to write to. + * + * @param num_fields The number of log values to write. + * + * @param vals An arry of log values to write, of size num_fields. + * The method takes ownership of the arry. + */ + bool WriteFromRemote(EnumVal* stream, EnumVal* writer, string path, + int num_fields, threading::Value** vals); + + /** + * Announces all instantiated writers to a given Broker peer. + */ + void SendAllWritersTo(const string& peer); + /** * Sets log streams buffering state. This adjusts all associated * writers to the new state. 
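Review bot: The new comments in logging/Manager.h do not match the declarations they document: the block for `CreateWriterForRemoteLog` describes `@param stream` and `@param vals` while the declaration names those parameters `id` and `fields`, and `WriteFromRemote` has no `@return` although it returns `bool`. The spelling slips (`arry`, `alrready`, `can recreated`, `meant called`) are worth fixing in the same pass. Because both methods take ownership of raw pointers, I would add one sentence on what happens on failure, e.g. `Ownership of info and fields passes to the method even when it returns false.`, if that is the intended contract; the early exits added to `CreateWriter` in this patch suggest it is.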
@@ -203,10 +249,6 @@ protected: int num_fields, const threading::Field* const* fields, bool local, bool remote, bool from_remote, const string& instantiating_filter=""); - // Takes ownership of values.. - bool Write(EnumVal* id, EnumVal* writer, string path, - int num_fields, threading::Value** vals); - // Announces all instantiated writers to peer. void SendAllWritersTo(RemoteSerializer::PeerID peer); diff --git a/src/logging/WriterBackend.cc b/src/logging/WriterBackend.cc index 3e868f067a..624b66b8e8 100644 --- a/src/logging/WriterBackend.cc +++ b/src/logging/WriterBackend.cc 
@@ -119,6 +119,63 @@ bool WriterBackend::WriterInfo::Write(SerializationFormat* fmt) const return true; } +broker::data WriterBackend::WriterInfo::ToBroker() const + { + auto bpath = broker::record::field(path); + auto brotation_base = broker::record::field(rotation_base); + auto brotation_interval = broker::record::field(rotation_interval); + auto bnetwork_time = broker::record::field(network_time); + + auto t = broker::table(); + + for ( config_map::const_iterator i = config.begin(); i != config.end(); ++i ) + { + auto key = std::string(i->first); + auto value = std::string(i->second); + t.insert(std::make_pair(key, value)); + } + + auto bconfig = broker::record::field(move(t)); + + return move(broker::record({bpath, brotation_base, brotation_interval, bnetwork_time, bconfig})); + } + +bool WriterBackend::WriterInfo::FromBroker(broker::data d) + { + auto r = broker::get(d); + + if ( ! r ) + return false; + + auto bpath = broker::get(*r->get(0)); + auto brotation_base = broker::get(*r->get(1)); + auto brotation_interval = broker::get(*r->get(2)); + auto bnetwork_time = broker::get(*r->get(3)); + auto bconfig = broker::get(*r->get(4)); + + if ( ! (bpath && brotation_base && brotation_interval && bnetwork_time && bconfig) ) + return false; + + path = copy_string(bpath->c_str()); + rotation_base = *brotation_base; + rotation_interval = *brotation_interval; + network_time = *bnetwork_time; + + for ( auto i : *bconfig ) + { + auto k = broker::get(i.first); + auto v = broker::get(i.second); + + if ( ! (k && v) ) + return false; + + auto p = std::make_pair(copy_string(k->c_str()), copy_string(v->c_str())); + config.insert(p); + } + + return true; + } + WriterBackend::WriterBackend(WriterFrontend* arg_frontend) : MsgThread() { num_fields = 0; diff --git a/src/logging/WriterBackend.h b/src/logging/WriterBackend.h index 2a93e8fefc..e17b7070c1 100644 --- a/src/logging/WriterBackend.h +++ b/src/logging/WriterBackend.h 
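Review bot: `FromBroker` parses a record supplied by a peer but dereferences `r->get(0)` through `r->get(4)` before checking that the record has five populated fields, so a short or sparse record is read through an empty optional. I would guard first with `if ( r->fields.size() != 5 ) return false;` and test each `r->get(i)` before applying `*`. In the config loop, `for ( auto i : *bconfig )` copies every pair (`const auto&` avoids that), and the `copy_string` results leak when `config.insert` finds the key already present or a later entry fails the type check. `path` and `config` are taken from the peer as they arrive; whether the writer constrains them is not visible in this hunk, so a comment stating what the receiver trusts would help the next reader.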
@@ -6,6 +6,7 @@ #define LOGGING_WRITERBACKEND_H #include "threading/MsgThread.h" +#include "broker/Data.h" #include "Component.h" @@ -110,15 +111,15 @@ public: } } - private: - const WriterInfo& operator=(const WriterInfo& other); // Disable. - - friend class ::RemoteSerializer; - // Note, these need to be adapted when changing the struct's // fields. They serialize/deserialize the struct. bool Read(SerializationFormat* fmt); bool Write(SerializationFormat* fmt) const; + broker::data ToBroker() const; + bool FromBroker(broker::data d); + + private: + const WriterInfo& operator=(const WriterInfo& other); // Disable. }; /** diff --git a/src/logging/WriterFrontend.cc b/src/logging/WriterFrontend.cc index 14e131c755..05f4f6593a 100644 --- a/src/logging/WriterFrontend.cc +++ b/src/logging/WriterFrontend.cc @@ -2,6 +2,10 @@ #include "Net.h" #include "threading/SerialTypes.h" +#ifdef ENABLE_BROKER +#include "broker/Manager.h" +#endif + #include "Manager.h" #include "WriterFrontend.h" #include "WriterBackend.h" @@ -97,7 +101,7 @@ private: using namespace logging; -WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo& arg_info, EnumVal* arg_stream, EnumVal* arg_writer, bool arg_local, bool arg_remote) +WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo& arg_info, EnumVal* arg_stream, EnumVal* arg_writer, bool arg_local, bool arg_remote, int arg_remote_flags) { stream = arg_stream; writer = arg_writer; @@ -108,6 +112,7 @@ WriterFrontend::WriterFrontend(const WriterBackend::WriterInfo& arg_info, EnumVa buf = true; local = arg_local; remote = arg_remote; + remote_flags = arg_remote_flags; write_buffer = 0; write_buffer_pos = 0; info = new WriterBackend::WriterInfo(arg_info); 
@@ -167,12 +172,23 @@ void WriterFrontend::Init(int arg_num_fields, const Field* const * arg_fields) backend->SendIn(new InitMessage(backend, arg_num_fields, arg_fields)); if ( remote ) + { remote_serializer->SendLogCreateWriter(stream, writer, *info, arg_num_fields, arg_fields); +#ifdef ENABLE_BROKER + broker_mgr->CreateLog(stream, + writer, + *info, + arg_num_fields, + arg_fields, + remote_flags); +#endif + } + } void WriterFrontend::Write(int arg_num_fields, Value** vals) @@ -191,12 +207,21 @@ void WriterFrontend::Write(int arg_num_fields, Value** vals) } if ( remote ) + { remote_serializer->SendLogWrite(stream, writer, info->path, num_fields, vals); + broker_mgr->Log(stream, + writer, + info->path, + num_fields, + vals, + remote_flags); + } + if ( ! backend ) { DeleteVals(arg_num_fields, vals); diff --git a/src/logging/WriterFrontend.h b/src/logging/WriterFrontend.h index e343f326bf..c39d2bdf3c 100644 --- a/src/logging/WriterFrontend.h +++ b/src/logging/WriterFrontend.h @@ -38,12 +38,15 @@ public: * * local: If true, the writer will instantiate a local backend. * - * remote: If true, the writer will forward all data to remote + * remote: If true, the writer will forward logs to remote * clients. * + * remote_flags: Broker flags controlling where remote logs are + * propagated to. + * * Frontends must only be instantiated by the main thread. */ - WriterFrontend(const WriterBackend::WriterInfo& info, EnumVal* stream, EnumVal* writer, bool local, bool remote); + WriterFrontend(const WriterBackend::WriterInfo& info, EnumVal* stream, EnumVal* writer, bool local, bool remote, int arg_remote_flags); /** * Destructor. @@ -214,6 +217,7 @@ protected: bool buf; // True if buffering is enabled (default). bool local; // True if logging locally. bool remote; // True if loggin remotely. + int remote_flags; // Broker propagation flags. const char* name; // Descriptive name of the WriterBackend::WriterInfo* info; // The writer information. 
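Review bot: The constructor comment in WriterFrontend.h documents the new argument as `remote_flags`, but the declaration names it `arg_remote_flags`, while the other parameters in that declaration carry no `arg_` prefix. Declaring it as `int remote_flags` would keep the header consistent with its own documentation; the definition in WriterFrontend.cc can keep the `arg_` name. The comment could also say which flag values are meaningful, since a bare `int` tells the caller nothing about the expected range.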
diff --git a/testing/btest/Baseline/broker.remote_log/recv.recv.out b/testing/btest/Baseline/broker.remote_log/recv.recv.out index 2f4a31df51..e69de29bb2 100644 --- a/testing/btest/Baseline/broker.remote_log/recv.recv.out +++ b/testing/btest/Baseline/broker.remote_log/recv.recv.out @@ -1,6 +0,0 @@ -wrote log, [msg=ping, nolog=no, num=0] -wrote log, [msg=ping, nolog=no, num=1] -wrote log, [msg=ping, nolog=no, num=2] -wrote log, [msg=ping, nolog=no, num=3] -wrote log, [msg=ping, nolog=no, num=4] -wrote log, [msg=ping, nolog=no, num=5] diff --git a/testing/btest/Baseline/broker.remote_log_types/recv.recv.out b/testing/btest/Baseline/broker.remote_log_types/recv.recv.out new file mode 100644 index 0000000000..e69de29bb2 diff --git a/testing/btest/Baseline/broker.remote_log_types/recv.test.log b/testing/btest/Baseline/broker.remote_log_types/recv.test.log new file mode 100644 index 0000000000..eb2b066cd4 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_log_types/recv.test.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path test +#open 2017-02-11-02-17-35 +#fields b i e c p sn a d t iv s sc ss se vc ve f +#types bool int enum count port subnet addr double time interval string set[count] set[string] set[string] vector[count] vector[string] func +T -42 Test::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1486779455.703438 100.000000 hurz 1 AA (empty) 10,20,30 (empty) foo\x0a{ \x0aif (0 < i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +#close 2017-02-11-02-17-35 diff --git a/testing/btest/Baseline/broker.remote_log_types/send.send.out b/testing/btest/Baseline/broker.remote_log_types/send.send.out new file mode 100644 index 0000000000..632279e697 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_log_types/send.send.out @@ -0,0 +1 @@ +Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp 
diff --git a/testing/btest/Baseline/broker.remote_log_types/send.test.log b/testing/btest/Baseline/broker.remote_log_types/send.test.log new file mode 100644 index 0000000000..59987c5998 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_log_types/send.test.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path test +#open 2017-02-11-02-17-35 +#fields b i e c p sn a d t iv s sc ss se vc ve f +#types bool int enum count port subnet addr double time interval string set[count] set[string] set[string] vector[count] vector[string] func +T -42 Test::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1486779455.703438 100.000000 hurz 1 AA (empty) 10,20,30 (empty) foo\x0a{ \x0aif (0 < i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +#close 2017-02-11-02-17-36 diff --git a/testing/btest/broker/remote_log.test b/testing/btest/broker/remote_log.test index 5881ad6d92..598f3f6e46 100644 --- a/testing/btest/broker/remote_log.test +++ b/testing/btest/broker/remote_log.test @@ -12,25 +12,28 @@ @TEST-START-FILE common.bro + +global quit_receiver: event(); +global quit_sender: event(); + + module Test; export { - redef enum Log::ID += { LOG }; + redef enum Log::ID += { LOG }; - type Info: record { - msg: string &log; - nolog: string &default="no"; - num: count &log; - }; - - global log_test: event(rec: Test::Info); + type Info: record { + msg: string &log; + nolog: string &default="no"; + num: count &log; + }; } event bro_init() &priority=5 - { - Broker::enable(); - Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]); - } + { + Broker::enable(); + Log::create_stream(Test::LOG, [$columns=Test::Info]); + } @TEST-END-FILE 
@@ -40,58 +43,66 @@ const broker_port: port &redef; redef exit_only_after_terminate = T; event bro_init() - { - Broker::subscribe_to_logs("bro/log/"); - Broker::listen(broker_port, "127.0.0.1"); - } + { + Broker::subscribe_to_logs("bro/log/"); + Broker::subscribe_to_events("bro/event/"); + Broker::listen(broker_port, "127.0.0.1"); + } -event Test::log_test(rec: Test::Info) +event quit_receiver() { - print "wrote log", rec; - - if ( rec$num == 5 ) - terminate(); + terminate(); } @TEST-END-FILE + @TEST-START-FILE send.bro const broker_port: port &redef; redef exit_only_after_terminate = T; event bro_init() - { - Broker::enable_remote_logs(Test::LOG); - Broker::connect("127.0.0.1", broker_port, 1secs); - } + { + Broker::enable_remote_logs(Test::LOG); + Broker::connect("127.0.0.1", broker_port, 1secs); + } global n = 0; event do_write() - { - if ( n == 6 ) - return; - else + { + if ( n == 6 ) { - Log::write(Test::LOG, [$msg = "ping", $num = n]); - ++n; - event do_write(); + local args = Broker::event_args(quit_receiver); + Broker::send_event("bro/event/", args); + schedule 1sec { quit_sender() }; } + else + { + Log::write(Test::LOG, [$msg = "ping", $num = n]); + ++n; + event do_write(); + } + } + +event quit_sender() + { + terminate(); } event Broker::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) - { - print "Broker::outgoing_connection_established", peer_address, peer_port; - event do_write(); - } + { + print "Broker::outgoing_connection_established", peer_address, peer_port; + event do_write(); + } event Broker::outgoing_connection_broken(peer_address: string, peer_port: port) - { - terminate(); - } + { + terminate(); + } @TEST-END-FILE diff --git a/testing/btest/broker/remote_log_types.test b/testing/btest/broker/remote_log_types.test new file mode 100644 index 0000000000..9089e087cb --- /dev/null +++ b/testing/btest/broker/remote_log_types.test 
@@ -0,0 +1,133 @@ +# @TEST-SERIALIZE: brokercomm +# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt + +# @TEST-EXEC: btest-bg-run recv "bro -b ../common.bro ../recv.bro broker_port=$BROKER_PORT >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../common.bro ../send.bro broker_port=$BROKER_PORT >send.out" + +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff recv/test.log +# @TEST-EXEC: btest-diff send/send.out +# @TEST-EXEC: btest-diff send/test.log + +@TEST-START-FILE common.bro + + +global quit_receiver: event(); +global quit_sender: event(); + + +module Test; + +export { + redef enum Log::ID += { LOG }; + + type Info: record { + b: bool; + i: int; + e: Log::ID; + c: count; + p: port; + sn: subnet; + a: addr; + d: double; + t: time; + iv: interval; + s: string; + sc: set[count]; + ss: set[string]; + se: set[string]; + vc: vector of count; + ve: vector of string; + f: function(i: count) : string; + } &log; + +} + +event bro_init() &priority=5 + { + Broker::enable(); + Log::create_stream(Test::LOG, [$columns=Test::Info]); + } + +@TEST-END-FILE + +@TEST-START-FILE recv.bro + +const broker_port: port &redef; +redef exit_only_after_terminate = T; + +event bro_init() + { + Broker::subscribe_to_logs("bro/log/"); + Broker::subscribe_to_events("bro/event/"); + Broker::listen(broker_port, "127.0.0.1"); + } + +event quit_receiver() + { + terminate(); + } + +@TEST-END-FILE + + +@TEST-START-FILE send.bro + +const broker_port: port &redef; +redef exit_only_after_terminate = T; + +event bro_init() + { + Broker::enable_remote_logs(Test::LOG); + Broker::connect("127.0.0.1", broker_port, 1secs); + } + +event quit_sender() + { + terminate(); + } + +function foo(i : count) : string + { + if ( i > 0 ) + return "Foo"; + else + return "Bar"; + } + +event Broker::outgoing_connection_established(peer_address: string, + peer_port: port, + peer_name: string) + { + print "Broker::outgoing_connection_established", 
peer_address, peer_port; + + local empty_set: set[string]; + local empty_vector: vector of string; + + Log::write(Test::LOG, [ + $b=T, + $i=-42, + $e=Test::LOG, + $c=21, + $p=123/tcp, + $sn=10.0.0.1/24, + $a=1.2.3.4, + $d=3.14, + $t=network_time(), + $iv=100secs, + $s="hurz", + $sc=set(1), # set(1,2,3,4), # Output not stable for multi-element sets. + $ss=set("AA"), # set("AA", "BB", "CC") # Output not stable for multi-element sets. + $se=empty_set, + $vc=vector(10, 20, 30), + $ve=empty_vector, + $f=foo + ]); + + local args = Broker::event_args(quit_receiver); + Broker::send_event("bro/event/", args); + schedule 1sec { quit_sender() }; + } + +@TEST-END-FILE From 2b694a1881f97b0042fd4e05f77bd88fff6389dd Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Sat, 11 Feb 2017 08:36:47 -0800 Subject: [PATCH 077/631] Update failing intel framework test. --- .../output | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output index 9cb4a7c9ff..69606c1407 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output @@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path reporter -#open 2016-09-20-22-35-58 +#open 2017-02-11-16-36-40 #fields ts level message location #types time enum string string -0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 507-508 +0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/johanna/bro/master/scripts/base/frameworks/intel/./main.bro, lines 520-521 0.000000 Reporter::INFO received termination signal (empty) -#close 2016-09-20-22-35-59 +#close 2017-02-11-16-36-40 
From 809660d48a171533eb51db30ad25bcef121d9c04 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 14 Feb 2017 07:21:00 -0800 Subject: [PATCH 078/631] Tiny mime-type fix from Dan Caselden. --- scripts/base/frameworks/files/magic/general.sig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig index d3bed97efa..23b1c1d074 100644 --- a/scripts/base/frameworks/files/magic/general.sig +++ b/scripts/base/frameworks/files/magic/general.sig @@ -116,7 +116,7 @@ signature file-reg-utf16 { # Microsoft Registry format (typically DESKTOP.DAT) signature file-regf { - file-mime "application vnd.ms-regf", 49 + file-mime "application/vnd.ms-regf", 49 file-magic /^\x72\x65\x67\x66/ } From 976677dba259ca02268141766329bccc4f99a5db Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 14 Feb 2017 12:19:08 -0800 Subject: [PATCH 079/631] Add missing end of file call for stapled ocsp responses. --- src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index d2ccd796cb..6882e48cbb 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -235,7 +235,7 @@ refine connection Handshake_Conn += { (const char*) response.data()), status_type); - + file_mgr->EndOfFile(file_id); } return true; %} From b3a18f3c80ced6168487c09fa950e0b9b2c9ea9a Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Wed, 15 Feb 2017 16:24:21 -0600 Subject: [PATCH 080/631] Kerberos ciphertext had some additional ASN.1 content being lumped in. --- src/analyzer/protocol/krb/krb-types.pac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/analyzer/protocol/krb/krb-types.pac b/src/analyzer/protocol/krb/krb-types.pac index bb2bfba3e8..3b3b9d1f09 100644 
--- a/src/analyzer/protocol/krb/krb-types.pac +++ b/src/analyzer/protocol/krb/krb-types.pac @@ -95,7 +95,7 @@ RecordVal* proc_ticket(const KRB_Ticket* ticket) rv->Assign(1, bytestring_to_val(ticket->realm()->data()->content())); rv->Assign(2, GetStringFromPrincipalName(ticket->sname())); rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->data()->etype()->data(), TYPE_COUNT)); - rv->Assign(4, bytestring_to_val(ticket->enc_part()->data()->ciphertext())); + rv->Assign(4, bytestring_to_val(ticket->enc_part()->data()->ciphertext()->encoding()->content())); return rv; } @@ -162,7 +162,7 @@ type KRB_Encrypted_Data = record { true -> next_meta: ASN1EncodingMeta; false -> none_meta: empty; }; - ciphertext : bytestring &length=have_kvno ? next_meta.length : kvno_meta.length; + ciphertext : ASN1OctetString &length=have_kvno ? next_meta.length : kvno_meta.length; } &let { have_kvno : bool = kvno_meta.index == 1; }; From 5604f46dd3c249af2a3d1e61cd8b3c29de606ad0 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 15 Feb 2017 17:38:56 -0800 Subject: [PATCH 081/631] OCSP SCT: use correct oid for old openssls --- src/file_analysis/analyzer/x509/OCSP.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 1c27720e36..7a6a3c9a12 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -347,7 +347,7 @@ void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa #ifdef NID_ct_cert_scts if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) #else - if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 ) + if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.5") == 0 ) #endif ParseSignedCertificateTimestamps(ex); } From 511ca9e043c06729314db2f2c55cbb330b8d2d0f Mon Sep 17 00:00:00 2001 
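Review bot: In the OCSP.cc hunk the fallback branch for OpenSSL builds without `NID_ct_cert_scts` now matches only `1.3.6.1.4.1.11129.2.4.5`, while the `#ifdef` branch still accepts both `NID_ct_cert_scts` and `NID_ct_precert_scts`, so the two build variants no longer recognise the same set of extensions. If the certificate-embedded SCT list is not expected inside an OCSP response, dropping `NID_ct_precert_scts` from the first branch would make them agree; otherwise the fallback needs the second OID as well. A comment beside the literal, such as `// SCT list extension as carried in OCSP responses`, would make the string easier to audit. `ParseExtensionsSpecific` starts and ends outside the hunk.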
From: Robin Sommer Date: Fri, 17 Feb 2017 16:28:20 -0800 Subject: [PATCH 082/631] Adding Broker ifdefs for new remote logging code. --- src/logging/Manager.cc | 4 ++++ src/logging/Manager.h | 4 ++-- src/logging/WriterBackend.cc | 2 ++ src/logging/WriterBackend.h | 6 ++++++ src/logging/WriterFrontend.cc | 2 ++ 5 files changed, 16 insertions(+), 2 deletions(-) diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc index 5bebdebdfb..8c720137e8 100644 --- a/src/logging/Manager.cc +++ b/src/logging/Manager.cc @@ -1207,7 +1207,11 @@ WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, WriterBacken winfo->info->rotation_interval = winfo->interval; winfo->info->rotation_base = parse_rotate_base_time(base_time); +#ifdef ENABLE_BROKER winfo->writer = new WriterFrontend(*winfo->info, id, writer, local, remote, stream->remote_flags); +#else + winfo->writer = new WriterFrontend(*winfo->info, id, writer, local, remote, 0); +#endif winfo->writer->Init(num_fields, fields); InstallRotationTimer(winfo); diff --git a/src/logging/Manager.h b/src/logging/Manager.h index 6852160169..3334942a3a 100644 --- a/src/logging/Manager.h +++ b/src/logging/Manager.h @@ -131,7 +131,7 @@ public: /** * Create a new log writer frontend. This is exposed so that the - * communication system can recreated remote log streams locally. + * communication system can recreate remote log streams locally. * * @param stream The enum value corresponding the log stream. * @@ -153,7 +153,7 @@ public: /** * Writes out log entries that have already passed through all - * filters, and have raised any events. This is meant called for logs + * filters (and have raised any events). This is meant called for logs * received alrready processed from remote. * * @param stream The enum value corresponding the log stream. diff --git a/src/logging/WriterBackend.cc b/src/logging/WriterBackend.cc index 624b66b8e8..e2afd360e7 100644 --- a/src/logging/WriterBackend.cc +++ b/src/logging/WriterBackend.cc 
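Review bot: The Manager.cc hunk duplicates the whole `new WriterFrontend(...)` expression inside `#ifdef`/`#else` only to vary the last argument, so any later change to the constructor call has to be made twice and one copy is never compiled in a given build. Computing the flags once keeps a single call site: declare `int remote_flags = 0;`, assign `remote_flags = stream->remote_flags;` under `#ifdef ENABLE_BROKER`, then call `new WriterFrontend(*winfo->info, id, writer, local, remote, remote_flags);`. `CreateWriter` starts and ends outside the hunk.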
@@ -119,6 +119,7 @@ bool WriterBackend::WriterInfo::Write(SerializationFormat* fmt) const return true; } +#ifdef ENABLE_BROKER broker::data WriterBackend::WriterInfo::ToBroker() const { auto bpath = broker::record::field(path); @@ -175,6 +176,7 @@ bool WriterBackend::WriterInfo::FromBroker(broker::data d) return true; } +#endif WriterBackend::WriterBackend(WriterFrontend* arg_frontend) : MsgThread() { diff --git a/src/logging/WriterBackend.h b/src/logging/WriterBackend.h index e17b7070c1..f6602cc8ca 100644 --- a/src/logging/WriterBackend.h +++ b/src/logging/WriterBackend.h @@ -6,7 +6,10 @@ #define LOGGING_WRITERBACKEND_H #include "threading/MsgThread.h" + +#ifdef ENABLE_BROKER #include "broker/Data.h" +#endif #include "Component.h" @@ -115,8 +118,11 @@ public: // fields. They serialize/deserialize the struct. bool Read(SerializationFormat* fmt); bool Write(SerializationFormat* fmt) const; + +#ifdef ENABLE_BROKER broker::data ToBroker() const; bool FromBroker(broker::data d); +#endif private: const WriterInfo& operator=(const WriterInfo& other); // Disable. diff --git a/src/logging/WriterFrontend.cc b/src/logging/WriterFrontend.cc index 05f4f6593a..0c2378890f 100644 --- a/src/logging/WriterFrontend.cc +++ b/src/logging/WriterFrontend.cc @@ -214,12 +214,14 @@ void WriterFrontend::Write(int arg_num_fields, Value** vals) num_fields, vals); +#ifdef ENABLE_BROKER broker_mgr->Log(stream, writer, info->path, num_fields, vals, remote_flags); +#endif } if ( ! backend ) From 0b8b76cfabb5dd15547c437e1a1c12f81a10d591 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Sat, 18 Feb 2017 13:55:39 -0500 Subject: [PATCH 083/631] Refactor base krb scripts and update tests. --- scripts/base/protocols/krb/files.bro | 23 +- scripts/base/protocols/krb/main.bro | 227 ++++++++---------- .../policy/protocols/krb/ticket-logging.bro | 26 +- scripts/test-all-policy.bro | 1 + testing/btest/Baseline/plugins.hooks/output | 15 +- .../scripts.base.protocols.krb.kinit/output | 2 +- .../kerberos.log | 10 + .../policy/protocols/krb/ticket-logging.bro | 6 + 8 files changed, 135 insertions(+), 175 deletions(-) create mode 100644 testing/btest/Baseline/scripts.policy.protocols.krb.ticket-logging/kerberos.log create mode 100644 testing/btest/scripts/policy/protocols/krb/ticket-logging.bro diff --git a/scripts/base/protocols/krb/files.bro b/scripts/base/protocols/krb/files.bro index cd2127c605..a486a56290 100644 --- a/scripts/base/protocols/krb/files.bro +++ b/scripts/base/protocols/krb/files.bro @@ -78,30 +78,19 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori if ( f$source != "KRB_TCP" && f$source != "KRB" ) return; - local info: Info; - - if ( ! c?$krb ) - { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; - } - else - info = c$krb; + set_session(c); if ( is_orig ) { - info$client_cert = f$info; - info$client_cert_fuid = f$id; + c$krb$client_cert = f$info; + c$krb$client_cert_fuid = f$id; } else { - info$server_cert = f$info; - info$server_cert_fuid = f$id; + c$krb$server_cert = f$info; + c$krb$server_cert_fuid = f$id; } - c$krb = info; - Files::add_analyzer(f, Files::ANALYZER_X509); # Always calculate hashes. They are not necessary for base scripts # but very useful for identification, and required for policy scripts 
@@ -111,7 +100,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori function fill_in_subjects(c: connection) { - if ( !c?$krb ) + if ( ! c?$krb ) return; if ( c$krb?$client_cert && c$krb$client_cert?$x509 && c$krb$client_cert$x509?$certificate ) diff --git a/scripts/base/protocols/krb/main.bro b/scripts/base/protocols/krb/main.bro index fc6abc5bff..02abced683 100644 --- a/scripts/base/protocols/krb/main.bro +++ b/scripts/base/protocols/krb/main.bro @@ -10,41 +10,41 @@ export { type Info: record { ## Timestamp for when the event happened. - ts: time &log; + ts: time &log; ## Unique ID for the connection. - uid: string &log; + uid: string &log; ## The connection's 4-tuple of endpoint addresses/ports. - id: conn_id &log; + id: conn_id &log; ## Request type - Authentication Service ("AS") or ## Ticket Granting Service ("TGS") - request_type: string &log &optional; + request_type: string &log &optional; ## Client - client: string &log &optional; + client: string &log &optional; ## Service - service: string &log; + service: string &log &optional; ## Request result - success: bool &log &optional; + success: bool &log &optional; ## Error code - error_code: count &optional; + error_code: count &optional; ## Error message - error_msg: string &log &optional; + error_msg: string &log &optional; ## Ticket valid from - from: time &log &optional; + from: time &log &optional; ## Ticket valid till - till: time &log &optional; + till: time &log &optional; ## Ticket encryption type - cipher: string &log &optional; + cipher: string &log &optional; ## Forwardable ticket requested - forwardable: bool &log &optional; + forwardable: bool &log &optional; ## Renewable ticket requested - renewable: bool &log &optional; + renewable: bool &log &optional; ## We've already logged this - logged: bool &default=F; + logged: bool &default=F; }; ## The server response error texts which are *not* logged. 
@@ -80,179 +80,140 @@ event bro_init() &priority=5 Log::create_stream(KRB::LOG, [$columns=Info, $ev=log_krb, $path="kerberos"]); } -event krb_error(c: connection, msg: Error_Msg) &priority=5 +function set_session(c: connection): bool { - local info: Info; - - if ( msg?$error_text && msg$error_text in ignored_errors ) + if ( ! c?$krb ) { - if ( c?$krb ) delete c$krb; - return; + c$krb = Info($ts = network_time(), + $uid = c$uid, + $id = c$id); } - - if ( c?$krb && c$krb$logged ) - return; - - if ( c?$krb ) - info = c$krb; - - if ( ! info?$ts ) - { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; - } - - if ( ! info?$client && ( msg?$client_name || msg?$client_realm ) ) - info$client = fmt("%s%s", msg?$client_name ? msg$client_name + "/" : "", - msg?$client_realm ? msg$client_realm : ""); - - info$service = msg$service_name; - info$success = F; - - info$error_code = msg$error_code; - - if ( msg?$error_text ) info$error_msg = msg$error_text; - else if ( msg$error_code in error_msg ) info$error_msg = error_msg[msg$error_code]; - - c$krb = info; + + return c$krb$logged; } -event krb_error(c: connection, msg: Error_Msg) &priority=-5 +function do_log(c: connection) { - if ( c?$krb ) + if ( c?$krb && ! c$krb$logged ) { Log::write(KRB::LOG, c$krb); c$krb$logged = T; } } -event krb_as_request(c: connection, msg: KDC_Request) &priority=5 +event krb_error(c: connection, msg: Error_Msg) &priority=5 { - if ( c?$krb && c$krb$logged ) + if ( set_session(c) ) return; - local info: Info; - - if ( !c?$krb ) + if ( msg?$error_text && msg$error_text in ignored_errors ) { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; + if ( c?$krb ) + delete c$krb; + + return; } - else - info = c$krb; - info$request_type = "AS"; - info$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg$service_realm); - info$service = msg$service_name; + if ( ! c$krb?$client && ( msg?$client_name || msg?$client_realm ) ) + c$krb$client = fmt("%s%s", msg?$client_name ? 
msg$client_name + "/" : "", + msg?$client_realm ? msg$client_realm : ""); - if ( msg?$from ) - info$from = msg$from; + c$krb$service = msg$service_name; + c$krb$success = F; + c$krb$error_code = msg$error_code; - info$till = msg$till; - - info$forwardable = msg$kdc_options$forwardable; - info$renewable = msg$kdc_options$renewable; - - c$krb = info; + if ( msg?$error_text ) + c$krb$error_msg = msg$error_text; + else if ( msg$error_code in error_msg ) + c$krb$error_msg = error_msg[msg$error_code]; } -event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5 +event krb_error(c: connection, msg: Error_Msg) &priority=-5 { - if ( c?$krb && c$krb$logged ) + do_log(c); + } + +event krb_as_request(c: connection, msg: KDC_Request) &priority=5 + { + if ( set_session(c) ) return; - local info: Info; + c$krb$request_type = "AS"; + c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg$service_realm); + c$krb$service = msg$service_name; - if ( !c?$krb ) - { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; - } - else - info = c$krb; + if ( msg?$from ) + c$krb$from = msg$from; + c$krb$till = msg$till; - info$request_type = "TGS"; - info$service = msg$service_name; - if ( msg?$from ) info$from = msg$from; - info$till = msg$till; - - info$forwardable = msg$kdc_options$forwardable; - info$renewable = msg$kdc_options$renewable; - - c$krb = info; + c$krb$forwardable = msg$kdc_options$forwardable; + c$krb$renewable = msg$kdc_options$renewable; } event krb_as_response(c: connection, msg: KDC_Response) &priority=5 { - local info: Info; - - if ( c?$krb && c$krb$logged ) + if ( set_session(c) ) return; - if ( c?$krb ) - info = c$krb; - - if ( ! info?$ts ) + if ( ! c$krb?$client && ( msg?$client_name || msg?$client_realm ) ) { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; + c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", + msg?$client_realm ? msg$client_realm : ""); } - if ( ! 
info?$client && ( msg?$client_name || msg?$client_realm ) ) - info$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg?$client_realm ? msg$client_realm : ""); - - info$service = msg$ticket$service_name; - info$cipher = cipher_name[msg$ticket$cipher]; - info$success = T; - - c$krb = info; + c$krb$service = msg$ticket$service_name; + c$krb$cipher = cipher_name[msg$ticket$cipher]; + c$krb$success = T; } event krb_as_response(c: connection, msg: KDC_Response) &priority=-5 { - Log::write(KRB::LOG, c$krb); - c$krb$logged = T; + do_log(c); + } + +event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options) &priority=5 + { + if ( set_session(c) ) + return; + } + +event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5 + { + if ( set_session(c) ) + return; + + c$krb$request_type = "TGS"; + c$krb$service = msg$service_name; + if ( msg?$from ) + c$krb$from = msg$from; + c$krb$till = msg$till; + + c$krb$forwardable = msg$kdc_options$forwardable; + c$krb$renewable = msg$kdc_options$renewable; } event krb_tgs_response(c: connection, msg: KDC_Response) &priority=5 { - local info: Info; - - if ( c?$krb && c$krb$logged ) + if ( set_session(c) ) return; - if ( c?$krb ) - info = c$krb; - - if ( ! info?$ts ) + if ( ! c$krb?$client && ( msg?$client_name || msg?$client_realm ) ) { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; + c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", + msg?$client_realm ? msg$client_realm : ""); } - if ( ! info?$client && ( msg?$client_name || msg?$client_realm ) ) - info$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg?$client_realm ? 
msg$client_realm : ""); - - info$service = msg$ticket$service_name; - info$cipher = cipher_name[msg$ticket$cipher]; - info$success = T; - - c$krb = info; + c$krb$service = msg$ticket$service_name; + c$krb$cipher = cipher_name[msg$ticket$cipher]; + c$krb$success = T; } event krb_tgs_response(c: connection, msg: KDC_Response) &priority=-5 { - Log::write(KRB::LOG, c$krb); - c$krb$logged = T; + do_log(c); } event connection_state_remove(c: connection) &priority=-5 { - if ( c?$krb && ! c$krb$logged ) - Log::write(KRB::LOG, c$krb); + do_log(c); } diff --git a/scripts/policy/protocols/krb/ticket-logging.bro b/scripts/policy/protocols/krb/ticket-logging.bro index e254b6dc26..22fd3c810b 100644 --- a/scripts/policy/protocols/krb/ticket-logging.bro +++ b/scripts/policy/protocols/krb/ticket-logging.bro @@ -1,3 +1,7 @@ +##! Add Kerberos ticket hashes to the krb.log + +@load base/protocols/krb + module KRB; redef record Info += { @@ -9,25 +13,11 @@ redef record Info += { event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options) { - if ( c?$krb && c$krb$logged ) - return; - - local info: Info; + # Will be overwritten when request is a TGS + c$krb$request_type = "AP"; - if ( !c?$krb ) - { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; - } - else - info = c$krb; - - info$request_type = "AP"; # Will be overwritten when request is a TGS if ( ticket?$ciphertext ) - info$auth_ticket = md5_hash(ticket$ciphertext); - - c$krb = info; + c$krb$auth_ticket = md5_hash(ticket$ciphertext); } event krb_as_response(c: connection, msg: KDC_Response) @@ -40,4 +30,4 @@ event krb_tgs_response(c: connection, msg: KDC_Response) { if ( msg$ticket?$ciphertext ) c$krb$new_ticket = md5_hash(msg$ticket$ciphertext); - } \ No newline at end of file + } diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index 8d1a9ff054..a022060cd4 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro 
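Review bot: `set_session` in main.bro returns `c$krb$logged`, not anything about the session it creates, and nothing at its definition says so; every caller then reads `if ( set_session(c) ) return;`, which hides that the early return means "already logged". A doc comment such as `## Makes sure c$krb exists; returns T if that record has already been logged.` would make the call sites readable. Two leftovers follow from the refactor: in `krb_error` the `if ( c?$krb )` guard before `delete c$krb` is always true once `set_session` has run, and the new `krb_ap_request` handler's `return` is the last statement of its body, so a comment saying the handler only exists to create the record would help. The logged check now also runs before the `ignored_errors` check, so an ignored error on an already-logged connection no longer deletes `c$krb`; worth confirming that is intended.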
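Review bot: The `krb_ap_request` handler in ticket-logging.bro now writes `c$krb$request_type` and `c$krb$auth_ticket` without testing `c?$krb` or `c$krb$logged`, so it depends on the base script's `krb_ap_request` handler at `&priority=5` having created the record first. That ordering is implicit and easy to break if either priority changes. Opening the handler with `if ( ! c?$krb || c$krb$logged ) return;` keeps the old already-logged check and makes the dependency explicit; a comment noting the reliance on the base handler would be the minimum.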
@@ -72,6 +72,7 @@ @load protocols/http/software.bro @load protocols/http/var-extraction-cookies.bro @load protocols/http/var-extraction-uri.bro +@load protocols/krb/ticket-logging.bro @load protocols/modbus/known-masters-slaves.bro @load protocols/modbus/track-memmap.bro @load protocols/mysql/software.bro diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 9b22c34b71..c291302748 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -247,7 +247,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> 
@@ -377,7 +377,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -968,7 +968,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) 
@@ -1098,7 +1098,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1688,7 +1688,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 
@@ -1818,7 +1818,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() 
@@ -2297,6 +2297,7 @@ 1362692527.080972 MetaHookPost CallFunction(Conn::determine_service, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692527.080972 MetaHookPost CallFunction(Conn::set_conn, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 1362692527.080972 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692527.080972 MetaHookPost CallFunction(KRB::do_log, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692527.080972 MetaHookPost CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692527.080972 MetaHookPost 
CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> 1362692527.080972 MetaHookPost CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> 
@@ -2327,6 +2328,7 @@ 1362692527.080972 MetaHookPre CallFunction(Conn::determine_service, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre CallFunction(Conn::set_conn, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692527.080972 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre CallFunction(KRB::do_log, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre CallFunction(Log::__write, , 
(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) 1362692527.080972 MetaHookPre CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) 
@@ -2358,6 +2360,7 @@ 1362692527.080972 | HookCallFunction Conn::determine_service([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookCallFunction Conn::set_conn([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692527.080972 | HookCallFunction KRB::do_log([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookCallFunction KRB::fill_in_subjects([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookCallFunction Log::__write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, 
id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]) 1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]) diff --git a/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output b/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output index 0bec7ee13c..cf6a7a0616 100644 --- a/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output +++ b/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output 
@@ -1,3 +1,3 @@ KRB_AP_REQUEST -[pvno=5, realm=VLADG.NET, service_name=krbtgt/VLADG.NET, cipher=18] +[pvno=5, realm=VLADG.NET, service_name=krbtgt/VLADG.NET, cipher=18, ciphertext=\x04\x81\xfa{\x9fY\xd0f\x8dS\xf4I\x88\x04\xfa\xc1\xd8m\xa2\xb7+\xbb\x19\xcag\x0c\x13\xd1g*\xfc\x18\xd1\xb1\x80!\xbd\x85\xec\xf9\x9b\xfa-\x18\xb6\xf5h\x91\xe7\x99\xf4\xdb\x93\xa0\xc7\x90\x1e\xa9\x95v\xd3\x12\xfa,9\x1d\x0b\xd0\xa1\xd25\x0f\x1f[G\xdf\xd0\xbbd\x06$2\xd1\xae\x130qZiY\x07@\xe9\xf9\xff\xa4\x9a\xd4\x09\xf0\x0d\xc1R\x10M\xbdKOV\xfd\xf6\x13\xf6\x9a\x95N\xdf!\xf6x\x94\xd8j\xa5\xdcp\xa8\x04\x99\x02x\xdb$\xd8\xfa_o\x8dV\xc8\x0a\xfe\x00\xf3&c\x0c8\xd1\xd0\xe9\x8e\xab\xfe&\xfe\x00\x8d$\x98I\xe5\x8d\x94rM4%\xd8\xfe\xa9\x08\x06\xc6\x95H7\xf7HCq\xb9\x0d$\x95?\x83B\x82\xdd\xea\xc3f3\xcc\xbb\x09\x0d-\x09;\xa6i%\xcd\xba\x11\xd4\xe0\x12w\xd0G&\xdaj\x82\x7f;\xf3\x1d\x10\xa4l\x06\x16l\x1bc\xa1\xd1\x15!\x00\x8a\xff\x8a\x06\xe7U^: Date: Mon, 20 Feb 2017 00:07:14 -0500 Subject: [PATCH 084/631] Rework the RADIUS base script. - This fixes BIT-1769 by logging all requests even in the absence of a reply. The way that request and replying matching were being handled was restructured to mostly ignore the transaction ids because they aren't that helpful for network monitoring and it makes the script structure more complicated. - Add `framed_addr` field to the radius log to indicate if the radius server is hinting at an address for the client. - Add `ttl` field to indicate how quickly the radius server is replying to the network access server. - Fix a bunch of indentation inconsistencies. 
--- scripts/base/protocols/radius/main.bro | 151 ++++++++++-------- .../radius.log | 10 +- .../radius.log | 16 ++ .../Traces/radius/radius_localhost.pcapng | Bin 0 -> 2952 bytes .../radius/radius-multiple-attempts.test | 6 + 5 files changed, 113 insertions(+), 70 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.radius.radius-multiple-attempts/radius.log create mode 100644 testing/btest/Traces/radius/radius_localhost.pcapng create mode 100644 testing/btest/scripts/base/protocols/radius/radius-multiple-attempts.test diff --git a/scripts/base/protocols/radius/main.bro b/scripts/base/protocols/radius/main.bro index d9c2d08ca8..ea30b27911 100644 --- a/scripts/base/protocols/radius/main.bro +++ b/scripts/base/protocols/radius/main.bro 
@@ -10,52 +10,51 @@ export { type Info: record { ## Timestamp for when the event happened. - ts : time &log; + ts : time &log; ## Unique ID for the connection. - uid : string &log; + uid : string &log; ## The connection's 4-tuple of endpoint addresses/ports. - id : conn_id &log; + id : conn_id &log; ## The username, if present. - username : string &log &optional; + username : string &log &optional; ## MAC address, if present. - mac : string &log &optional; - ## Remote IP address, if present. - remote_ip : addr &log &optional; + mac : string &log &optional; + ## The address given to the network access server, if + ## present. This is only a hint from the RADIUS server + ## and the network access server is not required to honor + ## the address. + framed_addr : addr &log &optional; + ## Remote IP address, if present. This is collected + ## from the Tunnel-Client-Endpoint attribute. + remote_ip : addr &log &optional; ## Connect info, if present. - connect_info : string &log &optional; + connect_info : string &log &optional; + ## Reply message from the server challenge. This is + ## frequently shown to the user authenticating. + reply_msg : string &log &optional; ## Successful or failed authentication. - result : string &log &optional; - ## Whether this has already been logged and can be ignored. - logged : bool &optional; + result : string &log &optional; + ## The duration between the first request and + ## either the "Access-Accept" message or an error. + ## If the field is empty, it means that either + ## the request or response was not seen. + ttl : interval &log &optional; + ## Whether this has already been logged and can be ignored. + logged : bool &default=F; }; - ## The amount of time we wait for an authentication response before - ## expiring it. - const expiration_interval = 10secs &redef; - - ## Logs an authentication attempt if we didn't see a response in time. - ## - ## t: A table of Info records. 
- ## - ## idx: The index of the connection$radius table corresponding to the - ## radius authentication about to expire. - ## - ## Returns: 0secs, which when this function is used as an - ## :bro:attr:`&expire_func`, indicates to remove the element at - ## *idx* immediately. - global expire: function(t: table[count] of Info, idx: count): interval; - ## Event that can be handled to access the RADIUS record as it is sent on - ## to the loggin framework. + ## to the logging framework. global log_radius: event(rec: Info); } redef record connection += { - radius: table[count] of Info &optional &write_expire=expiration_interval &expire_func=expire; + radius: Info &optional; }; const ports = { 1812/udp }; +redef likely_server_ports += { ports }; event bro_init() &priority=5 { 
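Review bot: The doc comment on the new `framed_addr` field does not mention that Framed-IP-Address carries two reserved values, so analysts will read them as real client addresses. RFC 2865 defines 255.255.255.255 as "the user may select an address" and 255.255.255.254 as "the NAS selects an address", and the updated radius.log baseline in this patch records `255.255.255.254` in that column. I would extend the comment with `## 255.255.255.255 and 255.255.255.254 are RFC 2865 placeholders, not assigned addresses.` so that joins against conn.log or asset data can skip them.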
@@ -63,64 +62,86 @@ event bro_init() &priority=5 Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports); } -event radius_message(c: connection, result: RADIUS::Message) +event radius_message(c: connection, result: RADIUS::Message) &priority=5 { - local info: Info; - - if ( c?$radius && result$trans_id in c$radius ) - info = c$radius[result$trans_id]; - else + if ( ! c?$radius ) { - c$radius = table(); - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; + c$radius = Info($ts = network_time(), + $uid = c$uid, + $id = c$id); } - switch ( RADIUS::msg_types[result$code] ) { + switch ( RADIUS::msg_types[result$code] ) + { case "Access-Request": - if ( result?$attributes ) { + if ( result?$attributes ) + { # User-Name - if ( ! info?$username && 1 in result$attributes ) - info$username = result$attributes[1][0]; + if ( ! c$radius?$username && 1 in result$attributes ) + c$radius$username = result$attributes[1][0]; # Calling-Station-Id (we expect this to be a MAC) - if ( ! info?$mac && 31 in result$attributes ) - info$mac = normalize_mac(result$attributes[31][0]); + if ( ! c$radius?$mac && 31 in result$attributes ) + c$radius$mac = normalize_mac(result$attributes[31][0]); # Tunnel-Client-EndPoint (useful for VPNs) - if ( ! info?$remote_ip && 66 in result$attributes ) - info$remote_ip = to_addr(result$attributes[66][0]); + if ( ! c$radius?$remote_ip && 66 in result$attributes ) + c$radius$remote_ip = to_addr(result$attributes[66][0]); # Connect-Info - if ( ! info?$connect_info && 77 in result$attributes ) - info$connect_info = result$attributes[77][0]; - } + if ( ! c$radius?$connect_info && 77 in result$attributes ) + c$radius$connect_info = result$attributes[77][0]; + } + break; + case "Access-Challenge": + if ( result?$attributes ) + { + # Framed-IP-Address + if ( ! c$radius?$framed_addr && 8 in result$attributes ) + c$radius$framed_addr = raw_bytes_to_v4_addr(result$attributes[8][0]); + + if ( ! 
c$radius?$reply_msg && 18 in result$attributes ) + c$radius$reply_msg = result$attributes[18][0]; + } break; case "Access-Accept": - info$result = "success"; + c$radius$result = "success"; break; case "Access-Reject": - info$result = "failed"; + c$radius$result = "failed"; break; - } - if ( info?$result && ! info?$logged ) - { - info$logged = T; - Log::write(RADIUS::LOG, info); + # TODO: Support RADIUS accounting. (add port 1813/udp above too) + #case "Accounting-Request": + # break; + # + #case "Accounting-Response": + # break; } - - c$radius[result$trans_id] = info; } +event radius_message(c: connection, result: RADIUS::Message) &priority=-5 + { + if ( c$radius?$result ) + { + local ttl = network_time() - c$radius$ts; + if ( ttl != 0secs ) + c$radius$ttl = ttl; -function expire(t: table[count] of Info, idx: count): interval - { - t[idx]$result = "unknown"; - Log::write(RADIUS::LOG, t[idx]); - return 0secs; - } + Log::write(RADIUS::LOG, c$radius); + + delete c$radius; + } + } + +event connection_state_remove(c: connection) &priority=-5 + { + if ( c?$radius && ! c$radius$logged ) + { + c$radius$result = "unknown"; + Log::write(RADIUS::LOG, c$radius); + } + } diff --git a/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log b/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log index 944b5a3ad3..bd536ecca2 100644 --- a/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log +++ b/testing/btest/Baseline/scripts.base.protocols.radius.auth/radius.log 
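Review bot: Keeping a single `Info` per connection means two authentications that overlap on the same 4-tuple are merged into one log line. The `! c$radius?$username` style guards in the `Access-Request` case keep the first request's values, while the `&priority=-5` handler logs and deletes the record on whichever `Access-Accept` or `Access-Reject` arrives first, so a result can be written against another user's name and the later reply is then logged with no username. A network access server that sends every request from one source port (the auth baseline shows the NAS using port 1645) could hit this whenever logins overlap, which matters for anyone counting failed logins per user. If dropping `trans_id` matching is intentional, a comment such as `# NOTE: concurrent exchanges on one 4-tuple share this record; username and result may belong to different requests.` above the handler would record the limitation.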
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path radius -#open 2016-07-13-16-16-47 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username mac remote_ip connect_info result -#types time string addr port addr port string string addr string string -1217631137.916736 CHhAvVGS1DHFjwGM9 10.0.0.1 1645 10.0.0.100 1812 John.McGuirk 00:14:22:e9:54:5e - - success -#close 2016-07-13-16-16-47 +#open 2017-02-20-04-53-55 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username mac framed_addr remote_ip connect_info reply_msg result ttl +#types time string addr port addr port string string addr addr string string string interval +1217631137.872968 CHhAvVGS1DHFjwGM9 10.0.0.1 1645 10.0.0.100 1812 John.McGuirk 00:14:22:e9:54:5e 255.255.255.254 - - Hello, %u success 0.043882 +#close 2017-02-20-04-53-55 diff --git a/testing/btest/Baseline/scripts.base.protocols.radius.radius-multiple-attempts/radius.log b/testing/btest/Baseline/scripts.base.protocols.radius.radius-multiple-attempts/radius.log new file mode 100644 index 0000000000..8dac83de65 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.radius.radius-multiple-attempts/radius.log 
@@ -0,0 +1,16 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path radius +#open 2017-02-20-04-56-31 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username mac framed_addr remote_ip connect_info reply_msg result ttl +#types time string addr port addr port string string addr addr string string string interval +1440447766.440305 CHhAvVGS1DHFjwGM9 127.0.0.1 53031 127.0.0.1 1812 steve - 172.16.3.33 - - - failed 1.005906 +1440447839.947454 ClEkJM2Vm5giqnMf4h 127.0.0.1 65443 127.0.0.1 1812 steve - 172.16.3.33 - - - success 0.000779 +1440447848.196115 C4J4Th3PJpwUYZZ6gc 127.0.0.1 57717 127.0.0.1 1812 steve - - - - - success 0.000275 +1440447860.613743 CtPZjS20MLrsMUOJi2 127.0.0.1 64691 127.0.0.1 1812 steve - - - - - success 0.000273 +1440447880.931272 CUM0KZ3MLUfNB0cl11 127.0.0.1 52178 127.0.0.1 1812 steve - - - - - failed 1.001459 +1440447904.122012 CmES5u32sYpV7JYN 127.0.0.1 62956 127.0.0.1 1812 steve - - - - - unknown - +1440448190.335333 CP5puj4I8PtEU4qzYg 127.0.0.1 53127 127.0.0.1 1812 steve - - - - - success 0.000517 +#close 2017-02-20-04-56-31 
diff --git a/testing/btest/Traces/radius/radius_localhost.pcapng b/testing/btest/Traces/radius/radius_localhost.pcapng new file mode 100644 index 0000000000000000000000000000000000000000..0de5c46dcd1d31202b4190668fa90d613ae14108 GIT binary patch literal 2952 zcmc(hdo+}39LJxTVMd11Gzm%5ML6UZQf<3ZF1a*rDVNf?&CoCxrcNd0-li6z>sA(< zky}MJIjlBYO2tUZs!gG*Hm#IB?94vT?7MTk)1Ljq*>n0GU!Lck@jRd3_xV1Ix~8VO zJ^;Y;3sXG;{3*iOb$dagD9u(6Roq*|SkaLS^Vph9jE1ASGr-!3m&$h35q7cD0qB-uG~#@n5& znHt1MpiYqguAB$GuNevz;wmoVv5Mdr3FA7QcO1_}p|=@FNRKBp88&#n!s z7@L2_VL>+;El8xG?*uh+xfW^O6f(3OsG}z&>Xf+naC1JNuK}m34>jd)W9q;LwN?+_|lBhBQ>4_DYtbS3v=h8JejTGtPLs=@0Ojv8^?k|nS#be3 zzc)`juX&Q{MGN@zcN;%<*ZViDpEn5g#GN{{p5FJTdvb=_7YMSR@fP<|{xyF!9+C*< z{4q)R9^~Gl{0V_*|GD%o^?`%}XP+|}TF)$hRe0O9;9yl^@v+X#K0{hTWzcoJw?9*7 z-E+SEv8mukS;O5x;oeW_VE*Kt*>$hTd*>)vmrvH75kB>949vnm`4hu2DwMw)o|1@k zI7Y(qmptZ;=azdPD@`H_LFBXMfDe=~dPan;cX)X~9(^+2lSu*;*(jNMnNXW^+t@H> zKonQkfLQTXRzvs>9vl!FR=??ttI+Gz1-rvp3AD$YwUC4NGGtKOA2l0`d0kQ0ZLWNis znJ^>SaEyepgk=QcSt#@;BEXb}5?R0{%fhd%-gL8lY>c5%mU|)wF5B);JAB7s zv(v5~HP)>quWtQcp0t!Wa+Grt3oqux|FNwdSWZlVJ5Tg@U+BK9?9LA|-AbnYm?9^7 zT&LMr#ZHNCUd#HpuB&VDmYm&mE3h_yY-^SNVA|X*2J;m;@q^x=LOH2_>&>x&VEJW7{i{?ffy{*ZBTg-oG4JYdltYwLa%# z^lFZWqQ8lE(xZ3i6BesCpNFMr<;rMfUvkqv4@<<2>Yd6gyGHRWZ5h}Zpg=>z48GXjf^m-@zNo6LEtQ^PH2ID|i=U(9_ Date: Tue, 21 Feb 2017 15:06:39 -0500 Subject: [PATCH 085/631] Updated Windows version detection to include Windows 10 Thanks to Fatema Bannatwala for finding it and Keith Lehigh and Mike Patterson for verifying. --- scripts/policy/frameworks/software/windows-version-detection.bro | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/policy/frameworks/software/windows-version-detection.bro b/scripts/policy/frameworks/software/windows-version-detection.bro index 7ed1ab359e..50177b2e9b 100644 --- a/scripts/policy/frameworks/software/windows-version-detection.bro +++ b/scripts/policy/frameworks/software/windows-version-detection.bro 
@@ -48,6 +48,7 @@ export { ["Microsoft-CryptoAPI/6.2"] = [$name="Windows", $version=[$major=6, $minor=2, $addl="8 or Server 2012"]], ["Microsoft-CryptoAPI/6.3"] = [$name="Windows", $version=[$major=6, $minor=3, $addl="8.1 or Server 2012 R2"]], ["Microsoft-CryptoAPI/6.4"] = [$name="Windows", $version=[$major=6, $minor=4, $addl="10 Technical Preview"]], + ["Microsoft-CryptoAPI/10.0"] = [$name="Windows", $version=[$major=10, $minor=0]], } &redef; } From b0d812812f7b8539bf2066683f8c4b6d4d827e6e Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 21 Feb 2017 15:45:26 -0500 Subject: [PATCH 086/631] In progress on ascii writer behavior change. --- src/input/readers/ascii/Ascii.cc | 83 ++++++++++++++++++++++++-------- src/input/readers/ascii/Ascii.h | 5 ++ 2 files changed, 69 insertions(+), 19 deletions(-) diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc index 8b609bda04..3d7d6415a5 100644 --- a/src/input/readers/ascii/Ascii.cc +++ b/src/input/readers/ascii/Ascii.cc @@ -61,6 +61,11 @@ void Ascii::DoClose() bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fields) { + continue_on_failure = true; + is_failed = false; + + filename = info.source; + separator.assign( (const char*) BifConst::InputAscii::separator->Bytes(), BifConst::InputAscii::separator->Len()); @@ -98,18 +103,10 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f formatter::Ascii::SeparatorInfo sep_info(separator, set_separator, unset_field, empty_field); formatter = unique_ptr(new formatter::Ascii(this, sep_info)); - file.open(info.source); - if ( ! file.is_open() ) + if ( ! OpenFile() ) { - Error(Fmt("Init: cannot open %s", info.source)); - return false; - } - - if ( ReadHeader(false) == false ) - { - Error(Fmt("Init: cannot open %s; headers are incorrect", info.source)); - file.close(); - return false; + is_failed = true; + return continue_on_failure; } DoUpdate(); 
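Review bot: The new `Microsoft-CryptoAPI/10.0` entry has no `$addl`, unlike the neighbouring rows that name both the client and the server release sharing a version number. Server releases built on the same 10.0 kernel would presumably send the same string, so `$addl="10 or Server 2016"` would keep software.log from implying that every such host is a desktop. Please confirm against a server capture before adding it.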
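Review bot: `continue_on_failure = true;` at the top of `DoInit` (hunk -61,6) is hard-coded, and every failure path added in this patch returns that flag, so `DoInit` and `DoUpdate` now report success when the source cannot be opened or a requested field is missing. For input files that feed detection, such as indicator lists, this turns a hard start-up failure into a reader that runs with no data. I would read the flag from a script-level option that defaults to the previous fail-fast behaviour, and keep the message at `Error` level when the option is off. `DoInit` continues outside this hunk.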
@@ -117,6 +114,26 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f return true; } +bool Ascii::OpenFile() + { + file.open(filename); + if ( ! file.is_open() ) + { + Error(Fmt("Init: cannot open %s", filename.c_str())); + is_failed = true; + return continue_on_failure; + } + + if ( ReadHeader(false) == false ) + { + Error(Fmt("Init: cannot open %s; headers are incorrect", filename.c_str())); + file.close(); + is_failed = true; + return continue_on_failure; + } + + return true; + } bool Ascii::ReadHeader(bool useCached) { @@ -129,7 +146,8 @@ bool Ascii::ReadHeader(bool useCached) if ( ! GetLine(line) ) { Error("could not read first line"); - return false; + is_failed = true; + return continue_on_failure; } headerline = line; @@ -172,7 +190,9 @@ bool Ascii::ReadHeader(bool useCached) Error(Fmt("Did not find requested field %s in input data file %s.", field->name, Info().source)); - return false; + + is_failed = true; + return continue_on_failure; } FieldMapping f(field->name, field->type, field->subtype, ifields[field->name]); @@ -184,7 +204,9 @@ bool Ascii::ReadHeader(bool useCached) { Error(Fmt("Could not find requested port type field %s in input data file.", field->secondary_name)); - return false; + + is_failed = true; + return continue_on_failure; } f.secondary_position = ifields[field->secondary_name]; @@ -224,6 +246,12 @@ bool Ascii::GetLine(string& str) // read the entire file and send appropriate thingies back to InputMgr bool Ascii::DoUpdate() { + if ( is_failed ) + if ( ! OpenFile() ) + { + printf("do updates after failure?!\n"); + } + switch ( Info().mode ) { case MODE_REREAD: { @@ -232,7 +260,8 @@ bool Ascii::DoUpdate() if ( stat(Info().source, &sb) == -1 ) { Error(Fmt("Could not get stat for %s", Info().source)); - return false; + is_failed = true; + return continue_on_failure; } if ( sb.st_mtime <= mtime ) // no change 
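Review bot: `OpenFile` and `ReadHeader` return `continue_on_failure` on their error paths, and because that flag is always true their callers cannot tell failure from success. `if ( ! OpenFile() )` in `DoInit`, `if ( ReadHeader(false) == false )` in `OpenFile` and `if ( !ReadHeader(true) )` in `DoUpdate` therefore never fire for an unopenable file or a missing field, and processing continues with a closed stream or an incomplete `columnMap`. The helpers should `return false;` after setting `is_failed = true;`, leaving only the `Do*` entry points to translate a failure into `return continue_on_failure;`. The same pattern is in the `ReadHeader` hunks at -129,7, -172,7 and -184,7.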
@@ -255,7 +284,10 @@ bool Ascii::DoUpdate() { file.clear(); // remove end of file evil bits if ( !ReadHeader(true) ) - return false; // header reading failed + { + is_failed = true; + return continue_on_failure; // header reading failed + } break; } @@ -267,12 +299,14 @@ bool Ascii::DoUpdate() if ( ! file.is_open() ) { Error(Fmt("cannot open %s", Info().source)); - return false; + is_failed = true; + return continue_on_failure; } if ( ReadHeader(false) == false ) { - return false; + is_failed = true; + return continue_on_failure; } break; @@ -334,7 +368,9 @@ bool Ascii::DoUpdate() delete fields[i]; delete [] fields; - return false; + + is_failed = true; + return continue_on_failure; } Value* val = formatter->ParseValue(stringfields[(*fit).position], (*fit).name, (*fit).type, (*fit).subtype); @@ -390,6 +426,15 @@ bool Ascii::DoUpdate() bool Ascii::DoHeartbeat(double network_time, double current_time) { + printf("heartbeat\n"); + is_failed = false; + + if ( ! file.is_open() ) + OpenFile(); + + //if ( is_failed ) + // return continue_on_failure; + switch ( Info().mode ) { case MODE_MANUAL: diff --git a/src/input/readers/ascii/Ascii.h b/src/input/readers/ascii/Ascii.h index 20a459968d..102736d24e 100644 --- a/src/input/readers/ascii/Ascii.h +++ b/src/input/readers/ascii/Ascii.h @@ -55,7 +55,9 @@ protected: private: bool ReadHeader(bool useCached); bool GetLine(string& str); + bool OpenFile(); + string filename; ifstream file; time_t mtime; @@ -71,6 +73,9 @@ private: string empty_field; string unset_field; + bool continue_on_failure; + bool is_failed; + std::unique_ptr formatter; }; From 2b15ec1069bf150ea29c2ff3b46edfba4acbb109 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Tue, 21 Feb 2017 23:35:29 -0500 Subject: [PATCH 087/631] Another resilient Ascii reader checkpoint. This works correctly now (as a prototype at least). If a file disappears, the thread complains once and once the file reappears the thread will once again begin watching it. --- src/input/readers/ascii/Ascii.cc | 63 ++++++++++---------------------- src/input/readers/ascii/Ascii.h | 1 - 2 files changed, 19 insertions(+), 45 deletions(-) diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc index 3d7d6415a5..2f91ebe27a 100644 --- a/src/input/readers/ascii/Ascii.cc +++ b/src/input/readers/ascii/Ascii.cc @@ -64,8 +64,6 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f continue_on_failure = true; is_failed = false; - filename = info.source; - separator.assign( (const char*) BifConst::InputAscii::separator->Bytes(), BifConst::InputAscii::separator->Len()); @@ -103,11 +101,10 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f formatter::Ascii::SeparatorInfo sep_info(separator, set_separator, unset_field, empty_field); formatter = unique_ptr(new formatter::Ascii(this, sep_info)); - if ( ! OpenFile() ) - { - is_failed = true; + OpenFile(); + + if ( is_failed ) return continue_on_failure; - } DoUpdate(); 
@@ -116,22 +113,25 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f bool Ascii::OpenFile() { - file.open(filename); + file.open(Info().source); if ( ! file.is_open() ) { - Error(Fmt("Init: cannot open %s", filename.c_str())); + if ( ! is_failed ) + Warning(Fmt("Init: cannot open %s", Info().source)); is_failed = true; return continue_on_failure; } if ( ReadHeader(false) == false ) { - Error(Fmt("Init: cannot open %s; headers are incorrect", filename.c_str())); + if ( ! is_failed ) + Warning(Fmt("Init: cannot open %s; headers are incorrect", Info().source)); file.close(); is_failed = true; return continue_on_failure; } + is_failed = false; return true; } @@ -141,14 +141,10 @@ bool Ascii::ReadHeader(bool useCached) string line; map ifields; - if ( ! useCached ) + if ( headerline == "" ) { if ( ! GetLine(line) ) - { - Error("could not read first line"); - is_failed = true; - return continue_on_failure; - } + return false; headerline = line; } @@ -188,7 +184,7 @@ bool Ascii::ReadHeader(bool useCached) continue; } - Error(Fmt("Did not find requested field %s in input data file %s.", + Warning(Fmt("Did not find requested field %s in input data file %s.", field->name, Info().source)); is_failed = true; @@ -202,7 +198,7 @@ bool Ascii::ReadHeader(bool useCached) map::iterator fit2 = ifields.find(field->secondary_name); if ( fit2 == ifields.end() ) { - Error(Fmt("Could not find requested port type field %s in input data file.", + Warning(Fmt("Could not find requested port type field %s in input data file.", field->secondary_name)); is_failed = true; @@ -215,7 +211,6 @@ bool Ascii::ReadHeader(bool useCached) columnMap.push_back(f); } - // well, that seems to have worked... return true; } 
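Review bot: Changing `if ( ! useCached )` to `if ( headerline == "" )` in `Ascii::ReadHeader` leaves the `useCached` parameter unused and means the header line is read only once per reader. When a file disappears and comes back, `OpenFile()` calls `ReadHeader(false)`, but the cached `headerline` is reused and the first line of the new file is left in the stream. If the replacement file has a different column layout, the field positions would presumably still come from the stale header. Keeping the parameter authoritative avoids that: `if ( ! useCached )`. The rest of ReadHeader lies outside the hunk.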
@@ -246,12 +241,6 @@ bool Ascii::GetLine(string& str) // read the entire file and send appropriate thingies back to InputMgr bool Ascii::DoUpdate() { - if ( is_failed ) - if ( ! OpenFile() ) - { - printf("do updates after failure?!\n"); - } - switch ( Info().mode ) { case MODE_REREAD: { @@ -259,7 +248,8 @@ bool Ascii::DoUpdate() struct stat sb; if ( stat(Info().source, &sb) == -1 ) { - Error(Fmt("Could not get stat for %s", Info().source)); + Warning(Fmt("Could not get stat for %s", Info().source)); + file.close(); is_failed = true; return continue_on_failure; } @@ -295,19 +285,7 @@ bool Ascii::DoUpdate() file.close(); } - file.open(Info().source); - if ( ! file.is_open() ) - { - Error(Fmt("cannot open %s", Info().source)); - is_failed = true; - return continue_on_failure; - } - - if ( ReadHeader(false) == false ) - { - is_failed = true; - return continue_on_failure; - } + OpenFile(); break; } @@ -361,7 +339,7 @@ bool Ascii::DoUpdate() if ( (*fit).position > pos || (*fit).secondary_position > pos ) { - Error(Fmt("Not enough fields in line %s. Found %d fields, want positions %d and %d", + Warning(Fmt("Not enough fields in line %s. Found %d fields, want positions %d and %d", line.c_str(), pos, (*fit).position, (*fit).secondary_position)); for ( int i = 0; i < fpos; i++ ) @@ -426,14 +404,11 @@ bool Ascii::DoUpdate() bool Ascii::DoHeartbeat(double network_time, double current_time) { - printf("heartbeat\n"); - is_failed = false; - if ( ! file.is_open() ) OpenFile(); - //if ( is_failed ) - // return continue_on_failure; + if ( is_failed ) + return continue_on_failure; switch ( Info().mode ) { diff --git a/src/input/readers/ascii/Ascii.h b/src/input/readers/ascii/Ascii.h index 102736d24e..c9fd55f3d5 100644 --- a/src/input/readers/ascii/Ascii.h +++ b/src/input/readers/ascii/Ascii.h @@ -57,7 +57,6 @@ private: bool GetLine(string& str); bool OpenFile(); - string filename; ifstream file; time_t mtime; From 7bbaa911b0ba4e102a17fc8e0f882aeb6509c235 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Wed, 22 Feb 2017 00:02:51 -0500 Subject: [PATCH 088/631] I missed one test I needed to update for the kerberos commit that I just pushed. --- .../kerberos.log | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/testing/btest/Baseline/scripts.policy.protocols.krb.ticket-logging/kerberos.log b/testing/btest/Baseline/scripts.policy.protocols.krb.ticket-logging/kerberos.log index aee00fbf43..5645378a7e 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.krb.ticket-logging/kerberos.log +++ b/testing/btest/Baseline/scripts.policy.protocols.krb.ticket-logging/kerberos.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path kerberos -#open 2017-02-18-18-38-58 +#open 2017-02-22-05-02-14 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p request_type client service success error_msg from till cipher forwardable renewable client_cert_subject client_cert_fuid server_cert_subject server_cert_fuid auth_ticket new_ticket #types time string addr port addr port string string string bool string time time string bool bool string string string string string string -1429583645.478441 CHhAvVGS1DHFjwGM9 192.168.1.31 64889 192.168.1.32 88 TGS vladg/VLADG.NET krbtgt/VLADG.NET T - - 0.000000 aes256-cts-hmac-sha1-96 T F - - - - ea0f395c3823e8cc7216d82e2405b428 fa8064009b03606f84e475feca5dcd12 -#close 2017-02-18-18-38-58 +1429583645.478441 CHhAvVGS1DHFjwGM9 192.168.1.31 64889 192.168.1.32 88 TGS vladg/VLADG.NET krbtgt/VLADG.NET T - - 0.000000 aes256-cts-hmac-sha1-96 T F - - - - a09fbd89918320cc12a26d4f0c4e6aa2 396a9d9e8975cc5024a83c6e86101f06 +#close 2017-02-22-05-02-14 From ae6dbf17a23ecaf7ed2c38068d3fd8f3373928bb Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 23 Feb 2017 09:59:48 -0800 Subject: [PATCH 089/631] Input Manager: tiny error message fix. --- src/input/Manager.cc | 2 +- .../scripts.base.frameworks.input.missing-enum/bro..stderr | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/input/Manager.cc b/src/input/Manager.cc index b84d822101..d029e38092 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc @@ -2380,7 +2380,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ bro_int_t index = request_type->AsEnumType()->Lookup(module, var.c_str()); if ( index == -1 ) { - Warning(i, "Value not '%s' for stream '%s' is not a valid enum.", + Warning(i, "Value '%s' for stream '%s' is not a valid enum.", enum_string.c_str(), i->name.c_str()); have_error = true; diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr index 20207bcf94..8cd0c5ab6c 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr @@ -1,2 +1,2 @@ -warning: Value not 'IdoNot::Exist' for stream 'enum' is not a valid enum. +warning: Value 'IdoNot::Exist' for stream 'enum' is not a valid enum. received termination signal From e0a72b6e5c7bd9ad0b839d8a4b9297bb8a0211f7 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 23 Feb 2017 10:18:57 -0800 Subject: [PATCH 090/631] Updating submodule. --- CHANGES | 8 ++++++++ VERSION | 2 +- aux/btest | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 94f310e6b8..b9cef9e78a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,12 @@ +2.5-76 | 2017-02-23 10:19:57 -0800 + + * Kerberos ciphertext had some additional ASN.1 content being lumped + in. (Vlad Grigorescu) + + * Updated Windows version detection to include Windows 10. (Fatema + Bannatwala, Keith Lehigh, Mike, Seth Hall). + 2.5-70 | 2017-02-20 00:20:02 -0500 * Rework the RADIUS base script. diff --git a/VERSION b/VERSION index b130560010..2087ec374d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-70 +2.5-76 
diff --git a/aux/btest b/aux/btest index 9d5c7bcac9..2fb0e089b3 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 9d5c7bcac9b04710931bc8a42b545f0691561b2f +Subproject commit 2fb0e089b37cc62b4616c8d4309ee80fb7fc6a27 From 5b7636619984b5fd4a56e13f13bf973d014d2b59 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 23 Feb 2017 15:00:13 -0800 Subject: [PATCH 091/631] Plugin: add/fix documentation for HookSetupAnalyzerTree --- src/plugin/Plugin.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 54451dcfb6..49fa7cdd84 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -39,7 +39,7 @@ enum HookType { HOOK_DRAIN_EVENTS, //< Activates Plugin::HookDrainEvents() HOOK_UPDATE_NETWORK_TIME, //< Activates Plugin::HookUpdateNetworkTime. HOOK_BRO_OBJ_DTOR, //< Activates Plugin::HookBroObjDtor. - HOOK_SETUP_ANALYZER_TREE, //< Activates Plugin::HookAddToAnalyzerTree + HOOK_SETUP_ANALYZER_TREE, //< Activates Plugin::HookSetupAnalyzerTree // Meta hooks. META_HOOK_PRE, //< Activates Plugin::MetaHookPre(). @@ -642,6 +642,13 @@ protected: */ virtual void HookUpdateNetworkTime(double network_time); + /** + * Hook that executes when a connection's initial analyzer tree + * has been fully set up. The hook can manipulate the tree at this time, + * for example by adding further analyzers. + * + * @param conn The connection. + */ virtual void HookSetupAnalyzerTree(Connection *conn); /** From 5cf7803e685eb147808934a372538c6301035f97 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Thu, 23 Feb 2017 17:18:43 -0800 Subject: [PATCH 092/631] Fix some minor issues. From Daniel, thanks! --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- aux/btest | 2 +- aux/plugins | 2 +- src/broker/Data.cc | 11 +++++------ src/broker/Data.h | 2 +- src/broker/Manager.cc | 11 ++++++----- src/broker/Manager.h | 10 +++++----- src/logging/Manager.h | 18 +++++++++--------- src/logging/WriterBackend.cc | 4 ++-- src/logging/WriterFrontend.h | 4 +--- 14 files changed, 36 insertions(+), 38 deletions(-) diff --git a/aux/binpac b/aux/binpac index a0990e61ad..0f1ecfa972 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit a0990e61ad4a3705bda4cc5a20059af2d1bda4c3 +Subproject commit 0f1ecfa97236635fb93e013404e6b30d6c506ddd diff --git a/aux/bro-aux b/aux/bro-aux index 7660b5f4c5..b1e75f6a21 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 7660b5f4c5be40aa5f3a7c8746fdcf68331f9b93 +Subproject commit b1e75f6a212250b1730a438f27fc778618b67ec3 diff --git a/aux/broccoli b/aux/broccoli index 765eab50f7..ed52e3414b 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 765eab50f7796fdb3c308fe9232cd7891f098c67 +Subproject commit ed52e3414b31b05ec9abed627b4153c8e2243441 diff --git a/aux/broctl b/aux/broctl index f6d451520e..73dbc79ac2 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit f6d451520eaaaae97aab6df2bb4e0aecb6b63e66 +Subproject commit 73dbc79ac24cdfef07d8574a4da5d43056ba5fa5 diff --git a/aux/broker b/aux/broker index 68a36ed814..23def70c44 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 68a36ed81480ba935268bcaf7b6f2249d23436da +Subproject commit 23def70c44128d19138029615dd154359286e111 diff --git a/aux/btest b/aux/btest index 32e582514a..2fb0e089b3 160000 --- a/aux/btest +++ b/aux/btest 
@@ -1 +1 @@ -Subproject commit 32e582514ae044befa8e0511083bf11a51408a1d +Subproject commit 2fb0e089b37cc62b4616c8d4309ee80fb7fc6a27 diff --git a/aux/plugins b/aux/plugins index 0a2f021527..2322840bcd 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit 0a2f0215270e6ceaf9c1312f705b95d2cce1b530 +Subproject commit 2322840bcdbd618ae7bd24e22d874fb30ab89bbb diff --git a/src/broker/Data.cc b/src/broker/Data.cc index 35d815b9e8..5da6f5d4e0 100644 --- a/src/broker/Data.cc +++ b/src/broker/Data.cc @@ -776,7 +776,6 @@ static broker::util::optional threading_val_to_data_internal(TypeT auto s = broker::address(reinterpret_cast(&tmp), broker::address::family::ipv6, broker::address::byte_order::network); - fprintf(stderr, "%d\n", val.subnet_val.length); return {broker::subnet(s, length)}; } @@ -863,7 +862,7 @@ struct threading_val_converter { using result_type = bool; TypeTag type; - threading::Value::_val& val; + threading::Value::_val& val; result_type operator()(bool a) { @@ -1053,9 +1052,9 @@ struct threading_val_converter { if ( type == TYPE_VECTOR ) { val.vector_val.size = a.size(); - val.vector_val.vals = new threading::Value* [val.set_val.size]; + val.vector_val.vals = new threading::Value* [val.vector_val.size]; - auto p = val.set_val.vals; + auto p = val.vector_val.vals; for ( auto& i : a ) *p++ = bro_broker::data_to_threading_val(move(i)); @@ -1079,8 +1078,8 @@ threading::Value* bro_broker::data_to_threading_val(broker::data d) if ( ! r ) return nullptr; - auto type = broker::get(*r->get(0));; - auto present = broker::get(*r->get(1));; + auto type = broker::get(*r->get(0)); + auto present = broker::get(*r->get(1)); auto data = *r->get(2); if ( ! (type && present) ) diff --git a/src/broker/Data.h b/src/broker/Data.h index 9e0c8120de..526304b00c 100644 --- a/src/broker/Data.h +++ b/src/broker/Data.h 
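Review bot: The `TYPE_VECTOR` branch corrected in `threading_val_converter` still stores the result of `bro_broker::data_to_threading_val(move(i))` without checking it, and the next hunk shows that function returning `nullptr` when the record does not have the expected shape. One malformed element in the incoming Broker data, presumably supplied by a remote peer, therefore leaves a null `threading::Value*` inside `val.vector_val.vals`; whether later consumers tolerate that is not visible in this diff. The converter's `result_type` is `bool`, so the loop can reject the input instead: `auto v = bro_broker::data_to_threading_val(move(i)); if ( ! v ) return false; *p++ = v;`, together with releasing the elements converted so far. A set branch written the same way may need the same check.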
@@ -70,7 +70,7 @@ broker::util::optional threading_val_to_data(const threading::Valu /** * Convert a Bro threading::Field to a Broker data value. - * @param v a Bro threading::Field. + * @param f a Bro threading::Field. * @return a Broker data value if the Bro threading::Field could be converted to one. */ broker::data threading_field_to_data(const threading::Field* f); diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 76040b129c..eebcd2792f 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -214,9 +214,10 @@ bool bro_broker::Manager::Event(std::string topic, broker::message msg, int flag return true; } -bool bro_broker::Manager::CreateLog(EnumVal* stream, EnumVal* writer, const logging::WriterBackend::WriterInfo& info, - int num_fields, const threading::Field* const * fields, int flags, - const string& peer) +bool bro_broker::Manager::CreateLog(EnumVal* stream, EnumVal* writer, + const logging::WriterBackend::WriterInfo& info, + int num_fields, const threading::Field* const * fields, + int flags, const string& peer) { if ( ! Enabled() ) return false; @@ -1003,7 +1004,7 @@ bool bro_broker::Manager::ProcessCreateLog(broker::message msg) if ( ! broker::get(msg[idx]) ) { - reporter->Warning("got remote log create w/o stream id: %d", + reporter->Warning("got remote log create w/o stream id: %d", static_cast(broker::which(msg[idx]))); return false; } @@ -1023,7 +1024,7 @@ bool bro_broker::Manager::ProcessCreateLog(broker::message msg) if ( ! broker::get(msg[idx]) ) { - reporter->Warning("got remote log w/o writer id: %d", + reporter->Warning("got remote log create w/o writer id: %d", static_cast(broker::which(msg[idx]))); return false; } diff --git a/src/broker/Manager.h b/src/broker/Manager.h index 10d5019b74..d5701c56b1 100644 --- a/src/broker/Manager.h +++ b/src/broker/Manager.h 
@@ -169,20 +169,20 @@ public: const threading::Value* const * vals, int flags); /** - * Send a message to create a log stream to any interested peers. - * The log stream may or may not already exist on the receiving side. - * The topic name used is implicitly "bro/log/". + * Send a message to create a log stream to any interested peers. + * The log stream may or may not already exist on the receiving side. + * The topic name used is implicitly "bro/log/". * @param stream the stream to which the log entry belongs. * @param writer the writer to use for outputting this log entry. * @param info backend initialization information for the writer. * @param num_fields the number of fields the log has. - * @param fields the log's fields of size num_fields. + * @param fields the log's fields, of size num_fields. * @param flags tune the behavior of how the message is send. * See the Broker::SendFlags record type. * @param peer If given, send the message only to this peer. * @return true if the message is sent successfully. */ - bool CreateLog(EnumVal* id, EnumVal* writer, const logging::WriterBackend::WriterInfo& info, + bool CreateLog(EnumVal* stream, EnumVal* writer, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const * fields, int flags, const string& peer = ""); /** diff --git a/src/logging/Manager.h b/src/logging/Manager.h index 3334942a3a..56626f39d3 100644 --- a/src/logging/Manager.h +++ b/src/logging/Manager.h 
@@ -133,9 +133,9 @@ public: * Create a new log writer frontend. This is exposed so that the * communication system can recreate remote log streams locally. * - * @param stream The enum value corresponding the log stream. + * @param id The enum value corresponding to the log stream. * - * @param writer The enum value corresponding the desired log writer. + * @param writer The enum value corresponding to the desired log writer. * * @param info A fully initialized object defining the * characteristics of the backend writer instance. The method takes @@ -143,8 +143,8 @@ public: * * @param num_fields The number of log fields to write. * - * @param vals An arry of log fields to write, of size num_fields. - * The method takes ownership of the arry. + * @param vals An array of log fields to write, of size num_fields. + * The method takes ownership of the array. * * @return Returns true if the writer was successfully created. */ @@ -154,18 +154,18 @@ public: /** * Writes out log entries that have already passed through all * filters (and have raised any events). This is meant called for logs - * received alrready processed from remote. + * received already processed from remote. * - * @param stream The enum value corresponding the log stream. + * @param stream The enum value corresponding to the log stream. * - * @param writer The enum value corresponding the desired log writer. + * @param writer The enum value corresponding to the desired log writer. * * @param path The path of the target log stream to write to. * * @param num_fields The number of log values to write. * - * @param vals An arry of log values to write, of size num_fields. - * The method takes ownership of the arry. + * @param vals An array of log values to write, of size num_fields. + * The method takes ownership of the array. */ bool WriteFromRemote(EnumVal* stream, EnumVal* writer, string path, int num_fields, threading::Value** vals); 
diff --git a/src/logging/WriterBackend.cc b/src/logging/WriterBackend.cc index e2afd360e7..ebf5165169 100644 --- a/src/logging/WriterBackend.cc +++ b/src/logging/WriterBackend.cc @@ -130,11 +130,11 @@ broker::data WriterBackend::WriterInfo::ToBroker() const auto t = broker::table(); for ( config_map::const_iterator i = config.begin(); i != config.end(); ++i ) - { + { auto key = std::string(i->first); auto value = std::string(i->second); t.insert(std::make_pair(key, value)); - } + } auto bconfig = broker::record::field(move(t)); diff --git a/src/logging/WriterFrontend.h b/src/logging/WriterFrontend.h index c39d2bdf3c..ae37613261 100644 --- a/src/logging/WriterFrontend.h +++ b/src/logging/WriterFrontend.h @@ -34,8 +34,6 @@ public: * * info: The meta information struct for the writer. * - * writer_name: A descriptive name for the writer's type. - * * local: If true, the writer will instantiate a local backend. * * remote: If true, the writer will forward logs to remote @@ -46,7 +44,7 @@ public: * * Frontends must only be instantiated by the main thread. */ - WriterFrontend(const WriterBackend::WriterInfo& info, EnumVal* stream, EnumVal* writer, bool local, bool remote, int arg_remote_flags); + WriterFrontend(const WriterBackend::WriterInfo& info, EnumVal* stream, EnumVal* writer, bool local, bool remote, int remote_flags); /** * Destructor. From 75744d22bc1d556c3c9a42cb458af8ce181f1536 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Thu, 23 Feb 2017 23:13:12 -0500 Subject: [PATCH 093/631] Input's ascii reader is now more resilient. By default, the ASCII reader does not fail on errors anymore. If there is a problem parsing a line, a reporter warning is written and parsing continues. If the file is missing or can't be read, the input thread just tries again on the next heartbeat. Options have been added to recreate the previous behavior... const InputAscii::fail_on_invalid_lines: bool; and const InputAscii::fail_on_file_problem: bool; They are both set to `F` by default which makes the input readers resilient to failure. --- .../base/frameworks/input/readers/ascii.bro | 13 +++ src/input/readers/ascii/Ascii.cc | 80 ++++++++++++------- src/input/readers/ascii/Ascii.h | 7 +- src/input/readers/ascii/ascii.bif | 2 + .../bro..stderr | 4 + .../bro..stdout | 2 + .../bro..stderr | 4 +- .../input/missing-file-initially.bro | 47 +++++++++++ 8 files changed, 127 insertions(+), 32 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout create mode 100644 testing/btest/scripts/base/frameworks/input/missing-file-initially.bro diff --git a/scripts/base/frameworks/input/readers/ascii.bro b/scripts/base/frameworks/input/readers/ascii.bro index 1b486ddba0..521e8d4ca3 100644 --- a/scripts/base/frameworks/input/readers/ascii.bro +++ b/scripts/base/frameworks/input/readers/ascii.bro 
@@ -18,4 +18,17 @@ export { ## String to use for an unset &optional field. const unset_field = Input::unset_field &redef; + + ## Choose if the ascii input reader should globally + ## fail on invalid lines and continue parsing afterward. + ## Individual readers can use a different value. + const fail_on_invalid_lines = F &redef; + + ## Set to true if you would like the old behavior of the + ## ascii reader where the reader thread would die if any file + ## errors occur (like permissions problems or file missing). + ## The default behavior is to continue attempting to open and read + ## the file even in light of problems. + ## Individual readers can use a different value. + const fail_on_file_problem = F &redef; } diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc index 2f91ebe27a..5621a87eb4 100644 --- a/src/input/readers/ascii/Ascii.cc +++ b/src/input/readers/ascii/Ascii.cc @@ -61,7 +61,6 @@ void Ascii::DoClose() bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fields) { - continue_on_failure = true; is_failed = false; separator.assign( (const char*) BifConst::InputAscii::separator->Bytes(), @@ -76,6 +75,9 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f unset_field.assign( (const char*) BifConst::InputAscii::unset_field->Bytes(), BifConst::InputAscii::unset_field->Len()); + fail_on_invalid_lines = BifConst::InputAscii::fail_on_invalid_lines; + fail_on_file_problem = BifConst::InputAscii::fail_on_file_problem; + // Set per-filter configuration options. for ( ReaderInfo::config_map::const_iterator i = info.config.begin(); i != info.config.end(); i++ ) { 
@@ -90,6 +92,12 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f else if ( strcmp(i->first, "unset_field") == 0 ) unset_field.assign(i->second); + + else if ( strcmp(i->first, "fail_on_invalid_lines") == 0 ) + fail_on_invalid_lines = (strncmp(i->second, "T", 1) == 0); + + else if ( strcmp(i->first, "fail_on_file_problem") == 0 ) + fail_on_file_problem = (strncmp(i->second, "T", 1) == 0); } if ( separator.size() != 1 ) @@ -101,34 +109,40 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f formatter::Ascii::SeparatorInfo sep_info(separator, set_separator, unset_field, empty_field); formatter = unique_ptr(new formatter::Ascii(this, sep_info)); - OpenFile(); - - if ( is_failed ) - return continue_on_failure; - DoUpdate(); return true; } +void Ascii::FailWarn(bool is_error, const char *msg) + { + if ( is_error ) + Error(msg); + else + Warning(msg); + } + bool Ascii::OpenFile() { + if ( file.is_open() && ! is_failed ) + return true; + file.open(Info().source); if ( ! file.is_open() ) { if ( ! is_failed ) - Warning(Fmt("Init: cannot open %s", Info().source)); + FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s", Info().source)); is_failed = true; - return continue_on_failure; + return !fail_on_file_problem; } if ( ReadHeader(false) == false ) { if ( ! is_failed ) - Warning(Fmt("Init: cannot open %s; headers are incorrect", Info().source)); + FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s; headers are incorrect", Info().source)); file.close(); is_failed = true; - return continue_on_failure; + return !fail_on_file_problem; } is_failed = false; @@ -141,7 +155,7 @@ bool Ascii::ReadHeader(bool useCached) string line; map ifields; - if ( headerline == "" ) + if ( ! useCached ) { if ( ! GetLine(line) ) return false; 
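Review bot: In the new `Ascii::OpenFile`, the early return `if ( file.is_open() && ! is_failed ) return true;` lets execution reach `file.open(Info().source)` while the stream is still open whenever `is_failed` is set, and `open()` on an already open `ifstream` fails and sets failbit. That state is reachable: the `ReadHeader(true)` failure path in `DoUpdate` (a later hunk of this patch) sets `is_failed = true` without closing the file. Closing first makes the retry start from a clean stream: `if ( file.is_open() ) file.close();` just before the `file.open(...)` call.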
@@ -184,11 +198,12 @@ bool Ascii::ReadHeader(bool useCached) continue; } - Warning(Fmt("Did not find requested field %s in input data file %s.", - field->name, Info().source)); + if ( ! is_failed ) + FailWarn(fail_on_file_problem, Fmt("Did not find requested field %s in input data file %s.", + field->name, Info().source)); is_failed = true; - return continue_on_failure; + return !fail_on_file_problem; } FieldMapping f(field->name, field->type, field->subtype, ifields[field->name]); @@ -198,11 +213,12 @@ bool Ascii::ReadHeader(bool useCached) map::iterator fit2 = ifields.find(field->secondary_name); if ( fit2 == ifields.end() ) { - Warning(Fmt("Could not find requested port type field %s in input data file.", - field->secondary_name)); + if ( ! is_failed ) + FailWarn(fail_on_file_problem, Fmt("Could not find requested port type field %s in input data file.", + field->secondary_name)); is_failed = true; - return continue_on_failure; + return !fail_on_file_problem; } f.secondary_position = ifields[field->secondary_name]; @@ -241,6 +257,9 @@ bool Ascii::GetLine(string& str) // read the entire file and send appropriate thingies back to InputMgr bool Ascii::DoUpdate() { + if ( ! OpenFile() ) + return !fail_on_file_problem; + switch ( Info().mode ) { case MODE_REREAD: { @@ -248,10 +267,11 @@ bool Ascii::DoUpdate() struct stat sb; if ( stat(Info().source, &sb) == -1 ) { - Warning(Fmt("Could not get stat for %s", Info().source)); + if ( ! is_failed ) + FailWarn(fail_on_file_problem, Fmt("Could not get stat for %s", Info().source)); file.close(); is_failed = true; - return continue_on_failure; + return !fail_on_file_problem; } if ( sb.st_mtime <= mtime ) // no change @@ -276,7 +296,7 @@ bool Ascii::DoUpdate() if ( !ReadHeader(true) ) { is_failed = true; - return continue_on_failure; // header reading failed + return !fail_on_file_problem; // header reading failed } break; 
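Review bot: Both missing-field branches of `Ascii::ReadHeader` (this hunk and the secondary-name hunk after it) now end in `return !fail_on_file_problem;`, which is `true` under the default setting, while `OpenFile()` decides success with `if ( ReadHeader(false) == false )` and then runs `is_failed = false;`. With `fail_on_file_problem = F`, a header that lacks a requested field is therefore treated as a successful open and the flag set here is cleared again, although the `FieldMapping` for that field is only built after this return. ReadHeader should report the problem and leave the policy to its callers, which already apply `!fail_on_file_problem` themselves: `return false;` in both branches. The start of ReadHeader lies outside these hunks.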
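Review bot: The guard added at the top of `Ascii::DoUpdate`, `if ( ! OpenFile() ) return !fail_on_file_problem;`, cannot stop a tolerated failure, because `OpenFile()` itself returns `!fail_on_file_problem` when the open fails and so returns `true` under the default setting. DoUpdate then continues into `switch ( Info().mode )` with `is_failed` set and no usable stream; a missing file in REREAD mode is caught by the `stat` check, but the other modes are not visibly guarded. Testing the flag as well keeps both policies intact: `if ( ! OpenFile() || is_failed ) return !fail_on_file_problem;`. The same guard in `DoHeartbeat` (last Ascii.cc hunk of this patch) has the same gap.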
@@ -339,7 +359,7 @@ bool Ascii::DoUpdate() if ( (*fit).position > pos || (*fit).secondary_position > pos ) { - Warning(Fmt("Not enough fields in line %s. Found %d fields, want positions %d and %d", + FailWarn(fail_on_invalid_lines, Fmt("Not enough fields in line %s. Found %d fields, want positions %d and %d", line.c_str(), pos, (*fit).position, (*fit).secondary_position)); for ( int i = 0; i < fpos; i++ ) @@ -347,8 +367,15 @@ bool Ascii::DoUpdate() delete [] fields; - is_failed = true; - return continue_on_failure; + if ( fail_on_invalid_lines ) + { + return false; + } + else + { + error = true; + break; + } } Value* val = formatter->ParseValue(stringfields[(*fit).position], (*fit).name, (*fit).type, (*fit).subtype); @@ -404,11 +431,8 @@ bool Ascii::DoUpdate() bool Ascii::DoHeartbeat(double network_time, double current_time) { - if ( ! file.is_open() ) - OpenFile(); - - if ( is_failed ) - return continue_on_failure; + if ( ! OpenFile() ) + return !fail_on_file_problem; switch ( Info().mode ) { diff --git a/src/input/readers/ascii/Ascii.h b/src/input/readers/ascii/Ascii.h index c9fd55f3d5..9300382ca2 100644 --- a/src/input/readers/ascii/Ascii.h +++ b/src/input/readers/ascii/Ascii.h @@ -56,6 +56,8 @@ private: bool ReadHeader(bool useCached); bool GetLine(string& str); bool OpenFile(); + void FailWarn(bool is_error, const char *msg); + ifstream file; time_t mtime; @@ -71,8 +73,11 @@ private: string set_separator; string empty_field; string unset_field; + bool fail_on_invalid_lines; + bool fail_on_file_problem; - bool continue_on_failure; + // this is an internal indicator in case the read is currently in a failed state + // it's used by the options for continuing instead of failing and killing the reader. bool is_failed; std::unique_ptr formatter; diff --git a/src/input/readers/ascii/ascii.bif b/src/input/readers/ascii/ascii.bif index 8bb3a96492..80ff4611e7 100644 --- a/src/input/readers/ascii/ascii.bif +++ b/src/input/readers/ascii/ascii.bif 
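Review bot: In the tolerant branch added to the not-enough-fields check in `Ascii::DoUpdate`, `error = true; break;` runs after the unchanged lines just above have already deleted every `fields[i]` and `fields` itself. If the code after the field loop (outside this hunk) frees `fields` again when `error` is set, the default configuration double-frees on every short line of the input file. Freeing only on the fatal path avoids that: move the `delete fields[i]` loop and `delete [] fields;` inside `if ( fail_on_invalid_lines )` ahead of `return false;`, and leave the `else` branch as `error = true; break;`. If the post-loop code does not free, a comment here stating who owns `fields` after the `break` would settle the question.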
@@ -5,3 +5,5 @@ const separator: string; const set_separator: string; const empty_field: string; const unset_field: string; +const fail_on_invalid_lines: bool; +const fail_on_file_problem: bool; diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr new file mode 100644 index 0000000000..6c4d0f0194 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr @@ -0,0 +1,4 @@ +warning: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat +error: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat +error: ../does-not-exist.dat/Input::READER_ASCII: terminating thread +received termination signal diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout new file mode 100644 index 0000000000..d96c6d457d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout @@ -0,0 +1,2 @@ +now it does +and more! diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr index 5093925d2d..f5d074fe7e 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr @@ -1,4 +1,2 @@ -error: does-not-exist.dat/Input::READER_ASCII: Init: cannot open does-not-exist.dat -error: does-not-exist.dat/Input::READER_ASCII: Init failed -error: does-not-exist.dat/Input::READER_ASCII: terminating thread +warning: does-not-exist.dat/Input::READER_ASCII: Init: cannot open does-not-exist.dat received termination signal 
diff --git a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro new file mode 100644 index 0000000000..a7128a4455 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro @@ -0,0 +1,47 @@ +# This tests files that don't exist initially and then do later during +# runtime to make sure the ascii reader is resilient to files missing. +# It does a second test at the same time which configures the old +# failing behavior. + +# @TEST-EXEC: btest-bg-run bro bro %INPUT +# @TEST-EXEC: btest-bg-wait -k 5 +# @TEST-EXEC: btest-diff bro/.stdout +# @TEST-EXEC: btest-diff bro/.stderr + +@TEST-START-FILE does-exist.dat +#separator \x09 +#fields line +#types string +now it does +and more! +@TEST-END-FILE + +redef exit_only_after_terminate = T; + +@load base/frameworks/input + +module A; + +type Val: record { + line: string; +}; + +event line(description: Input::EventDescription, tpe: Input::Event, v: Val) + { + print v$line; + } + +event line2(description: Input::EventDescription, tpe: Input::Event, v: Val) + { + print "DONT PRINT THIS LINE"; + } + + +event bro_init() + { + Input::add_event([$source="../does-not-exist.dat", $name="input", $reader=Input::READER_ASCII, $mode=Input::REREAD, $fields=Val, $ev=line, $want_record=T]); + Input::add_event([$source="../does-not-exist.dat", $name="input2", $reader=Input::READER_ASCII, $mode=Input::REREAD, $fields=Val, $ev=line2, $want_record=T, + $config=table(["fail_on_file_problem"] = "T")]); + + system("sleep 2; mv ../does-exist.dat ../does-not-exist.dat;"); + } From 50781590804ee0ba2e3d54b186478f4613fa61a0 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 23 Feb 2017 23:13:48 -0500 Subject: [PATCH 094/631] Tiny fix to correct a warning message. --- src/input/Manager.cc | 2 +- .../scripts.base.frameworks.input.missing-enum/bro..stderr | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/input/Manager.cc b/src/input/Manager.cc index b84d822101..d029e38092 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc @@ -2380,7 +2380,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ bro_int_t index = request_type->AsEnumType()->Lookup(module, var.c_str()); if ( index == -1 ) { - Warning(i, "Value not '%s' for stream '%s' is not a valid enum.", + Warning(i, "Value '%s' for stream '%s' is not a valid enum.", enum_string.c_str(), i->name.c_str()); have_error = true; diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr index 20207bcf94..8cd0c5ab6c 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr @@ -1,2 +1,2 @@ -warning: Value not 'IdoNot::Exist' for stream 'enum' is not a valid enum. +warning: Value 'IdoNot::Exist' for stream 'enum' is not a valid enum. received termination signal From 22c89a83f5cf95ed77dcde11898a7bc55df54499 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 24 Feb 2017 09:02:16 -0800 Subject: [PATCH 095/631] Update submodule [nomail] --- aux/bro-aux | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/bro-aux b/aux/bro-aux index b1e75f6a21..9f33570d53 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit b1e75f6a212250b1730a438f27fc778618b67ec3 +Subproject commit 9f33570d53e1b970d7905e305940fd55637c5c76 From 0f695a7316fe2586fb1010675f45d549ffd00568 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Sat, 25 Feb 2017 21:53:02 -0600 Subject: [PATCH 096/631] Fix a test that sometimes fails on FreeBSD --- testing/btest/istate/pybroccoli.py | 1 + 1 file changed, 1 insertion(+) diff --git a/testing/btest/istate/pybroccoli.py b/testing/btest/istate/pybroccoli.py index 7600c2b7d4..0d7106d592 100644 
--- a/testing/btest/istate/pybroccoli.py +++ b/testing/btest/istate/pybroccoli.py @@ -4,6 +4,7 @@ # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/bindings/broccoli-python/_broccoli_intern.so # # @TEST-EXEC: btest-bg-run bro bro %INPUT $DIST/aux/broccoli/bindings/broccoli-python/tests/test.bro +# @TEST-EXEC: sleep 2 # @TEST-EXEC: btest-bg-run python PYTHONPATH=$DIST/aux/broccoli/bindings/broccoli-python/:$BUILD/aux/broccoli/bindings/broccoli-python python $DIST/aux/broccoli/bindings/broccoli-python/tests/test.py # @TEST-EXEC: btest-bg-wait -k 20 # @TEST-EXEC: btest-diff bro/.stdout From 58a2d06c93189cea3f91efe2566fbe1703b9dc72 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 27 Feb 2017 08:22:16 -0800 Subject: [PATCH 097/631] Another fix for the new Broker-based remote logging. --- src/broker/Data.cc | 7 ++-- .../Baseline/broker.remote_log/recv.test.log | 4 +-- .../Baseline/broker.remote_log/send.test.log | 4 +-- testing/btest/broker/remote_log.test | 33 ++++++++++--------- testing/btest/broker/remote_log_types.test | 3 +- 5 files changed, 28 insertions(+), 23 deletions(-) diff --git a/src/broker/Data.cc b/src/broker/Data.cc index 5da6f5d4e0..6420144193 100644 --- a/src/broker/Data.cc +++ b/src/broker/Data.cc @@ -1080,16 +1080,19 @@ threading::Value* bro_broker::data_to_threading_val(broker::data d) auto type = broker::get(*r->get(0)); auto present = broker::get(*r->get(1)); - auto data = *r->get(2); + auto data = r->get(2); if ( ! (type && present) ) return nullptr; + if ( *present && ! data ) + return nullptr; + auto tv = new threading::Value; tv->type = static_cast(*type); tv->present = *present; - if ( present && ! broker::visit(threading_val_converter{tv->type, tv->val}, data) ) + if ( *present && ! broker::visit(threading_val_converter{tv->type, tv->val}, *data) ) { delete tv; return nullptr; diff --git a/testing/btest/Baseline/broker.remote_log/recv.test.log b/testing/btest/Baseline/broker.remote_log/recv.test.log index 0d6dae756c..b79e1b53b9 100644 
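Review bot: In `bro_broker::data_to_threading_val` (src/broker/Data.cc), the first two lines of the hunk still dereference `r->get(0)` and `r->get(1)` unconditionally, which is the pattern this change removes for `r->get(2)`. The record appears to originate from a remote Broker peer, so a missing leading field should be rejected rather than dereferenced; whether `r` is validated earlier is outside the hunk. Fetching the fields first and testing them, `auto f0 = r->get(0); auto f1 = r->get(1); if ( ! (f0 && f1) ) return nullptr;`, before the `broker::get` calls would cover it. It is also worth confirming that the converter rejects a `*type` value outside the known type tags, since the `static_cast` itself does no range check.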
--- a/testing/btest/Baseline/broker.remote_log/recv.test.log +++ b/testing/btest/Baseline/broker.remote_log/recv.test.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path test -#open 2015-01-26-22-47-11 +#open 2017-02-27-16-21-20 #fields msg num #types string count ping 0 @@ -12,4 +12,4 @@ ping 2 ping 3 ping 4 ping 5 -#close 2015-01-26-22-47-11 +#close 2017-02-27-16-21-20 diff --git a/testing/btest/Baseline/broker.remote_log/send.test.log b/testing/btest/Baseline/broker.remote_log/send.test.log index 0d6dae756c..93862c656b 100644 --- a/testing/btest/Baseline/broker.remote_log/send.test.log +++ b/testing/btest/Baseline/broker.remote_log/send.test.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path test -#open 2015-01-26-22-47-11 +#open 2017-02-27-16-21-19 #fields msg num #types string count ping 0 @@ -12,4 +12,4 @@ ping 2 ping 3 ping 4 ping 5 -#close 2015-01-26-22-47-11 +#close 2017-02-27-16-21-20 diff --git a/testing/btest/broker/remote_log.test b/testing/btest/broker/remote_log.test index 598f3f6e46..df8f8d8d8a 100644 --- a/testing/btest/broker/remote_log.test +++ b/testing/btest/broker/remote_log.test @@ -45,14 +45,14 @@ redef exit_only_after_terminate = T; event bro_init() { Broker::subscribe_to_logs("bro/log/"); - Broker::subscribe_to_events("bro/event/"); + Broker::subscribe_to_events("bro/event/"); Broker::listen(broker_port, "127.0.0.1"); } event quit_receiver() - { - terminate(); - } + { + terminate(); + } @TEST-END-FILE 
@@ -63,21 +63,22 @@ const broker_port: port &redef; redef exit_only_after_terminate = T; event bro_init() - { - Broker::enable_remote_logs(Test::LOG); - Broker::connect("127.0.0.1", broker_port, 1secs); - } + { + Broker::enable_remote_logs(Test::LOG); + Broker::publish_topic("bro/event/"); + Broker::connect("127.0.0.1", broker_port, 1secs); + } global n = 0; event do_write() { if ( n == 6 ) - { - local args = Broker::event_args(quit_receiver); - Broker::send_event("bro/event/", args); - schedule 1sec { quit_sender() }; - } + { + local args = Broker::event_args(quit_receiver); + Broker::send_event("bro/event/", args); + schedule 1sec { quit_sender() }; + } else { Log::write(Test::LOG, [$msg = "ping", $num = n]); @@ -87,9 +88,9 @@ event do_write() } event quit_sender() - { - terminate(); - } + { + terminate(); + } event Broker::outgoing_connection_established(peer_address: string, peer_port: port, diff --git a/testing/btest/broker/remote_log_types.test b/testing/btest/broker/remote_log_types.test index 9089e087cb..48011a8c07 100644 --- a/testing/btest/broker/remote_log_types.test +++ b/testing/btest/broker/remote_log_types.test @@ -60,7 +60,7 @@ redef exit_only_after_terminate = T; event bro_init() { Broker::subscribe_to_logs("bro/log/"); - Broker::subscribe_to_events("bro/event/"); + Broker::subscribe_to_events("bro/event/"); Broker::listen(broker_port, "127.0.0.1"); } @@ -80,6 +80,7 @@ redef exit_only_after_terminate = T; event bro_init() { Broker::enable_remote_logs(Test::LOG); + Broker::publish_topic("bro/event/"); Broker::connect("127.0.0.1", broker_port, 1secs); } From 01a39436353d6df202b152e307b6453c990c7fd2 Mon Sep 17 00:00:00 2001 
From: Seth Hall Date: Tue, 28 Feb 2017 12:40:01 -0500 Subject: [PATCH 098/631] Do some updates to remove build time warnings. The linker was complaining about linking files that didn't have any symbols. These were actually empty files so I just got rid of them and removed references to them. --- src/analyzer/protocol/ayiya/AYIYA.cc | 1 - src/analyzer/protocol/ayiya/CMakeLists.txt | 1 - src/analyzer/protocol/ayiya/ayiya.pac | 4 ---- src/analyzer/protocol/ayiya/events.bif | 0 src/analyzer/protocol/gssapi/CMakeLists.txt | 2 +- src/analyzer/protocol/gssapi/gssapi.pac | 1 - src/analyzer/protocol/gssapi/types.bif | 1 - src/analyzer/protocol/pia/CMakeLists.txt | 1 - src/analyzer/protocol/pia/PIA.cc | 2 -- src/analyzer/protocol/pia/events.bif | 0 src/analyzer/protocol/zip/CMakeLists.txt | 1 - src/analyzer/protocol/zip/ZIP.cc | 2 -- src/analyzer/protocol/zip/events.bif | 0 .../canonified_loaded_scripts.log | 8 ++------ .../canonified_loaded_scripts.log | 8 ++------ testing/btest/Baseline/plugins.hooks/output | 20 ++++++------------- 16 files changed, 11 insertions(+), 41 deletions(-) delete mode 100644 src/analyzer/protocol/ayiya/events.bif delete mode 100644 src/analyzer/protocol/gssapi/types.bif delete mode 100644 src/analyzer/protocol/pia/events.bif delete mode 100644 src/analyzer/protocol/zip/events.bif diff --git a/src/analyzer/protocol/ayiya/AYIYA.cc b/src/analyzer/protocol/ayiya/AYIYA.cc index a1e00e9b38..9c4ac237ab 100644 --- a/src/analyzer/protocol/ayiya/AYIYA.cc +++ b/src/analyzer/protocol/ayiya/AYIYA.cc @@ -1,7 +1,6 @@ #include "AYIYA.h" #include "Func.h" -#include "events.bif.h" using namespace analyzer::ayiya; diff --git a/src/analyzer/protocol/ayiya/CMakeLists.txt b/src/analyzer/protocol/ayiya/CMakeLists.txt index ae23c25e2d..50113b72d7 100644 --- a/src/analyzer/protocol/ayiya/CMakeLists.txt +++ b/src/analyzer/protocol/ayiya/CMakeLists.txt 
@@ -5,6 +5,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro AYIYA) bro_plugin_cc(AYIYA.cc Plugin.cc) -bro_plugin_bif(events.bif) bro_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac) bro_plugin_end() diff --git a/src/analyzer/protocol/ayiya/ayiya.pac b/src/analyzer/protocol/ayiya/ayiya.pac index b1f3a6ef77..ff0af4d47c 100644 --- a/src/analyzer/protocol/ayiya/ayiya.pac +++ b/src/analyzer/protocol/ayiya/ayiya.pac @@ -2,10 +2,6 @@ %include binpac.pac %include bro.pac -%extern{ -#include "events.bif.h" -%} - analyzer AYIYA withcontext { connection: AYIYA_Conn; flow: AYIYA_Flow; diff --git a/src/analyzer/protocol/ayiya/events.bif b/src/analyzer/protocol/ayiya/events.bif deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/src/analyzer/protocol/gssapi/CMakeLists.txt b/src/analyzer/protocol/gssapi/CMakeLists.txt index 222c3cdf4e..d826d36bf7 100644 --- a/src/analyzer/protocol/gssapi/CMakeLists.txt +++ b/src/analyzer/protocol/gssapi/CMakeLists.txt @@ -5,7 +5,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro GSSAPI) bro_plugin_cc(GSSAPI.cc Plugin.cc) -bro_plugin_bif(types.bif events.bif) +bro_plugin_bif(events.bif) bro_plugin_pac( gssapi.pac gssapi-protocol.pac diff --git a/src/analyzer/protocol/gssapi/gssapi.pac b/src/analyzer/protocol/gssapi/gssapi.pac index 07759e8daa..55b7fe4255 100644 --- a/src/analyzer/protocol/gssapi/gssapi.pac +++ b/src/analyzer/protocol/gssapi/gssapi.pac @@ -5,7 +5,6 @@ #include "analyzer/Manager.h" #include "analyzer/Analyzer.h" -#include "types.bif.h" #include "events.bif.h" %} diff --git a/src/analyzer/protocol/gssapi/types.bif b/src/analyzer/protocol/gssapi/types.bif deleted file mode 100644 index 996cee9ad8..0000000000 --- a/src/analyzer/protocol/gssapi/types.bif +++ /dev/null @@ -1 +0,0 @@ -# Empty. 
diff --git a/src/analyzer/protocol/pia/CMakeLists.txt b/src/analyzer/protocol/pia/CMakeLists.txt index ff55bcf0aa..02397f7aff 100644 --- a/src/analyzer/protocol/pia/CMakeLists.txt +++ b/src/analyzer/protocol/pia/CMakeLists.txt @@ -5,5 +5,4 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro PIA) bro_plugin_cc(PIA.cc Plugin.cc) -bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/pia/PIA.cc b/src/analyzer/protocol/pia/PIA.cc index 7d73624dd0..8f5e23a1ce 100644 --- a/src/analyzer/protocol/pia/PIA.cc +++ b/src/analyzer/protocol/pia/PIA.cc @@ -3,8 +3,6 @@ #include "analyzer/protocol/tcp/TCP_Flags.h" #include "analyzer/protocol/tcp/TCP_Reassembler.h" -#include "events.bif.h" - using namespace analyzer::pia; PIA::PIA(analyzer::Analyzer* arg_as_analyzer) diff --git a/src/analyzer/protocol/pia/events.bif b/src/analyzer/protocol/pia/events.bif deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/src/analyzer/protocol/zip/CMakeLists.txt b/src/analyzer/protocol/zip/CMakeLists.txt index 814119f9f7..40c64afd6e 100644 --- a/src/analyzer/protocol/zip/CMakeLists.txt +++ b/src/analyzer/protocol/zip/CMakeLists.txt @@ -5,5 +5,4 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro ZIP) bro_plugin_cc(ZIP.cc Plugin.cc) -bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/zip/ZIP.cc b/src/analyzer/protocol/zip/ZIP.cc index d14df95673..d44c6353cd 100644 --- a/src/analyzer/protocol/zip/ZIP.cc +++ b/src/analyzer/protocol/zip/ZIP.cc @@ -2,8 +2,6 @@ #include "ZIP.h" -#include "events.bif.h" - using namespace analyzer::zip; ZIP_Analyzer::ZIP_Analyzer(Connection* conn, bool orig, Method arg_method) diff --git a/src/analyzer/protocol/zip/events.bif b/src/analyzer/protocol/zip/events.bif deleted file mode 100644 index e69de29bb2..0000000000 
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 6587112ef2..d53b14ce58 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2016-11-02-17-25-26 +#open 2017-02-28-17-15-30 #fields name #types string scripts/base/init-bare.bro @@ -58,7 +58,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/top-k.bif.bro build/scripts/base/bif/plugins/__load__.bro build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro - build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro @@ -74,7 +73,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro - build/scripts/base/bif/plugins/Bro_GSSAPI.types.bif.bro build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro @@ -96,7 +94,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro build/scripts/base/bif/plugins/Bro_NTLM.events.bif.bro build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro build/scripts/base/bif/plugins/Bro_RDP.events.bif.bro 
@@ -150,7 +147,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro - build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro @@ -171,4 +167,4 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2016-11-02-17-25-26 +#close 2017-02-28-17-15-30 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 7a7b127752..e11edefe16 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2016-11-02-17-25-18 +#open 2017-02-28-17-19-41 #fields name #types string scripts/base/init-bare.bro @@ -58,7 +58,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/top-k.bif.bro build/scripts/base/bif/plugins/__load__.bro build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro - build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro 
@@ -74,7 +73,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro - build/scripts/base/bif/plugins/Bro_GSSAPI.types.bif.bro build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro @@ -96,7 +94,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro build/scripts/base/bif/plugins/Bro_NTLM.events.bif.bro build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro build/scripts/base/bif/plugins/Bro_RDP.events.bif.bro @@ -150,7 +147,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro - build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro @@ -359,4 +355,4 @@ scripts/base/init-default.bro scripts/base/misc/find-filtered-trace.bro scripts/base/misc/version.bro scripts/policy/misc/loaded-scripts.bro -#close 2016-11-02-17-25-18 +#close 2017-02-28-17-19-41 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index c291302748..420d20ae12 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -247,7 +247,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> @@ -377,7 +377,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -416,7 +416,6 @@ 0.000000 MetaHookPost LoadFile(../main) -> -1 0.000000 MetaHookPost LoadFile(../plugin) -> -1 0.000000 MetaHookPost LoadFile(./Bro_ARP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_AYIYA.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_AsciiReader.ascii.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_AsciiWriter.ascii.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_BackDoor.events.bif.bro) -> -1 @@ -440,7 +439,6 @@ 0.000000 MetaHookPost LoadFile(./Bro_FileHash.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_Finger.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_GSSAPI.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_GSSAPI.types.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_GTPv1.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_Gnutella.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_HTTP.events.bif.bro) -> -1 @@ -465,7 +463,6 @@ 0.000000 MetaHookPost LoadFile(./Bro_NetBIOS.functions.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_NoneWriter.none.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_PE.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_PIA.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_POP3.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_RADIUS.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_RDP.events.bif.bro) -> -1 @@ -528,7 +525,6 @@ 0.000000 MetaHookPost LoadFile(./Bro_X509.functions.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_X509.types.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_XMPP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_ZIP.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./acld) -> -1 0.000000 MetaHookPost LoadFile(./addrs) -> -1 0.000000 MetaHookPost LoadFile(./analyzer.bif.bro) -> -1 
@@ -968,7 +964,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) @@ -1098,7 +1094,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1137,7 +1133,6 @@ 0.000000 MetaHookPre LoadFile(../main) 0.000000 MetaHookPre LoadFile(../plugin) 0.000000 MetaHookPre LoadFile(./Bro_ARP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_AYIYA.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_AsciiReader.ascii.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_AsciiWriter.ascii.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_BackDoor.events.bif.bro) @@ -1161,7 +1156,6 @@ 0.000000 MetaHookPre LoadFile(./Bro_FileHash.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_Finger.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_GSSAPI.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_GSSAPI.types.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_GTPv1.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_Gnutella.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_HTTP.events.bif.bro) @@ -1186,7 +1180,6 @@ 0.000000 MetaHookPre LoadFile(./Bro_NetBIOS.functions.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_NoneWriter.none.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_PE.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_PIA.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_POP3.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_RADIUS.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_RDP.events.bif.bro) @@ -1249,7 +1242,6 @@ 0.000000 MetaHookPre LoadFile(./Bro_X509.functions.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_X509.types.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_XMPP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_ZIP.events.bif.bro) 0.000000 MetaHookPre LoadFile(./acld) 0.000000 MetaHookPre LoadFile(./addrs) 0.000000 MetaHookPre LoadFile(./analyzer.bif.bro) 
@@ -1688,7 +1680,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) @@ -1818,7 +1810,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1487443758.386684, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() From 9341ff801c2bc0445553305a67d5c78442c0dbf3 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Thu, 2 Mar 2017 08:53:38 -0800 Subject: [PATCH 099/631] Move threading to c++11 primitives (mostly). This moves all threading code in Bro from pthreads to the c++11 primitives, which make for shorter, easier to use, and less error-prone code. pthreads is still used in 2 places in Bro currently. BasicThread uses two bits of functionality that are not available using the c++ API (setting thread names & setting signal masks). Since all c++ implementations that I am aware of still use an underlying pthreads implementation, we just use native_handle to access the underlying pthreads implementation for these cases. I do not expect this to lead to problems in the forseable future. If we ever encounter a platform where a different thread architecture is used, we might have to change that around. This code is guarded by static_asserts, so we will notice if a platform uses a different implementation. sqlite also uses pthreads directly. --- src/input/readers/raw/Plugin.cc | 12 +--- src/input/readers/raw/Plugin.h | 8 +-- src/input/readers/raw/Raw.cc | 30 +++------ src/input/readers/raw/Raw.h | 6 +- src/threading/BasicThread.cc | 21 ++++--- src/threading/BasicThread.h | 10 +-- src/threading/MsgThread.h | 2 - src/threading/Queue.h | 104 +++++++++++--------------------- 8 files changed, 70 insertions(+), 123 deletions(-) diff --git a/src/input/readers/raw/Plugin.cc b/src/input/readers/raw/Plugin.cc index c7af84e34e..e16a233fe6 100644 --- a/src/input/readers/raw/Plugin.cc +++ b/src/input/readers/raw/Plugin.cc @@ -8,7 +8,6 @@ using namespace plugin::Bro_RawReader; Plugin::Plugin() { - init = false; } plugin::Configuration Plugin::Configure() 
@@ -23,21 +22,14 @@ plugin::Configuration Plugin::Configure() void Plugin::InitPreScript() { - if ( pthread_mutex_init(&fork_mutex, 0) != 0 ) - reporter->FatalError("cannot initialize raw reader's mutex"); - - init = true; } void Plugin::Done() { - pthread_mutex_destroy(&fork_mutex); - init = false; } -pthread_mutex_t* Plugin::ForkMutex() +std::unique_lock Plugin::ForkMutex() { - assert(init); - return &fork_mutex; + return std::unique_lock(fork_mutex, std::defer_lock); } diff --git a/src/input/readers/raw/Plugin.h b/src/input/readers/raw/Plugin.h index 59a5dfd2be..7b621c9440 100644 --- a/src/input/readers/raw/Plugin.h +++ b/src/input/readers/raw/Plugin.h @@ -1,8 +1,9 @@ -// See the file in the main distribution directory for copyright. +// See the file in the main distribution directory for copyright. #include "plugin/Plugin.h" #include "Raw.h" +#include namespace plugin { namespace Bro_RawReader { @@ -16,11 +17,10 @@ public: virtual void InitPreScript(); virtual void Done(); - pthread_mutex_t * ForkMutex(); + std::unique_lock ForkMutex(); private: - bool init; - pthread_mutex_t fork_mutex; + std::mutex fork_mutex; }; diff --git a/src/input/readers/raw/Raw.cc b/src/input/readers/raw/Raw.cc index cfa7b72602..c892c207cc 100644 --- a/src/input/readers/raw/Raw.cc +++ b/src/input/readers/raw/Raw.cc 
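Review bot: `ForkMutex()` in Plugin.h now returns a `std::unique_lock` built with `std::defer_lock`, so the name suggests a mutex while the caller actually receives an unlocked guard, and nothing at the declaration says that `lock()` still has to be called. A caller that keeps the return value and never locks it would run its fork section unserialised without any diagnostic. I would add a comment above the declaration, `// Returns an unlocked guard for the fork mutex; the caller must call lock() on it.`, or rename the accessor to say what it returns. `InitPreScript()` and `Done()` in Plugin.cc are left as empty overrides and could be dropped if the base class provides defaults, which is not visible here.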
@@ -96,24 +96,16 @@ bool Raw::SetFDFlags(int fd, int cmd, int flags) } -bool Raw::LockForkMutex() +std::unique_lock Raw::AcquireForkMutex() { - int res = pthread_mutex_lock(plugin::Bro_RawReader::plugin.ForkMutex()); - if ( res == 0 ) - return true; - - Error(Fmt("cannot lock fork mutex: %d", res)); - return false; + auto lock = plugin::Bro_RawReader::plugin.ForkMutex(); + try { + lock.lock(); + } catch(const std::system_error& e) { + reporter->FatalErrorWithCore("cannot lock fork mutex: %s", e.what()); } -bool Raw::UnlockForkMutex() - { - int res = pthread_mutex_unlock(plugin::Bro_RawReader::plugin.ForkMutex()); - if ( res == 0 ) - return true; - - Error(Fmt("cannot unlock fork mutex: %d", res)); - return false; + return lock; } bool Raw::Execute() @@ -126,12 +118,10 @@ bool Raw::Execute() // never crops up... ("never" meaning I haven't seen in it in // hundreds of tests using 50+ threads where before I'd see the issue // w/ just 2 threads ~33% of the time). - if ( ! LockForkMutex() ) - return false; + auto lock = AcquireForkMutex(); if ( pipe(pipes) != 0 || pipe(pipes+2) || pipe(pipes+4) ) { - UnlockForkMutex(); Error(Fmt("Could not open pipe: %d", errno)); return false; } @@ -139,7 +129,6 @@ bool Raw::Execute() childpid = fork(); if ( childpid < 0 ) { - UnlockForkMutex(); Error(Fmt("Could not create child process: %d", errno)); return false; } @@ -208,8 +197,7 @@ bool Raw::Execute() } } - if ( ! UnlockForkMutex() ) - return false; + lock.unlock(); ClosePipeEnd(stdout_out); diff --git a/src/input/readers/raw/Raw.h b/src/input/readers/raw/Raw.h index 2a166ae322..ec50ade8fe 100644 --- a/src/input/readers/raw/Raw.h +++ b/src/input/readers/raw/Raw.h @@ -4,8 +4,8 @@ #define INPUT_READERS_RAW_H #include -#include #include +#include #include "input/ReaderBackend.h" 
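Review bot: `Raw::AcquireForkMutex()` falls through to `return lock;` after the `catch` block, so it only guarantees ownership if `reporter->FatalErrorWithCore()` never returns, which this hunk does not show. If it can return, `Execute()` would go on to `pipe()` and `fork()` without holding the mutex, and the later `lock.unlock()` would throw `std::system_error` on a guard that owns nothing. Stating the assumption next to the return makes it checkable, for example `assert(lock.owns_lock());` just before `return lock;`. The same pattern appears in `safe_lock()` in src/threading/Queue.h. Note also that a lock failure used to fail a single reader through the `bool` return and now ends the whole process.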
@@ -37,8 +37,7 @@ protected: private: void ClosePipeEnd(int i); bool SetFDFlags(int fd, int cmd, int flags); - bool LockForkMutex(); - bool UnlockForkMutex(); + std::unique_lock AcquireForkMutex(); bool OpenInput(); bool CloseInput(); @@ -87,7 +86,6 @@ private: }; static const int block_size; - static pthread_mutex_t fork_mutex; }; } diff --git a/src/threading/BasicThread.cc b/src/threading/BasicThread.cc index 86d7d7b560..ea6c8c433b 100644 --- a/src/threading/BasicThread.cc +++ b/src/threading/BasicThread.cc @@ -5,6 +5,7 @@ #include "bro-config.h" #include "BasicThread.h" #include "Manager.h" +#include "pthread.h" #ifdef HAVE_LINUX #include @@ -21,7 +22,6 @@ BasicThread::BasicThread() started = false; terminating = false; killed = false; - pthread = 0; buf_len = STD_FMT_BUF_LEN; buf = (char*) safe_malloc(buf_len); @@ -50,6 +50,7 @@ void BasicThread::SetName(const char* arg_name) void BasicThread::SetOSName(const char* arg_name) { + static_assert(std::is_same::value, "libstdc++ doesn't use pthread_t"); #ifdef HAVE_LINUX prctl(PR_SET_NAME, arg_name, 0, 0, 0); @@ -60,7 +61,7 @@ void BasicThread::SetOSName(const char* arg_name) #endif #ifdef FREEBSD - pthread_set_name_np(pthread_self(), arg_name, arg_name); + pthread_set_name_np(thread.native_handle(), arg_name, arg_name); #endif } @@ -108,9 +109,7 @@ void BasicThread::Start() started = true; - int err = pthread_create(&pthread, 0, BasicThread::launcher, this); - if ( err != 0 ) - reporter->FatalError("Cannot create thread %s: %s", name, Strerror(err)); + thread = std::thread(&BasicThread::launcher, this); DBG_LOG(DBG_THREADING, "Started thread %s", name); 
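Review bot: In `BasicThread::SetOSName()` the FreeBSD branch now reads `thread.native_handle()` where it used `pthread_self()`, and that read can race with `Start()`. The Linux branch calls `prctl(PR_SET_NAME, ...)`, which names the calling thread, so this function is apparently meant to run on the new thread itself; at that moment `Start()` may still be move-assigning `thread = std::thread(...)` on the parent thread, and the member is accessed without synchronisation. Keeping `pthread_self()` as the first argument avoids both the race and the dependency on `native_handle()`. Whether `SetOSName()` is only ever called from the thread being named is not visible in this hunk and should be confirmed.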
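Review bot: In `BasicThread::Start()` the `std::thread` constructor reports failure by throwing `std::system_error`, and the new assignment has no handler, so the removed `Cannot create thread %s` diagnostic is lost. Thread creation usually fails under resource exhaustion, and an uncaught exception there ends in `std::terminate()` without any reporter message. `Join()` in the same file already wraps `thread.join()` in a try/catch, so the fence below gives `Start()` the same treatment. `started = true` is also set before the constructor runs, which leaves the object marked as started if creation throws. `Start()` begins and ends outside this hunk.

```cpp
	// … unchanged: started = true …
	try {
		thread = std::thread(&BasicThread::launcher, this);
	} catch(const std::system_error& e) {
		reporter->FatalError("Cannot create thread %s: %s", name, e.what());
	}
```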
@@ -147,17 +146,18 @@ void BasicThread::Join() if ( ! started ) return; - if ( ! pthread ) + if ( ! thread.joinable() ) return; assert(terminating); - if ( pthread_join(pthread, 0) != 0 ) - reporter->FatalError("Failure joining thread %s", name); + try { + thread.join(); + } catch(const std::system_error& e) { + reporter->FatalError("Failure joining thread %s with error %s", name, e.what()); + } DBG_LOG(DBG_THREADING, "Joined with thread %s", name); - - pthread = 0; } void BasicThread::Kill() @@ -180,6 +180,7 @@ void BasicThread::Done() void* BasicThread::launcher(void *arg) { + static_assert(std::is_same::value, "libstdc++ doesn't use pthread_t"); BasicThread* thread = (BasicThread *)arg; // Block signals in thread. We handle signals only in the main diff --git a/src/threading/BasicThread.h b/src/threading/BasicThread.h index 6386e5ae66..ea829fce54 100644 --- a/src/threading/BasicThread.h +++ b/src/threading/BasicThread.h @@ -2,8 +2,7 @@ #ifndef THREADING_BASICTHREAD_H #define THREADING_BASICTHREAD_H -#include -#include +#include #include "util.h" @@ -35,6 +34,9 @@ public: */ BasicThread(); + BasicThread(BasicThread const&) = delete; + BasicThread& operator =(BasicThread const&) = delete; + /** * Returns a descriptive name for the thread. If not set via * SetName(). If not set, a default name is choosen automatically. @@ -192,11 +194,11 @@ protected: void Done(); private: - // pthread entry function. + // thread entry function. static void* launcher(void *arg); const char* name; - pthread_t pthread; + std::thread thread; bool started; // Set to to true once running. bool terminating; // Set to to true to signal termination. bool killed; // Set to true once forcefully killed. diff --git a/src/threading/MsgThread.h b/src/threading/MsgThread.h index 96da68e1d0..480ab2974c 100644 --- a/src/threading/MsgThread.h +++ b/src/threading/MsgThread.h 
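Review bot: Replacing `pthread_t pthread;` with `std::thread thread;` in BasicThread.h changes what happens when a BasicThread is destroyed while its thread is still joinable: the `std::thread` destructor calls `std::terminate()`, where an unjoined `pthread_t` was simply dropped. `Join()` returns early when `started` is false and asserts `terminating`, and `Kill()` appears only as context, so any path that deletes the object after `Kill()` without a successful `Join()` would now abort the process. The BasicThread destructor is outside these hunks; it should either join or the contract should be written down at the member, e.g. `// Must be joined via Join() before destruction; a joinable std::thread terminates the process in its destructor.`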
@@ -2,8 +2,6 @@ #ifndef THREADING_MSGTHREAD_H #define THREADING_MSGTHREAD_H -#include - #include "DebugLogger.h" #include "BasicThread.h" diff --git a/src/threading/Queue.h b/src/threading/Queue.h index 6d21bfd998..48b41ad81a 100644 --- a/src/threading/Queue.h +++ b/src/threading/Queue.h @@ -1,7 +1,8 @@ #ifndef THREADING_QUEUE_H #define THREADING_QUEUE_H -#include +#include +#include #include #include #include @@ -22,7 +23,7 @@ namespace threading { * * All Queue instances must be instantiated by Bro's main thread. * - * TODO: Unclear how critical performance is for this qeueue. We could like;y + * TODO: Unclear how critical performance is for this qeueue. We could likely * optimize it further if helpful. */ template @@ -71,9 +72,10 @@ public: */ bool MaybeReady() { return (num_reads != num_writes); } - /** Wake up the reader if it's currently blocked for input. This is - primarily to give it a chance to check termination quickly. - **/ + /** + * Wake up the reader if it's currently blocked for input. This is + * primarily to give it a chance to check termination quickly. + */ void WakeUp(); /** @@ -94,14 +96,15 @@ public: * Returns statistics about the queue's usage. * * @param stats A pointer to a structure that will be filled with - * current numbers. */ + * current numbers. + */ void GetStats(Stats* stats); private: static const int NUM_QUEUES = 8; - pthread_mutex_t mutex[NUM_QUEUES]; // Mutex protected shared accesses. - pthread_cond_t has_data[NUM_QUEUES]; // Signals when data becomes available + std::mutex mutex[NUM_QUEUES]; // Mutex protected shared accesses. + std::condition_variable has_data[NUM_QUEUES]; // Signals when data becomes available std::queue messages[NUM_QUEUES]; // Actually holds the queued messages int read_ptr; // Where the next operation will read from 
@@ -115,17 +118,17 @@ private: uint64_t num_writes; }; -inline static void safe_lock(pthread_mutex_t* mutex) +inline static std::unique_lock safe_lock(std::mutex& m) { - int res = pthread_mutex_lock(mutex); - if ( res != 0 ) - reporter->FatalErrorWithCore("cannot lock mutex: %d(%s)", res, strerror(res)); + std::unique_lock lock(m, std::defer_lock); + + try { + lock.lock(); + } catch(const std::system_error& e) { + reporter->FatalErrorWithCore("cannot lock mutex: %s", e.what()); } -inline static void safe_unlock(pthread_mutex_t* mutex) - { - if ( pthread_mutex_unlock(mutex) != 0 ) - reporter->FatalErrorWithCore("cannot unlock mutex"); + return lock; } template 
@@ -136,50 +139,28 @@ inline Queue::Queue(BasicThread* arg_reader, BasicThread* arg_writer) num_reads = num_writes = 0; reader = arg_reader; writer = arg_writer; - - for( int i = 0; i < NUM_QUEUES; ++i ) - { - if ( pthread_cond_init(&has_data[i], 0) != 0 ) - reporter->FatalError("cannot init queue condition variable"); - - if ( pthread_mutex_init(&mutex[i], 0) != 0 ) - reporter->FatalError("cannot init queue mutex"); - } } template inline Queue::~Queue() { - for( int i = 0; i < NUM_QUEUES; ++i ) - { - pthread_cond_destroy(&has_data[i]); - pthread_mutex_destroy(&mutex[i]); - } } template inline T Queue::Get() { - safe_lock(&mutex[read_ptr]); + auto lock = safe_lock(mutex[read_ptr]); int old_read_ptr = read_ptr; if ( messages[read_ptr].empty() && ! ((reader && reader->Killed()) || (writer && writer->Killed())) ) { - struct timespec ts; - ts.tv_sec = time(0) + 5; - ts.tv_nsec = 0; - - pthread_cond_timedwait(&has_data[read_ptr], &mutex[read_ptr], &ts); - safe_unlock(&mutex[read_ptr]); - return 0; + if ( has_data[read_ptr].wait_for(lock, std::chrono::seconds(5)) == std::cv_status::timeout ) + return nullptr; } - else if ( messages[read_ptr].empty() ) - { - safe_unlock(&mutex[read_ptr]); - return 0; - } + if ( messages[read_ptr].empty() ) + return nullptr; T data = messages[read_ptr].front(); messages[read_ptr].pop(); @@ -187,15 +168,13 @@ inline T Queue::Get() read_ptr = (read_ptr + 1) % NUM_QUEUES; ++num_reads; - safe_unlock(&mutex[old_read_ptr]); - return data; } template inline void Queue::Put(T data) { - safe_lock(&mutex[write_ptr]); + auto lock = safe_lock(mutex[write_ptr]); int old_write_ptr = write_ptr; 
@@ -203,25 +182,24 @@ inline void Queue::Put(T data) messages[write_ptr].push(data); - if ( need_signal ) - pthread_cond_signal(&has_data[write_ptr]); - write_ptr = (write_ptr + 1) % NUM_QUEUES; ++num_writes; - safe_unlock(&mutex[old_write_ptr]); + if ( need_signal ) + { + lock.unlock(); + has_data[old_write_ptr].notify_one(); + } } template inline bool Queue::Ready() { - safe_lock(&mutex[read_ptr]); + auto lock = safe_lock(mutex[read_ptr]); bool ret = (messages[read_ptr].size()); - safe_unlock(&mutex[read_ptr]); - return ret; } @@ -229,17 +207,15 @@ template inline uint64_t Queue::Size() { // Need to lock all queues. + std::vector> locks; for ( int i = 0; i < NUM_QUEUES; i++ ) - safe_lock(&mutex[i]); + locks.push_back(safe_lock(mutex[i])); uint64_t size = 0; for ( int i = 0; i < NUM_QUEUES; i++ ) size += messages[i].size(); - for ( int i = 0; i < NUM_QUEUES; i++ ) - safe_unlock(&mutex[i]); - return size; } @@ -248,29 +224,21 @@ inline void Queue::GetStats(Stats* stats) { // To be safe, we look all queues. That's probably unneccessary, but // doesn't really hurt. + std::vector> locks; for ( int i = 0; i < NUM_QUEUES; i++ ) - safe_lock(&mutex[i]); + locks.push_back(safe_lock(mutex[i])); stats->num_reads = num_reads; stats->num_writes = num_writes; - - for ( int i = 0; i < NUM_QUEUES; i++ ) - safe_unlock(&mutex[i]); } template inline void Queue::WakeUp() { for ( int i = 0; i < NUM_QUEUES; i++ ) - { - safe_lock(&mutex[i]); - pthread_cond_signal(&has_data[i]); - safe_unlock(&mutex[i]); - } + has_data[i].notify_all(); } } - #endif - From 766bab077144e9341f4f29bdedebdf621ccee584 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 2 Mar 2017 16:45:07 -0800 Subject: [PATCH 100/631] Updating submodule. --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index 2fb0e089b3..14c18508bb 160000 --- a/aux/btest +++ b/aux/btest 
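Review bot: `Queue::WakeUp()` now calls `has_data[i].notify_all()` without taking `mutex[i]`, which allows a missed wake-up that the old lock/signal/unlock sequence prevented. `Get()` tests `Killed()` under the lock and then calls `wait_for()`; a notification sent after that test but before the wait begins is lost, and the reader sleeps for the full five-second timeout before it sees the termination flag. Shutdown is only delayed, not hung, but this defeats the documented purpose of letting the reader check termination quickly. Taking and releasing the lock before notifying closes the window: `{ auto lock = safe_lock(mutex[i]); }` followed by `has_data[i].notify_all();` inside the loop. Separately, `int old_read_ptr` in `Get()` and `int old_write_ptr` are worth a look now that the matching `safe_unlock()` calls are gone; the former appears to be unused.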
@@ -1 +1 @@ -Subproject commit 2fb0e089b37cc62b4616c8d4309ee80fb7fc6a27 +Subproject commit 14c18508bb385c8f55cd79738ee87ca2b85eba27 From f616903e5ffc1b28142bb6f4e94424993d772801 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 3 Mar 2017 10:44:14 -0800 Subject: [PATCH 101/631] Updating submodule(s). [nomail] --- CHANGES | 2 +- VERSION | 2 +- aux/plugins | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 9c58d9338f..862174c068 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,5 @@ -2.5-91 | 2017-03-03 10:30:12 -0800 +2.5-92 | 2017-03-03 10:44:14 -0800 * Move most threading to C++11 primitives (mostly). (Johanna Amann) diff --git a/VERSION b/VERSION index 2cca69f0f3..540a520883 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-91 +2.5-92 diff --git a/aux/plugins b/aux/plugins index 2322840bcd..c4b5df3aa8 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit 2322840bcdbd618ae7bd24e22d874fb30ab89bbb +Subproject commit c4b5df3aa8e5c58a2dc5e5040c7da8369894f24d From b6e6302b4031d36d6e297b25aba444b0dc26f1e8 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Fri, 3 Mar 2017 12:40:37 -0800 Subject: [PATCH 102/631] Ascii reader error changes - fix small bugs The changes are now a bit more succinct with less code changes required. Behavior is tested a little bit more thoroughly and a memory problem when reading incomplete lines was fixed. ReadHeader also always directly returns if header reading failed. Error messages now are back to what they were before the change, if the new behavior is not used. I also tweaked the documentation text a bit. --- .../base/frameworks/input/readers/ascii.bro | 34 ++++++-- src/input/readers/ascii/Ascii.cc | 85 ++++++++++--------- src/input/readers/ascii/Ascii.h | 10 ++- .../out | 26 ++++++ .../bro..stderr | 4 + .../bro..stdout | 3 + .../bro..stderr | 4 +- .../base/frameworks/input/invalid-lines.bro | 67 +++++++++++++++ .../base/frameworks/input/invalidtext.bro | 1 + .../input/missing-file-initially.bro | 12 +-- .../base/frameworks/input/missing-file.bro | 1 + 11 files changed, 187 insertions(+), 60 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.invalid-lines/out create mode 100644 testing/btest/scripts/base/frameworks/input/invalid-lines.bro diff --git a/scripts/base/frameworks/input/readers/ascii.bro b/scripts/base/frameworks/input/readers/ascii.bro index 521e8d4ca3..83d8ced94b 100644 --- a/scripts/base/frameworks/input/readers/ascii.bro +++ b/scripts/base/frameworks/input/readers/ascii.bro 
@@ -19,16 +19,32 @@ export { ## String to use for an unset &optional field. const unset_field = Input::unset_field &redef; - ## Choose if the ascii input reader should globally - ## fail on invalid lines and continue parsing afterward. - ## Individual readers can use a different value. + ## Fail on invalid lines. If set to false, the ascii + ## input reader will jump over invalid lines, reporting + ## warnings in reporter.log. If set to true, errors in + ## input lines will be handled as fatal errors for the + ## reader thread; reading will abort immediately and + ## an error will be logged to reporter.log. + ## Invidivual readers can use a different value using + ## the $config table. + ## fail_on_invalid_lines = T was the default behavior + ## untill Bro 2.5. const fail_on_invalid_lines = F &redef; - ## Set to true if you would like the old behavior of the - ## ascii reader where the reader thread would die if any file - ## errors occur (like permissions problems or file missing). - ## The default behavior is to continue attempting to open and read - ## the file even in light of problems. - ## Individual readers can use a different value. + ## Fail on file read problems. If set to true, the ascii + ## input reader will fail when encountering any problems + ## while reading a file different from invalid lines. + ## Examples fur such problems are permission problems, or + ## missing files. + ## When set to false, these problems will be ignored. This + ## has an especially big effect for the REREAD mode, which will + ## seamlessly recover from read errors when a file is + ## only temporarily inaccessible. For MANUAL or STREAM files, + ## errors will most likely still be fatal since no automatic + ## re-reading of the file is attempted. + ## Invidivual readers can use a different value using + ## the $config table. + ## fail_on_file_problem = T was the default behavior + ## untill Bro 2.5. const fail_on_file_problem = F &redef; } 
diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc index 5621a87eb4..bedddce075 100644 --- a/src/input/readers/ascii/Ascii.cc +++ b/src/input/readers/ascii/Ascii.cc @@ -61,7 +61,7 @@ void Ascii::DoClose() bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fields) { - is_failed = false; + suppress_warnings = false; separator.assign( (const char*) BifConst::InputAscii::separator->Bytes(), BifConst::InputAscii::separator->Len()); 
@@ -109,43 +109,48 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f formatter::Ascii::SeparatorInfo sep_info(separator, set_separator, unset_field, empty_field); formatter = unique_ptr(new formatter::Ascii(this, sep_info)); - DoUpdate(); - - return true; + return DoUpdate(); } -void Ascii::FailWarn(bool is_error, const char *msg) +void Ascii::FailWarn(bool is_error, const char *msg, bool suppress_future) { if ( is_error ) Error(msg); else - Warning(msg); + { + // suppress error message when we are already in error mode. + // There is no reason to repeat it every second. + if ( ! suppress_warnings ) + Warning(msg); + + if ( suppress_future ) + suppress_warnings = true; + } } bool Ascii::OpenFile() { - if ( file.is_open() && ! is_failed ) + if ( file.is_open() ) return true; file.open(Info().source); + if ( ! file.is_open() ) { - if ( ! is_failed ) - FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s", Info().source)); - is_failed = true; - return !fail_on_file_problem; + FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s", Info().source), true); + + return ! fail_on_file_problem; } if ( ReadHeader(false) == false ) { - if ( ! is_failed ) - FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s; headers are incorrect", Info().source)); + FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s; problem reading file header", Info().source), true); + file.close(); - is_failed = true; - return !fail_on_file_problem; + return ! fail_on_file_problem; } - is_failed = false; + suppress_warnings = false; return true; } @@ -158,7 +163,11 @@ bool Ascii::ReadHeader(bool useCached) if ( ! useCached ) { if ( ! GetLine(line) ) + { + FailWarn(fail_on_file_problem, Fmt("Could not read input data file %s; first line could not be read", + Info().source), true); return false; + } headerline = line; } 
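Review bot: In `Ascii::OpenFile()` a header failure is reported twice when `fail_on_file_problem` is set: `ReadHeader()` calls `FailWarn(..., true)` itself on its failure paths, and `OpenFile()` then calls `FailWarn()` again with `Init: cannot open %s; problem reading file header`. In warning mode the second message is swallowed by `suppress_warnings`, but `FailWarn()` never suppresses the `Error()` branch, so strict mode logs two errors for one cause. Either drop the message in `OpenFile()` or note on `FailWarn()` that errors are intentionally never de-duplicated, e.g. `// Errors are always reported; only warnings honour suppress_warnings.` `ReadHeader()` continues in later hunks, so this is based on the failure paths visible in this patch.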
@@ -198,12 +207,10 @@ bool Ascii::ReadHeader(bool useCached) continue; } - if ( ! is_failed ) - FailWarn(fail_on_file_problem, Fmt("Did not find requested field %s in input data file %s.", - field->name, Info().source)); + FailWarn(fail_on_file_problem, Fmt("Did not find requested field %s in input data file %s.", + field->name, Info().source), true); - is_failed = true; - return !fail_on_file_problem; + return false; } FieldMapping f(field->name, field->type, field->subtype, ifields[field->name]); @@ -213,12 +220,10 @@ bool Ascii::ReadHeader(bool useCached) map::iterator fit2 = ifields.find(field->secondary_name); if ( fit2 == ifields.end() ) { - if ( ! is_failed ) - FailWarn(fail_on_file_problem, Fmt("Could not find requested port type field %s in input data file.", - field->secondary_name)); + FailWarn(fail_on_file_problem, Fmt("Could not find requested port type field %s in input data file.", + field->secondary_name), true); - is_failed = true; - return !fail_on_file_problem; + return false; } f.secondary_position = ifields[field->secondary_name]; @@ -258,7 +263,7 @@ bool Ascii::GetLine(string& str) bool Ascii::DoUpdate() { if ( ! OpenFile() ) - return !fail_on_file_problem; + return ! fail_on_file_problem; switch ( Info().mode ) { case MODE_REREAD: @@ -267,11 +272,10 @@ bool Ascii::DoUpdate() struct stat sb; if ( stat(Info().source, &sb) == -1 ) { - if ( ! is_failed ) - FailWarn(fail_on_file_problem, Fmt("Could not get stat for %s", Info().source)); + FailWarn(fail_on_file_problem, Fmt("Could not get stat for %s", Info().source), true); + file.close(); - is_failed = true; - return !fail_on_file_problem; + return ! fail_on_file_problem; } if ( sb.st_mtime <= mtime ) // no change 
@@ -293,10 +297,9 @@ bool Ascii::DoUpdate() if ( Info().mode == MODE_STREAM ) { file.clear(); // remove end of file evil bits - if ( !ReadHeader(true) ) + if ( ! ReadHeader(true) ) { - is_failed = true; - return !fail_on_file_problem; // header reading failed + return ! fail_on_file_problem; // header reading failed } break; @@ -360,15 +363,15 @@ bool Ascii::DoUpdate() if ( (*fit).position > pos || (*fit).secondary_position > pos ) { FailWarn(fail_on_invalid_lines, Fmt("Not enough fields in line %s. Found %d fields, want positions %d and %d", - line.c_str(), pos, (*fit).position, (*fit).secondary_position)); - - for ( int i = 0; i < fpos; i++ ) - delete fields[i]; - - delete [] fields; + line.c_str(), pos, (*fit).position, (*fit).secondary_position)); if ( fail_on_invalid_lines ) { + for ( int i = 0; i < fpos; i++ ) + delete fields[i]; + + delete [] fields; + return false; } else @@ -432,7 +435,7 @@ bool Ascii::DoUpdate() bool Ascii::DoHeartbeat(double network_time, double current_time) { if ( ! OpenFile() ) - return !fail_on_file_problem; + return ! fail_on_file_problem; switch ( Info().mode ) { diff --git a/src/input/readers/ascii/Ascii.h b/src/input/readers/ascii/Ascii.h index 9300382ca2..7a7fa52590 100644 --- a/src/input/readers/ascii/Ascii.h +++ b/src/input/readers/ascii/Ascii.h @@ -56,8 +56,10 @@ private: bool ReadHeader(bool useCached); bool GetLine(string& str); bool OpenFile(); - void FailWarn(bool is_error, const char *msg); - + // Call Warning or Error, depending on the is_error boolean. + // In case of a warning, setting suppress_future to true will suppress all future warnings + // (by setting suppress_warnings to true, until suppress_warnings is set back to false) + void FailWarn(bool is_error, const char *msg, bool suppress_future = false); ifstream file; time_t mtime; 
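Review bot: The `Not enough fields in line %s` call in `Ascii::DoUpdate()` passes the whole input line to `FailWarn()` and, unlike the file-level calls, does not set `suppress_future`, so with the new default `fail_on_invalid_lines = F` every malformed line produces its own warning on every read. A large or repeatedly re-read file with many bad lines can therefore flood reporter.log, and the raw line content ends up in the log at full length and unescaped. I would cap what is echoed, for example `line.substr(0, 128).c_str()` with the limit chosen by the project, and consider counting skipped lines and reporting one summary per read. The `else` branch that skips the line lies outside this hunk, so whether the already-parsed `fields[0..fpos)` are released on that path cannot be checked here.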
@@ -77,8 +79,8 @@ private: bool fail_on_file_problem; // this is an internal indicator in case the read is currently in a failed state - // it's used by the options for continuing instead of failing and killing the reader. - bool is_failed; + // it's used to suppress duplicate error messages. + bool suppress_warnings; std::unique_ptr formatter; }; diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.invalid-lines/out b/testing/btest/Baseline/scripts.base.frameworks.input.invalid-lines/out new file mode 100644 index 0000000000..3406639d29 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.invalid-lines/out @@ -0,0 +1,26 @@ +{ +[-43] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, ns=4242 HOHOHO, sc={ +2, +4, +1, +3 +}, ss={ +BB, +AA, +CC +}, se={ + +}, vc=[10, 20, 30], ve=[]], +[-42] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, ns=4242, sc={ +2, +4, +1, +3 +}, ss={ +BB, +AA, +CC +}, se={ + +}, vc=[10, 20, 30], ve=[]] +} diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr index 6c4d0f0194..337cdcda87 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr 
@@ -1,4 +1,8 @@ warning: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat +warning: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat +warning: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat error: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat +error: ../does-not-exist.dat/Input::READER_ASCII: Init failed error: ../does-not-exist.dat/Input::READER_ASCII: terminating thread +warning: ../does-not-exist.dat/Input::READER_ASCII: Could not get stat for ../does-not-exist.dat received termination signal diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout index d96c6d457d..39309bc8cf 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout @@ -1,2 +1,5 @@ now it does and more! +now it does +and more! +Streaming still works diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr index f5d074fe7e..5093925d2d 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file/bro..stderr @@ -1,2 +1,4 @@ -warning: does-not-exist.dat/Input::READER_ASCII: Init: cannot open does-not-exist.dat +error: does-not-exist.dat/Input::READER_ASCII: Init: cannot open does-not-exist.dat +error: does-not-exist.dat/Input::READER_ASCII: Init failed +error: does-not-exist.dat/Input::READER_ASCII: terminating thread received termination signal 
diff --git a/testing/btest/scripts/base/frameworks/input/invalid-lines.bro b/testing/btest/scripts/base/frameworks/input/invalid-lines.bro new file mode 100644 index 0000000000..83be1efd09 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/invalid-lines.bro 
@@ -0,0 +1,67 @@ +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait 10 +# @TEST-EXEC: btest-diff out + +redef exit_only_after_terminate = T; +redef InputAscii::fail_on_invalid_lines = F; + +@TEST-START-FILE input.log +#separator \x09 +#path ssh +#fields b i e c p sn a d t iv s sc ss se vc ve ns +#types bool int enum count port subnet addr double time interval string table table table vector vector string +T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 +T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 +T -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 HOHOHO +T -41 +@TEST-END-FILE + +@load base/protocols/ssh + +global outfile: file; + +redef InputAscii::empty_field = "EMPTY"; + +module A; + +type Idx: record { + i: int; +}; + +type Val: record { + b: bool; + e: Log::ID; + c: count; + p: port; + sn: subnet; + a: addr; + d: double; + t: time; + iv: interval; + s: string; + ns: string; + sc: set[count]; + ss: set[string]; + se: set[string]; + vc: vector of int; + ve: vector of int; +}; + +global servers: table[int] of Val = table(); +global servers2: table[int] of Val = table(); + +event bro_init() + { + outfile = open("../out"); + # first read in the old stuff into the table... + Input::add_table([$source="../input.log", $name="ssh", $idx=Idx, $val=Val, $destination=servers]); + Input::add_table([$source="../input.log", $name="ssh2", $idx=Idx, $val=Val, $destination=servers2, $config=table(["fail_on_invalid_lines"] = "T")]); + } + +event Input::end_of_data(name: string, source:string) + { + print outfile, servers; + Input::remove("ssh"); + close(outfile); + terminate(); + } 
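Review bot: The new test registers `ssh2` with `fail_on_invalid_lines = "T"` into `servers2`, but only `servers` is printed and only `out` is diffed, so the strict-mode behaviour on the malformed lines is never asserted. The `Input::end_of_data` handler also terminates on the first event it receives without looking at `name`, so the result depends on stream ordering if `ssh2` does deliver an event. Guarding the handler with `if ( name != "ssh" ) return;` and adding `# @TEST-EXEC: btest-diff bro/.stderr` would pin both the tolerant and the failing reader.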
diff --git a/testing/btest/scripts/base/frameworks/input/invalidtext.bro b/testing/btest/scripts/base/frameworks/input/invalidtext.bro index 1de4e96671..3f5b590dec 100644 --- a/testing/btest/scripts/base/frameworks/input/invalidtext.bro +++ b/testing/btest/scripts/base/frameworks/input/invalidtext.bro @@ -13,6 +13,7 @@ @TEST-END-FILE redef exit_only_after_terminate = T; +redef InputAscii::fail_on_invalid_lines = T; global outfile: file; diff --git a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro index a7128a4455..73fd57284e 100644 --- a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro +++ b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro @@ -1,10 +1,12 @@ # This tests files that don't exist initially and then do later during # runtime to make sure the ascii reader is resilient to files missing. -# It does a second test at the same time which configures the old +# It does a second test at the same time which configures the old # failing behavior. # @TEST-EXEC: btest-bg-run bro bro %INPUT -# @TEST-EXEC: btest-bg-wait -k 5 +# @TEST-EXEC: sleep 2; cp does-exist.dat does-not-exist.dat +# @TEST-EXEC: sleep 2; mv does-not-exist.dat does-not-exist-again.dat; echo "Streaming still works" >> does-not-exist-again.dat +# @TEST-EXEC: btest-bg-wait -k 3 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: btest-diff bro/.stderr 
@@ -40,8 +42,8 @@ event line2(description: Input::EventDescription, tpe: Input::Event, v: Val) event bro_init() { Input::add_event([$source="../does-not-exist.dat", $name="input", $reader=Input::READER_ASCII, $mode=Input::REREAD, $fields=Val, $ev=line, $want_record=T]); - Input::add_event([$source="../does-not-exist.dat", $name="input2", $reader=Input::READER_ASCII, $mode=Input::REREAD, $fields=Val, $ev=line2, $want_record=T, + Input::add_event([$source="../does-not-exist.dat", $name="inputstream", $reader=Input::READER_ASCII, $mode=Input::STREAM, $fields=Val, $ev=line, $want_record=T]); + Input::add_event([$source="../does-not-exist.dat", $name="inputmanual", $reader=Input::READER_ASCII, $mode=Input::MANUAL, $fields=Val, $ev=line, $want_record=T]); + Input::add_event([$source="../does-not-exist.dat", $name="input2", $reader=Input::READER_ASCII, $mode=Input::REREAD, $fields=Val, $ev=line2, $want_record=T, $config=table(["fail_on_file_problem"] = "T")]); - - system("sleep 2; mv ../does-exist.dat ../does-not-exist.dat;"); } diff --git a/testing/btest/scripts/base/frameworks/input/missing-file.bro b/testing/btest/scripts/base/frameworks/input/missing-file.bro index 08adfe2150..2ec3bb937f 100644 --- a/testing/btest/scripts/base/frameworks/input/missing-file.bro +++ b/testing/btest/scripts/base/frameworks/input/missing-file.bro @@ -3,6 +3,7 @@ # @TEST-EXEC: btest-diff bro/.stderr redef exit_only_after_terminate = T; +redef InputAscii::fail_on_file_problem = T; global outfile: file; global try: count; From dc2cfd8a1071ec3b30bd130d859758b3353f4b11 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 3 Mar 2017 12:51:54 -0800 Subject: [PATCH 103/631] Updating submodule(s). [nomail] --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index 14c18508bb..dceda16935 160000 --- a/aux/btest +++ b/aux/btest 
@@ -1 +1 @@ -Subproject commit 14c18508bb385c8f55cd79738ee87ca2b85eba27 +Subproject commit dceda169351ddd0c7fe7a5ae5496be1d7af2367b From 5ec4e00fcd802445ed176258684aecbaf768f5a1 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 8 Mar 2017 14:19:31 -0600 Subject: [PATCH 104/631] Fix some Coverity warnings Fixed some Coverity warnings in RemoteSerializer::ProcessLogCreateWriter(). Upon failure, CreateWriterForRemoteLog() frees the "info" and "fields" pointers, so they are now set to null in order to avoid freeing them a second time. --- src/RemoteSerializer.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 2adecfc89a..7d8899d8b9 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -2732,7 +2732,8 @@ bool RemoteSerializer::ProcessLogCreateWriter() if ( ! log_mgr->CreateWriterForRemoteLog(id_val, writer_val, info, num_fields, fields) ) { - delete_fields_up_to = num_fields; + info = 0; + fields = 0; goto error; } From ff4d624ebe4bee14211ae49beb789b7221fe8e27 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 9 Mar 2017 12:18:35 -0500 Subject: [PATCH 105/631] Minor documentation fixes. --- scripts/base/frameworks/input/readers/ascii.bro | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/base/frameworks/input/readers/ascii.bro b/scripts/base/frameworks/input/readers/ascii.bro index 83d8ced94b..1d4072e118 100644 --- a/scripts/base/frameworks/input/readers/ascii.bro +++ b/scripts/base/frameworks/input/readers/ascii.bro 
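Review bot: The fix in `RemoteSerializer::ProcessLogCreateWriter()` depends on an ownership rule that is stated only in the commit message: `CreateWriterForRemoteLog()` frees `info` and `fields` when it fails. Without a comment at the call site a later edit can easily reintroduce the double free, so I would add `// CreateWriterForRemoteLog() has already freed info and fields on failure; clear them so the error path does not free them again.` above the two assignments. The `error:` label is outside this hunk; since `delete_fields_up_to` is no longer set here, it is worth confirming that the cleanup loop cannot index `fields` after it has been nulled. `nullptr` would also fit the C++11 style adopted elsewhere in this series better than `0`.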
@@ -25,16 +25,16 @@ export { ## input lines will be handled as fatal errors for the ## reader thread; reading will abort immediately and ## an error will be logged to reporter.log. - ## Invidivual readers can use a different value using + ## Individual readers can use a different value using ## the $config table. ## fail_on_invalid_lines = T was the default behavior - ## untill Bro 2.5. + ## until Bro 2.6. const fail_on_invalid_lines = F &redef; ## Fail on file read problems. If set to true, the ascii ## input reader will fail when encountering any problems ## while reading a file different from invalid lines. - ## Examples fur such problems are permission problems, or + ## Examples of such problems are permission problems, or ## missing files. ## When set to false, these problems will be ignored. This ## has an especially big effect for the REREAD mode, which will @@ -42,9 +42,9 @@ export { ## only temporarily inaccessible. For MANUAL or STREAM files, ## errors will most likely still be fatal since no automatic ## re-reading of the file is attempted. - ## Invidivual readers can use a different value using + ## Individual readers can use a different value using ## the $config table. ## fail_on_file_problem = T was the default behavior - ## untill Bro 2.5. + ## until Bro 2.6. const fail_on_file_problem = F &redef; } From d505670f599c09f21eed275b0d79f910eaa3bf2e Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 9 Mar 2017 12:43:41 -0500 Subject: [PATCH 106/631] Updating NEWS --- NEWS | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/NEWS b/NEWS index 9aa1e35c7c..7fbc7cfd4f 100644 --- a/NEWS +++ b/NEWS 
@@ -4,6 +4,19 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file (note that submodules, such as BroControl and Broccoli, come with their own ``CHANGES``.) +Bro 2.6 +======= + +Changed Functionality +--------------------- + +- The input framework's Ascii reader is now more resilient. If an input + is marked to reread a file when it changes and the file didn't exist + during a check Bro would stop watching the file in previous versions. + The same could happen with bad data in a line of a file. These + situations do not cause Bro to stop watching input files anymore. The + old behavior is available through settings in the Ascii reader. + Bro 2.5 ======= From 05746ab7fcfdbd966bb4e39403dd004e42a75fc4 Mon Sep 17 00:00:00 2001 From: Pete Date: Sun, 12 Mar 2017 12:53:12 -0400 Subject: [PATCH 107/631] print version string to stdout on --version When running a *nix command from the prompt, and output is expected, that output should be sent to stdout, not stderr. The --version option is such a case. The outputted version string is not an indication of error or a diagnostic output; it is the expected output, thus should follow standard conventions and be output to stdout.. --- src/main.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main.cc b/src/main.cc index 55636a9496..d9f8ff5b0b 100644 --- a/src/main.cc +++ b/src/main.cc @@ -595,7 +595,7 @@ int main(int argc, char** argv) break; case 'v': - fprintf(stderr, "%s version %s\n", prog, bro_version()); + fprintf(stdout, "%s version %s\n", prog, bro_version()); exit(0); break; From a38f44b1fddac4c7fd3e8bdb59a64ce952c7703b Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 13 Mar 2017 11:16:15 -0700 Subject: [PATCH 108/631] Fix coverity warning in Ascii reader. --- src/input/readers/ascii/Ascii.cc | 1 + 1 file changed, 1 insertion(+) diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc index bedddce075..3440d9565d 100644 
--- a/src/input/readers/ascii/Ascii.cc +++ b/src/input/readers/ascii/Ascii.cc @@ -49,6 +49,7 @@ FieldMapping FieldMapping::subType() Ascii::Ascii(ReaderFrontend *frontend) : ReaderBackend(frontend) { mtime = 0; + suppress_warnings = false; } Ascii::~Ascii() From 17fa1b6fede10765a8f483727358c98aa324e656 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 13 Mar 2017 11:16:19 -0700 Subject: [PATCH 109/631] Fix compiler warnings raised by llvm 8.0. Warning was: warning: moving a temporary object prevents copy elision [-Wpessimizing-move] --- src/input/readers/raw/Plugin.cc | 2 +- src/threading/Queue.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/input/readers/raw/Plugin.cc b/src/input/readers/raw/Plugin.cc index 0dd1b47fc7..e16a233fe6 100644 --- a/src/input/readers/raw/Plugin.cc +++ b/src/input/readers/raw/Plugin.cc @@ -30,6 +30,6 @@ void Plugin::Done() std::unique_lock Plugin::ForkMutex() { - return std::move(std::unique_lock(fork_mutex, std::defer_lock)); + return std::unique_lock(fork_mutex, std::defer_lock); } diff --git a/src/threading/Queue.h b/src/threading/Queue.h index bf0f0db82c..9ac9268a7a 100644 --- a/src/threading/Queue.h +++ b/src/threading/Queue.h @@ -124,7 +124,7 @@ inline static std::unique_lock acquire_lock(std::mutex& m) { try { - return std::move(std::unique_lock(m)); + return std::unique_lock(m); } catch ( const std::system_error& e ) { @@ -224,7 +224,7 @@ inline std::vector> Queue::LocksForAllQueues() throw std::exception(); } - return std::move(locks); + return locks; } template From 7180c704f649d7aaa66a826daebb02c6efd10384 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 13 Mar 2017 11:56:55 -0700 Subject: [PATCH 110/631] Update submodule [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 73dbc79ac2..58e9df0694 160000 --- a/aux/broctl +++ b/aux/broctl 
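Review bot: In `Ascii::Ascii`, `suppress_warnings` is assigned in the constructor body next to `mtime`, which addresses the Coverity report (presumably an uninitialized member) but keeps initialization separate from construction, where a newly added field is easy to forget. I would move both into the initializer list in declaration order, `Ascii::Ascii(ReaderFrontend *frontend) : ReaderBackend(frontend), mtime(0), suppress_warnings(false)`, or give them in-class defaults in the header. The class declaration is not part of this patch, so whether other members are still left unset cannot be checked from here.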
@@ -1 +1 @@
-Subproject commit 73dbc79ac24cdfef07d8574a4da5d43056ba5fa5
+Subproject commit 58e9df0694cc900b20decf26fbd7add6ee91212f
From 2d7c84956c0df80763f7b1eb4c5f9d15c21f3a4b Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Mon, 13 Mar 2017 16:08:14 -0700
Subject: [PATCH 111/631] Update submodule [nomail]
---
 aux/broctl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aux/broctl b/aux/broctl
index 58e9df0694..96583ab378 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 58e9df0694cc900b20decf26fbd7add6ee91212f
+Subproject commit 96583ab378b1de32ac9804246e1b0e2845fc8b3e
From 750e3e358f5c6e7ab80a6309bdf9d5a6854518ed Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 14 Mar 2017 06:58:42 -0700
Subject: [PATCH 112/631] Update submodule [nomail]
---
 aux/bro-aux | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aux/bro-aux b/aux/bro-aux
index 9f33570d53..51bf79d3fc 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 9f33570d53e1b970d7905e305940fd55637c5c76
+Subproject commit 51bf79d3fc78b5e86c554afe7c24c44b025aa67f
From 6544e365645b75d85c3836894a20c2339e79c399 Mon Sep 17 00:00:00 2001
From: Johanna Amann Date: Wed, 15 Mar 2017 08:00:36 -0700 Subject: [PATCH 113/631] Remove cluster catch and release. This test keeps failing intermittently because of timing issues that are surprisingly hard to fix. --- .../manager-1.netcontrol.log | 23 --- .../manager-1.netcontrol_catch_release.log | 18 --- .../worker-2..stdout | 9 -- .../netcontrol/catch-and-release-cluster.bro | 132 ------------------ 4 files changed, 182 deletions(-) delete mode 100644 testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol.log delete mode 100644 testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol_catch_release.log delete mode 100644 testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/worker-2..stdout delete mode 100644 testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol.log deleted file mode 100644 index 974349e229..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol.log +++ /dev/null 
@@ -1,23 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path netcontrol -#open 2016-08-12-17-38-49 -#fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin -#types time string enum string enum string enum string string string string int interval string string -1471023529.752740 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All -1471023529.752740 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All -1471023529.752740 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - -1471023532.819263 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 600.000000 connection drop worker-1 Debug-All -1471023532.819263 worker-1:2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 direct drop worker-1 Debug-All -1471023532.819263 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 600.000000 connection drop worker-1 Debug-All -1471023532.819263 worker-1:2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 direct drop worker-1 Debug-All -1471023532.920126 worker-1:2 NetControl::RULE EXPIRE NetControl::TIMEOUT NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 direct drop worker-1 Debug-All -1471023532.920126 worker-1:2 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 direct drop worker-1 Debug-All -1471023532.921768 worker-1:2 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 direct drop worker-1 Debug-All -1471023534.308087 2 NetControl::RULE 
REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - worker-2 0 600.000000 connection drop worker-1 Debug-All -1471023534.308087 2 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 600.000000 connection drop worker-1 Debug-All -1471023534.308087 4 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 3600.000000 Re-drop by catch-and-release: direct cr worker-1 Debug-All -1471023534.308087 4 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 3600.000000 Re-drop by catch-and-release: direct cr worker-1 Debug-All -#close 2016-08-12-17-38-54 diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol_catch_release.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol_catch_release.log deleted file mode 100644 index 54202fffbe..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol_catch_release.log +++ /dev/null 
@@ -1,18 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path netcontrol_catch_release -#open 2016-08-12-17-38-52 -#fields ts rule_id ip action block_interval watch_interval blocked_until watched_until num_blocked location message -#types time string addr enum interval interval time time count string string -1471023532.819263 2 192.168.18.50 NetControl::DROP 600.000000 3600.000000 1471024132.819263 1471027132.819263 1 connection drop worker-1 - -1471023532.819263 2 192.168.18.50 NetControl::DROPPED 600.000000 3600.000000 1471024132.819263 1471027132.819263 1 connection drop worker-1 - -1471023532.819263 worker-1:2 8.8.8.8 NetControl::ADDED 600.000000 3600.000000 - 1471027132.819263 1 direct cr worker-1 Address already blocked outside of catch-and-release. Catch and release will monitor and only actively block if it appears in network traffic. -1471023532.920126 worker-1:2 8.8.8.8 NetControl::UNBLOCK 600.000000 3600.000000 - 1471027132.819263 1 direct cr worker-1 - -1471023534.308087 2 192.168.18.50 NetControl::INFO 600.000000 3600.000000 1471024132.819263 1471027132.819263 1 connection drop worker-1 Block seen while in rule_entities. No action taken. -1471023534.308087 2 192.168.18.50 NetControl::UNBLOCK 600.000000 3600.000000 1471024132.819263 1471027132.819263 1 connection drop worker-1 worker-2 -1471023534.308087 4 8.8.8.8 NetControl::SEEN_AGAIN 3600.000000 86400.000000 1471027134.308087 1471109934.308087 2 direct cr worker-1 - -1471023534.308087 4 8.8.8.8 NetControl::DROPPED 3600.000000 86400.000000 1471027134.308087 1471109934.308087 2 direct cr worker-1 - -1471023532.239980 2 192.168.18.50 NetControl::INFO 600.000000 3600.000000 1471024132.819263 1471027132.819263 1 connection drop worker-1 Already blocked using catch-and-release - ignoring duplicate -#close 2016-08-12-17-38-54 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/worker-2..stdout deleted file mode 100644 index f61fe92474..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/worker-2..stdout +++ /dev/null @@ -1,9 +0,0 @@ -Suspend, worker-2 -New block, 192.168.18.50, [block_until=1471027194.791177, watch_until=1471030194.791177, num_reblocked=0, current_interval=0, current_block_id=2, location=connection drop worker-1] -New block, 8.8.8.8, [block_until=, watch_until=1471030194.791177, num_reblocked=0, current_interval=0, current_block_id=worker-1:2, location=direct cr worker-1] -Resume, worker-2 -Connection established -Info, [block_until=1471027194.791177, watch_until=1471030194.791177, num_reblocked=0, current_interval=0, current_block_id=2, location=connection drop worker-1] -Delete block, 192.168.18.50 -New block, 8.8.8.8, [block_until=1471030196.295249, watch_until=1471112996.295249, num_reblocked=1, current_interval=1, current_block_id=4, location=direct cr worker-1] -remote connection closed diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro deleted file mode 100644 index fd7de7e442..0000000000 --- a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro +++ /dev/null 
@@ -1,132 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" -# @TEST-EXEC: btest-bg-run worker-2 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-remove-timestamps' btest-diff manager-1/netcontrol.log -# @TEST-EXEC: btest-diff manager-1/netcontrol_catch_release.log -# @TEST-EXEC: btest-diff worker-2/.stdout - -@TEST-START-FILE cluster-layout.bro -redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], - ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], - ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth0"], -}; -@TEST-END-FILE - -redef exit_only_after_terminate = T; - -redef Log::default_rotation_interval = 0secs; - -@load base/frameworks/netcontrol -redef NetControl::catch_release_warn_blocked_ip_encountered = T; - -global ready_for_data_1: event(); -global ready_for_data_2: event(); -redef Cluster::manager2worker_events += /^ready_for_data_(1|2)$/; - -@if ( Cluster::local_node_type() == Cluster::MANAGER ) - -global peer_count = 0; -event remote_connection_handshake_done(p: event_peer) &priority=-5 - { - ++peer_count; - print "remote_connection_handshake_done", peer_count; - if ( peer_count == 2 ) - { - event ready_for_data_1(); - schedule 1.5sec { ready_for_data_2() }; - } - } - -@endif - -@if ( Cluster::local_node_type() == Cluster::WORKER ) -event bro_init() - { - print "Suspend", Cluster::node; - suspend_processing(); - } - -event 
remote_connection_closed(p: event_peer) { - print "remote connection closed"; - terminate(); -} -@endif - -@if ( Cluster::node == "worker-1" ) -event ready_for_data_1() - { - print "Resume", Cluster::node; - continue_processing(); - } -@endif - -@if ( Cluster::node == "worker-2" ) -event ready_for_data_2() - { - print "Resume", Cluster::node; - continue_processing(); - } -@endif - -event NetControl::init() - { - local netcontrol_debug = NetControl::create_debug(T); - NetControl::activate(netcontrol_debug, 0); - } - -global i: count = 0; - -event connection_established(c: connection) - { - print "Connection established"; - local id = c$id; - local info = NetControl::get_catch_release_info(id$orig_h); - print "Info", info; - NetControl::drop_address_catch_release(id$orig_h, cat("connection drop ", Cluster::node)); - if ( info$current_block_id != "" ) - { - NetControl::unblock_address_catch_release(id$orig_h, Cluster::node); - } - } - -@if ( Cluster::node == "worker-1" ) -event connection_established(c: connection) - { - NetControl::drop_address(8.8.8.8, 0.1secs, cat("direct drop ", Cluster::node)); - NetControl::drop_address_catch_release(8.8.8.8, cat("direct cr ", Cluster::node)); - } -@endif - -@if ( Cluster::node == "worker-2" ) -event connection_established(c: connection) - { - NetControl::catch_release_seen(8.8.8.8); - } -@endif - -event NetControl::catch_release_block_new(a: addr, b: NetControl::BlockInfo) - { - print "New block", a, b; - } - -event NetControl::catch_release_block_delete(a: addr) - { - print "Delete block", a; - } - -event terminate_me() { - terminate(); -} - -@if ( Cluster::local_node_type() == Cluster::MANAGER ) -event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string) - { - print "Scheduling terminate"; - schedule 3sec { terminate_me() }; - } -@endif From 2b3dcc273af53b5f917a97680dc1e464458f3499 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Thu, 16 Mar 2017 12:29:50 -0700 Subject: [PATCH 114/631] KRB: Fix small recently introduced files bug. is_orig was set incorrectly for responses. --- src/analyzer/protocol/krb/krb-padata.pac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/krb/krb-padata.pac b/src/analyzer/protocol/krb/krb-padata.pac index 4667ab1677..271958fcb4 100644 --- a/src/analyzer/protocol/krb/krb-padata.pac +++ b/src/analyzer/protocol/krb/krb-padata.pac @@ -100,7 +100,7 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a file_mgr->DataIn(reinterpret_cast(cert.data()), cert.length(), bro_analyzer->GetAnalyzerTag(), - bro_analyzer->Conn(), true, file_id, "application/x-x509-user-cert"); + bro_analyzer->Conn(), false, file_id, "application/x-x509-user-cert"); file_mgr->EndOfFile(file_id); break; From dcf49078573e3070a07cc83e842fac90637f9651 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 16 Mar 2017 13:50:32 -0700 Subject: [PATCH 115/631] Add CT log information to Bro This commit add the table SSL::ct_logs to Bro. This table is populated with information about the currently active certificate transparency logs (data from Google). The data can, e.g., be used to identify which Logs are being used in SCTs. --- scripts/base/protocols/ssl/__load__.bro | 1 + scripts/base/protocols/ssl/ct-list.bro | 34 +++++++++++++++++++ scripts/base/protocols/ssl/main.bro | 13 +++++++ .../.stdout | 8 ++--- .../.stdout | 6 ++-- .../x509/signed_certificate_timestamp.test | 2 +- .../ssl/signed_certificate_timestamp.test | 2 +- 7 files changed, 57 insertions(+), 9 deletions(-) create mode 100644 scripts/base/protocols/ssl/ct-list.bro diff --git a/scripts/base/protocols/ssl/__load__.bro b/scripts/base/protocols/ssl/__load__.bro index 42287fb039..b8e4d52523 100644 --- a/scripts/base/protocols/ssl/__load__.bro +++ b/scripts/base/protocols/ssl/__load__.bro 
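Review bot: The `is_orig` argument of `file_mgr->DataIn()` is now the literal `false`, which is correct only if this branch of `proc_padata` is reached solely for data sent by the responder; the `case` label it belongs to is above the hunk, so that cannot be confirmed here. The flag presumably decides which endpoint the certificate is attributed to in the file analysis output, so I would state the reason at the call, e.g. `// Certificate from the KDC reply: sent by the responder, so is_orig is false.`, and check that any request-side certificate branch in the function still passes `true`. A bare boolean in a seven-argument call is easy to get wrong again; a named local such as `const bool is_orig = false;` would make the intent visible. The commit touches only this file, so a test baseline that pins the direction of the extracted certificate would keep the fix from regressing.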
@@ -1,6 +1,7 @@ @load ./consts @load ./main @load ./mozilla-ca-list +@load ./ct-list @load ./files @load-sigs ./dpd.sig diff --git a/scripts/base/protocols/ssl/ct-list.bro b/scripts/base/protocols/ssl/ct-list.bro new file mode 100644 index 0000000000..600b644df2 --- /dev/null +++ b/scripts/base/protocols/ssl/ct-list.bro 
@@ -0,0 +1,34 @@ +# +# Do not edit this file. This file is automatically generated by gen-ct-list.pl +# File generated at Thu Mar 16 13:41:00 2017 +# File generated from https://www.certificate-transparency.org/known-logs/all_logs_list.json?attredirects=0&d=1 +# + +@load base/protocols/ssl +module SSL; +redef ct_logs += { +["\xa4\xb9\x09\x90\xb4\x18\x58\x14\x87\xbb\x13\xa2\xcc\x67\x70\x0a\x3c\x35\x98\x04\xf9\x1b\xdf\xb8\xe3\x77\xcd\x0e\xc8\x0d\xdc\x10"] = CTInfo($description="Google 'Pilot' log", $operator="Google", $url="ct.googleapis.com/pilot", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7d\xa8\x4b\x12\x29\x80\xa3\x3d\xad\xd3\x5a\x77\xb8\xcc\xe2\x88\xb3\xa5\xfd\xf1\xd3\x0c\xcd\x18\x0c\xe8\x41\x46\xe8\x81\x01\x1b\x15\xe1\x4b\xf1\x1b\x62\xdd\x36\x0a\x08\x18\xba\xed\x0b\x35\x84\xd0\x9e\x40\x3c\x2d\x9e\x9b\x82\x65\xbd\x1f\x04\x10\x41\x4c\xa0"), +["\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"] = CTInfo($description="Google 'Aviator' log", $operator="Google", $url="ct.googleapis.com/aviator", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xf4\xcc\x69\xb2\xe4\x0e\x90\xa3\x8a\xea\x5a\x70\x09\x4f\xef\x13\x62\xd0\x8d\x49\x60\xff\x1b\x40\x50\x07\x0c\x6d\x71\x86\xda\x25\x49\x8d\x65\xe1\x08\x0d\x47\x34\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85\x3b\x0d\xf7\x1f\x3f\xe9"), +["\x56\x14\x06\x9a\x2f\xd7\xc2\xec\xd3\xf5\xe1\xbd\x44\xb2\x3e\xc7\x46\x76\xb9\xbc\x99\x11\x5c\xc0\xef\x94\x98\x55\xd6\x89\xd0\xdd"] = CTInfo($description="DigiCert Log Server", $operator="DigiCert", $url="ct1.digicert-ct.com/log", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x02\x46\xc5\xbe\x1b\xbb\x82\x40\x16\xe8\xc1\xd2\xac\x19\x69\x13\x59\xf8\xf8\x70\x85\x46\x40\xb9\x38\xb0\x23\x82\xa8\x64\x4c\x7f\xbf\xbb\x34\x9f\x4a\x5f\x28\x8a\xcf\x19\xc4\x00\xf6\x36\x06\x93\x65\xed\x4c\xf5\xa9\x21\x62\x5a\xd8\x91\xeb\x38\x24\x40\xac\xe8"), +["\xee\x4b\xbd\xb7\x75\xce\x60\xba\xe1\x42\x69\x1f\xab\xe1\x9e\x66\xa3\x0f\x7e\x5f\xb0\x72\xd8\x83\x00\xc4\x7b\x89\x7a\xa8\xfd\xcb"] = CTInfo($description="Google 'Rocketeer' log", $operator="Google", $url="ct.googleapis.com/rocketeer", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x20\x5b\x18\xc8\x3c\xc1\x8b\xb3\x31\x08\x00\xbf\xa0\x90\x57\x2b\xb7\x47\x8c\x6f\xb5\x68\xb0\x8e\x90\x78\xe9\xa0\x73\xea\x4f\x28\x21\x2e\x9c\xc0\xf4\x16\x1b\xaa\xf9\xd5\xd7\xa9\x80\xc3\x4e\x2f\x52\x3c\x98\x01\x25\x46\x24\x25\x28\x23\x77\x2d\x05\xc2\x40\x7a"), +["\xcd\xb5\x17\x9b\x7f\xc1\xc0\x46\xfe\xea\x31\x13\x6a\x3f\x8f\x00\x2e\x61\x82\xfa\xf8\x89\x6f\xec\xc8\xb2\xf5\xb5\xab\x60\x49\x00"] = CTInfo($description="Certly.IO log", $operator="Certly", $url="log.certly.io", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x0b\x23\xcb\x85\x62\x98\x61\x48\x04\x73\xeb\x54\x5d\xf3\xd0\x07\x8c\x2d\x19\x2d\x8c\x36\xf5\xeb\x8f\x01\x42\x0a\x7c\x98\x26\x27\xc1\xb5\xdd\x92\x93\xb0\xae\xf8\x9b\x3d\x0c\xd8\x4c\x4e\x1d\xf9\x15\xfb\x47\x68\x7b\xba\x66\xb7\x25\x9c\xd0\x4a\xc2\x66\xdb\x48"), +["\x74\x61\xb4\xa0\x9c\xfb\x3d\x41\xd7\x51\x59\x57\x5b\x2e\x76\x49\xa4\x45\xa8\xd2\x77\x09\xb0\xcc\x56\x4a\x64\x82\xb7\xeb\x41\xa3"] = CTInfo($description="Izenpe log", $operator="Izenpe", $url="ct.izenpe.com", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x27\x64\x39\x0c\x2d\xdc\x50\x18\xf8\x21\x00\xa2\x0e\xed\x2c\xea\x3e\x75\xba\x9f\x93\x64\x09\x00\x11\xc4\x11\x17\xab\x5c\xcf\x0f\x74\xac\xb5\x97\x90\x93\x00\x5b\xb8\xeb\xf7\x27\x3d\xd9\xb2\x0a\x81\x5f\x2f\x0d\x75\x38\x94\x37\x99\x1e\xf6\x07\x76\xe0\xee\xbe"), +["\xdd\xeb\x1d\x2b\x7a\x0d\x4f\xa6\x20\x8b\x81\xad\x81\x68\x70\x7e\x2e\x8e\x9d\x01\xd5\x5c\x88\x8d\x3d\x11\xc4\xcd\xb6\xec\xbe\xcc"] = CTInfo($description="Symantec log", $operator="Symantec", $url="ct.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\xea\xac\x1c\x46\x0c\x1b\x55\xdc\x0d\xfc\xb5\x94\x27\x46\x57\x42\x70\x3a\x69\x18\xe2\xbf\x3b\xc4\xdb\xab\xa0\xf4\xb6\x6c\xc0\x53\x3f\x4d\x42\x10\x33\xf0\x58\x97\x8f\x6b\xbe\x72\xf4\x2a\xec\x1c\x42\xaa\x03\x2f\x1a\x7e\x28\x35\x76\x99\x08\x3d\x21\x14\x86"), +["\xac\x3b\x9a\xed\x7f\xa9\x67\x47\x57\x15\x9e\x6d\x7d\x57\x56\x72\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa1\x31\x3b\x75\x78\x2d"] = CTInfo($description="Venafi log", $operator="Venafi", $url="ctlog.api.venafi.com", $maximum_merge_delay=86400, 
$key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xa2\x5a\x48\x1f\x17\x52\x95\x35\xcb\xa3\x5b\x3a\x1f\x53\x82\x76\x94\xa3\xff\x80\xf2\x1c\x37\x3c\xc0\xb1\xbd\xc1\x59\x8b\xab\x2d\x65\x93\xd7\xf3\xe0\x04\xd5\x9a\x6f\xbf\xd6\x23\x76\x36\x4f\x23\x99\xcb\x54\x28\xad\x8c\x15\x4b\x65\x59\x76\x41\x4a\x9c\xa6\xf7\xb3\x3b\x7e\xb1\xa5\x49\xa4\x17\x51\x6c\x80\xdc\x2a\x90\x50\x4b\x88\x24\xe9\xa5\x12\x32\x93\x04\x48\x90\x02\xfa\x5f\x0e\x30\x87\x8e\x55\x76\x05\xee\x2a\x4c\xce\xa3\x6a\x69\x09\x6e\x25\xad\x82\x76\x0f\x84\x92\xfa\x38\xd6\x86\x4e\x24\x8f\x9b\xb0\x72\xcb\x9e\xe2\x6b\x3f\xe1\x6d\xc9\x25\x75\x23\x88\xa1\x18\x58\x06\x23\x33\x78\xda\x00\xd0\x38\x91\x67\xd2\xa6\x7d\x27\x97\x67\x5a\xc1\xf3\x2f\x17\xe6\xea\xd2\x5b\xe8\x81\xcd\xfd\x92\x68\xe7\xf3\x06\xf0\xe9\x72\x84\xee\x01\xa5\xb1\xd8\x33\xda\xce\x83\xa5\xdb\xc7\xcf\xd6\x16\x7e\x90\x75\x18\xbf\x16\xdc\x32\x3b\x6d\x8d\xab\x82\x17\x1f\x89\x20\x8d\x1d\x9a\xe6\x4d\x23\x08\xdf\x78\x6f\xc6\x05\xbf\x5f\xae\x94\x97\xdb\x5f\x64\xd4\xee\x16\x8b\xa3\x84\x6c\x71\x2b\xf1\xab\x7f\x5d\x0d\x32\xee\x04\xe2\x90\xec\x41\x9f\xfb\x39\xc1\x02\x03\x01\x00\x01"), +["\x9e\x4f\xf7\x3d\xc3\xce\x22\x0b\x69\x21\x7c\x89\x9e\x46\x80\x76\xab\xf8\xd7\x86\x36\xd5\xcc\xfc\x85\xa3\x1a\x75\x62\x8b\xa8\x8b"] = CTInfo($description="WoSign log", $operator="WoSign", $url="ct.wosign.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xec\x2f\x2b\x75\x4f\x37\xbc\xa3\x43\xba\x8b\x65\x66\x3c\x7d\x6a\xe5\x0c\x2a\xa6\xc2\xe5\x26\xfe\x0c\x7d\x4e\x7c\xf0\x3a\xbc\xe2\xd3\x22\xdc\x01\xd0\x1f\x6e\x43\x9c\x5c\x6e\x83\xad\x9c\x15\xf6\xc4\x8d\x60\xb5\x1d\xbb\xa3\x62\x69\x7e\xeb\xa7\xaa\x01\x9b"), +["\x41\xb2\xdc\x2e\x89\xe6\x3c\xe4\xaf\x1b\xa7\xbb\x29\xbf\x68\xc6\xde\xe6\xf9\xf1\xcc\x04\x7e\x30\xdf\xfa\xe3\xb3\xba\x25\x92\x63"] = CTInfo($description="WoSign ctlog", $operator="WoSign", 
$url="ctlog.wosign.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x11\x88\x7b\x2d\x66\xcb\xae\x8f\x4d\x30\x66\x27\x19\x25\x22\x93\x21\x46\xb4\x2f\x01\xd3\xc6\xf9\x2b\xd5\xc8\xba\x73\x9b\x06\xa2\xf0\x8a\x02\x9c\xd0\x6b\x46\x18\x30\x85\xba\xe9\x24\x8b\x0e\xd1\x5b\x70\x28\x0c\x7e\xf1\x3a\x45\x7f\x5a\xf3\x82\x42\x60\x31"), +["\xbc\x78\xe1\xdf\xc5\xf6\x3c\x68\x46\x49\x33\x4d\xa1\x0f\xa1\x5f\x09\x79\x69\x20\x09\xc0\x81\xb4\xf3\xf6\x91\x7f\x3e\xd9\xb8\xa5"] = CTInfo($description="Symantec VEGA log", $operator="Symantec", $url="vega.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xea\x95\x9e\x02\xff\xee\xf1\x33\x6d\x4b\x87\xbc\xcd\xfd\x19\x17\x62\xff\x94\xd3\xd0\x59\x07\x3f\x02\x2d\x1c\x90\xfe\xc8\x47\x30\x3b\xf1\xdd\x0d\xb8\x11\x0c\x5d\x1d\x86\xdd\xab\xd3\x2b\x46\x66\xfb\x6e\x65\xb7\x3b\xfd\x59\x68\xac\xdf\xa6\xf8\xce\xd2\x18\x4d"), +["\xa5\x77\xac\x9c\xed\x75\x48\xdd\x8f\x02\x5b\x67\xa2\x41\x08\x9d\xf8\x6e\x0f\x47\x6e\xc2\x03\xc2\xec\xbe\xdb\x18\x5f\x28\x26\x38"] = CTInfo($description="CNNIC CT log", $operator="CNNIC", $url="ctserver.cnnic.cn", $maximum_merge_delay=86400, 
$key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xbf\xb5\x08\x61\x9a\x29\x32\x04\xd3\x25\x63\xe9\xd8\x85\xe1\x86\xe0\x1f\xd6\x5e\x9a\xf7\x33\x3b\x80\x1b\xe7\xb6\x3e\x5f\x2d\xa1\x66\xf6\x95\x4a\x84\xa6\x21\x56\x79\xe8\xf7\x85\xee\x5d\xe3\x7c\x12\xc0\xe0\x89\x22\x09\x22\x3e\xba\x16\x95\x06\xbd\xa8\xb9\xb1\xa9\xb2\x7a\xd6\x61\x2e\x87\x11\xb9\x78\x40\x89\x75\xdb\x0c\xdc\x90\xe0\xa4\x79\xd6\xd5\x5e\x6e\xd1\x2a\xdb\x34\xf4\x99\x3f\x65\x89\x3b\x46\xc2\x29\x2c\x15\x07\x1c\xc9\x4b\x1a\x54\xf8\x6c\x1e\xaf\x60\x27\x62\x0a\x65\xd5\x9a\xb9\x50\x36\x16\x6e\x71\xf6\x1f\x01\xf7\x12\xa7\xfc\xbf\xf6\x21\xa3\x29\x90\x86\x2d\x77\xde\xbb\x4c\xd4\xcf\xfd\xd2\xcf\x82\x2c\x4d\xd4\xf2\xc2\x2d\xac\xa9\xbe\xea\xc3\x19\x25\x43\xb2\xe5\x9a\x6c\x0d\xc5\x1c\xa5\x8b\xf7\x3f\x30\xaf\xb9\x01\x91\xb7\x69\x12\x12\xe5\x83\x61\xfe\x34\x00\xbe\xf6\x71\x8a\xc7\xeb\x50\x92\xe8\x59\xfe\x15\x91\xeb\x96\x97\xf8\x23\x54\x3f\x2d\x8e\x07\xdf\xee\xda\xb3\x4f\xc8\x3c\x9d\x6f\xdf\x3c\x2c\x43\x57\xa1\x47\x0c\x91\x04\xf4\x75\x4d\xda\x89\x81\xa4\x14\x06\x34\xb9\x98\xc3\xda\xf1\xfd\xed\x33\x36\xd3\x16\x2d\x35\x02\x03\x01\x00\x01"), +["\xc9\xcf\x89\x0a\x21\x10\x9c\x66\x6c\xc1\x7a\x3e\xd0\x65\xc9\x30\xd0\xe0\x13\x5a\x9f\xeb\xa8\x5a\xf1\x42\x10\xb8\x07\x24\x21\xaa"] = CTInfo($description="Wang Shengnan GDCA log", $operator="Wang Shengnan", $url="ct.gdca.com.cn", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xad\x0f\x30\xad\x9e\x79\xa4\x38\x89\x26\x54\x86\xab\x41\x72\x90\x6f\xfb\xca\x17\xa6\xac\xee\xc6\x9f\x7d\x02\x05\xec\x41\xa8\xc7\x41\x9d\x32\x49\xad\xb0\x39\xbd\x3a\x87\x3e\x7c\xee\x68\x6c\x60\xd1\x47\x2a\x93\xae\xe1\x40\xf4\x0b\xc8\x35\x3c\x1d\x0f\x65\xd3"), +["\xa8\x99\xd8\x78\x0c\x92\x90\xaa\xf4\x62\xf3\x18\x80\xcc\xfb\xd5\x24\x51\xe9\x70\xd0\xfb\xf5\x91\xef\x75\xb0\xd9\x9b\x64\x56\x81"] = CTInfo($description="Google 'Submariner' 
log", $operator="Google", $url="ct.googleapis.com/submariner", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x39\xf8\x9f\x20\x62\xd4\x57\x55\x68\xa2\xef\x49\x2d\xf0\x39\x2d\x9a\xde\x44\xb4\x94\x30\xe0\x9e\x7a\x27\x3c\xab\x70\xf0\xd1\xfa\x51\x90\x63\x16\x57\x41\xad\xab\x6d\x1f\x80\x74\x30\x79\x02\x5e\x2d\x59\x84\x07\x24\x23\xf6\x9f\x35\xb8\x85\xb8\x42\x45\xa4\x4f"), +["\x89\x41\x44\x9c\x70\x74\x2e\x06\xb9\xfc\x9c\xe7\xb1\x16\xba\x00\x24\xaa\x36\xd5\x9a\xf4\x4f\x02\x04\x40\x4f\x00\xf7\xea\x85\x66"] = CTInfo($description="Izenpe 2nd log", $operator="Izenpe", $url="ct.izenpe.eus", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xc8\x0e\x23\x3e\x9e\x02\x3c\x9a\xb8\x07\x4a\x2a\x05\xff\x4a\x4b\x88\xd4\x8a\x4d\x39\xce\xf7\xc5\xf2\xb6\x37\xe9\xa3\xed\xe4\xf5\x45\x09\x0e\x67\x14\xfd\x53\x24\xd5\x3a\x94\xf2\xea\xb5\x13\xd9\x1d\x8b\x5c\xa7\xc3\xf3\x6b\xd8\x3f\x2d\x3b\x65\x72\x58\xd6"), +["\x34\xbb\x6a\xd6\xc3\xdf\x9c\x03\xee\xa8\xa4\x99\xff\x78\x91\x48\x6c\x9d\x5e\x5c\xac\x92\xd0\x1f\x7b\xfd\x1b\xce\x19\xdb\x48\xef"] = CTInfo($description="StartCom CT log", $operator="StartCom", $url="ct.startssl.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x48\xf3\x59\xf3\xf6\x05\x18\xd3\xdb\xb2\xed\x46\x7e\xcf\xc8\x11\xb5\x57\xb1\xa8\xd6\x4c\xe6\x9f\xb7\x4a\x1a\x14\x86\x43\xa9\x48\xb0\xcb\x5a\x3f\x3c\x4a\xca\xdf\xc4\x82\x14\x55\x9a\xf8\xf7\x8e\x40\x55\xdc\xf4\xd2\xaf\xea\x75\x74\xfb\x4e\x7f\x60\x86\x2e\x51"), +["\xbb\xd9\xdf\xbc\x1f\x8a\x71\xb5\x93\x94\x23\x97\xaa\x92\x7b\x47\x38\x57\x95\x0a\xab\x52\xe8\x1a\x90\x96\x64\x36\x8e\x1e\xd1\x85"] = CTInfo($description="Google 'Skydiver' log", $operator="Google", $url="ct.googleapis.com/skydiver", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x12\x6c\x86\x0e\xf6\x17\xb1\x12\x6c\x37\x25\xd2\xad\x87\x3d\x0e\x31\xec\x21\xad\xb1\xcd\xbe\x14\x47\xb6\x71\x56\x85\x7a\x9a\xb7\x3d\x89\x90\x7b\xc6\x32\x3a\xf8\xda\xce\x8b\x01\xfe\x3f\xfc\x71\x91\x19\x8e\x14\x6e\x89\x7a\x5d\xb4\xab\x7e\xe1\x4e\x1e\x7c\xac"), +["\x29\x3c\x51\x96\x54\xc8\x39\x65\xba\xaa\x50\xfc\x58\x07\xd4\xb7\x6f\xbf\x58\x7a\x29\x72\xdc\xa4\xc3\x0c\xf4\xe5\x45\x47\xf4\x78"] = CTInfo($description="Google 'Icarus' log", $operator="Google", $url="ct.googleapis.com/icarus", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x4e\xd2\xbc\xbf\xb3\x08\x0a\xf7\xb9\xea\xa4\xc7\x1c\x38\x61\x04\xeb\x95\xe0\x89\x54\x68\x44\xb1\x66\xbc\x82\x7e\x4f\x50\x6c\x6f\x5c\xa3\xf0\xaa\x3e\xf4\xec\x80\xf0\xdb\x0a\x9a\x7a\xa0\x5b\x72\x00\x7c\x25\x0e\x19\xef\xaf\xb2\x62\x8d\x74\x43\xf4\x26\xf6\x14"), +["\x92\x4a\x30\xf9\x09\x33\x6f\xf4\x35\xd6\x99\x3a\x10\xac\x75\xa2\xc6\x41\x72\x8e\x7f\xc2\xd6\x59\xae\x61\x88\xff\xad\x40\xce\x01"] = CTInfo($description="GDCA log", $operator="GDCA", $url="ctlog.gdca.com.cn", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x5b\x4a\xc7\x01\xb7\x74\x54\xba\x40\x9c\x43\x75\x94\x3f\xac\xef\xb3\x71\x56\xb8\xd3\xe2\x7b\xae\xa1\xb1\x3e\x53\xaa\x97\x33\xa1\x82\xbb\x5f\x5d\x1c\x0b\xfa\x85\x0d\xbc\xf7\xe5\xa0\xe0\x22\xf0\xa0\x89\xd9\x0a\x7f\x5f\x26\x94\xd3\x24\xe3\x99\x2e\xe4\x15\x8d"), +["\x1d\x02\x4b\x8e\xb1\x49\x8b\x34\x4d\xfd\x87\xea\x3e\xfc\x09\x96\xf7\x50\x6f\x23\x5d\x1d\x49\x70\x61\xa4\x77\x3c\x43\x9c\x25\xfb"] = CTInfo($description="Google 'Daedalus' log", $operator="Google", $url="ct.googleapis.com/daedalus", $maximum_merge_delay=604800, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x6e\x0c\x1c\xba\xee\x2b\x6a\x41\x85\x60\x1d\x7b\x7e\xab\x08\x2c\xfc\x0c\x0a\xa5\x08\xb3\x3e\xd5\x70\x24\xd1\x6d\x1d\x2d\xb6\xb7\xf3\x8b\x36\xdc\x23\x4d\x95\x63\x12\xbb\xe4\x86\x8d\xcc\xe9\xd1\xee\xa1\x40\xa2\xdf\x0b\xa3\x06\x0a\x30\xca\x8d\xac\xa4\x29\x56"), +["\xe0\x12\x76\x29\xe9\x04\x96\x56\x4e\x3d\x01\x47\x98\x44\x98\xaa\x48\xf8\xad\xb1\x66\x00\xeb\x79\x02\xa1\xef\x99\x09\x90\x62\x73"] = CTInfo($description="PuChuangSiDa log", $operator="Beijing PuChuangSiDa Technology Ltd.", $url="www.certificatetransparency.cn/ct/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xac\xcf\x2f\x4b\x70\xac\xf1\x0d\x96\xbf\xe8\x0a\xfe\x44\x9d\xd4\x8c\x17\x9d\xc3\x9a\x10\x11\x84\x13\xed\x8c\xf9\x37\x6d\x83\xe4\x00\x6f\xb1\x4b\xc0\xa6\x89\xc7\x61\x8f\x9a\x34\xbb\x56\x52\xca\x03\x56\x50\xef\x24\x7f\x4b\x49\xe9\x35\x81\xdd\xf0\xe7\x17\xf5\x72\xd2\x23\xc5\xe3\x13\x7f\xd7\x8e\x78\x35\x8f\x49\xde\x98\x04\x8a\x63\xaf\xad\xa2\x39\x70\x95\x84\x68\x4b\x91\x33\xfe\x4c\xe1\x32\x17\xc2\xf2\x61\xb8\x3a\x8d\x39\x7f\xd5\x95\x82\x3e\x56\x19\x50\x45\x6f\xcb\x08\x33\x0d\xd5\x19\x42\x08\x1a\x48\x42\x10\xf1\x68\xc3\xc3\x41\x13\xcb\x0d\x1e\xdb\x02\xb7\x24\x7a\x51\x96\x6e\xbc\x08\xea\x69\xaf\x6d\xef\x92\x98\x8e\x55\xf3\x65\xe5\xe8\x9c\xbe\x1a\x47\x60\x30\x7d\x7a\x80\xad\x56\x83\x7a\x93\xc3\xae\x93\x2b\x6a\x28\x8a\xa6\x5f\x63\x19\x0c\xbe\x7c\x7b\x21\x63\x41\x38\xb7\xf7\xe8\x76\x73\x6b\x85\xcc\xbc\x72\x2b\xc1\x52\xd0\x5b\x5d\x31\x4e\x9d\x2a\xf3\x4d\x9b\x64\x14\x99\x26\xc6\x71\xf8\x7b\xf8\x44\xd5\xe3\x23\x20\xf3\x0a\xd7\x8b\x51\x3e\x72\x80\xd2\x78\x78\x35\x2d\x4a\xe7\x40\x99\x11\x95\x34\xd4\x2f\x7f\xf9\x5f\x35\x37\x02\x03\x01\x00\x01"), +["\x03\x01\x9d\xf3\xfd\x85\xa6\x9a\x8e\xbd\x1f\xac\xc6\xda\x9b\xa7\x3e\x46\x97\x74\xfe\x77\xf5\x79\xfc\x5a\x08\xb8\x32\x8c\x1d\x6b"] = 
CTInfo($description="Venafi Gen2 CT log", $operator="Venafi", $url="https://ctlog-gen2.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x8e\x27\x27\x7a\xb6\x55\x09\x74\xeb\x6c\x4b\x94\x84\x65\xbc\xe4\x15\xf1\xea\x5a\xd8\x7c\x0e\x37\xce\xba\x3f\x6c\x09\xda\xe7\x29\x96\xd3\x45\x50\x6f\xde\x1e\xb4\x1c\xd2\x83\x88\xff\x29\x2f\xce\xa9\xff\xdf\x34\xde\x75\x0f\xc0\xcc\x18\x0d\x94\x2e\xfc\x37\x01"), +["\x15\x97\x04\x88\xd7\xb9\x97\xa0\x5b\xeb\x52\x51\x2a\xde\xe8\xd2\xe8\xb4\xa3\x16\x52\x64\x12\x1a\x9f\xab\xfb\xd5\xf8\x5a\xd9\x3f"] = CTInfo($description="Symantec SIRIUS log", $operator="Symantec", $url="sirius.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa3\x02\x64\x84\x22\xbb\x25\xec\x0d\xe3\xbc\xc2\xc9\x89\x7d\xdd\x45\xd0\xee\xe6\x15\x85\x8f\xd9\xe7\x17\x1b\x13\x80\xea\xed\xb2\x85\x37\xad\x6a\xc5\xd8\x25\x9d\xfa\xf4\xb4\xf3\x6e\x16\x28\x25\x37\xea\xa3\x37\x64\xb2\xc7\x0b\xfd\x51\xe5\xc1\x05\xf4\x0e\xb5"), +["\x87\x75\xbf\xe7\x59\x7c\xf8\x8c\x43\x99\x5f\xbd\xf3\x6e\xff\x56\x8d\x47\x56\x36\xff\x4a\xb5\x60\xc1\xb4\xea\xff\x5e\xa0\x83\x0f"] = CTInfo($description="DigiCert CT2 log", $operator="DigiCert", $url="ct2.digicert-ct.com/log", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x5d\x39\x2f\x66\xb8\x4c\x7f\xc1\x2e\x03\xa1\x34\xa3\xe8\x8a\x86\x02\xae\x4a\x11\xc6\xf7\x26\x6a\x37\x9b\xf0\x38\xf8\x5d\x09\x8d\x63\xe8\x31\x6b\x86\x66\xcf\x79\xb3\x25\x3c\x1e\xdf\x78\xb4\xa8\xc5\x69\xfa\xb7\xf0\x82\x79\x62\x43\xf6\xcc\xfe\x81\x66\x84"), +}; diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index 858fa343bb..dbe5f2bccd 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro 
@@ -74,6 +74,19 @@ export { ## script sets this to Mozilla's root CA list. const root_certs: table[string] of string = {} &redef; + type CTInfo: record { + description: string; + operator: string; + key: string; + maximum_merge_delay: count; + url: string; + }; + + ## The Certificate Transparency log bundle. By default, the ct-list.bro + ## script sets this to the current list of known logs. Entries + ## are indexex by (binary) log-id. + const ct_logs: table[string] of CTInfo = {} &redef; + ## If true, detach the SSL analyzer from the connection to prevent ## continuing to process encrypted traffic. Helps with performance ## (especially with large file transfers). diff --git a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout index 4b81b287a6..a27331e535 100644 --- a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout +++ b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout @@ -1,4 +1,4 @@ -0, 1474927230.876, 4, 3 -0, 1474927232.863, 4, 3 -0, 1474927232.112, 4, 3 -0, 1474927232.304, 4, 3 +0, Symantec log, 1474927230.876, 4, 3 +0, Google 'Rocketeer' log, 1474927232.863, 4, 3 +0, Google 'Aviator' log, 1474927232.112, 4, 3 +0, Google 'Pilot' log, 1474927232.304, 4, 3 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout index abed68df42..bc56f161ab 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout 
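Review bot: The new `CTInfo` record in the main.bro hunk has no per-field documentation, and the `ct_logs` comment contains a typo ("indexex"). Later in this series `key` is handed to `sct_verify`, which parses it as a DER-encoded SubjectPublicKeyInfo, so the record should say so, e.g. `## key: DER-encoded SubjectPublicKeyInfo of the log's public key.`. The unit of `maximum_merge_delay` (presumably seconds) should be stated as well, and the comment line should read `## are indexed by (binary) log-id.`. The enclosing `export` block starts and ends outside the hunk.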
@@ -1,3 +1,3 @@ -0, 1406997753.366, [HashAlgorithm=4, SignatureAlgorithm=3] -0, 1407002457.456, [HashAlgorithm=4, SignatureAlgorithm=3] -0, 1410299366.023, [HashAlgorithm=4, SignatureAlgorithm=3] +0, Google 'Pilot' log, 1406997753.366, [HashAlgorithm=4, SignatureAlgorithm=3] +0, Google 'Aviator' log, 1407002457.456, [HashAlgorithm=4, SignatureAlgorithm=3] +0, Google 'Rocketeer' log, 1410299366.023, [HashAlgorithm=4, SignatureAlgorithm=3] diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test index 5203bda7ee..5b4c02dd01 100644 --- a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test @@ -3,5 +3,5 @@ event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string) { - print version, timestamp, hash_algorithm, signature_algorithm; + print version, SSL::ct_logs[logid]$description, timestamp, hash_algorithm, signature_algorithm; } diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test index 80a041c316..bcc0a87637 100644 --- a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test @@ -3,5 +3,5 @@ event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) { - print version, timestamp, signature_and_hashalgorithm; + print version, SSL::ct_logs[logid]$description, timestamp, signature_and_hashalgorithm; } From d50bddfbfbf196dc88ba097aa1c0095ff9c5c2eb Mon Sep 17 00:00:00 2001 
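Review bot: `SSL::ct_logs[logid]$description` in the changed `print` line of files/x509/signed_certificate_timestamp.test indexes the table without a membership check, so an SCT whose log id is missing from the bundle should abort the handler with an index error instead of printing the record. That may be acceptable for a fixed trace, but the pattern is likely to be copied into production scripts, where the log id comes from the peer. Guard it with `if ( logid !in SSL::ct_logs ) return;` or print a placeholder description for unknown logs. The same lookup is in the protocols/ssl test hunk on this line and in the later revisions of both tests in this series.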
From: Johanna Amann Date: Thu, 16 Mar 2017 18:18:39 -0700 Subject: [PATCH 116/631] SCT: pass timestamp as uint64 instead of time For verification, we need the exact uint64 as it was seen on the wire; converting it to a double might mean that we loose precision. --- src/analyzer/protocol/ssl/events.bif | 5 +++-- src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 2 +- src/file_analysis/analyzer/x509/events.bif | 5 +++-- src/file_analysis/analyzer/x509/x509-extension.pac | 2 +- .../base/files/x509/signed_certificate_timestamp.test | 4 ++-- .../base/protocols/ssl/signed_certificate_timestamp.test | 4 ++-- 6 files changed, 12 insertions(+), 10 deletions(-) diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 5f0e0c4557..721fcd249c 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -238,13 +238,14 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec ## ## logid: 32 bit key id ## -## timestamp: the current NTP Time +## timestamp: the NTP Time when the entry was logged measured since +## the epoch, ignoring leap seconds, in milliseconds. ## ## signature_and_hashalgorithm: signature and hash algorithm used for the ## digitally_signed struct ## ## signature: signature part of the digitally_signed struct -event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); +event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with ## an unencrypted handshake, and Bro extracts as much information out of that 
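Review bot: The documentation block edited in the ssl/events.bif hunk still describes `logid` as a "32 bit key id", but the log ids used as table keys earlier in this series are 32 bytes long (RFC 6962 defines the log id as the SHA-256 hash of the log's public key). While the timestamp text is being corrected, that line should become `## logid: 32 byte log id (SHA-256 hash of the log's public key)`. The same wording is in the x509/events.bif hunk of this commit. It would also help to say that the epoch is the Unix epoch, since "NTP Time" alone can be read as the 1900 NTP epoch and the value is now handed to scripts as a raw `count`.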
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 6882e48cbb..d7ccef45b6 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -259,7 +259,7 @@ refine connection Handshake_Conn += { bro_analyzer()->Conn(), ${rec.is_orig}, version, new StringVal(logid.length(), reinterpret_cast(logid.begin())), - ((double)timestamp)/1000, + timestamp, ha, new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin())) ); diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif index f8084fa864..206555e9dd 100644 --- a/src/file_analysis/analyzer/x509/events.bif +++ b/src/file_analysis/analyzer/x509/events.bif @@ -67,10 +67,11 @@ event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternati ## ## logid: 32 bit key id ## -## timestamp: the timestamp of the sct +## timestamp: the NTP Time when the entry was logged measured since +## the epoch, ignoring leap seconds, in milliseconds. ## ## signature_and_hashalgorithm: signature and hash algorithm used for the ## digitally_signed struct ## ## signature: signature part of the digitally_signed struct -event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string%); +event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string%); diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac index e77a82307a..937706fd3b 100644 --- a/src/file_analysis/analyzer/x509/x509-extension.pac +++ b/src/file_analysis/analyzer/x509/x509-extension.pac 
@@ -39,7 +39,7 @@ refine connection MockConnection += { bro_analyzer()->GetFile()->GetVal()->Ref(), version, new StringVal(logid.length(), reinterpret_cast(logid.begin())), - ((double)timestamp)/1000, + timestamp, digitally_signed_algorithms->HashAlgorithm(), digitally_signed_algorithms->SignatureAlgorithm(), new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin())) diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test index 5b4c02dd01..c0fe06d4d3 100644 --- a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test @@ -1,7 +1,7 @@ # @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT # @TEST-EXEC: btest-diff .stdout -event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string) +event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) { - print version, SSL::ct_logs[logid]$description, timestamp, hash_algorithm, signature_algorithm; + print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm; } diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test index bcc0a87637..d0eaacd096 100644 --- a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test 
@@ -1,7 +1,7 @@ # @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT # @TEST-EXEC: btest-diff .stdout -event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) +event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) { - print version, SSL::ct_logs[logid]$description, timestamp, signature_and_hashalgorithm; + print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), signature_and_hashalgorithm; } From 05915571dbc0bc8697c9a40b3f8f3d33beb37c6e Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 20 Mar 2017 12:17:40 -0700 Subject: [PATCH 117/631] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 96583ab378..cf7ea4e1ad 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 96583ab378b1de32ac9804246e1b0e2845fc8b3e +Subproject commit cf7ea4e1ad18920058f32e95bbea3bdd765b6094 From ca51dfc9c7ea47bb63de5f00aa68a92d05eff0e1 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 22 Mar 2017 14:37:37 -0500 Subject: [PATCH 118/631] Fix a test that was failing on some platforms Fixed by sorting the .stderr file, since the ordering of lines was not consistent on all platforms. --- .../scripts/base/frameworks/input/missing-file-initially.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro index 73fd57284e..4db255b69d 100644 --- a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro 
+++ b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro @@ -8,7 +8,7 @@ # @TEST-EXEC: sleep 2; mv does-not-exist.dat does-not-exist-again.dat; echo "Streaming still works" >> does-not-exist-again.dat # @TEST-EXEC: btest-bg-wait -k 3 # @TEST-EXEC: btest-diff bro/.stdout -# @TEST-EXEC: btest-diff bro/.stderr +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff bro/.stderr @TEST-START-FILE does-exist.dat #separator \x09 From c403a7f4e69be16c71d74b307cf17064edbbaf37 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 17 Mar 2017 11:40:49 -0700 Subject: [PATCH 119/631] SCT: add validation of proofs for extensions and OCSP. This does not yet work for certificates, because this requires some changing the ASN.1 structure before validation (we need to extract the tbscert and remove the SCT extension before). API will change in the future. --- src/analyzer/protocol/ssl/functions.bif | 1 + src/file_analysis/analyzer/x509/functions.bif | 95 +++++++++++++++++++ .../.stdout | 6 ++ .../.stdout | 6 ++ .../signed_certificate_timestamp_ocsp.test | 31 ++++++ .../ssl/signed_certificate_timestamp.test | 32 +++++++ 6 files changed, 171 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout create mode 100644 testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test diff --git a/src/analyzer/protocol/ssl/functions.bif b/src/analyzer/protocol/ssl/functions.bif index f7fa76ca36..17720bcbb1 100644 --- a/src/analyzer/protocol/ssl/functions.bif +++ b/src/analyzer/protocol/ssl/functions.bif @@ -1,6 +1,7 @@ %%{ #include "analyzer/protocol/ssl/SSL.h" +#include %%} ## Sets if the SSL analyzer should consider the connection established (handshake diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 0fe65c7d55..161a009515 100644 --- a/src/file_analysis/analyzer/x509/functions.bif 
+++ b/src/file_analysis/analyzer/x509/functions.bif @@ -1,6 +1,7 @@ %%{ #include "file_analysis/analyzer/x509/X509.h" #include "types.bif.h" +#include "net_util.h" #include #include 
@@ -543,6 +544,100 @@ x509_verify_chainerror: return rrecord; %} +function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count%): bool + %{ + assert(cert); + file_analysis::X509Val* h = (file_analysis::X509Val*) cert; + X509* x = ((file_analysis::X509Val*) h)->GetCertificate(); + + assert(sizeof(timestamp) >= 8); + uint64_t timestamp_network = htonll(timestamp); + + std::string data; + data.push_back(0); // version + data.push_back(0); // signature_type -> certificate_timestamp + data.append(reinterpret_cast(×tamp_network), sizeof(timestamp_network)); // timestamp -> 64 bits + data.append("\0\0", 2); // entry-type: x509_entry + + unsigned char *cert_out = nullptr; + uint32 cert_length = i2d_X509(x, &cert_out); + assert( cert_out ); + uint32 cert_length_network = htonl(cert_length); + assert( sizeof(cert_length_network) == 4); + + data.append(reinterpret_cast(&cert_length_network)+1, 3); // 3 bytes certificate length + data.append(reinterpret_cast(cert_out), cert_length); // der-encoded certificate + OPENSSL_free(cert_out); + data.append("\0\0", 2); // no extensions + + // key is given as a DER-encoded SubjectPublicKeyInfo. + const unsigned char *key_char = log_key->Bytes(); + EVP_PKEY* key = d2i_PUBKEY(nullptr, &key_char, log_key->Len()); + + EVP_MD_CTX *mdctx = EVP_MD_CTX_create(); + assert(mdctx); + + string errstr; + int success = 0; + + const EVP_MD* hash; + // numbers from http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 + switch ( hash_algorithm ) + { + case 1: + hash = EVP_md5(); + break; + case 2: + hash = EVP_sha1(); + break; + case 3: + hash = EVP_sha224(); + break; + case 4: + hash = EVP_sha256(); + break; + case 5: + hash = EVP_sha384(); + break; + case 6: + hash = EVP_sha512(); + break; + default: + errstr = "Unknown hash algorithm"; + goto sct_verify_err; + } + + if ( ! 
key ) + { + errstr = "Could not load log key"; + goto sct_verify_err; + } + + if ( ! EVP_DigestVerifyInit(mdctx, NULL, hash, NULL, key) ) + { + errstr = "Could not init signature verification"; + goto sct_verify_err; + } + + if ( ! EVP_DigestVerifyUpdate(mdctx, data.data(), data.size()) ) + { + errstr = "Could not update digest for verification"; + goto sct_verify_err; + } + + success = EVP_DigestVerifyFinal(mdctx, signature->Bytes(), signature->Len()); + EVP_MD_CTX_destroy(mdctx); + + return new Val(success, TYPE_BOOL); + +sct_verify_err: + if (mdctx) + EVP_MD_CTX_destroy(mdctx); + cerr << errstr << endl; + reporter->Error("%s", errstr.c_str()); + return new Val(0, TYPE_BOOL); + %} + ## Get the hash of issuer name of a certificate ## ## cert: The X509 certificate opaque handle. diff --git a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout new file mode 100644 index 0000000000..5384f4e6b7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout @@ -0,0 +1,6 @@ +0, Google 'Pilot' log, 1406997753.366, 4, 3 +Verify of, Google 'Pilot' log, T +Bad verify of, Google 'Pilot' log, F +0, Google 'Aviator' log, 1407002457.456, 4, 3 +Verify of, Google 'Aviator' log, T +Bad verify of, Google 'Aviator' log, F diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout index bc56f161ab..342228a1cf 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout 
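Review bot: In `sct_verify`, the result of `EVP_DigestVerifyFinal` goes straight into `new Val(success, TYPE_BOOL)`, but OpenSSL returns 1 only for a valid signature, 0 for an invalid one and other values for internal errors, so an error return could surface to scripts as a true result. Compare explicitly: `success = EVP_DigestVerifyFinal(mdctx, signature->Bytes(), signature->Len()) == 1;`. The `EVP_PKEY` returned by `d2i_PUBKEY` is never released on either path and needs `EVP_PKEY_free(key);` before both returns. The `assert` calls on `cert` and `cert_out` vanish in release builds, and `i2d_X509` can return a negative length that ends up in the unsigned `cert_length`, so these should be real checks that jump to `sct_verify_err`.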
@@ -1,3 +1,9 @@ 0, Google 'Pilot' log, 1406997753.366, [HashAlgorithm=4, SignatureAlgorithm=3] 0, Google 'Aviator' log, 1407002457.456, [HashAlgorithm=4, SignatureAlgorithm=3] 0, Google 'Rocketeer' log, 1410299366.023, [HashAlgorithm=4, SignatureAlgorithm=3] +Verify of, Google 'Pilot' log, T +Bad verify of, Google 'Pilot' log, F +Verify of, Google 'Aviator' log, T +Bad verify of, Google 'Aviator' log, F +Verify of, Google 'Rocketeer' log, T +Bad verify of, Google 'Rocketeer' log, F diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test new file mode 100644 index 0000000000..01ed128541 --- /dev/null +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test @@ -0,0 +1,31 @@ +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) + { + print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm; + + if ( |f$conns| != 1 ) + return; + + for ( cid in f$conns ) + { + if ( ! f$conns[cid]?$ssl ) + return; + + local c = f$conns[cid]; + } + + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + local cert = c$ssl$cert_chain[0]$x509$handle; + + print "Verify of", SSL::ct_logs[logid]$description, sct_verify(cert, logid, SSL::ct_logs[logid]$key, signature, timestamp, hash_algorithm); + print "Bad verify of", SSL::ct_logs[logid]$description, sct_verify(cert, logid, SSL::ct_logs[logid]$key, signature, timestamp+1, hash_algorithm); + } 
diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test index d0eaacd096..0b9c5fc157 100644 --- a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test @@ -1,7 +1,39 @@ # @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT # @TEST-EXEC: btest-diff .stdout +export { + type LogInfo: record { + version: count; + logid: string; + timestamp: count; + sig_alg: count; + hash_alg: count; + signature: string; + }; +} + +redef record SSL::Info += { + ct_proofs: vector of LogInfo &default=vector(); +}; + event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) { print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), signature_and_hashalgorithm; + c$ssl$ct_proofs[|c$ssl$ct_proofs|] = LogInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature); + } + +event ssl_established(c: connection) + { + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + local cert = c$ssl$cert_chain[0]$x509$handle; + + for ( i in c$ssl$ct_proofs ) + { + local log = c$ssl$ct_proofs[i]; + + print "Verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp, log$hash_alg); + print "Bad verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp+1, log$hash_alg); + } } From 41a2028dee5b6a885e645386d1c71f49000e8611 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Fri, 17 Mar 2017 13:53:50 -0700 Subject: [PATCH 120/631] SCT: only compare correct OID/NID for Cert/OCSP. The old way of doing it did not really cause problems - but now only the OID that can be used in practice is checked. --- src/file_analysis/analyzer/x509/OCSP.cc | 2 +- src/file_analysis/analyzer/x509/X509.cc | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 7a6a3c9a12..6ce51f9dd3 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -345,7 +345,7 @@ clean_up: void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) { #ifdef NID_ct_cert_scts - if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) + if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts ) #else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.5") == 0 ) #endif diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index f9ec91c9d1..b26bd4a1da 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -241,9 +241,9 @@ void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa ParseSAN(ex); #ifdef NID_ct_cert_scts - else if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) + else if ( OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) #else - else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 || strcmp(oid, "1.3.6.1.4.1.11129.2.4.4") == 0 ) + else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 ) #endif ParseSignedCertificateTimestamps(ex); } From 115a676d0838ed1e70b97b5943fcda652bdbdf57 Mon Sep 17 00:00:00 2001 
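Review bot: In the X509.cc hunk the preprocessor guard still tests `NID_ct_cert_scts` while the branch now uses only `NID_ct_precert_scts`; the guard should name the macro the code depends on, `#ifdef NID_ct_precert_scts`. Both NIDs presumably arrive with the same OpenSSL release, so this is unlikely to break a build today, but the mismatch hides the dependency. A short comment on each branch, here and in the OCSP.cc hunk, stating which OID is the certificate-embedded SCT list and which is the OCSP one would keep the two from being mixed up again. `ParseExtensionsSpecific` starts and ends outside both hunks.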
From: Johanna Amann Date: Fri, 17 Mar 2017 15:53:47 -0700 Subject: [PATCH 121/631] SCT: Allow verification of SCTs in Certs. This is much more complex than the TLS Extension/OCSP cases. We need to first alter the certificate and remove the extension from it, before extracting the tbscert. Furthermore, we need the key hash of the issuing certificate to be able to validate the proof - which means that we need a valid certificate chain. Missing: documentation, nice integration so that we can just add a script and use this in Bro. --- .../policy/protocols/ssl/validate-certs.bro | 39 ++- src/file_analysis/analyzer/x509/functions.bif | 286 +++++++++++------- .../.stdout | 8 + .../x509/signed_certificate_timestamp.test | 55 ++++ 4 files changed, 277 insertions(+), 111 deletions(-) diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index 97072e4cab..5ab2017cc6 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro @@ -19,12 +19,17 @@ export { redef record Info += { ## Result of certificate validation for this connection. validation_status: string &log &optional; + ## Result of certificate validation for this connection, given + ## as OpenSSL validation code. + validation_code: count &optional; + ## Ordered chain of validated certificate, if validation succeeded. + valid_chain: vector of opaque of x509 &optional; }; - ## MD5 hash values for recently validated chains along with the + ## Result values for recently validated chains along with the ## validation status are kept in this table to avoid constant ## validation every time the same certificate chain is seen. - global recently_validated_certs: table[string] of string = table() + global recently_validated_certs: table[string] of X509::Result = table() &read_expire=5mins &redef; ## Use intermediate CA certificate caching when trying to validate 
@@ -39,6 +44,11 @@ export { ## that you encounter. Only disable if you want to find misconfigured servers. global ssl_cache_intermediate_ca: bool = T &redef; + ## Store the valid chain in c$ssl$valid_chain if validation succeeds. + ## This has a potentially high memory impact, depending on the local environment + ## and is thus disabled by default. + global ssl_store_valid_chain: bool = F &redef; + ## Event from a worker to the manager that it has encountered a new ## valid intermediate. global intermediate_add: event(key: string, value: vector of opaque of x509); @@ -83,7 +93,7 @@ event SSL::new_intermediate(key: string, value: vector of opaque of x509) } @endif -function cache_validate(chain: vector of opaque of x509): string +function cache_validate(chain: vector of opaque of x509): X509::Result { local chain_hash: vector of string = vector(); @@ -97,7 +107,10 @@ function cache_validate(chain: vector of opaque of x509): string return recently_validated_certs[chain_id]; local result = x509_verify(chain, root_certs); - recently_validated_certs[chain_id] = result$result_string; + if ( ! ssl_store_valid_chain && result?$chain_certs ) + recently_validated_certs[chain_id] = X509::Result($result=result$result, $result_string=result$result_string); + else + recently_validated_certs[chain_id] = result; # if we have a working chain where we did not store the intermediate certs # in our cache yet - do so @@ -120,7 +133,7 @@ function cache_validate(chain: vector of opaque of x509): string } } - return result$result_string; + return result; } event ssl_established(c: connection) &priority=3 
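Review bot: With `ssl_store_valid_chain` at its default of F, `cache_validate` strips `chain_certs` only from the copy it puts into `recently_validated_certs` and still ends with `return result;`, so on a cache miss the caller receives the full chain. The `ssl_established` handler in the following hunks copies `result$chain_certs` into `c$ssl$valid_chain` whenever the field is present, so the first connection for each chain keeps the certificates in memory despite the option while later cache hits do not. Returning the stored entry, `return recently_validated_certs[chain_id];`, makes both paths agree. The body of `cache_validate` is only partly visible in these hunks, so confirm against the full function.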
@@ -133,7 +146,7 @@ event ssl_established(c: connection) &priority=3 local intermediate_chain: vector of opaque of x509 = vector(); local issuer = c$ssl$cert_chain[0]$x509$certificate$issuer; local hash = c$ssl$cert_chain[0]$sha1; - local result: string; + local result: X509::Result; # Look if we already have a working chain for the issuer of this cert. # If yes, try this chain first instead of using the chain supplied from @@ -145,9 +158,12 @@ event ssl_established(c: connection) &priority=3 intermediate_chain[i+1] = intermediate_cache[issuer][i]; result = cache_validate(intermediate_chain); - if ( result == "ok" ) + if ( result$result_string == "ok" ) { - c$ssl$validation_status = result; + c$ssl$validation_status = result$result_string; + c$ssl$validation_code = result$result; + if ( result?$chain_certs ) + c$ssl$valid_chain = result$chain_certs; return; } } @@ -163,9 +179,12 @@ event ssl_established(c: connection) &priority=3 } result = cache_validate(chain); - c$ssl$validation_status = result; + c$ssl$validation_status = result$result_string; + c$ssl$validation_code = result$result; + if ( result?$chain_certs ) + c$ssl$valid_chain = result$chain_certs; - if ( result != "ok" ) + if ( result$result_string != "ok" ) { local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status); NOTICE([$note=Invalid_Server_Cert, $msg=message, diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 161a009515..83e73e5d46 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif 
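Review bot: `c$ssl$valid_chain` is filled whenever `result?$chain_certs` is true, in both places where this handler stores the result, and neither checks `ssl_store_valid_chain`. `cache_validate` strips `chain_certs` only from the copy it puts into `recently_validated_certs` and still returns the full `result` on a cache miss, so with the option left at `F` the chain is kept on the connection record for first-seen chains and missing for cached ones. Guarding both assignments with `if ( ssl_store_valid_chain && result?$chain_certs )` makes the field match the option's documented meaning and keeps the memory cost opt-in. The handler begins before these hunks and continues after them.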
@@ -140,6 +140,33 @@ X509* x509_get_ocsp_signer(STACK_OF(X509) *certs, OCSP_RESPID *rid) return 0; } +const EVP_MD* hash_to_evp(int hash) + { + switch ( hash ) + { + case 1: + return EVP_md5(); + break; + case 2: + return EVP_sha1(); + break; + case 3: + return EVP_sha224(); + break; + case 4: + return EVP_sha256(); + break; + case 5: + return EVP_sha384(); + break; + case 6: + return EVP_sha512(); + break; + default: + return nullptr; + } + } + %%} ## Parses a certificate into an X509::Certificate structure. @@ -544,7 +571,7 @@ x509_verify_chainerror: return rrecord; %} -function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count%): bool +function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""%): bool %{ assert(cert); file_analysis::X509Val* h = (file_analysis::X509Val*) cert; 
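Review bot: `hash_to_evp` has no comment saying where the numbers 1–6 come from; the sct_verify hunk further down this file deletes the only pointer to the IANA TLS parameters registry together with the old switch. Since `x509_entity_hash` and the script-level hash functions now pass caller-supplied counts through the same table, a comment above the helper such as `// Maps a TLS HashAlgorithm registry value (1 = md5 ... 6 = sha512) to the OpenSSL digest; returns nullptr for unknown values.` would keep that contract visible. The `break;` after each `return` is unreachable and can go.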
@@ -553,21 +580,73 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa assert(sizeof(timestamp) >= 8); uint64_t timestamp_network = htonll(timestamp); + bool precert = issuer_key_hash->Len() > 0; + if ( precert && issuer_key_hash->Len() != 32) + { + reporter->Error("Invalid issuer_key_hash length"); + return new Val(0, TYPE_BOOL); + } + std::string data; data.push_back(0); // version data.push_back(0); // signature_type -> certificate_timestamp - data.append(reinterpret_cast(×tamp_network), sizeof(timestamp_network)); // timestamp -> 64 bits - data.append("\0\0", 2); // entry-type: x509_entry + data.append(reinterpret_cast(×tamp_network), sizeof(timestamp_network)); // timestamp -> 64 bits + if ( precert ) + data.append("\0\1", 2); // entry-type: precert_entry + else + data.append("\0\0", 2); // entry-type: x509_entry + + if ( precert ) + { + x = X509_dup(x); + assert(x); + #ifdef NID_ct_precert_scts + int pos = X509_get_ext_by_NID(x, NID_ct_precert_scts, -1); + if ( pos < 0 ) + { + reporter->Error("NID_ct_precert_scts not found"); + return new Val(0, TYPE_BOOL); + } + #else + int num_ext = X509_get_ext_count(x); + int pos = -1; + for ( int k = 0; k < num_ext; ++k ) + { + char oid[256]; + X509_EXTENSION* ex = X509_get_ext(x, k); + ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); + OBJ_obj2txt(oid, 255, ext_asn, 1); + if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 ) + { + pos = k; + break; + } + } + #endif + X509_EXTENSION_free(X509_delete_ext(x, pos)); + assert( X509_get_ext_by_NID(x, NID_ct_precert_scts, -1) == -1 ); + } unsigned char *cert_out = nullptr; - uint32 cert_length = i2d_X509(x, &cert_out); + uint32 cert_length; + if ( precert ) + { + // we also could use i2d_re_X509_tbs, for OpenSSL >= 1.0.2 + x->cert_info->enc.modified = 1; + cert_length = i2d_X509_CINF(x->cert_info, &cert_out); + data.append(reinterpret_cast(issuer_key_hash->Bytes()), issuer_key_hash->Len()); + } + else + cert_length = i2d_X509(x, &cert_out); 
assert( cert_out ); uint32 cert_length_network = htonl(cert_length); assert( sizeof(cert_length_network) == 4); - data.append(reinterpret_cast(&cert_length_network)+1, 3); // 3 bytes certificate length - data.append(reinterpret_cast(cert_out), cert_length); // der-encoded certificate + data.append(reinterpret_cast(&cert_length_network)+1, 3); // 3 bytes certificate length + data.append(reinterpret_cast(cert_out), cert_length); // der-encoded certificate OPENSSL_free(cert_out); + if ( precert ) + X509_free(x); data.append("\0\0", 2); // no extensions // key is given as a DER-encoded SubjectPublicKeyInfo. @@ -580,31 +659,11 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa string errstr; int success = 0; - const EVP_MD* hash; - // numbers from http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 - switch ( hash_algorithm ) + const EVP_MD* hash = hash_to_evp(hash_algorithm); + if ( ! hash ) { - case 1: - hash = EVP_md5(); - break; - case 2: - hash = EVP_sha1(); - break; - case 3: - hash = EVP_sha224(); - break; - case 4: - hash = EVP_sha256(); - break; - case 5: - hash = EVP_sha384(); - break; - case 6: - hash = EVP_sha512(); - break; - default: - errstr = "Unknown hash algorithm"; - goto sct_verify_err; + errstr = "Unknown hash algorithm"; + goto sct_verify_err; } if ( ! key ) 
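Review bot: The `NID_ct_precert_scts not found` branch returns without releasing the copy made by `x = X509_dup(x)`, so every certificate that reaches it leaks one X509 object; the certificates come from monitored traffic. `X509_free(x);` before that `return new Val(0, TYPE_BOOL);` fixes it. The `#else` fallback has no matching check, so `pos` can stay -1 and the function carries on with the extension still in place, and the `assert` placed after `#endif` refers to `NID_ct_precert_scts`, the very macro that branch exists to do without. The result of `i2d_X509_CINF`/`i2d_X509` is also stored in a `uint32` and only `cert_out` is asserted, so an encoding failure (a negative return) would become a very large length in builds where asserts are compiled out. sct_verify starts before this hunk and continues past it.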
@@ -638,6 +697,93 @@ sct_verify_err: return new Val(0, TYPE_BOOL); %} + +%%{ +/** + * 0 -> subject name + * 1 -> issuer name + * 2 -> pubkey + */ +StringVal* x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int hash_alg, unsigned int type) + { + assert(cert_handle); + + if ( type > 2 ) + { + reporter->InternalError("Unknown type in x509_entity_hash"); + return nullptr; + } + + X509 *cert_x509 = cert_handle->GetCertificate(); + if ( cert_x509 == nullptr ) + { + builtin_error("cannot get cert from opaque"); + return nullptr; + } + + X509_NAME *subject_name = X509_get_subject_name(cert_x509); + X509_NAME *issuer_name = X509_get_issuer_name(cert_x509); + if ( subject_name == nullptr || issuer_name == nullptr ) + { + builtin_error("fail to get subject/issuer name from certificate"); + return nullptr; + } + + const EVP_MD *dgst = hash_to_evp(hash_alg); + if ( dgst == nullptr ) + { + builtin_error("Unknown hash algorithm."); + return nullptr; + } + + unsigned char md[EVP_MAX_MD_SIZE]; + memset(md, 0, sizeof(md)); + unsigned int len = 0; + + int res = 0; + + ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert_x509); + if ( key == 0 ) + { + printf("No key in X509_get0_pubkey_bitstr\n"); + } + + if ( type == 0 ) + res = X509_NAME_digest(subject_name, dgst, md, &len); + else if ( type == 1 ) + res = X509_NAME_digest(issuer_name, dgst, md, &len); + else if ( type == 2 ) + { + unsigned char *spki = nullptr; + int pklen = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert_x509), &spki); + if ( ! pklen ) + { + builtin_error("Could not get SPKI"); + return nullptr; + } + res = EVP_Digest(spki, pklen, md, &len, dgst, nullptr); + OPENSSL_free(spki); + } + + if ( ! 
res ) + { + builtin_error("Could not perform hash"); + return nullptr; + } + + assert( len <= sizeof(md) ); + + return new StringVal(len, reinterpret_cast(md)); + } +%%} + +function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string + %{ + file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; + + return x509_entity_hash(cert_handle, hash_alg, 0); + %} + ## Get the hash of issuer name of a certificate ## ## cert: The X509 certificate opaque handle. 
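Review bot: `if ( ! pklen )` in the `type == 2` branch only catches a zero return, while `i2d_X509_PUBKEY` signals failure with a negative value; that value would then be passed to `EVP_Digest` as the input length with `spki` possibly still null. `if ( pklen <= 0 || ! spki )` covers both. The `printf("No key in X509_get0_pubkey_bitstr\n")` block looks like leftover debugging: `key` is not used afterwards and the message bypasses `reporter`, so it can be dropped or turned into a `builtin_error` with an early return. `x509_subject_name_hash` is added without the `##` documentation block the neighbouring functions carry.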
@@ -649,78 +795,16 @@ sct_verify_err: ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse ## x509_get_certificate_string x509_verify -function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: string%): string +function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string %{ - assert(cert); - assert(hash_alg); - file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; - X509 *cert_x509 = cert_handle->GetCertificate(); - if (cert_x509 == NULL) - { - builtin_error("cannot get cert from opaque"); - return NULL; - } - X509_NAME *issuer_name = NULL; - StringVal *issuer_name_str = NULL; - issuer_name = X509_get_issuer_name(cert_x509); - if (issuer_name == NULL) - { - builtin_error("fail to get issuer name from certificate"); - return NULL; - } - - const char* h = hash_alg->CheckString(); - if (h == NULL) - { - builtin_error("fail to get hash algorithm from input"); - return NULL; - } - - const EVP_MD *dgst; - if (strcmp(h, "sha1") == 0) - dgst = EVP_sha1(); - else if (strcmp(h, "sha224") == 0) - dgst = EVP_sha224(); - else if (strcmp(h, "sha256") == 0) - dgst = EVP_sha256(); - else if (strcmp(h, "sha384") == 0) - dgst = EVP_sha384(); - else if (strcmp(h, "sha512") == 0) - dgst = EVP_sha512(); - else - { - reporter->Error("Unknown digest!"); - return NULL; - } - if (dgst == NULL) - { - builtin_error("fail to allocate digest"); - return NULL; - } - - unsigned char md[EVP_MAX_MD_SIZE]; - unsigned int len = 0; - ASN1_OCTET_STRING *oct_str = ASN1_STRING_type_new(V_ASN1_OCTET_STRING); - int new_len = -1; - BIO *bio = BIO_new(BIO_s_mem()); - char buf[1024]; - memset(buf, 0, sizeof(buf)); - - if (!X509_NAME_digest(issuer_name, dgst, md, &len)) - goto err; - if (!ASN1_OCTET_STRING_set(oct_str, md, len)) - goto err; - if (i2a_ASN1_STRING(bio, oct_str, V_ASN1_OCTET_STRING) <= 0) - goto err; - new_len = BIO_read(bio, buf, sizeof(buf)); - if (new_len > 0) - issuer_name_str = 
new StringVal(new_len, buf); - - //NOTE: the result string may contain "\\x0a" for sha384 and sha512 - // probably need to remove it from here? -err: - BIO_free_all(bio); - return issuer_name_str; + return x509_entity_hash(cert_handle, hash_alg, 1); + %} + +function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string + %{ + file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; + + return x509_entity_hash(cert_handle, hash_alg, 2); %} diff --git a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout index a27331e535..e11616d745 100644 --- a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout +++ b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout @@ -2,3 +2,11 @@ 0, Google 'Rocketeer' log, 1474927232.863, 4, 3 0, Google 'Aviator' log, 1474927232.112, 4, 3 0, Google 'Pilot' log, 1474927232.304, 4, 3 +Verify of, Symantec log, T +Bad verify of, Symantec log, F +Verify of, Google 'Rocketeer' log, T +Bad verify of, Google 'Rocketeer' log, F +Verify of, Google 'Aviator' log, T +Bad verify of, Google 'Aviator' log, F +Verify of, Google 'Pilot' log, T +Bad verify of, Google 'Pilot' log, F diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test index c0fe06d4d3..8bb920ee71 100644 --- a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test 
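Review bot: `x509_issuer_name_hash` changes contract for script callers without its documentation saying so: `hash_alg` is now a `count` instead of a name such as "sha256", and the return value is the raw digest from `x509_entity_hash` rather than the hex text the removed `i2a_ASN1_STRING` path produced. A script that compares the result with a hex-formatted hash would stop matching without any error. The `##` block should state both, for example `## hash_alg: the hash algorithm to use, as a TLS HashAlgorithm number (4 is SHA-256).` and `## Returns: the raw digest bytes of the issuer name.`; `x509_spki_hash` needs the same block. The start of the existing doc comment lies outside this hunk.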
@@ -1,7 +1,62 @@ # @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT # @TEST-EXEC: btest-diff .stdout +@load protocols/ssl/validate-certs + +redef SSL::ssl_store_valid_chain = T; + +export { + type LogInfo: record { + version: count; + logid: string; + timestamp: count; + sig_alg: count; + hash_alg: count; + signature: string; + }; +} + +redef record SSL::Info += { + ct_proofs: vector of LogInfo &default=vector(); +}; + event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) { print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm; + + if ( |f$conns| != 1 ) + return; + + for ( cid in f$conns ) + { + if ( ! f$conns[cid]?$ssl ) + return; + + local c = f$conns[cid]; + } + + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + c$ssl$ct_proofs[|c$ssl$ct_proofs|] = LogInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature); + } + +event ssl_established(c: connection) + { + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + if ( |c$ssl$valid_chain| < 2 ) + return; + + local cert = c$ssl$cert_chain[0]$x509$handle; + local issuer_key_hash = x509_spki_hash(c$ssl$valid_chain[1], 4); + + for ( i in c$ssl$ct_proofs ) + { + local log = c$ssl$ct_proofs[i]; + + print "Verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp, log$hash_alg, issuer_key_hash); + print "Bad verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp+1, log$hash_alg, issuer_key_hash); + } } From 22b1eda472a3dc2c6584dc7734cbf6beb48b83b5 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Tue, 21 Mar 2017 18:55:43 -0700 Subject: [PATCH 122/631] SCT: Add signed certificate timestamp validation script. This also rewrites the certificate validation script (which we need for this) slightly. This could need a bit of caching, but should generally work very reliably. --- .../policy/protocols/ssl/validate-certs.bro | 27 ++- scripts/policy/protocols/ssl/validate-sct.bro | 173 ++++++++++++++++++ .../.stdout | 17 ++ .../ssl-all.log | 20 ++ .../tls/signed_certificate_timestamp-2.pcap | Bin 0 -> 7982 bytes .../policy/protocols/ssl/validate-sct.bro | 21 +++ 6 files changed, 249 insertions(+), 9 deletions(-) create mode 100644 scripts/policy/protocols/ssl/validate-sct.bro create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log create mode 100644 testing/btest/Traces/tls/signed_certificate_timestamp-2.pcap create mode 100644 testing/btest/scripts/policy/protocols/ssl/validate-sct.bro diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index 5ab2017cc6..4c100ac413 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro @@ -120,8 +120,8 @@ function cache_validate(chain: vector of opaque of x509): X509::Result |result$chain_certs| > 2 ) { local result_chain = result$chain_certs; - local icert = x509_parse(result_chain[1]); - if ( icert$subject !in intermediate_cache ) + local isnh = x509_subject_name_hash(result_chain[1], 4); # SHA256 + if ( isnh !in intermediate_cache ) { local cachechain: vector of opaque of x509; for ( i in result_chain ) 
@@ -129,33 +129,42 @@ function cache_validate(chain: vector of opaque of x509): X509::Result if ( i >=1 && i<=|result_chain|-2 ) cachechain[i-1] = result_chain[i]; } - add_to_cache(icert$subject, cachechain); + add_to_cache(isnh, cachechain); } } return result; } -event ssl_established(c: connection) &priority=3 +# The server issues CCS only after sending the certificates. This should +# be more robust than using SSL_established, on the off chance that we don't +# get that event. +# +# This is not TLSv1.3 compatible - but we will not have certificates in +# that case in any way, so it even saves us a few cycles. +event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=3 { + if ( is_orig ) + return; + # If there aren't any certs we can't very well do certificate validation. if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) return; local intermediate_chain: vector of opaque of x509 = vector(); - local issuer = c$ssl$cert_chain[0]$x509$certificate$issuer; + local issuer_name_hash = x509_issuer_name_hash(c$ssl$cert_chain[0]$x509$handle, 4); # SHA256 local hash = c$ssl$cert_chain[0]$sha1; local result: X509::Result; # Look if we already have a working chain for the issuer of this cert. # If yes, try this chain first instead of using the chain supplied from # the server. - if ( ssl_cache_intermediate_ca && issuer in intermediate_cache ) + if ( ssl_cache_intermediate_ca && issuer_name_hash in intermediate_cache ) { intermediate_chain[0] = c$ssl$cert_chain[0]$x509$handle; - for ( i in intermediate_cache[issuer] ) - intermediate_chain[i+1] = intermediate_cache[issuer][i]; + for ( i in intermediate_cache[issuer_name_hash] ) + intermediate_chain[i+1] = intermediate_cache[issuer_name_hash][i]; result = cache_validate(intermediate_chain); if ( result$result_string == "ok" ) 
@@ -188,7 +197,7 @@ event ssl_established(c: connection) &priority=3 { local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status); NOTICE([$note=Invalid_Server_Cert, $msg=message, - $sub=c$ssl$subject, $conn=c, + $sub=c$ssl$cert_chain[0]$x509$certificate$subject, $conn=c, $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_status)]); } } diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro new file mode 100644 index 0000000000..1d3db58494 --- /dev/null +++ b/scripts/policy/protocols/ssl/validate-sct.bro 
@@ -0,0 +1,173 @@ +##! Perform validation of Signed Certificate Timestamps, as used +##! for Certificate Transparency. See https://tools.ietf.org/html/rfc6962 +##! for more details. + +@load base/protocols/ssl +@load protocols/ssl/validate-certs + +# We need to know issuer certificates to be able to determine the IssuerKeyHash, +# which is required for validating certificate extensions. +redef SSL::ssl_store_valid_chain = T; + +module SSL; + +export { + + type SctSource: enum { + SCT_X509_EXT, + SCT_TLS_EXT, + SCT_OCSP_EXT + }; + + type SctInfo: record { + version: count; + logid: string; + timestamp: count; + sig_alg: count; + hash_alg: count; + signature: string; + source: SctSource; + valid: bool &optional; + }; + + redef record Info += { + valid_scts: count &optional; + invalid_scts: count &optional; + valid_ct_logs: count &log &optional; + valid_ct_operators: count &log &optional; + valid_ct_operators_list: set[string] &optional; + }; + +} + +redef record SSL::Info += { + ct_proofs: vector of SctInfo &default=vector(); +}; + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5 + { + c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature, $source=SCT_TLS_EXT); + } + +event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) &priority=5 + { + local src: SctSource; + if ( ! 
f?$info ) + return; + + if ( f$source == "SSL" && f$info$mime_type == "application/ocsp-response" ) + src = SCT_OCSP_EXT; + else if ( f$source == "SSL" && f$info$mime_type == "application/x-x509-user-cert" ) + src = SCT_X509_EXT; + else + return; + + if ( |f$conns| != 1 ) + return; + + for ( cid in f$conns ) + { + if ( ! f$conns[cid]?$ssl ) + return; + + local c = f$conns[cid]; + } + + c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src); + } + +# Priority = 2 will be handled after validation is done +event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 + { + if ( is_orig ) + return; + + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + local cert = c$ssl$cert_chain[0]$x509$handle; + local issuer_name_hash = x509_issuer_name_hash(cert, 4); + local valid_proofs = 0; + local invalid_proofs = 0; + c$ssl$valid_ct_operators_list = string_set(); + local valid_logs = string_set(); + local issuer_key_hash = ""; + + for ( i in c$ssl$ct_proofs ) + { + local proof = c$ssl$ct_proofs[i]; + if ( proof$logid !in SSL::ct_logs ) + { + # Well, if we don't know the log, there is nothing to do here... + proof$valid = F; + next; + } + local log = SSL::ct_logs[proof$logid]; + + local valid = F; + + if ( proof$source == SCT_TLS_EXT || proof$source == SCT_OCSP_EXT ) + { + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg); + } + else + { + # X.509 proof. Here things get awkward because we need information about + # the issuer cert... and we need to try a few times, because we have to see if we got + # the right issuer cert. + # + # First - Let's try if a previous round already established the correct issuer key hash. 
+ + if ( issuer_key_hash != "" ) + { + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); + } + + # Second - let's see if we might already know the issuer cert through verification. + if ( ! valid && issuer_name_hash in intermediate_cache ) + { + issuer_key_hash = x509_spki_hash(intermediate_cache[issuer_name_hash][0], 4); + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); + } + if ( ! valid && c$ssl?$valid_chain && |c$ssl$valid_chain| >= 2 ) + { + issuer_key_hash = x509_spki_hash(c$ssl$valid_chain[1], 4); + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); + } + # ok, if it still did not work - let's just try with all the certs that were sent + # in the connection. Perhaps it will work with one of them. + + if ( !valid ) + for ( i in c$ssl$cert_chain ) + { + if ( i == 0 ) # end-host-cert + next; + + issuer_key_hash = x509_spki_hash(c$ssl$cert_chain[i]$x509$handle, 4); + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); + if ( valid ) + break; + } + } + + proof$valid = valid; + if ( valid ) + { + ++valid_proofs; + add c$ssl$valid_ct_operators_list[log$operator]; + add valid_logs[proof$logid]; + } + else + ++invalid_proofs; + } + + c$ssl$valid_scts = valid_proofs; + c$ssl$invalid_scts = invalid_proofs; + c$ssl$valid_ct_operators = |c$ssl$valid_ct_operators_list|; + c$ssl$valid_ct_logs = |valid_logs|; + } diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout new file mode 100644 index 0000000000..ec22e1c01b --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout 
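Review bot: SCTs whose `logid` is not in `SSL::ct_logs` are marked `proof$valid = F` and then skipped with `next` before `++invalid_proofs`, so `invalid_scts` leaves them out and a certificate carrying only unknown-log SCTs ends up with both counters at 0. Either count them, or say so on the field, e.g. `## Number of SCTs from known logs whose signature did not verify; SCTs from unknown logs are not counted.`; none of the fields added to `Info` and `SctInfo` has a `##` comment yet. The inner `for ( i in c$ssl$cert_chain )` reuses the index name of the enclosing `for ( i in c$ssl$ct_proofs )`; a separate name would make it clear the outer loop is unaffected. Every SCT seen on the connection is appended to `ct_proofs` and can cost one `sct_verify` call per certificate in the chain, so a cap on the number of proofs checked would bound the work a single connection can cause.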
@@ -0,0 +1,17 @@ +[[version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1406997753366, sig_alg=3, hash_alg=4, signature=0D\x02 \x1cK\x82]\x95ng[\xdb\x04\x95K\xf6\xce\xf42>\x86zz2\xab\x18`t\xde\x08\xda\x05\x91L/\x02 sT\x1bn\x7f\xa1\xb0}\x11\xbc\xe6\xf3\x85/\x97f\x1a\xf7\x8a\xe4\x10%\x8f\x12\xf4o9\x0f\xd2\x9e\x18\xf0, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=h\xf6\x98\xf8\x1fd\x82\xbe:\x8c\xee\xb9(\x1dL\xfcqQ]g\x93\xd4D\xd1\x0ag\xac\xbbOO\xfb\xc4, timestamp=1407002457456, sig_alg=3, hash_alg=4, signature=0E\x02 2!\x148\x06\xd8r.\x000d\x1a\xe2\xe8mNZ\xe1\xd9B\x1e\x82K\x96%\x89\xd5&\x13\xd3\x9c\xfa\x02!\x00\x8f\x12(dQOD\xd5\x8c\x18b#\xb2C\x933\x05\xf3CU\xa1\xd9\xee\xcd\xc5q5\x91\xddI\xd1\x0b, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xeeK\xbd\xb7u\xce`\xba\xe1Bi\x1f\xab\xe1\x9ef\xa3\x0f~_\xb0r\xd8\x83\x00\xc4{\x89z\xa8\xfd\xcb, timestamp=1410299366023, sig_alg=3, hash_alg=4, signature=0E\x02 )\x89\xd6\xb0S\xd3\xd2\xe9\x91\xbc\xf1\xb5@\xbe\x1e.\xe7\\xb4t'\xed\x8f\x9b\x02\xe9\xfa\xc2L\xba\xa2\xbe\x02!\x00\xafCdRq\x15)X@\x91\xc7\x08\x16\x96\x03\xa8s\xa5e\xa0l\xb8HVZ\xb6)\x83dm*\x9d, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1406997753366, sig_alg=3, hash_alg=4, signature=0D\x02 \x1cK\x82]\x95ng[\xdb\x04\x95K\xf6\xce\xf42>\x86zz2\xab\x18`t\xde\x08\xda\x05\x91L/\x02 sT\x1bn\x7f\xa1\xb0}\x11\xbc\xe6\xf3\x85/\x97f\x1a\xf7\x8a\xe4\x10%\x8f\x12\xf4o9\x0f\xd2\x9e\x18\xf0, source=SSL::SCT_OCSP_EXT, valid=T], [version=0, logid=h\xf6\x98\xf8\x1fd\x82\xbe:\x8c\xee\xb9(\x1dL\xfcqQ]g\x93\xd4D\xd1\x0ag\xac\xbbOO\xfb\xc4, timestamp=1407002457456, sig_alg=3, hash_alg=4, signature=0E\x02 
2!\x148\x06\xd8r.\x000d\x1a\xe2\xe8mNZ\xe1\xd9B\x1e\x82K\x96%\x89\xd5&\x13\xd3\x9c\xfa\x02!\x00\x8f\x12(dQOD\xd5\x8c\x18b#\xb2C\x933\x05\xf3CU\xa1\xd9\xee\xcd\xc5q5\x91\xddI\xd1\x0b, source=SSL::SCT_OCSP_EXT, valid=T]] +Google 'Pilot' log, T +Google 'Aviator' log, T +Google 'Rocketeer' log, T +Google 'Pilot' log, T +Google 'Aviator' log, T +[[version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1487726002208, sig_alg=3, hash_alg=4, signature=0F\x02!\x00\x89\x82s\x17\xd9\xcbo\xcf\xc3\xba\x91{\xeb\xe8\xf1\xbe\xc8)\x97\x1e\xe8A\x99P\x00\xaa\xb4\x15\xd97\x93\xca\x02!\x00\xca\xcd\xec\x9e\x12\xeed/v\xf5\xc32\xba\x92S\xe0 }\x85k\xe7\xd4TRp\xe8\x8d~\xba\x9d\x12\x16, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xac;\x9a\xed\x7f\xa9gGW\x15\x9em}WVr\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa11;ux-, timestamp=1487726003188, sig_alg=1, hash_alg=4, signature=\x04\xed\x08\xca\x8e\x1b\x8ba$\xe5\xe8{Y\x96'+\x06\x86\x87o\x1a=i5\x91\xc3\xfd\xf6\xbe\xeao;\xc8\x1c\x01j\xc0\x14\xea\x06\xd3\xe3#w,\x07\x06\xc3\xd0\xdc\xf2L:\xb0{\xfd.\x00\xdf\xc2\xb8w(\xaak\xfe^\xa0\x05\xe1\x84\xad\x1a!\xf2@/J\xcc\xcb8\xbb\xfa`;CF\F\x97t\xfew\xf5y\xfcZ\x08\xb82\x8c\x1dk, timestamp=1487726024253, sig_alg=3, hash_alg=4, signature=0F\x02!\x00\x99\x8c\xa5+u\xe1t\x08\x0a\xa9!\xed)\x9b\xb6\xccx\x8d0VN,RZ2\xd93\xdc\xa7 \xa5\xd3\x02!\x00\xc8\xde\x96\x8d\x02\xd6\xfcx\xdbM \x06\x1cq\xe5\x10\xe3 \x18B\\x1d1\x88\xb0\xeb\xf3\xf2\x9b\x99X\xb4, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=V\x14\x06\x9a/\xd7\xc2\xec\xd3\xf5\xe1\xbdD\xb2>\xc7Fv\xb9\xbc\x99\x11\\xc0\xef\x94\x98U\xd6\x89\xd0\xdd, timestamp=1487726001197, sig_alg=3, hash_alg=4, signature=0E\x02 F\xc2\xfb\x02\xfd\xa3RNy_\x16^\xb54-S\x90\xdbK\x97\x87\x00\x93\xa1\x0d'\xc0<\xbeu\xc4\xab\x02!\x00\xb4\x93\xbb\xe2\xee\x14X\xd4\xcf\xa4\xc1\xd8\xcf\xdaAoaD\xf0\xbbM7\xdb\xb0\xec\xca\x0f\x18\xcbe\x8d\xe9, source=SSL::SCT_TLS_EXT, valid=T], [version=0, 
logid=\xeeK\xbd\xb7u\xce`\xba\xe1Bi\x1f\xab\xe1\x9ef\xa3\x0f~_\xb0r\xd8\x83\x00\xc4{\x89z\xa8\xfd\xcb, timestamp=1487726002855, sig_alg=3, hash_alg=4, signature=0D\x02 I\x06\xb4\x84Zo\xf49\x85\xd2\xbb\xc8\x8bb\x9b\xac\xbd\x84\x00\xf2f\xd0\x14\x0cV\x15_\xc7\x09&\xc1\x9f\x02 M\x0c\x05\x01ab\xe5\x97\xf9\xf8'\x02\xf4\x198\x97\xd2>xa\xc2\xda\xc1saw\xd8]\xc8\x97\xd6], source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xbb\xd9\xdf\xbc\x1f\x8aq\xb5\x93\x94#\x97\xaa\x92{G8W\x95\x0a\xabR\xe8\x1a\x90\x96d6\x8e\x1e\xd1\x85, timestamp=1487726000774, sig_alg=3, hash_alg=4, signature=0E\x02!\x00\xb1\x1atJ4\x80\xbd\xc5\x97\x7f(\xae^N\xe3WE-AO\x14X\x0aB\x1e\xc4\xb36\x00TVg\x02 o1hk\xec\x9fFG\xa4\xd2&\x97>E\x87\x7f\xcf\x1c\xc8\xdb>j\xc9\xde\xf5\x1e\x97\xf8\xc3e\xcc\x11, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1487725321667, sig_alg=3, hash_alg=4, signature=0E\x02 S\xc6N8\xf0\x84\xe5\xc8\xf5C\x87\xf6\xedU\x10\x0b}u2\xd2\x08+\x04\xbbS\xf6a\xc1\xb0\x94\x04\xc3\x02!\x00\xf4\xa2g\xa5!_\xee\x13\xd5\x0f\xd1\xb2\xe8o\x99\x10m\xa9\x0f\xd7W\xd5IH\xaa\x89\xdews\xe3=\x95, source=SSL::SCT_X509_EXT, valid=T], [version=0, logid=V\x14\x06\x9a/\xd7\xc2\xec\xd3\xf5\xe1\xbdD\xb2>\xc7Fv\xb9\xbc\x99\x11\\xc0\xef\x94\x98U\xd6\x89\xd0\xdd, timestamp=1487725322003, sig_alg=3, hash_alg=4, signature=0D\x02 \x04\x9d.\x13Q\xed\xed\xf1l\x9f\xa1\x94\x9dd\xfe\x9c0V|\xb6\xa8|9L5/\xaa\x19\xc7*\xed\xcf\x02 0\x0e+\xe3\xa4S\xfe\x85\xa6X\xcc\x06\xf2\x13\xe9\x0a\x87\xa0I\xdf\x8dr\x13xb\x12\x8c\xe6\xdd\x8f\xa8\xde, source=SSL::SCT_X509_EXT, valid=T], [version=0, logid=\xeeK\xbd\xb7u\xce`\xba\xe1Bi\x1f\xab\xe1\x9ef\xa3\x0f~_\xb0r\xd8\x83\x00\xc4{\x89z\xa8\xfd\xcb, timestamp=1487725322768, sig_alg=3, hash_alg=4, 
signature=0F\x02!\x00\xd37.:`\x98\x08\xb8\xf8\xc0\xad\xb1z\xe2]\x00\xb8\x08"\x97\xc8P\xeb1\x97\x16\x95!\xd0T\xb5\xd6\x02!\x00\xfe\xb8\xa3\xbf\x12\xb6%\x97\x9b\x0f\x0f\x9fc\xccP\xa0\x07\x0c\xe9\xf2\xda\xe9\\x0a\x8e\xeag\x8a\x131\x96?, source=SSL::SCT_X509_EXT, valid=T], [version=0, logid=\xbb\xd9\xdf\xbc\x1f\x8aq\xb5\x93\x94#\x97\xaa\x92{G8W\x95\x0a\xabR\xe8\x1a\x90\x96d6\x8e\x1e\xd1\x85, timestamp=1487725321891, sig_alg=3, hash_alg=4, signature=0F\x02!\x00\xe7\x14'\xc8\x03?\xfc\xf1\xc6\x86\xe4g\xb6s\x034<\xf0\x96\xf0\xe0\x1a\xb8\x953\xe0\xf8U\x1d\x1c\xbf\xe6\x02!\x00\xcag\xf24\xcc\x86\x1aYd\xfb{\x82N\xeb,\xa3\xecu\xf1i\x01\xbc\xd4b\x1a\x9e\xa8\xc4\xca\x8f\x01\x8b, source=SSL::SCT_X509_EXT, valid=T]] +Google 'Pilot' log, T +Venafi log, T +Venafi Gen2 CT log, T +DigiCert Log Server, T +Google 'Rocketeer' log, T +Google 'Skydiver' log, T +Google 'Pilot' log, T +DigiCert Log Server, T +Google 'Rocketeer' log, T +Google 'Skydiver' log, T diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log new file mode 100644 index 0000000000..0696d31ffe --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log 
@@ -0,0 +1,20 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-03-22-01-52-35 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status valid_ct_logs valid_ct_operators +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string count count +1484228945.191472 CHhAvVGS1DHFjwGM9 192.168.178.73 60640 97.107.139.108 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 ritter.vg F - http/1.1 T FDWgotac24NQJKrRi,FUHPFD4bNbAmVvzf99,FL5BECVkzTuWWefyh (empty) CN=ritter.vg,OU=PositiveSSL,OU=Domain Control Validated CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - - ok 3 1 +#close 2017-03-22-01-52-35 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-03-22-01-52-36 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status valid_ct_logs valid_ct_operators +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string count count +1490146178.647622 CHhAvVGS1DHFjwGM9 192.168.17.58 51995 97.107.139.108 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 ritter.vg F - h2 T Fui6LM65IdSB9LD25,FIwxeCtbWPXg98zO1 (empty) CN=ritter.vg,O=Tom Ritter\\, LLC,L=Urbana,ST=Illinois,C=US,serialNumber=0600438893,jurisdictionST=New Jersey,jurisdictionC=US,businessCategory=Private Organization CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US - - ok 6 3 
+#close 2017-03-22-01-52-36 
diff --git a/testing/btest/Traces/tls/signed_certificate_timestamp-2.pcap b/testing/btest/Traces/tls/signed_certificate_timestamp-2.pcap new file mode 100644 index 0000000000000000000000000000000000000000..6d19d32049e4b5bcf2359f535836261fb4d8a2cf GIT binary patch literal 7982 zcmd^Ec{o+w+ur+39USA4c{q}x#M#G?LWT+<5@pI8$Iu}n^HkxKql7f7M8sQBN`(w5 z(jZi#Od&%98A3>eZ*5+^rM~y~{{H&@`1Zcmb?v?OUiba1wVri9&tCgw`OP#8goFM* za1ab`m~}5~#tI0K8MsDEfn2YBv~@78?2*oWBBT#Ny7C3OkS@W}p!71Y2HoSZXO$>i z{5qsv6-COy%*?P{AP9rQ=fYSl9)^kR@v^U#(Puc!9Qv6zY|vV8kCr*yISznMfdGmw zq(q4Oh$5p5aB-FBVX9#aU{H(T3wqFCJco|MV6jAifZE#%5Lbe0wESYPytOTA@6wV5 z_NoEY!{$5`D4=N$ey_zgnmzfm&9;HK4-mAZxtR=;F=TA1LMgR$MJZC9S$(;b zT*?ofgOVXCqz17As2f>X5HtfWK-VBHhy+1wzV811uD(iv3`h{vNrS=(@k4w#ED?u; z@mL}r4-*Ll7z0Ci2tV5n;sY=7pv^IE%0xGR|J_uY5-q?S)N(-JJxCr>fROhL15e%Aeu#1R<^I@@A3>Jpi z!AS%d;=n8+aN;0N7!wnNVlIY00;>Nf2kMZu;Uq{4^cO9^xVU`bH0t7YUlzFd;nyLZ z8s7Tbn_u+3Pk>Miw5Rfp9B zmXo($Jf(*5xCbn5I-iZfPn?-)IpS`46Dp-b*qbQ%oX>GUI4lI58uc<@1H^}o#l}EE zP(~qJLavYve{?bVLN#MIyO!E%+*i>z1zkZ;xhgnYcpwP2bEfN3z^cbW8xRAG6m*E` zC)iZw{k**BXjpIe(A|nEN4#zX z5Ca#*^%E=OMGw=LzUvONJte0=U`2b2tZ`R6T0S*)_oKIFg&4fEl>Z~4u1h*-#Ues^ zP0R2`jhwJ4CFsrlf*|=UkLm5H_>KeFB2vS;RO9NZRmBsIn(GYgwOj?8cj!|?ZF*}$ z7H@miIdFa4W5DKE#wya4#eo+ypof+_y?gF#Y~vL_9-egf26=L*YEm_7cxRb^4wIp| z9PfT+xm!o|qS}Cpjdh8Ik=qns%t(}GL~IWXEKqpp(^vW-0pbmtvd!J$As3dhWn{yq zDe%c zhd+@$Q>uSiQhs%C9Aag*!op6uNu}iy<EPG zF+}t+6odPdn5lFNvk(V??Rlz-mI<#-5~HExX`FJUT6Y5;Tmihf$BR1$_-$T3&nRnr z-mK?MUq4uEs{T5suaaA+$~CSB3V;SoN^S={b1dpu>n?evBV|WA_dbUl-^TsWgRn!P zm#3=cc-LN<qWq#BamCR^q{}mCzO| z28QBIbMxpsZ(x{FE1RgTA07T&tm3uy&L?f75{cvGuGPFi)bS7&h&ou}q?a5JsRklF zg@~L8lgNfJ2}7w^42;3>aBEEyFSaI(sP8*CJYuS~5#c1TEoW_Dec^;*4m^Ye&^Qn_ z0(L8oK*nsfq%B6s=nXrWwBDWJzRuOxpJL?YOcO=~(P|DdPf$>hk_&j`3?3;td+(yD zBFg9^ELq`u3(F09$`t)ze^)OTR~L#E-P7HL?(gpHMX_}C4RrOTtkXjz1UYHyh_W&b znLX^l?J97)lBSH_+aZw;Y2t_|3d~L7H}`c9r2D&4Hu*B>Uhbi@STr)iOW;r-z&Mzx zu7!cIv*wE;!ar7G$n0jWK@?+GUq9E7*%km0Pi99}B8aNWs#U91e(pUl!i`cA$wVVh 
zPj@eGcRw087%)(^h)me(>qPgW(}WNKw1S%{OPesBd_6b$VLML-?J-wY? zcxIX6(9N6T{q-)G`wqtO!#CfbYX6eFGlR*&L)?&6MK5KSRgSFpT9N3P!tWnrYrn6P zL*j^xvs}@{=Ig>wiYlbVJjx|GrcJNLRDJQBcu_sHPuurt^0iK>NL;ZH*E;yrl7k$wqe^aU=Q0FIw2`0YhraLOIu z2vS^&lZh<1!RJ^c0Da7h^FlnCf6pY76ZQP>`4^KkcNxe)7Xfp2S^QKZ;P1U_uEL4# z=jXZ8MakO>ECHs_a;4utLAX#_ZWx}y;jkEd>YSA_I01y8Km>k{$1lRd->)!pR!X8) zBC4s%sR&C6P3|Cz?g+{L0xBVi7X=E8IdFyMj{W+w}D~Y9wZc5 zI)9JAETO;p1mZLc}TBip_!yh4` z{UW2Ik3rDo`GvqfD=zgR7#s%2gg=1N1$O|o|5y2sRcrZowWnA>v?Oz2|t2gAogBvbciM+YLf5`KE+KFVB>2rwHp8U&uR&P|JW(hxD-v1m!LAVsU zGAyT~F4|NRhRHqb(Wypn;(W=$PJFTNTaR3B14+ccim6teAnp5}?$xO)X*ixH7L1o> z-w5se11cacNvtsMr6mfSl&aa1R}cC-U66i{FJC4xiJSYpbG3QuB2v$AbB{fH{6|I% znRZGC5dW*FYSoth1MvrbxeBb#x1mR@w~Ty0tg6=Fslj%Uf|Dxk<6FhW?!5=Zm5gE4 zYL7YD(&^|nkW(OTwUMLIX)1I#DY^H6LB<~h)9juaA+54h zZ7KDX_>N8C5_?Soq&`}F9=%5JjdH7Th-es(x#zQ{R_m1&S>@zmRQVf#@;?LL=4e@% z^W#d3U^M4{ZvV6LTYR2Xej%uzV?P85N?sal&}H`*v`B?MS6iH5Sh}Au4v8)x>|t{w zk@ucaZ75E;ThQPwnBIOCqA2z?1&U-(boM(qtGdUWrt5OPDYf+A$RIv_8PTJ#HQ7P$ zqSAHPqtZcj@~KIyl*tU?lQNY@`)Cp__rMY-BY~Z=TU(YeI&^&^ViQN3i@zMrs!{PM z>Ub_#N9X^Fm{f>5ib=Fye-)ez;fjDf=OavP%3rw&DI{}!PAu<9$}ze_r-%6d1!IqR z{v4hE``knUSq7Fhh{#Lkm4LFro#95&^YaVvrF%KMQuM7T7T(_e^C^i64b4gBau7jI zBJv2=(C z(NPk~x-4O$zRX|HI2(*Sku`Hcb|r!)*EkSwq5mqr z{+-|aHvRcAKf0k^?v5S5X9&MMEh|FAd~$YCC||G)XC*K>zb1jz!NT-EOdV7e^Dm1F ztY)!a9yE?wTdz}*X_~!A^)emPxgIXnv$6)!xNxwEJqPIGj<*t6_Zw zRkucC`K>Nftfx>?WdjsSJrbpnF+S})i2pQ;m&5;A{dZ5WWYcPmB7 zP~F@&Hk>J1>vTjBYu8*}k@jqb#RbT@*RRN@!bna!(IqNn6<4;in^uuUq)kZr3eual zUA?s7qSQT}Ln~f(lms16$39cet2i4eVtmX@)8K5>^!^K9Q)1JrIk(?h^Bfm^gr7f5 z`P^gZqWy!sw5@S=R&E(fc4uit`ZOh9*4G?)H+Erj>*Fw|Zf}x*Z$b0;y=cx5^P>q# zLYhZy<%ZPc$ya3ez4{UgKGoni0ucNfq^k|UU+cg&Un&!>2A35Cwz(t^0dB{H3qe&L z5}9%VB&olfL?Lcv1bjfL0I8y>f{!RW#1HX7jKHTHUV#gX5y3+^exs3+7@>QCgwqe( zbQRq+eRjTm&-y*uub+t#&@T+Byx*(T5kw7qLfQS!Q%=;B6+SZ+)-GY&l}f$JbtYJA zCGWWz;Zz-ovv!d(9OUHut1n0t@rBxoui>3cip$v5dECpoOg z4GKJBjN{G=I&5I+)7NvB{Ymdp%EUMlKus~QuC$abz-#{<{r9pf?gw}?6NP`xLa zvyN(Vh3~EE)RVKJPecVCBxdY!B2Wz-#_IX$OT4yTvhmlj5kFWw)#^5&(kL)`-t~P- 
zu+_N0?Suw~B-sVWZyWtWhh7&TvoXBE@KU9?ZBJf=rR|=2>f|!@eyQ7CA{Tl+#oL~r zT^xS@=4C~$7#*l^X{P8QwM&QhXks=U&HA)~4S(7($EG9*Ho`)JdN`X!;X7DY zImewg!r@Y9+YgjIX5d#XT@m1w_U7zOj#xr^VK-G~Vwp9+|Jp}RhhK-q?bs0-rl>Ri zm1R1yc*~#+&@f2OQmxRuOUAi&f02J#vFP!Q^egD}@-l^}@I83$pY|bN@;Z`w+ zBKXfJPO~VvzoJ-!zXp;KE?fQ$3fDM_vPqF@q=;ym?R6z~V5U14^s7%~89{8~NSjDdq(4K5kUx+_iH zXD)qO@WM7*X24}LzV|0o1az`hrmQF1&T}je3fmjRb%%tJIVLhZkbYkMrZB}Z{YlHj zX?`$cFpSQdJTPbW@cE)9v!hmzwO(Y(*Rs{H#kgpc=BjdGokhYfq~~4dAL!gNQb`cl zl$*N z2D+JXQEygr;bg6hkMD+#?zgJNK9PwMI5B%2ybyONJS{*KX(a zyglBE)0D4HDYWm%hvnms#OtdzT(>>FJ;%3%9Ez8|x{;&lx{WWT=VoK6a?J-+cjVrS{Gk4PG{)sC+EHwq$YowN2x57}kAGVs}` ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp-2.pcap $SCRIPTS/external-ca-list.bro %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: btest-diff .stdout +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-all.log + +@load protocols/ssl/validate-sct.bro + +module SSL; + +event ssl_established(c: connection) + { + print c$ssl$ct_proofs; + for ( i in c$ssl$ct_proofs ) + { + local proof = c$ssl$ct_proofs[i]; + local log = SSL::ct_logs[proof$logid]; + print log$description, proof$valid; + } + } From aec62aeee9c8a61251ea56b6d73ca0b523ff5d81 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 21 Mar 2017 19:10:53 -0700 Subject: [PATCH 123/631] SCT: Add caching support for validation --- scripts/policy/protocols/ssl/validate-sct.bro | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro index 1d3db58494..e28b89de88 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro +++ b/scripts/policy/protocols/ssl/validate-sct.bro @@ -40,6 +40,9 @@ export { } +global recently_validated_scts: table[string] of bool = table() + &read_expire=5mins &redef; + redef record SSL::Info += { ct_proofs: vector of SctInfo &default=vector(); }; 
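Review bot: `&read_expire=5mins` on `recently_validated_scts` restarts the timer each time an entry is read, so the verdict for a certificate that keeps being seen never ages out. The table also has no size bound, although its keys are derived from data taken off the wire. `&create_expire=5mins` would cap how long any cached verdict, right or wrong, can be reused: `global recently_validated_scts: table[string] of bool = table() &create_expire=5mins &redef;`. A one-line comment saying what the key is would also help, since the key is only built in a later hunk.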
@@ -91,6 +94,7 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 return; local cert = c$ssl$cert_chain[0]$x509$handle; + local certhash = c$ssl$cert_chain[0]$sha1; local issuer_name_hash = x509_issuer_name_hash(cert, 4); local valid_proofs = 0; local invalid_proofs = 0; @@ -110,12 +114,20 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 local log = SSL::ct_logs[proof$logid]; local valid = F; + local found_cache = F; - if ( proof$source == SCT_TLS_EXT || proof$source == SCT_OCSP_EXT ) + local validate_hash = sha1_hash(cat(certhash,proof$logid,proof$timestamp,proof$hash_alg,proof$signature)); + if ( validate_hash in recently_validated_scts ) + { + valid = recently_validated_scts[validate_hash]; + found_cache = T; + } + + if ( found_cache == F && ( proof$source == SCT_TLS_EXT || proof$source == SCT_OCSP_EXT ) ) { valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg); } - else + else if ( found_cache == F ) { # X.509 proof. Here things get awkward because we need information about # the issuer cert... and we need to try a few times, because we have to see if we got @@ -155,7 +167,11 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 } } + if ( ! found_cache ) + recently_validated_scts[validate_hash] = valid; + proof$valid = valid; + if ( valid ) { ++valid_proofs; From b8e81029f87c858a79b86f85e879e54abebc4347 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 27 Mar 2017 20:13:12 +0000 Subject: [PATCH 124/631] TLS-SCT: compile on old versions of OpenSSL (1.0.1...) --- src/file_analysis/analyzer/x509/functions.bif | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 83e73e5d46..80fc3bb9af 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif 
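Review bot: The cache key in `validate_hash` is built with `cat(certhash,proof$logid,proof$timestamp,proof$hash_alg,proof$signature)`, which joins the fields without separators, so two different SCTs can produce the same key. Assuming `timestamp` and `hash_alg` are counts, a timestamp of 1487726002855 with hash_alg 4 renders to the same text as 148772600285 with hash_alg 54 (constructed example). A cached `T` would then be returned for an SCT that `sct_verify` was never asked about. Indexing the table by the fields themselves avoids this, e.g. `table[string, string, count, count, string] of bool` looked up with `[certhash, proof$logid, proof$timestamp, proof$hash_alg, proof$signature] in recently_validated_scts`. The event handler starts and ends outside this hunk.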
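Review bot: `recently_validated_scts[validate_hash] = valid;` stores failures as well as successes, but the issuer certificate is not part of the key. For X.509-embedded SCTs the comment in the previous hunk says the result depends on information about that issuer. A connection that presents the same leaf certificate without a usable issuer would, it seems, cache `F` and hide a valid SCT on later connections for as long as the entry lives. Caching only positive results with `if ( ! found_cache && valid )`, or adding the issuer key hash to the key for `SCT_X509_EXT` proofs, would avoid that. The X.509 branch itself lies between the hunks and is not visible here.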
@@ -600,14 +600,14 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa { x = X509_dup(x); assert(x); - #ifdef NID_ct_precert_scts +#ifdef NID_ct_precert_scts int pos = X509_get_ext_by_NID(x, NID_ct_precert_scts, -1); if ( pos < 0 ) { reporter->Error("NID_ct_precert_scts not found"); return new Val(0, TYPE_BOOL); } - #else +#else int num_ext = X509_get_ext_count(x); int pos = -1; for ( int k = 0; k < num_ext; ++k ) @@ -622,9 +622,11 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa break; } } - #endif +#endif X509_EXTENSION_free(X509_delete_ext(x, pos)); +#ifdef NID_ct_precert_scts assert( X509_get_ext_by_NID(x, NID_ct_precert_scts, -1) == -1 ); +#endif } unsigned char *cert_out = nullptr; @@ -684,7 +686,14 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa goto sct_verify_err; } +#ifdef NID_ct_precert_scts success = EVP_DigestVerifyFinal(mdctx, signature->Bytes(), signature->Len()); +#else + // older versions of OpenSSL use a non-const-char *sigh* + // I don't think they actually manipulate the value though. + // todo - this needs a cmake test + success = EVP_DigestVerifyFinal(mdctx, (unsigned char*) signature->Bytes(), signature->Len()); +#endif EVP_MD_CTX_destroy(mdctx); return new Val(success, TYPE_BOOL); From d531a5405ae932425fef157aed0a544a08e986b0 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 29 Mar 2017 12:40:14 -0700 Subject: [PATCH 125/631] SSL: Fix type of ssl validation result --- scripts/policy/protocols/ssl/validate-certs.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index 4c100ac413..c50da10380 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro 
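Review bot: In the fallback branch (no `NID_ct_precert_scts`), `pos` starts at -1 and, if the loop finds no matching extension, reaches `X509_delete_ext(x, pos)` unchecked, whereas the `#ifdef` branch returns early on `pos < 0`. With the assert now guarded out on this path, nothing reports the missing extension and verification continues on a certificate that still carries its SCT list; the loop body lies between the hunks, so this is inferred from the lines shown. A shared check after `#endif` would make both paths agree: `if ( pos < 0 ) { reporter->Error("NID_ct_precert_scts not found"); return new Val(0, TYPE_BOOL); }`. `assert(x)` after `X509_dup` also disappears in NDEBUG builds, so an explicit null check is safer there.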
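Review bot: `success = EVP_DigestVerifyFinal(...)` is passed straight to `new Val(success, TYPE_BOOL)` in both preprocessor branches, but OpenSSL returns 1 only for a good signature, 0 for a bad one and other values for more serious errors. If `success` is a plain int (its declaration is outside the hunk), an error return could be reported to scripts as a valid SCT. Comparing explicitly closes that: `return new Val(success == 1, TYPE_BOOL);`. For the `#else` branch, `const_cast<unsigned char*>(signature->Bytes())` states the intent more precisely than the C-style cast. The `todo` about a cmake test is worth following up, since `NID_ct_precert_scts` is only a proxy for the function's signature.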
@@ -21,7 +21,7 @@ export { validation_status: string &log &optional; ## Result of certificate validation for this connection, given ## as OpenSSL validation code. - validation_code: count &optional; + validation_code: int &optional; ## Ordered chain of validated certificate, if validation succeeded. valid_chain: vector of opaque of x509 &optional; }; From 04478acb596adb7824885440f99365b04c9b402e Mon Sep 17 00:00:00 2001 From: Julien Wallior Date: Wed, 8 Feb 2017 17:25:51 -0500 Subject: [PATCH 126/631] Fix NFS protocol parser. --- src/analyzer/protocol/rpc/NFS.cc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index 8a2620e2e5..a8434afb74 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc @@ -250,8 +250,8 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, analyzer->ConnectionEvent(event, vl); } - - Unref(reply); + else + Unref(reply); return 1; } @@ -646,7 +646,7 @@ Val* NFS_Interp::ExtractBool(const u_char*& buf, int& n) NFS_Analyzer::NFS_Analyzer(Connection* conn) - : RPC_Analyzer("RPC", conn, new NFS_Interp(this)) + : RPC_Analyzer("NFS", conn, new NFS_Interp(this)) { orig_rpc = resp_rpc = 0; } From e69bb37cc79a684a8c66f1fef1b7376e2e973380 Mon Sep 17 00:00:00 2001 From: Julien Wallior Date: Tue, 14 Feb 2017 10:23:34 -0500 Subject: [PATCH 127/631] Expand parsing of RPC Call packets to add Uid, Gid, Stamp, MachineName and AuxGIDs --- scripts/base/init-bare.bro | 10 ++++++++++ src/analyzer/protocol/rpc/NFS.cc | 10 ++++++++++ src/analyzer/protocol/rpc/RPC.cc | 14 +++++++++++++- src/analyzer/protocol/rpc/RPC.h | 11 ++++++++++- 4 files changed, 43 insertions(+), 2 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index b5bf5d298d..42f75f250c 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
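Review bot: The new `else` before `Unref(reply)` in `RPC_BuildReply` carries an ownership rule that nothing in the code states. The reply value appears to be handed to the event's argument list in the branch above, so it may only be released here when no event is raised. The condition of that `if` is outside the hunk, so this is inferred. A comment such as `// reply is owned by vl once the event is queued; release it only otherwise` on the `else`, plus braces to match the block above, would keep a later edit from reintroducing the double release.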
@@ -2142,6 +2142,16 @@ export { rep_dur: interval; ## The length in bytes of the reply. rep_len: count; + ## The user id of the reply. + rpc_uid: count; + ## The group id of the reply. + rpc_gid: count; + ## The stamp of the reply. + rpc_stamp: count; + ## The machine name of the reply. + rpc_machine_name: string; + ## The auxiliary ids of the reply. + rpc_auxgids: index_vec; }; ## NFS file attributes. Field names are based on RFC 1813. diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index a8434afb74..c4ab307364 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc @@ -1,6 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. #include +#include #include "bro-config.h" @@ -288,6 +289,10 @@ val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_s // These are the first parameters for each nfs_* event ... val_list *vl = new val_list; vl->append(analyzer->BuildConnVal()); + VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType()); + for (size_t i = 0; i < c->AuxGIDs().size(); ++i) { + auxgids->Assign(i, new Val(c->AuxGIDs()[i], TYPE_COUNT)); + } RecordVal *info = new RecordVal(BifType::Record::NFS3::info_t); info->Assign(0, new EnumVal(rpc_status, BifType::Enum::rpc_status)); @@ -298,6 +303,11 @@ val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_s info->Assign(5, new Val(rep_start_time, TYPE_TIME)); info->Assign(6, new Val(rep_last_time-rep_start_time, TYPE_INTERVAL)); info->Assign(7, new Val(reply_len, TYPE_COUNT)); + info->Assign(8, new Val(c->Uid(), TYPE_COUNT)); + info->Assign(9, new Val(c->Gid(), TYPE_COUNT)); + info->Assign(10, new Val(c->Stamp(), TYPE_COUNT)); + info->Assign(11, new StringVal(c->MachineName())); + info->Assign(12, auxgids); vl->append(info); return vl; diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc index aff6bfefc0..8f1952587e 100644 
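Review bot: The doc comments on the five new `info_t` fields describe them as belonging to "the reply", but the NFS.cc hunks below fill them from `RPC_CallInfo` (`c->Uid()`, `c->Gid()`, `c->Stamp()`, `c->MachineName()`, `c->AuxGIDs()`), that is, from the credentials of the call. They are also values asserted by the client, and nothing in this patch verifies them, which script writers should know before using them for attribution. Suggested wording: `## The user id from the call's credentials, as claimed by the client.`, and likewise for the other four.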
--- a/src/analyzer/protocol/rpc/RPC.cc +++ b/src/analyzer/protocol/rpc/RPC.cc @@ -40,7 +40,19 @@ RPC_CallInfo::RPC_CallInfo(uint32 arg_xid, const u_char*& buf, int& n, double ar prog = extract_XDR_uint32(buf, n); vers = extract_XDR_uint32(buf, n); proc = extract_XDR_uint32(buf, n); - cred_flavor = skip_XDR_opaque_auth(buf, n); + cred_flavor = extract_XDR_uint32(buf, n); + int cred_opaque_n, machinename_n; + const u_char* cred_opaque = extract_XDR_opaque(buf, n, cred_opaque_n); + stamp = extract_XDR_uint32(cred_opaque, cred_opaque_n); + const u_char* tmp = extract_XDR_opaque(cred_opaque, cred_opaque_n, machinename_n); + machinename = std::string(reinterpret_cast(tmp), machinename_n); + uid = extract_XDR_uint32(cred_opaque, cred_opaque_n); + gid = extract_XDR_uint32(cred_opaque, cred_opaque_n); + size_t number_of_gids = extract_XDR_uint32(cred_opaque, cred_opaque_n); + for (u_int i=0 ; i& AuxGIDs() const { return auxgids; } double StartTime() const { return start_time; } void SetStartTime(double t) { start_time = t; } @@ -78,8 +83,12 @@ public: protected: uint32 xid, rpc_version, prog, vers, proc; - uint32 cred_flavor, verf_flavor; + uint32 cred_flavor, stamp; + uint32 uid, gid; + std::vector auxgids; + uint32 verf_flavor; u_char* call_buf; // copy of original call buffer + std::string machinename; double start_time; double last_time; int rpc_len; // size of the full RPC call, incl. xid and msg_type From 1ee9610b772087aaea17b1ea5bc825005079395c Mon Sep 17 00:00:00 2001 
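Review bot: The `RPC_CallInfo` constructor now decodes the credential body as stamp, machine name, uid, gid and gid list whatever `cred_flavor` is, and it uses the pointers returned by `extract_XDR_opaque` without checking them. For a call with another flavor, or a truncated one, the fields would hold unrelated or default data. If `extract_XDR_opaque` can return null on a short buffer (its definition is not in this hunk), `std::string(..., machinename_n)` is built from a null pointer. I would guard the block with `if ( cred_opaque && cred_flavor == RPC_AUTH_UNIX )`, check `tmp` before constructing `machinename`, and cap `number_of_gids` before the loop, since the AUTH_UNIX definition allows at most 16 groups. Part of this hunk, including the loop body, is damaged in this rendering, so the loop itself could not be reviewed.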
From: Roberto Del Valle Rodriguez Date: Tue, 28 Feb 2017 16:49:35 -0500 Subject: [PATCH 128/631] Added rename event to rpc/nfs protocol analyzer. This event identifies and reports information about nfs/rpc calls and replies of the type rename. --- scripts/base/init-bare.bro | 20 +++++++++++++++++ src/analyzer/protocol/rpc/NFS.cc | 33 ++++++++++++++++++++++++++++ src/analyzer/protocol/rpc/NFS.h | 2 ++ src/analyzer/protocol/rpc/events.bif | 28 +++++++++++++++++++++++ src/types.bif | 4 +++- 5 files changed, 86 insertions(+), 1 deletion(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 42f75f250c..12d1914c90 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2182,6 +2182,16 @@ export { fname: string; ##< The name of the file we are interested in. }; + ## NFS *rename* arguments. + ## + ## .. bro:see:: nfs_proc_rename + type renameopargs_t : record { + src_dirfh : string; + src_fname : string; + dst_dirfh : string; + dst_fname : string; + }; + ## NFS lookup reply. If the lookup failed, *dir_attr* may be set. If the ## lookup succeeded, *fh* is always set and *obj_attr* and *dir_attr* ## may be set. @@ -2274,6 +2284,16 @@ export { dir_post_attr: fattr_t &optional; ##< Optional attributes associated w/ dir. }; + ## NFS reply for *rename*. Corresponds to *wcc_data* in the spec. + ## + ## .. bro:see:: nfs_rename + type renameobj_reply_t: record { + src_dir_pre_attr: wcc_attr_t; + src_dir_post_attr: fattr_t; + dst_dir_pre_attr: wcc_attr_t; + dst_dir_post_attr: fattr_t; + }; + ## NFS *readdir* arguments. Used for both *readdir* and *readdirplus*. ## ## .. bro:see:: nfs_proc_readdir diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index c4ab307364..e4c21f6cfb 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc 
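Review bot: The four fields of `renameobj_reply_t` are declared without `&optional`, while the neighbouring delete reply visible in the context declares `dir_post_attr: fattr_t &optional`. In NFSv3 the pre- and post-operation attributes may be absent. If `nfs3_pre_op_attr` and `nfs3_post_op_attr` leave the field unset in that case (their bodies are not in this patch), a script reading the field would hit a runtime error. Declaring them as `src_dir_pre_attr: wcc_attr_t &optional;` and so on matches the sibling type. The `bro:see::` target `nfs_rename` should probably read `nfs_proc_rename`, and `renameopargs_t` in the previous hunk has no per-field comments.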
@@ -69,6 +69,10 @@ int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) callarg = nfs3_diropargs(buf, n); break; + case BifEnum::NFS3::PROC_RENAME: + callarg = nfs3_renameopargs(buf, n); + break; + case BifEnum::NFS3::PROC_READDIR: callarg = nfs3_readdirargs(false, buf, n); break; @@ -197,6 +201,11 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, event = nfs_proc_rmdir; break; + case BifEnum::NFS3::PROC_RENAME: + reply = nfs3_renameobj_reply(buf, n); + event = nfs_proc_rename; + break; + case BifEnum::NFS3::PROC_READDIR: reply = nfs3_readdir_reply(false, buf, n, nfs_status); event = nfs_proc_readdir; @@ -384,6 +393,17 @@ RecordVal *NFS_Interp::nfs3_diropargs(const u_char*& buf, int& n) return diropargs; } +RecordVal *NFS_Interp::nfs3_renameopargs(const u_char*& buf, int& n) + { + RecordVal *renameopargs = new RecordVal(BifType::Record::NFS3::renameopargs_t); + + renameopargs->Assign(0, nfs3_fh(buf, n)); + renameopargs->Assign(1, nfs3_filename(buf, n)); + renameopargs->Assign(2, nfs3_fh(buf, n)); + renameopargs->Assign(3, nfs3_filename(buf, n)); + + return renameopargs; + } RecordVal* NFS_Interp::nfs3_post_op_attr(const u_char*& buf, int& n) { @@ -568,6 +588,19 @@ RecordVal* NFS_Interp::nfs3_delobj_reply(const u_char*& buf, int& n) return rep; } +RecordVal* NFS_Interp::nfs3_renameobj_reply(const u_char*& buf, int& n) + { + RecordVal *rep = new RecordVal(BifType::Record::NFS3::renameobj_reply_t); + + // wcc_data + rep->Assign(0, nfs3_pre_op_attr(buf, n)); + rep->Assign(1, nfs3_post_op_attr(buf, n)); + rep->Assign(2, nfs3_pre_op_attr(buf, n)); + rep->Assign(3, nfs3_post_op_attr(buf, n)); + + return rep; + } + RecordVal* NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf, int&n) { RecordVal *args = new RecordVal(BifType::Record::NFS3::readdirargs_t); diff --git a/src/analyzer/protocol/rpc/NFS.h b/src/analyzer/protocol/rpc/NFS.h index ba6cab38e2..85fb10ab49 100644 --- a/src/analyzer/protocol/rpc/NFS.h 
+++ b/src/analyzer/protocol/rpc/NFS.h @@ -37,6 +37,7 @@ protected: EnumVal* nfs3_ftype(const u_char*& buf, int& n); RecordVal* nfs3_wcc_attr(const u_char*& buf, int& n); RecordVal* nfs3_diropargs(const u_char*&buf, int &n); + RecordVal* nfs3_renameopargs(const u_char*&buf, int &n); StringVal* nfs3_filename(const u_char*& buf, int& n); StringVal* nfs3_nfspath(const u_char*& buf, int& n) { @@ -54,6 +55,7 @@ protected: RecordVal* nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); RecordVal* nfs3_newobj_reply(const u_char*& buf, int&n, BifEnum::NFS3::status_t status); RecordVal* nfs3_delobj_reply(const u_char*& buf, int& n); + RecordVal* nfs3_renameobj_reply(const u_char*& buf, int& n); StringVal* nfs3_post_op_fh(const u_char*& buf, int& n); RecordVal* nfs3_readdirargs(bool isplus, const u_char*& buf, int&n); RecordVal* nfs3_readdir_reply(bool isplus, const u_char*& buf, int&n, BifEnum::NFS3::status_t status); diff --git a/src/analyzer/protocol/rpc/events.bif b/src/analyzer/protocol/rpc/events.bif index fc42aac6a6..881faface1 100644 --- a/src/analyzer/protocol/rpc/events.bif +++ b/src/analyzer/protocol/rpc/events.bif 
@@ -274,6 +274,34 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t ## register a port for it or add a DPD payload signature. event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); +## Generated for NFSv3 request/reply dialogues of type *rename*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rename nfs_proc_write +## nfs_reply_status rpc_call rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameopargs_t, rep: NFS3::renameobj_reply_t%); + ## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is ## generated once we have either seen both the request and its corresponding ## reply, or an unanswered request has timed out. diff --git a/src/types.bif b/src/types.bif index 500c8c9851..20995ef105 100644 --- a/src/types.bif +++ b/src/types.bif 
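Review bot: The doc block for `nfs_proc_rename` leaves `## req: TODO.` in place and lists `nfs_proc_rename` in its own see-also list. Something like `## req: The arguments passed in the request: source and destination directory handle and file name.` would document the parameter. The self-reference in the `bro:see::` list can be dropped.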
@@ -30,7 +30,7 @@ enum proc_t %{ # NFSv3 procedures PROC_MKNOD = 11, # not implemented PROC_REMOVE = 12, # done PROC_RMDIR = 13, # done - PROC_RENAME = 14, # not implemented + PROC_RENAME = 14, # done PROC_LINK = 15, # not implemented PROC_READDIR = 16, # done PROC_READDIRPLUS = 17, # done @@ -101,6 +101,7 @@ enum createmode_t %{ type info_t: record; type fattr_t: record; type diropargs_t: record; +type renameopargs_t: record; type lookup_reply_t: record; type readargs_t: record; type read_reply_t: record; @@ -110,6 +111,7 @@ type wcc_attr_t: record; type write_reply_t: record; type newobj_reply_t: record; type delobj_reply_t: record; +type renameobj_reply_t: record; type readdirargs_t: record; type direntry_t: record; type direntry_vec_t: vector; From 0cd0ffed13746e80ced2fe01085a096368f08b22 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 5 Apr 2017 08:58:08 -0700 Subject: [PATCH 129/631] SSL: update dpd signature for TLS1.3 The dpd signature missed a few cases that are used for TLS 1.3, especially when draft versions (which are all that we are seeing at the moment) are being negotiated. This fix mostly allows draft versions in the server hello (identified by 7F[version]; since we do not know how many drafts there will be, we are currently allowing a rather safe upper limit. --- scripts/base/protocols/ssl/dpd.sig | 4 ++-- .../scripts.base.protocols.ssl.dpd/.stdout | 3 +++ .../Traces/tls/tls-13draft19-early-data.pcap | Bin 0 -> 15980 bytes .../btest/scripts/base/protocols/ssl/dpd.test | 1 + 4 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 testing/btest/Traces/tls/tls-13draft19-early-data.pcap diff --git a/scripts/base/protocols/ssl/dpd.sig b/scripts/base/protocols/ssl/dpd.sig index 2ebe1cc634..1b8cad2f76 100644 --- a/scripts/base/protocols/ssl/dpd.sig +++ b/scripts/base/protocols/ssl/dpd.sig 
@@ -1,7 +1,7 @@ signature dpd_ssl_server { ip-proto == tcp # Server hello. - payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...\x03[\x00\x01\x02\x03]|...?\x04..\x00\x02).*/ + payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50]))|...?\x04..\x00\x02).*/ requires-reverse-signature dpd_ssl_client enable "ssl" tcp-state responder @@ -10,7 +10,7 @@ signature dpd_ssl_server { signature dpd_ssl_client { ip-proto == tcp # Client hello. - payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03]).*/ + payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03\x04]).*/ tcp-state originator } diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout index 7b2d255900..bbdfb4a3a6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout @@ -8,3 +8,6 @@ Start test run Client hello, 10.0.0.80, 68.233.76.12, 771 Start test run Client hello, 192.168.6.217, 67.207.128.99, 771 +Start test run +Client hello, 192.168.6.240, 139.162.123.134, 771 +Client hello, 192.168.6.240, 139.162.123.134, 771 
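Review bot: The two signatures are widened differently and nothing explains why. `dpd_ssl_server` now accepts `\x03\x04` and `\x7F[\x00-\x50]` as the hello version, while `dpd_ssl_client` gains `\x04` only in its second alternative and the first one still requires `\x03[\x00\x01\x02\x03]`. If a client ever sends 0x0304 or a 0x7F draft value in that field, the client signature would not match, and because the server signature has `requires-reverse-signature dpd_ssl_client` the analyzer would not be enabled for that connection. A comment above each payload line stating which versions are expected in each position, and why 0x50 is the upper bound, would make gaps like this easier to spot.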
diff --git a/testing/btest/Traces/tls/tls-13draft19-early-data.pcap b/testing/btest/Traces/tls/tls-13draft19-early-data.pcap new file mode 100644 index 0000000000000000000000000000000000000000..042ca6aaf6d58481aa84ac84e2a8f71332c3a5bf GIT binary patch literal 15980 zcmch-Wl)_<(5}7E;O_1a+}$O(1a}Ya?(QCfyK5j2LXhCDf#484KyY_GYh}OL=S{Nr zK7YRYpr#7ydFtwWx_kA^^qQ&e_xa!eNWlO7fdqg7|9OM9skyn02v7k24H^Kdi0`pM z9xR=GLR~Nb2>?J?2tpVj3{8LDQ3ib+UEm$|w89?z1nH0gdbtMt>1pl(004)C`Tzz2 z0R;vI14qC-1`m1$2@U`x0qKd~_b(ei==?wf07huvI}jOU0mxpdXE7rH zTFA^pb0m2k`4=4$90m>*v3VCn2U>atA};{RqChHW{GpruTp6U>z2-OFnLs*W0165w zNgDw0KYFV{WDt>%6%4=$bPH(wP6VTAAqEkvkN%N}gMt}Q_&2czM8tvs0~`TKdk_#D z=ZbTl!TxF+3?;=V7b;j-1VWiY}r$>82R1rhR7 z7Oebyq3MWBh=7eS$cxl95P!$zkBGA`fq^2P5B6Kc37;Sx;{#9tdyE}_c@Y)y69F*V zH6Ws23j|;n3h-n6PJ~)q0tXQ@HUEv+S@JiL5JUvUMHw8J@BZi>;K70PO%o^At4WSA zV3fYAC$n~AunroL=SB-*LzB_y;J~TV{55rkkTfRZao0MX&1I(pQ|c zG0xZ$uoRO9uXjA?LH~xHD)ee^J(YBv#C0y!bcZXu6IxPm|?H!2IpQ|wPA8wQ&)OmmHyU~)MX7fhcbDXv5=VKwP ziO!y+Xt0wrYrzm#fwd&dN3*e5e3-%;=?W$=hx?fBI(k|WkE8_WFM9hN!mj#?Sh+t| zB1`f-b-5DSW^fm^@cg%JLU9y?~s0jWl1KK^@ydBB+CGqK6>pfI+` ziz^L9*u1d%hgMB5w#`<9apG6H``>eUtR|u?^6VZ?jc*CEoo}R}KUl0VHEC?e_|qG$ zGNGv=ZMoA23v8}z=SC+*eov2haDP3d0`bJ4_MH~7kjawu&V*WcwbXXMnks9cr9lc1 zN1;(5s9B=4L)XlrSu*`eUJEYHmbx(=k`X~B^IC13m%^Vytkl)a$)=H$F56XNV4RPR z;63;kfOkSFZG*DyW9$|OyD9EX*+~hOY=$e}psmmIhqlv}9ivNxq=Cit^=+?ozN-Y` zLDfQqrlUn+2IuzA#+C!3d8Kup33G*8_?*Ym=Y_zJXGjd+*{p`ZU@>E`U^F#PQag>@Pa*kG!0Y zlW*u!(9K)RQap>(_Oii9Wz@-?B-ng++1*I|k~Fx(vuRXI#>cCf^FH%8}ad?o$kRGHU4^Q#%AOs!e+nOHW)#guQK&9}p$iyY@2-bRz>3!$ofR z7CFP=-L%i!Qv-R0I>fbjm9nATaL2J8zCe!Y(1tR1+Tf7Y@3P9(XwCV#_Df+iOvY!Q zGD$jQG)J68Ini}}zTL{;WuIdWki5?s-winOjFI%cUHJyZf7&(&e#Ssx_-qEHu`~p2 z$0%cyma+D7lc>f!$RIBEmyNQX9xm;Q15*VKT`rl@s&GzGKkDg26);BZ^bMHGo##K$s z^xbbM+hxrIxJ1@upUy)ri(1E(jOV0gx8D;Ea(!wyLWf?0xhgt(S7FVW2_GrYyKU5W zh^S#rCrB>k57?MC=*0uK_nf7Uivm^t!2hoN5I-uv#;=v%y7%W=G9&nFTbIa#nq};CG;~r#Ybr&_&XBcsL)2Bu<4NXS&1cGQ znGZ(D^t=U)XTP8(6~{Il_q=o!xzplOHtatYO7u2Xd;Ne=-CI)Ksh+nElM`6ZkgoY^ 
z!v7ZUGELGXIX-;ehMa{EYy^3MEi680B%h7go!Q8qz0$55;?<~VN7-V-1y}om>_uI6 z|70{Gr+to~AADt2`=#T-B?Wh7t*)RX*-B0Zq8HqDo{SdjGJ%G8-opV)FO6Swtvp#_ ztUqNctb9Y^_GjP6yxJ(?!{K(QVVr*Fa0zLJf@Gg{Mf-GEy(VH-8TadmuD9OZxfa6; zW5*#*oYMg4WSx}T&!4m!609nGP-{Y(|b79AD^=PTJE*uX3C5^8XA)7l2pchgg&-^V!Vpe8;G%tUTYG(bDvxw7{&j_X1^1qV!~>zh5A?a5?_gDI z17_R=YA{=^72jW*<=jP&FXwD~1TNJ{L!=L_pI&o7(MGp8(rS!6fxqA$BVlzg#@ z6SrY_HSWTVW*Aa>J$qRHJYanozQRXk9x?#n@!HeT;VAovK=abjm@mRAUI*+%eBHXj z8YdKjAU>dKU1USXrH{!`GJ~A-6RyI!2M%uF$x07vsDriMSdYUtHGPlCw!l!V zeYf~!S5;?Sv+B?lMYvb|)u5p>EhW7jnc+lxidW;p38TdfHkRZvIL?cGuLImdCU;1P=`Ph@#rSsRhRW7+=aib05ZuA7B)m3puQQT{ZN1 z0X2nJZ*zUGrk&ae@vMFn1-$ve!VH(?{L>Br(LVOa)LUesL`CfYM?5t6SvCb^gE324 zJtD3bLI^O>xjRmJgIDucqgqmjOMBu(D-L~tUBcH>#2ed|3Cw$Vb%k|T?~Zz#VE1l( z++f-oF)kg1o6#>Y^d6uX zF3Le1@mLy4&&%$RW%VF6td4dw%U_AVB&wEL7AXgtLEv*?Y);Cb-<-dr6w^Dz)lJK} zIiB9mK(>O6E0%O5TapJH!YkhqCr4Qj!wxR8^$B?bw})W3I-ekyc@A~-6_owH-VubQ zXw|v&Aka;RmiWjc7nr7rV2;>W4`s-Y;-F3dNY5`G`|y=vTyoQ{9X=B%xoARpBqKpKz)MMpunqti>CTzMb@z%;*P1u_<}5y15z1V zzAh_Xrb5*aubLrXV#%BOEXVId#@Ut!a{jt;GYOhc2NTSQcPaDi=&em?Z&Dp}-T2%{ zR{5ax({nyD#?Tj?&mc3oGQ%;FxoCPR9noL18S`oTE}eK?fw}Qr=bWVF2!EX%`-sXA z15x=jWoUt{WD@xK5P55NU)AdSUgd0D-%2+!35o8v2mupH1V?BM?6n|6WKiYr09O8g zKi%DTgU(|1LcgBH9OLU*9Bl(okUyc{{yd9~s{v0Egdk#TD+B;^Yz2+qPZ5BaB}mX( zl2`KUTHwfuB9}Y z2;jn7Oui+VI5)0DV6;4QLeC0iXzv%Jwkk6k8o&yBU0lD%LoZoe^llVRQzP!0G2CDY zDF>u<8mRQ&=PtwnnmhgHf0%nOaPE!h#edEn=L-ZN1~_lf`2A!H@Ow}K5$!Dgk%)r= zaHap7s0H%okJ(~us!qUn%gp3Fs&bWYp<`N6r38E<<4$ulH34VHKRg}HWiS*n zHW3r$Ev!A*$8-p;U#{~>+3F=2&h<}R< zXpNr_0LEoU_3yYS5-^WzfwawkxZv`&Y|#Q6x`KZQD5>f}Eqn2yhf&2^{W$)C7tK$! 
z?o1F$a{6}HrC;jYb%SRBqgBKO3Kr?^Vraltkv+uj3rAB{w?>l$*kaeR#36*0u6(I9 zJt=uPSxtlBjLn4ZE8R+*Ij^nn7w8`o&9X7f3G7`m^Lcim1C-d-%~V3|QE2&dme-h- zpY$QGl3Bp|eG1jxmfao3O4Jl&;UtIKNR3B#SNB|(%ySsgqaHpHQ)sc!t706pnN)xB z>pco(`}jh+kg^W5$aZ9>N;9;wz<`k2P9WkoQwHR(VxYhNJv*YNL9tw8_$`+6^(;<> z!0fm|HTgT1_rO>xCIg8D!~lRcFfl;mkL-}^MgbAa7XFb4%nr5EpTtQ?5D^psbc%q| z2EFa&WaTF6wVo8NSXEqSkfj}C4Xp-d=kENX!bG_f@Re|6_|lNta=1l zdJVM133L!>{NW{GpMqXi0yf_GdI10sMQ|4CZx8&TmwoBk552$j!<;_- z(2EM#BSiUCFNmlOB>uZD=5HWfeDwb>T^H@o{!16k4_&vv`SEXE1eJg5N(1>3q)WEr z*?;H~s{`qx(fu!7X+R2VP~{_Cc1F{kM1NBw9o&J#;SVSVGYp2D5yKRa`eBulO0L~%&S|V?j(rZ2PFS{rhkbB z>CSNfP4_5}UJL3@+T;Dq^tCsrh#g8G;+X*);5kq?X#Adk;P|s}AmSU;evX)7DuOar~bB!)UzW80H3Zq?xF>P+b3GApB z!C+-jhpW`4G_QUk7z-u;>pH*Hqk@2|+T@uII7{u*$R};WN(_OafM=wp&~1GQNr@_B zu5pP5OoPW#XXCefAE{IgY&ifd%!@J<06DbqL>_mESEj9(!|afj4jjqrnnOCW9==sl zTGf>YUUfsV0(r0!%5brY8=%C|enR*=75^+bjKJ*#6STtT|Mk%ZC3!6oQ}+i@L)Pc- z64?<#z`XVbM9c;f1Ax8+jo(ud;6yPAO2rqazougMhabreOhtkJX~+^VuL}W_I|Nj8 zdC1QFd#bOSv?Sjk`!m=0TaR84si7lS19!_)rz7-R2#?x)z3x)(TRpwZuSi2=3G4i%VrKqzRk_&Q@W3gg5ghw}t6hE!FIW)VG2E+VQvcg@qQ zpyv{fR$7IR8hvmqLZKo&*3T%I=ZcEixd|5!)$2wTHDKK}h--E0^^>lOIjA^Um$Tf9 z+p=&2vrCHIW)(h8*Y`f^%)zSsOy86fim`p#`+nu_kuoyr5JvQ}}qLfI^F>ucd0CYeyxgU}U+em;w0 z9&P`ZN$5NN;&_5vRINb1K>G;{a{w*FY(72fMY^mYulXj&h1!fV)vjgK0HUkReSnyz zLkI{^T%1K@HqnHm2+k0GQ40#Y%l#rGwpN+&*3|3L^(2-9r zDv*1)WN`h6sbpVlqCzugSuJyJh~MAvG-gk}Gbc~Ru%BKybuzs6izcc+<0Ssv9-3Ns z7_JgOtNSfQ4~oudZmP52&1YXT5xr~+E(Al`<{)g{u3x&k%3pkzF8rwBOVsk^|3qF36kyb-fVVDk)NS5SsJ9ZBK`b zOPd^q;L`%~YF@Q0V7A_uQ$J-lR1RA5aDi$snCXAkUhW^YH~-h#dtUIf_GVE0L+#y4 zlEa{;A?~{2jCz}*Bese-Lc`UA#`0Rmb@+QWrUETP5Wqd1aEX9* z7ACphH!h`7MSY4rL7U!k;u?xq|A;EPz^J+M{qA`)-3srT;GOqb@A6u;|YBv3jQ7q!@v8o6u5E6)D#;eNN zRtumJPRU$Mne9j5(S)IG4&cWwOzfs!&I&rJpxX{2X_^SFy&!w58x?o&kWxspDY_iN z*5$0nkUt#9L%$iub?m?ut?N8z)k@8|==i=@RM_#td1!oBw~)5Sbd-ua)SGNaXKCQP z770VQbEWFd0hh0D(v+KG*;wgFTDAoqIO?m!xbk^ESK^t{FlF=arFW8-!-JJToJtAFSk_34{uEv zhCyAn8VQ@WU*k*?V3!<3yOVukGN)dgJNa&#<3}X}1*eNoet`WBPCDV3nJKe3)cQ*_b`+ 
z#A^jUO~PO}Z@Tf87zWV6?;K2DIG95>vy;SaU`P{930^jQDKL-ln3}}nbuTr|FN8~R za-1*hn?dxP&|1;Sl;3*tK;@uF=XPW-*m%^7;`2zim82-SMd0D8tF4^gKk!>5XL>Ph zEUi-522N1rfSJ;At3#2*<2JJ^ocd6w>qM(nnaJT19Y=mh5U`8XFe825J^gk2-X*nR zo+9vT;xUR@Y1s6AYp$&MN*<&~v|GJ_LyNCoZ%OGlv_f$V+|TAtF9y+IMCL@}J_>TJ zgjOuD_$k)4YQ$2!jfIFaI=~X00rY}+})I!a!!^rS`YDirF*2}Fc(dG zoN75SACmjIQEH|l#mqu$SP(?}rs)PV6ckwSM`FeMxmDEWEI$>7Uj1Hz9f4OfNn?9T ztt+_S)4+8f!b8=C4_^zpS{_entTy<6w~Y)S<-kVqh^DvAaedeePMf znyS3rPTzec?iohGJVf|HSB6zdI`fT+5C`)3!8qCviLBFcXex4|?Zs{=M5iyiC)G;< zwI`#>CIwCE>j#oi~ljm(zxiJk;XpG3_|o9DYL-OUYT){HAsB#sZL!HAf^9Dv2j7q?>R0 z43d`EbrF*njJX>*dX+zGBEMdA&XCsxRC^VGwHJ79`7!?3NvDCkgLcxEG=J`-&kF)@ zkhfxit+l^y8?EmHchZfZT|TB9FTbx7LW9tEtd$hbo!)D#z)zkvKlcBUiP2&KZ@DhP z;FyvdS7ki$66lq#>XDL%DxspHB2=W=$r{Yu&8eOG78 z28UP-_a+)V*@FbQl~#yk{m~89=!q5cx(yibUv0af>Q6__^BMD&^y?+VfW4p4ou`eY zJ_^WzVJlApuU~PuAOeTDK+P93(GXQ_(#D6YxaEE+G6eppwb|eh-){9bGl{Jwbml3e zxtN^y;`%!lvdc5ep|M+D1qEV4Mb*x=8T3)gM#Z>crQw@yZ}n~;i)GQWFG#&Kc0!ER zg6vBgU8}Dr>ug@C`LDTsjrccf+cj#XL`hOmw1r)apDZ;q={m9KzppIs z`}V?WHb0k<h&CBfynU zx9t1pg#{lvGnSD&Ys`aIUxJz1w={}U0$!xu#}SOxV6G%tsNJs~WMpL{I!8PgbRIm`aEX#2;iwuzYQxM_YHa9{vbWiRQo(hzso5a6 z)%Mb)Q#kru%u1t6vs%lVGs)vFTrDC^_}xcI79ll&d z!~3H6amLImYvBQ#MVf>iO#l3dfKbEaHPm288l3>%N`y`D{rz3fj7O~2I^QjLL(CTJ zR77=%#A$|&Zp)_}+yoO{_&UKf?@Q+Z&G46l_iwy%n%qTip6VCm5GcNgYMTyjD!s`2L4=Btg?44lJ>SodMMmw0uJST$&5metF;)|Y|XBIQE) z5%s`DIxL>V4^W&qP8;~f*ye9KAr$RxX||4izgL1|6%N_Vz9oZ(uks+>SsQ^1L(T+v zhF8GGRuP}&A(ndH;%nVnda1uzHAAVkV->@H6s}yF%&PIZmQp#WhsH8ibnxs@y0yNr z@Hr%}EPw5i<7$9Gt7MzIqd&)9O8E5)Av}JDPHAc5lG(cxc1bl~!SrPqk#|C8z5D49 z&il--i1c>fT0dMxUtZ@8j-smkGJV_s4;k-xvT`p+tUrgXRm{5@9clqUfv(IH}}`t`*``Y z_Uc*vL+vFl4`?bAVFL^D&L=&xq1*0J^enK1j8TTTV5^K8SLsGr={%;fy-bNt=ll$o zZB4a|9rbZggfqZu8z*!BowCi$jjD$70lsAYsr<>aXAH}NDMLbjA#YWOn(-?xE1`UO z#J2KYnliDVF;REDUf`xGdb7&?Ri==#+Q^b!j*p{2!yO*`P0f{aC0&9Ng7`~$QC1(5 z)GHbOBxfJJc_CfiNvi#BrfxlA#;LuY88NMHGOP=Uc%wMS$rR$+xc z$1oI9>RQUtZxK2j59#$rnM$`^p6gCaEILXE5|fDV&D?5%Zd!OSWPz&iw&FLNC(YFy 
zAfGqA#E)Re3g(*17zi1%e#X*a{e+I(seTgH$sjd2veS0MG2InFv{}g<^Yu_k?=~&s zH1Eq=>-nx2oK!dD2;1_kb)c4+U=XQ&obj%SuoA2_j$~@RQZkKAQu_P!`j&Uh_+bKt zC8Z(6DxcFu6dHK7n6nmpPLy}B-V3|~XlV2994VTE;i>0<=iA!uA#%%qgS;*?N6Q?6 z=f>)EKG8CZF%GZp+JFmn9&=`If2a3k^Vtx$ACYTsvTXP$14ANysxS7l(i3BG{UVgW zo#{42dz3zJu$WhN4~|8!ciI;L;BOKswS0ull%BfNOchFX zbJ6ZYMuO3gv@57&z$srmjG8KJi(U5okt>V{C{z!>&*$ApC1Hh1d#M$XVB05|K~?c3bwW_YAtm&N zqBFJ}auV}Jb>VnzQ`ECr|EV<%$H{Tmr=#;skZ>4QKoAroS6sS

#EMdK(4TiwOMknXRs%8?-Rk>Kq0 z%)MklfBAH77gKaxHU2I6C3g@y{>xg|vy8S#xn&o;E&5y?5A=FDZRsUyw-LE12SKmQ zQ_3rqU^IAmbm`7nJ?K#Hr2)Pp-K$Or0S0O8OboBARBqDN z(VQt=Qr&FckFN!`p`jNv4~(pD2h)iFEEPsfXiLJ%X?@9_ulWxqAjmqAuaajq31LQE zS%18KTY!1qK1;iqpmEUPoGy>A&YW~1sEB9N>}YvY(n~JJ1aG$=KgC1e`n1`sy&?+(=xflP>t3v>+MRVL~P482ZTC?nX;;SyXTnS zsEnRlGkZlWk4nGfnS#bTJ#VDyr1AyZx)aRYnc$<@a6J!DB(HexF>rsxePAytOO?J5 zR2vY5DWNM4HKgA}TR!7oo{jlhH1uxY>zkq2Ck@oLXP0CQn^iuCNW$<;2BmBHuYAAq zU2X6$BoRfs1wS}@P_iDr(17-A7tug?)g#4s@#3WPRRNc>(Jno+jDBn8-tBj@)|t8t zm5}0VL#&xK{w1(>cgjc}gy-NbH8T9l%=`6k`58y6w6nz!x_SKA!V7NBUq5wu6dxon z-R;YhS-?<}Ka(GSPkwt@@}i6AN-5KFR4|bO<@zhz2|R=!Mbw7t>G1yD=F&qY6}V26 z{Znt;dhfZ@8@L;)7atDgqZQQ1XlsplUXzFJ4e{7To^(cIX;o=4Vuh`k<)+;)?bnzQ0^=j@ME0rqE2g>Rl>Nx5vnv z%o%OYdJ6G=+jB&vWLp)U5xUpxNVw2Dms95HZ=jh_cT)ONq9ces+{eiJ!T>Z>;2Y71 zxGGm8w*;OKID2e^hcsgkm7N-!0TWD9SYbE|zFy&kpR^+x)Vy-$u)W%;K* zMD(T4Fd0=+q6xQ4lXcH4rtmKco%DG$ob!#g@`55db>_w_p)TE*c=~pt?Ks}VB1=<# z)YyvNQHGv#q@*+3AR2cTvZ)p5`EqWoVuOqj3|?FC@@%E%Y4suR+7fdxJFjsKZ*f3z zVW@(uCEu^IJH6A+^DB6g7xfa)$lGv_`a#%xcuS=y&raz3ClApc*zy?Br@VNwqv!9d zJha$lUf?qY&d$@J={Qd*MNK1;QnYD?-TUSsT}KQgvN6BMVd-b8L$?r2mf!uR8oYi` zwGMxW!?iQ-9HWSS+v|md0+UE{4R~8fzq>|~Ud(!fGgQNN^g(=G~sjX}>&{ZRi&HnW*oq zTR!23=tt;-x~L{yy!_VifXjwwnqz)RK2_4$PUtV{;0(&e`~AK@bR&i&ZFsE0s06HI zp~1JBR=@Y#froX>kuD`TCRadeyuvloF_O0?Q^gqm>F9$5i~^2+ z7o%_@8heN$0}~xFvauiC?aPU#qAXL|l_I%g3z@AhMspeDAe$;TJFW0!UdV$XubX9!_g{r948U>{R2HwAz?_8<=M4s z{+KB&_Cj4PJ48MSjIoL20P1{2zCp!gGrh{rbP1erHu`$fw{M;(5;DX^S$LP8Ni{(- zacu_Z>eJW_v&Tp)OKp4|iMeUf*cnjQ%>h6qPC`)6hjNmXp9^f&MypzTS2uK?iBzK1pMw4G=Bfi5!{85A5?qg z!hfy3urfbuZwIge0_weh`Y!+Tog+A3{?UboQ_mJZa_12g8F+~M=Fw_1)E%D<%P!2! 
zq&5ce8>O$JP_E>=Lg4Y5g3NDgE~!h|2PUi=JnWCLQ*YkTN8h8eGm18okf}!4$_kB# zi>2mEzcCHL&Gw+gN*@)T?2A=Kw1Z71TC_73Cts}3T-cCZE#1wL^re4;`TB@58=Mu@ zux}rGpJjsXt4`CbL5Xt6H`@nZOk2eX1n43Lp%FFN3p`jh@;;w#-FK7~_sm;o_>JFe z8sIR97^DJ*m#cZvg5rYCxvAZU!|>6$FY!npp;76bJ_$VUaE^midOs|kRL%evKPL!{ z-oV*IJ0SplB%Z#36Vpq-Dxsb)Q3y86*3=Qn(Ggr%yoJjgyCpkrXt9J0;ijv3>Sgn; zj<$nOz(TpX@E+{_II)9>M2z&Zit<#aTntt#8=;)|p}4QM@MU~xAuow>s#W6j1E>#E&8CUWACrCq`h9>qR1hoV(et_%L;ghhU&w=I>g+%`1TPw7I1 zaZHKGvnQ}WE%<)XW34`}BN0#3KPotSi2#(5=)jEp_r4keHK?y`{>VlgNz# z@gKKI83jPKLVo+#S^*zL#MGk>x(`UY^A{0VEA~Or0d-^N-?(QxiJzS17FWQe(f1SF z&cXEOmJdAl{DvuT%7c{3ikQ74Kr;U}_+00e1yXgp&9^-@yl%z_Yt&M0u9Q5uodpq| zScN(;_bV<<(_q9kLS3`N5{4x!_D9>E*)6!R#LTSs9O9wI;1p@MfkAbU9&04-2Q^ia zs@>9^GcX~2Rnj~S2SFTfR-x~!NhiKNH-J9#IMk>TadmN)cmiTUw{zLo6AKL4Gw`8ZD4%803O)CBO zt>(WhWdMo78sL9x|9zza$T13nvPYrn*X%*C0A`OpD0?)ce`Ze?JOT4o{txY7R1#Ty zMr;Q7+!Rq3N?B}zaQq-kFMyVQ`uz_}?2JM`EcN_mDd2}C;5|?c*k3Jyh`B)GzuyCO nqXGH-V(Yg^+Ji0zf$pac5dd$-11Wj`NvV1RqO^Jc7v=u|4k6Oq literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/dpd.test b/testing/btest/scripts/base/protocols/ssl/dpd.test index dc514ff9d4..02f3905e48 100644 --- a/testing/btest/scripts/base/protocols/ssl/dpd.test +++ b/testing/btest/scripts/base/protocols/ssl/dpd.test @@ -2,6 +2,7 @@ # @TEST-EXEC: bro -b -r $TRACES/tls/ssl.v3.trace %INPUT # @TEST-EXEC: bro -b -r $TRACES/tls/tls1.2.trace %INPUT # @TEST-EXEC: bro -b -r $TRACES/tls/tls-early-alert.trace %INPUT +# @TEST-EXEC: bro -b -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT # @TEST-EXEC: btest-diff .stdout @load base/frameworks/dpd From 6c9449c780518e45bdc05387288f7be81cafed79 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Wed, 5 Apr 2017 11:54:53 -0700 Subject: [PATCH 130/631] Add support for two TLS 1.3 extensions. New events: event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec) event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec) --- scripts/base/protocols/ssl/consts.bro | 4 ++ src/analyzer/protocol/ssl/events.bif | 44 +++++++++++++ src/analyzer/protocol/ssl/ssl-defs.pac | 4 ++ .../protocol/ssl/tls-handshake-analyzer.pac | 40 +++++++++++ .../protocol/ssl/tls-handshake-protocol.pac | 12 ++++ .../.stdout | 66 +++++++++++++++++++ .../protocols/ssl/tls-extension-events.test | 15 +++++ 7 files changed, 185 insertions(+) diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro index 2f646de516..9d9460906a 100644 --- a/scripts/base/protocols/ssl/consts.bro +++ b/scripts/base/protocols/ssl/consts.bro @@ -163,6 +163,10 @@ export { [42] = "early_data", # new for 1.3, state of draft-16 [43] = "supported_versions", # new for 1.3, state of draft-16 [44] = "cookie", # new for 1.3, state of draft-16 + [45] = "psk_key_exchange_modes", # new for 1.3, state of draft-18 + [46] = "TicketEarlyDataInfo", # new for 1.3, state of draft-16 + [47] = "certificate_authorities", # new for 1.3, state of draft-18 + [48] = "oid_filters", # new for 1.3, state of draft-18 [13172] = "next_protocol_negotiation", [13175] = "origin_bound_certificates", [13180] = "encrypted_client_certificates", diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 2855dd7fe9..8142f67c7d 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif 
@@ -87,6 +87,7 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, server ## ssl_session_ticket_handshake ssl_extension_ec_point_formats ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is @@ -104,6 +105,7 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm ## ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%); ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension @@ -122,6 +124,7 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm ## ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%); ## Generated for an Signature Algorithms extension. This TLS extension 
@@ -139,6 +142,7 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec%); ## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16 @@ -155,6 +159,7 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%); ## Generated if a named curve is chosen by the server for an SSL/TLS connection. @@ -169,6 +174,7 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%) ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_server_curve%(c: connection, curve: count%); ## Generated if a server uses a DH-anon or DHE cipher suite. This event contains 
@@ -204,6 +210,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_server_name ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%); ## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is 
@@ -223,8 +230,45 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_application_layer_protocol_negotiation ## ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%); +## Generated for an TLS Supported Versions extension. This TLS extension +## is defined in the TLS 1.3 rfc and sent by the client in the initial handshake. +## It contains the TLS versions that it supports. This informaion can be used by +## the server to choose the best TLS version o use. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## versions: List of supported TLS versions. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_extension +## ssl_extension_elliptic_curves ssl_extension_ec_point_formats +## ssl_extension_application_layer_protocol_negotiation +## ssl_extension_key_share ssl_extension_server_name +## ssl_extension_psk_key_exchange_modes +event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: index_vec%); + +## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined +## in the TLS 1.3 rfc and sent by the client in the initial handshake. It contains the +## list of Pre-Shared Key Exchange Modes that it supports. +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## versions: List of supported Pre-Shared Key Exchange Modes. +## +## .. 
bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_extension +## ssl_extension_elliptic_curves ssl_extension_ec_point_formats +## ssl_extension_application_layer_protocol_negotiation +## ssl_extension_key_share ssl_extension_server_name +## ssl_extension_supported_versions +event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%); + ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with ## an unencrypted handshake, and Bro extracts as much information out of that ## as it can. This event signals the time when an SSL/TLS has finished the diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac index 405ec34fbf..26eb29bfc5 100644 --- a/src/analyzer/protocol/ssl/ssl-defs.pac +++ b/src/analyzer/protocol/ssl/ssl-defs.pac @@ -150,6 +150,10 @@ enum SSLExtensions { EXT_EARLY_DATA = 42, EXT_SUPPORTED_VERSIONS = 43, EXT_COOKIE = 44, + EXT_PSK_KEY_EXCHANGE_MODES = 45, + EXT_TICKET_EARLY_DATA_INFO = 46, + EXT_CERTIFICATE_AUTHORITIES = 47, + EXT_OID_FILTERS = 48, EXT_NEXT_PROTOCOL_NEGOTIATION = 13172, EXT_ORIGIN_BOUND_CERTIFICATES = 13175, EXT_ENCRYPTED_CLIENT_CERTIFICATES = 13180, diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index a4f4f94c6f..c85f3205ef 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac 
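Review bot: The doc comment for `ssl_extension_psk_key_exchange_modes` describes a parameter named `versions`, but the event is declared with `modes: index_vec`, so readers of the event reference are pointed at a name that does not exist; the line should read `## modes: List of supported Pre-Shared Key Exchange Modes.`. The same comment block lacks the empty `##` line before `## c: The connection.` that the neighbouring events have. In the `ssl_extension_supported_versions` text, "informaion" and "version o use" are typos for "information" and "version to use".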
@@ -189,6 +189,38 @@ refine connection Handshake_Conn += { return true; %} + function proc_supported_versions(rec: HandshakeRecord, versions_list: uint16[]) : bool + %{ + VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType()); + + if ( versions_list ) + { + for ( int i = 0; i < versions_list->size(); ++i ) + versions->Assign(i, new Val((*versions_list)[i], TYPE_COUNT)); + } + + BifEvent::generate_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, versions); + + return true; + %} + + function proc_psk_key_exchange_modes(rec: HandshakeRecord, mode_list: uint8[]) : bool + %{ + VectorVal* modes = new VectorVal(internal_type("index_vec")->AsVectorType()); + + if ( mode_list ) + { + for ( int i = 0; i < mode_list->size(); ++i ) + modes->Assign(i, new Val((*mode_list)[i], TYPE_COUNT)); + } + + BifEvent::generate_ssl_extension_psk_key_exchange_modes(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, modes); + + return true; + %} + function proc_v3_certificate(is_orig: bool, cl : X509Certificate[]) : bool %{ vector* certs = cl; @@ -329,6 +361,14 @@ refine typeattr DhServerKeyExchange += &let { proc : bool = $context.connection.proc_dh_server_key_exchange(rec, dh_p, dh_g, dh_Ys); }; +refine typeattr SupportedVersions += &let { + proc : bool = $context.connection.proc_supported_versions(rec, versions); +}; + +refine typeattr PSKKeyExchangeModes += &let { + proc : bool = $context.connection.proc_psk_key_exchange_modes(rec, modes); +}; + refine typeattr Handshake += &let { proc : bool = $context.connection.proc_handshake(rec.is_orig, rec.msg_type, rec.msg_length); }; diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index da01a27f1d..0f6287ea4a 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac 
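Review bot: Both new loops compare a signed `int i` with `versions_list->size()` and `mode_list->size()`, which are unsigned container sizes; declaring the index as `unsigned int i = 0` avoids the mixed-sign comparison. `proc_supported_versions` and `proc_psk_key_exchange_modes` copy every element into the event vector exactly as the peer sent it, so a short comment above each stating that unknown or reserved code points are passed through unfiltered would tell handler authors that they must cope with values outside the known tables. Both functions sit inside the `refine connection Handshake_Conn` block, which opens before this hunk.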
@@ -486,10 +486,22 @@ type SSLExtension(rec: HandshakeRecord) = record { EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0); EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0); EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0); + EXT_SUPPORTED_VERSIONS -> supported_versions: SupportedVersions(rec)[] &until($element == 0 || $element != 0); + EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0); default -> data: bytestring &restofdata; }; } &length=data_len+4 &exportsourcedata; +type SupportedVersions(rec: HandshakeRecord) = record { + length: uint8; + versions: uint16[] &until($input.length() == 0); +} &length=length+1; + +type PSKKeyExchangeModes(rec: HandshakeRecord) = record { + length: uint8; + modes: uint8[] &until($input.length() == 0); +} &length=length+1; + type ServerNameHostName() = record { length: uint16; host_name: bytestring &length=length; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout index c9434d9ddd..d5ab2cf618 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout 
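Review bot: `SupportedVersions` is selected for every `EXT_SUPPORTED_VERSIONS` extension regardless of `rec.is_orig`, and it always treats the first byte as a list length; the event documentation in this commit describes the extension as client-sent, and the final TLS 1.3 specification has the server answer with a single two-byte version and no length byte, which this record would misread. Consider choosing the layout by `rec.is_orig`, or at least add a comment that only the ClientHello form is parsed. Separately, `length` is taken from the wire and is not compared with the enclosing `data_len`, and an odd `length` leaves one byte that cannot form a `uint16`; a comment saying that such input is expected to end in a parse error (to be confirmed against binpac's bounds handling) would document the intent. `SSLExtension` starts before this hunk.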
@@ -20,3 +20,69 @@ uncompressed ansiX962_compressed_prime ansiX962_compressed_char2 ALPN, 192.168.4.149, 74.125.239.152, [spdy/3.1] +Point formats, 192.168.6.240, 139.162.123.134, T +uncompressed +ansiX962_compressed_prime +ansiX962_compressed_char2 +Curves, 192.168.6.240, 139.162.123.134 +x25519 +secp256r1 +secp521r1 +secp384r1 +signature_algorithm, 192.168.6.240, 139.162.123.134 +sha256, ecdsa +sha384, ecdsa +sha512, ecdsa +unknown-8, unknown-4 +unknown-8, unknown-5 +unknown-8, unknown-6 +sha256, rsa +sha384, rsa +sha512, rsa +sha1, ecdsa +sha1, rsa +sha1, dsa +sha256, dsa +sha384, dsa +sha512, dsa +supported_versions(, 192.168.6.240, 139.162.123.134 +TLSv13-draft19 +TLSv12 +TLSv11 +TLSv10 +psk_key_exchange_modes, 192.168.6.240, 139.162.123.134 +1 +0 +Point formats, 192.168.6.240, 139.162.123.134, T +uncompressed +ansiX962_compressed_prime +ansiX962_compressed_char2 +Curves, 192.168.6.240, 139.162.123.134 +x25519 +secp256r1 +secp521r1 +secp384r1 +signature_algorithm, 192.168.6.240, 139.162.123.134 +sha256, ecdsa +sha384, ecdsa +sha512, ecdsa +unknown-8, unknown-4 +unknown-8, unknown-5 +unknown-8, unknown-6 +sha256, rsa +sha384, rsa +sha512, rsa +sha1, ecdsa +sha1, rsa +sha1, dsa +sha256, dsa +sha384, dsa +sha512, dsa +supported_versions(, 192.168.6.240, 139.162.123.134 +TLSv13-draft19 +TLSv12 +TLSv11 +TLSv10 +psk_key_exchange_modes, 192.168.6.240, 139.162.123.134 +1 +0 diff --git a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test index 261a698833..b8f3d42242 100644 --- a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test +++ b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test @@ -1,4 +1,5 @@ # @TEST-EXEC: bro -C -r $TRACES/tls/chrome-34-google.trace %INPUT +# @TEST-EXEC: bro -C -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT # @TEST-EXEC: btest-diff .stdout event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec) 
@@ -33,3 +34,17 @@ event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_ print SSL::hash_algorithms[signature_algorithms[i]$HashAlgorithm], SSL::signature_algorithms[signature_algorithms[i]$SignatureAlgorithm]; } } + +event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec) + { + print "supported_versions(", c$id$orig_h, c$id$resp_h; + for ( i in versions ) + print SSL::version_strings[versions[i]]; + } + +event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec) + { + print "psk_key_exchange_modes", c$id$orig_h, c$id$resp_h; + for ( i in modes ) + print modes[i]; + } From fcbf54f697f29b359a191cd6d8612bd013485028 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 7 Apr 2017 12:24:29 -0500 Subject: [PATCH 131/631] Fix the test group name in some broker test files Some broker leak tests were being ignored because the test group name was incorrect. --- testing/btest/core/leaks/broker/clone_store.bro | 2 +- testing/btest/core/leaks/broker/remote_event.test | 2 +- testing/btest/core/leaks/broker/remote_log.test | 2 +- testing/btest/core/leaks/broker/remote_print.test | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/testing/btest/core/leaks/broker/clone_store.bro b/testing/btest/core/leaks/broker/clone_store.bro index c3b11a7a0d..4996d05bd2 100644 --- a/testing/btest/core/leaks/broker/clone_store.bro +++ b/testing/btest/core/leaks/broker/clone_store.bro @@ -1,7 +1,7 @@ # @TEST-SERIALIZE: brokercomm # @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# @TEST-GROUP: leak +# @TEST-GROUP: leaks # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run clone "bro -m -b ../clone.bro broker_port=$BROKER_PORT >clone.out" # @TEST-EXEC: btest-bg-run master "bro -b ../master.bro broker_port=$BROKER_PORT >master.out" 
diff --git a/testing/btest/core/leaks/broker/remote_event.test b/testing/btest/core/leaks/broker/remote_event.test index 3f63fcba76..a7f174f7fd 100644 --- a/testing/btest/core/leaks/broker/remote_event.test +++ b/testing/btest/core/leaks/broker/remote_event.test @@ -1,7 +1,7 @@ # @TEST-SERIALIZE: brokercomm # @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# @TEST-GROUP: leak +# @TEST-GROUP: leaks # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro broker_port=$BROKER_PORT >recv.out" # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro broker_port=$BROKER_PORT >send.out" diff --git a/testing/btest/core/leaks/broker/remote_log.test b/testing/btest/core/leaks/broker/remote_log.test index baeab906f1..0093e9db2e 100644 --- a/testing/btest/core/leaks/broker/remote_log.test +++ b/testing/btest/core/leaks/broker/remote_log.test @@ -1,7 +1,7 @@ # @TEST-SERIALIZE: brokercomm # @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# @TEST-GROUP: leak +# @TEST-GROUP: leaks # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../common.bro ../recv.bro broker_port=$BROKER_PORT >recv.out" # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../common.bro ../send.bro broker_port=$BROKER_PORT >send.out" diff --git a/testing/btest/core/leaks/broker/remote_print.test b/testing/btest/core/leaks/broker/remote_print.test index 26e6317034..9ecc913f34 100644 --- a/testing/btest/core/leaks/broker/remote_print.test +++ b/testing/btest/core/leaks/broker/remote_print.test 
@@ -1,7 +1,7 @@ # @TEST-SERIALIZE: brokercomm # @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# @TEST-GROUP: leak +# @TEST-GROUP: leaks # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro broker_port=$BROKER_PORT >recv.out" # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro broker_port=$BROKER_PORT >send.out" From bdc693e72a53345a7089401ffc3eb68b31887196 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 7 Apr 2017 10:26:34 -0700 Subject: [PATCH 132/631] NetControl: small rule_error changes * add rule_error test for acld plugin * add namespace for rule_error calls in OpenFlow --- .../netcontrol/plugins/openflow.bro | 4 +-- .../send.netcontrol.log | 32 +++++++++---------- .../send.send.out | 2 +- .../base/frameworks/netcontrol/acld.bro | 10 +++++- 4 files changed, 28 insertions(+), 20 deletions(-) diff --git a/scripts/base/frameworks/netcontrol/plugins/openflow.bro b/scripts/base/frameworks/netcontrol/plugins/openflow.bro index 07be594b57..c528a1ba3e 100644 --- a/scripts/base/frameworks/netcontrol/plugins/openflow.bro +++ b/scripts/base/frameworks/netcontrol/plugins/openflow.bro @@ -318,7 +318,7 @@ function openflow_add_rule(p: PluginState, r: Rule) : bool ++flow_mod$cookie; } else - event rule_error(r, p, "Error while executing OpenFlow::flow_mod"); + event NetControl::rule_error(r, p, "Error while executing OpenFlow::flow_mod"); } return T; @@ -338,7 +338,7 @@ function openflow_remove_rule(p: PluginState, r: Rule, reason: string) : bool of_messages[r$cid, flow_mod$command] = OfTable($p=p, $r=r); else { - event rule_error(r, p, "Error while executing OpenFlow::flow_mod"); + event NetControl::rule_error(r, p, "Error while executing OpenFlow::flow_mod"); return F; } 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log index 70c1a28ee2..6170cb6ce0 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log +++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log 
@@ -3,23 +3,23 @@ #empty_field (empty) #unset_field - #path netcontrol -#open 2016-03-24-22-04-41 +#open 2017-04-07-17-26-05 #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin #types time string enum string enum string enum string string string string int interval string string 0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Acld-bro/event/netcontroltest 0.000000 - NetControl::MESSAGE - - - - - - - waiting for plugins to initialize - - - - -1458857080.863419 - NetControl::MESSAGE - - - - - - - activation finished - - - Acld-bro/event/netcontroltest -1458857080.863419 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - -1458857080.887618 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - - 0 36000.000000 here Acld-bro/event/netcontroltest -1458857080.887618 3 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - - 0 36000.000000 there Acld-bro/event/netcontroltest -1458857080.887618 4 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 36000.000000 - Acld-bro/event/netcontroltest -1458857080.888169 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - blockhosthost 0 36000.000000 here Acld-bro/event/netcontroltest -1458857080.888169 2 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - - 0 36000.000000 here Acld-bro/event/netcontroltest -1458857080.888169 3 NetControl::RULE ADD NetControl::EXISTS NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - droptcpport 0 36000.000000 there Acld-bro/event/netcontroltest -1458857080.888169 3 NetControl::RULE REMOVE 
NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - - 0 36000.000000 there Acld-bro/event/netcontroltest -1458857080.888169 4 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - drop 0 36000.000000 - Acld-bro/event/netcontroltest -1458857080.888169 4 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 36000.000000 - Acld-bro/event/netcontroltest -1458857080.888169 2 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - restorehosthost 0 36000.000000 here Acld-bro/event/netcontroltest -1458857080.888169 3 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - restoretcpport 0 36000.000000 there Acld-bro/event/netcontroltest -1458857080.888169 4 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - restore 0 36000.000000 - Acld-bro/event/netcontroltest -#close 2016-03-24-22-04-41 +1491585965.002956 - NetControl::MESSAGE - - - - - - - activation finished - - - Acld-bro/event/netcontroltest +1491585965.002956 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - +1491585965.027155 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - - 0 36000.000000 here Acld-bro/event/netcontroltest +1491585965.027155 3 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - - 0 36000.000000 there Acld-bro/event/netcontroltest +1491585965.027155 4 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 36000.000000 - Acld-bro/event/netcontroltest +1491585965.027706 2 
NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - blockhosthost 0 36000.000000 here Acld-bro/event/netcontroltest +1491585965.027706 2 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - - 0 36000.000000 here Acld-bro/event/netcontroltest +1491585965.027706 3 NetControl::RULE ADD NetControl::EXISTS NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - droptcpport 0 36000.000000 there Acld-bro/event/netcontroltest +1491585965.027706 3 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - - 0 36000.000000 there Acld-bro/event/netcontroltest +1491585965.027706 4 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - drop 0 36000.000000 - Acld-bro/event/netcontroltest +1491585965.027706 4 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 36000.000000 - Acld-bro/event/netcontroltest +1491585965.027706 2 NetControl::ERROR - - NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - restorehosthost 0 36000.000000 here Acld-bro/event/netcontroltest +1491585965.027706 3 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - restoretcpport 0 36000.000000 there Acld-bro/event/netcontroltest +1491585965.027706 4 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - restore 0 36000.000000 - Acld-bro/event/netcontroltest +#close 2017-04-07-17-26-05 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out index 0d0ce0fccd..a0a9354726 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out +++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out @@ -2,6 +2,6 @@ Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp rule added, [ty=NetControl::FLOW, conn=, flow=[src_h=192.168.18.50/32, src_p=, dst_h=74.125.239.97/32, dst_p=, src_m=, dst_m=], ip=, mac=], NetControl::DROP rule exists, [ty=NetControl::FLOW, conn=, flow=[src_h=, src_p=, dst_h=, dst_p=443/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP rule added, [ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.18.50/32, mac=], NetControl::DROP -rule removed, [ty=NetControl::FLOW, conn=, flow=[src_h=192.168.18.50/32, src_p=, dst_h=74.125.239.97/32, dst_p=, src_m=, dst_m=], ip=, mac=], NetControl::DROP +rule error, [ty=NetControl::FLOW, conn=, flow=[src_h=192.168.18.50/32, src_p=, dst_h=74.125.239.97/32, dst_p=, src_m=, dst_m=], ip=, mac=], NetControl::DROP rule removed, [ty=NetControl::FLOW, conn=, flow=[src_h=, src_p=, dst_h=, dst_p=443/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP rule removed, [ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.18.50/32, mac=], NetControl::DROP diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro index 364624e90e..e13b1d340e 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro @@ -79,6 +79,11 @@ event NetControl::rule_removed(r: NetControl::Rule, p: NetControl::PluginState, print "rule removed", r$entity, r$ty; } +event NetControl::rule_error(r: NetControl::Rule, p: NetControl::PluginState, msg: string) + { + print "rule error", r$entity, r$ty; + } + @TEST-END-FILE @TEST-START-FILE recv.bro 
@@ -115,7 +120,10 @@ event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetContro { print "remove_rule", id, r$entity, r$ty, ar; - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command)); + if ( r$cid != 2 ) + Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command)); + else + Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_error, id, r, ar$command)); if ( r$cid == 4 ) terminate(); From 7826cbdfb684c8f2c03d5d1cf197be5aec7112c3 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sat, 8 Apr 2017 09:57:45 -0700 Subject: [PATCH 133/631] Fixing couple issues reported by Coverity. --- src/analyzer/protocol/smb/smb-time.pac | 1 + src/input/readers/ascii/Ascii.cc | 2 ++ 2 files changed, 3 insertions(+) diff --git a/src/analyzer/protocol/smb/smb-time.pac b/src/analyzer/protocol/smb/smb-time.pac index 0ad97d20a3..52654c7a2b 100644 --- a/src/analyzer/protocol/smb/smb-time.pac +++ b/src/analyzer/protocol/smb/smb-time.pac @@ -30,6 +30,7 @@ function time_from_lanman(t: SMB_time, d: SMB_date, tz: uint16): Val lTime.tm_mday = ${d.day}; lTime.tm_mon = ${d.month}; lTime.tm_year = 1980 + ${d.year}; + lTime.tm_isdst = -1; double lResult = mktime(&lTime); return new Val(lResult + tz, TYPE_TIME); %} diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc index 3440d9565d..d9120b91ae 100644 --- a/src/input/readers/ascii/Ascii.cc +++ b/src/input/readers/ascii/Ascii.cc @@ -50,6 +50,8 @@ Ascii::Ascii(ReaderFrontend *frontend) : ReaderBackend(frontend) { mtime = 0; suppress_warnings = false; + fail_on_file_problem = false; + fail_on_invalid_lines = false; } Ascii::~Ascii() From a7b1161c124084d79ed87f7168ee332c835f8a3a Mon Sep 17 00:00:00 2001 
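Review bot: `double lResult = mktime(&lTime);` in time_from_lanman (src/analyzer/protocol/smb/smb-time.pac) is used without testing for the -1 that mktime returns when the broken-down time cannot be represented, so a malformed date from the wire becomes the timestamp `-1 + tz`; the added `lTime.tm_isdst = -1;` does not cover that case. The context lines also set `lTime.tm_year = 1980 + ${d.year};` and `lTime.tm_mon = ${d.month};`, whereas `struct tm` counts years from 1900 and months from 0; assuming the SMB fields are a 1980-based year and a 1-based month, they should read `lTime.tm_year = 80 + ${d.year};` and `lTime.tm_mon = ${d.month} - 1;`. The function body starts outside the hunk, so whether `lTime` is zero-initialised first cannot be confirmed from here.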
From: Johanna Amann Date: Mon, 10 Apr 2017 11:37:43 -0700 Subject: [PATCH 134/631] Threading Types: add a bit of documentation to subnet type. This explains how the length field is currently handled when exchanging data in both directions. --- src/threading/SerialTypes.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/threading/SerialTypes.h b/src/threading/SerialTypes.h index e056f6c170..af3f92d416 100644 --- a/src/threading/SerialTypes.h +++ b/src/threading/SerialTypes.h @@ -98,7 +98,7 @@ struct Value { typedef set_t vec_t; struct port_t { bro_uint_t port; TransportProto proto; }; - struct addr_t { + struct addr_t { IPFamily family; union { struct in_addr in4; @@ -106,6 +106,13 @@ struct Value { } in; }; + // A small note for handling subnet values: Subnet values emitted from + // the logging framework will always have a length that is based on the + // internal IPv6 representation (so you have to substract 96 from it to + // get the correct value for IPv4). + // However, the Input framework expects the "normal" length for an IPv4 + // address (so do not add 96 to it), because the underlying constructors + // for the SubNet type want it like this. struct subnet_t { addr_t prefix; uint8_t length; }; /** From 817b9e01a35b8d9aa9a2d81a041b9f2e8ba7a113 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Mon, 10 Apr 2017 15:23:13 -0500 Subject: [PATCH 135/631] Fix some failing tests Increase delay time before launching 2nd process to give bro more of a chance to startup. --- testing/btest/istate/broccoli-ipv6-socket.bro | 2 +- testing/btest/istate/broccoli-ssl.bro | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/testing/btest/istate/broccoli-ipv6-socket.bro b/testing/btest/istate/broccoli-ipv6-socket.bro index be6266fdec..7365999bb0 100644 --- a/testing/btest/istate/broccoli-ipv6-socket.bro +++ b/testing/btest/istate/broccoli-ipv6-socket.bro 
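Review bot: The new comment above `subnet_t` in src/threading/SerialTypes.h says `length` follows two conventions depending on direction, but it does not state the resulting value ranges, so a reader or writer plugin has nothing to validate against. Going by the comment, an IPv4 /24 leaves the logging framework as 120, and a writer that forgets the offset would emit that as the prefix length, which matters when the logs feed block lists or ACL tooling. I would add a line such as `// length: IPv6-based (IPv4 prefixes carry +96) when emitted by logging; plain per-family length when passed to input`, and fix the typo `substract` to `subtract`.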
@@ -4,7 +4,7 @@ # @TEST-REQUIRES: ifconfig | grep -q -E "inet6 ::1|inet6 addr: ::1" # # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ipv6=T" -# @TEST-EXEC: sleep 1 +# @TEST-EXEC: sleep 3 # @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -6 ::1 # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout diff --git a/testing/btest/istate/broccoli-ssl.bro b/testing/btest/istate/broccoli-ssl.bro index dcbea93150..13b17a0b7b 100644 --- a/testing/btest/istate/broccoli-ssl.bro +++ b/testing/btest/istate/broccoli-ssl.bro @@ -4,7 +4,7 @@ # # @TEST-EXEC: chmod 600 broccoli.conf # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ssl=T" "ssl_ca_certificate=../ca_cert.pem" "ssl_private_key=../bro.pem" -# @TEST-EXEC: sleep 1 +# @TEST-EXEC: sleep 5 # @TEST-EXEC: btest-bg-run broccoli BROCCOLI_CONFIG_FILE=../broccoli.conf $BUILD/aux/broccoli/test/broccoli-v6addrs # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout From b3d7d8b1da7721ab69f4a172815201fdc6ebf38b Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 17 Apr 2017 12:09:18 -0400 Subject: [PATCH 136/631] Documentation updates for loading Bro scripts. --- doc/quickstart/index.rst | 82 +++++++++++++++++++++++----------------- 1 file changed, 48 insertions(+), 34 deletions(-) diff --git a/doc/quickstart/index.rst b/doc/quickstart/index.rst index 811fad53e1..d7e0491501 100644 --- a/doc/quickstart/index.rst +++ b/doc/quickstart/index.rst @@ -316,9 +316,8 @@ Analyzing live traffic from an interface is simple: bro -i en0 -``en0`` can be replaced by the interface of your choice and for the list of -scripts, you can just use "all" for now to perform all the default analysis -that's available. +``en0`` can be replaced by the interface of your choice. A selection +of common base scripts will be loaded by default. Bro will output log files into the working directory. 
@@ -326,22 +325,6 @@ Bro will output log files into the working directory. capturing as an unprivileged user and checksum offloading are particularly relevant at this point. -To use the site-specific ``local.bro`` script, just add it to the -command-line: - -.. console:: - - bro -i en0 local - -This will cause Bro to print a warning about lacking the -``Site::local_nets`` variable being configured. You can supply this -information at the command line like this (supply your "local" subnets -in place of the example subnets): - -.. console:: - - bro -r mypackets.trace local "Site::local_nets += { 1.2.3.0/24, 5.6.7.0/24 }" - Reading Packet Capture (pcap) Files ----------------------------------- @@ -373,7 +356,6 @@ script that we include as a suggested configuration: bro -r mypackets.trace local - Telling Bro Which Scripts to Load --------------------------------- 
@@ -381,33 +363,65 @@ A command-line invocation of Bro typically looks like: .. console:: - bro + bro Where the last arguments are the specific policy scripts that this Bro instance will load. These arguments don't have to include the ``.bro`` -file extension, and if the corresponding script resides under the default -installation path, ``$PREFIX/share/bro``, then it requires no path -qualification. Further, a directory of scripts can be specified as -an argument to be loaded as a "package" if it contains a ``__load__.bro`` -script that defines the scripts that are part of the package. +file extension, and if the corresponding script resides in the default +search path, then it requires no path qualification. The following +directories are included in the default search path for Bro scripts:: + + ./ + /share/bro/ + /share/bro/policy/ + /share/bro/site/ -This example does all of the base analysis (primarily protocol -logging) and adds SSL certificate validation. +These prefix paths can be used to load scripts like this: .. console:: - bro -r mypackets.trace protocols/ssl/validate-certs + bro -r mypackets.trace frameworks/files/extract-all + +This will load the +``/share/bro/policy/frameworks/files/extract-all.bro`` script which will +cause Bro to extract all of the files it discovers in the PCAP. + +.. note:: If one wants Bro to be able to load scripts that live outside the + default directories in Bro's installation root, the full path to the file(s) + must be provided. See the default search path by running ``bro --help``. You might notice that a script you load from the command line uses the ``@load`` directive in the Bro language to declare dependence on other scripts. This directive is similar to the ``#include`` of C/C++, except the semantics are, "load this script if it hasn't already been loaded." -.. 
note:: If one wants Bro to be able to load scripts that live outside the - default directories in Bro's installation root, the ``BROPATH`` environment - variable will need to be extended to include all the directories that need - to be searched for scripts. See the default search path by doing - ``bro --help``. +Further, a directory of scripts can be specified as +an argument to be loaded as a "package" if it contains a ``__load__.bro`` +script that defines the scripts that are part of the package. + +Local site customization +------------------------ + +There is one script that is installed which is considered "local site +customization" and is not overwritten when upgrades take place. To use +the site-specific ``local.bro`` script, just add it to the command-line (can +also be loaded through scripts with @load): + +.. console:: + + bro -i en0 local + +This causes Bro to load a script that prints a warning about lacking the +``Site::local_nets`` variable being configured. You can supply this +information at the command line like this (supply your "local" subnets +in place of the example subnets): + +.. console:: + + bro -r mypackets.trace local "Site::local_nets += { 1.2.3.0/24, 5.6.7.0/24 }" + +When running with Broctl, this value is set by configuring the ``networks.cfg`` +file. Running Bro Without Installing ------------------------------ From 15375ba1e371f99c054b1c948546a5f180093604 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 17 Apr 2017 21:46:58 +0200 Subject: [PATCH 137/631] Guard a few more format strings with __attribute__((format)) This will cause compile-time error messages to be raised if someone passes incorrect parameters to these strings. --- src/Reporter.h | 6 +++--- src/input/Manager.h | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Reporter.h b/src/Reporter.h index 19cdbb7e82..85b9a483a2 100644 --- a/src/Reporter.h +++ b/src/Reporter.h 
@@ -66,11 +66,11 @@ public: // Report a runtime error in evaluating a Bro script expression. This // function will not return but raise an InterpreterException. - void ExprRuntimeError(const Expr* expr, const char* fmt, ...); + void ExprRuntimeError(const Expr* expr, const char* fmt, ...) __attribute__((format(printf, 3, 4))); // Report a runtime error in evaluating a Bro script expression. This // function will not return but raise an InterpreterException. - void RuntimeError(const Location* location, const char* fmt, ...); + void RuntimeError(const Location* location, const char* fmt, ...) __attribute__((format(printf, 3, 4))); // Report a traffic weirdness, i.e., an unexpected protocol situation // that may lead to incorrectly processing a connnection. @@ -123,7 +123,7 @@ public: private: void DoLog(const char* prefix, EventHandlerPtr event, FILE* out, Connection* conn, val_list* addl, bool location, bool time, - const char* postfix, const char* fmt, va_list ap); + const char* postfix, const char* fmt, va_list ap) __attribute__((format(printf, 10, 0))); // The order if addl, name needs to be like that since fmt_name can // contain format specifiers diff --git a/src/input/Manager.h b/src/input/Manager.h index e7a1ebe2d6..8296ce9f8b 100644 --- a/src/input/Manager.h +++ b/src/input/Manager.h @@ -240,7 +240,7 @@ private: enum class ErrorType { INFO, WARNING, ERROR }; void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, ...) __attribute__((format(printf, 5, 6))); - void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap); + void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap) __attribute__((format(printf, 5, 0))); Stream* FindStream(const string &name); Stream* FindStream(ReaderFrontend* reader); From 81dbbbd3a2a61f59d849337c5213c708ae8394c6 Mon Sep 17 00:00:00 2001 
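Review bot: The indices in `format(printf, 3, 4)`, `format(printf, 10, 0)` and, in src/input/Manager.h, `format(printf, 5, 0)` look off by one unless the reader knows the implicit `this` counts as argument 1 for member functions. A short comment next to the first use would keep a later edit from "correcting" them, for example `// format() indices are 1-based and count the implicit this pointer`. The attribute only checks calls whose format is a string literal, so a caller that forwards a pre-built or externally influenced string as `fmt` still has to pass it as an argument to `"%s"`.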
From: Johanna Amann Date: Mon, 17 Apr 2017 22:02:39 +0200 Subject: [PATCH 138/631] Update submodule [nomail] --- src/3rdparty | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/3rdparty b/src/3rdparty index 5d03436d9d..1dc8599df2 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 5d03436d9db8a6cbaee1f459d654f977ce722467 +Subproject commit 1dc8599df24112504aac5e1256b478eec5054848 From b307b29f422b45dafc98858dae1940e4976797da Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 21 Apr 2017 14:14:00 -0700 Subject: [PATCH 139/631] Updating CHANGES and VERSION. --- CHANGES | 4 ++++ VERSION | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 05043bbd04..e174fb0f1f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-125 | 2017-04-17 22:02:39 +0200 + + * Documentation updates for loading Bro scripts. (Seth Hall) + 2.5-123 | 2017-04-10 13:30:14 -0700 * Fix some failing tests by increasing delay times. (Daniel Thayer) diff --git a/VERSION b/VERSION index d59af9fdb3..5217718f6a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-123 +2.5-125 From ad4b2d6880d734465c2dc5b27b9efabf3c14f189 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 21 Apr 2017 14:27:16 -0700 Subject: [PATCH 140/631] Updating submodule(s). [nomail] --- CHANGES | 10 ++++++++++ VERSION | 2 +- aux/broctl | 2 +- aux/btest | 2 +- aux/plugins | 2 +- src/3rdparty | 2 +- 6 files changed, 15 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index e174fb0f1f..2731cfc836 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,14 @@ +2.5-131 | 2017-04-21 14:27:16 -0700 + + * Guard more format strings with __attribute__((format)). (Johanna Amann) + + * Add support for two TLS 1.3 extensions. + + New events: + - event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec) + - event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec) (Johanna Amann) + 2.5-125 | 2017-04-17 22:02:39 +0200 * Documentation updates for loading Bro scripts. (Seth Hall) diff --git a/VERSION b/VERSION index 5217718f6a..be40786416 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-125 +2.5-131 diff --git a/aux/broctl b/aux/broctl index cf7ea4e1ad..bedd721378 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit cf7ea4e1ad18920058f32e95bbea3bdd765b6094 +Subproject commit bedd7213784b3f1d2ce10ce73b1a9cf9efdc848a diff --git a/aux/btest b/aux/btest index dceda16935..54b92381c1 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit dceda169351ddd0c7fe7a5ae5496be1d7af2367b +Subproject commit 54b92381c1c133376c2c85eeb53b32b068f51067 diff --git a/aux/plugins b/aux/plugins index c4b5df3aa8..62f32f0236 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit c4b5df3aa8e5c58a2dc5e5040c7da8369894f24d +Subproject commit 62f32f02364bd55d802922b33ce8a9d84b8c39f7 diff --git a/src/3rdparty b/src/3rdparty index 5d03436d9d..1dc8599df2 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 5d03436d9db8a6cbaee1f459d654f977ce722467 +Subproject commit 1dc8599df24112504aac5e1256b478eec5054848 From 2c2c9c90521a7993abf5b4f90ff2d78e18860ba2 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Sat, 22 Apr 2017 08:12:25 -0700 Subject: [PATCH 141/631] Updating submodule(s). [nomail] --- aux/plugins | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/plugins b/aux/plugins index 62f32f0236..5724f8edcc 160000 --- a/aux/plugins +++ b/aux/plugins 
@@ -1 +1 @@ -Subproject commit 62f32f02364bd55d802922b33ce8a9d84b8c39f7 +Subproject commit 5724f8edcc2b323062715dac8eec4affe1f96696 From 333bb71ed15038831ad6eb67edd9f6d02e26f8f0 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 24 Apr 2017 11:57:15 -0700 Subject: [PATCH 142/631] Add rename, unlink, and rmdir bifs. --- src/bro.bif | 86 ++++++++++++++++++- .../Baseline/bifs.directory_operations/out | 10 +++ testing/btest/bifs/directory_operations.bro | 24 ++++++ 3 files changed, 118 insertions(+), 2 deletions(-) create mode 100644 testing/btest/Baseline/bifs.directory_operations/out create mode 100644 testing/btest/bifs/directory_operations.bro diff --git a/src/bro.bif b/src/bro.bif index e168016f5e..24f0919bea 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -4039,6 +4039,7 @@ function set_inactivity_timeout%(cid: conn_id, t: interval%): interval ## ## .. bro:see:: active_file open_for_append close write_file ## get_file_name set_buf flush_all mkdir enable_raw_output +## rmdir unlink rename function open%(f: string%): file %{ const char* file = f->CheckString(); @@ -4058,6 +4059,7 @@ function open%(f: string%): file ## ## .. bro:see:: active_file open close write_file ## get_file_name set_buf flush_all mkdir enable_raw_output +## rmdir unlink rename function open_for_append%(f: string%): file %{ return new Val(new BroFile(f->CheckString(), "a")); @@ -4071,6 +4073,7 @@ function open_for_append%(f: string%): file ## ## .. bro:see:: active_file open open_for_append write_file ## get_file_name set_buf flush_all mkdir enable_raw_output +## rmdir unlink rename function close%(f: file%): bool %{ return new Val(f->Close(), TYPE_BOOL); @@ -4086,6 +4089,7 @@ function close%(f: file%): bool ## ## .. bro:see:: active_file open open_for_append close ## get_file_name set_buf flush_all mkdir enable_raw_output +## rmdir unlink rename function write_file%(f: file, data: string%): bool %{ if ( ! f ) 
@@ -4106,6 +4110,7 @@ function write_file%(f: file, data: string%): bool ## ## .. bro:see:: active_file open open_for_append close ## get_file_name write_file flush_all mkdir enable_raw_output +## rmdir unlink rename function set_buf%(f: file, buffered: bool%): any %{ f->SetBuf(buffered); @@ -4118,6 +4123,7 @@ function set_buf%(f: file, buffered: bool%): any ## ## .. bro:see:: active_file open open_for_append close ## get_file_name write_file set_buf mkdir enable_raw_output +## rmdir unlink rename function flush_all%(%): bool %{ return new Val(fflush(0) == 0, TYPE_BOOL); 
@@ -4132,12 +4138,88 @@ function flush_all%(%): bool ## ## .. bro:see:: active_file open_for_append close write_file ## get_file_name set_buf flush_all enable_raw_output +## rmdir unlink rename function mkdir%(f: string%): bool %{ const char* filename = f->CheckString(); - if ( mkdir(filename, 0777) < 0 && errno != EEXIST ) + if ( mkdir(filename, 0777) < 0 ) { - builtin_error("cannot create directory", @ARG@[0]); + int error = errno; + struct stat filestat; + // check if already exists and is directory. + if ( errno == EEXIST && stat(filename, &filestat) == 0 && S_ISDIR(filestat.st_mode) ) + return new Val(1, TYPE_BOOL); + + builtin_error(fmt("cannot create directory '%s': %s", filename, strerror(error))); + return new Val(0, TYPE_BOOL); + } + else + return new Val(1, TYPE_BOOL); + %} + + +## Removes a directory. +## +## d: The directory name. +## +## Returns: Returns true if the operation succeeds, and false if the +## directory delete operation files. +## +## .. bro:see:: active_file open_for_append close write_file +## get_file_name set_buf flush_all enable_raw_output +## mkdir unlink rename +function rmdir%(d: string%): bool + %{ + const char* dirname = d->CheckString(); + if ( rmdir(dirname) < 0 ) + { + builtin_error(fmt("cannot remove directory '%s': %s", dirname, strerror(errno))); + return new Val(0, TYPE_BOOL); + } + else + return new Val(1, TYPE_BOOL); + %} + +## Removes a file from a directory. +## +## f: the file to delete. +## +## Returns: Returns true if the operation succeeds and the file was deleted, +## and false if the deletion fails. +## +## .. 
bro:see:: active_file open_for_append close write_file +## get_file_name set_buf flush_all enable_raw_output +## mkdir rmdir rename +function unlink%(f: string%): bool + %{ + const char* filename = f->CheckString(); + if ( unlink(filename) < 0 ) + { + builtin_error(fmt("cannot unlink file '%s': %s", filename, strerror(errno))); + return new Val(0, TYPE_BOOL); + } + else + return new Val(1, TYPE_BOOL); + %} + +## Renames a file from src_f to dst_f. +## +## src_f: the name of the file to rename. +## +## dest_f: the name of the file after the rename operation. +## +## Returns: Returns true if the rename succeeds and false otherwise. +## +## .. bro:see:: active_file open_for_append close write_file +## get_file_name set_buf flush_all enable_raw_output +## mkdir rmdir unlink +function rename%(src_f: string, dst_f: string%): bool + %{ + const char* src_filename = src_f->CheckString(); + const char* dst_filename = dst_f->CheckString(); + if ( rename(src_filename, dst_filename) < 0 ) + { + builtin_error(fmt("cannot rename file '%s' to '%s': %s", src_filename, dst_filename, strerror(errno))); return new Val(0, TYPE_BOOL); } else diff --git a/testing/btest/Baseline/bifs.directory_operations/out b/testing/btest/Baseline/bifs.directory_operations/out new file mode 100644 index 0000000000..8465596a92 --- /dev/null +++ b/testing/btest/Baseline/bifs.directory_operations/out @@ -0,0 +1,10 @@ +T +T +T +T +T +T +F +F +F +F diff --git a/testing/btest/bifs/directory_operations.bro b/testing/btest/bifs/directory_operations.bro new file mode 100644 index 0000000000..9db34511b2 --- /dev/null +++ b/testing/btest/bifs/directory_operations.bro 
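Review bot: The doc comments for the new `rmdir`, `unlink` and `rename` BIFs do not say that the path is used exactly as given, with the privileges of the Bro process; a script that builds a path from traffic-derived values (a file name seen on the wire, say) has to normalise it and pin it under a known directory first. I would add to each comment something like `## .. note:: The path is not sanitized; do not pass names derived from network input unchecked.` Two wording fixes in the same comments: `dest_f:` should be `dst_f:` to match the signature, and "directory delete operation files" should read "fails". In `mkdir`, the existence check still tests `errno` after it was saved to `error`; `if ( error == EEXIST && stat(filename, &filestat) == 0 && S_ISDIR(filestat.st_mode) )` keeps the check and the reported message in step.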
@@ -0,0 +1,24 @@ +# +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +event bro_init() + { + # Test succesful operations... + print mkdir("testdir"); + print mkdir("testdir"); + local a = open("testdir/testfile"); + close(a); + print rename("testdir/testfile", "testdir/testfile2"); + print rename("testdir", "testdir2"); + print unlink("testdir2/testfile2"); + print rmdir("testdir2"); + + + print unlink("nonexisting"); + print rename("a", "b"); + print rmdir("nonexisting"); + a = open("testfile"); + close(a); + print mkdir("testfile"); + } From c868a19a282e81f2f9db55c20b1e53d9caca8920 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 24 Apr 2017 13:12:49 -0700 Subject: [PATCH 143/631] Add gzip log writing to the ascii writer. This feature can be enabled globally for all logs by setting LogAscii::gzip_level to a value greater than 0. This feature can be enabled on a per-log basis by setting gzip-level in $confic to a value greater than 0. --- .../base/frameworks/logging/writers/ascii.bro | 7 ++ src/logging/writers/ascii/Ascii.cc | 91 +++++++++++++++++-- src/logging/writers/ascii/Ascii.h | 5 + src/logging/writers/ascii/ascii.bif | 1 + .../ssh-uncompressed.log | 10 ++ .../ssh.log | 10 ++ .../base/frameworks/logging/ascii-gz.bro | 75 +++++++++++++++ 7 files changed, 191 insertions(+), 8 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh-uncompressed.log create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh.log create mode 100644 testing/btest/scripts/base/frameworks/logging/ascii-gz.bro diff --git a/scripts/base/frameworks/logging/writers/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.bro index c10c86145e..c7599f9543 100644 --- a/scripts/base/frameworks/logging/writers/ascii.bro +++ b/scripts/base/frameworks/logging/writers/ascii.bro 
@@ -26,6 +26,13 @@ export { ## This option is also available as a per-filter ``$config`` option. const use_json = F &redef; + ## Define the gzip level to compress the logs. If 0, + ## the no gzip compression is performed. Enabling compression also changes + ## the log file name extension to include ".gz". + ## + ## This option is also available as a per-filter ``$config`` option. + const gzip_level = 0 &redef; + ## Format of timestamps when writing out JSON. By default, the JSON ## formatter will use double values for timestamps which represent the ## number of seconds from the UNIX epoch. diff --git a/src/logging/writers/ascii/Ascii.cc b/src/logging/writers/ascii/Ascii.cc index d6f5daa7e7..908991c8a3 100644 --- a/src/logging/writers/ascii/Ascii.cc +++ b/src/logging/writers/ascii/Ascii.cc @@ -24,6 +24,7 @@ Ascii::Ascii(WriterFrontend* frontend) : WriterBackend(frontend) tsv = false; use_json = false; formatter = 0; + gzip_level = 0; InitConfigOptions(); init_options = InitFilterOptions(); @@ -34,6 +35,7 @@ void Ascii::InitConfigOptions() output_to_stdout = BifConst::LogAscii::output_to_stdout; include_meta = BifConst::LogAscii::include_meta; use_json = BifConst::LogAscii::use_json; + gzip_level = BifConst::LogAscii::gzip_level; separator.assign( (const char*) BifConst::LogAscii::separator->Bytes(), @@ -89,6 +91,15 @@ bool Ascii::InitFilterOptions() } } + else if ( strcmp(i->first, "gzip_level" ) == 0 ) + { + gzip_level = atoi(i->second); + if ( gzip_level < 0 || gzip_level > 9 ) + { + Error("invalid value for 'gzip_level', must be a number between 0 and 9."); + return false; + } + } else if ( strcmp(i->first, "use_json") == 0 ) { if ( strcmp(i->second, "T") == 0 ) @@ -192,7 +203,7 @@ bool Ascii::WriteHeaderField(const string& key, const string& val) { string str = meta_prefix + key + separator + val + "\n"; - return safe_write(fd, str.c_str(), str.length()); + return InternalWrite(fd, str.c_str(), str.length()); } void Ascii::CloseFile(double t) 
@@ -203,7 +214,7 @@ void Ascii::CloseFile(double t) if ( include_meta && ! tsv ) WriteHeaderField("close", Timestamp(0)); - safe_close(fd); + InternalClose(fd); fd = 0; } @@ -219,7 +230,7 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const * if ( output_to_stdout ) path = "/dev/stdout"; - fname = IsSpecial(path) ? path : path + "." + LogExt(); + fname = IsSpecial(path) ? path : path + "." + LogExt() + (( gzip_level > 0 ) ? ".gz" : ""); fd = open(fname.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0666); @@ -231,6 +242,25 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const * return false; } + if ( gzip_level > 0 ) + { + assert(gzip_level < 10); + char mode[4]; + snprintf(mode, 3, "wb%d", gzip_level); + errno = 0; // errno will only be set under certain circumstances by gzdopen. + gzfile = gzdopen(fd, mode); + if ( gzfile == nullptr ) + { + Error(Fmt("cannot gzip %s: %s", fname.c_str(), + Strerror(errno))); + return false; + } + } + else + { + gzfile = 0; + } + if ( ! WriteHeader(path) ) { Error(Fmt("error writing to %s: %s", fname.c_str(), Strerror(errno))); @@ -264,7 +294,7 @@ bool Ascii::WriteHeader(const string& path) { // A single TSV-style line is all we need. string str = names + "\n"; - if ( ! safe_write(fd, str.c_str(), str.length()) ) + if ( ! InternalWrite(fd, str.c_str(), str.length()) ) return false; return true; @@ -275,7 +305,7 @@ bool Ascii::WriteHeader(const string& path) + get_escaped_string(separator, false) + "\n"; - if ( ! safe_write(fd, str.c_str(), str.length()) ) + if ( ! InternalWrite(fd, str.c_str(), str.length()) ) return false; if ( ! (WriteHeaderField("set_separator", get_escaped_string(set_separator, false)) && 
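Review bot: `snprintf(mode, 3, "wb%d", gzip_level);` in Ascii::DoInit limits the output to two characters plus the terminator, so the level digit is cut off and `gzdopen` always receives `"wb"`, ignoring the configured level; it should be `snprintf(mode, sizeof(mode), "wb%d", gzip_level);`. The upper bound is enforced here only by `assert(gzip_level < 10);`, which is compiled out under NDEBUG, and no range check is visible where InitConfigOptions copies the global `BifConst::LogAscii::gzip_level` (the 0-9 check in InitFilterOptions covers the per-filter option only), so an explicit check with `Error(...)` and `return false` belongs here as well. When `gzdopen` fails the function returns with `fd` still open; close it before returning. DoInit begins outside the hunk.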
@@ -337,14 +367,14 @@ bool Ascii::DoWrite(int num_fields, const Field* const * fields, char hex[4] = {'\\', 'x', '0', '0'}; bytetohex(bytes[0], hex + 2); - if ( ! safe_write(fd, hex, 4) ) + if ( ! InternalWrite(fd, hex, 4) ) goto write_error; ++bytes; --len; } - if ( ! safe_write(fd, bytes, len) ) + if ( ! InternalWrite(fd, bytes, len) ) goto write_error; if ( ! IsBuf() ) @@ -368,7 +398,7 @@ bool Ascii::DoRotate(const char* rotated_path, double open, double close, bool t CloseFile(close); - string nname = string(rotated_path) + "." + LogExt(); + string nname = string(rotated_path) + "." + LogExt() + (gzfile ? ".gz" : ""); if ( rename(fname.c_str(), nname.c_str()) != 0 ) { @@ -434,4 +464,49 @@ string Ascii::Timestamp(double t) return tmp; } +bool Ascii::InternalWrite(int fd, const char* data, int len) + { + if ( gzfile ) + { + while ( len > 0 ) + { + int n = gzwrite(gzfile, data, len); + + if ( n < 0 ) + { + if ( n == Z_ERRNO ) + Error(Fmt("Ascii::InternalWrite error: %s\n", Strerror(errno))); + else + Error(Fmt("Ascii::InternalWrite error: %s\n", gzerror(gzfile, &n))); + + return false; + } + + data += n; + len -= n; + } + } + else + return safe_write(fd, data, len); + + return true; + } + +bool Ascii::InternalClose(int fd) + { + if ( gzfile ) + { + if ( gzclose(gzfile) < 0 ) + { + Error(Fmt("Ascii::InternalClose error: %s\n", Strerror(errno))); + return false; + } + } + else + { + safe_close(fd); + } + + return true; + } diff --git a/src/logging/writers/ascii/Ascii.h b/src/logging/writers/ascii/Ascii.h index 8648070111..eabeda4242 100644 --- a/src/logging/writers/ascii/Ascii.h +++ b/src/logging/writers/ascii/Ascii.h @@ -8,6 +8,7 @@ #include "logging/WriterBackend.h" #include "threading/formatters/Ascii.h" #include "threading/formatters/JSON.h" +#include "zlib.h" namespace logging { namespace writer { 
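Review bot: In the new Ascii::InternalWrite, `gzwrite` reports failure by returning 0, so the `n < 0` test never fires and a failed write (a full disk, for instance) leaves `len` unchanged and the `while ( len > 0 )` loop spinning in the writer. The check should be `n <= 0`, with the error code taken from `gzerror` rather than compared against `n`. InternalClose leaves `gzfile` pointing at the closed handle, and DoRotate (hunk `@@ -368,7 +398,7`) tests `gzfile ? ".gz" : ""` after CloseFile has already run; setting `gzfile = nullptr;` after `gzclose` and testing `gzip_level > 0` in DoRotate removes the dependence on a stale pointer. CloseFile also ignores InternalClose's result, so a failed final flush of the compressed stream goes unreported.

```cpp
		int n = gzwrite(gzfile, data, len);

		// gzwrite() signals failure with 0, not a negative value.
		if ( n <= 0 )
			{
			int zerr = Z_OK;
			const char* zmsg = gzerror(gzfile, &zerr);

			if ( zerr == Z_ERRNO )
				Error(Fmt("Ascii::InternalWrite error: %s\n", Strerror(errno)));
			else
				Error(Fmt("Ascii::InternalWrite error: %s\n", zmsg));

			return false;
			}
		// … unchanged: advance data/len, plain safe_write() path …
```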
@@ -42,8 +43,11 @@ private: void InitConfigOptions(); bool InitFilterOptions(); bool InitFormatter(); + bool InternalWrite(int fd, const char* data, int len); + bool InternalClose(int fd); int fd; + gzFile gzfile; string fname; ODesc desc; bool ascii_done; @@ -59,6 +63,7 @@ private: string unset_field; string meta_prefix; + int gzip_level; // level > 0 enables gzip compression bool use_json; string json_timestamps; diff --git a/src/logging/writers/ascii/ascii.bif b/src/logging/writers/ascii/ascii.bif index 2817511152..b12b14f1a0 100644 --- a/src/logging/writers/ascii/ascii.bif +++ b/src/logging/writers/ascii/ascii.bif @@ -12,3 +12,4 @@ const empty_field: string; const unset_field: string; const use_json: bool; const json_timestamps: JSON::TimestampFormat; +const gzip_level: count; diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh-uncompressed.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh-uncompressed.log new file mode 100644 index 0000000000..c6979d60b9 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh-uncompressed.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssh-uncompressed +#open 2017-04-18-16-16-16 +#fields b i e c p sn a d t iv s sc ss se vc ve f +#types bool int enum count port subnet addr double time interval string set[count] set[string] set[string] vector[count] vector[string] func +T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1215620010.543210 100.000000 hurz 2,4,1,3 BB,AA,CC (empty) 10,20,30 (empty) SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +#close 2017-04-18-16-16-16 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh.log new file mode 100644 index 0000000000..22bac43cef --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssh +#open 2017-04-18-16-15-17 +#fields b i e c p sn a d t iv s sc ss se vc ve f +#types bool int enum count port subnet addr double time interval string set[count] set[string] set[string] vector[count] vector[string] func +T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1215620010.543210 100.000000 hurz 2,4,1,3 BB,AA,CC (empty) 10,20,30 (empty) SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +#close 2017-04-18-16-15-17 diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro b/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro new file mode 100644 index 0000000000..9563f42c40 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro 
@@ -0,0 +1,75 @@ +# +# @TEST-EXEC: bro -b %INPUT +# @TEST-EXEC: gunzip ssh.log.gz +# @TEST-EXEC: btest-diff ssh.log +# @TEST-EXEC: btest-diff ssh-uncompressed.log +# +# Testing all possible types. + +redef LogAscii::gzip_level = 9; + +module SSH; + +export { + redef enum Log::ID += { LOG }; + + type Log: record { + b: bool; + i: int; + e: Log::ID; + c: count; + p: port; + sn: subnet; + a: addr; + d: double; + t: time; + iv: interval; + s: string; + sc: set[count]; + ss: set[string]; + se: set[string]; + vc: vector of count; + ve: vector of string; + f: function(i: count) : string; + } &log; +} + +function foo(i : count) : string + { + if ( i > 0 ) + return "Foo"; + else + return "Bar"; + } + +event bro_init() +{ + Log::create_stream(SSH::LOG, [$columns=Log]); + local filter = Log::Filter($name="ssh-uncompressed", $path="ssh-uncompressed", + $config = table(["gzip_level"] = "0")); + Log::add_filter(SSH::LOG, filter); + + local empty_set: set[string]; + local empty_vector: vector of string; + + Log::write(SSH::LOG, [ + $b=T, + $i=-42, + $e=SSH::LOG, + $c=21, + $p=123/tcp, + $sn=10.0.0.1/24, + $a=1.2.3.4, + $d=3.14, + $t=(strptime("%Y-%m-%dT%H:%M:%SZ", "2008-07-09T16:13:30Z") + 0.543210 secs), + $iv=100secs, + $s="hurz", + $sc=set(1,2,3,4), + $ss=set("AA", "BB", "CC"), + $se=empty_set, + $vc=vector(10, 20, 30), + $ve=empty_vector, + $f=foo + ]); +} + From 684ea8aa37288407f53342a8af12c547de35d413 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Mon, 27 Feb 2017 10:01:14 -0800 Subject: [PATCH 144/631] Plugin: Add hooks for log init and writing. The two hooks being added are: void HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields); which is called when a writer is being instantiated and contains information about the fields being logged, as well as bool HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals); which is called for each log line being written by each writer. It contains all the data being written. The data can be changed in the function call and lines can be prevented from being written. This commit also fixes a few small problems with plugin hooks itself, and extends the tests that were already there, besides introducing tests for the added functionality. 
--- src/logging/Manager.cc | 30 +++- src/plugin/Manager.cc | 72 +++++++++- src/plugin/Manager.h | 55 +++++++ src/plugin/Plugin.cc | 62 ++++++++ src/plugin/Plugin.h | 127 ++++++++++++++-- src/threading/Formatter.cc | 6 +- src/threading/Formatter.h | 6 +- testing/btest/Baseline/plugins.hooks/output | 39 ++++- .../Baseline/plugins.logging-hooks/output | 1 + .../Baseline/plugins.logging-hooks/ssh.log | 11 ++ .../btest/plugins/hooks-plugin/src/Plugin.cc | 136 ++++++++++++++++++ .../btest/plugins/hooks-plugin/src/Plugin.h | 23 +-- .../logging-hooks-plugin/.btest-ignore | 0 .../logging-hooks-plugin/src/Plugin.cc | 60 ++++++++ .../plugins/logging-hooks-plugin/src/Plugin.h | 28 ++++ testing/btest/plugins/logging-hooks.bro | 72 ++++++++++ 16 files changed, 689 insertions(+), 39 deletions(-) create mode 100644 testing/btest/Baseline/plugins.logging-hooks/output create mode 100644 testing/btest/Baseline/plugins.logging-hooks/ssh.log create mode 100644 testing/btest/plugins/logging-hooks-plugin/.btest-ignore create mode 100644 testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc create mode 100644 testing/btest/plugins/logging-hooks-plugin/src/Plugin.h create mode 100644 testing/btest/plugins/logging-hooks.bro diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc index 8c720137e8..cb8970049e 100644 --- a/src/logging/Manager.cc +++ b/src/logging/Manager.cc @@ -15,6 +15,8 @@ #include "WriterFrontend.h" #include "WriterBackend.h" #include "logging.bif.h" +#include "../plugin/Plugin.h" +#include "../plugin/Manager.h" #ifdef ENABLE_BROKER #include "broker/Manager.h" @@ -62,6 +64,7 @@ struct Manager::WriterInfo { WriterFrontend* writer; WriterBackend::WriterInfo* info; bool from_remote; + bool hook_initialized; string instantiating_filter; }; 
@@ -840,12 +843,21 @@ bool Manager::Write(EnumVal* id, RecordVal* columns) path = filter->path = filter->path_val->AsString()->CheckString(); } + WriterBackend::WriterInfo* info = 0; WriterFrontend* writer = 0; if ( w != stream->writers.end() ) { // We know this writer already. writer = w->second->writer; + info = w->second->info; + if ( ! w->second->hook_initialized ) + { + auto wi = w->second; + wi->hook_initialized = true; + PLUGIN_HOOK_VOID(HOOK_LOG_INIT, HookLogInit(filter->writer->Type()->AsEnumType()->Lookup(filter->writer->InternalInt()), wi->instantiating_filter, filter->local, filter->remote, *wi->info, filter->num_fields, filter->fields)); + } + } else @@ -874,7 +886,7 @@ bool Manager::Write(EnumVal* id, RecordVal* columns) arg_fields[j] = new threading::Field(*filter->fields[j]); } - WriterBackend::WriterInfo* info = new WriterBackend::WriterInfo; + info = new WriterBackend::WriterInfo; info->path = copy_string(path.c_str()); info->network_time = network_time; @@ -909,6 +921,16 @@ bool Manager::Write(EnumVal* id, RecordVal* columns) threading::Value** vals = RecordToFilterVals(stream, filter, columns); + if ( ! PLUGIN_HOOK_WITH_RESULT(HOOK_LOG_WRITE, HookLogWrite(filter->writer->Type()->AsEnumType()->Lookup(filter->writer->InternalInt()), filter->name, *info, filter->num_fields, filter->fields, vals), true) ) + { + DeleteVals(filter->num_fields, vals); +#ifdef DEBUG + DBG_LOG(DBG_LOGGING, "Hook prevented writing to filter '%s' on stream '%s'", + filter->name.c_str(), stream->name.c_str()); +#endif + return true; + } + // Write takes ownership of vals. assert(writer); writer->Write(filter->num_fields, vals); @@ -1165,6 +1187,7 @@ WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, WriterBacken winfo->postprocessor = 0; winfo->info = info; winfo->from_remote = from_remote; + winfo->hook_initialized = false; winfo->instantiating_filter = instantiating_filter; // Search for a corresponding filter for the writer/path pair and use its 
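Review bot: The writer name passed to HookLogInit is the raw result of `filter->writer->Type()->AsEnumType()->Lookup(filter->writer->InternalInt())`, converted implicitly to the hook's `const std::string&` parameter. If Lookup can return a null pointer for a value it does not know (its definition is not part of this diff), that conversion is undefined behaviour. The same expression is repeated in the HookLogWrite call of the `-909` hunk and, with `writer` in place of `filter->writer`, in CreateWriter in the `-1214` hunk. Resolving the name once per call site and checking it would cover this, e.g. `const char* wn = filter->writer->Type()->AsEnumType()->Lookup(filter->writer->InternalInt());` followed by `const std::string writer_name = wn ? wn : "";`. Manager::Write starts and ends outside this hunk.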
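Review bot: When a plugin vetoes the line, the branch added in the `-909` hunk leaves Manager::Write with `return true`, so the caller cannot tell a suppressed record from a written one. The only trace is a DBG_LOG that is compiled in under `#ifdef DEBUG`. If this code runs inside the loop over the stream's filters, which the hunk does not show, the early return also skips every filter not yet processed, although the debug message speaks of a single filter; `continue;` in place of `return true;` would confine the veto to that filter. For a monitoring deployment it would help to count or report suppressed lines in release builds as well, since a plugin that drops records is otherwise hard to notice. The function body continues outside the hunk.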
@@ -1214,6 +1237,11 @@ WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, WriterBacken #endif winfo->writer->Init(num_fields, fields); + if ( ! from_remote ) + { + winfo->hook_initialized = true; + PLUGIN_HOOK_VOID(HOOK_LOG_INIT, HookLogInit(writer->Type()->AsEnumType()->Lookup(writer->InternalInt()), instantiating_filter, local, remote, *winfo->info, num_fields, fields)); + } InstallRotationTimer(winfo); return winfo->writer; diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index c672614957..d616e23f6a 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -712,7 +712,7 @@ void Manager::HookSetupAnalyzerTree(Connection *conn) const if ( HavePluginForHook(META_HOOK_PRE) ) { - args.push_back(conn); + args.push_back(HookArgument(conn)); MetaHookPre(HOOK_SETUP_ANALYZER_TREE, args); } @@ -739,7 +739,7 @@ void Manager::HookUpdateNetworkTime(double network_time) const if ( HavePluginForHook(META_HOOK_PRE) ) { - args.push_back(network_time); + args.push_back(HookArgument(network_time)); MetaHookPre(HOOK_UPDATE_NETWORK_TIME, args); } @@ -762,7 +762,7 @@ void Manager::HookBroObjDtor(void* obj) const if ( HavePluginForHook(META_HOOK_PRE) ) { - args.push_back(obj); + args.push_back(HookArgument(obj)); MetaHookPre(HOOK_BRO_OBJ_DTOR, args); } 
@@ -779,6 +779,72 @@ void Manager::HookBroObjDtor(void* obj) const MetaHookPost(HOOK_BRO_OBJ_DTOR, args, HookArgument()); } +void Manager::HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) const + { + HookArgumentList args; + + if ( HavePluginForHook(META_HOOK_PRE) ) + { + args.push_back(HookArgument(writer)); + args.push_back(HookArgument(instantiating_filter)); + args.push_back(HookArgument(local)); + args.push_back(HookArgument(remote)); + args.push_back(HookArgument(&info)); + args.push_back(HookArgument(num_fields)); + args.push_back(HookArgument(std::make_pair(num_fields, fields))); + MetaHookPre(HOOK_LOG_INIT, args); + } + + hook_list* l = hooks[HOOK_LOG_INIT]; + + if ( l ) + for ( hook_list::iterator i = l->begin(); i != l->end(); ++i ) + { + Plugin* p = (*i).second; + p->HookLogInit(writer, instantiating_filter, local, remote, info, num_fields, fields); + } + + if ( HavePluginForHook(META_HOOK_POST) ) + MetaHookPost(HOOK_LOG_INIT, args, HookArgument()); + } + +bool Manager::HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) const + { + HookArgumentList args; + + if ( HavePluginForHook(META_HOOK_PRE) ) + { + args.push_back(HookArgument(writer)); + args.push_back(HookArgument(filter)); + args.push_back(HookArgument(&info)); + args.push_back(HookArgument(num_fields)); + args.push_back(HookArgument(std::make_pair(num_fields, fields))); + args.push_back(HookArgument(vals)); + MetaHookPre(HOOK_LOG_WRITE, args); + } + + hook_list* l = hooks[HOOK_LOG_WRITE]; + + bool result = true; + + if ( l ) + for ( hook_list::iterator i = l->begin(); i != l->end(); ++i ) + { + Plugin* p = (*i).second; + + if ( ! 
p->HookLogWrite(writer, filter, info, num_fields, fields, vals) ) + { + result = false; + break; + } + } + + if ( HavePluginForHook(META_HOOK_POST) ) + MetaHookPost(HOOK_LOG_WRITE, args, HookArgument(result)); + + return result; + } + void Manager::MetaHookPre(HookType hook, const HookArgumentList& args) const { hook_list* l = hooks[HOOK_CALL_FUNCTION]; diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h index 2a394b39ee..f2bf5302bb 100644 --- a/src/plugin/Manager.h +++ b/src/plugin/Manager.h 
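Review bot: In both new methods `args` is filled only inside the `HavePluginForHook(META_HOOK_PRE)` branch, yet the same list is passed to `MetaHookPost`. A plugin that enables only META_HOOK_POST therefore receives an empty argument list for HOOK_LOG_INIT and HOOK_LOG_WRITE. This follows the pattern of the neighbouring hooks shown as context, but it is worth fixing here by building the list under `if ( HavePluginForHook(META_HOOK_PRE) || HavePluginForHook(META_HOOK_POST) )` and keeping the `MetaHookPre` call under its own check. In HookLogWrite the values are passed as `HookArgument(vals)`; with the constructors visible in Plugin.h this presumably selects the `void*` overload, so meta hooks see an opaque pointer rather than the values, which deserves a one-line comment at the call.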
@@ -291,6 +291,61 @@ public: */ void HookBroObjDtor(void* obj) const; + /** + * Hook into log initialization. This method will be called when a + * logging writer is created. A writer represents a single logging + * filter. The method is called in the main thread, on the node that + * causes a log line to be written. It will _not_ be called on the logger + * node. The function will be called each for every instantiated writer. + * + * @param writer The name of the writer being insantiated. + * + * @param instantiating_filter Name of the filter causing the + * writer instantiation. + * + * @param local True if the filter is logging locally (writer + * thread will be located in same process). + * + * @param remote True if filter is logging remotely (writer thread + * will be located in different thread, typically + * in manager or logger node). + * + * @param info WriterBackend::WriterInfo with information about the writer. + * + * @param num_fields number of fields in the record being written. + * + * @param fields threading::Field description of the fields being logged. + */ + void HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) const; + + /** + * Hook into log writing. This method will be called for each log line + * being written by each writer. Each writer represents a single logging + * filter. The method is called in the main thread, on the node that + * causes a log line to be written. It will _not_ be called on the logger + * node. The function will be called each for every instantiated writer. + * This function allows plugins to modify or skip logging of information. + * Note - once a log line is skipped (by returning false), it will not passed + * on to hooks that have not yet been called. + * + * @param writer The name of the writer. + * + * @param filter Name of the filter being written to. 
+ * + * @param info WriterBackend::WriterInfo with information about the writer. + * + * @param num_fields number of fields in the record being written. + * + * @param fields threading::Field description of the fields being logged. + * + * @param vals threading::Values containing the values being written. Values + * can be modified in the Hook. + * + * @return true if log line should be written, false if log line should be + * skipped and not passed on to the writer. + */ + bool HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) const; + /** * Internal method that registers a freshly instantiated plugin with * the manager. diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index b0eb19a628..75658f13de 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -10,6 +10,8 @@ #include "../Desc.h" #include "../Event.h" +#include "../Conn.h" +#include "threading/SerialTypes.h" using namespace plugin; @@ -24,6 +26,8 @@ const char* plugin::hook_name(HookType h) "UpdateNetworkTime", "BroObjDtor", "SetupAnalyzerTree", + "LogInit", + "LogWrite", // MetaHooks "MetaHookPre", "MetaHookPost", @@ -84,6 +88,11 @@ void HookArgument::Describe(ODesc* d) const d->Add(""); break; + case CONN: + if ( arg.conn ) + arg.conn->Describe(d); + break; + case FUNC_RESULT: if ( func_result.first ) { 
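Review bot: The description of `vals` says the values can be modified in the hook but gives no contract for doing so. The caller in logging/Manager.cc either frees the array with `DeleteVals(filter->num_fields, vals)` or hands it to the writer, so the comment should say that a hook must leave `num_fields` entries whose types still match `fields` and must not free the array itself. The block also has wording slips to fix while here: "insantiated", "will be called each for every instantiated writer", "it will not passed on", and the `remote` text says the writer thread is "in different thread" where a different process seems to be meant. The same comment block is duplicated for the virtual methods in Plugin.h (the `-663` hunk) and needs the same changes.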
@@ -145,6 +154,50 @@ void HookArgument::Describe(ODesc* d) const case VOIDP: d->Add(""); break; + + case WRITER_INFO: + d->Add(arg.winfo->path); + d->Add("("); + d->Add(arg.winfo->network_time); + d->Add(","); + d->Add(arg.winfo->rotation_interval); + d->Add(","); + d->Add(arg.winfo->rotation_base); + if ( arg.winfo->config.size() > 0 ) + { + bool first = true; + d->Add("config: {"); + for ( auto& v: arg.winfo->config ) + { + if ( ! first ) + d->Add(", "); + + d->Add(v.first); + d->Add(": "); + d->Add(v.second); + first = false; + } + d->Add("}"); + } + d->Add(")"); + break; + + case THREAD_FIELDS: + d->Add("{"); + for ( int i=0; i < tfields.first; i++ ) + { + const threading::Field* f = tfields.second[i]; + + if ( i > 0 ) + d->Add(", "); + + d->Add(f->name); + d->Add(" ("); + d->Add(f->TypeName()); + d->Add(")"); + } + d->Add("}"); + break; } } @@ -319,6 +372,15 @@ void Plugin::HookBroObjDtor(void* obj) { } +void Plugin::HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) + { + } + +bool Plugin::HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) + { + return true; + } + void Plugin::MetaHookPre(HookType hook, const HookArgumentList& args) { } diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 49fa7cdd84..e3e8764884 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h 
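Review bot: In the WRITER_INFO case nothing is written between `rotation_base` and the config block, so a writer with a non-empty config is described with the two run together, as in `...,<rotation_base>config: {...})`. `d->Add(", config: {");` would keep the output readable; the baselines in this patch only show the empty-config form. The case also dereferences `arg.winfo` unconditionally, while the CONN case added in the `-84` hunk checks `arg.conn` first; an `if ( ! arg.winfo ) break;` guard at the top would make the two consistent. The THREAD_FIELDS loop likewise assumes every `tfields.second[i]` is non-null. HookArgument::Describe starts and ends outside this hunk.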
@@ -11,16 +11,21 @@ #include "analyzer/Component.h" #include "file_analysis/Component.h" #include "iosource/Component.h" +#include "logging/WriterBackend.h" // We allow to override this externally for testing purposes. #ifndef BRO_PLUGIN_API_VERSION -#define BRO_PLUGIN_API_VERSION 4 +#define BRO_PLUGIN_API_VERSION 5 #endif class ODesc; class Func; class Event; +namespace threading { +struct Field; +} + namespace plugin { class Manager; @@ -39,7 +44,9 @@ enum HookType { HOOK_DRAIN_EVENTS, //< Activates Plugin::HookDrainEvents() HOOK_UPDATE_NETWORK_TIME, //< Activates Plugin::HookUpdateNetworkTime. HOOK_BRO_OBJ_DTOR, //< Activates Plugin::HookBroObjDtor. - HOOK_SETUP_ANALYZER_TREE, //< Activates Plugin::HookSetupAnalyzerTree + HOOK_SETUP_ANALYZER_TREE, //< Activates Plugin::HookAddToAnalyzerTree + HOOK_LOG_INIT, //< Activates Plugin::HookLogInit + HOOK_LOG_WRITE, //< Activates Plugin::HookLogWrite // Meta hooks. META_HOOK_PRE, //< Activates Plugin::MetaHookPre(). @@ -158,7 +165,8 @@ public: * Type of the argument. */ enum Type { - BOOL, DOUBLE, EVENT, FRAME, FUNC, FUNC_RESULT, INT, STRING, VAL, VAL_LIST, VOID, VOIDP + BOOL, DOUBLE, EVENT, FRAME, FUNC, FUNC_RESULT, INT, STRING, VAL, VAL_LIST, VOID, VOIDP, + WRITER_INFO, CONN, THREAD_FIELDS }; /** 
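Review bot: The comment on HOOK_SETUP_ANALYZER_TREE in the `-39` hunk is changed to `//< Activates Plugin::HookAddToAnalyzerTree`, but the rest of the patch calls this hook SetupAnalyzerTree (`Manager::HookSetupAnalyzerTree` in plugin/Manager.cc, `"SetupAnalyzerTree"` in hook_name). The new name looks wrong unless Plugin declares a method by that name outside the hunk; I would keep `//< Activates Plugin::HookSetupAnalyzerTree`. Inserting HOOK_LOG_INIT and HOOK_LOG_WRITE before the meta hooks also renumbers META_HOOK_PRE and META_HOOK_POST. The bump of BRO_PLUGIN_API_VERSION to 5 in the `-11` hunk covers that, and a short comment above the enum saying that adding a hook requires a version bump would document the dependency.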
@@ -169,57 +177,72 @@ public: /** * Constructor with a boolean argument. */ - HookArgument(bool a) { type = BOOL; arg.bool_ = a; } + explicit HookArgument(bool a) { type = BOOL; arg.bool_ = a; } /** * Constructor with a double argument. */ - HookArgument(double a) { type = DOUBLE; arg.double_ = a; } + explicit HookArgument(double a) { type = DOUBLE; arg.double_ = a; } /** * Constructor with an event argument. */ - HookArgument(const Event* a) { type = EVENT; arg.event = a; } + explicit HookArgument(const Event* a) { type = EVENT; arg.event = a; } + + /** + * Constructor with an connection argument. + */ + explicit HookArgument(const Connection* c) { type = CONN; arg.conn = c; } /** * Constructor with a function argument. */ - HookArgument(const Func* a) { type = FUNC; arg.func = a; } + explicit HookArgument(const Func* a) { type = FUNC; arg.func = a; } /** * Constructor with an integer argument. */ - HookArgument(int a) { type = INT; arg.int_ = a; } + explicit HookArgument(int a) { type = INT; arg.int_ = a; } /** * Constructor with a string argument. */ - HookArgument(const std::string& a) { type = STRING; arg_string = a; } + explicit HookArgument(const std::string& a) { type = STRING; arg_string = a; } /** * Constructor with a Bro value argument. */ - HookArgument(const Val* a) { type = VAL; arg.val = a; } + explicit HookArgument(const Val* a) { type = VAL; arg.val = a; } /** * Constructor with a list of Bro values argument. */ - HookArgument(const val_list* a) { type = VAL_LIST; arg.vals = a; } + explicit HookArgument(const val_list* a) { type = VAL_LIST; arg.vals = a; } /** * Constructor with a void pointer argument. */ - HookArgument(void* p) { type = VOIDP; arg.voidp = p; } + explicit HookArgument(void* p) { type = VOIDP; arg.voidp = p; } /** * Constructor with a function result argument. 
*/ - HookArgument(std::pair fresult) { type = FUNC_RESULT; func_result = fresult; } + explicit HookArgument(std::pair fresult) { type = FUNC_RESULT; func_result = fresult; } /** * Constructor with a Frame argument. */ - HookArgument(Frame* f) { type = FRAME; arg.frame = f; } + explicit HookArgument(Frame* f) { type = FRAME; arg.frame = f; } + + /** + * Constructor with a WriterInfo argument. + */ + explicit HookArgument(const logging::WriterBackend::WriterInfo* i) { type = WRITER_INFO; arg.winfo = i; } + + /** + * Constructor with a threading field argument. + */ + explicit HookArgument(const std::pair fpair) { type = THREAD_FIELDS; tfields = fpair; } /** * Returns the value for a boolen argument. The argument's type must @@ -239,6 +262,12 @@ public: */ const Event* AsEvent() const { assert(type == EVENT); return arg.event; } + /** + * Returns the value for an connection argument. The argument's type must + * match accordingly. + */ + const Connection* AsConnection() const { assert(type == CONN); return arg.conn; } + /** * Returns the value for a function argument. The argument's type must * match accordingly. @@ -275,6 +304,18 @@ public: */ const Frame* AsFrame() const { assert(type == FRAME); return arg.frame; } + /** + * Returns the value for a logging WriterInfo argument. The argument's type must + * match accordingly. + */ + const logging::WriterBackend::WriterInfo* AsWriterInfo() const { assert(type == WRITER_INFO); return arg.winfo; } + + /** + * Returns the value for a threading fields argument. The argument's type must + * match accordingly. + */ + const std::pair AsThreadFields() const { assert(type == THREAD_FIELDS); return tfields; } + /** * Returns the value for a list of Bro values argument. The argument's type must * match accordingly. 
@@ -305,16 +346,19 @@ private: bool bool_; double double_; const Event* event; + const Connection* conn; const Func* func; const Frame* frame; int int_; const Val* val; const val_list* vals; const void* voidp; + const logging::WriterBackend::WriterInfo* winfo; } arg; // Outside union because these have dtors. std::pair func_result; + std::pair tfields; std::string arg_string; }; 
@@ -663,6 +707,61 @@ protected: */ virtual void HookBroObjDtor(void* obj); + /** + * Hook into log initialization. This method will be called when a + * logging writer is created. A writer represents a single logging + * filter. The method is called in the main thread, on the node that + * causes a log line to be written. It will _not_ be called on the logger + * node. The function will be called each for every instantiated writer. + * + * @param writer The name of the writer being insantiated. + * + * @param instantiating_filter Name of the filter causing the + * writer instantiation. + * + * @param local True if the filter is logging locally (writer + * thread will be located in same process). + * + * @param remote True if filter is logging remotely (writer thread + * will be located in different thread, typically + * in manager or logger node). + * + * @param info WriterBackend::WriterInfo with information about the writer. + * + * @param num_fields number of fields in the record being written. + * + * @param fields threading::Field description of the fields being logged. + */ + virtual void HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields); + + /** + * Hook into log writing. This method will be called for each log line + * being written by each writer. Each writer represents a single logging + * filter. The method is called in the main thread, on the node that + * causes a log line to be written. It will _not_ be called on the logger + * node. The function will be called each for every instantiated writer. + * This function allows plugins to modify or skip logging of information. + * Note - once a log line is skipped (by returning false), it will not passed + * on to hooks that have not yet been called. + * + * @param writer The name of the writer. + * + * @param filter Name of the filter being written to. 
+ * + * @param info WriterBackend::WriterInfo with information about the writer. + * + * @param num_fields number of fields in the record being written. + * + * @param fields threading::Field description of the fields being logged. + * + * @param vals threading::Values containing the values being written. Values + * can be modified in the Hook. + * + * @return true if log line should be written, false if log line should be + * skipped and not passed on to the writer. + */ + virtual bool HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals); + // Meta hooks. /** diff --git a/src/threading/Formatter.cc b/src/threading/Formatter.cc index 3f366de90a..b881962732 100644 --- a/src/threading/Formatter.cc +++ b/src/threading/Formatter.cc @@ -22,7 +22,7 @@ Formatter::~Formatter() { } -string Formatter::Render(const threading::Value::addr_t& addr) const +string Formatter::Render(const threading::Value::addr_t& addr) { if ( addr.family == IPv4 ) { @@ -90,7 +90,7 @@ threading::Value::addr_t Formatter::ParseAddr(const string &s) const return val; } -string Formatter::Render(const threading::Value::subnet_t& subnet) const +string Formatter::Render(const threading::Value::subnet_t& subnet) { char l[16]; @@ -104,7 +104,7 @@ string Formatter::Render(const threading::Value::subnet_t& subnet) const return s; } -string Formatter::Render(double d) const +string Formatter::Render(double d) { char buf[256]; modp_dtoa(d, buf, 6); diff --git a/src/threading/Formatter.h b/src/threading/Formatter.h index c8337959bf..c564f3c945 100644 --- a/src/threading/Formatter.h +++ b/src/threading/Formatter.h @@ -87,7 +87,7 @@ public: * * @return An ASCII representation of the address. */ - string Render(const threading::Value::addr_t& addr) const; + static string Render(const threading::Value::addr_t& addr); /** * Convert an subnet value into a string. 
@@ -98,7 +98,7 @@ public: * * @return An ASCII representation of the subnet. */ - string Render(const threading::Value::subnet_t& subnet) const; + static string Render(const threading::Value::subnet_t& subnet); /** * Convert a double into a string. This renders the double with Bro's @@ -110,7 +110,7 @@ public: * * @return An ASCII representation of the double. */ - string Render(double d) const; + static string Render(double d); /** * Convert a string into a TransportProto. The string must be one of diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 420d20ae12..fcf29f2b04 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -247,7 +247,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> 
@@ -377,7 +377,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -712,6 +712,8 @@ 0.000000 MetaHookPost LoadFile(base<...>/weird) -> -1 0.000000 MetaHookPost LoadFile(base<...>/x509) -> -1 0.000000 MetaHookPost LoadFile(base<...>/xmpp) -> -1 +0.000000 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) -> +0.000000 MetaHookPost LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) -> true 0.000000 MetaHookPost QueueEvent(NetControl::init()) -> false 0.000000 MetaHookPost QueueEvent(bro_init()) -> false 0.000000 MetaHookPost QueueEvent(filter_change_tracking()) -> false 
@@ -964,7 +966,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) @@ -1094,7 +1096,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1429,6 +1431,8 @@ 0.000000 MetaHookPre LoadFile(base<...>/weird) 0.000000 MetaHookPre LoadFile(base<...>/x509) 0.000000 MetaHookPre LoadFile(base<...>/xmpp) +0.000000 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) +0.000000 MetaHookPre LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) 0.000000 MetaHookPre QueueEvent(NetControl::init()) 0.000000 MetaHookPre QueueEvent(bro_init()) 0.000000 MetaHookPre QueueEvent(filter_change_tracking()) @@ -1680,7 +1684,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 
@@ -1810,7 +1814,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -1851,6 +1855,8 @@ 0.000000 | HookLoadFile <...>/bro 0.000000 | HookLoadFile base<...>/bif 0.000000 | HookLoadFile base<...>/bro +0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} +0.000000 | HookLogWrite packet_filter [ts=1493067689.952434, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() 
@@ -1865,6 +1871,7 @@ 1362692526.869344 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false 1362692526.869344 MetaHookPost QueueEvent(filter_change_tracking()) -> false 1362692526.869344 MetaHookPost QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false +1362692526.869344 MetaHookPost SetupAnalyzerTree(1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80) -> 1362692526.869344 MetaHookPost UpdateNetworkTime(1362692526.869344) -> 1362692526.869344 MetaHookPre BroObjDtor() 1362692526.869344 MetaHookPre CallFunction(ChecksumOffloading::check, , ()) 
@@ -1877,6 +1884,7 @@ 1362692526.869344 MetaHookPre QueueEvent(ChecksumOffloading::check()) 1362692526.869344 MetaHookPre QueueEvent(filter_change_tracking()) 1362692526.869344 MetaHookPre QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.869344 MetaHookPre SetupAnalyzerTree(1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80) 1362692526.869344 MetaHookPre UpdateNetworkTime(1362692526.869344) 1362692526.869344 | HookBroObjDtor 1362692526.869344 | HookUpdateNetworkTime 1362692526.869344 
@@ -1890,6 +1898,7 @@ 1362692526.869344 | HookQueueEvent ChecksumOffloading::check() 1362692526.869344 | HookQueueEvent filter_change_tracking() 1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692526.869344 | HookSetupAnalyzerTree 1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80 1362692526.869344 | RequestObjDtor ChecksumOffloading::check() 1362692526.939084 MetaHookPost CallFunction(NetControl::catch_release_seen, , (141.142.228.5)) -> 1362692526.939084 MetaHookPost CallFunction(addr_to_subnet, , (141.142.228.5)) -> 
@@ -2204,6 +2213,10 @@ 1362692527.009775 MetaHookPost CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692527.009775 MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.009775 MetaHookPost DrainEvents() -> +1362692527.009775 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}) -> +1362692527.009775 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}) -> +1362692527.009775 MetaHookPost LogWrite(Log::WRITER_ASCII, default, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration 
(interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}, ) -> true +1362692527.009775 MetaHookPost LogWrite(Log::WRITER_ASCII, default, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, ) -> true 1362692527.009775 MetaHookPost QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> false 1362692527.009775 MetaHookPost QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> false 1362692527.009775 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 
@@ -2229,6 +2242,10 @@ 1362692527.009775 MetaHookPre CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692527.009775 MetaHookPre CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.009775 MetaHookPre DrainEvents() +1362692527.009775 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}) +1362692527.009775 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}) +1362692527.009775 MetaHookPre LogWrite(Log::WRITER_ASCII, default, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), 
local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}, ) +1362692527.009775 MetaHookPre LogWrite(Log::WRITER_ASCII, default, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, ) 1362692527.009775 MetaHookPre QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) 1362692527.009775 MetaHookPre QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 
@@ -2255,6 +2272,10 @@ 1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) 1362692527.009775 | HookDrainEvents +1362692527.009775 | HookLogInit files 1/1 {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)} +1362692527.009775 | HookLogInit http 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])} +1362692527.009775 | HookLogWrite files [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts=192.150.187.43, rx_hosts=141.142.228.5, conn_uids=CHhAvVGS1DHFjwGM9, source=HTTP, depth=0, analyzers=, mime_type=text/plain, filename=, duration=0.000263, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, extracted=, extracted_cutoff=, extracted_size=] +1362692527.009775 | HookLogWrite http [ts=1362692526.939527, 
uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, trans_depth=1, method=GET, host=bro.org, uri=<...>/plain] 1362692527.009775 | HookQueueEvent file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]) 1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 
@@ -2309,6 +2330,8 @@ 1362692527.080972 MetaHookPost CallFunction(sub_bytes, , (HTTP, 0, 1)) -> 1362692527.080972 MetaHookPost CallFunction(to_lower, , (HTTP)) -> 1362692527.080972 MetaHookPost DrainEvents() -> +1362692527.080972 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}) -> +1362692527.080972 MetaHookPost LogWrite(Log::WRITER_ASCII, default, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, ) -> true 1362692527.080972 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false 1362692527.080972 MetaHookPost QueueEvent(bro_done()) -> false 1362692527.080972 MetaHookPost QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false 
@@ -2340,6 +2363,8 @@ 1362692527.080972 MetaHookPre CallFunction(sub_bytes, , (HTTP, 0, 1)) 1362692527.080972 MetaHookPre CallFunction(to_lower, , (HTTP)) 1362692527.080972 MetaHookPre DrainEvents() +1362692527.080972 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}) +1362692527.080972 MetaHookPre LogWrite(Log::WRITER_ASCII, default, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, ) 1362692527.080972 MetaHookPre QueueEvent(ChecksumOffloading::check()) 1362692527.080972 MetaHookPre QueueEvent(bro_done()) 1362692527.080972 MetaHookPre QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 
@@ -2372,6 +2397,8 @@ 1362692527.080972 | HookCallFunction sub_bytes(HTTP, 0, 1) 1362692527.080972 | HookCallFunction to_lower(HTTP) 1362692527.080972 | HookDrainEvents +1362692527.080972 | HookLogInit conn 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])} +1362692527.080972 | HookLogWrite conn [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=] 1362692527.080972 | HookQueueEvent ChecksumOffloading::check() 1362692527.080972 | HookQueueEvent bro_done() 1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) diff --git a/testing/btest/Baseline/plugins.logging-hooks/output b/testing/btest/Baseline/plugins.logging-hooks/output new file mode 100644 index 0000000000..54330845bc --- /dev/null +++ b/testing/btest/Baseline/plugins.logging-hooks/output 
@@ -0,0 +1 @@ +1488216470.960453 | HookLogInit ssh 1/1 {b (bool), i (int), e (enum), c (count), p (port), sn (subnet), a (addr), d (double), t (time), iv (interval), s (string), sc (set[count]), ss (set[string]), se (set[string]), vc (vector[count]), ve (vector[string]), f (func)} diff --git a/testing/btest/Baseline/plugins.logging-hooks/ssh.log b/testing/btest/Baseline/plugins.logging-hooks/ssh.log new file mode 100644 index 0000000000..4b62eb8aca --- /dev/null +++ b/testing/btest/Baseline/plugins.logging-hooks/ssh.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field EMPTY +#unset_field - +#path ssh +#open 2017-02-27-17-27-50 +#fields b i e c p sn a d t iv s sc ss se vc ve f +#types bool int enum count port subnet addr double time interval string set[count] set[string] set[string] vector[count] vector[string] func +F -2 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1488216470.960453 100.000000 hurz 2,4,1,3 BB,AA,CC EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +T - SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1488216470.960453 100.000000 hurz 2,4,1,3 BB,AA,CC EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +#close 2017-02-27-17-27-50 diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.cc b/testing/btest/plugins/hooks-plugin/src/Plugin.cc index 407ad1c242..d636e12b7c 100644 --- a/testing/btest/plugins/hooks-plugin/src/Plugin.cc +++ b/testing/btest/plugins/hooks-plugin/src/Plugin.cc @@ -3,6 +3,8 @@ #include #include +#include +#include namespace plugin { namespace Demo_Hooks { Plugin plugin; } } @@ -18,6 +20,9 @@ plugin::Configuration Plugin::Configure() EnableHook(META_HOOK_PRE); EnableHook(META_HOOK_POST); EnableHook(HOOK_BRO_OBJ_DTOR); + EnableHook(HOOK_SETUP_ANALYZER_TREE); + EnableHook(HOOK_LOG_INIT); + EnableHook(HOOK_LOG_WRITE); plugin::Configuration config; config.name = "Demo::Hooks"; 
@@ -121,3 +126,134 @@ void Plugin::MetaHookPost(HookType hook, const HookArgumentList& args, HookArgum hook_name(hook), d1.Description(), d2.Description()); } + +void Plugin::HookSetupAnalyzerTree(Connection *conn) + { + ODesc d; + d.SetShort(); + conn->Describe(&d); + + fprintf(stderr, "%.6f %-15s %s\n", network_time, "| HookSetupAnalyzerTree", d.Description()); + } + +void Plugin::HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) + { + ODesc d; + + d.Add("{"); + for ( int i=0; i < num_fields; i++ ) + { + const threading::Field* f = fields[i]; + + if ( i > 0 ) + d.Add(", "); + + d.Add(f->name); + d.Add(" ("); + d.Add(f->TypeName()); + d.Add(")"); + } + d.Add("}"); + + fprintf(stderr, "%.6f %-15s %s %d/%d %s\n", network_time, "| HookLogInit", info.path, local, remote, d.Description()); + } + +void Plugin::RenderVal(const threading::Value* val, ODesc &d) const + { + if ( ! val->present ) + { + d.Add(""); + return; + } + + switch ( val->type ) { + + case TYPE_BOOL: + d.Add(val->val.int_val ? 
"T" : "F"); + break; + + case TYPE_INT: + d.Add(val->val.int_val); + break; + + case TYPE_COUNT: + case TYPE_COUNTER: + d.Add(val->val.uint_val); + break; + + case TYPE_PORT: + d.Add(val->val.port_val.port); + break; + + case TYPE_SUBNET: + d.Add(threading::formatter::Formatter::Render(val->val.subnet_val)); + break; + + case TYPE_ADDR: + d.Add(threading::formatter::Formatter::Render(val->val.addr_val)); + break; + + case TYPE_DOUBLE: + d.Add(val->val.double_val, true); + break; + + case TYPE_INTERVAL: + case TYPE_TIME: + d.Add(threading::formatter::Formatter::Render(val->val.double_val)); + break; + + case TYPE_ENUM: + case TYPE_STRING: + case TYPE_FILE: + case TYPE_FUNC: + d.AddN(val->val.string_val.data, val->val.string_val.length); + break; + + case TYPE_TABLE: + for ( int j = 0; j < val->val.set_val.size; j++ ) + { + if ( j > 0 ) + d.Add(","); + + RenderVal(val->val.set_val.vals[j], d); + } + break; + + case TYPE_VECTOR: + for ( int j = 0; j < val->val.vector_val.size; j++ ) + { + if ( j > 0 ) + d.Add(","); + + RenderVal(val->val.vector_val.vals[j], d); + } + break; + + default: + assert(false); + } + } + +bool Plugin::HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) + { + ODesc d; + + d.Add("["); + for ( int i=0; i < num_fields; i++ ) + { + const threading::Field* f = fields[i]; + const threading::Value* val = vals[i]; + + if ( i > 0 ) + d.Add(", "); + + d.Add(f->name); + d.Add("="); + + RenderVal(val, d); + } + d.Add("]"); + + fprintf(stderr, "%.6f %-15s %s %s\n", network_time, "| HookLogWrite", info.path, d.Description()); + return true; + } diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.h b/testing/btest/plugins/hooks-plugin/src/Plugin.h index efbd25bc2d..64227c0660 100644 --- a/testing/btest/plugins/hooks-plugin/src/Plugin.h +++ b/testing/btest/plugins/hooks-plugin/src/Plugin.h 
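Review bot: In `Plugin::RenderVal` (hooks-plugin/src/Plugin.cc) the `default:` arm is only `assert(false);`, so in a build that defines NDEBUG an unhandled `val->type` adds nothing to the description. `HookLogWrite` would then print `name=` with no sign that a value was skipped. Whether the plugin is built with NDEBUG is not visible from this hunk, but a visible marker costs nothing and makes a baseline diff self-explanatory: `default: d.Add("?unhandled-type?"); break;`. A short comment above `RenderVal` saying that sets and vectors are rendered recursively and comma-separated would also help the next reader.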
@@ -10,17 +10,22 @@ namespace Demo_Hooks { class Plugin : public ::plugin::Plugin { protected: - virtual int HookLoadFile(const std::string& file, const std::string& ext); - virtual std::pair HookCallFunction(const Func* func, Frame* frame, val_list* args); - virtual bool HookQueueEvent(Event* event); - virtual void HookDrainEvents(); - virtual void HookUpdateNetworkTime(double network_time); - virtual void HookBroObjDtor(void* obj); - virtual void MetaHookPre(HookType hook, const HookArgumentList& args); - virtual void MetaHookPost(HookType hook, const HookArgumentList& args, HookArgument result); + int HookLoadFile(const std::string& file, const std::string& ext) override; + std::pair HookCallFunction(const Func* func, Frame* frame, val_list* args) override; + bool HookQueueEvent(Event* event) override; + void HookDrainEvents() override; + void HookUpdateNetworkTime(double network_time) override; + void HookBroObjDtor(void* obj) override; + void HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) override; + bool HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) override; + void HookSetupAnalyzerTree(Connection *conn) override; + void MetaHookPre(HookType hook, const HookArgumentList& args) override; + void MetaHookPost(HookType hook, const HookArgumentList& args, HookArgument result) override; + + void RenderVal(const threading::Value* val, ODesc &d) const; // Overridden from plugin::Plugin. - virtual plugin::Configuration Configure(); + plugin::Configuration Configure() override; }; extern Plugin plugin; 
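Review bot: `RenderVal` is declared in the `protected:` block of `Demo_Hooks::Plugin` between the hook overrides and the comment `// Overridden from plugin::Plugin.`, although it overrides nothing and is only a formatting helper. Its definition in Plugin.cc reads no member state, so it does not need to be part of the class interface that subclasses see. Either move it under a `private:` label or make it a file-local function in Plugin.cc, e.g. `static void RenderVal(const threading::Value* val, ODesc& d);`.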
diff --git a/testing/btest/plugins/logging-hooks-plugin/.btest-ignore b/testing/btest/plugins/logging-hooks-plugin/.btest-ignore new file mode 100644 index 0000000000..e69de29bb2 diff --git a/testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc new file mode 100644 index 0000000000..32dd2b17b3 --- /dev/null +++ b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc @@ -0,0 +1,60 @@ + +#include "Plugin.h" + +#include +#include +#include +#include + +namespace plugin { namespace Log_Hooks { Plugin plugin; } } + +using namespace plugin::Log_Hooks; + +plugin::Configuration Plugin::Configure() + { + round = 0; + EnableHook(HOOK_LOG_INIT); + EnableHook(HOOK_LOG_WRITE); + + plugin::Configuration config; + config.name = "Log::Hooks"; + config.description = "Exercises Log hooks"; + config.version.major = 1; + config.version.minor = 0; + return config; + } + +void Plugin::HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) + { + ODesc d; + + d.Add("{"); + for ( int i=0; i < num_fields; i++ ) + { + const threading::Field* f = fields[i]; + + if ( i > 0 ) + d.Add(", "); + + d.Add(f->name); + d.Add(" ("); + d.Add(f->TypeName()); + d.Add(")"); + } + d.Add("}"); + + fprintf(stderr, "%.6f %-15s %s %d/%d %s\n", network_time, "| HookLogInit", info.path, local, remote, d.Description()); + } + +bool Plugin::HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) + { + round++; + if ( round == 1 ) // do not output line + return false; + else if ( round == 2 ) + vals[0]->val.int_val = 0; + else if ( round == 3 ) + vals[1]->present = false; + + return true; + } 
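Review bot: `Plugin::HookLogWrite` in logging-hooks-plugin/src/Plugin.cc writes to `vals[0]` and `vals[1]` without comparing the index against `num_fields`, and it picks the fields purely by position. The hook is enabled for every log stream, so if the second or third write came from a stream with fewer than two fields it would index past the array. The test script only shows the SSH stream, so this is presumably safe today. Guarding the two branches keeps it that way: `else if ( round == 2 && num_fields > 0 )` and `else if ( round == 3 && num_fields > 1 )`. A comment naming the columns being altered (`b` and `i` in logging-hooks.bro) would document the positional assumption.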
diff --git a/testing/btest/plugins/logging-hooks-plugin/src/Plugin.h b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.h new file mode 100644 index 0000000000..12b821c22c --- /dev/null +++ b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.h @@ -0,0 +1,28 @@ + +#ifndef BRO_PLUGIN_Log_Hooks +#define BRO_PLUGIN_Log_Hooks + +#include + +namespace plugin { +namespace Log_Hooks { + +class Plugin : public ::plugin::Plugin +{ +protected: + void HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) override; + bool HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) override; + + // Overridden from plugin::Plugin. + plugin::Configuration Configure() override; + +private: + int round; +}; + +extern Plugin plugin; + +} +} + +#endif diff --git a/testing/btest/plugins/logging-hooks.bro b/testing/btest/plugins/logging-hooks.bro new file mode 100644 index 0000000000..f2ca926c06 --- /dev/null +++ b/testing/btest/plugins/logging-hooks.bro 
@@ -0,0 +1,72 @@
+# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Log Hooks
+# @TEST-EXEC: cp -r %DIR/logging-hooks-plugin/* .
+# @TEST-EXEC: ./configure --bro-dist=${DIST} && make
+# @TEST-EXEC: BRO_PLUGIN_ACTIVATE="Log::Hooks" BRO_PLUGIN_PATH=`pwd` bro -b %INPUT 2>&1 | $SCRIPTS/diff-remove-abspath | sort | uniq >output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: btest-diff ssh.log
+
+redef LogAscii::empty_field = "EMPTY";
+
+module SSH;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Log: record {
+ b: bool;
+ i: int &optional;
+ e: Log::ID;
+ c: count;
+ p: port;
+ sn: subnet;
+ a: addr;
+ d: double;
+ t: time;
+ iv: interval;
+ s: string;
+ sc: set[count];
+ ss: set[string];
+ se: set[string];
+ vc: vector of count;
+ ve: vector of string;
+ f: function(i: count) : string;
+ } &log;
+}
+
+function foo(i : count) : string
+ {
+ if ( i > 0 )
+ return "Foo";
+ else
+ return "Bar";
+ }
+
+event bro_init()
+{
+ Log::create_stream(SSH::LOG, [$columns=Log]);
+
+ local empty_set: set[string];
+ local empty_vector: vector of string;
+
+ local i = 0;
+ while ( ++i < 4 )
+ Log::write(SSH::LOG, [
+ $b=T,
+ $i=-i,
+ $e=SSH::LOG,
+ $c=21,
+ $p=123/tcp,
+ $sn=10.0.0.1/24,
+ $a=1.2.3.4,
+ $d=3.14,
+ $t=network_time(),
+ $iv=100secs,
+ $s="hurz",
+ $sc=set(1,2,3,4),
+ $ss=set("AA", "BB", "CC"),
+ $se=empty_set,
+ $vc=vector(10, 20, 30),
+ $ve=empty_vector,
+ $f=foo
+ ]);
+}
From 7f292dc4ad0239d34f6b849a00f37f9c87d822a4 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 2 May 2017 11:51:36 -0700
Subject: [PATCH 145/631] TLS: Fix compile warning (comparison between signed/unsigned). This was introduced with the addition of new TLS1.3 extensions.
---
src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index c85f3205ef..fc4c879e81 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -195,7 +195,7 @@ refine connection Handshake_Conn += { if ( versions_list ) { - for ( int i = 0; i < versions_list->size(); ++i ) + for ( unsigned int i = 0; i < versions_list->size(); ++i ) versions->Assign(i, new Val((*versions_list)[i], TYPE_COUNT)); } @@ -211,7 +211,7 @@ refine connection Handshake_Conn += { if ( mode_list ) { - for ( int i = 0; i < mode_list->size(); ++i ) + for ( unsigned int i = 0; i < mode_list->size(); ++i ) modes->Assign(i, new Val((*mode_list)[i], TYPE_COUNT)); } From ff998dfa435b2063b85b7a6ad4ffa477130f7df5 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 3 May 2017 13:14:20 -0700 Subject: [PATCH 146/631] Lessen cluster node of notice suppression. With this commit, the data structure that is transfered for notice suppression is much smaller than before, not including potentially complex data structures like the fa_file record. --- scripts/base/frameworks/notice/cluster.bro | 6 +++--- scripts/base/frameworks/notice/main.bro | 13 +++++++++---- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/scripts/base/frameworks/notice/cluster.bro b/scripts/base/frameworks/notice/cluster.bro index 3c3fbc6d36..2a45f957a8 100644 --- a/scripts/base/frameworks/notice/cluster.bro +++ b/scripts/base/frameworks/notice/cluster.bro @@ -21,10 +21,10 @@ redef Cluster::manager2worker_events += /Notice::begin_suppression/; redef Cluster::worker2manager_events += /Notice::cluster_notice/; @if ( Cluster::local_node_type() != Cluster::MANAGER ) -event Notice::begin_suppression(n: Notice::Info) +event Notice::begin_suppression(ts: time, suppress_for: interval, note: Type, identifier: string) { - local suppress_until = n$ts + n$suppress_for; - suppressing[n$note, n$identifier] = suppress_until; + local suppress_until = ts + suppress_for; + suppressing[note, identifier] = suppress_until; } @endif 
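Review bot: Changing `Notice::begin_suppression` from a single `Notice::Info` argument to `(ts, suppress_for, note, identifier)` is an incompatible change for any script outside this tree that handles or raises the event, and nothing in the commit records it; this applies to the handler in `cluster.bro` and equally to the declaration and the `event Notice::begin_suppression(n$ts, ...)` call in the two `main.bro` hunks. I would add a release-notes entry describing the new signature (where the project keeps such notes is not visible in this patch). In the `cluster.bro` handler, `note: Type` depends on the file being inside `module Notice`, which the hunk does not show; spelling it `note: Notice::Type` would match the new doc comment in `main.bro`. That doc comment also carries two typos, `then when` and `occured`.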
diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro index a203f6a772..aa88c26174 100644 --- a/scripts/base/frameworks/notice/main.bro +++ b/scripts/base/frameworks/notice/main.bro @@ -261,9 +261,14 @@ export { ## This event is generated when a notice begins to be suppressed. ## - ## n: The record containing notice data regarding the notice type - ## about to be suppressed. - global begin_suppression: event(n: Notice::Info); + ## ts: time indicating then when the notice to be suppressed occured. + ## + ## suppress_for: length of time that this notice should be suppressed. + ## + ## note: The :bro:type:`Notice::Type` of the notice. + ## + ## identifier: The identifier string of the notice that should be suppressed. + global begin_suppression: event(ts: time, suppress_for: interval, note: Type, identifier: string); ## A function to determine if an event is supposed to be suppressed. ## @@ -504,7 +509,7 @@ hook Notice::notice(n: Notice::Info) &priority=-5 { local suppress_until = n$ts + n$suppress_for; suppressing[n$note, n$identifier] = suppress_until; - event Notice::begin_suppression(n); + event Notice::begin_suppression(n$ts, n$suppress_for, n$note, n$identifier); } } From a334247478574d130f748d27bbc40328a0415b8d Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 3 May 2017 22:06:24 -0700 Subject: [PATCH 147/631] SCT Validate: make caching a bit less aggressive. This triggers a re-validation of the SCT when the certificate validation status changed. This means that a SCT will show as valid if the certificate chain could be validated and can now be used to determine the correct issuer key hash. --- scripts/policy/protocols/ssl/validate-sct.bro | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro index e28b89de88..385621afde 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro 
+++ b/scripts/policy/protocols/ssl/validate-sct.bro @@ -116,7 +116,10 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 local valid = F; local found_cache = F; - local validate_hash = sha1_hash(cat(certhash,proof$logid,proof$timestamp,proof$hash_alg,proof$signature)); + local validatestring = cat(certhash,proof$logid,proof$timestamp,proof$hash_alg,proof$signature,proof$source); + if ( proof$source == SCT_X509_EXT && c$ssl?$validation_code ) + validatestring = cat(validatestring, c$ssl$validation_code); + local validate_hash = sha1_hash(validatestring); if ( validate_hash in recently_validated_scts ) { valid = recently_validated_scts[validate_hash]; From ff2c5b93455285c759fd4c88b9bc89e652c8e3d5 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 5 May 2017 11:09:47 -0700 Subject: [PATCH 148/631] Update submodule [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index bedd721378..aadc6d37aa 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit bedd7213784b3f1d2ce10ce73b1a9cf9efdc848a +Subproject commit aadc6d37aa12b9ab50e9b63c5f1dcf4fa1e2a180 From 876f492a355222f8e70a295cb4ca6f444c53c12a Mon Sep 17 00:00:00 2001 
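Review bot: The cache key on the new `validatestring` line is built with `cat(...)`, which joins its arguments with no separator, so two different SCT tuples can serialise to the same string when adjacent variable-width fields trade characters (for example `proof$timestamp` next to `proof$hash_alg`, if both are numeric; their types are not visible in this hunk). A hit in `recently_validated_scts` returns the cached `valid`, so a key collision would give one SCT another's verdict. Joining with a separator, `local validatestring = cat_sep("|", "", certhash, proof$logid, proof$timestamp, proof$hash_alg, proof$signature, proof$source);` and likewise when appending `c$ssl$validation_code`, narrows this; since `proof$signature` may itself contain the separator, length-prefixing the fields would be stricter. The body of `ssl_change_cipher_spec` continues outside the hunk, so how the cached value is used afterwards is inferred from the lines shown.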
From: Johanna Amann Date: Tue, 2 May 2017 13:47:46 -0700 Subject: [PATCH 149/631] OCSP/TLS/SCT: Fix a number of test failures. These were caused by earlier code updates. This commit also removes the ocsp stapling logging script; it was defunct and the information provided by it never really has been especially interesting. --- .../policy/protocols/ssl/ocsp-stapling.bro | 118 ------------------ scripts/test-all-policy.bro | 2 + .../canonified_loaded_scripts.log | 5 +- .../canonified_loaded_scripts.log | 6 +- testing/btest/Baseline/plugins.hooks/output | 55 ++++++-- .../out | 8 +- .../intel-all.log | 16 +-- .../all-events-no-args.log | 2 + .../all-events.log | 106 +++++++++------- .../ocsp-stapling.log | 10 -- .../policy/protocols/ssl/ocsp-stapling.bro | 6 - 11 files changed, 122 insertions(+), 212 deletions(-) delete mode 100644 scripts/policy/protocols/ssl/ocsp-stapling.bro delete mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log delete mode 100644 testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro diff --git a/scripts/policy/protocols/ssl/ocsp-stapling.bro b/scripts/policy/protocols/ssl/ocsp-stapling.bro deleted file mode 100644 index 58e378ab65..0000000000 --- a/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ /dev/null
@@ -1,118 +0,0 @@ -#! Log ocsp stapling information - -module OCSP_STAPLING; - -export { - redef enum Log::ID += { LOG }; - type Info: record { - ## timestamp - ts: time &log; - - ## status type - status_type: count &log; - - ## connection id - cid: conn_id &log; - - ## connection uid - cuid: string &log; - - ## size of this response - size: count &log; - - ## responseStatus - responseStatus: string &log; - - ## responseType - responseType: string &log; - - ## version - version: count &log; - - ## responderID - responderID: string &log; - - ## producedAt - producedAt: string &log; - - ## NOTE: the following are specific to one cert id - ## the above are for one message which may contain - ## several responses - - ## index - idx: count &log &optional; - - ## cert id - cert_id: OCSP::CertId &log &optional; - - ## certStatus (this is the response to look at) - certStatus: string &log &optional; - - ## thisUpdate - thisUpdate: string &log &optional; - - ## nextUpdate - nextUpdate: string &log &optional; - }; -} - -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) - { - local resp: OCSP::Response = ocsp_parse_response(response); - - # TOCHECK: is this right? 
- local resp_size: count =|response|; - - if (resp?$responses) - { - local num: count = 0; - for (x in resp$responses) - { - num += 1; - local single_resp: OCSP::SingleResp = resp$responses[x]; - local cert_id: OCSP::CertId = [$hashAlgorithm = single_resp$hashAlgorithm, - $issuerNameHash = single_resp$issuerNameHash, - $issuerKeyHash = single_resp$issuerKeyHash, - $serialNumber = single_resp$serialNumber]; - - local resp_rec: Info = [$ts = network_time(), - $status_type = status_type, - $cid = c$id, - $cuid = c$uid, - $size = resp_size, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt, - $idx = num, - $cert_id = cert_id, - $certStatus = single_resp$certStatus, - $thisUpdate = single_resp$thisUpdate]; - - if (single_resp?$nextUpdate) - resp_rec$nextUpdate = single_resp$nextUpdate; - Log::write(LOG, resp_rec); - } - } - else - { - # no response content? this is weird but log it anyway - local resp_rec_empty: Info = [$ts = network_time(), - $status_type = status_type, - $cid = c$id, - $cuid = c$uid, - $size = resp_size, - $responseStatus = resp$responseStatus, - $responseType = resp$responseType, - $version = resp$version, - $responderID = resp$responderID, - $producedAt = resp$producedAt]; - Log::write(LOG, resp_rec_empty); - } - } - -event bro_init() - { - Log::create_stream(LOG, [$columns=Info, $path="ocsp-stapling"]); - } diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index a022060cd4..7c828241d0 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -34,6 +34,7 @@ @load frameworks/files/entropy-test-all-files.bro #@load frameworks/files/extract-all-files.bro @load frameworks/files/hash-all-files.bro +@load files/x509/log-ocsp.bro @load frameworks/packet-filter/shunt.bro @load frameworks/software/version-changes.bro @load frameworks/software/vulnerable.bro 
@@ -98,6 +99,7 @@ #@load protocols/ssl/notary.bro @load protocols/ssl/validate-certs.bro @load protocols/ssl/validate-ocsp.bro +@load protocols/ssl/validate-sct.bro @load protocols/ssl/weak-keys.bro @load tuning/__load__.bro @load tuning/defaults/__load__.bro diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index d53b14ce58..52a660261c 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2017-02-28-17-15-30 +#open 2017-05-02-20-38-47 #fields name #types string scripts/base/init-bare.bro @@ -157,6 +157,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_X509.events.bif.bro build/scripts/base/bif/plugins/Bro_X509.types.bif.bro build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro + build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro @@ -167,4 +168,4 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2017-02-28-17-15-30 +#close 2017-05-02-20-38-47 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index e11edefe16..75ef872a95 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
@@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2017-02-28-17-19-41 +#open 2017-05-02-20-39-05 #fields name #types string scripts/base/init-bare.bro @@ -157,6 +157,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_X509.events.bif.bro build/scripts/base/bif/plugins/Bro_X509.types.bif.bro build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro + build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro @@ -284,6 +285,7 @@ scripts/base/init-default.bro scripts/base/protocols/ssl/consts.bro scripts/base/protocols/ssl/main.bro scripts/base/protocols/ssl/mozilla-ca-list.bro + scripts/base/protocols/ssl/ct-list.bro scripts/base/protocols/ssl/files.bro scripts/base/files/x509/__load__.bro scripts/base/files/x509/main.bro @@ -355,4 +357,4 @@ scripts/base/init-default.bro scripts/base/misc/find-filtered-trace.bro scripts/base/misc/version.bro scripts/policy/misc/loaded-scripts.bro -#close 2017-02-28-17-19-41 +#close 2017-05-02-20-39-05 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 420d20ae12..a4250da2ca 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -151,7 +151,16 @@ 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 0.000000 MetaHookPost CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/pkix-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-ca-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-user-cert)) -> 0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_PE, application/x-dosexec)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/pkix-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-ca-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-user-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/pkix-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-ca-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-user-cert)) -> 0.000000 MetaHookPost CallFunction(Files::register_for_mime_types, , 
(Files::ANALYZER_PE, {application/x-dosexec})) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -> 
@@ -247,7 +256,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> @@ -377,7 +386,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -523,6 +532,7 @@ 0.000000 MetaHookPost LoadFile(./Bro_Unified2.types.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_X509.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_X509.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(./Bro_X509.ocsp_events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_X509.types.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./Bro_XMPP.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./acld) -> -1 @@ -542,6 +552,7 @@ 0.000000 MetaHookPost LoadFile(./consts) -> -1 0.000000 MetaHookPost LoadFile(./consts.bro) -> -1 0.000000 MetaHookPost LoadFile(./contents) -> -1 +0.000000 MetaHookPost LoadFile(./ct-list) -> -1 0.000000 MetaHookPost LoadFile(./data.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(./dcc-send) -> -1 0.000000 MetaHookPost LoadFile(./debug) -> -1 
@@ -868,7 +879,16 @@ 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 0.000000 MetaHookPre CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/pkix-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-ca-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-user-cert)) 0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_PE, application/x-dosexec)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/pkix-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-ca-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-user-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/pkix-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-ca-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-user-cert)) 0.000000 MetaHookPre CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec})) 0.000000 MetaHookPre 
CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) @@ -964,7 +984,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) 
@@ -1094,7 +1114,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1240,6 +1260,7 @@ 0.000000 MetaHookPre LoadFile(./Bro_Unified2.types.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_X509.events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_X509.functions.bif.bro) +0.000000 MetaHookPre LoadFile(./Bro_X509.ocsp_events.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_X509.types.bif.bro) 0.000000 MetaHookPre LoadFile(./Bro_XMPP.events.bif.bro) 0.000000 MetaHookPre LoadFile(./acld) @@ -1259,6 +1280,7 @@ 0.000000 MetaHookPre LoadFile(./consts) 0.000000 MetaHookPre LoadFile(./consts.bro) 0.000000 MetaHookPre LoadFile(./contents) +0.000000 MetaHookPre LoadFile(./ct-list) 0.000000 MetaHookPre LoadFile(./data.bif.bro) 0.000000 MetaHookPre LoadFile(./dcc-send) 0.000000 MetaHookPre LoadFile(./debug) 
@@ -1584,7 +1606,16 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp}) 0.000000 | HookCallFunction Cluster::is_enabled() 0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)}) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/pkix-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/x-x509-ca-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/x-x509-user-cert) 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_PE, application/x-dosexec) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/pkix-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/x-x509-ca-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/x-x509-user-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/pkix-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-ca-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-user-cert) 0.000000 | HookCallFunction Files::register_for_mime_types(Files::ANALYZER_PE, {application/x-dosexec}) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return 
()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}]) @@ -1680,7 +1711,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 
@@ -1810,7 +1841,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1488302456.440387, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1493757624.27038, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() 
@@ -2195,7 +2226,7 @@ 1362692527.009775 MetaHookPost CallFunction(Log::write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) -> 1362692527.009775 MetaHookPost CallFunction(Log::write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> 1362692527.009775 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009775 MetaHookPost CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> +1362692527.009775 MetaHookPost CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) -> 1362692527.009775 MetaHookPost CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> 1362692527.009775 MetaHookPost CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> 1362692527.009775 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, 
smtp_state=, socks=, ssh=, syslog=], F)) -> @@ -2204,7 +2235,7 @@ 1362692527.009775 MetaHookPost CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692527.009775 MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.009775 MetaHookPost DrainEvents() -> -1362692527.009775 MetaHookPost QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> false +1362692527.009775 MetaHookPost QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) -> false 1362692527.009775 MetaHookPost QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> false 1362692527.009775 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 1362692527.009775 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false 
@@ -2220,7 +2251,7 @@ 1362692527.009775 MetaHookPre CallFunction(Log::write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) 1362692527.009775 MetaHookPre CallFunction(Log::write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) 1362692527.009775 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009775 MetaHookPre CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) +1362692527.009775 MetaHookPre CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) 1362692527.009775 MetaHookPre CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) 1362692527.009775 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=], F)) @@ -2229,7 +2260,7 @@ 1362692527.009775 MetaHookPre CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692527.009775 MetaHookPre CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.009775 MetaHookPre DrainEvents() -1362692527.009775 MetaHookPre QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) +1362692527.009775 MetaHookPre QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) 1362692527.009775 MetaHookPre QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009775 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 
@@ -2246,7 +2277,7 @@ 1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]) 1362692527.009775 | HookCallFunction Log::write(HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]) 1362692527.009775 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009775 | HookCallFunction file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]) +1362692527.009775 | HookCallFunction file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T]) 1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) 1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 
@@ -2255,7 +2286,7 @@ 1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) 1362692527.009775 | HookDrainEvents -1362692527.009775 | HookQueueEvent file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]) +1362692527.009775 | HookQueueEvent file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T]) 1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out index d7c0aef00d..90e5e79ef0 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out 
@@ -60,10 +60,8 @@ FILE_OVER_NEW_CONNECTION FILE_STATE_REMOVE file #4, 1406, 0 [orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp] -FILE_BOF_BUFFER -0\x82\x05z0\x82\x04b\xa0\x03\x02 MIME_TYPE -application/pkix-cert +application/x-x509-user-cert source: SSL MD5: 1bf9696d9f337805383427e88781d001 SHA1: f5ccb1a724133607548b00d8eb402efca3076d58 @@ -73,10 +71,8 @@ FILE_OVER_NEW_CONNECTION FILE_STATE_REMOVE file #5, 1092, 0 [orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp] -FILE_BOF_BUFFER -0\x82\x04@0\x82\x03(\xa0\x03\x02 MIME_TYPE -application/pkix-cert +application/x-x509-ca-cert source: SSL MD5: 48f0e38385112eeca5fc9ffd402eaecd SHA1: 8e8321ca08b08e3726fe1d82996884eeb5f0d655 diff --git a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log index 6bb3e47e60..25c032e488 100644 --- a/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log +++ b/testing/btest/Baseline/scripts.policy.frameworks.intel.seen.certs/intel-all.log 
@@ -3,23 +3,23 @@ #empty_field (empty) #unset_field - #path intel -#open 2016-08-05-13-22-37 +#open 2017-05-02-20-45-26 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc #types time string addr port addr port string enum enum string set[enum] set[string] string string string -1416942644.593119 CHhAvVGS1DHFjwGM9 192.168.4.149 49422 23.92.19.75 443 www.pantz.org Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 Fi6J8q3lDJpbQWAnvi application/pkix-cert 23.92.19.75:443/tcp -#close 2016-08-05-13-22-37 +1416942644.593119 CHhAvVGS1DHFjwGM9 192.168.4.149 49422 23.92.19.75 443 www.pantz.org Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 Fi6J8q3lDJpbQWAnvi application/x-x509-user-cert 23.92.19.75:443/tcp +#close 2017-05-02-20-45-26 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path intel -#open 2016-08-05-13-22-37 +#open 2017-05-02-20-45-27 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc #types time string addr port addr port string enum enum string set[enum] set[string] string string string -1170717505.735416 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FeCwNK3rzqPnZ7eBQ5 application/pkix-cert 194.127.84.106:443/tcp +1170717505.735416 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FeCwNK3rzqPnZ7eBQ5 application/x-x509-user-cert 194.127.84.106:443/tcp 1170717505.934612 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 FeCwNK3rzqPnZ7eBQ5 - - -1170717508.883051 ClEkJM2Vm5giqnMf4h 192.150.187.164 58869 194.127.84.106 443 
2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FjkLnG4s34DVZlaBNc application/pkix-cert 194.127.84.106:443/tcp +1170717508.883051 ClEkJM2Vm5giqnMf4h 192.150.187.164 58869 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FjkLnG4s34DVZlaBNc application/x-x509-user-cert 194.127.84.106:443/tcp 1170717509.082241 ClEkJM2Vm5giqnMf4h 192.150.187.164 58869 194.127.84.106 443 www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 FjkLnG4s34DVZlaBNc - - -1170717511.909717 C4J4Th3PJpwUYZZ6gc 192.150.187.164 58870 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FQXAWgI2FB5STbrff application/pkix-cert 194.127.84.106:443/tcp +1170717511.909717 C4J4Th3PJpwUYZZ6gc 192.150.187.164 58870 194.127.84.106 443 2c322ae2b7fe91391345e070b63668978bb1c9da Intel::CERT_HASH X509::IN_CERT bro Intel::CERT_HASH source1 FQXAWgI2FB5STbrff application/x-x509-user-cert 194.127.84.106:443/tcp 1170717512.108799 C4J4Th3PJpwUYZZ6gc 192.150.187.164 58870 194.127.84.106 443 www.dresdner-privat.de Intel::DOMAIN X509::IN_CERT bro Intel::DOMAIN source1 FQXAWgI2FB5STbrff - - -#close 2016-08-05-13-22-38 +#close 2017-05-02-20-45-27 diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log index 64cbb5f748..8cd2a5e56d 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log @@ -173,6 +173,7 @@ 1437831799.764576 file_new 1437831799.764576 file_over_new_connection 1437831799.764576 file_sniff +1437831799.764576 file_hash 1437831799.764576 x509_certificate 1437831799.764576 x509_extension 1437831799.764576 x509_extension 
@@ -190,6 +191,7 @@ 1437831799.764576 file_new 1437831799.764576 file_over_new_connection 1437831799.764576 file_sniff +1437831799.764576 file_hash 1437831799.764576 x509_certificate 1437831799.764576 x509_extension 1437831799.764576 x509_extension diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log index a42b891e6a..70ed522a0d 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log 
@@ -315,7 +315,7 @@ 1254722770.692743 file_sniff [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]] + [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T] 1254722770.692743 file_state_remove [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, 
dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 
@@ -359,7 +359,7 @@ 1254722770.692804 file_sniff [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a

\x0d\x0a\x0d\x0a

Hello

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

I send u smtp pcap file

\x0d\x0a\x0d\x0a

Find the attachment

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

GPS

\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=text/html, mime_types=[[strength=100, mime=text/html], [strength=20, mime=text/html], [strength=-20, mime=text/plain]]] + [1] meta: fa_metadata = [mime_type=text/html, mime_types=[[strength=100, mime=text/html], [strength=20, mime=text/html], [strength=-20, mime=text/plain]], inferred=T] 1254722770.692804 file_state_remove [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 
11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a

Hello

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

I send u smtp pcap file

\x0d\x0a\x0d\x0a

Find the attachment

\x0d\x0a\x0d\x0a

 

\x0d\x0a\x0d\x0a

GPS

\x0d\x0a\x0d\x0a
\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=text/html, filename=, duration=61.0 usecs, local_orig=, is_orig=T, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 
@@ -415,7 +415,7 @@ 1254722771.494181 file_sniff [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a - Strip executable\x0d\x0a - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify 
value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added 
possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a compiler: -D__DEBUG__\x0d\x0a* Each project creates a _private.h file containing version\x0d\x0a information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]] + [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T] 1254722771.858334 mime_end_entity [0] c: connection = [id=[orig_h=10.10.1.4, 
orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] 
@@ -708,7 +708,7 @@ 1437831787.905375 file_sniff [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 
mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]] + [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T] 1437831787.905375 file_state_remove [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], 
trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 
@@ -844,151 +844,161 @@ [2] is_orig: bool = F 1437831799.764576 file_sniff - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, 
krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 
\xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 
\x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=, mime_types=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, 
cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] meta: fa_metadata = [mime_type=application/x-x509-user-cert, mime_types=, inferred=F] + +1437831799.764576 file_hash + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, 
cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] kind: string = sha1 + [2] hash: string = f5ccb1a724133607548b00d8eb402efca3076d58 1437831799.764576 x509_certificate - [0] f: fa_file = [id=F1vce92FT1oRjKI328, 
parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 
\xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 
\x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, 
tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] cert_ref: opaque of x509 = [2] cert: X509::Certificate = [version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, 
exponent=65537, curve=] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST 
CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde 
\x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 
\xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, 
resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], 
extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, 
resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, 
extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde 
\x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 
\xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, 
conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], 
san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, 
parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple 
Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice 
statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, 
conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, 
mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE] 1437831799.764576 x509_ext_basic_constraints - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, 
thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, 
extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 
\xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 
\x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, 
l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - 
URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - 
URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::BasicConstraints = [ca=F, path_len=] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, 
analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification 
Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice 
statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, 
tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, 
fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], 
orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, 
critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde 
\x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 
\xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, 
short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, 
missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, 
analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, 
parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple 
Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice 
statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, 
ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, 
oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, 
curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, 
dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, 
value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple 
Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice 
statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, 
uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], 
[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, 
serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, 
orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, 
exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, 
bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d 
\x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, 
certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, 
resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, 
key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, 
fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, 
oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, 
depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, 
value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde 
\x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 
\xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, 
short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, 
uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, 
x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, 
extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com] 1437831799.764576 x509_ext_subject_alternative_name - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, 
certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, 
value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 
\xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 
\x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use 
and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, 
logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: 
http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, 
not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::SubjectAlternativeName = [dns=[*.icloud.com], uri=, email=, ip=, other_fields=F] 1437831799.764576 file_hash - [0] f: fa_file 
= [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, 
not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, 
issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 
\xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 
\x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use 
and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] kind: string = sha1 - [2] hash: string = f5ccb1a724133607548b00d8eb402efca3076d58 + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, 
client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by 
any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, 
path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] kind: string = md5 + [2] hash: string = 1bf9696d9f337805383427e88781d001 1437831799.764576 file_state_remove - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, 
certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, 
value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 
\xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 
\x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any 
applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, 
server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of 
any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, 
path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 file_new - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], 
basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, 
conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull 
Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 file_over_new_connection - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, 
id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, 
sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, 
server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, 
certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, 
value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, 
client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of 
any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [2] is_orig: bool = F 1437831799.764576 file_sniff - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, 
ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/g
tglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=, mime_types=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, 
l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, 
critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, 
seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] meta: fa_metadata = [mime_type=application/x-x509-ca-cert, mime_types=, inferred=F] + +1437831799.764576 file_hash + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, 
fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], 
[name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, 
mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] kind: string = sha1 + [2] hash: string = 8e8321ca08b08e3726fe1d82996884eeb5f0d655 1437831799.764576 x509_certificate - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, 
seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, 
oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC 
\x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, 
history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=, extracted=, extracted_cutoff=, 
extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] cert_ref: opaque of x509 = [2] cert: X509::Certificate = [version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], 
start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, 
oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, 
certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC 
\x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, 
source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, 
not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, 
tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, 
certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, 
fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, 
short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, 
server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x
01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, 
is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended 
Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, 
total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], 
start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, 
oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, 
certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC 
\x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, 
overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, 
critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, 
smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0] 1437831799.764576 x509_ext_basic_constraints - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, 
resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority 
Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, 
filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 
0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, 
filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, 
Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], 
client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::BasicConstraints = [ca=T, path_len=0] 1437831799.764576 x509_extension - [0] 
f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, 
cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, 
tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, 
bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, 
mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, 
oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], 
cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, 
u2_events=] [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, 
serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], 
san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, 
smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\
xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, 
extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, 
tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL 
Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic 
Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, 
rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull 
Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, 
oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC 
\x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, 
cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: 
http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority 
Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, 
cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, 
value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple 
Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, 
client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by 
any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple 
Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a] 1437831799.764576 file_hash - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, 
flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, 
short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, 
id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, 
missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 
0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, 
critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] kind: string = sha1 - [2] hash: string = 8e8321ca08b08e3726fe1d82996884eeb5f0d655 + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, 
uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, 
depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] kind: string = md5 + [2] hash: string = 
48f0e38385112eeca5fc9ffd402eaecd 1437831799.764576 file_state_remove - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, 
issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, 
extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: 
http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC 
\x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], 
version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate 
Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, 
exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, 
mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, 
orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information 
Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, 
seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, 
ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, 
not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, 
rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, 
extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg_type: count = 11 [3] length: count = 2507 1437831799.764576 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, 
sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject 
Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, 
value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, 
mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, 
value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL 
Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg_type: count = 14 [3] length: count = 0 1437831799.838196 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377044, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, 
client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice 
statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377044, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, 
cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, 
critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, 
short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] msg_type: count = 16 [3] length: count = 258 1437831799.838197 ssl_change_cipher_spec - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377045, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, 
vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, 
oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust 
Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, 
flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377045, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key 
Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, 
sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] 
is_orig: bool = T 1437831800.045701 ssl_change_cipher_spec - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, 
sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, 
source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], 
client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, 
path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 
2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F 1437831800.045701 ssl_established - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, 
missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server 
Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, 
short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, 
analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, 
short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, 
value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 net_done [0] t: time = 1437831800.217854 
@@ -1019,10 +1029,10 @@ [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_pending - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, 
rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a 
URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, 
oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, 
server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 
1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, 
short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, 
duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, 
serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, 
ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, 
key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, 
analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], 
client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 bro_done 1437831800.217854 ChecksumOffloading::check diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log deleted file mode 100644 index c8d4c9d8e6..0000000000 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.ocsp-stapling/ocsp-stapling.log +++ /dev/null @@ -1,10 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path ocsp-stapling -#open 2015-07-08-21-19-54 -#fields ts status_type cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid size responseStatus responseType version responderID producedAt idx cert_id.hashAlgorithm cert_id.issuerNameHash cert_id.issuerKeyHash cert_id.serialNumber certStatus thisUpdate nextUpdate -#types time count addr port addr port string count string string count string string count string string string string string string string -1398367809.961683 1 192.168.4.149 56253 131.253.61.82 443 CXWv6p3arKYeMETxOg 1995 successful Basic OCSP Response 0 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC OCSP Responder 20140421080410Z 1 sha1 39AF18B41C021F39109656FDC6D358EF74858B99 4E43C81D76EF37537A4FF2586F94F338E2D5BDDF 62035C00776A614EAF430C6A5C56E2BD good 20140421080410Z 20140428080410Z -#close 2015-07-08-21-19-54 
diff --git a/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro b/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro deleted file mode 100644 index 63b7e29e03..0000000000 --- a/testing/btest/scripts/policy/protocols/ssl/ocsp-stapling.bro +++ /dev/null @@ -1,6 +0,0 @@ -# This tests logging of ocsp stapling message - -# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT -# @TEST-EXEC: btest-diff ocsp-stapling.log - -@load protocols/ssl/ocsp-stapling From eb50b3fed1e55cdf8df8320d116cacade0ce2e02 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 11 May 2017 22:50:20 -0700 Subject: [PATCH 150/631] Change end-of-connection handling for validation Move from using CCS (before: established) to just doing certificate validation at the end of the connection. This is (again) more robust in the case of aborted connection. I am moving this into a hook because of the complexity of the end-of-connection handling for SSL. This should probably be extended to not just handle SSL validation, but all other logging constructs that are currently called in _established. --- scripts/base/protocols/ssl/main.bro | 14 ++++++++++++++ scripts/policy/protocols/ssl/validate-certs.bro | 11 +---------- scripts/policy/protocols/ssl/validate-sct.bro | 7 ++----- 3 files changed, 17 insertions(+), 15 deletions(-) diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index dbe5f2bccd..54ac8548ba 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -103,6 +103,9 @@ export { ## Event that can be handled to access the SSL ## record as it is sent on to the logging framework. global log_ssl: event(rec: Info); + + # do everything you want to do right before logging here + global ssl_finishing: hook(c: connection); } redef record connection += { 
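Review bot: The new `ssl_finishing` hook in scripts/base/protocols/ssl/main.bro is declared in the export block with a plain `#` comment, while the `log_ssl` declaration just above it uses `##`. The hook would therefore probably be missing from the generated script reference, even though it is the extension point other scripts are expected to handle. I would write it as `## Hook that is called right before the SSL record is logged; handlers can do final per-connection work such as certificate validation here.` The export block opens outside the hunk.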
@@ -294,11 +297,22 @@ event ssl_established(c: connection) &priority=7 c$ssl$established = T; } +event ssl_established(c: connection) &priority=20 + { + hook ssl_finishing(c); + } + event ssl_established(c: connection) &priority=-5 { finish(c, T); } +event connection_state_remove(c: connection) &priority=20 + { + if ( c?$ssl && ! c$ssl$logged ) + hook ssl_finishing(c); + } + event connection_state_remove(c: connection) &priority=-5 { if ( c?$ssl ) diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index c50da10380..c2f4e569a2 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro @@ -136,17 +136,8 @@ function cache_validate(chain: vector of opaque of x509): X509::Result return result; } -# The server issues CCS only after sending the certificates. This should -# be more robust than using SSL_established, on the off chance that we don't -# get that event. -# -# This is not TLSv1.3 compatible - but we will not have certificates in -# that case in any way, so it even saves us a few cycles. -event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=3 +hook ssl_finishing(c: connection) &priority=20 { - if ( is_orig ) - return; - # If there aren't any certs we can't very well do certificate validation. if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro index 385621afde..bf7d8745bb 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro +++ b/scripts/policy/protocols/ssl/validate-sct.bro 
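Review bot: The added `ssl_established` handler in scripts/base/protocols/ssl/main.bro runs at `&priority=20`, ahead of the `&priority=7` handler in this hunk's context that sets `c$ssl$established = T`. Every `ssl_finishing` handler invoked from this path therefore sees `established` still unset and cannot tell a completed handshake from an aborted one. If that distinction matters, fire the hook after the assignment and before the `&priority=-5` call to `finish(c, T)`, for example `event ssl_established(c: connection) &priority=6`. The `connection_state_remove` path relies on `c$ssl$logged` to avoid a second invocation; that flag is set outside the hunk, so it is worth confirming it is always set once `finish` has run.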
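Review bot: The `hook ssl_finishing(c: connection) &priority=20` handler in scripts/policy/protocols/ssl/validate-certs.bro drops the comment that explained when validation runs, and nothing replaces it. A line such as `# Called from ssl_finishing: at ssl_established, or at connection removal when the SSL record has not been logged yet.` would record the new timing. It would also help to note that the validation result is only available from that point on, since handlers of earlier events would presumably find it unset. The hook body continues outside the hunk.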
@@ -84,12 +84,9 @@ event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, log c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src); } -# Priority = 2 will be handled after validation is done -event ssl_change_cipher_spec(c: connection, is_orig: bool) &priority=2 +# Priority = 19 will be handled after validation is done +hook ssl_finishing(c: connection) &priority=19 { - if ( is_orig ) - return; - if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) return; From e1d42ec99ca0dcf79ddc3901a0a58af4fb39c6e0 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Sun, 14 May 2017 09:55:17 -0700 Subject: [PATCH 151/631] SCT validation: fix small memory leak (public keys were not freed) --- src/file_analysis/analyzer/x509/functions.bif | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 80fc3bb9af..478332aecf 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -695,12 +695,15 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa success = EVP_DigestVerifyFinal(mdctx, (unsigned char*) signature->Bytes(), signature->Len()); #endif EVP_MD_CTX_destroy(mdctx); + EVP_PKEY_free(key); return new Val(success, TYPE_BOOL); sct_verify_err: if (mdctx) EVP_MD_CTX_destroy(mdctx); + if (key) + EVP_PKEY_free(key); cerr << errstr << endl; reporter->Error("%s", errstr.c_str()); return new Val(0, TYPE_BOOL); From 7a1ec3501de5e345ceb4678cfbf60d63c9089a92 Mon Sep 17 00:00:00 2001 
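Review bot: In `sct_verify` (src/file_analysis/analyzer/x509/functions.bif), the result of `EVP_DigestVerifyFinal` is passed straight into `new Val(success, TYPE_BOOL)`. That call returns 1 for a valid signature, 0 for an invalid one and a negative value for other errors. If `success` is an integer, which cannot be confirmed because its declaration is outside the hunk, a negative result would be reported to scripts as a successful SCT verification. Comparing explicitly closes that gap: `return new Val(success == 1, TYPE_BOOL);`. The two added `EVP_PKEY_free(key)` calls are fine; the function body starts outside the hunk.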
From: Johanna Amann Date: Sun, 14 May 2017 19:38:36 -0700 Subject: [PATCH 152/631] SCT: another memory leak in SCT parsing. --- src/file_analysis/analyzer/x509/X509Common.cc | 1 + src/file_analysis/analyzer/x509/functions.bif | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc index 367b7e562a..dba593a3eb 100644 --- a/src/file_analysis/analyzer/x509/X509Common.cc +++ b/src/file_analysis/analyzer/x509/X509Common.cc @@ -213,6 +213,7 @@ void file_analysis::X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT"); } + M_ASN1_OCTET_STRING_free(inner); OPENSSL_free(ext_val_second_pointer); interp->FlowEOF(); diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 478332aecf..8212835e2e 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -703,8 +703,8 @@ sct_verify_err: if (mdctx) EVP_MD_CTX_destroy(mdctx); if (key) - EVP_PKEY_free(key); - cerr << errstr << endl; + EVP_PKEY_free(key); + reporter->Error("%s", errstr.c_str()); return new Val(0, TYPE_BOOL); %} From 8af810e00b265f92556118a02f402a0746490e83 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Sun, 14 May 2017 19:53:22 -0700 Subject: [PATCH 153/631] SCT: Fix script error when mime type of file unknown. --- scripts/base/protocols/ssl/files.bro | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro index b440927381..8750645b36 100644 --- a/scripts/base/protocols/ssl/files.bro +++ b/scripts/base/protocols/ssl/files.bro 
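Review bot: The added `M_ASN1_OCTET_STRING_free(inner);` in `ParseSignedCertificateTimestamps` (src/file_analysis/analyzer/x509/X509Common.cc) uses one of the legacy `M_ASN1_*` macros, which newer OpenSSL releases no longer provide as far as I know. The function form frees the same object and is available in both old and new releases: `ASN1_OCTET_STRING_free(inner);`. The `#endif` visible in the sct_verify hunk suggests this code is built against more than one OpenSSL version, so the portable spelling is the safer choice. The function body starts and ends outside the hunk, so whether any earlier return path skips this free cannot be checked from here.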
@@ -96,6 +96,9 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=5 if ( |f$conns| != 1 ) return; + if ( ! f?$info || ! f$info?$mime_type ) + return; + if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert" || f$info$mime_type == "application/pkix-cert" ) ) return; From 9a75c52726b3eb776561e489f95393023904ac59 Mon Sep 17 00:00:00 2001 From: Julien Wallior Date: Thu, 18 May 2017 08:41:52 -0400 Subject: [PATCH 154/631] Add nfs unittest. Includes an example for the new nfs_proc_rename. --- .../scripts.base.protocols.nfs.basic/.stdout | 24 +++++++ testing/btest/Traces/nfs/nfs_base.pcap | Bin 0 -> 6794 bytes .../scripts/base/protocols/nfs/basic.test | 66 ++++++++++++++++++ 3 files changed, 90 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout create mode 100644 testing/btest/Traces/nfs/nfs_base.pcap create mode 100755 testing/btest/scripts/base/protocols/nfs/basic.test diff --git a/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout b/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout new file mode 100644 index 0000000000..58d51a773a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout 
@@ -0,0 +1,24 @@ +nfs_proc_not_implemented, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=425, state=3, num_pkts=5, num_bytes_ip=624, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=520, state=3, num_pkts=3, num_bytes_ip=516, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.972795, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.564809, req_dur=0.0, req_len=124, rep_start=1495059608.56485, rep_dur=0.0, rep_len=112, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], NFS3::PROC_ACCESS +nfs_proc_create, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=581, state=3, num_pkts=6, num_bytes_ip=820, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=792, state=3, num_pkts=4, num_bytes_ip=680, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.97641, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.565064, req_dur=0.0, req_len=144, rep_start=1495059608.568465, rep_dur=0.0, rep_len=260, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, fname=testfile], [fh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\w\x1ew\x01]\xb6\x00=, obj_attr=[ftype=NFS3::FTYPE_REG, mode=32768, nlink=1, uid=1628, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=24583799, atime=2044592128.0, mtime=51501766.0, ctime=1495059608.558778], dir_pre_attr=[size=0, atime=1495059608.558778, mtime=1495059608.558778], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, 
uid=1628, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.558778, ctime=1495059608.558778]] +nfs_proc_not_implemented, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=745, state=3, num_pkts=7, num_bytes_ip=1024, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=940, state=3, num_pkts=5, num_bytes_ip=992, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.982349, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.568646, req_dur=0.0, req_len=152, rep_start=1495059608.574404, rep_dur=0.0, rep_len=136, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], NFS3::PROC_SETATTR +nfs_proc_lookup, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1185, state=3, num_pkts=10, num_bytes_ip=1584, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=1388, state=3, num_pkts=8, num_bytes_ip=1588, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.989157, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1495059608.581163, req_dur=0.0, req_len=136, rep_start=1495059608.581212, rep_dur=0.0, rep_len=108, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, fname=testfile2], [fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.558778, ctime=1495059608.558778]] 
+nfs_proc_rename, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1377, state=3, num_pkts=11, num_bytes_ip=1816, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=1652, state=3, num_pkts=9, num_bytes_ip=1748, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.991291, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.581412, req_dur=0.0, req_len=180, rep_start=1495059608.583346, rep_dur=0.0, rep_len=252, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [src_dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, src_fname=testfile, dst_dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, dst_fname=testfile2], [src_dir_pre_attr=[size=0, atime=1495059608.558778, mtime=1495059608.558778], src_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=22, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.574778, ctime=1495059608.574778], dst_dir_pre_attr=[size=0, atime=1495059608.558778, mtime=1495059608.558778], dst_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=22, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.574778, ctime=1495059608.574778]] +nfs_proc_not_implemented, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1777, state=3, num_pkts=14, num_bytes_ip=2336, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=2008, state=3, num_pkts=12, num_bytes_ip=2364, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.993098, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, 
vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.585126, req_dur=0.0, req_len=124, rep_start=1495059608.585153, rep_dur=0.0, rep_len=112, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], NFS3::PROC_ACCESS +nfs_proc_remove, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1925, state=3, num_pkts=16, num_bytes_ip=2564, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=2156, state=3, num_pkts=13, num_bytes_ip=2528, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=9.813823, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059609.400145, req_dur=0.0, req_len=136, rep_start=1495059609.405878, rep_dur=0.0, rep_len=136, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704459, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, fname=testfile2], [dir_pre_attr=[size=0, atime=1495059608.574778, mtime=1495059608.574778], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=6, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059609.398797, ctime=1495059609.398797]] +nfs_proc_rmdir, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=2057, state=3, num_pkts=18, num_bytes_ip=2776, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=2304, state=3, num_pkts=14, num_bytes_ip=2716, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=9.818272, service={ + +}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059609.407676, req_dur=0.0, req_len=120, 
rep_start=1495059609.410327, rep_dur=0.0, rep_len=136, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704459, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x00\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\, fname=test], [dir_pre_attr=[size=4096, atime=1495059608.558778, mtime=1495059608.558778], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=17407, nlink=44, uid=0, gid=0, size=4096, used=4096, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=128, atime=0.0, mtime=1495059609.402797, ctime=1495059609.402797]] 
diff --git a/testing/btest/Traces/nfs/nfs_base.pcap b/testing/btest/Traces/nfs/nfs_base.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1707107c83cbf8998dc026a14ca4bdd542dec621 GIT binary patch literal 6794 zcmc(kdr%cs9LLWtcv%b$4Y@b&O#>f1)DdaMVayz~0W!=X=`ot&;6M|MuK|4KAB3cq z&SY6LsAQI0<)WFxl%^7D0$q!-nWj-ALnFk;=$$MdiH7~Y=kDI_*}JUc2y|wCoZYi` ze|x^?^ZT8%d-&;S%_lMoW?FeTmNAJ=-feQs*r$ZD33Lo&nJ?9(@5kSz`3g&YoW)tM zrLYuB$ke_IR+f?V4{A~*k8|5HmpgiTX1F9Lyn@?M;OiLq8b`-4uNSXJ^2J!3{4;zx zR>KecDN;}q{E)xpnc?iTeJx|<spyCdxsG$>Bz*tnu&3r8S8jM9p zrj4~YLb!^hstWYjsGwbD?CHByj}m_nuAXW&V@nQy5ZO9rphLY-qWyk`qbbY2zvFqW zrgpC2!wrgAWZZy)kY{xqI*7w@L`HnJ<{zVRgnXT#23P=7xAi7`SzLy`h-pMQAB~Df zjG2a#&z@!)T%1=_?0t@O1tRnXDsNXPERA{s(=(Tn2HDSXF4o$gqb?1}~9b-OHX*M}qDz zp+k&{kjH2fihmwUtl-SA_}aVROV{5-FR8x2xZ$y| zc3P#rhO)wX)4BLIXZW?qaQhr$*hvhd4>fRQWmbXV>Xp<>yqiH0tT%E$3~DM!&7br@ zSOBLs`3&dOpySj@oGuZk3yyTI<||bVdTvzE-tGBBKEw16o0~ZL^#w)6^K<6qvBWWj zdBue}^NVH|=g-TVJ+Fv8mztF|DLpmozq>F3iyBPl@;jVom5%2nmwWgD;yEhyNj?JQ zHi4(_U7OxvdzPnPPHM6+4{*z&w|6MaJf*O2s1X*x_zU?gXM9a$Jp6#ixnmVEzT~iS zg=64R=7s$*&@y^!WUbu z^&igcbCKDORWA34G-5XHhg_~`{iDXrv^?yM91PXg-z1URgQ4Bt@vzBB?D*0d{ZBJ~ueXDB7gtr!LSVjaUe zV%SU!J&p|+1u0k^1^6&3zIL8Be%~teV_fTsZ=~Lt+51b(Cb1}q?^c3JQ8n9{AcRn0DUY$L@~%D$OArb_I_F@=$W^>|D{$#hauO%H?Vyyuopv}%7+a_+L9dNUw{u6&ubMKjG0vb?%xhP+%N;i!3_e=s zW#IUq7-(xGl!RR|WzfbM=)OJU#uI~9V(^#7KvmKe18VQaHIQ--J>O0}uOs5HfIQek z!%Wd**{5UBN(^>`!R9HPLD^%*41&og)bv;$Xbk8XqoL*qsi~n8SU@gR%IBcQepk$e zxZNISHGK)O>)IZGs>Xx^RCO;4>Tf?NIQW*?uCYyqf{=+KkLm)KJ3fK-22<=WKsd@q z@-@J25x$m$b+gtM#M$ch2323gwtfv~yMC}STf8M}Y-xY_f%bdvYb}Jb#bZTfOY^<4 z%lE@;<#x`wUE~~}K%D7oiQUw`165^aoH3OA``%#9>S|8J4!2ND*20a}hWNK>-QzWs z1tnQb_J(c2oc{zJ|4!mxNBlFQqO}LZ*NS9|$r@+t!};rSyV~o^CS}}y!#lqYG3MWo zp446ZyV~#Pd&5w2a Date: Mon, 22 May 2017 14:32:59 -0500 Subject: [PATCH 155/631] Fix a race condition in some failing tests The tests that were using the broccoli-v6addrs test program would sometimes fail because broccoli-v6addrs would try to connect to Bro and fail 
(presumably because Bro hadn't yet fully initialized). Fixed by using the new broccoli-v6addrs "-r" option which will retry upon failure to connect to Bro. --- testing/btest/istate/broccoli-ipv6-socket.bro | 3 +-- testing/btest/istate/broccoli-ipv6.bro | 3 +-- testing/btest/istate/broccoli-ssl.bro | 3 +-- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/testing/btest/istate/broccoli-ipv6-socket.bro b/testing/btest/istate/broccoli-ipv6-socket.bro index 7365999bb0..0c8f1392cb 100644 --- a/testing/btest/istate/broccoli-ipv6-socket.bro +++ b/testing/btest/istate/broccoli-ipv6-socket.bro @@ -4,8 +4,7 @@ # @TEST-REQUIRES: ifconfig | grep -q -E "inet6 ::1|inet6 addr: ::1" # # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ipv6=T" -# @TEST-EXEC: sleep 3 -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -6 ::1 +# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -r -6 ::1 # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: btest-diff broccoli/.stdout diff --git a/testing/btest/istate/broccoli-ipv6.bro b/testing/btest/istate/broccoli-ipv6.bro index b4fdfb5fcf..8d56ef196f 100644 --- a/testing/btest/istate/broccoli-ipv6.bro +++ b/testing/btest/istate/broccoli-ipv6.bro @@ -3,8 +3,7 @@ # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib # # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs +# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -r # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: btest-diff broccoli/.stdout diff --git a/testing/btest/istate/broccoli-ssl.bro b/testing/btest/istate/broccoli-ssl.bro index 13b17a0b7b..ba510bf595 100644 
--- a/testing/btest/istate/broccoli-ssl.bro +++ b/testing/btest/istate/broccoli-ssl.bro @@ -4,8 +4,7 @@ # # @TEST-EXEC: chmod 600 broccoli.conf # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ssl=T" "ssl_ca_certificate=../ca_cert.pem" "ssl_private_key=../bro.pem" -# @TEST-EXEC: sleep 5 -# @TEST-EXEC: btest-bg-run broccoli BROCCOLI_CONFIG_FILE=../broccoli.conf $BUILD/aux/broccoli/test/broccoli-v6addrs +# @TEST-EXEC: btest-bg-run broccoli BROCCOLI_CONFIG_FILE=../broccoli.conf $BUILD/aux/broccoli/test/broccoli-v6addrs -r # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: btest-diff broccoli/.stdout From 34551dda155114c2ac989a3b301f55e9e328fb10 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 24 May 2017 13:10:26 -0500 Subject: [PATCH 156/631] The broccoli-v6addrs "-r" option was renamed to "-R" --- testing/btest/istate/broccoli-ipv6-socket.bro | 2 +- testing/btest/istate/broccoli-ipv6.bro | 2 +- testing/btest/istate/broccoli-ssl.bro | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/testing/btest/istate/broccoli-ipv6-socket.bro b/testing/btest/istate/broccoli-ipv6-socket.bro index 0c8f1392cb..27df984471 100644 --- a/testing/btest/istate/broccoli-ipv6-socket.bro +++ b/testing/btest/istate/broccoli-ipv6-socket.bro @@ -4,7 +4,7 @@ # @TEST-REQUIRES: ifconfig | grep -q -E "inet6 ::1|inet6 addr: ::1" # # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ipv6=T" -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -r -6 ::1 +# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -R -6 ::1 # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: btest-diff broccoli/.stdout diff --git a/testing/btest/istate/broccoli-ipv6.bro b/testing/btest/istate/broccoli-ipv6.bro index 8d56ef196f..0e360df713 100644 --- a/testing/btest/istate/broccoli-ipv6.bro 
+++ b/testing/btest/istate/broccoli-ipv6.bro @@ -3,7 +3,7 @@ # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib # # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -r +# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -R # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: btest-diff broccoli/.stdout diff --git a/testing/btest/istate/broccoli-ssl.bro b/testing/btest/istate/broccoli-ssl.bro index ba510bf595..fce5ed8535 100644 --- a/testing/btest/istate/broccoli-ssl.bro +++ b/testing/btest/istate/broccoli-ssl.bro @@ -4,7 +4,7 @@ # # @TEST-EXEC: chmod 600 broccoli.conf # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ssl=T" "ssl_ca_certificate=../ca_cert.pem" "ssl_private_key=../bro.pem" -# @TEST-EXEC: btest-bg-run broccoli BROCCOLI_CONFIG_FILE=../broccoli.conf $BUILD/aux/broccoli/test/broccoli-v6addrs -r +# @TEST-EXEC: btest-bg-run broccoli BROCCOLI_CONFIG_FILE=../broccoli.conf $BUILD/aux/broccoli/test/broccoli-v6addrs -R # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: btest-diff broccoli/.stdout From 961c247777261def79b3917d02ebb381f1712fb3 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 24 May 2017 13:13:20 -0500 Subject: [PATCH 157/631] Fix a race condition in some failing tests Use the new "-R" option for broccoli-vectors and broping so that they will retry connecting to Bro until the connection is established. This avoids a race condition and eliminates the need for a "sleep" after starting Bro. --- testing/btest/istate/broccoli-vector.bro | 3 +-- testing/btest/istate/broccoli.bro | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) 
diff --git a/testing/btest/istate/broccoli-vector.bro b/testing/btest/istate/broccoli-vector.bro index ce107f45d3..cf0b0c8642 100644 --- a/testing/btest/istate/broccoli-vector.bro +++ b/testing/btest/istate/broccoli-vector.bro @@ -3,8 +3,7 @@ # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib # # @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-vectors.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-vectors +# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-vectors -R # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff bro/.stdout # @TEST-EXEC: btest-diff broccoli/.stdout diff --git a/testing/btest/istate/broccoli.bro b/testing/btest/istate/broccoli.bro index 2fdd4cbda4..a6427412bf 100644 --- a/testing/btest/istate/broccoli.bro +++ b/testing/btest/istate/broccoli.bro @@ -3,8 +3,7 @@ # @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib # # @TEST-EXEC: btest-bg-run bro bro %INPUT $DIST/aux/broccoli/test/broping-record.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broping -r -c 3 127.0.0.1 +# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broping -R -r -c 3 127.0.0.1 # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: cat bro/ping.log | sed 's/one-way.*//g' >bro.log # @TEST-EXEC: cat broccoli/.stdout | sed 's/time=.*//g' >broccoli.log From bd2d559fbf52a8243219a1de9856b685a9cb893a Mon Sep 17 00:00:00 2001 
From: Daniel Thayer Date: Wed, 24 May 2017 14:29:24 -0500 Subject: [PATCH 158/631] Fix race condition causing some tests to fail Removed loading of the "frameworks/communication/listen" script for a couple of tests that don't need this functionality. This was causing failures of some broccoli-related tests in the "istate" test directory due to two instances of Bro trying to listen on the same port. --- .../Baseline/language.expire-expr-error/output | 2 +- testing/btest/language/expire-expr-error.bro | 14 ++++++-------- testing/btest/language/expire-redef.bro | 2 -- 3 files changed, 7 insertions(+), 11 deletions(-) diff --git a/testing/btest/Baseline/language.expire-expr-error/output b/testing/btest/Baseline/language.expire-expr-error/output index 544527fe23..cf43dd4c80 100644 --- a/testing/btest/Baseline/language.expire-expr-error/output +++ b/testing/btest/Baseline/language.expire-expr-error/output @@ -1,2 +1,2 @@ -error in /home/robin/bro/master/testing/btest/.tmp/language.expire-expr-error/expire-expr-error.bro, line 7: no such index (x[kaputt]) +error in /home/robin/bro/master/testing/btest/.tmp/language.expire-expr-error/expire-expr-error.bro, line 8: no such index (x[kaputt]) received termination signal diff --git a/testing/btest/language/expire-expr-error.bro b/testing/btest/language/expire-expr-error.bro index c355bd58ed..7c9a3aa318 100644 --- a/testing/btest/language/expire-expr-error.bro +++ b/testing/btest/language/expire-expr-error.bro @@ -1,13 +1,12 @@ -# @TEST-EXEC: btest-bg-run broproc bro %INPUT -# @TEST-EXEC: btest-bg-wait -k 5 -# @TEST-EXEC: cat broproc/.stderr > output +# @TEST-EXEC: bro -b %INPUT +# @TEST-EXEC: cp .stderr output # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output +redef exit_only_after_terminate = T; + global x: table[string] of interval; global data: table[int] of string &create_expire=x["kaputt"]; -@load frameworks/communication/listen - global runs = 0; event do_it() { 
@@ -16,6 +15,8 @@ event do_it() ++runs; if ( runs < 4 ) schedule 1sec { do_it() }; + else + terminate(); } @@ -24,6 +25,3 @@ event bro_init() &priority=-10 data[0] = "some data"; schedule 1sec { do_it() }; } - - - diff --git a/testing/btest/language/expire-redef.bro b/testing/btest/language/expire-redef.bro index f08ac8d3f2..6bf43ae98a 100644 --- a/testing/btest/language/expire-redef.bro +++ b/testing/btest/language/expire-redef.bro @@ -3,8 +3,6 @@ redef exit_only_after_terminate = T; -@load frameworks/communication/listen - const exp_val = -1sec &redef; global expired: function(tbl: table[int] of string, idx: int): interval; From 361a5dc2d8eb27e1f6b88f7fe4fbbae5c4a2e62a Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 24 May 2017 21:25:01 -0500 Subject: [PATCH 159/631] Serialize tests that load listen.bro Tests that load "frameworks/communication/listen" must be serialized to prevent other tests failing due to multiple Bro instances trying to listen on the same port. --- testing/btest/doc/broxygen/identifier.bro | 1 + testing/btest/doc/broxygen/package.bro | 1 + testing/btest/doc/broxygen/package_index.bro | 1 + testing/btest/doc/broxygen/script_index.bro | 1 + testing/btest/doc/broxygen/script_summary.bro | 1 + 5 files changed, 5 insertions(+) diff --git a/testing/btest/doc/broxygen/identifier.bro b/testing/btest/doc/broxygen/identifier.bro index 3768b0c0c6..db5c2528ee 100644 --- a/testing/btest/doc/broxygen/identifier.bro +++ b/testing/btest/doc/broxygen/identifier.bro @@ -1,3 +1,4 @@ +# @TEST-SERIALIZE: comm # @TEST-EXEC: bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst diff --git a/testing/btest/doc/broxygen/package.bro b/testing/btest/doc/broxygen/package.bro index 6857d5e646..fd75a1ce21 100644 --- a/testing/btest/doc/broxygen/package.bro +++ b/testing/btest/doc/broxygen/package.bro @@ -1,3 +1,4 @@ +# @TEST-SERIALIZE: comm # @TEST-EXEC: bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst 
diff --git a/testing/btest/doc/broxygen/package_index.bro b/testing/btest/doc/broxygen/package_index.bro index e29479d49f..ef6cc4ab29 100644 --- a/testing/btest/doc/broxygen/package_index.bro +++ b/testing/btest/doc/broxygen/package_index.bro @@ -1,3 +1,4 @@ +# @TEST-SERIALIZE: comm # @TEST-EXEC: bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst diff --git a/testing/btest/doc/broxygen/script_index.bro b/testing/btest/doc/broxygen/script_index.bro index 91bb4b756f..86e1909863 100644 --- a/testing/btest/doc/broxygen/script_index.bro +++ b/testing/btest/doc/broxygen/script_index.bro @@ -1,3 +1,4 @@ +# @TEST-SERIALIZE: comm # @TEST-EXEC: bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst diff --git a/testing/btest/doc/broxygen/script_summary.bro b/testing/btest/doc/broxygen/script_summary.bro index 9d3cda012b..a7aafc65a0 100644 --- a/testing/btest/doc/broxygen/script_summary.bro +++ b/testing/btest/doc/broxygen/script_summary.bro @@ -1,3 +1,4 @@ +# @TEST-SERIALIZE: comm # @TEST-EXEC: bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst From e9102f3de4d261eba3a7d9a54b4f673c73989beb Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 24 May 2017 21:28:56 -0500 Subject: [PATCH 160/631] Remove loading of listen.bro in tests that do not need it Removed the loading of "frameworks/communication/listen" from some tests that don't need that functionality. This is to avoid serializing these tests. --- testing/btest/scripts/base/frameworks/intel/expire-item.bro | 5 ++++- testing/btest/scripts/base/frameworks/intel/match-subnet.bro | 2 +- .../scripts/base/frameworks/intel/remove-non-existing.bro | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/testing/btest/scripts/base/frameworks/intel/expire-item.bro b/testing/btest/scripts/base/frameworks/intel/expire-item.bro index dd915b3a03..690a461ea4 100644 --- a/testing/btest/scripts/base/frameworks/intel/expire-item.bro 
+++ b/testing/btest/scripts/base/frameworks/intel/expire-item.bro @@ -9,9 +9,10 @@ 1.2.3.4 Intel::ADDR source1 this host is bad http://some-data-distributor.com/1 # @TEST-END-FILE -@load frameworks/communication/listen @load frameworks/intel/do_expire +redef exit_only_after_terminate = T; + redef Intel::read_files += { "../intel.dat" }; redef enum Intel::Where += { SOMEWHERE }; redef Intel::item_expiration = 9sec; @@ -44,6 +45,8 @@ event do_it() if ( runs < 6 ) schedule 3sec { do_it() }; + else + terminate(); } event Intel::match(s: Intel::Seen, items: set[Intel::Item]) diff --git a/testing/btest/scripts/base/frameworks/intel/match-subnet.bro b/testing/btest/scripts/base/frameworks/intel/match-subnet.bro index 1e25868de1..8e3fe74116 100644 --- a/testing/btest/scripts/base/frameworks/intel/match-subnet.bro +++ b/testing/btest/scripts/base/frameworks/intel/match-subnet.bro @@ -14,7 +14,7 @@ 192.168.128.0/18 Intel::SUBNET source1 this subnetwork might be baaad http://some-data-distributor.com/5 # @TEST-END-FILE -@load frameworks/communication/listen +redef exit_only_after_terminate = T; redef Intel::read_files += { "../intel.dat" }; redef enum Intel::Where += { SOMEWHERE }; diff --git a/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro index 379d132834..1885f5bcf8 100644 --- a/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro +++ b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro @@ -9,7 +9,7 @@ 192.168.1.1 Intel::ADDR source1 this host is just plain baaad http://some-data-distributor.com/1 # @TEST-END-FILE -@load frameworks/communication/listen +redef exit_only_after_terminate = T; redef Intel::read_files += { "../intel.dat" }; redef enum Intel::Where += { SOMEWHERE }; From 23d93a321332f0ad6960028b6fb4e79f2b7a2e3d Mon Sep 17 00:00:00 2001 
From: Jon Siwek
Date: Thu, 25 May 2017 18:39:31 -0500
Subject: [PATCH 161/631] Updating submodule(s). [nomail]
---
 aux/binpac | 2 +-
 aux/bro-aux | 2 +-
 aux/broccoli | 2 +-
 aux/broctl | 2 +-
 aux/broker | 2 +-
 aux/btest | 2 +-
 aux/plugins | 2 +-
 cmake | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/aux/binpac b/aux/binpac
index 0f1ecfa972..dddc652ca5 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit 0f1ecfa97236635fb93e013404e6b30d6c506ddd
+Subproject commit dddc652ca58494d45325db230af3bd1ad985d75a
diff --git a/aux/bro-aux b/aux/bro-aux
index 51bf79d3fc..96c685beab 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 51bf79d3fc78b5e86c554afe7c24c44b025aa67f
+Subproject commit 96c685beab556ff22976edc7457fe83b099a5c95
diff --git a/aux/broccoli b/aux/broccoli
index ed52e3414b..ab3bea3859 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit ed52e3414b31b05ec9abed627b4153c8e2243441
+Subproject commit ab3bea38593341607e129f85685908ba41ab1d58
diff --git a/aux/broctl b/aux/broctl
index aadc6d37aa..40185aa916 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit aadc6d37aa12b9ab50e9b63c5f1dcf4fa1e2a180
+Subproject commit 40185aa91647b3b9ac4a554e393ade3c78fe31b5
diff --git a/aux/broker b/aux/broker
index 23def70c44..ff067419c4 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit 23def70c44128d19138029615dd154359286e111
+Subproject commit ff067419c4f973d3d044bfea3450bd517d801c9f
diff --git a/aux/btest b/aux/btest
index 54b92381c1..32d6614502 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 54b92381c1c133376c2c85eeb53b32b068f51067
+Subproject commit 32d66145027c8da54a38ebdcc33d32881a2d041d
diff --git a/aux/plugins b/aux/plugins
index 5724f8edcc..f22a6636c8 160000
--- a/aux/plugins
+++ b/aux/plugins
@@ -1 +1 @@
-Subproject commit 5724f8edcc2b323062715dac8eec4affe1f96696
+Subproject commit f22a6636c8b40bec7de3695821ad8ca7489e9223
diff --git a/cmake b/cmake
index d29fbf6152..fbb347b3ac 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit d29fbf6152e54fbb536910af02a80874b1917311
+Subproject commit fbb347b3ac09a78c227bb00e3971bf9888f2be55
From 368a50ed6de25bd973d51ab622463bac1f2b9c92 Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Fri, 26 May 2017 08:29:12 -0500
Subject: [PATCH 162/631] Updating submodule(s). [nomail]
---
 aux/binpac | 2 +-
 aux/bro-aux | 2 +-
 aux/broccoli | 2 +-
 aux/broctl | 2 +-
 aux/broker | 2 +-
 cmake | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/aux/binpac b/aux/binpac
index dddc652ca5..b44734a02f 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit dddc652ca58494d45325db230af3bd1ad985d75a
+Subproject commit b44734a02f8ab050d43bac3148f35079608081f1
diff --git a/aux/bro-aux b/aux/bro-aux
index 96c685beab..eef5ddea2f 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 96c685beab556ff22976edc7457fe83b099a5c95
+Subproject commit eef5ddea2f8e928418d0e65ff0b3c3b0d039d7a7
diff --git a/aux/broccoli b/aux/broccoli
index ab3bea3859..6a8464ff42 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit ab3bea38593341607e129f85685908ba41ab1d58
+Subproject commit 6a8464ff42fbfb5e060102d74f1467cadd645061
diff --git a/aux/broctl b/aux/broctl
index 40185aa916..a37ddbcf0b 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 40185aa91647b3b9ac4a554e393ade3c78fe31b5
+Subproject commit a37ddbcf0b5f73a9289d421514a48b7fc8862d2f
diff --git a/aux/broker b/aux/broker
index ff067419c4..4a851db8a3 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit ff067419c4f973d3d044bfea3450bd517d801c9f
+Subproject commit 4a851db8a3c51f74827dd7488305dccf6dcd34a7
diff --git a/cmake b/cmake
index fbb347b3ac..79f2b2e944 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit fbb347b3ac09a78c227bb00e3971bf9888f2be55
+Subproject commit 79f2b2e944da77774675be4d5254156451967371
From 1ad5b12ef8fd13846574054e9fc212578131c3af Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 5 Jun 2017 14:41:03 -0700 Subject: [PATCH 163/631] Fix at_least in Version.bro. at_least did extactly the opposite from what it said. --- scripts/base/misc/version.bro | 2 +- testing/btest/scripts/base/misc/version.bro | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/base/misc/version.bro b/scripts/base/misc/version.bro index 259b7b1127..1dce1310df 100644 --- a/scripts/base/misc/version.bro +++ b/scripts/base/misc/version.bro @@ -86,5 +86,5 @@ export { function at_least(version_string: string): bool { - return Version::parse(version_string)$version_number >= Version::number; + return Version::number >= Version::parse(version_string)$version_number; } diff --git a/testing/btest/scripts/base/misc/version.bro b/testing/btest/scripts/base/misc/version.bro index cd19f0ee30..238003f10d 100644 --- a/testing/btest/scripts/base/misc/version.bro +++ b/testing/btest/scripts/base/misc/version.bro @@ -36,6 +36,6 @@ print "yup"; print "yup"; @endif -@if ( Version::at_least("2.4") ) +@if ( Version::at_least("2.9") ) print "no"; @endif From f5d9f1847f514e23da19b216775f4089f9a2bf07 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 5 Jun 2017 14:41:38 -0700 Subject: [PATCH 164/631] Remove non-existing links; this broke documentation build. --- doc/components/bro-plugins/af_packet/README.rst | 1 - doc/components/bro-plugins/postgresql/README.rst | 1 - doc/components/bro-plugins/tcprs/README.rst | 1 - 3 files changed, 3 deletions(-) delete mode 120000 doc/components/bro-plugins/af_packet/README.rst delete mode 120000 doc/components/bro-plugins/postgresql/README.rst delete mode 120000 doc/components/bro-plugins/tcprs/README.rst diff --git a/doc/components/bro-plugins/af_packet/README.rst b/doc/components/bro-plugins/af_packet/README.rst deleted file mode 120000 index b8f745bed2..0000000000 
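Review bot: With the operands swapped in `at_least`, the result for a string that `Version::parse` cannot parse now depends on what `parse` hands back, and that function is outside this hunk. If it reports the error and returns a zero `version_number`, a malformed argument would make `Version::number >= ...` true, so every `@if ( Version::at_least(...) )` guard would pass on bad input where the old code returned F. I would check the parse result before comparing and return `F` on failure, and state it in the function's doc comment, e.g. `## Returns F if version_string cannot be parsed.`. The updated test only exercises a too-new version (`"2.9"`); a case with an unparsable string would pin this behaviour.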
--- a/doc/components/bro-plugins/af_packet/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/af_packet/README \ No newline at end of file diff --git a/doc/components/bro-plugins/postgresql/README.rst b/doc/components/bro-plugins/postgresql/README.rst deleted file mode 120000 index b8c815c45b..0000000000 --- a/doc/components/bro-plugins/postgresql/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/postgresql/README \ No newline at end of file diff --git a/doc/components/bro-plugins/tcprs/README.rst b/doc/components/bro-plugins/tcprs/README.rst deleted file mode 120000 index c0e84fd579..0000000000 --- a/doc/components/bro-plugins/tcprs/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/tcprs/README \ No newline at end of file From 046f3686222fc24f691554977379ca4eb3860622 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 5 Jun 2017 15:16:49 -0700 Subject: [PATCH 165/631] Update version and submodules. --- CHANGES | 7 +++++++ VERSION | 2 +- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- aux/btest | 2 +- aux/plugins | 2 +- 9 files changed, 15 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index da80c4ca99..188e22466b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,11 @@ +2.5-152 | 2017-06-05 15:16:49 -0700 + + * Remove non-existing links; this broke documentation build. (Johanna Amann) + + * Fix at_least in Version.bro - it did exactly the oposite of the documented + behavior. (Johanna Amann) + 2.5-147 | 2017-05-22 20:32:32 -0500 * Add nfs unittest. (Julien Wallior) diff --git a/VERSION b/VERSION index 1babd71178..3916e2d327 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-147 +2.5-152 diff --git a/aux/binpac b/aux/binpac index b44734a02f..27356ae52f 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit b44734a02f8ab050d43bac3148f35079608081f1 +Subproject commit 27356ae52ff9ff639b53a7325ea3262e1a13b704 
diff --git a/aux/bro-aux b/aux/bro-aux index eef5ddea2f..8c2366edfc 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit eef5ddea2f8e928418d0e65ff0b3c3b0d039d7a7 +Subproject commit 8c2366edfca18b6a6f4ec3c7be372ef1167f58bb diff --git a/aux/broccoli b/aux/broccoli index 6a8464ff42..1f22ba3716 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 6a8464ff42fbfb5e060102d74f1467cadd645061 +Subproject commit 1f22ba3716b2778ddaba3f73437a6126875d3278 diff --git a/aux/broctl b/aux/broctl index a37ddbcf0b..84ac6aff36 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit a37ddbcf0b5f73a9289d421514a48b7fc8862d2f +Subproject commit 84ac6aff368ed166a0c6f7f11b2749f4356bfd78 diff --git a/aux/broker b/aux/broker index 4a851db8a3..862c982f35 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 4a851db8a3c51f74827dd7488305dccf6dcd34a7 +Subproject commit 862c982f35e342fb10fa281120135cf61eca66bb diff --git a/aux/btest b/aux/btest index 32d6614502..e638fc65aa 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 32d66145027c8da54a38ebdcc33d32881a2d041d +Subproject commit e638fc65aa12bd136594451b8c185a7a01ef3e9a diff --git a/aux/plugins b/aux/plugins index f22a6636c8..ee7429eb04 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit f22a6636c8b40bec7de3695821ad8ca7489e9223 +Subproject commit ee7429eb042806cb814dc910a0e59b641012e1fe From a69f5adc6480b572d185a0840d1a94d327cf0a74 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 6 Jun 2017 13:17:23 -0700 Subject: [PATCH 166/631] Update submodules [nomail] --- aux/bro-aux | 2 +- aux/broctl | 2 +- aux/plugins | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/aux/bro-aux b/aux/bro-aux index 8c2366edfc..43f4b90bba 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 8c2366edfca18b6a6f4ec3c7be372ef1167f58bb +Subproject commit 43f4b90bbaf87dae1a1073e7bf13301e58866011 
diff --git a/aux/broctl b/aux/broctl index 84ac6aff36..520fbc6060 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 84ac6aff368ed166a0c6f7f11b2749f4356bfd78 +Subproject commit 520fbc60602d08298ba5c14046c342e44592c44c diff --git a/aux/plugins b/aux/plugins index ee7429eb04..d96471bcec 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit ee7429eb042806cb814dc910a0e59b641012e1fe +Subproject commit d96471bcec84b45d3578ec2bacaa9b3e824838e7 From 7e651c252c6d8c1db92851d707118c4490be6d27 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 13 Jun 2017 10:59:38 -0700 Subject: [PATCH 167/631] Update submodule [nomail] --- aux/plugins | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/plugins b/aux/plugins index d96471bcec..00d039442b 160000 --- a/aux/plugins +++ b/aux/plugins @@ -1 +1 @@ -Subproject commit d96471bcec84b45d3578ec2bacaa9b3e824838e7 +Subproject commit 00d039442b97ba545e6020200d96a3cba9d9181b From 303c50e86762ccc261c8ab4d26429f22f7532d7c Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 13 Jun 2017 11:01:24 -0700 Subject: [PATCH 168/631] Remove link to no longer existing myricom plugin. --- doc/components/bro-plugins/myricom/README.rst | 1 - 1 file changed, 1 deletion(-) delete mode 120000 doc/components/bro-plugins/myricom/README.rst diff --git a/doc/components/bro-plugins/myricom/README.rst b/doc/components/bro-plugins/myricom/README.rst deleted file mode 120000 index 3bfabcdae3..0000000000 --- a/doc/components/bro-plugins/myricom/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/myricom/README \ No newline at end of file From 251ed3a4d9c0e1e76c9f8c01a427d6f7b96225d0 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 13 Jun 2017 11:01:56 -0700 Subject: [PATCH 169/631] Add 2.5.1 news file to master. --- CHANGES | 8 +++++++- NEWS | 45 +++++++++++++++++++++++++++++++++++++++++---- VERSION | 2 +- 3 files changed, 49 insertions(+), 6 deletions(-) 
diff --git a/CHANGES b/CHANGES index 188e22466b..5fffea3198 100644 --- a/CHANGES +++ b/CHANGES @@ -1,10 +1,16 @@ +2.5-156 | 2017-06-13 11:01:56 -0700 + + * Add 2.5.1 news file to master. (Johanna Amann) + + * Remove link to no longer existing myricom plugin. (Johanna Amann) + 2.5-152 | 2017-06-05 15:16:49 -0700 * Remove non-existing links; this broke documentation build. (Johanna Amann) * Fix at_least in Version.bro - it did exactly the oposite of the documented - behavior. (Johanna Amann) + behavior. (Johanna Amann) 2.5-147 | 2017-05-22 20:32:32 -0500 diff --git a/NEWS b/NEWS index 7fbc7cfd4f..8333ccf7f8 100644 --- a/NEWS +++ b/NEWS @@ -4,8 +4,35 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file (note that submodules, such as BroControl and Broccoli, come with their own ``CHANGES``.) -Bro 2.6 -======= +Bro 2.5.1 +========= + +New Functionality +----------------- + +- Bro now includes bifs for rename, unlink, and rmdir. + +- Bro now includes events for two extensions used by TLS 1.3: + ssl_extension_supported_versions and ssl_extension_psk_key_exchange_modes + +- Bro now includes hooks that can be used to interact with log processing + on the C++ level. + +- Bro now supports ERSPAN. Currently this ignores the ethernet header that is + carried over the tunnel; if a MAC is logged currently only the outer MAC + is returned. + +- Added a new BroControl option CrashExpireInterval to enable + "broctl cron" to remove crash directories that are older than the + specified number of days (the default value is 0, which means crash + directories never expire). + +- Added a new BroControl option MailReceivingPackets to control + whether or not "broctl cron" will mail a warning when it notices + that no packets were seen on an interface. + +- There is a new broctl command-line option "--version" which outputs + the BroControl version. Changed Functionality --------------------- 
@@ -13,10 +40,20 @@ Changed Functionality - The input framework's Ascii reader is now more resilient. If an input is marked to reread a file when it changes and the file didn't exist during a check Bro would stop watching the file in previous versions. - The same could happen with bad data in a line of a file. These - situations do not cause Bro to stop watching input files anymore. The + The same could happen with bad data in a line of a file. These + situations do not cause Bro to stop watching input files anymore. The old behavior is available through settings in the Ascii reader. +- The RADIUS scripts have been reworked. Requests are now logged even if + there is no response. The new framed_addr field in the log indicates + if the radius server is hinting at an address for the client. The ttl + field indicates how quickly the server is replying to the network access + server. + +- With the introduction of the Bro package manager, the Bro plugin repository + is considered deprecated. The af_packet, postgresql, and tcprs plugins have + already been removed and are available via bro-pkg. + Bro 2.5 ======= diff --git a/VERSION b/VERSION index 3916e2d327..6d510ac694 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-152 +2.5-156 From 81af7887312b788e5be0b369b9122b275ca79322 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 14 Jun 2017 07:27:22 -0700 Subject: [PATCH 170/631] Updating submodule(s). [nomail] --- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/aux/bro-aux b/aux/bro-aux index 43f4b90bba..2c197c72c5 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 43f4b90bbaf87dae1a1073e7bf13301e58866011 +Subproject commit 2c197c72c53aca61a2d9c501795c185c2be6b4dd diff --git a/aux/broccoli b/aux/broccoli index 1f22ba3716..c3c44cbcaa 160000 --- a/aux/broccoli +++ b/aux/broccoli 
@@ -1 +1 @@
-Subproject commit 1f22ba3716b2778ddaba3f73437a6126875d3278
+Subproject commit c3c44cbcaaab4c1b544672940d8403f30730af37
diff --git a/aux/broctl b/aux/broctl
index 520fbc6060..d3e6cdfba4 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 520fbc60602d08298ba5c14046c342e44592c44c
+Subproject commit d3e6cdfba496879bd55542c668ea959f524bd723
From ff4caaf50a0760e48269a53d1e70eb80aefd7ca4 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Wed, 14 Jun 2017 07:32:34 -0700
Subject: [PATCH 171/631] Updating submodule(s). [nomail]
---
 aux/bro-aux | 2 +-
 aux/broccoli | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/aux/bro-aux b/aux/bro-aux
index 2c197c72c5..43f4b90bba 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 2c197c72c53aca61a2d9c501795c185c2be6b4dd
+Subproject commit 43f4b90bbaf87dae1a1073e7bf13301e58866011
diff --git a/aux/broccoli b/aux/broccoli
index c3c44cbcaa..25907f6b0a 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit c3c44cbcaaab4c1b544672940d8403f30730af37
+Subproject commit 25907f6b0a5347304d1ec8213bfad3d114260ca0
From b527a9870da02e053e08803083f271b6f5eb28c1 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 27 Jun 2017 14:54:48 -0700
Subject: [PATCH 172/631] Update submodule [nomail]
---
 aux/broctl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aux/broctl b/aux/broctl
index d3e6cdfba4..6682931a58 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit d3e6cdfba496879bd55542c668ea959f524bd723
+Subproject commit 6682931a58a652d52bb166caaf59bf875d43403e
From a51047ec6d8c6ae55612557b96b0f7b252576f3c Mon Sep 17 00:00:00 2001
From: balintm Date: Tue, 4 Jul 2017 10:42:18 +0100 Subject: [PATCH 173/631] padding comes before flags I am not able to find it in RFC, but all of the pcaps I came across (https://wiki.wireshark.org/SampleCaptures) contain padding in-front of flags. --- src/analyzer/protocol/krb/krb-protocol.pac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/krb/krb-protocol.pac b/src/analyzer/protocol/krb/krb-protocol.pac index a237f6b0fa..0b336b3024 100644 --- a/src/analyzer/protocol/krb/krb-protocol.pac +++ b/src/analyzer/protocol/krb/krb-protocol.pac @@ -136,8 +136,8 @@ type KRB_AP_REQ(is_orig: bool) = record { type KRB_AP_Options = record { meta : SequenceElement(false); + : padding[meta.meta.length - 4]; flags : uint32; - : padding[1]; } &let { reserved : bool = (flags & 0x80000000) > 0; use_session_key : bool = (flags & 0x40000000) > 0; From cc90b24b1d35bd9aa0735e27b93a0f1143c77bfc Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 6 Jul 2017 11:13:24 -0700 Subject: [PATCH 174/631] Add new cipher suites from draft-ietf-tls-ecdhe-psk-aead-05 --- scripts/base/protocols/ssl/consts.bro | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro index 9d9460906a..b95d299dca 100644 --- a/scripts/base/protocols/ssl/consts.bro +++ b/scripts/base/protocols/ssl/consts.bro @@ -600,6 +600,11 @@ export { const TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAC; const TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAD; const TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAE; + # draft-ietf-tls-ecdhe-psk-aead-05 + const TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 = 0xD001; + const TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 = 0xD002; + const TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 = 0xD003; + const TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 = 0xD004; const SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE; const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF; 
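Review bot: The new `padding[meta.meta.length - 4]` in `KRB_AP_Options` sizes the skip from a length field read off the wire and subtracts 4 without first checking that the length is at least 4. A message whose options element is shorter than that gives a negative or wrapped padding size; how binpac handles that value is not visible in this hunk. I would bound the length before using it, or keep the skip a constant, and say what the skipped octets are, e.g. `# ASN.1 BIT STRING: leading unused-bits octet, then 32 flag bits`. The commit message notes the layout was inferred from captures rather than a specification, which is worth recording in that comment. The `&let` block continues past the end of the hunk.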
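Review bot: The four codepoints added under `# draft-ietf-tls-ecdhe-psk-aead-05` come from an Internet-Draft, so they are provisional and should be checked against the IANA TLS Cipher Suites registry before they are used to label traffic. To my knowledge the value finally registered for `TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256` is 0xD005 rather than the `0xD004` used here; if so, that suite would presumably not resolve to a name in ssl.log and 0xD004 would be mislabelled. The name-table hunk that follows (`@@ -978,6 +983,10 @@`) keys on the same constants and inherits whatever values they take. I would extend the comment to `# draft-ietf-tls-ecdhe-psk-aead-05 (provisional; verify against the IANA registry)`. Both hunks sit inside `export {` blocks that start outside the hunk.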
@@ -978,6 +983,10 @@ export { [TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256] = "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256", [TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256] = "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256", [TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256] = "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256", + [TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256] = "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256", + [TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384] = "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384", + [TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256] = "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256", + [TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256] = "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256", [SSL_RSA_FIPS_WITH_DES_CBC_SHA] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA", [SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", [SSL_RSA_FIPS_WITH_DES_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA_2", From 83ebdb65a90695e32fd472157613704b62eeae5a Mon Sep 17 00:00:00 2001 From: balintm Date: Fri, 7 Jul 2017 11:31:58 +0100 Subject: [PATCH 175/631] Update krb-protocol.pac --- src/analyzer/protocol/krb/krb-protocol.pac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/krb/krb-protocol.pac b/src/analyzer/protocol/krb/krb-protocol.pac index 0b336b3024..8f68bebe0d 100644 --- a/src/analyzer/protocol/krb/krb-protocol.pac +++ b/src/analyzer/protocol/krb/krb-protocol.pac @@ -136,7 +136,7 @@ type KRB_AP_REQ(is_orig: bool) = record { type KRB_AP_Options = record { meta : SequenceElement(false); - : padding[meta.meta.length - 4]; + : padding[1]; flags : uint32; } &let { reserved : bool = (flags & 0x80000000) > 0; From d7e9060f96da2458abb54fb65b36a13f06e847b1 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 7 Jul 2017 14:05:14 -0500 Subject: [PATCH 176/631] Update install instructions for Debian 9 --- doc/install/install.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/install/install.rst b/doc/install/install.rst index 35a38da27b..e7ff45b4fe 100644 
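Review bot: `padding[1]` followed by `flags : uint32` in `KRB_AP_Options` assumes the options element is always exactly five octets, and nothing in the record compares that with `meta.meta.length`. If a peer sends a longer or shorter element, `flags` and the fields parsed after this record would be read from the wrong offset, so the analyzer could log option bits that were never on the wire. I would check the encoded length and stop parsing the message on a mismatch, and document the skipped octet on its line: `# unused-bits octet of the ASN.1 BIT STRING`. The `&let` block continues outside the hunk.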
--- a/doc/install/install.rst +++ b/doc/install/install.rst @@ -60,6 +60,9 @@ To install the required dependencies, you can use: sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev + In order to build Bro on Debian 9, install ``libssl1.0-dev`` instead + of ``libssl-dev``. + * FreeBSD: Most required dependencies should come with a minimal FreeBSD install From c76fc7107751d4e477a852ca5cdd15f4086fc691 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 7 Jul 2017 12:41:27 -0700 Subject: [PATCH 177/631] Updating submodule. --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 6682931a58..5e0abd85c3 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 6682931a58a652d52bb166caaf59bf875d43403e +Subproject commit 5e0abd85c33ae412d818ebae7d0a2db1033ba7e4 From 94192989e78400b2f6912f7235090ec62bc42785 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 7 Jul 2017 13:48:15 -0700 Subject: [PATCH 178/631] Removing aux/plugins. Most of the plugins are now Bro packages. --- CHANGES | 7 +++++++ NEWS | 13 +++++++++++++ VERSION | 2 +- aux/plugins | 1 - 4 files changed, 21 insertions(+), 2 deletions(-) delete mode 160000 aux/plugins diff --git a/CHANGES b/CHANGES index 0b28edd582..786faa0070 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,11 @@ +2.5-174 | 2017-07-07 12:56:23 -0700 + + * Removing aux/plugins. Most of the plugins are now Bro packages. + (Robin Sommer) + + * Update install instructions for Debian 9. (Daniel Thayer) + 2.5-170 | 2017-07-07 12:20:19 -0700 * Update krb-protocol.pac (balintm) diff --git a/NEWS b/NEWS index 8333ccf7f8..a884f4fe5a 100644 --- a/NEWS +++ b/NEWS 
@@ -4,6 +4,19 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file (note that submodules, such as BroControl and Broccoli, come with their own ``CHANGES``.) + +Bro 2.6 (in progress) +===================== + +Removed Functionality +--------------------- + +- We no longer maintain any Bro plugins as part of the Bro + distribution. Most of the plugins that used be in aux/plugins have + been moved over to use the Bro Package Manager instead. See + https://github.com/bro/packages for a list of Bro packages currently + available. + Bro 2.5.1 ========= diff --git a/VERSION b/VERSION index f12955e154..1c98aeab0b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-170 +2.5-174 diff --git a/aux/plugins b/aux/plugins deleted file mode 160000 index 00d039442b..0000000000 --- a/aux/plugins +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 00d039442b97ba545e6020200d96a3cba9d9181b From ffa7480ce4ad9621ef6eaec7e3e02f5a44e05485 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 7 Jul 2017 14:34:41 -0700 Subject: [PATCH 179/631] Fix documentation build. (I had these locally, but not yet commited.) --- CHANGES | 2 +- VERSION | 2 +- doc/components/bro-plugins/README.rst | 1 - doc/components/bro-plugins/elasticsearch/README.rst | 1 - doc/components/bro-plugins/kafka/README.rst | 1 - doc/components/bro-plugins/netmap/README.rst | 1 - doc/components/bro-plugins/pf_ring/README.rst | 1 - doc/components/bro-plugins/redis/README.rst | 1 - doc/frameworks/logging.rst | 9 ++------- 9 files changed, 4 insertions(+), 15 deletions(-) delete mode 120000 doc/components/bro-plugins/README.rst delete mode 120000 doc/components/bro-plugins/elasticsearch/README.rst delete mode 120000 doc/components/bro-plugins/kafka/README.rst delete mode 120000 doc/components/bro-plugins/netmap/README.rst delete mode 120000 doc/components/bro-plugins/pf_ring/README.rst delete mode 120000 doc/components/bro-plugins/redis/README.rst diff --git a/CHANGES b/CHANGES index 786faa0070..a83787e209 100644 
--- a/CHANGES +++ b/CHANGES @@ -1,5 +1,5 @@ -2.5-174 | 2017-07-07 12:56:23 -0700 +2.5-175 | 2017-07-07 14:35:11 -0700 * Removing aux/plugins. Most of the plugins are now Bro packages. (Robin Sommer) diff --git a/VERSION b/VERSION index 1c98aeab0b..457b1c34f4 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-174 +2.5-175 diff --git a/doc/components/bro-plugins/README.rst b/doc/components/bro-plugins/README.rst deleted file mode 120000 index 8f96f50909..0000000000 --- a/doc/components/bro-plugins/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../aux/plugins/README \ No newline at end of file diff --git a/doc/components/bro-plugins/elasticsearch/README.rst b/doc/components/bro-plugins/elasticsearch/README.rst deleted file mode 120000 index 8a5b78d689..0000000000 --- a/doc/components/bro-plugins/elasticsearch/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/elasticsearch/README \ No newline at end of file diff --git a/doc/components/bro-plugins/kafka/README.rst b/doc/components/bro-plugins/kafka/README.rst deleted file mode 120000 index 6ca2195f17..0000000000 --- a/doc/components/bro-plugins/kafka/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/kafka/README \ No newline at end of file diff --git a/doc/components/bro-plugins/netmap/README.rst b/doc/components/bro-plugins/netmap/README.rst deleted file mode 120000 index 819a2bb0e9..0000000000 --- a/doc/components/bro-plugins/netmap/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/netmap/README \ No newline at end of file diff --git a/doc/components/bro-plugins/pf_ring/README.rst b/doc/components/bro-plugins/pf_ring/README.rst deleted file mode 120000 index 5ea666e8c9..0000000000 --- a/doc/components/bro-plugins/pf_ring/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/pf_ring/README \ No newline at end of file 
diff --git a/doc/components/bro-plugins/redis/README.rst b/doc/components/bro-plugins/redis/README.rst deleted file mode 120000 index c42051828e..0000000000 --- a/doc/components/bro-plugins/redis/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/redis/README \ No newline at end of file diff --git a/doc/frameworks/logging.rst b/doc/frameworks/logging.rst index a5128da202..bcd84dde2b 100644 --- a/doc/frameworks/logging.rst +++ b/doc/frameworks/logging.rst @@ -532,10 +532,5 @@ Bro supports the following additional built-in output formats: logging-input-sqlite -Additional writers are available as external plugins: - -.. toctree:: - :maxdepth: 1 - - ../components/bro-plugins/README - +Additional writers are available as external plugins through the `Bro +Package Manager `_. From 8ae30d8aac22e6c972ba6d3c365de5c6469e41b9 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Fri, 7 Jul 2017 15:44:53 -0700 Subject: [PATCH 180/631] Extend plugin infrastructure to catch Bro version mismatches at link time. People keep running into the problem that they upgrade Bro but forget to recompile their plugins--which can lead to crashes. While the plugins' API version was supposed to catch this, it's not reliable as that check may come too late. This change takes a different tack: We compile a C function into the Bro binary that has Bro's version number encoded into its name. A plugin can then reference that function. If the Bro version changes, the function goes away and the plugin won't load anymore. I've integrated that function reference into the plugin skeleton code so that new plugins get it automatically (unless explicitly removed). I couldn't see a way to do it transparently for already existing plugins unfortunately. The version number used for the function name is slightly normalized to skip any git revision postfixes (i.e., "2.5-xxx" is always treated as "2.5-git") so that one doesn't need to recompile all plugins after every master commit. That seems good enough, usually people run into this when upgrading to a new release. If one loads an old plugin into a new Bro, the error message looks like this: $ bro -NN Demo::Foo fatal error in /home/robin/bro/master/scripts/base/init-bare.bro, line 1: cannot load plugin library /home/robin/tmp/p/build//lib/Demo-Foo.linux-x86_64.so: /home/robin/tmp/p/build//lib/Demo-Foo.linux-x86_64.so: undefined symbol: bro_version_2_5_git_debug Not the prettiest, but better than a crash! TODO: I'm still unsure if we should remove the plugin API version altogether now. This link-time check should catch everything the API version does, except for master commits. --- CMakeLists.txt | 9 +++++++++ aux/bro-aux | 2 +- bro-config.h.in | 11 +++++++++++ src/plugin/Plugin.h | 9 +++++++++ src/version.c.in | 12 ++++++++++++ 5 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt index 5a7fba482e..29643c7b84 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -40,12 +40,21 @@ file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.csh "setenv PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n") file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1) + string(REPLACE "." " " version_numbers ${VERSION}) separate_arguments(version_numbers) list(GET version_numbers 0 VERSION_MAJOR) list(GET version_numbers 1 VERSION_MINOR) set(VERSION_MAJ_MIN "${VERSION_MAJOR}.${VERSION_MINOR}") +set(VERSION_C_IDENT "${VERSION}") +string(REGEX REPLACE "-[0-9]*$" "_git" VERSION_C_IDENT "${VERSION_C_IDENT}") +string(REGEX REPLACE "[^a-zA-Z0-9_]" "_" VERSION_C_IDENT "${VERSION_C_IDENT}") + +if(${ENABLE_DEBUG}) + set(VERSION_C_IDENT "${VERSION_C_IDENT}_debug") +endif() + ######################################################################## ## Dependency Configuration diff --git a/aux/bro-aux b/aux/bro-aux index 43f4b90bba..7a38763d7a 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 43f4b90bbaf87dae1a1073e7bf13301e58866011 +Subproject commit 7a38763d7a687dc8974bf6fd212dc75ba4a4b23c diff --git a/bro-config.h.in b/bro-config.h.in index 290dd31cae..003eea88b7 100644 --- a/bro-config.h.in +++ b/bro-config.h.in @@ -229,3 +229,14 @@ #ifndef BRO_PLUGIN_INTERNAL_BUILD #define BRO_PLUGIN_INTERNAL_BUILD @BRO_PLUGIN_INTERNAL_BUILD@ #endif + +/* A C function that has the Bro version encoded into its name. */ +#define BRO_VERSION_FUNCTION bro_version_@VERSION_C_IDENT@ +#ifdef __cplusplus +extern "C" { +#endif +extern const char* BRO_VERSION_FUNCTION(); +#ifdef __cplusplus +} +#endif + diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index aabec22bc4..37f2064644 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -18,6 +18,8 @@ #define BRO_PLUGIN_API_VERSION 5 #endif +#define BRO_PLUGIN_BRO_VERSION BRO_VERSION_FUNCTION + class ODesc; class Func; class Event; 
@@ -93,6 +95,12 @@ public: // strong hint.). The attribute seems generally available. inline Configuration() __attribute__((always_inline)); + /** + * One can assign BRO_PLUGIN_BRO_VERSION to this to catch + * version mismatches at link(!) time. + */ + const char* (*bro_version)(); + private: friend class Plugin; int api_version; // Current BRO_PLUGIN_API_VERSION. Automatically set. @@ -103,6 +111,7 @@ inline Configuration::Configuration() name = ""; description = ""; api_version = BRO_PLUGIN_API_VERSION; + bro_version = 0; } /** diff --git a/src/version.c.in b/src/version.c.in index 86c4b16f24..65df65da00 100644 --- a/src/version.c.in +++ b/src/version.c.in @@ -1 +1,13 @@ + +#include "bro-config.h" + char version[] = "@VERSION@"; + +// A C function that has the current version built into its name. +// One can link a shared library against this to ensure that it won't +// load if the version of the main Bro binary differs compared to +// what the library was compiled against. +const char* BRO_VERSION_FUNCTION() +{ + return "@VERSION_C_IDENT@"; +} From a630c61f176944b7364a16bfe990f8a300334893 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 11 Jul 2017 09:56:33 -0700 Subject: [PATCH 181/631] Remove another reference to now removed bro-plugins. --- doc/components/index.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/doc/components/index.rst b/doc/components/index.rst index 85527e9f9c..c1feda4a61 100644 --- a/doc/components/index.rst +++ b/doc/components/index.rst @@ -21,7 +21,6 @@ current, independent component releases. Broker - User Manual BroControl - Interactive Bro management shell Bro-Aux - Small auxiliary tools for Bro - Bro-Plugins - A collection of plugins for Bro BTest - A unit testing framework Capstats - Command-line packet statistic tool PySubnetTree - Python module for CIDR lookups From 00d7e3a013bc677ca0b6998da5d2ccdd69285d32 Mon Sep 17 00:00:00 2001 
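Review bot: `BRO_VERSION_FUNCTION()` in version.c.in is defined with an empty parameter list, which in C declares a function without a prototype, so a call that passes arguments would not be diagnosed. Writing `const char* BRO_VERSION_FUNCTION(void)` here, and the same `(void)` in the `extern` declaration this commit adds to bro-config.h.in, gives the C and the C++ side one checked signature.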
From: Johanna Amann Date: Tue, 11 Jul 2017 09:57:31 -0700 Subject: [PATCH 182/631] Update submodule [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aux/broctl b/aux/broctl
index 5e0abd85c3..97e3f40646 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 5e0abd85c33ae412d818ebae7d0a2db1033ba7e4
+Subproject commit 97e3f40646c1a68ba35bcf6cf30237e1ba0dbe6e
From 71c9945f266096e1e375461758ade515e9336692 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 13 Jul 2017 02:22:03 -0400 Subject: [PATCH 183/631] Several fixes and improvements for software version parsing. - Addresses Philip Romero's question from the Bro mailing list. - Adds Microsoft Edge as a detected browser. - We are now unescaping encoded characters in software names. --- scripts/base/frameworks/software/main.bro | 39 +++++++++- .../output | 77 ++++++++++--------- .../frameworks/software/version-parsing.bro | 11 +++ 3 files changed, 87 insertions(+), 40 deletions(-)
diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro
index 0c1c4cd302..a3a15a2db8 100644
--- a/scripts/base/frameworks/software/main.bro
+++ b/scripts/base/frameworks/software/main.bro
@@ -84,6 +84,16 @@ export { ## is compared lexicographically. global cmp_versions: function(v1: Version, v2: Version): int; + ## Sometimes software will expose itself on the network with + ## slight naming variations. This table provides a mechanism + ## for a piece of software to be renamed to a single name + ## even if it exposes itself with an alternate name. The + ## yielded string is the name that will be logged and generally + ## used for everything. + global alternate_names: table[string] of string { + ["Flash Player"] = "Flash", + } &default=function(a: string): string { return a; }; + ## Type to represent a collection of :bro:type:`Software::Info` records. ## It's indexed with the name of a piece of software such as "Firefox" ## and it yields a :bro:type:`Software::Info` record with more @@ -125,7 +135,7 @@ function parse(unparsed_version: string): Description local v: Version; # Parse browser-alike versions separately - if ( /^(Mozilla|Opera)\/[0-9]\./ in unparsed_version ) + if ( /^(Mozilla|Opera)\/[0-9]+\./ in unparsed_version ) { return parse_mozilla(unparsed_version); } 
@@ -133,11 +143,17 @@ function parse(unparsed_version: string): Description { # The regular expression should match the complete version number # and software name. - local version_parts = split_string_n(unparsed_version, /\/?( [\(])?v?[0-9\-\._, ]{2,}/, T, 1); + local clean_unparsed_version = gsub(unparsed_version, /\\x/, "%"); + clean_unparsed_version = unescape_URI(clean_unparsed_version); + local version_parts = split_string_n(clean_unparsed_version, /([\/\-_]|( [\(v]+))?[0-9\-\._, ]{2,}/, T, 1); if ( 0 in version_parts ) { + # Remove any bits of junk at end of first part. + if ( /([\/\-_]|( [\(v]+))$/ in version_parts[0] ) + version_parts[0] = strip(sub(version_parts[0], /([\/\-_]|( [\(v]+))/, "")); + if ( /^\(/ in version_parts[0] ) - software_name = strip(sub(version_parts[0], /[\(]/, "")); + software_name = strip(sub(version_parts[0], /\(/, "")); else software_name = strip(version_parts[0]); } @@ -192,7 +208,7 @@ function parse(unparsed_version: string): Description } } - return [$version=v, $unparsed_version=unparsed_version, $name=software_name]; + return [$version=v, $unparsed_version=unparsed_version, $name=alternate_names[software_name]]; } @@ -227,6 +243,13 @@ function parse_mozilla(unparsed_version: string): Description v = parse(parts[1])$version; } } + else if ( /Edge\// in unparsed_version ) + { + software_name="Edge"; + parts = split_string_all(unparsed_version, /Edge\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; + } else if ( /Version\/.*Safari\// in unparsed_version ) { software_name = "Safari"; @@ -280,6 +303,14 @@ function parse_mozilla(unparsed_version: string): Description v = parse(parts[1])$version; } } + else if ( /Flash%20Player/ in unparsed_version ) + { + software_name = "Flash"; + parts = split_string_all(unparsed_version, /[\/ ]/); + if ( 2 in parts ) + v = parse(parts[2])$version; + } + else if ( /AdobeAIR\/[0-9\.]*/ in unparsed_version ) { software_name = "AdobeAIR"; 
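Review bot: `software_name` is now cut from `clean_unparsed_version`, the URI-decoded form of a string supplied by the remote peer, so escaped control or separator characters in the input end up as raw bytes in `$name`. The `gsub(unparsed_version, /\\x/, "%")` step also rewrites every literal `\x`, including one that is not followed by two hex digits, which presumably leaves a stray `%` for `unescape_URI` to handle. I would say so at the decode site, e.g. `# NOTE: name is decoded from peer-controlled input and may contain non-printable bytes; $unparsed_version keeps the raw string.`, and confirm that consumers keying on or logging `$name` cope with such values. The body of `parse` starts before this hunk and continues after it.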
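Review bot: The new `Flash%20Player` branch in `parse_mozilla` takes the version from `parts[2]` after `split_string_all(unparsed_version, /[\/ ]/)`, which is the token right after the first `/` in the whole string. Since `parse` only hands over strings matching `^(Mozilla|Opera)\/[0-9]+\.` (other callers are not visible here), that token would be the Mozilla/Opera version rather than the Flash one. Following the Edge branch added in the same commit would avoid this: `parts = split_string_all(unparsed_version, /Flash%20Player\/[0-9\.]*/);` and `if ( 1 in parts ) v = parse(parts[1])$version;`. The only Flash Player case added to the test does not start with `Mozilla/`, so it goes through `parse` and does not exercise this branch.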
diff --git a/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output index 956b5a86e4..6f59b224b3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output +++ b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output 
@@ -1,46 +1,12 @@ -success on: wu-2.4.2-academ[BETA-18-VR14](1) -success on: Python-urllib/3.1 -success on: libwww-perl/5.820 -success on: Apache -success on: Apple iPhone v4.3.1 Weather v1.0.0.8G4 -success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/20101013 Lightning/1.0b2 Thunderbird/3.1.5 -success on: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1) -success on: Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0 -success on: Java/1.6.0_13 -success on: The Bat! (v2.00.9) Personal -success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 -success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Creative AutoUpdate v1.40.02) -success on: curl/7.15.1 (i486-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.18 -success on: Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00 -success on: mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731 -success on: CacheFlyServe v26b -success on: Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 -success on: Mozilla/5.0 (iPod; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7 -success on: Total Commander -success on: OpenSSH_5.2 -success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27 -success on: Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54 -success on: Opera/9.80 (J2ME/MIDP; 
Opera Mini/5.0.18741/18.794; U; en) Presto/2.4.15 -success on: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; InfoPath.2; InfoPath.3) -success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C) -success on: Wget/1.9+cvs-stable (Red Hat modified) -success on: Wget/1.11.4 (Red Hat modified) -success on: Opera/9.80 (Windows NT 6.1; U; sv) Presto/2.7.62 Version/11.01 -success on: Java1.3.1_04 -success on: OpenSSH_4.4 -success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2) -success on: (vsFTPd 2.0.5) -success on: wu-2.6.2(1) -success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax) -success on: The Bat! (3.0.1 RC3) Professional -success on: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0 success on: Flash/10,2,153,1 success on: Apache/2.0.46 (Win32) mod_ssl/2.0.46 OpenSSL/0.9.7b mod_jk2/2.0.4 success on: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) +success on: %E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8/128 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64) success on: Java1.2.2-JDeveloper success on: Zope/(Zope 2.7.8-final, python 2.3.5, darwin) ZServer/1.1 Plone/Unknown success on: iTunes/9.0 (Macintosh; Intel Mac OS X 10.5.8) AppleWebKit/531.9 success on: ProFTPD 1.2.5rc1 Server (Debian) +success on: Flash%20Player/26.0.0.137 CFNetwork/811.5.4 Darwin/16.6.0 (x86_64) success on: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_2 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8H7 Safari/6533.18.5 success on: Opera/9.80 (Windows NT 5.1; Opera Mobi/49; U; en) Presto/2.4.18 Version/10.00 success on: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) 
@@ -48,3 +14,42 @@ success on: Apple Mail (2.1084) success on: Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2 success on: Apache/1.3.19 (Unix) success on: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko +success on: Wget/1.11.4 (Red Hat modified) +success on: \xe6\xbc\xab\xe7\x94\xbb\xe4\xba\xba 2.6.2 rv:1.2 (iPhone; iOS 10.3.2; en_US) +success on: wu-2.6.2(1) +success on: QQ%E9%82%AE%E7%AE%B1/5.3.2.8 CFNetwork/811.5.4 Darwin/16.6.0 +success on: The Bat! (3.0.1 RC3) Professional +success on: Mozilla/5.0 (iPod; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7 +success on: The Bat! (v2.00.9) Personal +success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax) +success on: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1) +success on: wu-2.4.2-academ[BETA-18-VR14](1) +success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Creative AutoUpdate v1.40.02) +success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2) +success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 +success on: Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Mobile Safari/537.36 Edge/15.15063 +success on: Total Commander +success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C) +success on: libwww-perl/5.820 +success on: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0 +success 
on: Java/1.6.0_13 +success on: Python-urllib/3.1 +success on: Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00 +success on: CacheFlyServe v26b +success on: Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +success on: OpenSSH_5.2 +success on: (vsFTPd 2.0.5) +success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27 +success on: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; InfoPath.2; InfoPath.3) +success on: Apache +success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/20101013 Lightning/1.0b2 Thunderbird/3.1.5 +success on: Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0 +success on: curl/7.15.1 (i486-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.18 +success on: Apple iPhone v4.3.1 Weather v1.0.0.8G4 +success on: Java1.3.1_04 +success on: OpenSSH_4.4 +success on: mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731 +success on: Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54 +success on: Opera/9.80 (Windows NT 6.1; U; sv) Presto/2.7.62 Version/11.01 +success on: Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18741/18.794; U; en) Presto/2.4.15 +success on: Wget/1.9+cvs-stable (Red Hat modified) diff --git a/testing/btest/scripts/base/frameworks/software/version-parsing.bro b/testing/btest/scripts/base/frameworks/software/version-parsing.bro index f61e8a3a9e..9a54f3d966 100644 --- a/testing/btest/scripts/base/frameworks/software/version-parsing.bro +++ b/testing/btest/scripts/base/frameworks/software/version-parsing.bro 
@@ -40,6 +40,9 @@ global matched_software: table[string] of Software::Description = { [$name="The Bat!", $version=[$major=2,$minor=0,$minor2=9,$addl="Personal"], $unparsed_version=""], ["Flash/10,2,153,1"] = [$name="Flash", $version=[$major=10,$minor=2,$minor2=153,$minor3=1], $unparsed_version=""], + # The addl on the following entry isn't so great, but it'll do. + ["Flash%20Player/26.0.0.137 CFNetwork/811.5.4 Darwin/16.6.0 (x86_64)"] = + [$name="Flash", $version=[$major=26,$minor=0,$minor2=0,$minor3=137,$addl="CFNetwork/811"], $unparsed_version=""], ["mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731"] = [$name="mt2", $version=[$major=1,$minor=2,$minor2=3,$minor3=967,$addl="Oct"], $unparsed_version=""], ["CacheFlyServe v26b"] = @@ -110,6 +113,14 @@ global matched_software: table[string] of Software::Description = { [$name="AdobeAIR", $version=[$major=1,$minor=0], $unparsed_version=""], ["Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0"] = [$name="AdobeAIR", $version=[$major=1,$minor=0], $unparsed_version=""], + ["\\xe6\\xbc\\xab\\xe7\\x94\\xbb\\xe4\\xba\\xba 2.6.2 rv:1.2 (iPhone; iOS 10.3.2; en_US)"] = + [$name="\xe6\xbc\xab\xe7\x94\xbb\xe4\xba\xba", $version=[$major=2,$minor=6,$minor2=2,$addl="rv:1"], $unparsed_version=""], + ["%E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8/128 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64)"] = + [$name="\xe6\x9c\x89\xe9\x81\x93\xe8\xaf\x8d\xe5\x85\xb8", $version=[$major=128,$addl="CFNetwork/760"], $unparsed_version=""], + ["QQ%E9%82%AE%E7%AE%B1/5.3.2.8 CFNetwork/811.5.4 Darwin/16.6.0"] = + [$name="QQ\xe9\x82\xae\xe7\xae\xb1", $version=[$major=5,$minor=3,$minor2=2,$minor3=8,$addl="CFNetwork/811"], $unparsed_version=""], + ["Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Mobile Safari/537.36 Edge/15.15063"] = + [$name="Edge", $version=[$major=15,$minor=15063], $unparsed_version=""], }; event bro_init() 
From 78f8ff432f984548fa2b88865c904109e121443a Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 21 Jul 2017 13:23:37 -0700 Subject: [PATCH 184/631] Adding plugin API number into versioned function name, and removing old runtime API version check. --- CMakeLists.txt | 9 +++++++-- src/plugin/Manager.cc | 4 ---- src/plugin/Plugin.cc | 5 ----- src/plugin/Plugin.h | 18 +++--------------- .../plugins.api-version-mismatch/output | 1 - testing/btest/plugins/api-version-mismatch.sh | 8 -------- 6 files changed, 10 insertions(+), 35 deletions(-) delete mode 100644 testing/btest/Baseline/plugins.api-version-mismatch/output delete mode 100644 testing/btest/plugins/api-version-mismatch.sh diff --git a/CMakeLists.txt b/CMakeLists.txt index 29643c7b84..990c09b611 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -40,6 +40,11 @@ file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.csh "setenv PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n") file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1) +execute_process(COMMAND grep "^#define *BRO_PLUGIN_API_VERSION" + INPUT_FILE ${CMAKE_CURRENT_SOURCE_DIR}/src/plugin/Plugin.h + OUTPUT_VARIABLE API_VERSION + OUTPUT_STRIP_TRAILING_WHITESPACE) +string(REGEX REPLACE "^#define.*VERSION *" "" API_VERSION "${API_VERSION}") string(REPLACE "." " " version_numbers ${VERSION}) separate_arguments(version_numbers) @@ -47,9 +52,9 @@ list(GET version_numbers 0 VERSION_MAJOR) list(GET version_numbers 1 VERSION_MINOR) set(VERSION_MAJ_MIN "${VERSION_MAJOR}.${VERSION_MINOR}") -set(VERSION_C_IDENT "${VERSION}") +set(VERSION_C_IDENT "${VERSION}_plugin_${API_VERSION}") string(REGEX REPLACE "-[0-9]*$" "_git" VERSION_C_IDENT "${VERSION_C_IDENT}") -string(REGEX REPLACE "[^a-zA-Z0-9_]" "_" VERSION_C_IDENT "${VERSION_C_IDENT}") +string(REGEX REPLACE "[^a-zA-Z0-9_\$]" "_" VERSION_C_IDENT "${VERSION_C_IDENT}") if(${ENABLE_DEBUG}) set(VERSION_C_IDENT "${VERSION_C_IDENT}_debug") 
diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index 104bcfbdd5..a6c564d4f2 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -243,10 +243,6 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ plugins_by_path.insert(std::make_pair(normalize_path(dir), current_plugin)); - if ( current_plugin->APIVersion() != BRO_PLUGIN_API_VERSION ) - reporter->FatalError("plugin's API version does not match Bro (expected %d, got %d in %s)", - BRO_PLUGIN_API_VERSION, current_plugin->APIVersion(), path); - // We execute the pre-script initialization here; this in // fact could be *during* script initialization if we got // triggered via @load-plugin. diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index 7af9b9dfee..f54749f837 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -242,11 +242,6 @@ VersionNumber Plugin::Version() const return config.version; } -int Plugin::APIVersion() const - { - return config.api_version; - } - bool Plugin::DynamicPlugin() const { return dynamic; diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 37f2064644..c00831d1fd 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -13,10 +13,9 @@ #include "iosource/Component.h" #include "logging/WriterBackend.h" -// We allow to override this externally for testing purposes. -#ifndef BRO_PLUGIN_API_VERSION -#define BRO_PLUGIN_API_VERSION 5 -#endif +// Increase this when making incompatible changes to the plugin API. Note +// that the constant is never used in C code. It's picked up on by CMake. +#define BRO_PLUGIN_API_VERSION 6 #define BRO_PLUGIN_BRO_VERSION BRO_VERSION_FUNCTION @@ -103,14 +102,12 @@ public: private: friend class Plugin; - int api_version; // Current BRO_PLUGIN_API_VERSION. Automatically set. }; inline Configuration::Configuration() { name = ""; description = ""; - api_version = BRO_PLUGIN_API_VERSION; bro_version = 0; } 
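Review bot: With `api_version` removed and `bro_version` still initialised to `0` in `Configuration::Configuration()`, a plugin that never assigns `BRO_PLUGIN_BRO_VERSION` references no versioned symbol, and since this commit also deletes the runtime comparison from Manager.cc it is, as far as the diff shows, loaded with no compatibility check at all. That includes every plugin generated from a skeleton that predates the field. Consider having the loader report a plugin whose configuration leaves `bro_version` null, for instance a warning at the spot where the removed `FatalError` was, and state the consequence on the member: `// If left at 0, no version check of any kind is performed for this plugin.`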
@@ -451,15 +448,6 @@ public: **/ const std::string& PluginPath() const; - /** - * Returns the internal version of the Bro API that this plugin - * relies on. Only plugins that match Bro's current API version can - * be used. For statically compiled plugins this is automatically the - * case, but dynamically loaded plugins may cause a mismatch if they - * were compiled for a different Bro version. - */ - int APIVersion() const; - /** * Returns a list of all components the plugin provides. */ diff --git a/testing/btest/Baseline/plugins.api-version-mismatch/output b/testing/btest/Baseline/plugins.api-version-mismatch/output deleted file mode 100644 index 04f3cdd3a2..0000000000 --- a/testing/btest/Baseline/plugins.api-version-mismatch/output +++ /dev/null @@ -1 +0,0 @@ -fatal error in /home/robin/bro/plugins/scripts/base/init-bare.bro, line 1: plugin's API version does not match Bro (expected 2, got 42 in /home/robin/bro/plugins/testing/btest/.tmp/plugins.api-version-mismatch/build//lib/XXX) diff --git a/testing/btest/plugins/api-version-mismatch.sh b/testing/btest/plugins/api-version-mismatch.sh deleted file mode 100644 index 2483582359..0000000000 --- a/testing/btest/plugins/api-version-mismatch.sh +++ /dev/null @@ -1,8 +0,0 @@ -# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Demo Foo -# @TEST-EXEC: bash %INPUT -# @TEST-EXEC: ./configure --bro-dist=${DIST} && make -# @TEST-EXEC-FAIL: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >tmp 2>&1 -# @TEST-EXEC: cat tmp | sed 's/Demo-Foo[-a-zA-Z0-9_.]*/XXX/' >>output -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output - -( echo '#define BRO_PLUGIN_API_VERSION 42'; cat src/Plugin.cc; ) >src/Plugin.cc.tmp && mv src/Plugin.cc.tmp src/Plugin.cc From 0d97e5451d3529790b4586b4fef92b78316c72b2 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Thu, 27 Jul 2017 15:09:54 -0700 Subject: [PATCH 185/631] Revert "parse multiple OCSP stapling responses" This reverts commit 07891b3b66fbf86a188325a0eaedc24db9571b13. I suspect this never really was correctly implemented and just breaks all scripts. --- .../protocol/ssl/tls-handshake-analyzer.pac | 9 +++++---- .../protocol/ssl/tls-handshake-protocol.pac | 18 +++--------------- 2 files changed, 8 insertions(+), 19 deletions(-) diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 60d03f3dce..024353432a 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -241,7 +241,7 @@ refine connection Handshake_Conn += { return true; %} - function proc_ocsp_response(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool + function proc_certificate_status(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool %{ ODesc common; common.AddRaw("Analyzer::ANALYZER_SSL"); @@ -249,7 +249,7 @@ refine connection Handshake_Conn += { common.AddRaw("F"); bro_analyzer()->Conn()->IDString(&common); - if ( status_type == 1 || status_type == 2 ) // ocsp + if ( status_type == 1 ) // ocsp { ODesc file_handle; file_handle.Add(common.Description()); @@ -269,6 +269,7 @@ refine connection Handshake_Conn += { file_mgr->EndOfFile(file_id); } + return true; %} @@ -384,8 +385,8 @@ refine typeattr ServerNameExt += &let { proc : bool = $context.connection.proc_server_name(rec, server_names); }; -refine typeattr OCSPResponse += &let { - proc : bool = $context.connection.proc_ocsp_response(rec, status_type, response); +refine typeattr CertificateStatus += &let { + proc : bool = $context.connection.proc_certificate_status(rec, status_type, response); }; refine typeattr EcServerKeyExchange += &let { 
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index d06d8ec57b..6a1988111e 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -165,23 +165,11 @@ type Certificate(rec: HandshakeRecord) = record { } &length = to_int()(length)+3; # OCSP Stapling -type OCSPResponse(rec: HandshakeRecord, status_type: uint8) = record { - length : uint24; - response : bytestring &length = to_int()(length); -} &length = to_int()(length)+3; - -type OCSPResponseList(rec: HandshakeRecord, status_type: uint8) = record { - length : uint24; - response_list : OCSPResponse(rec, status_type)[] &until($input.length() == 0); -} &length = to_int()(length)+3; type CertificateStatus(rec: HandshakeRecord) = record { - status_type: uint8; # 1 = ocsp, 2 = ocsp_multi, everything else is undefined - which_type: case status_type of { - 1 -> ocsp_response : OCSPResponse(rec, status_type); - 2 -> ocsp_response_list : OCSPResponseList(rec, status_type); - default -> data : bytestring &restofdata &transient; # unknown - }; + status_type: uint8; # 1 = ocsp, everything else is undefined + length : uint24; + response: bytestring &restofdata; }; ###################################################################### From 912637658137630230562aaf41b6345f64fe5c74 Mon Sep 17 00:00:00 2001 
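Review bot: In the restored `CertificateStatus` record the `length` field is parsed but never bounds `response`, which is declared `&restofdata` and therefore takes whatever is left of the handshake message. A stapled response whose declared length disagrees with the bytes present passes through unchanged, and for `status_type == 1` `proc_certificate_status` hands those bytes to the file manager and the `ssl_stapled_ocsp` event. The removed `OCSPResponse` record tied the two together, and the same form works here: `response: bytestring &length = to_int()(length);`. For status types other than 1 the record's own comment calls the layout undefined, so if `&restofdata` is kept deliberately to tolerate those, a comment saying so would help.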
From: Johanna Amann Date: Thu, 27 Jul 2017 15:12:19 -0700 Subject: [PATCH 186/631] Revert "add parameter 'status_type' to event ssl_stapled_ocsp" This reverts commit 545848d9067c9ce35e8825961ce82943d3c945ff. Revert further part of stapled OCSP response handling that probably never worked. --- scripts/policy/protocols/ssl/validate-ocsp.bro | 2 +- src/analyzer/protocol/ssl/events.bif | 4 +--- src/analyzer/protocol/ssl/tls-handshake-analyzer.pac | 3 +-- testing/btest/core/leaks/x509_ocsp_verify.bro | 2 +- testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test | 2 +- 5 files changed, 5 insertions(+), 8 deletions(-) diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro index 8f0da3ef2f..81bbc3c9ea 100644 --- a/scripts/policy/protocols/ssl/validate-ocsp.bro +++ b/scripts/policy/protocols/ssl/validate-ocsp.bro @@ -27,7 +27,7 @@ export { # certificate chain is seen. global recently_ocsp_validated: table[string] of string = table() &read_expire=5mins; -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) &priority=3 +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) &priority=3 { c$ssl$ocsp_response = response; } diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 44e359dde6..755eccded7 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -416,9 +416,7 @@ event ssl_encrypted_data%(c: connection, is_orig: bool, content_type: count, len ## is_orig: True if event is raised for originator side of the connection. ## ## response: OCSP data. -## -## status_type: status_type in received OCSP stapled response -event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string, status_type: count%); +event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%); ## This event is raised for each unencrypted SSL/TLS handshake message. ## 
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 024353432a..e3226551b4 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -264,8 +264,7 @@ refine connection Handshake_Conn += { BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, new StringVal(response.length(), - (const char*) response.data()), - status_type); + (const char*) response.data())); file_mgr->EndOfFile(file_id); } diff --git a/testing/btest/core/leaks/x509_ocsp_verify.bro b/testing/btest/core/leaks/x509_ocsp_verify.bro index 4a4d081e09..ab24f28ee8 100644 --- a/testing/btest/core/leaks/x509_ocsp_verify.bro +++ b/testing/btest/core/leaks/x509_ocsp_verify.bro @@ -9,7 +9,7 @@ @load base/protocols/ssl -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) { local chain: vector of opaque of x509 = vector(); for ( i in c$ssl$cert_chain ) diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test index 440b1b2ebf..6424f263f1 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test 
@@ -5,7 +5,7 @@ redef SSL::root_certs += { ["OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x02\x3C\x30\x82\x01\xA5\x02\x10\x70\xBA\xE4\x1D\x10\xD9\x29\x34\xB6\x38\xCA\x7B\x03\xCC\xBA\xBF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x39\x36\x30\x31\x32\x39\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x38\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xC9\x5C\x59\x9E\xF2\x1B\x8A\x01\x14\xB4\x10\xDF\x04\x40\xDB\xE3\x57\xAF\x6A\x45\x40\x8F\x84\x0C\x0B\xD1\x33\xD9\xD9\x11\xCF\xEE\x02\x58\x1F\x25\xF7\x2A\xA8\x44\x05\xAA\xEC\x03\x1F\x78\x7F\x9E\x93\xB9\x9A\x00\xAA\x23\x7D\xD6\xAC\x85\xA2\x63\x45\xC7\x72\x27\xCC\xF4\x4C\xC6\x75\x71\xD2\x39\xEF\x4F\x42\xF0\x75\xDF\x0A\x90\xC6\x8E\x20\x6F\x98\x0F\xF8\xAC\x23\x5F\x70\x29\x36\xA4\xC9\x86\xE7\xB1\x9A\x20\xCB\x53\xA5\x85\xE7\x3D\xBE\x7D\x9A\xFE\x24\x45\x33\xDC\x76\x15\xED\x0F\xA2\x71\x64\x4C\x65\x2E\x81\x68\x45\xA7\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x03\x81\x81\x00\xBB\x4C\x12\x2B\xCF\x2C\x26\x00\x4F\x14\x13\xDD\xA6\xFB\xFC\x0A\x11\x84\x8C\xF3\x28\
x1C\x67\x92\x2F\x7C\xB6\xC5\xFA\xDF\xF0\xE8\x95\xBC\x1D\x8F\x6C\x2C\xA8\x51\xCC\x73\xD8\xA4\xC0\x53\xF0\x4E\xD6\x26\xC0\x76\x01\x57\x81\x92\x5E\x21\xF1\xD1\xB1\xFF\xE7\xD0\x21\x58\xCD\x69\x17\xE3\x44\x1C\x9C\x19\x44\x39\x89\x5C\xDC\x9C\x00\x0F\x56\x8D\x02\x99\xED\xA2\x90\x45\x4C\xE4\xBB\x10\xA4\x3D\xF0\x32\x03\x0E\xF1\xCE\xF8\xE8\xC9\x51\x8C\xE6\x62\x9F\xE6\x9F\xC0\x7D\xB7\x72\x9C\xC9\x36\x3A\x6B\x9F\x4E\xA8\xFF\x64\x0D\x64", }; -event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string, status_type: count) +event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string) { local chain: vector of opaque of x509 = vector(); for ( i in c$ssl$cert_chain ) From 9594f695980f2ba451c3ad2cf2c33323ae517ceb Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 27 Jul 2017 16:21:47 -0700 Subject: [PATCH 187/631] SSL: Update OCSP/SCT scripts and documentation. --- doc/script-reference/log-files.rst | 4 + scripts/base/files/x509/README | 2 +- scripts/base/files/x509/__load__.bro | 1 - scripts/base/files/x509/main.bro | 11 +- scripts/base/protocols/ssl/README | 2 +- scripts/base/protocols/ssl/main.bro | 11 +- scripts/policy/files/x509/log-ocsp.bro | 52 +++++---- .../policy/protocols/ssl/validate-ocsp.bro | 6 +- scripts/policy/protocols/ssl/validate-sct.bro | 39 +++++-- src/analyzer/protocol/ssl/events.bif | 14 ++- src/file_analysis/analyzer/x509/events.bif | 18 +++- src/file_analysis/analyzer/x509/functions.bif | 60 +++++++++-- .../analyzer/x509/ocsp_events.bif | 102 ++++++++++++++++-- .../btest/Baseline/coverage.find-bro-logs/out | 1 + 14 files changed, 260 insertions(+), 63 deletions(-) diff --git a/doc/script-reference/log-files.rst b/doc/script-reference/log-files.rst index 795b33f6b8..e8550ee41c 100644 --- a/doc/script-reference/log-files.rst +++ b/doc/script-reference/log-files.rst 
@@ -76,6 +76,10 @@ Files +============================+=======================================+=================================+ | files.log | File analysis results | :bro:type:`Files::Info` | +----------------------------+---------------------------------------+---------------------------------+ +| ocsp.log | Online Certificate Status Protocol | :bro:type:`OCSP::Info` | +| | (OCSP). Only created if policy script | | +| | is loaded. | | ++----------------------------+---------------------------------------+---------------------------------+ | pe.log | Portable Executable (PE) | :bro:type:`PE::Info` | +----------------------------+---------------------------------------+---------------------------------+ | x509.log | X.509 certificate info | :bro:type:`X509::Info` | diff --git a/scripts/base/files/x509/README b/scripts/base/files/x509/README index b523eb4fc4..515b0e0b1c 100644 --- a/scripts/base/files/x509/README +++ b/scripts/base/files/x509/README @@ -1,2 +1,2 @@ Support for X509 certificates with the file analysis framework. -Also supposrts OCSP requests and responses. +Also supports parsing OCSP requests and responses. diff --git a/scripts/base/files/x509/__load__.bro b/scripts/base/files/x509/__load__.bro index cff81e7254..a10fe855df 100644 --- a/scripts/base/files/x509/__load__.bro +++ b/scripts/base/files/x509/__load__.bro @@ -1,2 +1 @@ @load ./main -#@load ./ocsp diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro index a7d3ca7a04..7cf1c4ab59 100644 --- a/scripts/base/files/x509/main.bro +++ b/scripts/base/files/x509/main.bro 
@@ -10,23 +10,17 @@ export { type Info: record { ## Current timestamp. ts: time &log; - ## File id of this certificate. id: string &log; - ## Basic information about the certificate. certificate: X509::Certificate &log; - ## The opaque wrapping the certificate. Mainly used ## for the verify operations. handle: opaque of x509; - ## All extensions that were encountered in the certificate. extensions: vector of X509::Extension &default=vector(); - ## Subject alternative name extension of the certificate. san: X509::SubjectAlternativeName &optional &log; - ## Basic constraints extension of the certificate. basic_constraints: X509::BasicConstraints &optional &log; }; @@ -39,6 +33,11 @@ event bro_init() &priority=5 { Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509"]); + # We use mime types internally to distinguish between user and ca certificates. + # The first certificate in a connection always gets tagged as user-cert, all + # following certificates get tagged as CA certificates. Certificates gotten via + # other means (e.g. identified from HTTP traffic when they are transfered in plain + # text) get tagged as application/pkix-cert. Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-user-cert"); Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-ca-cert"); Files::register_for_mime_type(Files::ANALYZER_X509, "application/pkix-cert"); diff --git a/scripts/base/protocols/ssl/README b/scripts/base/protocols/ssl/README index 8fa99fd553..1fd0568101 100644 --- a/scripts/base/protocols/ssl/README +++ b/scripts/base/protocols/ssl/README @@ -1 +1 @@ -Support for Secure Sockets Layer (SSL) protocol analysis. +Support for Secure Sockets Layer (SSL)/Transport Layer Security(TLS) protocol analysis. diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index 54ac8548ba..932505c3a8 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro 
@@ -64,7 +64,6 @@ export { ## Flag to indicate if this ssl session has been established ## successfully, or if it was aborted during the handshake. established: bool &log &default=F; - ## Flag to indicate if this record already has been logged, to ## prevent duplicates. logged: bool &default=F; @@ -74,11 +73,18 @@ export { ## script sets this to Mozilla's root CA list. const root_certs: table[string] of string = {} &redef; + ## The record type which contains the field for the Certificate + ## Transparency log bundle. type CTInfo: record { + ## Description of the Log description: string; + ## Operator of the Log operator: string; + ## Public key of the Log. key: string; + ## Maximum merge delay of the Log maximum_merge_delay: count; + ## URL of the Log url: string; }; @@ -104,7 +110,8 @@ export { ## record as it is sent on to the logging framework. global log_ssl: event(rec: Info); - # do everything you want to do right before logging here + # Hook that can be used to perform actions right before the log record + # is written. global ssl_finishing: hook(c: connection); } diff --git a/scripts/policy/files/x509/log-ocsp.bro b/scripts/policy/files/x509/log-ocsp.bro index f9e72dd832..349fa9a372 100644 --- a/scripts/policy/files/x509/log-ocsp.bro +++ b/scripts/policy/files/x509/log-ocsp.bro 
@@ -1,31 +1,41 @@ -##! Enable basic OCSP logging. - -# This is in policy because probably just about no one is interested -# in logging OCSP responses. +##! Enable logging of OCSP responses. +# +# This script is in policy and not loaded by default because OCSP logging +# does not provide a lot of interesting information in most environments. module OCSP; export { redef enum Log::ID += { LOG }; + ## The record type which contains the fields of the OCSP log. type Info: record { - ## Current timestamp. - ts: time &log; - - ## File id of the ocsp reply. - id: string &log; - - hashAlgorithm: string &log; - issuerNameHash: string &log; - issuerKeyHash: string &log; - serialNumber: string &log; - certStatus: string &log; - revoketime: time &log &optional; - revokereason: string &log &optional; - thisUpdate: time &log; - nextUpdate: time &log &optional; + ## Time when the OCSP reply was encountered. + ts: time &log; + ## File id of the ocsp reply. + id: string &log; + ## Hash algorithm used to generate issuerNameHash and issuerKeyHash. + hashAlgorithm: string &log; + ## Hash of the issuer's distingueshed name. + issuerNameHash: string &log; + ## Hash of the issuer's public key. + issuerKeyHash: string &log; + ## Serial number of the affected certificate. + serialNumber: string &log; + ## Status of the affected certificate. + certStatus: string &log; + ## Time at which the certificate was revoked. + revoketime: time &log &optional; + ## Reason for which the certificate was revoked. + revokereason: string &log &optional; + ## The time at which the status being shows is known to have been correct. + thisUpdate: time &log; + ## The latest time at which new information about the status of the certificate will be available. + nextUpdate: time &log &optional; }; + ## Event that can be handled to access the OCSP record + ## as it is sent to the logging framework. global log_ocsp: event(rec: Info); } 
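Review bot: Two of the field comments added to `OCSP::Info` contain typos that will be carried into the generated log documentation: `distingueshed` on `issuerNameHash` and `status being shows` on `thisUpdate`. Suggested wording is `## Hash of the issuer's distinguished name.` and `## The time at which the status being shown is known to have been correct.`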
@@ -39,14 +49,12 @@ event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHas { local wr = OCSP::Info($ts=f$info$ts, $id=f$id, $hashAlgorithm=hashAlgorithm, $issuerNameHash=issuerNameHash, $issuerKeyHash=issuerKeyHash, $serialNumber=serialNumber, $certStatus=certStatus, - $thisUpdate=thisUpdate); + $thisUpdate=thisUpdate); if ( revokereason != "" ) wr$revokereason = revokereason; - if ( time_to_double(revoketime) != 0 ) wr$revoketime = revoketime; - if ( time_to_double(nextUpdate) != 0 ) wr$nextUpdate = nextUpdate; diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro index 81bbc3c9ea..7cb8be9f0e 100644 --- a/scripts/policy/protocols/ssl/validate-ocsp.bro +++ b/scripts/policy/protocols/ssl/validate-ocsp.bro @@ -1,4 +1,9 @@ ##! Perform validation of stapled OCSP responses. +#! +#! Note: this _only_ performs validation of stapled OCSP responsed. It does +#! not validate OCSP responses that are retrieved via HTTP, because we do not +#! have a mapping to certificates. + @load base/frameworks/notice @load base/protocols/ssl @@ -15,7 +20,6 @@ export { redef record Info += { ## Result of ocsp validation for this connection. ocsp_status: string &log &optional; - ## ocsp response as string. ocsp_response: string &optional; }; diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro index bf7d8745bb..f45a8f7964 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro +++ b/scripts/policy/protocols/ssl/validate-sct.bro @@ -1,6 +1,5 @@ ##! Perform validation of Signed Certificate Timestamps, as used -##! for Certificate Transparency. See https://tools.ietf.org/html/rfc6962 -##! for more details. +##! for Certificate Transparency. See RFC6962 for more details. @load base/protocols/ssl @load protocols/ssl/validate-certs 
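Review bot: The note added under the `##!` summary line of `validate-ocsp.bro` is written with `#!` rather than `##!`, so it is an ordinary comment and presumably will not reach the generated script documentation. That is where a reader most needs to learn that OCSP responses fetched over HTTP are not validated. Writing each added line with the `##!` prefix, starting with `##! Note: this _only_ performs validation of stapled OCSP responses.`, keeps the caveat in the docs. `responsed` in the added text should be `responses`.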
@@ -13,40 +12,63 @@ module SSL; export { + ## List of the different sources for Signed Certificate Timestamp type SctSource: enum { + ## Signed Certificate Timestamp was encountered in the extension of + ## an X.509 certificate. SCT_X509_EXT, + ## Signed Certificate Timestamp was encountered in an TLS session + ## extension. SCT_TLS_EXT, + ## Signed Certificate Timestamp was encountered in the extension of + ## an stapled OCSP reply. SCT_OCSP_EXT }; + ## This record is used to store information about the SCTs that are + ## encountered in a SSL connection. type SctInfo: record { + ## The version of the encountered SCT (should always be 0 for v1). version: count; + ## The ID of the log issuing this SCT. logid: string; + ## The timestamp at which this SCT was issued measured since the + ## epoch (January 1, 1970, 00:00), ignoring leap seconds, in + ## milliseconds. Not converted to a Bro timestamp because we need + ## the exact value for validation. timestamp: count; + ## The signature algorithm used for this sct. sig_alg: count; + ## The hash algorithm used for this sct. hash_alg: count; + ## The signature of this SCT. signature: string; + ## Source of this SCT. source: SctSource; + ## Validation result of this SCT. valid: bool &optional; }; redef record Info += { + ## Number of valid SCTs that were encountered in the connection. valid_scts: count &optional; + ## Number of SCTs that could not be validated that were encountered in the connection. invalid_scts: count &optional; + ## Number of different Logs for which valid SCTs were encountered in the connection. valid_ct_logs: count &log &optional; + ## Number of different Log operators of which valid SCTs were encountered in the connection. valid_ct_operators: count &log &optional; + ## List of operators for which valid SCTs were encountered in the connection. valid_ct_operators_list: set[string] &optional; + ## Information about all SCTs that were encountered in the connection. 
+ ct_proofs: vector of SctInfo &default=vector(); }; - } +# Used to cache validations for 5 minutes to lessen computational load. global recently_validated_scts: table[string] of bool = table() &read_expire=5mins &redef; -redef record SSL::Info += { - ct_proofs: vector of SctInfo &default=vector(); -}; - event bro_init() { Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); @@ -134,7 +156,6 @@ hook ssl_finishing(c: connection) &priority=19 # the right issuer cert. # # First - Let's try if a previous round already established the correct issuer key hash. - if ( issuer_key_hash != "" ) { valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); @@ -151,9 +172,9 @@ hook ssl_finishing(c: connection) &priority=19 issuer_key_hash = x509_spki_hash(c$ssl$valid_chain[1], 4); valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); } + # ok, if it still did not work - let's just try with all the certs that were sent # in the connection. Perhaps it will work with one of them. - if ( !valid ) for ( i in c$ssl$cert_chain ) { diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 755eccded7..7f0814ee27 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -211,6 +211,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_server_name ssl_extension_key_share ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_extension_signed_certificate_timestamp event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%); ## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is 
@@ -231,6 +232,7 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or ## ssl_extension_application_layer_protocol_negotiation ## ssl_extension_key_share ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_extension_signed_certificate_timestamp event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%); ## Generated for the signed_certificate_timestamp TLS extension as defined in @@ -253,6 +255,14 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec ## digitally_signed struct ## ## signature: signature part of the digitally_signed struct +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_extension +## ssl_extension_elliptic_curves ssl_extension_ec_point_formats +## ssl_extension_server_name ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_extension_application_layer_protocol_negotiation +## x509_ocsp_ext_signed_certificate_timestamp sct_verify event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); ## Generated for an TLS Supported Versions extension. This TLS extension @@ -271,7 +281,7 @@ event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_application_layer_protocol_negotiation ## ssl_extension_key_share ssl_extension_server_name -## ssl_extension_psk_key_exchange_modes +## ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: index_vec%); ## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined 
@@ -288,7 +298,7 @@ event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_application_layer_protocol_negotiation ## ssl_extension_key_share ssl_extension_server_name -## ssl_extension_supported_versions +## ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%); ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif index 206555e9dd..68afe5340a 100644 --- a/src/file_analysis/analyzer/x509/events.bif +++ b/src/file_analysis/analyzer/x509/events.bif @@ -13,7 +13,7 @@ ## ## .. bro:see:: x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse x509_verify -## x509_get_certificate_string +## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate%); ## Generated for X509 extensions seen in a certificate. @@ -27,7 +27,7 @@ event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certif ## ## .. bro:see:: x509_certificate x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse x509_verify -## x509_get_certificate_string +## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp event x509_extension%(f: fa_file, ext: X509::Extension%); ## Generated for the X509 basic constraints extension seen in a certificate. 
@@ -39,7 +39,7 @@ event x509_extension%(f: fa_file, ext: X509::Extension%); ## ## .. bro:see:: x509_certificate x509_extension ## x509_ext_subject_alternative_name x509_parse x509_verify -## x509_get_certificate_string +## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%); ## Generated for the X509 subject alternative name extension seen in a certificate. @@ -52,13 +52,14 @@ event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%); ## ext: The parsed subject alternative name extension. ## ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints -## x509_parse x509_verify +## x509_parse x509_verify x509_ocsp_ext_signed_certificate_timestamp ## x509_get_certificate_string event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternativeName%); ## Generated for the signed_certificate_timestamp X509 extension as defined in ## :rfc:`6962`. The extension is used to transmit signed proofs that are -## used for Certificate Transparency. +## used for Certificate Transparency. Raised when the extension is encountered +## in an X.509 certificate or in an OCSP reply. ## ## f: The file. ## 
@@ -74,4 +75,11 @@ event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternati ## digitally_signed struct ## ## signature: signature part of the digitally_signed struct +## +## .. bro:see:: ssl_extension_signed_certificate_timestamp x509_extension x509_ext_basic_constraints +## x509_parse x509_verify x509_ext_subject_alternative_name +## x509_get_certificate_string ssl_extension_signed_certificate_timestamp +## sct_verify ocsp_request ocsp_request_certificate ocsp_response_status +## ocsp_response_bytes ocsp_response_certificate +## x509_ocsp_ext_signed_certificate_timestamp event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string%); diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 8212835e2e..e3fcb0ce11 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -140,6 +140,8 @@ X509* x509_get_ocsp_signer(STACK_OF(X509) *certs, OCSP_RESPID *rid) return 0; } +// Convert hash algorithm registry numbers to the OpenSSL EVP_MD. +// Mapping at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 const EVP_MD* hash_to_evp(int hash) { switch ( hash ) @@ -483,7 +485,7 @@ x509_ocsp_cleanup: ## ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse -## x509_get_certificate_string x509_ocsp_verify +## x509_get_certificate_string x509_ocsp_verify sct_verify function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result %{ X509_STORE* ctx = x509_get_root_store(root_certs->AsTableVal()); 
@@ -571,6 +573,28 @@ x509_verify_chainerror: return rrecord; %} +## Verifies a Signed Certificate Timestamp as used for Certificate Transparency. +## See RFC6962 for more details. +## +## cert: Certificate against which the SCT should be validated. +## +## logid: Log id of the SCT. +## +## log_key: Public key of the Log that issued the SCT proof. +## +## timestamp: Timestamp at which the proof was generated. +## +## hash_algorithm: Hash algorithm that was used for the SCT proof. +## +## issuer_key_hash: The SHA-256 hash of the certificate issuer's public key. +## This only has to be provided if the SCT was encountered in an X.509 +## certificate extension; in that case, it is necessary for validation. +## +## Returns: T if the validation could be performed succesfully, F otherwhise. +## +## .. bro:see:: ssl_extension_signed_certificate_timestamp +## x509_ocsp_ext_signed_certificate_timestamp +## x509_verify function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""%): bool %{ assert(cert); @@ -789,6 +813,17 @@ StringVal* x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int ha } %%} +## Get the hash of the subject's distinguished name. +## +## cert: The X509 certificate opaque handle. +## +## hash_alg: the hash algorithm to use, according to the IANA mapping at +## https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 +## +## Returns: The hash as a string. +## +## .. bro:see:: x509_issuer_name_hash x509_spki_hash +## x509_verify sct_verify function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string %{ file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; 
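Review bot: The new doc block for `sct_verify` describes every parameter except `signature`, and its `Returns:` line says T means "the validation could be performed succesfully", which reads as "the check ran" rather than "the SCT is valid". `validate-sct.bro` assigns the result directly to `valid`, so the comment should say which meaning holds. Suggested lines are `## signature: Signature part of the SCT.` and `## Returns: T if the SCT validates against the certificate and log key, F otherwise.`, to be confirmed against the function body, which lies outside this hunk. `succesfully` and `otherwhise` are misspelled.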
@@ -796,17 +831,17 @@ function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string return x509_entity_hash(cert_handle, hash_alg, 0); %} -## Get the hash of issuer name of a certificate +## Get the hash of the issuer's distinguished name. ## ## cert: The X509 certificate opaque handle. ## -## hash_alg: the hash algorithm to use +## hash_alg: the hash algorithm to use, according to the IANA mapping at +## https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 ## -## Returns: A string of hash of issuer name. +## Returns: The hash as a string. ## -## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints -## x509_ext_subject_alternative_name x509_parse -## x509_get_certificate_string x509_verify +## .. bro:see:: x509_subject_name_hash x509_spki_hash +## x509_verify sct_verify function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string %{ file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; @@ -814,6 +849,17 @@ function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string return x509_entity_hash(cert_handle, hash_alg, 1); %} +## Get the hash of the Subject Public Key Information of the certificate. +## +## cert: The X509 certificate opaque handle. +## +## hash_alg: the hash algorithm to use, according to the IANA mapping at +## https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 +## +## Returns: The hash as a string. +## +## .. bro:see:: x509_subject_name_hash x509_issuer_name_hash +## x509_verify sct_verify function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string %{ file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif index 76208c210e..1c236bf177 100644 --- a/src/file_analysis/analyzer/x509/ocsp_events.bif +++ b/src/file_analysis/analyzer/x509/ocsp_events.bif 
@@ -1,6 +1,8 @@
 ## Event that is raised when encountering an OCSP request, e.g. in an HTTP
 ## connection. See :rfc:`6960` for more details.
 ##
+## This event is raised exactly once for each OCSP Request.
+##
 ## f: The file.
 ##
 ## req: version: the version of the OCSP request. Typically 0 (Version 1).
@@ -8,23 +10,111 @@ ## requestorName: name of the OCSP requestor. This attribute is optional; if ## it is not set, an empty string is returned here. ## +## .. bro:see:: ocsp_request_certificate ocsp_response_status +## ocsp_response_bytes ocsp_response_certificate ocsp_extension +## x509_ocsp_ext_signed_certificate_timestamp event ocsp_request%(f: fa_file, version: count, requestorName: string%); +## Event that is raised when encountering an OCSP request for a certificate, +## e.g. in an HTTP connection. See :rfc:`6960` for more details. +## +## Note that a single OCSP request can contain requests for several certificates. +## Thus this event can fire several times for one OCSP request, each time +## requesting information for a different (or in theory even the same) certificate. +## +## f: The file. +## +## hashAlgorithm: The hash algorithm used for the issuerKeyHash. +## +## issuerKeyHash: Hash of the issuers public key. +## +## serialNumber: Serial number of the certificate for which the status is requested. +## +## .. bro:see:: ocsp_request ocsp_response_status +## ocsp_response_bytes ocsp_response_certificate ocsp_extension +## x509_ocsp_ext_signed_certificate_timestamp event ocsp_request_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string%); -## Generated for encountered OCSP response +## This event is raised when encountering an OCSP reply, e.g. in an HTTP +## connection or a TLS extension. See :rfc:`6960` for more details. +## +## This event is raised exactly once for each OCSP reply. +## +## f: The file. +## +## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater). +## +## .. 
bro:see:: ocsp_request ocsp_request_certificate +## ocsp_response_bytes ocsp_response_certificate ocsp_extension +## x509_ocsp_ext_signed_certificate_timestamp +event ocsp_response_status%(f: fa_file, status: string%); + +## This event is raised when encountering an OCSP response that contains response information. +## An OCSP reply can be encountered, for example, in an HTTP connection or +## a TLS extension. See :rfc:`6960` for more details on OCSP. ## ## f: The file. ## ## req_ref: An opaque pointer to the underlying OpenSSL data structure of the -## OCSP response +## OCSP response. ## -## req: The parsed OCSP response information. +## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater). ## -event ocsp_response_status%(f: fa_file, status: string%); - +## version: Version of the OCSP response (typically - for version 1). +## +## responderId: The id of the OCSP responder; either a public key hash or a distinguished name. +## +## producedAt: Time at which the reply was produced. +## +## signatureAlgorithm: Algorithm used for the OCSP signature. +## +## certs: Optional list of certificates that are sent with the OCSP response; these typically +## are needed to perform validation of the reply. +## +## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status +## ocsp_response_certificate ocsp_extension +## x509_ocsp_ext_signed_certificate_timestamp event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%); -event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time%); +## This event is raised for each SingleResponse contained in an OCSP response. +## See :rfc:`6960` for more details on OCSP. +## +## f: The file. 
+## +## hashAlgorithm: The hash algorithm used for issuerNameHash and issuerKeyHash. +## +## issuerNameHash: Hash of the issuer's distinguished name. +## +## issuerKeyHash: Hash of the issuer's public key. +## +## serialNumber: Serial number of the affected certificate. +## +## certStatus: Status of the certificate. +## +## revokeTime: Time the certificate was revoked, 0 if not revoked. +## +## revokeTeason: Reason certificate was revoked; empty string if not revoked or not specified. +## +## thisUpdate: Time this response was generated. +## +## nextUpdate: Time next response will be ready; 0 if not supploed. +## +## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status +## ocsp_response_bytes ocsp_extension +## x509_ocsp_ext_signed_certificate_timestamp +event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time%); +## This event is raised when an OCSP extension is encountered in an OCSP response. +## See :rfc:`6960` for more details on OCSP. +## +## f: The file. +## +## ext: The parsed extension (same format as X.509 extensions). +## +## global_resp: T if extension encountered in the global response (in ResponseData), +## F when encountered in a SingleResponse. +## +## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status +## ocsp_response_bytes ocsp_response_certificate +## x509_ocsp_ext_signed_certificate_timestamp event ocsp_extension%(f: fa_file, ext: X509::Extension, global_resp: bool%); diff --git a/testing/btest/Baseline/coverage.find-bro-logs/out b/testing/btest/Baseline/coverage.find-bro-logs/out index 9ff209d2e6..09a08914fe 100644 --- a/testing/btest/Baseline/coverage.find-bro-logs/out +++ b/testing/btest/Baseline/coverage.find-bro-logs/out @@ -30,6 +30,7 @@ netcontrol_shunt notice notice_alarm ntlm +ocsp open_flow packet_filter pe 
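Review bot: Several of the new parameter docs in this hunk do not match the event signatures they sit above. `ocsp_response_bytes` documents `req_ref` while the parameter is `resp_ref`, and `ocsp_response_certificate` documents `revokeTeason` while the parameter is `revokeReason`. `ocsp_request_certificate` has no entry for `issuerNameHash` and describes `hashAlgorithm` as covering only `issuerKeyHash`, whereas the `ocsp_response_certificate` text says it covers both hashes. I would rename the two entries to `## resp_ref:` and `## revokeReason:` and add `## issuerNameHash: Hash of the issuer's distinguished name.` to the request event. The `version` entry reading "typically - for version 1" probably means 0, as the `ocsp_request` docs say, and "succesful" and "supploed" are misspelled.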
From 5acbccf44417b82e9692118238e2763d5874cd44 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 27 Jul 2017 17:07:22 -0700 Subject: [PATCH 188/631] Update CT Log list --- scripts/base/protocols/ssl/ct-list.bro | 66 ++++++++++++++++---------- 1 file changed, 40 insertions(+), 26 deletions(-) diff --git a/scripts/base/protocols/ssl/ct-list.bro b/scripts/base/protocols/ssl/ct-list.bro index 600b644df2..d48f58877c 100644 --- a/scripts/base/protocols/ssl/ct-list.bro +++ b/scripts/base/protocols/ssl/ct-list.bro 
@@ -1,34 +1,48 @@ # # Do not edit this file. This file is automatically generated by gen-ct-list.pl -# File generated at Thu Mar 16 13:41:00 2017 -# File generated from https://www.certificate-transparency.org/known-logs/all_logs_list.json?attredirects=0&d=1 +# File generated at Thu Jul 27 16:59:25 2017 +# File generated from https://www.gstatic.com/ct/log_list/all_logs_list.json # @load base/protocols/ssl module SSL; redef ct_logs += { -["\xa4\xb9\x09\x90\xb4\x18\x58\x14\x87\xbb\x13\xa2\xcc\x67\x70\x0a\x3c\x35\x98\x04\xf9\x1b\xdf\xb8\xe3\x77\xcd\x0e\xc8\x0d\xdc\x10"] = CTInfo($description="Google 'Pilot' log", $operator="Google", $url="ct.googleapis.com/pilot", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7d\xa8\x4b\x12\x29\x80\xa3\x3d\xad\xd3\x5a\x77\xb8\xcc\xe2\x88\xb3\xa5\xfd\xf1\xd3\x0c\xcd\x18\x0c\xe8\x41\x46\xe8\x81\x01\x1b\x15\xe1\x4b\xf1\x1b\x62\xdd\x36\x0a\x08\x18\xba\xed\x0b\x35\x84\xd0\x9e\x40\x3c\x2d\x9e\x9b\x82\x65\xbd\x1f\x04\x10\x41\x4c\xa0"), -["\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"] = CTInfo($description="Google 'Aviator' log", $operator="Google", $url="ct.googleapis.com/aviator", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xf4\xcc\x69\xb2\xe4\x0e\x90\xa3\x8a\xea\x5a\x70\x09\x4f\xef\x13\x62\xd0\x8d\x49\x60\xff\x1b\x40\x50\x07\x0c\x6d\x71\x86\xda\x25\x49\x8d\x65\xe1\x08\x0d\x47\x34\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85\x3b\x0d\xf7\x1f\x3f\xe9"), -["\x56\x14\x06\x9a\x2f\xd7\xc2\xec\xd3\xf5\xe1\xbd\x44\xb2\x3e\xc7\x46\x76\xb9\xbc\x99\x11\x5c\xc0\xef\x94\x98\x55\xd6\x89\xd0\xdd"] = CTInfo($description="DigiCert Log Server", $operator="DigiCert", $url="ct1.digicert-ct.com/log", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x02\x46\xc5\xbe\x1b\xbb\x82\x40\x16\xe8\xc1\xd2\xac\x19\x69\x13\x59\xf8\xf8\x70\x85\x46\x40\xb9\x38\xb0\x23\x82\xa8\x64\x4c\x7f\xbf\xbb\x34\x9f\x4a\x5f\x28\x8a\xcf\x19\xc4\x00\xf6\x36\x06\x93\x65\xed\x4c\xf5\xa9\x21\x62\x5a\xd8\x91\xeb\x38\x24\x40\xac\xe8"), -["\xee\x4b\xbd\xb7\x75\xce\x60\xba\xe1\x42\x69\x1f\xab\xe1\x9e\x66\xa3\x0f\x7e\x5f\xb0\x72\xd8\x83\x00\xc4\x7b\x89\x7a\xa8\xfd\xcb"] = CTInfo($description="Google 'Rocketeer' log", $operator="Google", $url="ct.googleapis.com/rocketeer", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x20\x5b\x18\xc8\x3c\xc1\x8b\xb3\x31\x08\x00\xbf\xa0\x90\x57\x2b\xb7\x47\x8c\x6f\xb5\x68\xb0\x8e\x90\x78\xe9\xa0\x73\xea\x4f\x28\x21\x2e\x9c\xc0\xf4\x16\x1b\xaa\xf9\xd5\xd7\xa9\x80\xc3\x4e\x2f\x52\x3c\x98\x01\x25\x46\x24\x25\x28\x23\x77\x2d\x05\xc2\x40\x7a"), -["\xcd\xb5\x17\x9b\x7f\xc1\xc0\x46\xfe\xea\x31\x13\x6a\x3f\x8f\x00\x2e\x61\x82\xfa\xf8\x89\x6f\xec\xc8\xb2\xf5\xb5\xab\x60\x49\x00"] = CTInfo($description="Certly.IO log", $operator="Certly", $url="log.certly.io", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x0b\x23\xcb\x85\x62\x98\x61\x48\x04\x73\xeb\x54\x5d\xf3\xd0\x07\x8c\x2d\x19\x2d\x8c\x36\xf5\xeb\x8f\x01\x42\x0a\x7c\x98\x26\x27\xc1\xb5\xdd\x92\x93\xb0\xae\xf8\x9b\x3d\x0c\xd8\x4c\x4e\x1d\xf9\x15\xfb\x47\x68\x7b\xba\x66\xb7\x25\x9c\xd0\x4a\xc2\x66\xdb\x48"), -["\x74\x61\xb4\xa0\x9c\xfb\x3d\x41\xd7\x51\x59\x57\x5b\x2e\x76\x49\xa4\x45\xa8\xd2\x77\x09\xb0\xcc\x56\x4a\x64\x82\xb7\xeb\x41\xa3"] = CTInfo($description="Izenpe log", $operator="Izenpe", $url="ct.izenpe.com", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x27\x64\x39\x0c\x2d\xdc\x50\x18\xf8\x21\x00\xa2\x0e\xed\x2c\xea\x3e\x75\xba\x9f\x93\x64\x09\x00\x11\xc4\x11\x17\xab\x5c\xcf\x0f\x74\xac\xb5\x97\x90\x93\x00\x5b\xb8\xeb\xf7\x27\x3d\xd9\xb2\x0a\x81\x5f\x2f\x0d\x75\x38\x94\x37\x99\x1e\xf6\x07\x76\xe0\xee\xbe"), -["\xdd\xeb\x1d\x2b\x7a\x0d\x4f\xa6\x20\x8b\x81\xad\x81\x68\x70\x7e\x2e\x8e\x9d\x01\xd5\x5c\x88\x8d\x3d\x11\xc4\xcd\xb6\xec\xbe\xcc"] = CTInfo($description="Symantec log", $operator="Symantec", $url="ct.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\xea\xac\x1c\x46\x0c\x1b\x55\xdc\x0d\xfc\xb5\x94\x27\x46\x57\x42\x70\x3a\x69\x18\xe2\xbf\x3b\xc4\xdb\xab\xa0\xf4\xb6\x6c\xc0\x53\x3f\x4d\x42\x10\x33\xf0\x58\x97\x8f\x6b\xbe\x72\xf4\x2a\xec\x1c\x42\xaa\x03\x2f\x1a\x7e\x28\x35\x76\x99\x08\x3d\x21\x14\x86"), -["\xac\x3b\x9a\xed\x7f\xa9\x67\x47\x57\x15\x9e\x6d\x7d\x57\x56\x72\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa1\x31\x3b\x75\x78\x2d"] = CTInfo($description="Venafi log", $operator="Venafi", $url="ctlog.api.venafi.com", $maximum_merge_delay=86400, 
$key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xa2\x5a\x48\x1f\x17\x52\x95\x35\xcb\xa3\x5b\x3a\x1f\x53\x82\x76\x94\xa3\xff\x80\xf2\x1c\x37\x3c\xc0\xb1\xbd\xc1\x59\x8b\xab\x2d\x65\x93\xd7\xf3\xe0\x04\xd5\x9a\x6f\xbf\xd6\x23\x76\x36\x4f\x23\x99\xcb\x54\x28\xad\x8c\x15\x4b\x65\x59\x76\x41\x4a\x9c\xa6\xf7\xb3\x3b\x7e\xb1\xa5\x49\xa4\x17\x51\x6c\x80\xdc\x2a\x90\x50\x4b\x88\x24\xe9\xa5\x12\x32\x93\x04\x48\x90\x02\xfa\x5f\x0e\x30\x87\x8e\x55\x76\x05\xee\x2a\x4c\xce\xa3\x6a\x69\x09\x6e\x25\xad\x82\x76\x0f\x84\x92\xfa\x38\xd6\x86\x4e\x24\x8f\x9b\xb0\x72\xcb\x9e\xe2\x6b\x3f\xe1\x6d\xc9\x25\x75\x23\x88\xa1\x18\x58\x06\x23\x33\x78\xda\x00\xd0\x38\x91\x67\xd2\xa6\x7d\x27\x97\x67\x5a\xc1\xf3\x2f\x17\xe6\xea\xd2\x5b\xe8\x81\xcd\xfd\x92\x68\xe7\xf3\x06\xf0\xe9\x72\x84\xee\x01\xa5\xb1\xd8\x33\xda\xce\x83\xa5\xdb\xc7\xcf\xd6\x16\x7e\x90\x75\x18\xbf\x16\xdc\x32\x3b\x6d\x8d\xab\x82\x17\x1f\x89\x20\x8d\x1d\x9a\xe6\x4d\x23\x08\xdf\x78\x6f\xc6\x05\xbf\x5f\xae\x94\x97\xdb\x5f\x64\xd4\xee\x16\x8b\xa3\x84\x6c\x71\x2b\xf1\xab\x7f\x5d\x0d\x32\xee\x04\xe2\x90\xec\x41\x9f\xfb\x39\xc1\x02\x03\x01\x00\x01"), -["\x9e\x4f\xf7\x3d\xc3\xce\x22\x0b\x69\x21\x7c\x89\x9e\x46\x80\x76\xab\xf8\xd7\x86\x36\xd5\xcc\xfc\x85\xa3\x1a\x75\x62\x8b\xa8\x8b"] = CTInfo($description="WoSign log", $operator="WoSign", $url="ct.wosign.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xec\x2f\x2b\x75\x4f\x37\xbc\xa3\x43\xba\x8b\x65\x66\x3c\x7d\x6a\xe5\x0c\x2a\xa6\xc2\xe5\x26\xfe\x0c\x7d\x4e\x7c\xf0\x3a\xbc\xe2\xd3\x22\xdc\x01\xd0\x1f\x6e\x43\x9c\x5c\x6e\x83\xad\x9c\x15\xf6\xc4\x8d\x60\xb5\x1d\xbb\xa3\x62\x69\x7e\xeb\xa7\xaa\x01\x9b"), -["\x41\xb2\xdc\x2e\x89\xe6\x3c\xe4\xaf\x1b\xa7\xbb\x29\xbf\x68\xc6\xde\xe6\xf9\xf1\xcc\x04\x7e\x30\xdf\xfa\xe3\xb3\xba\x25\x92\x63"] = CTInfo($description="WoSign ctlog", $operator="WoSign", 
$url="ctlog.wosign.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x11\x88\x7b\x2d\x66\xcb\xae\x8f\x4d\x30\x66\x27\x19\x25\x22\x93\x21\x46\xb4\x2f\x01\xd3\xc6\xf9\x2b\xd5\xc8\xba\x73\x9b\x06\xa2\xf0\x8a\x02\x9c\xd0\x6b\x46\x18\x30\x85\xba\xe9\x24\x8b\x0e\xd1\x5b\x70\x28\x0c\x7e\xf1\x3a\x45\x7f\x5a\xf3\x82\x42\x60\x31"), -["\xbc\x78\xe1\xdf\xc5\xf6\x3c\x68\x46\x49\x33\x4d\xa1\x0f\xa1\x5f\x09\x79\x69\x20\x09\xc0\x81\xb4\xf3\xf6\x91\x7f\x3e\xd9\xb8\xa5"] = CTInfo($description="Symantec VEGA log", $operator="Symantec", $url="vega.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xea\x95\x9e\x02\xff\xee\xf1\x33\x6d\x4b\x87\xbc\xcd\xfd\x19\x17\x62\xff\x94\xd3\xd0\x59\x07\x3f\x02\x2d\x1c\x90\xfe\xc8\x47\x30\x3b\xf1\xdd\x0d\xb8\x11\x0c\x5d\x1d\x86\xdd\xab\xd3\x2b\x46\x66\xfb\x6e\x65\xb7\x3b\xfd\x59\x68\xac\xdf\xa6\xf8\xce\xd2\x18\x4d"), -["\xa5\x77\xac\x9c\xed\x75\x48\xdd\x8f\x02\x5b\x67\xa2\x41\x08\x9d\xf8\x6e\x0f\x47\x6e\xc2\x03\xc2\xec\xbe\xdb\x18\x5f\x28\x26\x38"] = CTInfo($description="CNNIC CT log", $operator="CNNIC", $url="ctserver.cnnic.cn", $maximum_merge_delay=86400, 
$key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xbf\xb5\x08\x61\x9a\x29\x32\x04\xd3\x25\x63\xe9\xd8\x85\xe1\x86\xe0\x1f\xd6\x5e\x9a\xf7\x33\x3b\x80\x1b\xe7\xb6\x3e\x5f\x2d\xa1\x66\xf6\x95\x4a\x84\xa6\x21\x56\x79\xe8\xf7\x85\xee\x5d\xe3\x7c\x12\xc0\xe0\x89\x22\x09\x22\x3e\xba\x16\x95\x06\xbd\xa8\xb9\xb1\xa9\xb2\x7a\xd6\x61\x2e\x87\x11\xb9\x78\x40\x89\x75\xdb\x0c\xdc\x90\xe0\xa4\x79\xd6\xd5\x5e\x6e\xd1\x2a\xdb\x34\xf4\x99\x3f\x65\x89\x3b\x46\xc2\x29\x2c\x15\x07\x1c\xc9\x4b\x1a\x54\xf8\x6c\x1e\xaf\x60\x27\x62\x0a\x65\xd5\x9a\xb9\x50\x36\x16\x6e\x71\xf6\x1f\x01\xf7\x12\xa7\xfc\xbf\xf6\x21\xa3\x29\x90\x86\x2d\x77\xde\xbb\x4c\xd4\xcf\xfd\xd2\xcf\x82\x2c\x4d\xd4\xf2\xc2\x2d\xac\xa9\xbe\xea\xc3\x19\x25\x43\xb2\xe5\x9a\x6c\x0d\xc5\x1c\xa5\x8b\xf7\x3f\x30\xaf\xb9\x01\x91\xb7\x69\x12\x12\xe5\x83\x61\xfe\x34\x00\xbe\xf6\x71\x8a\xc7\xeb\x50\x92\xe8\x59\xfe\x15\x91\xeb\x96\x97\xf8\x23\x54\x3f\x2d\x8e\x07\xdf\xee\xda\xb3\x4f\xc8\x3c\x9d\x6f\xdf\x3c\x2c\x43\x57\xa1\x47\x0c\x91\x04\xf4\x75\x4d\xda\x89\x81\xa4\x14\x06\x34\xb9\x98\xc3\xda\xf1\xfd\xed\x33\x36\xd3\x16\x2d\x35\x02\x03\x01\x00\x01"), -["\xc9\xcf\x89\x0a\x21\x10\x9c\x66\x6c\xc1\x7a\x3e\xd0\x65\xc9\x30\xd0\xe0\x13\x5a\x9f\xeb\xa8\x5a\xf1\x42\x10\xb8\x07\x24\x21\xaa"] = CTInfo($description="Wang Shengnan GDCA log", $operator="Wang Shengnan", $url="ct.gdca.com.cn", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xad\x0f\x30\xad\x9e\x79\xa4\x38\x89\x26\x54\x86\xab\x41\x72\x90\x6f\xfb\xca\x17\xa6\xac\xee\xc6\x9f\x7d\x02\x05\xec\x41\xa8\xc7\x41\x9d\x32\x49\xad\xb0\x39\xbd\x3a\x87\x3e\x7c\xee\x68\x6c\x60\xd1\x47\x2a\x93\xae\xe1\x40\xf4\x0b\xc8\x35\x3c\x1d\x0f\x65\xd3"), -["\xa8\x99\xd8\x78\x0c\x92\x90\xaa\xf4\x62\xf3\x18\x80\xcc\xfb\xd5\x24\x51\xe9\x70\xd0\xfb\xf5\x91\xef\x75\xb0\xd9\x9b\x64\x56\x81"] = CTInfo($description="Google 'Submariner' 
log", $operator="Google", $url="ct.googleapis.com/submariner", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x39\xf8\x9f\x20\x62\xd4\x57\x55\x68\xa2\xef\x49\x2d\xf0\x39\x2d\x9a\xde\x44\xb4\x94\x30\xe0\x9e\x7a\x27\x3c\xab\x70\xf0\xd1\xfa\x51\x90\x63\x16\x57\x41\xad\xab\x6d\x1f\x80\x74\x30\x79\x02\x5e\x2d\x59\x84\x07\x24\x23\xf6\x9f\x35\xb8\x85\xb8\x42\x45\xa4\x4f"), -["\x89\x41\x44\x9c\x70\x74\x2e\x06\xb9\xfc\x9c\xe7\xb1\x16\xba\x00\x24\xaa\x36\xd5\x9a\xf4\x4f\x02\x04\x40\x4f\x00\xf7\xea\x85\x66"] = CTInfo($description="Izenpe 2nd log", $operator="Izenpe", $url="ct.izenpe.eus", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xc8\x0e\x23\x3e\x9e\x02\x3c\x9a\xb8\x07\x4a\x2a\x05\xff\x4a\x4b\x88\xd4\x8a\x4d\x39\xce\xf7\xc5\xf2\xb6\x37\xe9\xa3\xed\xe4\xf5\x45\x09\x0e\x67\x14\xfd\x53\x24\xd5\x3a\x94\xf2\xea\xb5\x13\xd9\x1d\x8b\x5c\xa7\xc3\xf3\x6b\xd8\x3f\x2d\x3b\x65\x72\x58\xd6"), -["\x34\xbb\x6a\xd6\xc3\xdf\x9c\x03\xee\xa8\xa4\x99\xff\x78\x91\x48\x6c\x9d\x5e\x5c\xac\x92\xd0\x1f\x7b\xfd\x1b\xce\x19\xdb\x48\xef"] = CTInfo($description="StartCom CT log", $operator="StartCom", $url="ct.startssl.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x48\xf3\x59\xf3\xf6\x05\x18\xd3\xdb\xb2\xed\x46\x7e\xcf\xc8\x11\xb5\x57\xb1\xa8\xd6\x4c\xe6\x9f\xb7\x4a\x1a\x14\x86\x43\xa9\x48\xb0\xcb\x5a\x3f\x3c\x4a\xca\xdf\xc4\x82\x14\x55\x9a\xf8\xf7\x8e\x40\x55\xdc\xf4\xd2\xaf\xea\x75\x74\xfb\x4e\x7f\x60\x86\x2e\x51"), -["\xbb\xd9\xdf\xbc\x1f\x8a\x71\xb5\x93\x94\x23\x97\xaa\x92\x7b\x47\x38\x57\x95\x0a\xab\x52\xe8\x1a\x90\x96\x64\x36\x8e\x1e\xd1\x85"] = CTInfo($description="Google 'Skydiver' log", $operator="Google", $url="ct.googleapis.com/skydiver", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x12\x6c\x86\x0e\xf6\x17\xb1\x12\x6c\x37\x25\xd2\xad\x87\x3d\x0e\x31\xec\x21\xad\xb1\xcd\xbe\x14\x47\xb6\x71\x56\x85\x7a\x9a\xb7\x3d\x89\x90\x7b\xc6\x32\x3a\xf8\xda\xce\x8b\x01\xfe\x3f\xfc\x71\x91\x19\x8e\x14\x6e\x89\x7a\x5d\xb4\xab\x7e\xe1\x4e\x1e\x7c\xac"), -["\x29\x3c\x51\x96\x54\xc8\x39\x65\xba\xaa\x50\xfc\x58\x07\xd4\xb7\x6f\xbf\x58\x7a\x29\x72\xdc\xa4\xc3\x0c\xf4\xe5\x45\x47\xf4\x78"] = CTInfo($description="Google 'Icarus' log", $operator="Google", $url="ct.googleapis.com/icarus", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x4e\xd2\xbc\xbf\xb3\x08\x0a\xf7\xb9\xea\xa4\xc7\x1c\x38\x61\x04\xeb\x95\xe0\x89\x54\x68\x44\xb1\x66\xbc\x82\x7e\x4f\x50\x6c\x6f\x5c\xa3\xf0\xaa\x3e\xf4\xec\x80\xf0\xdb\x0a\x9a\x7a\xa0\x5b\x72\x00\x7c\x25\x0e\x19\xef\xaf\xb2\x62\x8d\x74\x43\xf4\x26\xf6\x14"), -["\x92\x4a\x30\xf9\x09\x33\x6f\xf4\x35\xd6\x99\x3a\x10\xac\x75\xa2\xc6\x41\x72\x8e\x7f\xc2\xd6\x59\xae\x61\x88\xff\xad\x40\xce\x01"] = CTInfo($description="GDCA log", $operator="GDCA", $url="ctlog.gdca.com.cn", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x5b\x4a\xc7\x01\xb7\x74\x54\xba\x40\x9c\x43\x75\x94\x3f\xac\xef\xb3\x71\x56\xb8\xd3\xe2\x7b\xae\xa1\xb1\x3e\x53\xaa\x97\x33\xa1\x82\xbb\x5f\x5d\x1c\x0b\xfa\x85\x0d\xbc\xf7\xe5\xa0\xe0\x22\xf0\xa0\x89\xd9\x0a\x7f\x5f\x26\x94\xd3\x24\xe3\x99\x2e\xe4\x15\x8d"), -["\x1d\x02\x4b\x8e\xb1\x49\x8b\x34\x4d\xfd\x87\xea\x3e\xfc\x09\x96\xf7\x50\x6f\x23\x5d\x1d\x49\x70\x61\xa4\x77\x3c\x43\x9c\x25\xfb"] = CTInfo($description="Google 'Daedalus' log", $operator="Google", $url="ct.googleapis.com/daedalus", $maximum_merge_delay=604800, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x6e\x0c\x1c\xba\xee\x2b\x6a\x41\x85\x60\x1d\x7b\x7e\xab\x08\x2c\xfc\x0c\x0a\xa5\x08\xb3\x3e\xd5\x70\x24\xd1\x6d\x1d\x2d\xb6\xb7\xf3\x8b\x36\xdc\x23\x4d\x95\x63\x12\xbb\xe4\x86\x8d\xcc\xe9\xd1\xee\xa1\x40\xa2\xdf\x0b\xa3\x06\x0a\x30\xca\x8d\xac\xa4\x29\x56"), -["\xe0\x12\x76\x29\xe9\x04\x96\x56\x4e\x3d\x01\x47\x98\x44\x98\xaa\x48\xf8\xad\xb1\x66\x00\xeb\x79\x02\xa1\xef\x99\x09\x90\x62\x73"] = CTInfo($description="PuChuangSiDa log", $operator="Beijing PuChuangSiDa Technology Ltd.", $url="www.certificatetransparency.cn/ct/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xac\xcf\x2f\x4b\x70\xac\xf1\x0d\x96\xbf\xe8\x0a\xfe\x44\x9d\xd4\x8c\x17\x9d\xc3\x9a\x10\x11\x84\x13\xed\x8c\xf9\x37\x6d\x83\xe4\x00\x6f\xb1\x4b\xc0\xa6\x89\xc7\x61\x8f\x9a\x34\xbb\x56\x52\xca\x03\x56\x50\xef\x24\x7f\x4b\x49\xe9\x35\x81\xdd\xf0\xe7\x17\xf5\x72\xd2\x23\xc5\xe3\x13\x7f\xd7\x8e\x78\x35\x8f\x49\xde\x98\x04\x8a\x63\xaf\xad\xa2\x39\x70\x95\x84\x68\x4b\x91\x33\xfe\x4c\xe1\x32\x17\xc2\xf2\x61\xb8\x3a\x8d\x39\x7f\xd5\x95\x82\x3e\x56\x19\x50\x45\x6f\xcb\x08\x33\x0d\xd5\x19\x42\x08\x1a\x48\x42\x10\xf1\x68\xc3\xc3\x41\x13\xcb\x0d\x1e\xdb\x02\xb7\x24\x7a\x51\x96\x6e\xbc\x08\xea\x69\xaf\x6d\xef\x92\x98\x8e\x55\xf3\x65\xe5\xe8\x9c\xbe\x1a\x47\x60\x30\x7d\x7a\x80\xad\x56\x83\x7a\x93\xc3\xae\x93\x2b\x6a\x28\x8a\xa6\x5f\x63\x19\x0c\xbe\x7c\x7b\x21\x63\x41\x38\xb7\xf7\xe8\x76\x73\x6b\x85\xcc\xbc\x72\x2b\xc1\x52\xd0\x5b\x5d\x31\x4e\x9d\x2a\xf3\x4d\x9b\x64\x14\x99\x26\xc6\x71\xf8\x7b\xf8\x44\xd5\xe3\x23\x20\xf3\x0a\xd7\x8b\x51\x3e\x72\x80\xd2\x78\x78\x35\x2d\x4a\xe7\x40\x99\x11\x95\x34\xd4\x2f\x7f\xf9\x5f\x35\x37\x02\x03\x01\x00\x01"), -["\x03\x01\x9d\xf3\xfd\x85\xa6\x9a\x8e\xbd\x1f\xac\xc6\xda\x9b\xa7\x3e\x46\x97\x74\xfe\x77\xf5\x79\xfc\x5a\x08\xb8\x32\x8c\x1d\x6b"] = 
CTInfo($description="Venafi Gen2 CT log", $operator="Venafi", $url="https://ctlog-gen2.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x8e\x27\x27\x7a\xb6\x55\x09\x74\xeb\x6c\x4b\x94\x84\x65\xbc\xe4\x15\xf1\xea\x5a\xd8\x7c\x0e\x37\xce\xba\x3f\x6c\x09\xda\xe7\x29\x96\xd3\x45\x50\x6f\xde\x1e\xb4\x1c\xd2\x83\x88\xff\x29\x2f\xce\xa9\xff\xdf\x34\xde\x75\x0f\xc0\xcc\x18\x0d\x94\x2e\xfc\x37\x01"), -["\x15\x97\x04\x88\xd7\xb9\x97\xa0\x5b\xeb\x52\x51\x2a\xde\xe8\xd2\xe8\xb4\xa3\x16\x52\x64\x12\x1a\x9f\xab\xfb\xd5\xf8\x5a\xd9\x3f"] = CTInfo($description="Symantec SIRIUS log", $operator="Symantec", $url="sirius.ws.symantec.com", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa3\x02\x64\x84\x22\xbb\x25\xec\x0d\xe3\xbc\xc2\xc9\x89\x7d\xdd\x45\xd0\xee\xe6\x15\x85\x8f\xd9\xe7\x17\x1b\x13\x80\xea\xed\xb2\x85\x37\xad\x6a\xc5\xd8\x25\x9d\xfa\xf4\xb4\xf3\x6e\x16\x28\x25\x37\xea\xa3\x37\x64\xb2\xc7\x0b\xfd\x51\xe5\xc1\x05\xf4\x0e\xb5"), -["\x87\x75\xbf\xe7\x59\x7c\xf8\x8c\x43\x99\x5f\xbd\xf3\x6e\xff\x56\x8d\x47\x56\x36\xff\x4a\xb5\x60\xc1\xb4\xea\xff\x5e\xa0\x83\x0f"] = CTInfo($description="DigiCert CT2 log", $operator="DigiCert", $url="ct2.digicert-ct.com/log", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x5d\x39\x2f\x66\xb8\x4c\x7f\xc1\x2e\x03\xa1\x34\xa3\xe8\x8a\x86\x02\xae\x4a\x11\xc6\xf7\x26\x6a\x37\x9b\xf0\x38\xf8\x5d\x09\x8d\x63\xe8\x31\x6b\x86\x66\xcf\x79\xb3\x25\x3c\x1e\xdf\x78\xb4\xa8\xc5\x69\xfa\xb7\xf0\x82\x79\x62\x43\xf6\xcc\xfe\x81\x66\x84"), +["\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"] = CTInfo($description="Google 'Aviator' log", $operator="Google", 
$url="ct.googleapis.com/aviator/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xf4\xcc\x69\xb2\xe4\x0e\x90\xa3\x8a\xea\x5a\x70\x09\x4f\xef\x13\x62\xd0\x8d\x49\x60\xff\x1b\x40\x50\x07\x0c\x6d\x71\x86\xda\x25\x49\x8d\x65\xe1\x08\x0d\x47\x34\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85\x3b\x0d\xf7\x1f\x3f\xe9"), +["\x29\x3c\x51\x96\x54\xc8\x39\x65\xba\xaa\x50\xfc\x58\x07\xd4\xb7\x6f\xbf\x58\x7a\x29\x72\xdc\xa4\xc3\x0c\xf4\xe5\x45\x47\xf4\x78"] = CTInfo($description="Google 'Icarus' log", $operator="Google", $url="ct.googleapis.com/icarus/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x4e\xd2\xbc\xbf\xb3\x08\x0a\xf7\xb9\xea\xa4\xc7\x1c\x38\x61\x04\xeb\x95\xe0\x89\x54\x68\x44\xb1\x66\xbc\x82\x7e\x4f\x50\x6c\x6f\x5c\xa3\xf0\xaa\x3e\xf4\xec\x80\xf0\xdb\x0a\x9a\x7a\xa0\x5b\x72\x00\x7c\x25\x0e\x19\xef\xaf\xb2\x62\x8d\x74\x43\xf4\x26\xf6\x14"), +["\xa4\xb9\x09\x90\xb4\x18\x58\x14\x87\xbb\x13\xa2\xcc\x67\x70\x0a\x3c\x35\x98\x04\xf9\x1b\xdf\xb8\xe3\x77\xcd\x0e\xc8\x0d\xdc\x10"] = CTInfo($description="Google 'Pilot' log", $operator="Google", $url="ct.googleapis.com/pilot/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7d\xa8\x4b\x12\x29\x80\xa3\x3d\xad\xd3\x5a\x77\xb8\xcc\xe2\x88\xb3\xa5\xfd\xf1\xd3\x0c\xcd\x18\x0c\xe8\x41\x46\xe8\x81\x01\x1b\x15\xe1\x4b\xf1\x1b\x62\xdd\x36\x0a\x08\x18\xba\xed\x0b\x35\x84\xd0\x9e\x40\x3c\x2d\x9e\x9b\x82\x65\xbd\x1f\x04\x10\x41\x4c\xa0"), +["\xee\x4b\xbd\xb7\x75\xce\x60\xba\xe1\x42\x69\x1f\xab\xe1\x9e\x66\xa3\x0f\x7e\x5f\xb0\x72\xd8\x83\x00\xc4\x7b\x89\x7a\xa8\xfd\xcb"] = CTInfo($description="Google 'Rocketeer' log", $operator="Google", $url="ct.googleapis.com/rocketeer/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x20\x5b\x18\xc8\x3c\xc1\x8b\xb3\x31\x08\x00\xbf\xa0\x90\x57\x2b\xb7\x47\x8c\x6f\xb5\x68\xb0\x8e\x90\x78\xe9\xa0\x73\xea\x4f\x28\x21\x2e\x9c\xc0\xf4\x16\x1b\xaa\xf9\xd5\xd7\xa9\x80\xc3\x4e\x2f\x52\x3c\x98\x01\x25\x46\x24\x25\x28\x23\x77\x2d\x05\xc2\x40\x7a"), +["\xbb\xd9\xdf\xbc\x1f\x8a\x71\xb5\x93\x94\x23\x97\xaa\x92\x7b\x47\x38\x57\x95\x0a\xab\x52\xe8\x1a\x90\x96\x64\x36\x8e\x1e\xd1\x85"] = CTInfo($description="Google 'Skydiver' log", $operator="Google", $url="ct.googleapis.com/skydiver/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x12\x6c\x86\x0e\xf6\x17\xb1\x12\x6c\x37\x25\xd2\xad\x87\x3d\x0e\x31\xec\x21\xad\xb1\xcd\xbe\x14\x47\xb6\x71\x56\x85\x7a\x9a\xb7\x3d\x89\x90\x7b\xc6\x32\x3a\xf8\xda\xce\x8b\x01\xfe\x3f\xfc\x71\x91\x19\x8e\x14\x6e\x89\x7a\x5d\xb4\xab\x7e\xe1\x4e\x1e\x7c\xac"), +["\xa8\x99\xd8\x78\x0c\x92\x90\xaa\xf4\x62\xf3\x18\x80\xcc\xfb\xd5\x24\x51\xe9\x70\xd0\xfb\xf5\x91\xef\x75\xb0\xd9\x9b\x64\x56\x81"] = CTInfo($description="Google 'Submariner' log", $operator="Google", $url="ct.googleapis.com/submariner/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x39\xf8\x9f\x20\x62\xd4\x57\x55\x68\xa2\xef\x49\x2d\xf0\x39\x2d\x9a\xde\x44\xb4\x94\x30\xe0\x9e\x7a\x27\x3c\xab\x70\xf0\xd1\xfa\x51\x90\x63\x16\x57\x41\xad\xab\x6d\x1f\x80\x74\x30\x79\x02\x5e\x2d\x59\x84\x07\x24\x23\xf6\x9f\x35\xb8\x85\xb8\x42\x45\xa4\x4f"), +["\x1d\x02\x4b\x8e\xb1\x49\x8b\x34\x4d\xfd\x87\xea\x3e\xfc\x09\x96\xf7\x50\x6f\x23\x5d\x1d\x49\x70\x61\xa4\x77\x3c\x43\x9c\x25\xfb"] = CTInfo($description="Google 'Daedalus' log", $operator="Google", $url="ct.googleapis.com/daedalus/", $maximum_merge_delay=604800, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x6e\x0c\x1c\xba\xee\x2b\x6a\x41\x85\x60\x1d\x7b\x7e\xab\x08\x2c\xfc\x0c\x0a\xa5\x08\xb3\x3e\xd5\x70\x24\xd1\x6d\x1d\x2d\xb6\xb7\xf3\x8b\x36\xdc\x23\x4d\x95\x63\x12\xbb\xe4\x86\x8d\xcc\xe9\xd1\xee\xa1\x40\xa2\xdf\x0b\xa3\x06\x0a\x30\xca\x8d\xac\xa4\x29\x56"), +["\xb0\xcc\x83\xe5\xa5\xf9\x7d\x6b\xaf\x7c\x09\xcc\x28\x49\x04\x87\x2a\xc7\xe8\x8b\x13\x2c\x63\x50\xb7\xc6\xfd\x26\xe1\x6c\x6c\x77"] = CTInfo($description="Google 'Testtube' log", $operator="Google", $url="ct.googleapis.com/testtube/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xc3\xc8\xbc\x4b\xba\xa2\x18\x4b\x3d\x35\x7b\xf4\x64\x91\x61\xea\xeb\x8e\x99\x1d\x90\xed\xd3\xe9\xaf\x39\x3d\x5c\xd3\x46\x91\x45\xe3\xce\xac\x76\x48\x3b\xd1\x7e\x2c\x0a\x63\x00\x65\x8d\xf5\xae\x8e\x8c\xc7\x11\x25\x4f\x43\x2c\x9d\x19\xa1\xe1\x91\xa4\xb3\xfe"), +["\x56\x14\x06\x9a\x2f\xd7\xc2\xec\xd3\xf5\xe1\xbd\x44\xb2\x3e\xc7\x46\x76\xb9\xbc\x99\x11\x5c\xc0\xef\x94\x98\x55\xd6\x89\xd0\xdd"] = CTInfo($description="DigiCert Log Server", $operator="DigiCert", $url="ct1.digicert-ct.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x02\x46\xc5\xbe\x1b\xbb\x82\x40\x16\xe8\xc1\xd2\xac\x19\x69\x13\x59\xf8\xf8\x70\x85\x46\x40\xb9\x38\xb0\x23\x82\xa8\x64\x4c\x7f\xbf\xbb\x34\x9f\x4a\x5f\x28\x8a\xcf\x19\xc4\x00\xf6\x36\x06\x93\x65\xed\x4c\xf5\xa9\x21\x62\x5a\xd8\x91\xeb\x38\x24\x40\xac\xe8"), +["\x87\x75\xbf\xe7\x59\x7c\xf8\x8c\x43\x99\x5f\xbd\xf3\x6e\xff\x56\x8d\x47\x56\x36\xff\x4a\xb5\x60\xc1\xb4\xea\xff\x5e\xa0\x83\x0f"] = CTInfo($description="DigiCert Log Server 2", $operator="DigiCert", $url="ct2.digicert-ct.com/log/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x5d\x39\x2f\x66\xb8\x4c\x7f\xc1\x2e\x03\xa1\x34\xa3\xe8\x8a\x86\x02\xae\x4a\x11\xc6\xf7\x26\x6a\x37\x9b\xf0\x38\xf8\x5d\x09\x8d\x63\xe8\x31\x6b\x86\x66\xcf\x79\xb3\x25\x3c\x1e\xdf\x78\xb4\xa8\xc5\x69\xfa\xb7\xf0\x82\x79\x62\x43\xf6\xcc\xfe\x81\x66\x84"), +["\xdd\xeb\x1d\x2b\x7a\x0d\x4f\xa6\x20\x8b\x81\xad\x81\x68\x70\x7e\x2e\x8e\x9d\x01\xd5\x5c\x88\x8d\x3d\x11\xc4\xcd\xb6\xec\xbe\xcc"] = CTInfo($description="Symantec log", $operator="Symantec", $url="ct.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\xea\xac\x1c\x46\x0c\x1b\x55\xdc\x0d\xfc\xb5\x94\x27\x46\x57\x42\x70\x3a\x69\x18\xe2\xbf\x3b\xc4\xdb\xab\xa0\xf4\xb6\x6c\xc0\x53\x3f\x4d\x42\x10\x33\xf0\x58\x97\x8f\x6b\xbe\x72\xf4\x2a\xec\x1c\x42\xaa\x03\x2f\x1a\x7e\x28\x35\x76\x99\x08\x3d\x21\x14\x86"), +["\xbc\x78\xe1\xdf\xc5\xf6\x3c\x68\x46\x49\x33\x4d\xa1\x0f\xa1\x5f\x09\x79\x69\x20\x09\xc0\x81\xb4\xf3\xf6\x91\x7f\x3e\xd9\xb8\xa5"] = CTInfo($description="Symantec 'Vega' log", $operator="Symantec", $url="vega.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xea\x95\x9e\x02\xff\xee\xf1\x33\x6d\x4b\x87\xbc\xcd\xfd\x19\x17\x62\xff\x94\xd3\xd0\x59\x07\x3f\x02\x2d\x1c\x90\xfe\xc8\x47\x30\x3b\xf1\xdd\x0d\xb8\x11\x0c\x5d\x1d\x86\xdd\xab\xd3\x2b\x46\x66\xfb\x6e\x65\xb7\x3b\xfd\x59\x68\xac\xdf\xa6\xf8\xce\xd2\x18\x4d"), +["\xa7\xce\x4a\x4e\x62\x07\xe0\xad\xde\xe5\xfd\xaa\x4b\x1f\x86\x76\x87\x67\xb5\xd0\x02\xa5\x5d\x47\x31\x0e\x7e\x67\x0a\x95\xea\xb2"] = CTInfo($description="Symantec Deneb", $operator="Symantec", $url="deneb.ws.symantec.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\x82\x1e\xa3\xcd\x3a\x80\x84\x1e\x97\xb8\xb7\x07\x19\xae\x76\x1a\x0e\xf8\x55\x76\x9d\x12\x33\x4e\x91\x88\xe4\xd0\x48\x50\x5c\xc1\x9f\x6a\x72\xd6\x01\xf5\x14\xd6\xd0\x38\x6e\xe1\x32\xbc\x67\x0d\x37\xe8\xba\x22\x10\xd1\x72\x86\x79\x28\x96\xf9\x17\x1e\x98"), +["\x15\x97\x04\x88\xd7\xb9\x97\xa0\x5b\xeb\x52\x51\x2a\xde\xe8\xd2\xe8\xb4\xa3\x16\x52\x64\x12\x1a\x9f\xab\xfb\xd5\xf8\x5a\xd9\x3f"] = CTInfo($description="Symantec 'Sirius' log", $operator="Symantec", $url="sirius.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa3\x02\x64\x84\x22\xbb\x25\xec\x0d\xe3\xbc\xc2\xc9\x89\x7d\xdd\x45\xd0\xee\xe6\x15\x85\x8f\xd9\xe7\x17\x1b\x13\x80\xea\xed\xb2\x85\x37\xad\x6a\xc5\xd8\x25\x9d\xfa\xf4\xb4\xf3\x6e\x16\x28\x25\x37\xea\xa3\x37\x64\xb2\xc7\x0b\xfd\x51\xe5\xc1\x05\xf4\x0e\xb5"), +["\xcd\xb5\x17\x9b\x7f\xc1\xc0\x46\xfe\xea\x31\x13\x6a\x3f\x8f\x00\x2e\x61\x82\xfa\xf8\x89\x6f\xec\xc8\xb2\xf5\xb5\xab\x60\x49\x00"] = CTInfo($description="Certly.IO log", $operator="Certly", $url="log.certly.io/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x0b\x23\xcb\x85\x62\x98\x61\x48\x04\x73\xeb\x54\x5d\xf3\xd0\x07\x8c\x2d\x19\x2d\x8c\x36\xf5\xeb\x8f\x01\x42\x0a\x7c\x98\x26\x27\xc1\xb5\xdd\x92\x93\xb0\xae\xf8\x9b\x3d\x0c\xd8\x4c\x4e\x1d\xf9\x15\xfb\x47\x68\x7b\xba\x66\xb7\x25\x9c\xd0\x4a\xc2\x66\xdb\x48"), +["\x74\x61\xb4\xa0\x9c\xfb\x3d\x41\xd7\x51\x59\x57\x5b\x2e\x76\x49\xa4\x45\xa8\xd2\x77\x09\xb0\xcc\x56\x4a\x64\x82\xb7\xeb\x41\xa3"] = CTInfo($description="Izenpe log", $operator="Izenpe", $url="ct.izenpe.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x27\x64\x39\x0c\x2d\xdc\x50\x18\xf8\x21\x00\xa2\x0e\xed\x2c\xea\x3e\x75\xba\x9f\x93\x64\x09\x00\x11\xc4\x11\x17\xab\x5c\xcf\x0f\x74\xac\xb5\x97\x90\x93\x00\x5b\xb8\xeb\xf7\x27\x3d\xd9\xb2\x0a\x81\x5f\x2f\x0d\x75\x38\x94\x37\x99\x1e\xf6\x07\x76\xe0\xee\xbe"), +["\x89\x41\x44\x9c\x70\x74\x2e\x06\xb9\xfc\x9c\xe7\xb1\x16\xba\x00\x24\xaa\x36\xd5\x9a\xf4\x4f\x02\x04\x40\x4f\x00\xf7\xea\x85\x66"] = CTInfo($description="Izenpe 'Argi' log", $operator="Izenpe", $url="ct.izenpe.eus/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xc8\x0e\x23\x3e\x9e\x02\x3c\x9a\xb8\x07\x4a\x2a\x05\xff\x4a\x4b\x88\xd4\x8a\x4d\x39\xce\xf7\xc5\xf2\xb6\x37\xe9\xa3\xed\xe4\xf5\x45\x09\x0e\x67\x14\xfd\x53\x24\xd5\x3a\x94\xf2\xea\xb5\x13\xd9\x1d\x8b\x5c\xa7\xc3\xf3\x6b\xd8\x3f\x2d\x3b\x65\x72\x58\xd6"), +["\x9e\x4f\xf7\x3d\xc3\xce\x22\x0b\x69\x21\x7c\x89\x9e\x46\x80\x76\xab\xf8\xd7\x86\x36\xd5\xcc\xfc\x85\xa3\x1a\x75\x62\x8b\xa8\x8b"] = CTInfo($description="WoSign CT log #1", $operator="Wosign", $url="ct.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xec\x2f\x2b\x75\x4f\x37\xbc\xa3\x43\xba\x8b\x65\x66\x3c\x7d\x6a\xe5\x0c\x2a\xa6\xc2\xe5\x26\xfe\x0c\x7d\x4e\x7c\xf0\x3a\xbc\xe2\xd3\x22\xdc\x01\xd0\x1f\x6e\x43\x9c\x5c\x6e\x83\xad\x9c\x15\xf6\xc4\x8d\x60\xb5\x1d\xbb\xa3\x62\x69\x7e\xeb\xa7\xaa\x01\x9b"), +["\x41\xb2\xdc\x2e\x89\xe6\x3c\xe4\xaf\x1b\xa7\xbb\x29\xbf\x68\xc6\xde\xe6\xf9\xf1\xcc\x04\x7e\x30\xdf\xfa\xe3\xb3\xba\x25\x92\x63"] = CTInfo($description="WoSign log", $operator="Wosign", $url="ctlog.wosign.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x11\x88\x7b\x2d\x66\xcb\xae\x8f\x4d\x30\x66\x27\x19\x25\x22\x93\x21\x46\xb4\x2f\x01\xd3\xc6\xf9\x2b\xd5\xc8\xba\x73\x9b\x06\xa2\xf0\x8a\x02\x9c\xd0\x6b\x46\x18\x30\x85\xba\xe9\x24\x8b\x0e\xd1\x5b\x70\x28\x0c\x7e\xf1\x3a\x45\x7f\x5a\xf3\x82\x42\x60\x31"), +["\x63\xd0\x00\x60\x26\xdd\xe1\x0b\xb0\x60\x1f\x45\x24\x46\x96\x5e\xe2\xb6\xea\x2c\xd4\xfb\xc9\x5a\xc8\x66\xa5\x50\xaf\x90\x75\xb7"] = CTInfo($description="WoSign log 2", $operator="Wosign", $url="ctlog2.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa5\x8c\xe8\x35\x2e\x8e\xe5\x6a\x75\xad\x5c\x4b\x31\x61\x29\x9d\x30\x57\x8e\x02\x13\x5f\xe9\xca\xbb\x52\xa8\x43\x05\x60\xbf\x0d\x73\x57\x77\xb2\x05\xd8\x67\xf6\xf0\x33\xc9\xf9\x44\xde\xb6\x53\x73\xaa\x0c\x55\xc2\x83\x0a\x4b\xce\x5e\x1a\xc7\x17\x1d\xb3\xcd"), +["\xc9\xcf\x89\x0a\x21\x10\x9c\x66\x6c\xc1\x7a\x3e\xd0\x65\xc9\x30\xd0\xe0\x13\x5a\x9f\xeb\xa8\x5a\xf1\x42\x10\xb8\x07\x24\x21\xaa"] = CTInfo($description="GDCA CT log #1", $operator="Wang Shengnan", $url="ct.gdca.com.cn/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xad\x0f\x30\xad\x9e\x79\xa4\x38\x89\x26\x54\x86\xab\x41\x72\x90\x6f\xfb\xca\x17\xa6\xac\xee\xc6\x9f\x7d\x02\x05\xec\x41\xa8\xc7\x41\x9d\x32\x49\xad\xb0\x39\xbd\x3a\x87\x3e\x7c\xee\x68\x6c\x60\xd1\x47\x2a\x93\xae\xe1\x40\xf4\x0b\xc8\x35\x3c\x1d\x0f\x65\xd3"), +["\x92\x4a\x30\xf9\x09\x33\x6f\xf4\x35\xd6\x99\x3a\x10\xac\x75\xa2\xc6\x41\x72\x8e\x7f\xc2\xd6\x59\xae\x61\x88\xff\xad\x40\xce\x01"] = CTInfo($description="GDCA CT log #2", $operator="GDCA", $url="ctlog.gdca.com.cn/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x5b\x4a\xc7\x01\xb7\x74\x54\xba\x40\x9c\x43\x75\x94\x3f\xac\xef\xb3\x71\x56\xb8\xd3\xe2\x7b\xae\xa1\xb1\x3e\x53\xaa\x97\x33\xa1\x82\xbb\x5f\x5d\x1c\x0b\xfa\x85\x0d\xbc\xf7\xe5\xa0\xe0\x22\xf0\xa0\x89\xd9\x0a\x7f\x5f\x26\x94\xd3\x24\xe3\x99\x2e\xe4\x15\x8d"), +["\xdb\x76\xfd\xad\xac\x65\xe7\xd0\x95\x08\x88\x6e\x21\x59\xbd\x8b\x90\x35\x2f\x5f\xea\xd3\xe3\xdc\x5e\x22\xeb\x35\x0a\xcc\x7b\x98"] = CTInfo($description="Comodo 'Dodo' CT log", $operator="Comodo", $url="dodo.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x2c\xf5\xc2\x31\xf5\x63\x43\x6a\x16\x4a\x0a\xde\xc2\xee\x1f\x21\x6e\x12\x7e\x1d\xe5\x72\x8f\x74\x0b\x02\x99\xd3\xad\x69\xbc\x02\x35\x79\xf9\x61\xe9\xcf\x00\x08\x4f\x74\xa4\xa3\x34\x9a\xe0\x43\x1c\x23\x7e\x8f\x41\xd5\xee\xc7\x1c\xa3\x82\x8a\x40\xfa\xaa\xe0"), +["\xac\x3b\x9a\xed\x7f\xa9\x67\x47\x57\x15\x9e\x6d\x7d\x57\x56\x72\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa1\x31\x3b\x75\x78\x2d"] = CTInfo($description="Venafi log", $operator="Venafi", $url="ctlog.api.venafi.com/", $maximum_merge_delay=86400, 
$key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xa2\x5a\x48\x1f\x17\x52\x95\x35\xcb\xa3\x5b\x3a\x1f\x53\x82\x76\x94\xa3\xff\x80\xf2\x1c\x37\x3c\xc0\xb1\xbd\xc1\x59\x8b\xab\x2d\x65\x93\xd7\xf3\xe0\x04\xd5\x9a\x6f\xbf\xd6\x23\x76\x36\x4f\x23\x99\xcb\x54\x28\xad\x8c\x15\x4b\x65\x59\x76\x41\x4a\x9c\xa6\xf7\xb3\x3b\x7e\xb1\xa5\x49\xa4\x17\x51\x6c\x80\xdc\x2a\x90\x50\x4b\x88\x24\xe9\xa5\x12\x32\x93\x04\x48\x90\x02\xfa\x5f\x0e\x30\x87\x8e\x55\x76\x05\xee\x2a\x4c\xce\xa3\x6a\x69\x09\x6e\x25\xad\x82\x76\x0f\x84\x92\xfa\x38\xd6\x86\x4e\x24\x8f\x9b\xb0\x72\xcb\x9e\xe2\x6b\x3f\xe1\x6d\xc9\x25\x75\x23\x88\xa1\x18\x58\x06\x23\x33\x78\xda\x00\xd0\x38\x91\x67\xd2\xa6\x7d\x27\x97\x67\x5a\xc1\xf3\x2f\x17\xe6\xea\xd2\x5b\xe8\x81\xcd\xfd\x92\x68\xe7\xf3\x06\xf0\xe9\x72\x84\xee\x01\xa5\xb1\xd8\x33\xda\xce\x83\xa5\xdb\xc7\xcf\xd6\x16\x7e\x90\x75\x18\xbf\x16\xdc\x32\x3b\x6d\x8d\xab\x82\x17\x1f\x89\x20\x8d\x1d\x9a\xe6\x4d\x23\x08\xdf\x78\x6f\xc6\x05\xbf\x5f\xae\x94\x97\xdb\x5f\x64\xd4\xee\x16\x8b\xa3\x84\x6c\x71\x2b\xf1\xab\x7f\x5d\x0d\x32\xee\x04\xe2\x90\xec\x41\x9f\xfb\x39\xc1\x02\x03\x01\x00\x01"), +["\x03\x01\x9d\xf3\xfd\x85\xa6\x9a\x8e\xbd\x1f\xac\xc6\xda\x9b\xa7\x3e\x46\x97\x74\xfe\x77\xf5\x79\xfc\x5a\x08\xb8\x32\x8c\x1d\x6b"] = CTInfo($description="Venafi Gen2 CT log", $operator="Venafi", $url="ctlog-gen2.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x8e\x27\x27\x7a\xb6\x55\x09\x74\xeb\x6c\x4b\x94\x84\x65\xbc\xe4\x15\xf1\xea\x5a\xd8\x7c\x0e\x37\xce\xba\x3f\x6c\x09\xda\xe7\x29\x96\xd3\x45\x50\x6f\xde\x1e\xb4\x1c\xd2\x83\x88\xff\x29\x2f\xce\xa9\xff\xdf\x34\xde\x75\x0f\xc0\xcc\x18\x0d\x94\x2e\xfc\x37\x01"), +["\xa5\x77\xac\x9c\xed\x75\x48\xdd\x8f\x02\x5b\x67\xa2\x41\x08\x9d\xf8\x6e\x0f\x47\x6e\xc2\x03\xc2\xec\xbe\xdb\x18\x5f\x28\x26\x38"] = CTInfo($description="CNNIC CT log", 
$operator="CNNIC", $url="ctserver.cnnic.cn/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xbf\xb5\x08\x61\x9a\x29\x32\x04\xd3\x25\x63\xe9\xd8\x85\xe1\x86\xe0\x1f\xd6\x5e\x9a\xf7\x33\x3b\x80\x1b\xe7\xb6\x3e\x5f\x2d\xa1\x66\xf6\x95\x4a\x84\xa6\x21\x56\x79\xe8\xf7\x85\xee\x5d\xe3\x7c\x12\xc0\xe0\x89\x22\x09\x22\x3e\xba\x16\x95\x06\xbd\xa8\xb9\xb1\xa9\xb2\x7a\xd6\x61\x2e\x87\x11\xb9\x78\x40\x89\x75\xdb\x0c\xdc\x90\xe0\xa4\x79\xd6\xd5\x5e\x6e\xd1\x2a\xdb\x34\xf4\x99\x3f\x65\x89\x3b\x46\xc2\x29\x2c\x15\x07\x1c\xc9\x4b\x1a\x54\xf8\x6c\x1e\xaf\x60\x27\x62\x0a\x65\xd5\x9a\xb9\x50\x36\x16\x6e\x71\xf6\x1f\x01\xf7\x12\xa7\xfc\xbf\xf6\x21\xa3\x29\x90\x86\x2d\x77\xde\xbb\x4c\xd4\xcf\xfd\xd2\xcf\x82\x2c\x4d\xd4\xf2\xc2\x2d\xac\xa9\xbe\xea\xc3\x19\x25\x43\xb2\xe5\x9a\x6c\x0d\xc5\x1c\xa5\x8b\xf7\x3f\x30\xaf\xb9\x01\x91\xb7\x69\x12\x12\xe5\x83\x61\xfe\x34\x00\xbe\xf6\x71\x8a\xc7\xeb\x50\x92\xe8\x59\xfe\x15\x91\xeb\x96\x97\xf8\x23\x54\x3f\x2d\x8e\x07\xdf\xee\xda\xb3\x4f\xc8\x3c\x9d\x6f\xdf\x3c\x2c\x43\x57\xa1\x47\x0c\x91\x04\xf4\x75\x4d\xda\x89\x81\xa4\x14\x06\x34\xb9\x98\xc3\xda\xf1\xfd\xed\x33\x36\xd3\x16\x2d\x35\x02\x03\x01\x00\x01"), +["\x34\xbb\x6a\xd6\xc3\xdf\x9c\x03\xee\xa8\xa4\x99\xff\x78\x91\x48\x6c\x9d\x5e\x5c\xac\x92\xd0\x1f\x7b\xfd\x1b\xce\x19\xdb\x48\xef"] = CTInfo($description="StartCom log", $operator="StartSSL", $url="ct.startssl.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x48\xf3\x59\xf3\xf6\x05\x18\xd3\xdb\xb2\xed\x46\x7e\xcf\xc8\x11\xb5\x57\xb1\xa8\xd6\x4c\xe6\x9f\xb7\x4a\x1a\x14\x86\x43\xa9\x48\xb0\xcb\x5a\x3f\x3c\x4a\xca\xdf\xc4\x82\x14\x55\x9a\xf8\xf7\x8e\x40\x55\xdc\xf4\xd2\xaf\xea\x75\x74\xfb\x4e\x7f\x60\x86\x2e\x51"), 
+["\xe0\x12\x76\x29\xe9\x04\x96\x56\x4e\x3d\x01\x47\x98\x44\x98\xaa\x48\xf8\xad\xb1\x66\x00\xeb\x79\x02\xa1\xef\x99\x09\x90\x62\x73"] = CTInfo($description="PuChuangSiDa CT log", $operator="Beijing PuChuangSiDa Technology Ltd.", $url="www.certificatetransparency.cn/ct/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xac\xcf\x2f\x4b\x70\xac\xf1\x0d\x96\xbf\xe8\x0a\xfe\x44\x9d\xd4\x8c\x17\x9d\xc3\x9a\x10\x11\x84\x13\xed\x8c\xf9\x37\x6d\x83\xe4\x00\x6f\xb1\x4b\xc0\xa6\x89\xc7\x61\x8f\x9a\x34\xbb\x56\x52\xca\x03\x56\x50\xef\x24\x7f\x4b\x49\xe9\x35\x81\xdd\xf0\xe7\x17\xf5\x72\xd2\x23\xc5\xe3\x13\x7f\xd7\x8e\x78\x35\x8f\x49\xde\x98\x04\x8a\x63\xaf\xad\xa2\x39\x70\x95\x84\x68\x4b\x91\x33\xfe\x4c\xe1\x32\x17\xc2\xf2\x61\xb8\x3a\x8d\x39\x7f\xd5\x95\x82\x3e\x56\x19\x50\x45\x6f\xcb\x08\x33\x0d\xd5\x19\x42\x08\x1a\x48\x42\x10\xf1\x68\xc3\xc3\x41\x13\xcb\x0d\x1e\xdb\x02\xb7\x24\x7a\x51\x96\x6e\xbc\x08\xea\x69\xaf\x6d\xef\x92\x98\x8e\x55\xf3\x65\xe5\xe8\x9c\xbe\x1a\x47\x60\x30\x7d\x7a\x80\xad\x56\x83\x7a\x93\xc3\xae\x93\x2b\x6a\x28\x8a\xa6\x5f\x63\x19\x0c\xbe\x7c\x7b\x21\x63\x41\x38\xb7\xf7\xe8\x76\x73\x6b\x85\xcc\xbc\x72\x2b\xc1\x52\xd0\x5b\x5d\x31\x4e\x9d\x2a\xf3\x4d\x9b\x64\x14\x99\x26\xc6\x71\xf8\x7b\xf8\x44\xd5\xe3\x23\x20\xf3\x0a\xd7\x8b\x51\x3e\x72\x80\xd2\x78\x78\x35\x2d\x4a\xe7\x40\x99\x11\x95\x34\xd4\x2f\x7f\xf9\x5f\x35\x37\x02\x03\x01\x00\x01"), +["\x55\x81\xd4\xc2\x16\x90\x36\x01\x4a\xea\x0b\x9b\x57\x3c\x53\xf0\xc0\xe4\x38\x78\x70\x25\x08\x17\x2f\xa3\xaa\x1d\x07\x13\xd3\x0c"] = CTInfo($description="Comodo 'Sabre' CT log", $operator="Comodo", $url="sabre.ct.comodo.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf2\x6f\xd2\x89\x0f\x3f\xc5\xf8\x87\x1e\xab\x65\xb3\xd9\xbb\x17\x23\x8c\x06\x0e\x09\x55\x96\x3d\x0a\x08\xa2\xc5\x71\xb3\xd1\xa9\x2f\x28\x3e\x83\x10\xbf\x12\xd0\x44\x66\x15\xef\x54\xe1\x98\x80\xd0\xce\x24\x6d\x3e\x67\x9a\xe9\x37\x23\xce\x52\x93\x86\xda\x80"), +["\x6f\x53\x76\xac\x31\xf0\x31\x19\xd8\x99\x00\xa4\x51\x15\xff\x77\x15\x1c\x11\xd9\x02\xc1\x00\x29\x06\x8d\xb2\x08\x9a\x37\xd9\x13"] = CTInfo($description="Comodo 'Mammoth' CT log", $operator="Comodo", $url="mammoth.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xef\xe4\x7d\x74\x2e\x15\x15\xb6\xe9\xbb\x23\x8b\xfb\x2c\xb5\xe1\xc7\x80\x98\x47\xfb\x40\x69\x68\xfc\x49\xad\x61\x4e\x83\x47\x3c\x1a\xb7\x8d\xdf\xff\x7b\x30\xb4\xba\xff\x2f\xcb\xa0\x14\xe3\xad\xd5\x85\x3f\x44\x59\x8c\x8c\x60\x8b\xd7\xb8\xb1\xbf\xae\x8c\x67"), +["\x53\x7b\x69\xa3\x56\x43\x35\xa9\xc0\x49\x04\xe3\x95\x93\xb2\xc2\x98\xeb\x8d\x7a\x6e\x83\x02\x36\x35\xc6\x27\x24\x8c\xd6\xb4\x40"] = CTInfo($description="Nordu 'flimsy' log", $operator="NORDUnet", $url="flimsy.ct.nordu.net:8080/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xe2\xa5\xaa\xe9\xa7\xe1\x05\x48\xb4\x39\xd7\x16\x51\x88\x72\x24\xb3\x57\x4e\x41\xaa\x43\xd3\xcc\x4b\x99\x6a\xa0\x28\x24\x57\x68\x75\x66\xfa\x4d\x8c\x11\xf6\xbb\xc5\x1b\x81\xc3\x90\xc2\xa0\xe8\xeb\xac\xfa\x05\x64\x09\x1a\x89\x68\xcd\x96\x26\x34\x71\x36\x91"), +["\xaa\xe7\x0b\x7f\x3c\xb8\xd5\x66\xc8\x6c\x2f\x16\x97\x9c\x9f\x44\x5f\x69\xab\x0e\xb4\x53\x55\x89\xb2\xf7\x7a\x03\x01\x04\xf3\xcd"] = CTInfo($description="Nordu 'plausible' log", $operator="NORDUnet", $url="plausible.ct.nordu.net/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf5\x45\x7d\xfa\x33\xb6\x30\x24\xf3\x91\xa6\xe8\x74\xed\x85\xec\xb3\x34\xdc\xc5\x01\x73\xc3\x2b\x74\x0b\x64\x71\x6e\xaf\xe8\x60\x3d\xb5\xa4\xd3\xc3\xd4\x09\xaa\x87\xe6\xd0\x16\xdd\x02\xc6\xed\x24\xbf\xee\x9f\x21\x1f\xd3\x32\x24\x46\x05\xe3\x8f\x36\x98\xa9"), +["\xcf\x55\xe2\x89\x23\x49\x7c\x34\x0d\x52\x06\xd0\x53\x53\xae\xb2\x58\x34\xb5\x2f\x1f\x8d\xc9\x52\x68\x09\xf2\x12\xef\xdd\x7c\xa6"] = CTInfo($description="SHECA CT log 1", $operator="SHECA", $url="ctlog.sheca.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x11\xa9\x60\x2b\xb4\x71\x45\x66\xe0\x2e\xde\xd5\x87\x3b\xd5\xfe\xf0\x92\x37\xf4\x68\xc6\x92\xdd\x3f\x1a\xe2\xbc\x0c\x22\xd6\x99\x63\x29\x6e\x32\x28\x14\xc0\x76\x2c\x80\xa8\x22\x51\x91\xd6\xeb\xa6\xd8\xf1\xec\xf0\x07\x7e\xb0\xfc\x76\x70\x76\x72\x7c\x91\xe9"), +["\x32\xdc\x59\xc2\xd4\xc4\x19\x68\xd5\x6e\x14\xbc\x61\xac\x8f\x0e\x45\xdb\x39\xfa\xf3\xc1\x55\xaa\x42\x52\xf5\x00\x1f\xa0\xc6\x23"] = CTInfo($description="SHECA CT log 2", $operator="SHECA", $url="ct.sheca.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xb1\x8e\x1d\x8a\xaa\x3a\xac\xce\x86\xcb\x53\x76\xe8\xa8\x9d\x59\xbe\x17\x88\x03\x07\xf2\x27\xe0\x82\xbe\xb1\xfc\x67\x3b\x46\xee\xd3\xf1\x8d\xd6\x77\xe8\xa3\xb4\xdb\x09\x5c\xa0\x09\x43\xfc\x5f\xd0\x68\x34\x23\x24\x08\xc2\x4f\xd8\xd2\xb6\x9d\xed\xd5\x8c\xdb"), +["\x96\x06\xc0\x2c\x69\x00\x33\xaa\x1d\x14\x5f\x59\xc6\xe2\x64\x8d\x05\x49\xf0\xdf\x96\xaa\xb8\xdb\x91\x5a\x70\xd8\xec\xf3\x90\xa5"] = CTInfo($description="Akamai CT Log", $operator="Akamai", $url="ct.akamai.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x43\x79\xeb\x49\x5c\x50\x2a\x4a\x6a\x8f\x59\x93\xbc\xc3\x42\x76\xc2\x99\xf8\x27\x81\x3c\x06\x6c\xd2\xc8\x04\x8f\x74\x7b\xb4\xb5\x21\xf2\xe3\xa8\xdc\x33\xb9\xfe\x25\xe9\x3d\x04\xfc\x3f\xb4\xae\x40\xe3\x45\x7e\x84\x92\x2a\xd8\x52\xeb\x1f\x3f\x73\x13\xd0\xc8"), +["\x39\x37\x6f\x54\x5f\x7b\x46\x07\xf5\x97\x42\xd7\x68\xcd\x5d\x24\x37\xbf\x34\x73\xb6\x53\x4a\x48\x34\xbc\xf7\x2e\x68\x1c\x83\xc9"] = CTInfo($description="Alpha CT Log", $operator="Matt Palmer", $url="alpha.ctlogs.org/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa2\xf7\xed\x13\xe1\xd3\x5c\x02\x08\xc4\x8e\x8b\x9b\x8b\x3b\x39\x68\xc7\x92\x6a\x38\xa1\x4f\x23\xc5\xa5\x6f\x6f\xd7\x65\x81\xf8\xc1\x9b\xf4\x9f\xa9\x8b\x45\xf4\xb9\x4e\x1b\xc9\xa2\x69\x17\xa5\x78\x87\xd9\xce\x88\x6f\x41\x03\xbb\xa3\x2a\xe3\x77\x97\x8d\x78"), +["\x29\x6a\xfa\x2d\x56\x8b\xca\x0d\x2e\xa8\x44\x95\x6a\xe9\x72\x1f\xc3\x5f\xa3\x55\xec\xda\x99\x69\x3a\xaf\xd4\x58\xa7\x1a\xef\xdd"] = CTInfo($description="Let's Encrypt 'Clicky' log", $operator="Let's Encrypt", $url="clicky.ct.letsencrypt.org/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x1f\x1a\x15\x83\x77\x00\x75\x62\xb9\x9f\xf6\x06\x05\xed\x95\x89\x83\x41\x81\x97\xe7\xe0\xd4\x33\xfe\x76\xba\x3b\xc9\x49\xc2\xcd\xf1\xcf\xfe\x12\x70\xd7\xbe\xa8\x22\x5f\xb2\xa4\x67\x02\x7b\x71\xae\x1d\xac\xa8\xe9\xd1\x08\xd5\xce\xef\x33\x7a\xc3\x5f\x00\xdc"), +["\xb0\xb7\x84\xbc\x81\xc0\xdd\xc4\x75\x44\xe8\x83\xf0\x59\x85\xbb\x90\x77\xd1\x34\xd8\xab\x88\xb2\xb2\xe5\x33\x98\x0b\x8e\x50\x8b"] = CTInfo($description="Up In The Air 'Behind the Sofa' log", $operator="Up In The Air Consulting", $url="ct.filippo.io/behindthesofa/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x59\x39\xb2\xa6\x94\xc6\x32\xb9\xfe\x63\x69\x1e\x30\x3b\xa3\x5b\xd5\xb0\x43\xc9\x50\x1e\x95\xa5\x2d\xa7\x4c\x4a\x49\x8e\x8b\x8f\xb7\xf8\xcc\xe2\x5b\x97\x72\xd5\xea\x3f\xb1\x21\x48\xe8\x44\x6b\x7f\xea\xef\x22\xff\xdf\xf4\x5f\x3b\x6d\x77\x04\xb1\xaf\x90\x8f"), }; From ade9aa219b69c7a313293751ff9350cfc10f4a89 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 27 Jul 2017 22:04:47 -0700 Subject: [PATCH 189/631] Better handling of % at end of line. --- src/analyzer/protocol/http/HTTP.cc | 16 +++++++++++++--- .../http.log | 11 +++++++++++ .../weird.log | 11 +++++++++++ .../btest/Traces/http/percent-end-of-line.pcap | Bin 0 -> 3577 bytes .../base/protocols/http/percent-end-of-line.bro | 4 ++++ 5 files changed, 39 insertions(+), 3 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log create mode 100644 testing/btest/Traces/http/percent-end-of-line.pcap create mode 100644 testing/btest/scripts/base/protocols/http/percent-end-of-line.bro diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index c1f4320c04..cae14586dd 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc 
@@ -1843,19 +1843,29 @@ BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_e
 if ( line == line_end )
 {
- // How to deal with % at end of line?
- // *URI_p++ = '%';
+ *URI_p++ = '%';
 if ( analyzer )
 analyzer->Weird("illegal_%_at_end_of_URI");
 break;
 }
+ else if ( line + 1 == line_end )
+ {
+ // % + one character at end of line. Log weird
+ // and just add to unescpaped URI.
+ *URI_p++ = '%';
+ *URI_p++ = *line;
+ if ( analyzer )
+ analyzer->Weird("partial_escape_at_end_of_URI");
+ break;
+ }
+
 else if ( *line == '%' )
 {
 // Double '%' might be either due to
 // software bug, or more likely, an
 // evasion (e.g. used by Nimda).
- // *URI_p++ = '%';
+ *URI_p++ = '%';
 if ( analyzer )
 analyzer->Weird("double_%_in_URI");
 --line; // ignore the first '%'
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log
new file mode 100644
index 0000000000..8b2f960d80
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/http.log
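Review bot: Un-commenting `*URI_p++ = '%';` in the `double_%_in_URI` branch changes how every `%%` sequence is decoded, but the commit message and the added percent-end-of-line trace only cover a '%' at the end of the line. Since that branch still does `--line` and re-parses the second '%', an input such as `%%41` would presumably now decode to `%A` instead of `A`, which changes the URI that scripts and signatures see in the evasion case the comment describes. I would keep that one line commented out here, or split it into its own commit with a trace and baseline for `%%`. The comment in the new `line + 1 == line_end` branch also has a typo and should read `// and just add to unescaped URI.`. unescape_URI starts and ends outside the hunk, so the size of the buffer behind `URI_p` cannot be checked from here.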
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2017-07-28-05-03-01 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1501217955.063524 CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 1 GET icir.org /% - 1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 0 300 400 Bad Request - - (empty) - - - - - - Fp16kg2g0K5oCDByh2 - text/html +1501217957.423701 ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 1 GET icir.org /%5 - 1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 0 300 400 Bad Request - - (empty) - - - - - - FAjakt4YvddFQlySjk - text/html +#close 2017-07-28-05-03-01 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log new file mode 100644 index 0000000000..df24831d15 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.percent-end-of-line/weird.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2017-07-28-05-03-01 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1501217955.063524 CHhAvVGS1DHFjwGM9 192.168.0.9 57322 192.150.187.12 80 illegal_%_at_end_of_URI - F bro +1501217957.423701 ClEkJM2Vm5giqnMf4h 192.168.0.9 57323 192.150.187.12 80 partial_escape_at_end_of_URI - F bro +#close 2017-07-28-05-03-01 
diff --git a/testing/btest/Traces/http/percent-end-of-line.pcap b/testing/btest/Traces/http/percent-end-of-line.pcap new file mode 100644 index 0000000000000000000000000000000000000000..4d3854241a1b7d900c13c91790a929cf22889bda GIT binary patch literal 3577 zcmeH|e{2(F7{}k1GPctug8%{od5a)FTzhS4q3cTB*bi2+L4{7)9}te~yY|>|*WF#m z7%|R3ObkB~FySx%&=?}bM2*3JR3S$ z>D%<)_wMsP@AG```Cc9QJ|biT{Ks+Cap|7x;(+g~uU|Y{ zOM7flDN}8>YHpSN zZW`Ad_B=iD2O;a>8b_X+-vj8BL|_Brt8%s@8FwJ@>!b4>O>1C>;df^A(c7Qp=?;4} zH+SCl8AyknreWM~19>e_ag@a!xbP>&9WX3$4+A|qR9ic1Xo!%pcn6V;#KrdrIRt6J zVI|sLo30`;_i07qoZ4C0no{Dr)&%93(Dpb0_rn#F^ zOo7=>bx@LJfe(7TbXlh$N{XTC=>{583?@^Upc^;SE!5}r`1}o2>kkJ59`ACxj)}c0 z@Avw=@b%F)Nn<_g0FR4Ku1OSG2G|B0F!;2wORf_#8CenqLsAuf0B2qpu+Hw18~WCG zJ@s`f_!Z{APyyub5R_C_NU<pBxo zZZp&RnHHu^89_`l-tP%`{Hy7*HkMR1VY!()1C-+KU`onJhv`Z$RCr=OMOoD$l`v)A zm)MhmO^c;(pki9kbY`rPbk!XS1?$~V4<{FKwQOuobjMpkr=1-%-nF(P)=U?xM;9E`q{|M$$}3!i6CjGK*Ty9O3iRT!c4oi|kO7d+6Xt$cx=nhTY4KD=M;gnRMT3!LvNDBu1NIEQFhN!4!Mn*zJ=KGL|V88qaL@P$VKXT}Y2;)zWaJ_DL5G##sE zNWitgRH46AGtJag;dGKa2(1yD4ye%7461PB1fsR+kic6V*mQcID{VRlYUVqdDYUVw zSD}TDwXuUpMPhtX;?fgH{QjE?M3+fyC@1c1A3t?@j59YOadbgN;&h0yzDPV&i1EV% zidj+_pRK?}Hr{qK$1oH_^tV*ed&jV`yVY7J*z)RC#WX z+{L)%y_UEa0)0Q)*zGq8xqa}#+<8(AiL-WBk;7nNIIKk5(4{R%c{ Date: Fri, 28 Jul 2017 09:21:35 -0700 Subject: [PATCH 190/631] Tiny script changes for SSL. log-hostcerts-only relied on old event ordering; the identifier key of validate-certs is now shorter (no function change, just potentially a tiny bit faster). --- .../protocols/ssl/log-hostcerts-only.bro | 23 +++++++++++++++---- .../policy/protocols/ssl/validate-certs.bro | 2 +- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/scripts/policy/protocols/ssl/log-hostcerts-only.bro index f537616e7f..0eb7da29b3 100644 --- a/scripts/policy/protocols/ssl/log-hostcerts-only.bro +++ b/scripts/policy/protocols/ssl/log-hostcerts-only.bro 
@@ -8,7 +8,7 @@ module X509;
 export {
 redef record Info += {
- # Logging is suppressed if field is set to F
+ ## Logging of certificate is suppressed if set to F
 logcert: bool &default=T;
 };
 }
@@ -39,14 +39,29 @@ event bro_init() &priority=2
 Log::add_filter(X509::LOG, f);
 }
-event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=2
+event file_sniff(f: fa_file, meta: fa_metadata) &priority=4
 {
- if ( ! c?$ssl )
+ if ( |f$conns| != 1 )
 return;
+ if ( ! f?$info || ! f$info?$mime_type )
+ return;
+
+ if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert"
+ || f$info$mime_type == "application/pkix-cert" ) )
+ return;
+
+ for ( cid in f$conns )
+ {
+ if ( ! f$conns[cid]?$ssl )
+ return;
+
+ local c = f$conns[cid];
+ }
+
 local chain: vector of string;
- if ( is_orig )
+ if ( f$is_orig )
 chain = c$ssl$client_cert_chain_fuids;
 else
 chain = c$ssl$cert_chain_fuids;
diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro
index c2f4e569a2..352ff4e863 100644
--- a/scripts/policy/protocols/ssl/validate-certs.bro
+++ b/scripts/policy/protocols/ssl/validate-certs.bro
@@ -189,6 +189,6 @@ hook ssl_finishing(c: connection) &priority=20
 local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status);
 NOTICE([$note=Invalid_Server_Cert, $msg=message, $sub=c$ssl$cert_chain[0]$x509$certificate$subject, $conn=c,
- $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_status)]);
+ $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_code)]);
 }
 }
From 3bb05693d9bb09d3b9bedbe6e9d91cb6c3d141ea Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 28 Jul 2017 09:40:58 -0700 Subject: [PATCH 191/631] Add canonifier to catch and release test that should fix test failures. --- .../scripts/base/frameworks/netcontrol/catch-and-release.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
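Review bot: The early `return` on `|f$conns| != 1` in the new `file_sniff` handler means a certificate file seen on more than one connection keeps the default `logcert=T` and is presumably logged whether or not it is a host certificate; if that fail-open choice is intended it should be stated, e.g. `# Files shared by several connections are left alone and therefore logged.`. Separately, `c` is declared with `local` inside the `for ( cid in f$conns )` loop and read after it at `chain = c$ssl$client_cert_chain_fuids;`, which relies on function-wide scoping of locals and on the loop running exactly once. A one-line comment above the loop saying that it only extracts the single connection would make that dependency visible. The handler continues beyond the end of the hunk, so what is done with `chain` is not shown.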
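Review bot: The notice `$identifier` in the validate-certs.bro hunk now reads `c$ssl$validation_code` while the message two lines above still reads `c$ssl$validation_status`, and the hunk does not show where either field is assigned. If `validation_code` is `&optional` and any path sets only `validation_status`, evaluating it here would raise a runtime error and the Invalid_Server_Cert notice would not be generated. Please confirm both fields are always set together and record that next to the NOTICE, e.g. `# validation_code is assigned wherever validation_status is`. The body of `ssl_finishing` starts outside the hunk.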
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro
index 4aaaaf6900..c48b3b3551 100644
--- a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro
+++ b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro
@@ -1,5 +1,5 @@
 # @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT
-# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-sort' btest-diff netcontrol.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-sort | $SCRIPTS/diff-remove-timestamps' btest-diff netcontrol.log
 # @TEST-EXEC: btest-diff netcontrol_catch_release.log
 @load base/frameworks/netcontrol
From a85a2821d7cffe89f395330fcda2b325f4698337 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 28 Jul 2017 10:07:44 -0700 Subject: [PATCH 192/631] Updating submodule(s). [nomail] --- CHANGES | 8 ++++++++ VERSION | 2 +- aux/broctl | 2 +- aux/btest | 2 +- 4 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/CHANGES b/CHANGES
index 9eddfc4c6d..6cf1b84fd2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,12 @@
+2.5-185 | 2017-07-28 10:07:44 -0700
+
+ * Improved handling of '%' at end of line in HTTP analyzer. (Johanna
+ Amann)
+
+ * Add canonifier to catch and release test that should fix test
+ failures. (Johanna Amann)
+
 2.5-181 | 2017-07-25 16:02:41 -0700
 * Extend plugin infrastructure to catch Bro version mismatches at link
diff --git a/VERSION b/VERSION
index 260fe8ff40..532039338e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.5-181
+2.5-185
diff --git a/aux/broctl b/aux/broctl
index 97e3f40646..1ab5ed3d3b 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 97e3f40646c1a68ba35bcf6cf30237e1ba0dbe6e
+Subproject commit 1ab5ed3d3b0f2a3ff231de77816a697d55abccb8
diff --git a/aux/btest b/aux/btest
index e638fc65aa..2810ccee25 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@ -Subproject commit e638fc65aa12bd136594451b8c185a7a01ef3e9a +Subproject commit 2810ccee25f6f20be5cd241155f12d02a79d592a From 310ef6974f31ae8e1d5a1480c23cb0198edf67f0 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 28 Jul 2017 12:22:20 -0700 Subject: [PATCH 193/631] Small fix to revert to double-% handling in HTTP back to old behaviour. --- CHANGES | 2 +- VERSION | 2 +- src/analyzer/protocol/http/HTTP.cc | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 6cf1b84fd2..731643588a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,5 @@ -2.5-185 | 2017-07-28 10:07:44 -0700 +2.5-186 | 2017-07-28 12:22:20 -0700 * Improved handling of '%' at end of line in HTTP analyzer. (Johanna Amann) diff --git a/VERSION b/VERSION index 532039338e..aa91067d4a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-185 +2.5-186 diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index cae14586dd..badf8c1b54 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -1865,7 +1865,7 @@ BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_e // Double '%' might be either due to // software bug, or more likely, an // evasion (e.g. used by Nimda). - *URI_p++ = '%'; + // *URI_p++ = '%'; if ( analyzer ) analyzer->Weird("double_%_in_URI"); --line; // ignore the first '%' From dbac2b1abb9b5ad123092efb5ad058d22188904a Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 1 Aug 2017 16:24:44 -0400 Subject: [PATCH 194/631] Addresses BIT-1831 There is apparently some situation where a field wasn't being populated which resulted in a reporter messsage. Thanks to the report from Chris Herdt! --- scripts/base/protocols/ssh/main.bro | 10 ++------ .../btest/Baseline/core.tunnels.gre/ssh.log | 6 ++--- .../scripts.base.protocols.ssh.basic/ssh.log | 24 +++++++++---------- 3 files changed, 17 insertions(+), 23 deletions(-) 
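Review bot: The `'%'` write in `unescape_URI` is disabled by commenting it out (`// *URI_p++ = '%';`), which leaves dead code directly under a comment that describes double-`%` as a likely evasion and does not say what the unescaped URI now contains. Delete the line and state the behaviour instead, e.g. `// The first '%' is not copied to the output; only the weird records it.`, assuming that is what the following `--line` achieves. The commit message calls this a revert to old behaviour, and the diffstat lists no test; a test on a URI containing `%%` would pin the behaviour that detection scripts match against. The function continues outside the hunk.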
diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index c421116d66..9b21b9414e 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -24,7 +24,7 @@ export { ## at least one, since some servers might support no authentication at all. ## It's important to note that not all of these are failures, since ## some servers require two-factor auth (e.g. password AND pubkey) - auth_attempts: count &log &optional; + auth_attempts: count &log &default=0; ## Direction of the connection. If the client was a local host ## logging into an external host, this would be OUTBOUND. INBOUND ## would be set for the opposite situation. @@ -185,13 +185,7 @@ event ssh_auth_attempted(c: connection, authenticated: bool) &priority=5 return; c$ssh$auth_success = authenticated; - - if ( c$ssh?$auth_attempts ) - c$ssh$auth_attempts += 1; - else - { - c$ssh$auth_attempts = 1; - } + c$ssh$auth_attempts += 1; if ( authenticated && disable_analyzer_after_detection ) disable_analyzer(c$id, c$ssh$analyzer_id); diff --git a/testing/btest/Baseline/core.tunnels.gre/ssh.log b/testing/btest/Baseline/core.tunnels.gre/ssh.log index a3f6d0d738..7ffd15a845 100644 --- a/testing/btest/Baseline/core.tunnels.gre/ssh.log +++ b/testing/btest/Baseline/core.tunnels.gre/ssh.log 
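Review bot: Switching `auth_attempts` from `&optional` to `&default=0` changes what ssh.log records, and the field's doc comment (only partly visible in the `@@ -24,7 +24,7 @@` hunk) is not updated to say so. The baselines in this commit show rows with an unset `auth_success` going from `-` to `0`, so a consumer counting attempts can no longer tell "nothing observed" from an explicit value without also checking `auth_success`. I would add a line to the doc comment such as `## A value of 0 means no authentication attempt was observed on this connection.` The `@@ -185,13 +185,7 @@` hunk depends on this default for its unconditional `c$ssh$auth_attempts += 1;`, which deserves a brief comment there. The record definition starts outside the hunk.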
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ssh -#open 2016-10-13-19-54-38 +#open 2017-08-01-16-46-22 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success auth_attempts direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key #types time string addr port addr port count bool count enum string string string string string string string string -1055289978.855137 CtPZjS20MLrsMUOJi2 66.59.111.190 40264 172.28.2.3 22 2 - - - SSH-2.0-OpenSSH_3.6.1p1 SSH-1.99-OpenSSH_3.1p1 aes128-cbc hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 20:7c:e5:96:b0:4e:ce:a4:db:e4:aa:29:e8:90:98:07 -#close 2016-10-13-19-54-38 +1055289978.855137 CtPZjS20MLrsMUOJi2 66.59.111.190 40264 172.28.2.3 22 2 - 0 - SSH-2.0-OpenSSH_3.6.1p1 SSH-1.99-OpenSSH_3.1p1 aes128-cbc hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 20:7c:e5:96:b0:4e:ce:a4:db:e4:aa:29:e8:90:98:07 +#close 2017-08-01-16-46-22 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log index 6af991f2fd..37d33ec57c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log 
@@ -3,22 +3,22 @@ #empty_field (empty) #unset_field - #path ssh -#open 2016-10-13-19-57-11 +#open 2017-08-01-16-26-21 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success auth_attempts direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key #types time string addr port addr port count bool count enum string string string string string string string string 1324071333.792887 CHhAvVGS1DHFjwGM9 192.168.1.79 51880 131.159.21.1 22 2 F 2 - SSH-2.0-OpenSSH_5.9 SSH-2.0-OpenSSH_5.8 aes128-ctr hmac-md5 none ecdh-sha2-nistp256 ssh-rsa a7:26:62:3f:75:1f:33:8a:f3:32:90:8b:73:fd:2c:83 1409516196.413240 ClEkJM2Vm5giqnMf4h 10.0.0.18 40184 128.2.6.88 41644 2 T 1 - SSH-2.0-OpenSSH_6.6 SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1 aes128-ctr hmac-md5 none ecdh-sha2-nistp256 ssh-rsa 8a:8d:55:28:1e:71:04:99:94:43:22:89:e5:ff:e9:03 1419870189.489202 C4J4Th3PJpwUYZZ6gc 192.168.2.1 57189 192.168.2.158 22 2 T 3 - SSH-2.0-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 aes128-ctr hmac-md5-etm@openssh.com none diffie-hellman-group-exchange-sha256 ssh-rsa 28:78:65:c1:c3:26:f7:1b:65:6a:44:14:d0:04:8f:b3 -1419870206.111841 CtPZjS20MLrsMUOJi2 192.168.2.1 57191 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 -1419996264.344957 CUM0KZ3MLUfNB0cl11 192.168.2.1 55179 192.168.2.158 2200 2 - - - SSH-2.0-OpenSSH_6.2 SSH-2.0-paramiko_1.15.2 aes128-ctr hmac-sha1 none diffie-hellman-group14-sha1 ssh-rsa 60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5 -1420588548.729561 CmES5u32sYpV7JYN 192.168.2.1 56594 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_5.3 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 -1420590124.885826 CP5puj4I8PtEU4qzYg 192.168.2.1 56821 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 -1420590308.781231 
C37jN32gN3y3AZzyf6 192.168.2.1 56837 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 -1420590322.682536 C3eiCBGOLw3VtHfOj 192.168.2.1 56845 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 -1420590636.482711 CwjjYJ2WqgTbAqiHl6 192.168.2.1 56875 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 -1420590659.429570 C0LAHyvtKSQHyJxIl 192.168.2.1 56878 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 -1420591379.658705 CFLRIC3zaTU1loLGxh 192.168.2.1 56940 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 -1420599430.828441 C9rXSW3KSpTYvPrlI1 192.168.2.1 57831 192.168.2.158 22 1 - - - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1419870206.111841 CtPZjS20MLrsMUOJi2 192.168.2.1 57191 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1419996264.344957 CUM0KZ3MLUfNB0cl11 192.168.2.1 55179 192.168.2.158 2200 2 - 0 - SSH-2.0-OpenSSH_6.2 SSH-2.0-paramiko_1.15.2 aes128-ctr hmac-sha1 none diffie-hellman-group14-sha1 ssh-rsa 60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5 +1420588548.729561 CmES5u32sYpV7JYN 192.168.2.1 56594 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_5.3 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1420590124.885826 CP5puj4I8PtEU4qzYg 192.168.2.1 56821 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - 
a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1420590308.781231 C37jN32gN3y3AZzyf6 192.168.2.1 56837 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1420590322.682536 C3eiCBGOLw3VtHfOj 192.168.2.1 56845 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1420590636.482711 CwjjYJ2WqgTbAqiHl6 192.168.2.1 56875 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1420590659.429570 C0LAHyvtKSQHyJxIl 192.168.2.1 56878 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1420591379.658705 CFLRIC3zaTU1loLGxh 192.168.2.1 56940 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 +1420599430.828441 C9rXSW3KSpTYvPrlI1 192.168.2.1 57831 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98 1420851448.310534 Ck51lg1bScffFj34Ri 192.168.2.1 59246 192.168.2.158 22 2 T 2 - SSH-2.0-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 arcfour256 hmac-md5-etm@openssh.com none diffie-hellman-group-exchange-sha256 ssh-rsa 28:78:65:c1:c3:26:f7:1b:65:6a:44:14:d0:04:8f:b3 1420860283.057451 C9mvWx3ezztgzcexV7 192.168.1.32 41164 128.2.10.238 22 2 T 5 - SSH-2.0-OpenSSH_6.6p1-hpn14v4 SSH-1.99-OpenSSH_3.4+p1+gssapi+OpenSSH_3.7.1buf_fix+2006100301 aes128-cbc hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 7f:e5:81:92:26:77:05:44:c4:60:fb:cd:89:c8:81:ee 1420860616.428738 CNnMIj2QSd84NKf7U3 192.168.1.32 33910 128.2.13.133 22 2 T 1 - SSH-2.0-OpenSSH_6.6p1-hpn14v4 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none 
diffie-hellman-group-exchange-sha256 ssh-rsa 93:d8:4c:0d:b2:c3:2e:da:b9:c0:67:db:e4:8f:95:04 @@ -28,4 +28,4 @@ 1421041177.031508 CLNN1k2QMum1aexUK7 192.168.1.32 58641 131.103.20.168 22 2 F 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 1421041299.777962 CBA8792iHmnhPLksKa 192.168.1.32 58646 131.103.20.168 22 2 T 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 1421041526.353524 CGLPPc35OzDQij1XX8 192.168.1.32 58649 131.103.20.168 22 2 T 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 -#close 2016-10-13-19-57-11 +#close 2017-08-01-16-26-21 From 7242aada0c3f25ac2e24f2289a9d3e4b1b4cbfab Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Tue, 1 Aug 2017 15:54:26 -0500 Subject: [PATCH 195/631] Update install instructions for Fedora 26 --- doc/install/install.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/install/install.rst b/doc/install/install.rst index e7ff45b4fe..4c43ee9c73 100644 --- a/doc/install/install.rst +++ b/doc/install/install.rst @@ -54,6 +54,9 @@ To install the required dependencies, you can use: sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel + In order to build Bro on Fedora 26, install ``compat-openssl10-devel`` instead + of ``openssl-devel``. + * DEB/Debian-based Linux: .. console:: From d5678418da92f9efd59c36189bd67b9349adc8e0 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Tue, 1 Aug 2017 16:29:16 -0700 Subject: [PATCH 196/631] SSL SCT/OCSP: small fixes by robin; mostly update comments. SetMime now only works on the first call (as it was documented) and unused code was used from one of the x.509 functions. --- src/file_analysis/File.cc | 2 +- src/file_analysis/File.h | 6 ++++-- src/file_analysis/Manager.cc | 6 ++++++ src/file_analysis/Manager.h | 3 ++- src/file_analysis/analyzer/x509/OCSP.cc | 3 +++ src/file_analysis/analyzer/x509/X509.cc | 5 ++++- src/file_analysis/analyzer/x509/functions.bif | 9 +++------ 7 files changed, 23 insertions(+), 11 deletions(-) diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 2d9017a338..46624e23c0 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -294,7 +294,7 @@ void File::SetReassemblyBuffer(uint64 max) bool File::SetMime(const string& mime_type) { - if ( mime_type.empty() || bof_buffer.size != 0 ) + if ( mime_type.empty() || bof_buffer.size != 0 || did_metadata_inference ) return false; did_metadata_inference = true; diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index c52d9efbc4..1d4fb03789 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -176,8 +176,10 @@ public: * Sets the MIME type for a file to a specific value. * * Setting the MIME type has to be done before the MIME type is - * inferred from the content. After a MIME type has been set once, - * it cannot be changed anymore. + * inferred from the content, and before any data is passed to the + * analyzer (the beginning of file buffer has to be empty). After + * data has been sent or a MIME type has been set once, it cannot be + * changed. * * This function should only be called when it does not make sense * to perform automated MIME type detections. This is e.g. the case diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index 3140a1e9db..1659230bff 100644 --- a/src/file_analysis/Manager.cc 
+++ b/src/file_analysis/Manager.cc @@ -118,6 +118,12 @@ string Manager::DataIn(const u_char* data, uint64 len, uint64 offset, if ( ! file ) return ""; + // This only has any effect when + // * called for the first time for a file + // * being called before file->DataIn is called for the first time (before data is + // added to the bof buffer). + // Afterwards SetMime just ignores what is passed to it. Thus this only has effect during + // the first Manager::DataIn call for each file. if ( ! mime_type.empty() ) file->SetMime(mime_type); diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index d4ab6c8dfc..ce39b8144c 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -98,7 +98,8 @@ public: * certificates are passed as files; here the type of the file is set by * the protocol. If this parameter is give, mime type detection will be * disabled. - * This parameter is only used for the first bit of data for each file. + * This parameter only has any effect for the first DataIn call of each + * file. It is ignored for all subsequent calls. * @return a unique file ID string which, in certain contexts, may be * cached and passed back in to a subsequent function call in order * to avoid costly file handle lookups (which have to go through diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 6ce51f9dd3..3770b5692c 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -344,6 +344,9 @@ clean_up: void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) { +// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_cert_scts. +// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually +// look it up by performing a string comparison on the oid. #ifdef NID_ct_cert_scts if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts ) #else 
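Review bot: The comment added above `#ifdef NID_ct_cert_scts` in `OCSP::ParseExtensionsSpecific` reads "this is not yet defined yet" and does not name the OID that the fallback branch compares against. The same three-line comment is repeated in the X509.cc hunk and in the `sct_verify` hunk of functions.bif. Suggested wording: `// OpenSSL 1.0.2+ defines this NID; older versions do not, so fall back to comparing the OID string.` It would help to put the dotted OID next to it where the `#else` branch is visible, as it is in X509.cc. The `#else` branch of this hunk and the rest of the function lie outside it.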
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index b26bd4a1da..2999007146 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -240,7 +240,10 @@ void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool globa else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name ) ParseSAN(ex); -#ifdef NID_ct_cert_scts +// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_precert_scts. +// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually +// look it up by performing a string comparison on the oid. +#ifdef NID_ct_precert_scts else if ( OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) #else else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 ) diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index e3fcb0ce11..a4901b31e5 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -624,6 +624,9 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa { x = X509_dup(x); assert(x); +// In OpenSSL 1.0.2+, we can get the extension by using NID_ct_precert_scts. +// In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually +// look it up by performing a string comparison on the oid. #ifdef NID_ct_precert_scts int pos = X509_get_ext_by_NID(x, NID_ct_precert_scts, -1); if ( pos < 0 ) @@ -778,12 +781,6 @@ StringVal* x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int ha int res = 0; - ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(cert_x509); - if ( key == 0 ) - { - printf("No key in X509_get0_pubkey_bitstr\n"); - } - if ( type == 0 ) res = X509_NAME_digest(subject_name, dgst, md, &len); else if ( type == 1 ) From eab80c8834a5c60786b563c5eba3d33fd31cb93b Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Fri, 4 Aug 2017 07:04:28 -0700 Subject: [PATCH 197/631] HTTP: Recognize and skip upgrade/websocket connections. This adds a slight patch to the HTTP analyzer, which recognizez when a connection is upgraded to a different protocol (using a 101 reply with a few specific headers being set). In this case, the analyzer stops further processing of the connection (which will result in DPD errors) and raises a new event: event http_connection_upgrade(c: connection, protocol: string); Protocol contains the name of the protocol that is being upgraded to, as specified in one of the header values. --- src/analyzer/protocol/http/HTTP.cc | 42 +++++++++++++-- src/analyzer/protocol/http/HTTP.h | 49 ++++++++++-------- src/analyzer/protocol/http/events.bif | 31 ++++++++--- src/analyzer/protocol/mime/MIME.h | 18 +++---- .../.stdout | 1 + .../http.log | 10 ++++ testing/btest/Traces/http/websocket.pcap | Bin 0 -> 4224 bytes .../http/101-switching-protocols.bro | 13 +++++ 8 files changed, 122 insertions(+), 42 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.101-switching-protocols/.stdout create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.101-switching-protocols/http.log create mode 100644 testing/btest/Traces/http/websocket.pcap create mode 100644 testing/btest/scripts/base/protocols/http/101-switching-protocols.bro diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index badf8c1b54..65a511b8cb 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -822,6 +822,9 @@ HTTP_Analyzer::HTTP_Analyzer(Connection* conn) connect_request = false; pia = 0; + upgraded = false; + upgrade_connection = false; + upgrade_protocol.clear(); content_line_orig = new tcp::ContentLine_Analyzer(conn, true); AddSupportAnalyzer(content_line_orig); 
@@ -879,6 +882,9 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) if ( TCP() && TCP()->IsPartial() ) return; + if ( upgraded ) + return; + if ( pia ) { // There will be a PIA instance if this connection has been identified @@ -1468,15 +1474,35 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg) unanswered_requests.pop(); } - reply_code = 0; - if ( reply_reason_phrase ) { Unref(reply_reason_phrase); reply_reason_phrase = 0; } - if ( interrupted ) + // unanswered requests = 1 because there is no pop after 101. + if ( reply_code == 101 && unanswered_requests.size() == 1 && upgrade_connection && + upgrade_protocol.size() ) + { + // Upgraded connection that switches immediately - e.g. websocket. + upgraded = true; + RemoveSupportAnalyzer(content_line_orig); + RemoveSupportAnalyzer(content_line_resp); + + if ( http_connection_upgrade ) + { + val_list* vl = new val_list(); + vl->append(BuildConnVal()); + vl->append(new StringVal(upgrade_protocol)); + ConnectionEvent(http_connection_upgrade, vl); + } + } + + reply_code = 0; + upgrade_connection = false; + upgrade_protocol.clear(); + + if ( interrupted || upgraded ) reply_state = EXPECT_REPLY_NOTHING; else reply_state = EXPECT_REPLY_LINE; @@ -1611,11 +1637,17 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h) if ( ! is_orig && mime::strcasecmp_n(h->get_name(), "connection") == 0 ) - { + { if ( mime::strcasecmp_n(h->get_value_token(), "close") == 0 ) - connection_close = 1; + connection_close = 1; + else if ( mime::strcasecmp_n(h->get_value_token(), "upgrade") == 0 ) + upgrade_connection = true; } + if ( ! is_orig && + mime::strcasecmp_n(h->get_name(), "upgrade") == 0 ) + upgrade_protocol.assign(h->get_value_token().data, h->get_value_token().length); + if ( http_header ) { Rule::PatternType rule = diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h index d55c10c4c1..bfc079187f 100644 --- a/src/analyzer/protocol/http/HTTP.h 
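Review bot: The upgrade decision in `ReplyMade` depends only on what the responder sends, because `upgrade_connection` and `upgrade_protocol` are both set in `HTTP_Header` under `! is_orig`. A 101 reply carrying `Connection: upgrade` and any `Upgrade` value therefore makes `DeliverStream` return early for the rest of the connection, whether or not the request asked for an upgrade. For a monitoring analyzer that lets one endpoint end HTTP inspection on its own. I would also record the originator's `Upgrade` header and set `upgraded = true` only when the request carried one, raising a weird otherwise so the mismatch is logged. Separately, `upgrade_protocol.assign(...)` calls `h->get_value_token()` twice; take it once: `const auto tok = h->get_value_token(); upgrade_protocol.assign(tok.data, tok.length);`. All three functions continue outside their hunks.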
+++ b/src/analyzer/protocol/http/HTTP.h @@ -40,8 +40,8 @@ public: { zip->Done(); delete zip; } } - void EndOfData(); - void Deliver(int len, const char* data, int trailing_CRLF); + void EndOfData() override; + void Deliver(int len, const char* data, int trailing_CRLF) override; int Undelivered(int64_t len); int64_t BodyLength() const { return body_length; } int64_t HeaderLength() const { return header_length; } @@ -68,17 +68,17 @@ protected: bool send_size; // whether to send size indication to FAF std::string precomputed_file_id; - MIME_Entity* NewChildEntity() { return new HTTP_Entity(http_message, this, 1); } + MIME_Entity* NewChildEntity() override { return new HTTP_Entity(http_message, this, 1); } void DeliverBody(int len, const char* data, int trailing_CRLF); void DeliverBodyClear(int len, const char* data, int trailing_CRLF); - void SubmitData(int len, const char* buf); + void SubmitData(int len, const char* buf) override; void SetPlainDelivery(int64_t length); - void SubmitHeader(mime::MIME_Header* h); - void SubmitAllHeaders(); + void SubmitHeader(mime::MIME_Header* h) override; + void SubmitAllHeaders() override; }; enum { 
@@ -106,18 +106,18 @@ public: bool is_orig, int expect_body, int64_t init_header_length); ~HTTP_Message(); void Done(const int interrupted, const char* msg); - void Done() { Done(0, "message ends normally"); } + void Done() override { Done(0, "message ends normally"); } int Undelivered(int64_t len); - void BeginEntity(mime::MIME_Entity* /* entity */); - void EndEntity(mime::MIME_Entity* entity); - void SubmitHeader(mime::MIME_Header* h); - void SubmitAllHeaders(mime::MIME_HeaderList& /* hlist */); - void SubmitData(int len, const char* buf); - int RequestBuffer(int* plen, char** pbuf); + void BeginEntity(mime::MIME_Entity* /* entity */) override; + void EndEntity(mime::MIME_Entity* entity) override; + void SubmitHeader(mime::MIME_Header* h) override; + void SubmitAllHeaders(mime::MIME_HeaderList& /* hlist */) override; + void SubmitData(int len, const char* buf) override; + int RequestBuffer(int* plen, char** pbuf) override; void SubmitAllData(); - void SubmitEvent(int event_type, const char* detail); + void SubmitEvent(int event_type, const char* detail) override; void SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */); void SetPlainDelivery(int64_t length); 
@@ -169,15 +169,15 @@ public: int HTTP_ReplyCode() const { return reply_code; }; // Overriden from Analyzer. - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; // Overriden from tcp::TCP_ApplicationAnalyzer - virtual void EndpointEOF(bool is_orig); - virtual void ConnectionFinished(int half_finished); - virtual void ConnectionReset(); - virtual void PacketWithRST(); + void EndpointEOF(bool is_orig) override; + void ConnectionFinished(int half_finished) override; + void ConnectionReset() override; + void PacketWithRST() override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new HTTP_Analyzer(conn); } @@ -234,6 +234,13 @@ protected: bool connect_request; pia::PIA_TCP *pia; + // set to true after a connection was upgraded + bool upgraded; + // set to true when encountering an "connection" header in a reply. + bool upgrade_connection; + // set to the protocol string when encountering an "upgrade" header + // in a reply. + std::string upgrade_protocol; Val* request_method; diff --git a/src/analyzer/protocol/http/events.bif b/src/analyzer/protocol/http/events.bif index 7a509c6d54..ab005ba8d6 100644 --- a/src/analyzer/protocol/http/events.bif +++ b/src/analyzer/protocol/http/events.bif @@ -19,7 +19,7 @@ ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_message_done http_reply http_stats -## truncate_http_URI +## truncate_http_URI http_connection_upgrade event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%); ## Generated for HTTP replies. Bro supports persistent and pipelined HTTP 
@@ -40,7 +40,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_message_done http_request -## http_stats +## http_stats http_connection_upgrade event http_reply%(c: connection, version: string, code: count, reason: string%); ## Generated for HTTP headers. Bro supports persistent and pipelined HTTP @@ -60,7 +60,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%); ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_message_done http_reply http_request -## http_stats +## http_stats http_connection_upgrade ## ## .. note:: This event is also raised for headers found in nested body ## entities. @@ -83,6 +83,7 @@ event http_header%(c: connection, is_orig: bool, name: string, value: string%); ## ## .. bro:see:: http_begin_entity http_content_type http_end_entity http_entity_data ## http_event http_header http_message_done http_reply http_request http_stats +## http_connection_upgrade ## ## .. note:: This event is also raised for headers found in nested body ## entities. @@ -104,7 +105,7 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%); ## ## .. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data ## http_event http_header http_message_done http_reply http_request http_stats -## mime_begin_entity +## mime_begin_entity http_connection_upgrade event http_begin_entity%(c: connection, is_orig: bool%); ## Generated when finishing parsing an HTTP body entity. This event is generated 
@@ -123,7 +124,7 @@ event http_begin_entity%(c: connection, is_orig: bool%); ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data ## http_event http_header http_message_done http_reply http_request -## http_stats mime_end_entity +## http_stats mime_end_entity http_connection_upgrade event http_end_entity%(c: connection, is_orig: bool%); ## Generated when parsing an HTTP body entity, passing on the data. This event @@ -152,6 +153,7 @@ event http_end_entity%(c: connection, is_orig: bool%); ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_event http_header http_message_done http_reply http_request http_stats ## mime_entity_data http_entity_data_delivery_size skip_http_data +## http_connection_upgrade event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%); ## Generated for reporting an HTTP body's content type. This event is @@ -173,6 +175,7 @@ event http_entity_data%(c: connection, is_orig: bool, length: count, data: strin ## ## .. bro:see:: http_all_headers http_begin_entity http_end_entity http_entity_data ## http_event http_header http_message_done http_reply http_request http_stats +## http_connection_upgrade ## ## .. note:: This event is also raised for headers found in nested body ## entities. @@ -198,6 +201,7 @@ event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_reply http_request http_stats +## http_connection_upgrade event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%); ## Generated for errors found when decoding HTTP requests or replies. 
@@ -214,7 +218,7 @@ event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_header http_message_done http_reply http_request -## http_stats mime_event +## http_stats mime_event http_connection_upgrade event http_event%(c: connection, event_type: string, detail: string%); ## Generated at the end of an HTTP session to report statistics about it. This @@ -228,5 +232,18 @@ event http_event%(c: connection, event_type: string, detail: string%); ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_message_done http_reply -## http_request +## http_request http_connection_upgrade event http_stats%(c: connection, stats: http_stats_rec%); + +## Generated when a HTTP session is upgraded to a different protocol (e.g. websocket). +## This event is raised when a server replies with a HTTP 101 reply. No more HTTP events +## will be raised after this event. +## +## c: The connection. +## +## protocol: The protocol to which the connection is switching. +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## http_entity_data http_event http_header http_message_done http_reply +## http_request +event http_connection_upgrade%(c: connection, protocol: string%); diff --git a/src/analyzer/protocol/mime/MIME.h b/src/analyzer/protocol/mime/MIME.h index 8c7fdd4326..fcc921993d 100644 --- a/src/analyzer/protocol/mime/MIME.h +++ b/src/analyzer/protocol/mime/MIME.h 
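Review bot: The doc comment for the new `http_connection_upgrade` event says it is raised "when a server replies with a HTTP 101 reply", but the HTTP.cc change in this commit also requires a `Connection: upgrade` header, a non-empty `Upgrade` header and exactly one unanswered request. It also does not say where `protocol` comes from. Script writers deciding how much to trust the value need both facts. I would extend the parameter line to `## protocol: The value of the reply's Upgrade header, passed on as received from the server.` and add a sentence that the remaining payload of the connection is not analyzed by the HTTP analyzer.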
@@ -232,16 +232,16 @@ class MIME_Mail : public MIME_Message { public: MIME_Mail(analyzer::Analyzer* mail_conn, bool is_orig, int buf_size = 0); ~MIME_Mail(); - void Done(); + void Done() override; - void BeginEntity(MIME_Entity* entity); - void EndEntity(MIME_Entity* entity); - void SubmitHeader(MIME_Header* h); - void SubmitAllHeaders(MIME_HeaderList& hlist); - void SubmitData(int len, const char* buf); - int RequestBuffer(int* plen, char** pbuf); + void BeginEntity(MIME_Entity* entity) override; + void EndEntity(MIME_Entity* entity) override; + void SubmitHeader(MIME_Header* h) override; + void SubmitAllHeaders(MIME_HeaderList& hlist) override; + void SubmitData(int len, const char* buf) override; + int RequestBuffer(int* plen, char** pbuf) override; void SubmitAllData(); - void SubmitEvent(int event_type, const char* detail); + void SubmitEvent(int event_type, const char* detail) override; void Undelivered(int len); protected: @@ -283,6 +283,6 @@ extern int MIME_get_value(int len, const char* data, BroString*& buf, extern int MIME_get_field_name(int len, const char* data, data_chunk_t* name); extern BroString* MIME_decode_quoted_pairs(data_chunk_t buf); -} } // namespace analyzer::* +} } // namespace analyzer::* #endif diff --git a/testing/btest/Baseline/scripts.base.protocols.http.101-switching-protocols/.stdout b/testing/btest/Baseline/scripts.base.protocols.http.101-switching-protocols/.stdout new file mode 100644 index 0000000000..0e9c739b00 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.101-switching-protocols/.stdout @@ -0,0 +1 @@ +Connection upgraded to websocket diff --git a/testing/btest/Baseline/scripts.base.protocols.http.101-switching-protocols/http.log b/testing/btest/Baseline/scripts.base.protocols.http.101-switching-protocols/http.log new file mode 100644 index 0000000000..a1e96de25e --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.http.101-switching-protocols/http.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path http +#open 2017-08-04-00-45-31 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types +#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] +1501770877.501001 CHhAvVGS1DHFjwGM9 192.168.0.5 50798 54.148.114.85 80 1 GET sandbox.kaazing.net /echo?.kl=Y - 1.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0 0 0 101 Web Socket Protocol Handshake 101 Web Socket Protocol Handshake (empty) - - - - - - - - - +#close 2017-08-04-00-45-31 
diff --git a/testing/btest/Traces/http/websocket.pcap b/testing/btest/Traces/http/websocket.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0a71c8a77dc92fabb9b265487d1b716ce72cee66 GIT binary patch literal 4224 zcmeH~eNYr-9LFCH^xy^z3yG|zN2#fdy*EzO6+*9?5|({jMGB-A*%E4WDs*k@wk!d7p+I@13eSkx%LfSuP!2 zPL|K??0ffRGNWq0(tb)Jt*7_34GI{HQ9?|4GhWNd&7F~xlW!@E&VLT?<(cC2 zbBE339{7$U&W-N@bV{mW1H#N4*U7j8X+0(Fj_@;KhaHEm_MIK`$LV>de9Oq5u|lN7 zPG+=w!HAjM1ymeqcDtIsMZ0&p4R-GUx_O|uc#iiMLMH5e6Uj&{c*#r#!EPKzqDfmk zio~Z^W+avs&pBpECDzxqQ5)~^$u-s(AL&!b66ckmIhhXSgLYTSEn4d_HbNO zki1rj*NQCdDz7lLUS5I;&2m%_Mb5U+YNxj~a~?s`WYxEnu97rfq;P?@xam6Tuv;C@ zrBn&B3td+G?X;fv^vE`+-C>762VE&Be7797;msmTt;fUrfvxdj&F0g3#R|^v7X=Te z39@7hynBEwgvj9#R(A8#7W)&=jB<-OH8}Ff|v9O3zHM-B#+z$ z?y=Mx75o*ni|-aWjW4pec@NXUce-Uy53e!z@`?%;u+&jmWNA?ZuK=HYn&xM1wnTtr z#cN#Fs>qt`kwuncSc?;Vvpm{k+o4t14K|Ok+_aA7N>*yRy?Q zhPSL*vUZ^?tM_z=nr(~MEL&D&Ss_aj@4=|Cw1?;Y3?~XfzJj*lAze z>M@_**Ku;7n0%+5iB}}l_cfrLH<7p|J8_Oqyl^GNXK6lp7!-rUXrn0-D@EeQV;PBM zUwLV?rfR)(#5wLE{BN6PczBlj+4`R@FpAnOaelL(B?=?*jP|iyz+ontPX^>RQF~XiDi~MAl`Qd3C}Ns5 z*`zhKq?2WQH;9#`ZN5MSwO7*GfR{pNSwtN!wsH~caMJqbHlrvLJ;uI4tO_bst5;~U zQY-ZaSE`Y!#ZsqR3)X>vQuUum@3cZzAQmibjQ2`f4_1Y^2=vRi+%ib#43s6x28Xek z6Ibqw*vvnBG_{#`oZKDpHo@Z|*VCG8=HGyPN>DoQ%*!VYK*M1ybi&52)unSjwa~py zx)`C*YmcQC`e5E4JC3hL?zh05-cqIpEj|2u220oKmco;D;z5?Qv^rKmz62|Ar1}0) z(-Zomu^=O{tT^}F#ssn4iN0^YL>@bT^{g9S@7Pd%Hq@&PJ6AT0+%=E+p***AG$ghR z_wkXPHJha2Zf@J~R#)}KvilH2t^%-Hgmq=KF!9h>5b=*As=f`?_1X~P)5eLj3x8oER2>r2e+Em{NH@0w5q$+lu-ZuV9EmL7MQKr9M zGL)%)W`7cxSz6Ito%x%Ac_hKSbH0I@Y(?Y1oxT-4{0TOWRh_AgV_nDYh%h=(eAW5; z&n6p3D>M!#iu9+f#22<9(e_FP;t`!Vae@JXCW*IQ%4TE18%X>xkb(HBPW&p>#;suE zBf|w`J!A(*TDxo%?MUqUIU}*G7~hg68t|=i(d+GdH-5U`Tyo?>PvzKatxI0{&{s41 zr`nGjotR@G?JyljS}D}WuGiCc){wSWA#D8kM>312tfwwN<1jOg^hPRU5EE?JKqjdm?U*9q-S#4?YVQ1?RKQ3n^ zLVWHxoFLlGNZd8BcBt_tVX*_E{Q=8-+;L?j-ZLQG4VD|Vx9rQxwJysuk1n~ZNdo@yl$ z-=0EDi>GV!AZF Date: Fri, 4 Aug 2017 15:04:13 -0700 Subject: [PATCH 198/631] Updating CHANGES, NEWS, and VERSION. 
--- CHANGES | 42 ++++++++++++++++++++++++++++++++++++++++++ NEWS | 26 ++++++++++++++++++++++++++ VERSION | 2 +- 3 files changed, 69 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 731643588a..86c4162f08 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,46 @@ +2.5-288 | 2017-08-04 14:17:10 -0700 + + * Fix field not being populated, which resulted in a reporter + messsage. Addresses BIT-1831. Reported by Chris Herdt. (Seth Hall) + + * Support for OCSP and Signed Certificate Timestamp. (Liang + Zhu/Johanna Amann) + + - OCSP parsing is added to the X.509 module. + + - Signed Certificate Timestamp extraction, parsing, & validation + is added to the SSL, X.509, and OCSP analyzers. Validation is + added to the X.509 BIFs. + + This adds the following events and BIFs: + + - event ocsp_request(f: fa_file, version: count, requestorName: string); + - event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string); + - event ocsp_response_status(f: fa_file, status: string); + - event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector); + - event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time); + - event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool); + - event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string); + - event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string); + - function sct_verify(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""): bool + - function x509_subject_name_hash(cert: opaque of x509, hash_alg: count): string + - function 
x509_issuer_name_hash(cert: opaque of x509, hash_alg: count): string + - function x509_spki_hash(cert: opaque of x509, hash_alg: count): string + + This also changes the MIME types that we use to identify X.509 + certificates in SSL connections from "application/pkix-cert" to + "application/x-x509-user-cert" for host certificates and + "application/x-x509-ca-cert" for CA certificates. + + * The SSL scripts provide a new hook "ssl_finishing(c: connection)" + to trigger actions after the handshake has concluded. (Johanna + Amann) + + * Add an internal API for protocol analyzers to provide the MIME + type of file data directly, disabling automatic inferrence. + (Johanna Amann). + 2.5-186 | 2017-07-28 12:22:20 -0700 * Improved handling of '%' at end of line in HTTP analyzer. (Johanna diff --git a/NEWS b/NEWS index a884f4fe5a..6d35a8978b 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,32 @@ their own ``CHANGES``.) Bro 2.6 (in progress) ===================== +New Functionality +----------------- + +- Support for OCSP and Signed Certificate Timestamp. This adds the + following events and BIFs: + + - Events: ocsp_request, ocsp_request_certificate, + ocsp_response_status, ocsp_response_bytes + ocsp_response_certificate ocsp_extension + x509_ocsp_ext_signed_certificate_timestamp + ssl_extension_signed_certificate_timestamp + + - Functions: sct_verify, x509_subject_name_hash, + x509_issuer_name_hash x509_spki_hash + +- The SSL scripts provide a new hook "ssl_finishing(c: connection)" + to trigger actions after the handshake has concluded. + +Changed Functionality +--------------------- + +- The MIME types used to identify X.509 certificates in SSL + connections changed from "application/pkix-cert" to + "application/x-x509-user-cert" for host certificates and + "application/x-x509-ca-cert" for CA certificates. + Removed Functionality --------------------- diff --git a/VERSION b/VERSION index aa91067d4a..4c6456e664 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-186 +2.5-288 
From c251245538169c0e1053065e59c60e6bc4d995d4 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Mon, 7 Aug 2017 16:10:46 -0500 Subject: [PATCH 199/631] Fix a netcontrol test that often fails The catch-and-release.bro test was failing whenever three conditions were all true: sorting the netcontrol.log before comparing to the baseline, the presence of LC_ALL=C in btest.cfg changes the sort order, and sometimes the timestamp increases slightly beginning with one of the rule_id == 5 lines. As a result of these three conditions, the sorted order of the lines with rule_id of 5 were different than the baseline. Fixed by not sorting netcontrol.log, as this doesn't seem necessary. --- .../scripts/base/frameworks/netcontrol/catch-and-release.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro index c48b3b3551..29c56c2535 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro @@ -1,5 +1,5 @@ # @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT -# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-sort | $SCRIPTS/diff-remove-timestamps' btest-diff netcontrol.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-remove-timestamps' btest-diff netcontrol.log # @TEST-EXEC: btest-diff netcontrol_catch_release.log @load base/frameworks/netcontrol From 712780079191d0decf83a8e8c268e8da34d7248d Mon Sep 17 00:00:00 2001 
From: Daniel Thayer Date: Thu, 10 Aug 2017 12:47:14 -0500 Subject: [PATCH 200/631] Fix the expire-redef.bro test The expire-redef.bro test was sometimes failing due to the second "Run" message being printed after (should happen before) the "Expired" message. Fixed by increasing the time interval between events. Also reduced the number of events raised to make the test finish more quickly. --- testing/btest/Baseline/language.expire-redef/output | 2 -- testing/btest/language/expire-redef.bro | 10 +++++----- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/testing/btest/Baseline/language.expire-redef/output b/testing/btest/Baseline/language.expire-redef/output index d5a745e7f3..42bb1b485c 100644 --- a/testing/btest/Baseline/language.expire-redef/output +++ b/testing/btest/Baseline/language.expire-redef/output @@ -1,5 +1,3 @@ -Run 0 Run 1 Expired: 0 --> some data Run 2 -Run 3 diff --git a/testing/btest/language/expire-redef.bro b/testing/btest/language/expire-redef.bro index 6bf43ae98a..5cbb00f313 100644 --- a/testing/btest/language/expire-redef.bro +++ b/testing/btest/language/expire-redef.bro @@ -9,16 +9,16 @@ global expired: function(tbl: table[int] of string, idx: int): interval; global data: table[int] of string &write_expire=exp_val &expire_func=expired; redef table_expire_interval = 1sec; -redef exp_val = 5sec; +redef exp_val = 6sec; global runs = 0; event do_it() { + ++runs; print fmt("Run %s", runs); - ++runs; - if ( runs < 4 ) - schedule 2sec { do_it() }; + if ( runs < 2 ) + schedule 4sec { do_it() }; else terminate(); } @@ -33,5 +33,5 @@ function expired(tbl: table[int] of string, idx: int): interval event bro_init() &priority=-10 { data[0] = "some data"; - schedule 2sec { do_it() }; + schedule 4sec { do_it() }; } From fcd735cecd05899cb1115e23ca7718952e5e860b Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Fri, 11 Aug 2017 13:51:49 -0500 Subject: [PATCH 201/631] Fix core.truncation unit test on macOS. The pcap file format has a global header and a header per packet. The global header of the pcap in question had a snaplen of 1, but with packet headers indicating the full number of bytes saved within the file. It seems like the pcap file must of been artifically edited in order for it to be this way. When reporting the captured length of a packet, Apple's version of libpcap now seems to report the full number of bytes saved within the pcap's per-packet headers, but other versions seem to report the snaplen from the global pcap header. This caused the core.truncation test to behave differently on macOS from other platforms. I've manually hexedit'd the pcap so that the snaplen is still 1, but contains just a single packet with a pcap header indicating a length of 8, which is less than the size of the link layer header and so should still test the original code path that the unit test intended to exercise. --- CHANGES | 8 ++++++++ VERSION | 2 +- testing/btest/Traces/trunc/trunc-hdr.pcap | Bin 6435 -> 49 bytes 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 86c4162f08..a1b2729cf4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,12 @@ +2.5-294 | 2017-08-11 13:51:49 -0500 + + * Fix core.truncation unit test on macOS. (Jon Siwek) + + * Fix a netcontrol test that often fails (Daniel Thayer) + + * Update install instructions for Fedora 26 (Daniel Thayer) + 2.5-288 | 2017-08-04 14:17:10 -0700 * Fix field not being populated, which resulted in a reporter diff --git a/VERSION b/VERSION index 4c6456e664..303202a260 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-288 +2.5-294 
diff --git a/testing/btest/Traces/trunc/trunc-hdr.pcap b/testing/btest/Traces/trunc/trunc-hdr.pcap index 0ab12ee6c78e1c88093333c6638359514c28c750..689128f2bb5db52f0b06d74f641fa534b5bb3530 100644 GIT binary patch delta 23 dcmZ2%WH>=Vkb{AN!4HTT)H~nRMi@{U&?H0U
y`HkP}%lL>0@cYW|9t?Gi zUm`?RccEAScBX)@XAngLiU6CFQ4o0@_3xo%3Q%YkAaET33U~y(fPX*5BlVZM8a`f= z91!!2)tX~_89CtX>tLL`HuuPX%;=>m3Q&%0o*Yk{r_PfGroaSbfOMWTj|dDw3Qv|N z%2Vb|2MU17ljPxnIFHH`j)NSz0trCC0|W=efdK@O0+K)pu8{!^ZWf266#3gl;E(bUga|>X z&>nCQKpIdWmnFr-?0f*NuQuf?UqXx;PV6Hz5Yw|jBb+O zna7s<@4$o(RXONF0q;e%lvaxb<0 zWcJ)Ur_^nllL2kSq=nTU9BMCXl|4XR$qnX{LRkXs*g_jzghz&I6?2s8R*ID^(FnYA zdL(%3>!lV49#^`Bkp_L6-pYgko(urfMiD517vf`r69_KBl;|CXg;o=@Ase zn`jOz#E<1i_wWf0^z-2ahKA7HSm9BuaJrQxIzv$s{%3%iqWs|vUyV=$29v?W-n~&S zBEe8Wr(?L%WI31cz$hOMi|!mA;1d!U%LijnQ5j;N4hbP3T;o~r+6npgk{DZ@2MJ(OXxm$E2T@+{s? zzmJ?9Ivu?CtQ~RBV)=Dx|AgMJ9_)7rQGLC2M(!<{UUOH5@)r-I->ZWT;EG(;cHXpg z4AeXoSKFX(WWSv4EH#+(?8=?j`)k^+47;okS~cRo@b;}O3dLL#86bUarJpBf$(s@U zn(}RORoVUioPuh?Z5IzwDe)4c3yGk;JBxR@aIzS~%$1ki%TuVw8)s zLsg;hR5S=QR3TArew#~aM{&jLw~p(?S#4_VA3k(Qqbk@2DS`q)jthd_zN^ zv2w_p4%Ch_dSWN8ekC^3O1i?OoF%&j`4VA)(N+ZZ9fq=&miv>*lLQp{ENTSeA zi9``R^7RQ9|MM}2&Eae`)7SS651u=Y+0YI85o{l(9xF;O0^TsoaJ>M=9JmKHC}tL; zY2*GH9Zdw^4nE;8*4MulVJy=L=J0YFlf>4g*&}Hq!8in+jcN-y#UTpH7%vf!8NNT@ zj6=0@aYK{RN5+naAcS}{7M&^l6-Cl$W5)>fjo3Kh7^v&lT_S0=!o&Jto+e_#Mt$Mc z!CZ~d(|mI@0zYGA35CGnUsM$;rU4uZCb>O47xVJ6y5qh4x8SclWy~5|=_`xt5JrsP ze_)b=02|er=l+&^zIoP_pwFDyp?A9Ko;(~`NSYPz#A5ai`%#v*7C$|y(NK#jSA!3k zE%+0OcXY0*A2e(T^6gOB)8khZDY9*eyIB7h^#!MBgr}%@(Kcr* zZcJ^TSya63o_kYI{vQv)FF~`D9ktgyIH^p2iep=6>_cZ5cFzCp)NhQ8H@z<=hq&Vx z0@wHN<7PI3#K;@koEhA5MIIk>metgS_cV8>d2q!+{87}SD%3+!9{MhywLL*9$&=K922XUP!YIVgkN8mt^OQnIIUyEp>nlrh zbD=DJhhDTtt1mT%g+*pWycIx*Z`b`;dQB!G3Xo*74mAf0(`^ zS5|`bHv!sdsaZRGI~%GjOnTbhy(}ft&dy)Zl&{EqNz3~5hJ4gdE%kR1ib17ohK?%x zKxqwrc^Zk!u-DbH4uf^TV99s|dkb82t z>FZDS-u3IqbAK^%YMM*%@&=i~5ywHwxdf@9I~R5+Y?XDt$MZ3GJ^WDbWn=m;Y1{9q zJ*{*iZ+&R0sn|7qH#hYjL2Y9}Xz1vwdXpzMzk96E-l8mNx#D=;S*>$bPe0A>SJQ}` zR-tzw%`ofWrkaR~d%1c~-;xVnUt0R>7DZlIq3)wMA1T^ObI061;s67o4JwOyEB^IH zMqyToIo#zVLWhf_{foneS;rHyL-pMGjFMpTtxjV?khiWd~mOEVKXtMFi901#wH zUpFG+lk=NWjPW;_HO>2zraA6fYHqtf^`GRDkA+!>Z%D2=GyfJLI$KUIj(PAZ zIJ&B_=8*e#Zx8kn^^NnA!tNK8*_aPK8!lPabv5qS7olWM-`P%*=;Mp&k})nja}LnV 
zcVdx19!7!$ykL%%fy^HaQ>+BViaC5(OCweXNVrX`1ClcN5rPKZjp_m5rS-;8n|eZX z%boYJFjGgm6@b(On7-VFM%*TjfMPCk13osB!~|IZ3gadh`43#GL6ZtgVAAqE?b4)~ zFp))#=Ax*Hp#hdSN1$P-11e@q)RDr&x&jd79EQ$k(k@1k@|qr5=&{Yi)<1ooHXh9a z2s5OqRYD?|LZMh@Y{?iMS3f|rLBQ=I%HGVti0L*sxeSZc{;u6i<(dQT62=v{UrW;s zQM#{78>^3su(M-Dy3bZCZTP%{x^Tg@FOM#rGZF2Z{Yqwpdv6x+=1%YFrexKqdF-1m z39VO4XsI&>0v;at@L<38mLX}^8+%g*$S+ObzCG3{6@9VnpPmy63i5GAg@ax3FSq2+ zJ+*2m_nxO!`bxXNBLRJH88Z5hQT}Vyub4w&Xzw9{JpGMC)x8mJtH0I>G1G|;$j%I1{IzPu|+CYcqObPeZTzNf? zQ@OcnMMQjEoPtxH!JS-Lr^`=A2Atpdp7pM85=*_A@HqEm$MJ&+Vejs~vcBjVLg!TM zGO;}`n*J($*6$jrcEOE@Hh%uS$05q?*=b(a+8{@9XPG?bqMKHr>`BwY0F$M5Lv}A; zi|?T2G|xXb=jFLr^Q-gM^i1sD5$uh1l8m9|Ii%pxzB4}A-|N=n*~87PtK zjEZ8eEb5NcTbaUi*q75EbeZK=e?;3F^eHBLuKAZb*v|G=&4tGSbn32*Itc}nrH{l~ zVv4Yi1wm@80$&Vorjqcg1;JBU;4fv;PhWxi&<~Yuop_DZOLK z{epyByC_Z{BfPZFyWKEbtt?tloo)VEtn4;^G^}}*$qVb>=(iON)ZX=XnV=EShx*s*}u7&dRQ{O*MtFj<;~0U!rUPHawYl_8{-Cd?N~o(Do_ zsK)P=rL;ZJ3=ejJ&hUJ--~h+rL5{-ASr-)lQNB`tQzYeH`ohphhHD7h?#El_*3_n) zNl=e*oWCdEX*bUALs4wSJi@0hNl2&Sv5SY(%?^zodoE(fx(a&b3(Zzt4BO{H&&fJ| zLm{zX!L8f>jf3OMih}$7J*>FV{`}b`t%bR7@5D+RwKwg5P+NNYL(CzA>&cru+Whxe zfJHl|v+ss)>v=n%ZS=S1$E~_6v&D2%Ru|{s;%~R_ZYtikx+h|vP*56RrdFZ)HHz2f zH(hVmQ&njm*Ou=LH9)eqTvOB;&i?WEvc|neDpGvF50haIl%de7iBl}8&;r^3yZ~6M zQDBc)Gc!E6uPn6++T)-w#idmcfjcxJY)-KxI|k=_mNbR}Es0$YfFl0hgn@u*F@L$Z z*R8t+_O-nWdsG1$U_-6}!cW#TIQi-drfDfTp`ry%(bOu)={8K!mx3^S1SIi>G*50` zY<`4iJ-3&5iDGPS6p+Ncxx3u|M90<(ylZ7a_xxT-ghUUxcSqw)Zb;ZW-r!tisBH=&rBjz|^x?wOr+&C2@2@gE!4scoq)4v+{U^ z0!}|#w^OF!z1JhD*4__)4}B>eKIi5bfDwp+1je-;u~uQ0Fhu~`EzNuac@u?|=E^4^ z1Ku^1VLHSHhSd$Rgyu0tvD&9+Pgbl2W*%4tWDL#Yz0f?Kb`hTc7)9E4G78_wFcepa z^0kiY`zbHa2F6fICYb8asiIce8*4}q)C%i%D=1psBu?I l1ygB_)g+a=VM=s?&P`$!_Jj=#OZjJ5+FCRCSd0E0>wgL>%KZQU From 823fba1713d9dc95717b3e942953152d8044fbff Mon Sep 17 00:00:00 2001 
From: Daniel Thayer Date: Fri, 25 Aug 2017 15:39:12 -0500 Subject: [PATCH 202/631] Fix ascii writer to not discard a ".gz" file extension When Bro writes a compressed log, it uses a file extension of ".gz". However, upon log rotation the ascii writer script function "default_rotation_postprocessor_func" was discarding the ".gz" file extension. Fixed so that the correct file extension is preserved after rotation. --- scripts/base/frameworks/logging/writers/ascii.bro | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/scripts/base/frameworks/logging/writers/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.bro index bbf11c26e7..6f2b03aafd 100644 --- a/scripts/base/frameworks/logging/writers/ascii.bro +++ b/scripts/base/frameworks/logging/writers/ascii.bro @@ -79,9 +79,12 @@ export { # runs the writer's default postprocessor command on it. function default_rotation_postprocessor_func(info: Log::RotationInfo) : bool { + # If the filename has a ".gz" extension, then keep it. + local gz = info$fname[-3:] == ".gz" ? ".gz" : ""; + # Move file to name including both opening and closing time. - local dst = fmt("%s.%s.log", info$path, - strftime(Log::default_rotation_date_format, info$open)); + local dst = fmt("%s.%s.log%s", info$path, + strftime(Log::default_rotation_date_format, info$open), gz); system(fmt("/bin/mv %s %s", info$fname, dst)); From 8741d6323a0ba0c30a2837223bc9650bdcad4505 Mon Sep 17 00:00:00 2001 From: Alan Date: Mon, 28 Aug 2017 14:20:37 -0500 Subject: [PATCH 203/631] Fixed typo --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index a1b2729cf4..d6f7125f33 100644 --- a/CHANGES +++ b/CHANGES @@ -850,7 +850,7 @@ 2.4-683 | 2016-07-08 14:55:04 -0700 - * Extendign connection history field to flag with '^' when Bro flips + * Extending connection history field to flag with '^' when Bro flips a connection's endpoints. Addresses BIT-1629. (Robin Sommer) 2.4-680 | 2016-07-06 09:18:21 -0700 
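Review bot: The `dst` built in this hunk is still pasted unquoted into a shell command on the context line `system(fmt("/bin/mv %s %s", info$fname, dst));`, and the change adds one more piece to it. `info$path` and `info$fname` come from the logging configuration, and a filter's path can be computed by script code at run time, so a name containing spaces or shell metacharacters would be interpreted by the shell rather than treated as a file name. Quoting both arguments with the `safe_shell_quote` BIF closes that: `system(fmt("/bin/mv %s %s", safe_shell_quote(info$fname), safe_shell_quote(dst)));`. The remaining lines of `default_rotation_postprocessor_func` are outside the hunk.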
From 1ede6bf7fe4df38b694959bf7bfd80715e3b6cd0 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Sat, 9 Sep 2017 22:25:49 -0700 Subject: [PATCH 204/631] Add TLS 1.3 fix and testcase. It turns out that Chrome supports an experimental mode to support TLS 1.3, which uses a non-standard way to negotiate TLS 1.3 with a server. This non-standard way to negotiate TLS 1.3 breaks the current draft RFC and re-uses an extension on the server-side with a different binary formatting, causing us to throw a binpac exception. This patch ignores the extension when sent by the server, continuing to correctly parse the server_hello reply (as far as possible). From what I can tell this seems to be google working around the fact that MITM equipment cannot deal with TLS 1.3 server hellos; this change makes the fact that TLS 1.3 is used completely opaque unless one looks into a few extensions. We currently log this as TLS 1.2. --- .../protocol/ssl/tls-handshake-protocol.pac | 7 ++++++- .../.stdout | 1 + .../ssl.log | 10 ++++++++++ ...hrome-63.0.3211.0-canary-tls_experiment.pcap | Bin 0 -> 5317 bytes .../base/protocols/ssl/tls13-experiment.test | 16 ++++++++++++++++ 5 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/.stdout create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/ssl.log create mode 100644 testing/btest/Traces/tls/chrome-63.0.3211.0-canary-tls_experiment.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/tls13-experiment.test diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index 6a1988111e..febfce68b9 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac 
@@ -487,7 +487,7 @@ type SSLExtension(rec: HandshakeRecord) = record { EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0); EXT_SIGNED_CERTIFICATE_TIMESTAMP -> certificate_timestamp: SignedCertificateTimestampList(rec)[] &until($element == 0 || $element != 0); EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0); - EXT_SUPPORTED_VERSIONS -> supported_versions: SupportedVersions(rec)[] &until($element == 0 || $element != 0); + EXT_SUPPORTED_VERSIONS -> supported_versions_selector: SupportedVersionsSelector(rec, data_len)[] &until($element == 0 || $element != 0); EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0); default -> data: bytestring &restofdata; }; @@ -495,6 +495,11 @@ type SSLExtension(rec: HandshakeRecord) = record { %include tls-handshake-signed_certificate_timestamp.pac +type SupportedVersionsSelector(rec: HandshakeRecord, data_len: uint16) = case rec.is_orig of { + true -> a: SupportedVersions(rec); + false -> b: bytestring &length=data_len &transient; +} + type SupportedVersions(rec: HandshakeRecord) = record { length: uint8; versions: uint16[] &until($input.length() == 0); diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/.stdout new file mode 100644 index 0000000000..0b7bcb5742 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/.stdout @@ -0,0 +1 @@ +7e01 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/ssl.log new file mode 100644 index 0000000000..c88237dd18 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/ssl.log 
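Review bot: The `false` branch of the new `SupportedVersionsSelector` consumes the server's `supported_versions` bytes without parsing them and carries no comment saying why, which leaves the next maintainer to rediscover the reason from the commit message. A comment above the type would record it, for example `# The server-side extension is not a version list (non-standard TLS 1.3 negotiation); skip data_len bytes rather than parse it as SupportedVersions.` The visibility cost deserves a line as well: per the commit message these sessions are logged as TLS 1.2, so version-based detections will misread them until the server's value is parsed and surfaced. `data_len` is passed in from `SSLExtension`, whose field list starts outside the first hunk.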
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-09-10-05-23-15 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string +1505019126.007778 CHhAvVGS1DHFjwGM9 192.168.0.2 62873 104.196.219.53 443 TLSv12 TLS_AES_128_GCM_SHA256 x25519 tls.ctf.network T - - T - - - - - - +#close 2017-09-10-05-23-16 
diff --git a/testing/btest/Traces/tls/chrome-63.0.3211.0-canary-tls_experiment.pcap b/testing/btest/Traces/tls/chrome-63.0.3211.0-canary-tls_experiment.pcap new file mode 100644 index 0000000000000000000000000000000000000000..2b8040b10907ac1de7dc37ddab9c21bb8cbd7595 GIT binary patch literal 5317 zcmdUzcUTkMwudJPB~)nvM0)QXLg*j@QX)l^&_sGuiXb2;Afli^01*h%5g{~DdJ#gA zqJW}QK@m}USER$4=)K?f=y&cpf8UvB<(bLOe%G44e|u%G8Ek)+3k67kzYh`s0^V$P zRAC5|v;Z2sCfXoL-!@NgkW6c*MjISB1pu1uq?&*x*%ews5dd}T7+2WDK^jL*@mGkX z3h2?1StS5KNl2?8Fc>KW0;iN+l*=Kukw5|92S`6)2LJ=`o@l?gzkGmnZa@`u0LYVR zZ4=2v50J)9TnuSBGw8uThv72tSnnr2mIMl?v<+-nC(=Pr@PS4{Y$t)iNk|~1 zFgPhG1WrZKRV-8ncGR%u{nf0_+3>BLyh`O(OAOECgsH1%BF}MA9k*H<2i0|9=tH?0zSLLItjYlD`Ur z6^l)ry#ZkY-9sQO;HMzRf}ObMqw{v(Z7`3h zbbPbY?-MOjvNn`QFNHLwa!0=2#I3@T~N($V(w(fhC?`WmdbFq3FD;2w!lg@A2 z`HGv)A25D0X)2*6A;%DAKD8)I54u~?T*?xmP(_PwZZNOpRIqeC8_>M@K$+nEYX_c69cA6@X;;*tzX{wgjbSEuN` zMJj#& zrErO|)wzT~CuHVuzPYI2iR!P`_~;t;op0&7M~$l3)1K1z4Fk6c&8KB=nFr@k*clFB z5BnU;#wN=l+`Gqv+UL$N`S{6IS8;kDLYGyV|Cax*uOb>_=}1Jv9tH z^(DMk$&uTjFSA?&*XkY?X~yz0k*c&Man>!!==iOnlTm>TnP^gbz0+tj${_M@vR-bt zU%|8k>+>pecRIunaE;;BbBqISy_0TXDQL@5a@EP^Bqg@E`zPiaLe@=lDFdy#W@V%K zs+XN39+{>%(d@>##~cQ=*q@+No7BC|HTxj`Q}b+~TX!V?dfPb&wN;Uoy|Ka}Z34;c@#1EC-dRB2Tq+CNiWjtFZn! 
z908i3qdQa?3tnwf+Ra=w&lNlw=nD;)XY9|7cu-i3hz9l*lhM)rc(N8O?fnXaE&J9I z`!OoH;?*Y2i2LO85REJh$8;%LG4T`X>S+3p&BSjPUiWZVBv@9Z=5qWk@A=^GQ3NhzxkfhT zQMyrQ%%ZlN!>_ZJk;q23mt9ne0r17vDFKr43oJ6Xj5Izljyc; z1?E2M^O^ZtyOoH!4g^l>xg@*X`@l*9cZDW*RMB$F(`)!a`^Q0k*#0ZWu{+aGsPM3r%*s^1bU@7L?eYIHqx1aC=ofy^=#{De`yatn{(DC67cYj;J{)-5 z_CU_qoDDKDzw7`rn4I$Tt1Py=7upsaZyuMfdcz9(jf8^)#u3tfGN`dEIf~qQNdwP) zdwJ;Hr_Q`Gwf?=Y4h^aM;Wr}5*RIE0IIR}!N4+Gxd^3Wc!A(WM(;+x{JfS<;{H)kD z2^hw#cZ4u>wM!zEg7cXki)?5kHas#^rO>W`d| z$E}^aEGbdQ`6Jnkiye|_sp}e4vaADGm)r5YdZfZIk@JOEV?DtqgHc5y6LaR?Qws`C z&(C+}T31T3T)NR^Ikhi9U3DGlnFTLsFYveY5|4(M(BH;vEbIR;;2T-oV?NXqz-vP7 zKP;rA?-kleD|1x0=4A?>Rd6?|vkJ|s6Pd6k|6a#7FuoX*tWJJmUWMeuhmRJwq8DbH z`|dngGe~(Q^2J;nYlYC+cD+*4-VAjp&S6&)-eiB3v`^v_W|!fb)*54_P_BG56VuDp zL;mh2Uudx47R!e092qNp%lLZk+jcm7OgM zopDbf==jbkDy0fyJEV?tFswWflpnR3e@7XhO2DKi-%4b`mhQ2={r}8>!eTVP_u^6@uyj9DW6w}M2^DbrZ|p&TdSkq92f9Me%MPJ{ES}oOi#HYj$09bbp5dJ$Nzngfe?j9T1b3Kp!r6_Dzwr z$h4gQIW{l0NO<5_NfaM%=N8Gaw65aw2fHC&A+F18!`cns2_~Wiv%*QmPXx?ZtS{v~ zl5pv-`Mim*ZE+tM-q7F1CGnUFQ>63UHZaO(jkF5RT@gCpT_?%JT_9vz#ATo8)fTFS zlDN!6I}-U-&N`p*RbG*9KK1lF%WWqHe*Ts0&)GvTVZ+h+!7Uau>6ipvN)^d{C))gu z?6C_^po0%CV{%pJic|xws@RpU3yFyO9<5rAFiwt4n?4G%U7R8$-(#D%#&KPgld*dE z9M3ete`#30UEgBIYr9wEj9U2;>d@HBLvjbJEmX8uShINH-b^&@RjSrQaDNFouKh(Z zQp!n}qG{>cdy^Xs0jb&Ziu*OkCA`ZyI~ip}-0#$AwM+>H9ph5JMh_?N-=@@@q_=mj z-a>lGak>*TdMB9CEy3L|(f-_{LktkS#EdT1{d-2Q|F!F91-_O={hra0{ZS6peH+-u z9{sBht*CXKTQ-6%G@1peStma7NUUYvzu4)c$8`X>=d|BResK0%L5GsEJc8pAd(`nT z%MaVFF@x4KT)FNNp0yK)EcHTr5C$5JF+*cqyt3!fE+0xGl0IQfN$YMMHOhXRr?I;l zH6!3adOy%ke%KYVXrY^v-fKi^monC)cJKQQlupH6 z2Q+WuiCcdK*W5h>>grx;)uH8Wk4Caf`Xiy>ljI~RJd#g^I(js{LPj`=wQ5vVe$Bf3 zno~Na2b#a%LLBE+aGbTlI+1997VUt%b_cO&|7QJr(Owc9Ls}2M1~@h-VEAjCWf$d5 zh!xg3M0YMCLvvQ)XSE`E1QW zBaW>jKTwqTj8mg9;2aeAX@9B{s*m6!s#CP*cXc*MfcuU5a8RB4cm7f*4{_v(Gk9>2 z*JGLiI4f#MtQ%UYw@F%MWYjtp(Wntj7TKS}++qW8vTnIc(546o%5tv*Gtupe7dsoy zYAq8!t^%n80iPM>H$j!INqc-&url3Pc zqFVRkrl2Y0Vl)2eICYx0ThnsmuEP&$de}wlY<$}@^OjEep>cH{Zxw4qzB?jWaP%Ir 
z6#29BPsMkgO%Cqflg?SJ<|(Jj8D)CeX2jV#V|0%o#Kk{w10> zsown%U4rYM6r|kNMn)8d1%6RwJ+ZBMQefp!0Ak(Ncmi*7ckeMKQfRvB``cTQyybP_ zUZOXd7vv-hur=y9Q?i5a^xQs4fdio^GFR%2r3yqqk&SCcHhkZ=x~C?RHl!o)ERFBW z#|(Dw7&LW7EhPu-#iPw#&Fd7$+7i$C6rMmX=RdifN#l47FhR_W<9OjD&uG}#G5dDd zh%hC^sY`wzk}dDzvBj4wx|gGC@J)iARZH2rnnDQGkPE@GPlmTuwiB2FO&{*`WO&#! zpS%xc=_M#h>bP}L5jy9h0N7>Iz4Y;^w&upiG8G|iVi7-7JR6vr+a^s(Drig1Tb80r tnFm|)-w;)X8iW0ZwFz_j`9iJf58c Date: Mon, 11 Sep 2017 09:26:33 -0700 Subject: [PATCH 205/631] Fix small OCSP parser bug. It turns out that the serial number field in all events was never populated correctly. Instead, the previous field (issuer key hash) was re-read and repeated in all events. --- src/file_analysis/analyzer/x509/OCSP.cc | 1 + .../.stdout | 2 +- .../ocsp.log | 6 +++--- .../.stdout | 2 +- .../.stdout | 4 ++-- .../ocsp.log | 6 +++--- .../.stdout | 2 +- .../ocsp.log | 6 +++--- .../.stdout | 16 ++++++++-------- .../ocsp.log | 12 ++++++------ 10 files changed, 29 insertions(+), 28 deletions(-) diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 2b3d9f5fd2..02c9274999 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -71,6 +71,7 @@ void ocsp_add_cert_id(OCSP_CERTID *cert_id, val_list* vl, BIO* bio) BIO_reset(bio); i2a_ASN1_INTEGER(bio, cert_id->serialNumber); + len = BIO_read(bio, buf, sizeof(buf)); vl->append(new StringVal(len, buf)); BIO_reset(bio); } diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout index 4678baf15d..45bec12af2 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/.stdout 
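Review bot: The result of the added `BIO_read` goes straight into `new StringVal(len, buf)` without a check, and `BIO_read` returns 0 or a negative value when nothing could be read. The serial number is parsed from OCSP messages seen on the wire, so a failed or empty read should not become a string length; a guard such as `if ( len < 0 ) len = 0;` directly after the read keeps the event value well-defined. What `StringVal` does with a negative length is not visible here, which is the reason to rule it out at this point. If the earlier fields in `ocsp_add_cert_id` use the same read-then-append pattern (they are outside this hunk, as is the declaration of `buf`), the same guard applies there.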
@@ -1,3 +1,3 @@ ocsp_response_status, successful -ocsp_response_certificate, sha1, F2E06AF9858A1D8D709B4919237AA9B51A287E64, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, good, 0.0, , 1436577056.0, 1437181856.0 +ocsp_response_certificate, sha1, F2E06AF9858A1D8D709B4919237AA9B51A287E64, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 3D474496FF942316, good, 0.0, , 1436577056.0, 1437181856.0 ocsp_response_bytes, successful, 0, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 1436577056.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log index bdb8384676..3c092fce95 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-http-get/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-10-23-35-49 +#open 2017-09-11-16-24-17 #fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate #types time string string string string string string time string time time -1436909712.329517 Ft368Gc1ce0Juvj0d sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 4ADD06161BBCF668B576F581B6BB621ABA5A812F good - - 1436577056.000000 1437181856.000000 -#close 2017-02-10-23-35-50 +1436909712.329517 Ft368Gc1ce0Juvj0d sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 3D474496FF942316 good - - 1436577056.000000 1437181856.000000 +#close 2017-09-11-16-24-17 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout index ca94887c05..293ea05c75 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout 
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-only/.stdout @@ -1,2 +1,2 @@ request, 0, -request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE +request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 081C862DC8AAC9 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout index 3996bbd84f..0f3ad8f536 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/.stdout @@ -1,5 +1,5 @@ request, 0, -request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE +request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 081C862DC8AAC9 ocsp_response_status, successful -ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, good, 0.0, , 1434665014.0, 1434794614.0 +ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 081C862DC8AAC9, good, 0.0, , 1434665014.0, 1434794614.0 ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log index 3707e84c48..a2ea3b6893 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log 
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-request-response/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-11-00-00-41 +#open 2017-09-11-16-24-41 #fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate #types time string string string string string string time string time time -1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE good - - 1434665014.000000 1434794614.000000 -#close 2017-02-11-00-00-41 +1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 good - - 1434665014.000000 1434794614.000000 +#close 2017-09-11-16-24-41 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout index 230e80b4cd..7ca240f05c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/.stdout @@ -1,3 +1,3 @@ ocsp_response_status, successful -ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, good, 0.0, , 1434665014.0, 1434794614.0 +ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 081C862DC8AAC9, good, 0.0, , 1434665014.0, 1434794614.0 ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log index e897453b5c..306819f251 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-only/ocsp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-11-00-00-52 +#open 2017-09-11-16-24-53 #fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate #types time string string string string string string time string time time -1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE good - - 1434665014.000000 1434794614.000000 -#close 2017-02-11-00-00-52 +1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 081C862DC8AAC9 good - - 1434665014.000000 1434794614.000000 +#close 2017-09-11-16-24-53 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout index 545f761acc..5e444491b2 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/.stdout 
@@ -1,20 +1,20 @@ request, 0, -request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 010BF45E184C4169AB61B41168DF802E ocsp_response_status, successful -ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1431615529.0, superseded, 1436286514.0, 1443489162.0 +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 010BF45E184C4169AB61B41168DF802E, revoked, 1431615529.0, superseded, 1436286514.0, 1443489162.0 ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436286514.0, sha1WithRSAEncryption request, 0, -request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 013D34BFD6348EBA231D6925768ACD87 ocsp_response_status, successful -ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1422391081.0, unspecified, 1436304214.0, 1443597239.0 +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 013D34BFD6348EBA231D6925768ACD87, revoked, 1422391081.0, unspecified, 1436304214.0, 1443597239.0 ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436304214.0, sha1WithRSAEncryption request, 0, -request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 
0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4 ocsp_response_status, successful -ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1432792428.0, (UNKNOWN), 1436238224.0, 1443473859.0 +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0150C0C06D53F9D39205D84EFB5F2BA4, revoked, 1432792428.0, (UNKNOWN), 1436238224.0, 1443473859.0 ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436238224.0, sha1WithRSAEncryption request, 0, -request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A +request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 017447CB30072EE15B9C1B057B731C5A ocsp_response_status, successful -ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1421494379.0, keyCompromise, 1436321024.0, 1443459307.0 +ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 017447CB30072EE15B9C1B057B731C5A, revoked, 1421494379.0, keyCompromise, 1436321024.0, 1443459307.0 ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436321024.0, sha1WithRSAEncryption diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log index 58b226320d..387342197a 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log 
@@ -3,11 +3,11 @@ #empty_field (empty) #unset_field - #path ocsp -#open 2017-02-11-00-00-56 +#open 2017-09-11-16-25-05 #fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate #types time string string string string string string time string time time -1438374032.607476 Ftl4F41OsGtUDrOTWc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1431615529.000000 superseded 1436286514.000000 1443489162.000000 -1438374032.731983 FXISxH2UuTiDn0qCa1 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1422391081.000000 unspecified 1436304214.000000 1443597239.000000 -1438374032.848476 F3OYfx3A0JvMX787V3 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1432792428.000000 (UNKNOWN) 1436238224.000000 1443473859.000000 -1438374033.033189 FVty9v3KTnCvbg0Xf2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1421494379.000000 keyCompromise 1436321024.000000 1443459307.000000 -#close 2017-02-11-00-00-56 +1438374032.607476 Ftl4F41OsGtUDrOTWc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 010BF45E184C4169AB61B41168DF802E revoked 1431615529.000000 superseded 1436286514.000000 1443489162.000000 +1438374032.731983 FXISxH2UuTiDn0qCa1 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 013D34BFD6348EBA231D6925768ACD87 revoked 1422391081.000000 unspecified 1436304214.000000 1443597239.000000 +1438374032.848476 F3OYfx3A0JvMX787V3 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0150C0C06D53F9D39205D84EFB5F2BA4 revoked 1432792428.000000 (UNKNOWN) 1436238224.000000 
1443473859.000000 +1438374033.033189 FVty9v3KTnCvbg0Xf2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 017447CB30072EE15B9C1B057B731C5A revoked 1421494379.000000 keyCompromise 1436321024.000000 1443459307.000000 +#close 2017-09-11-16-25-05 From 1a6b6f2586556ca0fdaee2dbae6a04936cda08dd Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 11 Sep 2017 21:02:07 -0500 Subject: [PATCH 206/631] Updating CHANGES and VERSION. --- CHANGES | 7 +++++++ VERSION | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index a1b2729cf4..2bd08b9cf1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,11 @@ +2.5-297 | 2017-09-11 09:26:33 -0700 + + * Fix small OCSP parser bug; serial numbers were not passed to events + (Johanna Amann) + + * Fix expire-redef.bro test. (Daniel Thayer) + 2.5-294 | 2017-08-11 13:51:49 -0500 * Fix core.truncation unit test on macOS. (Jon Siwek) diff --git a/VERSION b/VERSION index 303202a260..a5ed34e608 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-294 +2.5-297 From 75647a448c2efa84c79b4788e4f1740572daf524 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 15 Sep 2017 12:15:54 -0500 Subject: [PATCH 207/631] Add test to verify that log rotation works with gzipped logs --- .../frameworks/logging/ascii-gz-rotate.bro | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro b/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro new file mode 100644 index 0000000000..2a1c388322 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro 
@@ -0,0 +1,25 @@ +# Test that log rotation works with compressed logs. +# +# @TEST-EXEC: bro -b %INPUT +# @TEST-EXEC: gunzip test.*.log.gz +# + +module Test; + +export { + redef enum Log::ID += { LOG }; + + type Log: record { + s: string; + } &log; +} + +redef Log::default_rotation_interval = 1hr; +redef LogAscii::gzip_level = 1; + +event bro_init() +{ + Log::create_stream(Test::LOG, [$columns=Log]); + + Log::write(Test::LOG, [$s="testing"]); +} From 7e374f8c3f800b7fc2cdd4cf36dab753d3013754 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Fri, 15 Sep 2017 20:30:39 -0500 Subject: [PATCH 208/631] Updates the SSH analyzer to support the "curve25519-sha256" KEX. From the OpenSSH 7.4 changelog: sshd(8), ssh(1): Support the "curve25519-sha256" key exchange method. This is identical to the currently-supported method named "curve25519-sha256@libssh.org". --- src/analyzer/protocol/ssh/ssh-protocol.pac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac index 28b0379999..3b147f6b6e 100644 --- a/src/analyzer/protocol/ssh/ssh-protocol.pac +++ b/src/analyzer/protocol/ssh/ssh-protocol.pac @@ -410,7 +410,7 @@ refine connection SSH_Conn += { return true; if ( update_kex_state_if_equal("ecmqv-sha2", KEX_ECC) ) return true; - if ( update_kex_state_if_equal("curve25519-sha256@libssh.org", KEX_ECC) ) + if ( update_kex_state_if_startswith("curve25519-sha256", KEX_ECC) ) return true; From 5afde3f0e56d17e706274fa6e0f67f7060fb80e8 Mon Sep 17 00:00:00 2001 From: "John E. Rollinson" Date: Sun, 17 Sep 2017 14:59:41 -0400 Subject: [PATCH 209/631] Changes proposed in #104 --- src/analyzer/protocol/gssapi/gssapi-analyzer.pac | 10 +++++----- src/analyzer/protocol/gssapi/gssapi-protocol.pac | 6 ++++-- 2 files changed, 9 insertions(+), 7 deletions(-) 
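Review bot: The prefix test added in the `ssh-protocol.pac` hunk classifies every key-exchange name that begins with `curve25519-sha256` as `KEX_ECC`, not only the two names the commit message cites. A later or vendor-specific method that shares the prefix but uses a different message flow would presumably be parsed with the ECC state and mis-decode the following KEX messages. Two exact comparisons keep the match tight: keep the existing `curve25519-sha256@libssh.org` line and add `if ( update_kex_state_if_equal("curve25519-sha256", KEX_ECC) ) return true;`. The enclosing function starts and ends outside the hunk.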
diff --git a/src/analyzer/protocol/gssapi/gssapi-analyzer.pac b/src/analyzer/protocol/gssapi/gssapi-analyzer.pac index 64e8dd5e50..4290c7bbef 100644 --- a/src/analyzer/protocol/gssapi/gssapi-analyzer.pac +++ b/src/analyzer/protocol/gssapi/gssapi-analyzer.pac @@ -28,8 +28,8 @@ refine connection GSSAPI_Conn += { function forward_blob(val: GSSAPI_NEG_TOKEN_MECH_TOKEN, is_orig: bool): bool %{ - if ( ${val.mech_token}.length() >= 7 && - memcmp("NTLMSSP", ${val.mech_token}.begin(), 7) == 0 ) + if ( val->oid()->meta()->length() >= 7 && + memcmp("NTLMSSP", val->oid()->content().begin(), 7) == 0 ) { // ntlmssp if ( ! ntlm ) @@ -38,9 +38,9 @@ refine connection GSSAPI_Conn += { if ( ntlm ) ntlm->DeliverStream(${val.mech_token}.length(), ${val.mech_token}.begin(), is_orig); } - else if ( ${val.mech_token}.length() == 9 && - (memcmp("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", ${val.mech_token}.begin(), ${val.mech_token}.length()) == 0 || - memcmp("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02", ${val.mech_token}.begin(), ${val.mech_token}.length()) == 0 ) ) + else if ( val->oid()->meta()->length() == 9 && + (memcmp("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", val->oid()->content().begin(), val->oid()->meta()->length()) == 0 || + memcmp("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02", val->oid()->content().begin(), val->oid()->meta()->length()) == 0 ) ) { // krb5 && ms-krb5 if ( ! krb5 ) diff --git a/src/analyzer/protocol/gssapi/gssapi-protocol.pac b/src/analyzer/protocol/gssapi/gssapi-protocol.pac index abd58d7a4d..224ee1c886 100644 --- a/src/analyzer/protocol/gssapi/gssapi-protocol.pac +++ b/src/analyzer/protocol/gssapi/gssapi-protocol.pac @@ -50,7 +50,9 @@ type GSSAPI_NEG_TOKEN_RESP_Arg = record { }; type GSSAPI_NEG_TOKEN_MECH_TOKEN(is_orig: bool) = record { - meta : ASN1EncodingMeta; - mech_token : bytestring &length=meta.length; + meta : ASN1EncodingMeta; + mech_token_meta : ASN1EncodingMeta; + oid : ASN1Encoding; + mech_token : bytestring &restofdata; }; 
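Review bot: Both rewritten conditions in `forward_blob` (this hunk and the `@@ -38,9 +38,9 @@` one) bound the `memcmp` with `val->oid()->meta()->length()` but read from `val->oid()->content()`. The read therefore stays in bounds only if the parsed content is always at least as long as the encoded length claims, and that guarantee is not visible here. Checking the buffer that is actually read removes the dependency: `val->oid()->content().length() >= 7` and `val->oid()->content().length() == 9`. Separately, the first branch now compares the OID bytes with the ASCII string `"NTLMSSP"`, which looks like the signature at the start of an NTLM message rather than an OID value, so it is worth confirming against a trace that this branch still fires.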
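Review bot: In `GSSAPI_NEG_TOKEN_MECH_TOKEN`, `mech_token` is no longer bounded by an encoded length. `&restofdata` takes everything left in the record, and the newly parsed `mech_token_meta` length is never used. Any bytes that trail the token are then delivered to the NTLM or KRB5 analyzer by `forward_blob` as part of it. Either derive a `&length` for `mech_token` from the parsed metas, or add a comment naming the enclosing length that bounds this record, so the limit on attacker-supplied data is explicit.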
From 9ad93a507704c24c91879f863f34d0fac64c9526 Mon Sep 17 00:00:00 2001 From: "John E. Rollinson" Date: Sun, 17 Sep 2017 16:13:10 -0400 Subject: [PATCH 210/631] Initial btest structure --- testing/btest/Traces/krb/smb_gssapi.trace | Bin 0 -> 2859 bytes .../scripts/base/protocols/krb/smb_gssapi.test | 10 ++++++++++ 2 files changed, 10 insertions(+) create mode 100755 testing/btest/Traces/krb/smb_gssapi.trace create mode 100644 testing/btest/scripts/base/protocols/krb/smb_gssapi.test 
diff --git a/testing/btest/Traces/krb/smb_gssapi.trace b/testing/btest/Traces/krb/smb_gssapi.trace new file mode 100755 index 0000000000000000000000000000000000000000..140ce3a914c549bc97ebe2fc6e60e36f4dc8a275 GIT binary patch literal 2859 zcmc&#c|4Ts7k}QFcLrmvY-JlNKM`J|kRl_lCB{z4ZV+NHxt6jGEy`XhlI*lx+*Bfa zLMU$GC)8EarY?n)V($Bn&vkFQpWnZ~cRuHxGtW8a`<(N9&pfB^&b53TfWhAn3?TFe zuT+fT)CoSIi|UvF-~u2$ASe^3D$WfI0YLbr^*}5!&5tCm_ktwOy&3L;>Lq(igfZVB z9GmUL1ONvUu0s%v`vHxE0|Y!KI1hJ+zP^>9}iyZknaC=#^VAgD>> zM>KQ^VDdw53jAbFZb2(@6G0K{EQQ!?XUD%QY((QR`2pouepw79_2s{!h@&WDoUkKo z8*}{-Ocl53;H)ga*oz$11K=!ok!gmu4i?tC$(Gg@M%GkwvYHA4aAs7RIhDpy9ee}n zj4&qIn-M~GV1)SlgfK#bm}GSoHFwm{Tup_t2SF%*g-}$~0FGu$HZvz9Dr%Hv!UoYD zFlWK>^i(oGhK~1L;q7}=N^30V@9_YIn5s6Afh(N&Q=^)$l)*@m= z9>t@^thvTwbs%F>gWyL~{(KCn5FcxYSPtrn=Rz^G$? z2#n8h_yspB_N3;wc8iT~K7N&69pKO1k&>*m$AUrHJ~Bj#L~>eBu7ML}5SU z->c`dr>ADRN7CLjZ1IUSZ6Ut@mJmIDEWXr)I+a!?PI*(KO%}|Zu_*aAJfjTC&YZ~l z_(yfcKWKgT@ zV%R!ZKX;Aa(LNcc_O_BPr^z758@pDtDSJeeFzU7e_(TU?i+Z@^nT^Lb$4`d1z=TvyyQ?qWoA z&^AJc{|(|E&6uK$FmwL&vc$8?gV^*q;i@iG{KIK?0P6UW;*J>d}Mn|^V zk&9BUmLB=?kv-QmqB-Fn#&pjHeinrt=}Ez|S;42*d={&%m*n=OqJF?37aq1&lM}oo~r;{VX%r<7zmy<{3$M zaD&o>tMD(;irK7Prt)~lU5IsH3_aylPNPppS@HCcqeZ>oi@P6sOos>$T5EM6u4(Ra z9i7uPV|T;FYLEIyKMWnkDfh^B)43u-NBVYBqs=_@TNyeT>6NNZC%o<((lw+k?wT&X zE-64!(j%rf39DN#kLtTAh@%HvVPEmyf4)34e zbX@9U=36`aW{=+=Fyx%XlDLW^OhhlFjvLNBEz4fWn)_^;rqDQZ<(ZyHM*q8;7qs(QS3h>|0$z@6kT~3>P(3B6z*2M{zZo;uRxWY z&~^9gUdrvZ*~ZBtUcp(Zn1g1)9s%VC#@sX?8fF`5xAfS54)M$Q5MVVNG;6D(t+X+w z`ekm_B}en2yoqE-%6Of_nZa!;jZs)`hApKpF|n8j;L0u48%#hx_UhJC^L3= z|HP5Gvp)8<^QE#ze;vDKfh$FE4M^PWrGI{06&zRjTCme_ad)(B>UxFd)Q_j_@zntv z?Mu34thSvK9eAc4_@rN0iqh~%R3n^Nalz@<)Q(BUc;}W=NK|K&wnTVUSkjzyf!WS{ z_1)xGiQ27}M`AYB$yJTZzyWKc=)C8fSvW z>D3Ov7X&U(xHIVOh{?*E9~|dj&l&st-{1UKtvNTpINRB|763Y6fH1&B?^p^z&<_RG zY=9RC0Y9U=c%m8^SORxc^XK?rei|H40G9IjH-xP~1*may!sgSLc0SMv0gkMk!%$r! 
zXAaxyd_RXPTqJw1Uc=^aUke5Vr7h2=b6m#(kTkp8)2k3zvoRg;LS9fl z3*tgp5Izr2f*uYlqJCbj)@>_>SJ829X zKGLukR1*E`RlXYSE7^tgp+de!@(+vO^ Q0}Eh>_J#>+H9`^o1Xu Date: Sun, 17 Sep 2017 21:25:59 +0000 Subject: [PATCH 211/631] Added and verified correct test results --- .../scripts.base.protocols.krb.smb_gssapi/kerberos.log | 10 ++++++++++ .../btest/scripts/base/protocols/krb/smb_gssapi.test | 5 +++-- 2 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.krb.smb_gssapi/kerberos.log diff --git a/testing/btest/Baseline/scripts.base.protocols.krb.smb_gssapi/kerberos.log b/testing/btest/Baseline/scripts.base.protocols.krb.smb_gssapi/kerberos.log new file mode 100644 index 0000000000..d55cd5281a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.krb.smb_gssapi/kerberos.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path kerberos +#open 2017-09-17-21-25-06 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p request_type client service success error_msg from till cipher forwardable renewable client_cert_subject client_cert_fuid server_cert_subject server_cert_fuid +#types time string addr port addr port string string string bool string time time string bool bool string string string string +1165958411.822000 CHhAvVGS1DHFjwGM9 10.24.64.228 1227 10.24.8.44 445 - - - - - - - - - - - - - - +#close 2017-09-17-21-25-06 diff --git a/testing/btest/scripts/base/protocols/krb/smb_gssapi.test b/testing/btest/scripts/base/protocols/krb/smb_gssapi.test index 5cc223657b..f4995cd2f6 100644 --- a/testing/btest/scripts/base/protocols/krb/smb_gssapi.test +++ b/testing/btest/scripts/base/protocols/krb/smb_gssapi.test 
@@ -3,8 +3,9 @@ # SMB authentication event and therfore relies on the SMB # analyzer as well. -# @TEST-EXEC: bro -b -r $TRACES/krb/smb_gssapi.trace %INPUT +# @TEST-EXEC: bro -b -C -r $TRACES/krb/smb_gssapi.trace %INPUT # @TEST-EXEC: btest-diff kerberos.log +# @TEST-EXEC: btest-diff-rst scripts.base.protocols.krb @load base/protocols/krb -@load base/protocols/smb +@load policy/protocols/smb From a4d25c882870ee1517898896e02cc09a2821b623 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 18 Sep 2017 11:38:14 -0700 Subject: [PATCH 212/631] Make "in" keyword work with binary data. This switches in from using strstr to use strnstr (implementation from FreeBSD on systems which do not bring their own implementation). It is especially likely that users come accross this when using the DATA_EVENT analyzer with files that contain binary data - the test uses exactly this case. --- src/Expr.cc | 5 ++--- .../.stderr | 0 .../.stdout | 3 +++ .../scripts/base/files/data_event/basic.bro | 20 +++++++++++++++++++ 4 files changed, 25 insertions(+), 3 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.files.data_event.basic/.stderr create mode 100644 testing/btest/Baseline/scripts.base.files.data_event.basic/.stdout create mode 100644 testing/btest/scripts/base/files/data_event/basic.bro diff --git a/src/Expr.cc b/src/Expr.cc index 9927ca52ec..bea43ff7c4 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -4351,9 +4351,8 @@ Val* InExpr::Fold(Val* v1, Val* v2) const const BroString* s1 = v1->AsString(); const BroString* s2 = v2->AsString(); - // Could do better here - either roll our own, to deal with - // NULs, and/or Boyer-Moore if done repeatedly. - return new Val(strstr(s2->CheckString(), s1->CheckString()) != 0, TYPE_BOOL); + // Could do better here e.g. Boyer-Moore if done repeatedly. + return new Val(strstr_n(s2->Len(), s2->Bytes(), s1->Len(), reinterpret_cast(s1->CheckString())) != -1, TYPE_BOOL); } if ( v1->Type()->Tag() == TYPE_ADDR && 
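Review bot: The needle in `InExpr::Fold` is still fetched with `s1->CheckString()` while its length comes from `s1->Len()`, so only the haystack side of the search is binary-safe. As far as I know, `CheckString()` rejects strings with embedded NULs and hands back a placeholder, in which case `strstr_n` would compare `s1->Len()` bytes of a different, possibly shorter buffer. Using the raw bytes on both sides avoids that and should make the cast unnecessary: `strstr_n(s2->Len(), s2->Bytes(), s1->Len(), s1->Bytes()) != -1`. The added test only covers a NUL-free needle (`"Windows"`), so a case with a NUL in the left operand would be worth adding. The function body starts and ends outside the hunk.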
diff --git a/testing/btest/Baseline/scripts.base.files.data_event.basic/.stderr b/testing/btest/Baseline/scripts.base.files.data_event.basic/.stderr new file mode 100644 index 0000000000..e69de29bb2 diff --git a/testing/btest/Baseline/scripts.base.files.data_event.basic/.stdout b/testing/btest/Baseline/scripts.base.files.data_event.basic/.stdout new file mode 100644 index 0000000000..ddfdf71f06 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.data_event.basic/.stdout @@ -0,0 +1,3 @@ +Found +Found +Found diff --git a/testing/btest/scripts/base/files/data_event/basic.bro b/testing/btest/scripts/base/files/data_event/basic.bro new file mode 100644 index 0000000000..2877155ebb --- /dev/null +++ b/testing/btest/scripts/base/files/data_event/basic.bro @@ -0,0 +1,20 @@ +# Just a very basic test to check if ANALYZER_DATA_EVENT works. +# Also check if "in" works with binary data. +# @TEST-EXEC: bro -r $TRACES/pe/pe.trace %INPUT +# @TEST-EXEC: btest-diff .stdout +# @TEST-EXEC: btest-diff .stderr + +event stream_data(f: fa_file, data: string) + { + if ( "Windows" in data ) + { + print "Found"; + } + } + +event file_new (f: fa_file) + { + Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, + [$stream_event=stream_data]); + } + From c1f8e3baec94752cc8d38bae64d03f4961beef8c Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 18 Sep 2017 14:07:12 -0700 Subject: [PATCH 213/631] Remove annoying error message from connsize bifs. The connsize bifs used to output a reporter message when they could not find the associated connection. This patch disables this message; it is not useful and can happen during normal operation when trying to use thresholding on short-lived connections. This case is still reported by the boolean value that the respective functions return. --- src/analyzer/protocol/conn-size/functions.bif | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/src/analyzer/protocol/conn-size/functions.bif b/src/analyzer/protocol/conn-size/functions.bif index a05359a17b..225e9db913 100644 --- a/src/analyzer/protocol/conn-size/functions.bif +++ b/src/analyzer/protocol/conn-size/functions.bif @@ -5,10 +5,7 @@ static analyzer::Analyzer* GetConnsizeAnalyzer(Val* cid) { Connection* c = sessions->FindConnection(cid); if ( ! c ) - { - reporter->Error("cannot find connection"); return 0; - } analyzer::Analyzer* a = c->FindAnalyzer("CONNSIZE"); if ( ! a ) From 2a873f5aeddb1dc161c0ff64e566461bf225d9dc Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 18 Sep 2017 14:33:22 -0700 Subject: [PATCH 214/631] Prevent crash when calling bro -U [unwritable destination] set_processing_status can be called before reporter is initialized or after it is deleted. Work around by sending data to stderr instead. Patch by Thomas Petersen. --- src/util.cc | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/util.cc b/src/util.cc index acfcb19573..a035da1739 100644 --- a/src/util.cc +++ b/src/util.cc @@ -1397,8 +1397,12 @@ void _set_processing_status(const char* status) { char buf[256]; strerror_r(errno, buf, sizeof(buf)); - reporter->Error("Failed to open process status file '%s': %s", - proc_status_file, buf); + if ( reporter ) + reporter->Error("Failed to open process status file '%s': %s", + proc_status_file, buf); + else + fprintf(stderr, "Failed to open process status file '%s': %s\n", + proc_status_file, buf); errno = old_errno; return; } From fc33bf2014704fe0ae512b76dae64de7fc5e83ac Mon Sep 17 00:00:00 2001 
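Review bot: The `if ( reporter )` guard added in `_set_processing_status` covers the after-deletion case named in the commit message only if the global is reset to null when the reporter is destroyed. That is not visible in this hunk, and a dangling non-null pointer would still be dereferenced. It is worth confirming that the teardown path clears `reporter` after the delete, or stating that assumption in a comment next to the guard. The function body starts and ends outside the hunk.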
From: Johanna Amann Date: Mon, 18 Sep 2017 14:43:42 -0700 Subject: [PATCH 215/631] Make strerror_r portable. This uses the same code that broker already uses to determine if we use the XSI or gnu version of strerror_r. Patch by Thomas Petersen. --- CHANGES | 18 +++++++++++++ VERSION | 2 +- src/File.cc | 8 +++--- src/Flare.cc | 2 +- src/Pipe.cc | 2 +- src/PolicyFile.cc | 2 +- src/analyzer/protocol/tcp/TCP_Endpoint.cc | 2 +- src/file_analysis/analyzer/extract/Extract.cc | 2 +- src/input/readers/raw/Raw.cc | 6 ++--- src/logging/writers/ascii/Ascii.cc | 2 +- src/threading/BasicThread.cc | 2 +- src/util.cc | 27 ++++++++++++++++--- src/util.h | 6 +++++ 13 files changed, 63 insertions(+), 18 deletions(-) diff --git a/CHANGES b/CHANGES index 3e2b575dd6..71be3f743b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,22 @@ +2.5-306 | 2017-09-18 14:43:42 -0700 + + * Make strerror_r portable, supporting XSI/gnu versions. (Thomas Petersen) + + * Prevent crash when calling bro -U. (Thomas Petersen) + + * Remove annoying error message from connsize bifs. (Johanna Amann) + + * Add test to verify that log rotation works with gzipped logs (Daniel Thayer) + + * Fix ascii writer to not discard a ".gz" file extension. (Daniel Thayer) + + When Bro writes a compressed log, it uses a file extension of ".gz". + However, upon log rotation the ascii writer script function + "default_rotation_postprocessor_func" was discarding the ".gz" + file extension. Fixed so that the correct file extension is + preserved after rotation. (Daniel Thayer) + 2.5-297 | 2017-09-11 09:26:33 -0700 * Fix small OCSP parser bug; serial numbers were not passed to events diff --git a/VERSION b/VERSION index a5ed34e608..e018451797 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-297 +2.5-306 diff --git a/src/File.cc b/src/File.cc index 7c4a21d5e8..e0e0d63332 100644 --- a/src/File.cc +++ b/src/File.cc 
@@ -302,7 +302,7 @@ FILE* BroFile::BringIntoCache() if ( ! f ) { - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("can't open %s: %s", name, buf); f = fopen("/dev/null", "w"); @@ -313,7 +313,7 @@ FILE* BroFile::BringIntoCache() return f; } - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("can't open /dev/null: %s", buf); return 0; } @@ -323,7 +323,7 @@ FILE* BroFile::BringIntoCache() if ( fseek(f, position, SEEK_SET) < 0 ) { - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("reopen seek failed: %s", buf); } @@ -413,7 +413,7 @@ void BroFile::Suspend() if ( (position = ftell(f)) < 0 ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("ftell failed: %s", buf); position = 0; } diff --git a/src/Flare.cc b/src/Flare.cc index 5df6d663aa..87dc946955 100644 --- a/src/Flare.cc +++ b/src/Flare.cc @@ -16,7 +16,7 @@ Flare::Flare() static void bad_pipe_op(const char* which) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->FatalErrorWithCore("unexpected pipe %s failure: %s", which, buf); } diff --git a/src/Pipe.cc b/src/Pipe.cc index 3f60409fdb..3775ca705d 100644 --- a/src/Pipe.cc +++ b/src/Pipe.cc @@ -12,7 +12,7 @@ using namespace bro; static void pipe_fail(int eno) { char tmp[256]; - strerror_r(eno, tmp, sizeof(tmp)); + bro_strerror_r(eno, tmp, sizeof(tmp)); reporter->FatalError("Pipe failure: %s", tmp); } diff --git a/src/PolicyFile.cc b/src/PolicyFile.cc index bd41c15e9d..22f09e6970 100644 --- a/src/PolicyFile.cc +++ b/src/PolicyFile.cc 
@@ -84,7 +84,7 @@ bool LoadPolicyFileText(const char* policy_filename) if ( fstat(fileno(f), &st) != 0 ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("fstat failed on %s: %s", policy_filename, buf); fclose(f); return false; diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc index 7c359623f3..c3175ec9f5 100644 --- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc +++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc @@ -229,7 +229,7 @@ int TCP_Endpoint::DataSent(double t, uint64 seq, int len, int caplen, if ( fwrite(data, 1, len, f) < unsigned(len) ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("TCP contents write failed: %s", buf); if ( contents_file_write_failure ) diff --git a/src/file_analysis/analyzer/extract/Extract.cc b/src/file_analysis/analyzer/extract/Extract.cc index c758414a6e..f936a5156b 100644 --- a/src/file_analysis/analyzer/extract/Extract.cc +++ b/src/file_analysis/analyzer/extract/Extract.cc @@ -20,7 +20,7 @@ Extract::Extract(RecordVal* args, File* file, const string& arg_filename, { fd = 0; char buf[128]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("cannot open %s: %s", filename.c_str(), buf); } } diff --git a/src/input/readers/raw/Raw.cc b/src/input/readers/raw/Raw.cc index ae1f0939a8..27d8b0c685 100644 --- a/src/input/readers/raw/Raw.cc +++ b/src/input/readers/raw/Raw.cc @@ -90,7 +90,7 @@ bool Raw::SetFDFlags(int fd, int cmd, int flags) return true; char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); Error(Fmt("failed to set fd flags: %s", buf)); return false; } @@ -197,7 +197,7 @@ bool Raw::Execute() else { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); Warning(Fmt("Could not set child process group: %s", buf)); } } 
@@ -293,7 +293,7 @@ bool Raw::OpenInput() if ( fseek(file.get(), pos, whence) < 0 ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); Error(Fmt("Seek failed in init: %s", buf)); } } diff --git a/src/logging/writers/ascii/Ascii.cc b/src/logging/writers/ascii/Ascii.cc index dec1689df4..baaba22665 100644 --- a/src/logging/writers/ascii/Ascii.cc +++ b/src/logging/writers/ascii/Ascii.cc @@ -414,7 +414,7 @@ bool Ascii::DoRotate(const char* rotated_path, double open, double close, bool t if ( rename(fname.c_str(), nname.c_str()) != 0 ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); Error(Fmt("failed to rename %s to %s: %s", fname.c_str(), nname.c_str(), buf)); FinishedRotation(); diff --git a/src/threading/BasicThread.cc b/src/threading/BasicThread.cc index d63b307470..3b6f5d6532 100644 --- a/src/threading/BasicThread.cc +++ b/src/threading/BasicThread.cc @@ -98,7 +98,7 @@ const char* BasicThread::Strerror(int err) if ( ! strerr_buffer ) strerr_buffer = new char[256]; - strerror_r(err, strerr_buffer, 256); + bro_strerror_r(err, strerr_buffer, 256); return strerr_buffer; } diff --git a/src/util.cc b/src/util.cc index a035da1739..a2f0cb8c94 100644 --- a/src/util.cc +++ b/src/util.cc @@ -1012,7 +1012,7 @@ FILE* open_file(const string& path, const string& mode) if ( ! rval ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("Failed to open file %s: %s", filename, buf); } @@ -1396,7 +1396,7 @@ void _set_processing_status(const char* status) if ( fd < 0 ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); if ( reporter ) reporter->Error("Failed to open process status file '%s': %s", proc_status_file, buf); 
@@ -1616,7 +1616,7 @@ void safe_close(int fd) if ( close(fd) < 0 && errno != EINTR ) { char buf[128]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); fprintf(stderr, "safe_close error %d: %s\n", errno, buf); abort(); } @@ -1749,3 +1749,24 @@ std::string canonify_name(const std::string& name) return nname; } + +static void strerror_r_helper(char* result, char* buf, size_t buflen) + { + // Seems the GNU flavor of strerror_r may return a pointer to a static + // string. So try to copy as much as possible into desired buffer. + auto len = strlen(result); + strncpy(buf, result, buflen); + + if ( len >= buflen ) + buf[buflen - 1] = 0; + } + +static void strerror_r_helper(int result, char* buf, size_t buflen) + { /* XSI flavor of strerror_r, no-op. */ } + +void bro_strerror_r(int bro_errno, char* buf, size_t buflen) + { + auto res = strerror_r(bro_errno, buf, buflen); + // GNU vs. XSI flavors make it harder to use strerror_r. + strerror_r_helper(res, buf, buflen); + } diff --git a/src/util.h b/src/util.h index a2c1b78db3..30ef8a61da 100644 --- a/src/util.h +++ b/src/util.h @@ -516,4 +516,10 @@ struct CompareString */ std::string canonify_name(const std::string& name); +/** + * Reentrant version of strerror(). Takes care of the difference between the + * XSI-compliant and the GNU-specific version of strerror_r(). + */ +void bro_strerror_r(int bro_errno, char* buf, size_t buflen); + #endif From 5243a054efc192300fe70be8888bc5d491cbb766 Mon Sep 17 00:00:00 2001 
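Review bot: In the `char*` overload of `strerror_r_helper` (util.cc hunk `@@ -1749,3 +1749,24 @@`), `result` can be `buf` itself, because GNU `strerror_r` returns either a static string or the caller's buffer, and `strncpy(buf, result, buflen)` on overlapping objects is undefined. An early `if ( result == buf ) return;` avoids the self-copy. `buf[buflen - 1] = 0` also indexes out of bounds when `buflen` is 0; every caller visible in this patch passes a fixed non-zero size, but `if ( buflen == 0 ) return;` at the top of `bro_strerror_r` makes that a checked precondition. The `int` overload ignores a non-zero return from the XSI variant, so `buf` may be left unset before callers pass it to `%s`; writing a short fallback message in that case would close the gap.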
From: Johanna Amann Date: Tue, 19 Sep 2017 09:23:09 -0700 Subject: [PATCH 216/631] Fix segmentation fault on eval condition with no return value. Signatures using an eval-condition that had no return value caused a segmentation fault. This fix just returns false in this case, as it is done for an interpreter error. --- src/RuleCondition.cc | 9 +++++++-- .../.stderr | 3 +++ .../.stdout | 3 +++ .../eval-condition-no-return-value.bro | 20 +++++++++++++++++++ 4 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 testing/btest/Baseline/signatures.eval-condition-no-return-value/.stderr create mode 100644 testing/btest/Baseline/signatures.eval-condition-no-return-value/.stdout create mode 100644 testing/btest/signatures/eval-condition-no-return-value.bro diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc index 9df70f118b..bdf31b50bc 100644 --- a/src/RuleCondition.cc +++ b/src/RuleCondition.cc @@ -175,8 +175,13 @@ bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state, try { Val* val = id->ID_Val()->AsFunc()->Call(&args); - result = val->AsBool(); - Unref(val); + if ( val ) + { + result = val->AsBool(); + Unref(val); + } + else + result = false; } catch ( InterpreterException& e ) diff --git a/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stderr b/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stderr new file mode 100644 index 0000000000..a5c39c9247 --- /dev/null +++ b/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stderr @@ -0,0 +1,3 @@ +1329843162.083353 warning: non-void function returns without a value: mark_conn +1329843164.920456 warning: non-void function returns without a value: mark_conn +1329843200.079930 warning: non-void function returns without a value: mark_conn 
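Review bot: The new `else` branch in `RuleConditionEval::DoMatch` makes a signature whose eval function returns no value silently never match, and nothing at this site says why. A comment such as `// Call() yields null when the script function returns without a value; treat that as no match.` would document the choice. The only runtime signal appears to be the interpreter warning in the test's `.stderr` baseline, which names the function but not the signature. If `rule` exposes its id, naming it in a one-off warning here would make a detection rule that can no longer fire much easier to spot. The function body starts and ends outside the hunk.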
diff --git a/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stdout b/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stdout new file mode 100644 index 0000000000..9f4b814adb --- /dev/null +++ b/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stdout @@ -0,0 +1,3 @@ +Called +Called +Called diff --git a/testing/btest/signatures/eval-condition-no-return-value.bro b/testing/btest/signatures/eval-condition-no-return-value.bro new file mode 100644 index 0000000000..b1a4f5781f --- /dev/null +++ b/testing/btest/signatures/eval-condition-no-return-value.bro @@ -0,0 +1,20 @@ +# @TEST-EXEC: bro -r $TRACES/ftp/ipv4.trace %INPUT +# @TEST-EXEC: btest-diff .stdout +# @TEST-EXEC: btest-diff .stderr + +@load-sigs blah.sig + +@TEST-START-FILE blah.sig +signature blah + { + ip-proto == tcp + src-port == 21 + payload /.*/ + eval mark_conn + } +@TEST-END-FILE + +function mark_conn(state: signature_state, data: string): bool + { + print "Called"; + } From ed678dd72c25a15e050660f0304ca361e5704c13 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 19 Sep 2017 09:38:08 -0700 Subject: [PATCH 217/631] Add -B scripts flag to allow debug output of script load order. This patch adds a "scripts" option to -B, when Bro is enabled with --enable-debug. This option will output information about the scripts that are loaded to debug.log, showing their exact load order. --- src/DebugLogger.cc | 3 ++- src/DebugLogger.h | 1 + src/scan.l | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc index 6a095a15db..07590590df 100644 --- a/src/DebugLogger.cc +++ b/src/DebugLogger.cc 
@@ -19,7 +19,8 @@ DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = { { "logging", 0, false }, {"input", 0, false }, { "threading", 0, false }, { "file_analysis", 0, false }, { "plugins", 0, false }, { "broxygen", 0, false }, - { "pktio", 0, false }, { "broker", 0, false } + { "pktio", 0, false }, { "broker", 0, false }, + { "scripts", 0, false} }; DebugLogger::DebugLogger() diff --git a/src/DebugLogger.h b/src/DebugLogger.h index 3ec3979e7f..1eb8e30417 100644 --- a/src/DebugLogger.h +++ b/src/DebugLogger.h @@ -33,6 +33,7 @@ enum DebugStream { DBG_BROXYGEN, // Broxygen DBG_PKTIO, // Packet sources and dumpers. DBG_BROKER, // Broker communication + DBG_SCRIPTS, // Script initialization NUM_DBGS // Has to be last }; diff --git a/src/scan.l b/src/scan.l index 4fd2aac1c3..215b5d7c30 100644 --- a/src/scan.l +++ b/src/scan.l @@ -636,6 +636,8 @@ static int load_files(const char* orig_file) broxygen_mgr->Script(file_path); + DBG_LOG(DBG_SCRIPTS, "Loading %s", file_path.c_str()); + // "orig_file", could be an alias for yytext, which is ephemeral // and will be zapped after the yy_switch_to_buffer() below. yy_switch_to_buffer(yy_create_buffer(f, YY_BUF_SIZE)); From 4ec7d66468be4b8756fba8458f451a857b03d5f1 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 20 Sep 2017 10:51:09 -0500 Subject: [PATCH 218/631] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 1ab5ed3d3b..e3fbf9145d 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 1ab5ed3d3b0f2a3ff231de77816a697d55abccb8 +Subproject commit e3fbf9145d9f4c8d23d369377a5b2a46450f4bed From 8403fd9f942a45355dc3f1c56abe6717fb605411 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 20 Sep 2017 11:04:04 -0500 Subject: [PATCH 219/631] Updating CHANGES and VERSION. --- CHANGES | 5 +++++ VERSION | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 71be3f743b..9075752ca7 100644 
--- a/CHANGES +++ b/CHANGES @@ -1,4 +1,9 @@ +2.5-307 | 2017-09-20 10:51:09 -0500 + + * BIT-1846: Updating broctl submodule to include fix for symlinking + issue (Jon Siwek) + 2.5-306 | 2017-09-18 14:43:42 -0700 * Make strerror_r portable, supporting XSI/gnu versions. (Thomas Petersen) diff --git a/VERSION b/VERSION index e018451797..0c08066503 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-306 +2.5-307 From 6b864d5dd24830672e2cdb030ab64e78f5f36d38 Mon Sep 17 00:00:00 2001 From: Justin Azoff Date: Thu, 21 Sep 2017 10:50:26 -0400 Subject: [PATCH 220/631] problem: gridftp threshold is being applied to all connections The bytes_threshold_crossed event in the gridftp analyzer is not first checking to see if the connection passed the initial criteria. This causes the script to add the gridftp-data service to any connection that crosses a threshold that is the same as or greater than the gridftp size_threshold. --- scripts/base/protocols/ftp/gridftp.bro | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/base/protocols/ftp/gridftp.bro b/scripts/base/protocols/ftp/gridftp.bro index 68be66d53a..5090eebb3d 100644 --- a/scripts/base/protocols/ftp/gridftp.bro +++ b/scripts/base/protocols/ftp/gridftp.bro @@ -74,6 +74,8 @@ event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is { if ( threshold < size_threshold || "gridftp-data" in c$service || c$duration > max_time ) return; + if ( ! data_channel_initial_criteria(c) ) + return; add c$service["gridftp-data"]; event GridFTP::data_channel_detected(c); From 411144bcf5fff8763d21ad48c44205d002262957 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 21 Sep 2017 10:11:54 -0700 Subject: [PATCH 221/631] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index e3fbf9145d..e960be2c19 160000 --- a/aux/broctl +++ b/aux/broctl 
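Review bot: The added `if ( ! data_channel_initial_criteria(c) ) return;` in the bytes_threshold_crossed handler of scripts/base/protocols/ftp/gridftp.bro carries no comment, and the handler alone does not show why it is needed. Per the commit message, the event also fires for connections this script never selected, so a line such as `# The event fires for every connection crossing a matching threshold; only tag those that met the initial criteria.` would keep the check from being removed as redundant. It could equally be folded into the preceding `if` as one more `||` term. The handler's closing lines are outside the hunk.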
@@ -1 +1 @@ -Subproject commit e3fbf9145d9f4c8d23d369377a5b2a46450f4bed +Subproject commit e960be2c192a02f1244ebca3ec31ca57d64e23dc From fa88646eec440d72c8f6b6924152f91f59fc2555 Mon Sep 17 00:00:00 2001 From: Justin Azoff Date: Thu, 28 Sep 2017 09:34:38 -0400 Subject: [PATCH 222/631] problem: broctl can trigger intel reporter error a broctl print triggers this error Reporter::ERROR no such index (Cluster::nodes[Intel::p$descr]) /usr/local/bro/share/bro/base/frameworks/intel/./cluster.bro, line 39 when broctl connects p$descr is empty. It should probably be set to 'control' somewhere inside broctl, but that would only fix broctl, not other clients. diff --git a/aux/bro-aux b/aux/bro-aux index 02f710a43..43f4b90bb 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 02f710a436dfe285bae0d48d7f7bc498783e11a8 +Subproject commit 43f4b90bbaf87dae1a1073e7bf13301e58866011 diff --git a/aux/broctl b/aux/broctl index e960be2c1..d3e6cdfba 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit e960be2c192a02f1244ebca3ec31ca57d64e23dc +Subproject commit d3e6cdfba496879bd55542c668ea959f524bd723 diff --git a/aux/btest b/aux/btest index 2810ccee2..e638fc65a 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 2810ccee25f6f20be5cd241155f12d02a79d592a +Subproject commit e638fc65aa12bd136594451b8c185a7a01ef3e9a diff --git a/scripts/base/frameworks/intel/cluster.bro b/scripts/base/frameworks/intel/cluster.bro index 820a5497a..e75bdd057 100644 --- a/scripts/base/frameworks/intel/cluster.bro +++ b/scripts/base/frameworks/intel/cluster.bro 
@@ -32,7 +32,7 @@ event remote_connection_handshake_done(p: event_peer) { # When a worker connects, send it the complete minimal data store. # It will be kept up to date after this by the cluster_new_item event. - if ( Cluster::nodes[p$descr]$node_type == Cluster::WORKER ) + if ( p$descr in Cluster::nodes && Cluster::nodes[p$descr]$node_type == Cluster::WORKER ) { send_id(p, "Intel::min_data_store"); } --- scripts/base/frameworks/intel/cluster.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/base/frameworks/intel/cluster.bro b/scripts/base/frameworks/intel/cluster.bro index 820a5497a2..e75bdd0573 100644 --- a/scripts/base/frameworks/intel/cluster.bro +++ b/scripts/base/frameworks/intel/cluster.bro @@ -32,7 +32,7 @@ event remote_connection_handshake_done(p: event_peer) { # When a worker connects, send it the complete minimal data store. # It will be kept up to date after this by the cluster_new_item event. - if ( Cluster::nodes[p$descr]$node_type == Cluster::WORKER ) + if ( p$descr in Cluster::nodes && Cluster::nodes[p$descr]$node_type == Cluster::WORKER ) { send_id(p, "Intel::min_data_store"); } From d7fbaad0247d3c49e54db574e59af8447d2f4082 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Thu, 5 Oct 2017 14:36:13 -0500 Subject: [PATCH 223/631] Add btest for new SSH curve25519 KEX --- .../ssh.log | 10 ++++++++++ .../btest/Traces/ssh/ssh_kex_curve25519.pcap | Bin 0 -> 12946 bytes .../base/protocols/ssh/curve25519_kex.test | 6 ++++++ 3 files changed, 16 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssh.curve25519_kex/ssh.log create mode 100644 testing/btest/Traces/ssh/ssh_kex_curve25519.pcap create mode 100644 testing/btest/scripts/base/protocols/ssh/curve25519_kex.test diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.curve25519_kex/ssh.log b/testing/btest/Baseline/scripts.base.protocols.ssh.curve25519_kex/ssh.log new file mode 100644 index 0000000000..4364419aff --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.protocols.ssh.curve25519_kex/ssh.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssh +#open 2017-10-05-19-34-53 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success auth_attempts direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key +#types time string addr port addr port count bool count enum string string string string string string string string +1505524964.630115 CHhAvVGS1DHFjwGM9 192.168.1.100 60906 192.168.1.32 22 2 T 2 - SSH-2.0-OpenSSH_7.4 SSH-2.0-OpenSSH_7.5 chacha20-poly1305@openssh.com hmac-sha2-512-etm@openssh.com none curve25519-sha256 ssh-ed25519 e4:b1:8e:ca:6e:0e:e5:3c:7e:a4:0e:70:34:9d:b2:b1 +#close 2017-10-05-19-34-53 
diff --git a/testing/btest/Traces/ssh/ssh_kex_curve25519.pcap b/testing/btest/Traces/ssh/ssh_kex_curve25519.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ed31228eec65639580593c4b55e3209a0e068f85 GIT binary patch literal 12946 zcmdsdcRZEv|Nm|8ooI+;q>wEmBYPw>QQ5~x*)k$38uln7GPC!lMaeEnRw|-ILMmkY zUe}THemlnd^XKpJI}aE4x$o;dU(eU`HLmNvkB-{nWLyLv`R9d?;D9$@ydE1&M3EpG z;24fJ%~&n|V?rVlZ#o-^5d{R1xm7HK$Pn`K*JR>YfWb08itJ2K$`*%6g}5s#i60OI z7oVUM2M><`2Zxx{!qD9gUc<*-MSmDaf~bP`aIE64+CZaA0s{cOd>A4_3&_s#QK{VP zFMtJ!Bw9xn!R%FZd|YBu1|tDshz=|fLEggv`8Ys@V*_uYg9#8hL<@_z1VFFzrKYB@ z^+k}seC;7JL^Quog6IP@I5r@vI2?qCip85EGE&p8JY0{cqod3tz{|&T(g9@$j*Ufm zg(yg&8N8H#h;NWYsOUE|gTII+Nga?x)0Z0g+#bJb29Op3a@a$}n`QqH-+-u6G=)a| zx+x+f@|mI?gD3$JHxd_KC0+o`Y^`|kGiZj37fT;apm;A@aW#xSE`YoQB<@v3g7gv~ z=z*;`!OMw4i1<8xQ$(P+oZfmw1R=OXwnIw)?QfIm$}|bn8^7&~DRIFZK66*6ODF+h zVSX_lXKPadVG-^PXJjtem^nLJ^V&OEaih#FtkDyB>};G}9N>JcQ-Vi@uulmK@N-+( zSX$bkc&t$uE?hLVu$g8%4tSJxTXoCCkm zw#Ly{`MFWb#1`o<&RWx&ylMBx!K7JW{kjzjebNh?jaDtPwDbJP{ z|9+YqPJ*)YK>sjrpsIf%pp7I=P)uO$5Lj6|gcGdHFJgZV&e-HM8qUld z1GjpJhBE_U`+tv6r|U&ia~=^P9+b;^AJONbJJ=Vj;Rn$90^QpBD#)fSukvrW@|VUs znb#<+JGst0_doAo@~*vuq5uEZvE6p|b|`L7&=1$?0#5+9x4#M|Y<$5^&-#!AIS;lR za9}S{IA@EdVW-Dy$6BI#(Tg5fqNW#CJ3Ux8j)5i01-xS;-7&(S@SRDl%iU5iZsZ+D z+$mt0WN31FjRCk5yL&S=6q!>i(SRz72GwAKc-1=Dh z<0dE-jDQWyT+3xlEUjQHA!0i~bOP+*z}^QS7E`I{eZZbgIWkg{xv^t7CIF6B0EC-x zANb93BclFrqq0}s5jmzwa)u-3QF|Hv^&{o`C~Lkh+$GZB1arU(GI(mbtxtc@KFx0Q zsgM!v6AQ*CYv5A?S|vwPWCrX$;J{W1ccf?*BI3$zipYq}c^F|3FF-`_ZiavUknm zOm@r)wdH=8e9|~lU!HV-X^Q-MZc@zg~ji znCxF3g10PXrS|(vuXujlGx3Y_&TbhdwKSa%l43+NRI=T3{tg9cV2;klkIC>fxgIV$ zvoe3V#>Uc2h|~@zV9KJ=KlDVIhQBC{f$EfCM0bgRZ=R{Z@vzI^)h}6mwiOXzy6gY0 zD6!XtD!v@-Oc9ojBNXAuFa6Y#RKh}&0-PR8RlgKkroEHh|7yS7fUytD7N(m|a!KMZ z`V74D5pDSFF02|%&?_B$NU}H2$NEC6Vmo(UmlE>Uhg{DMPqTQwGi*OHbSmZhTc=3f zeTB7Y98!1y_V0_Flz#0HK|F??`K%%XAjo6Aa`MxV{Fmvslr#>k8*{z7Wdp$ zx~O16`FU39=+%TKb{wYV^F8zvhD=-v?6H@jG0Jl zv#5+H%061VYwGmrLXdJ}(ip+61JG5#b0e>xzd6+m3`XM;i} 
zMGI)e#!V4HZzB?0kJ$b7=~L#{i2|hW!`Yge0H(d9;%QGviJk)RK ztyfObr+*7tfATMXHmE5iBnquxtHe@M7pOT1a%#CU45MZzP%{Z49+f6TZh+Xpu>sNj zcK}4JML(f{KCM0jDO^Pa@foaIkLZ?|_O$?K34c;}p1YuurQz{Qr>K^Nl)Q(+We1qq zEYFrKbcBj7T#@Gp`}D)Fv8XLP&T5Ppf66O-qRPHTGw95a~SrH8VYfwoSTlwsO+Gj%=IrUY0)|o|Mv5@T)kcA<_BsF zulSz+$kJh3agVq|(!D;YA(k_nw5yIM?Lfwk%JhjB-hLP6D4DB6cPS8ZDAt#qQ20g> z86@`Z%A-ilRt4qKX?4**+7TII@*l2OWj&Wo>F}@lMYY#4XSRNp-=sg%Uh|J<1?tD6 zC>cD;V_8TVG1+lKd^aUx`NnAtVF8`T-jRVh%P6n@kIC^$ik$kzk4yz@Dh{c?N&aT* zm7u%inJ&tCBT6pd28y;RWRfft3GOERVi?F$XD=kx3e_#q-Zop7(Afgx^{;HXMVX*f z^uU)9hk6A(X@h+c#3~JBOBdA%gL56GWd@PlO@T-7+^UT_qW)+E9hGm4XW*-DdnZ`s z(J~=c#3^}SS)UJD{|&5foh^Slp!MqA>tkE=0A!0e%$D+gOl;pl1`zSQ4jEDoG6jwe z*^-&c0TF5SHbn&4!U1m4{`Pq^VpaEDCj$ML?QPDEEP zXGWyLiQOudx*=aO_fF0j=RJ=h@s0z{PAm@wT{Xk0EmBA6qf$^btnJ;I`-p38K2RI| z=zV~nD#i0hE{!Rl^<%e+Y(gr@QA35;DDUfprV?cHbGO5-6(bpAm3K1B_bcA(@@76` zbby0fwPPH2z{XYl9xoBsCy#iq$3e;uk9(UxM&@N&rOyzbF}_|sgd5yp(A@uMfR}rx zc}i+bywdmC=+pa^_ur{}wq(Jmw(#cHifg$$#Vhrcr)N=DPw+kvt!4N#>D+a%4o{s@ ztBS1t1_4d5zEwx#8M?9}s=1AC>w z@hw`0QN&Bb%1ZGBr4mMvl^mo(n5@hIS^4g6?{1Z7HSKr!N$s_R1oSEyBW6JnlQfOQ z>DAJylPouw-X35lqj5&@KQNUhmmkaWJ7oUps#Z;O(lWPl*N5v-UGy0likv=oaQa4* z4!1qn{fnf)Fh2uddJh}@?lDIlBK0~=YAqThj91!oEHz#G-QWx>rIB|=pGVGY!9bbF z?oYG4-5+Ik*ZDQ7tA<7-JdTZbpj8=jeJFkD_b1`~CRuo2cezrGTyy$46JHwl05@tl z`ec49E1smgWYM#$4_S+RDwV7QC@ZK@KYwTiy-qZsPn1>JUAve-lCm=2MuNjF``ahu zu<>u{yVq#jI6_5pyp}xtd&>BFEcggNmk0Kj_#b@yYI4v(&iG)Jfa!>-uuF;so#~a9 z;Dp8x+Er6x#Hgg;xjVE2-0IJslJn8M&l`$5R!?N!w%gZ)^pXXJfa zMi^jp_8V+hwUZxUbn0o>*H{VIo!!0xs&=~cpZl&}P_-ElvDb6q#Y7Iyl;8+j^$vd;GwMCeNyK9BKdTvjR}-9e z>vRA4d=K$Jt;%$@v3l_V3vSI(!zQ24$6~$(+tD_Mg#?WxEEg6(l#%sGj4vvD|IPa? 
zv+5m^d}W16O^OD=P~D@K)1+Q>$I05rP793u;gd-l*}3EE!0TrkL{{p#f;5BYQfz(@ zbt+sh^vR5@SG!##T`cI$J6adU;+Akff4*!*nm{yXa3)P99M621XvFagt5D{d7UCLQ z5$&BtLw7sc&V8Rq_&$1*@Og9Pi@Czec7wC3h1R*w#x{rd`k!k5<*sR@CiC6KC6lU2 zp5)T}zJNHzspR*Ri41t3gU6TYR4jzJQzz7BUK=*wF16K^FQAcOLqu5T_VemoC8*dFD1TZO-FcOfwv4SgBAv;4*O1mCT|?!l$&XowYSTSUEymerj(X}t zU9y1}TkFEl4ZZNM-Ka~zPN2(T;UA1H{XmyIh$t3GhFk)gz=7Sh5bG0O5YYy!YeA&} zBIsKB$r!}15YbRWqU_oHn-&Q#7W^UBW($h=tobiT#$1EE<-B=hBFRT}C)yS}g62B+ zwy9BvsT9ZmA!mgwP|@4%;EHk3(Rsc;IsxF@*s>m&UE1oH=v08{e07NF@g(&~t81Bk zn`_&`6T5qVmQ~M6tKvA70_C|!NpykFQ}!L$ugNVQ(UZ4k%1df3RIH}rdTg(Kxf^np>fW3AR^&rrWq*WdgiN`yI+z)K-TtgW<7kNN3M%dW=v(WK2s zdTCe>ztvNqE2eumB+fr))I4&1JdWOq^4LQ>L#`4^S3j|boB|J3P6@sf41KIocK1$u zp~k6+-ZkNg?`dxkaZhk(=ygi%OEZ{)ZM4ThH z|G4f2ii+$chvSlTSN1;(YCMv*(w3HTht>pBJ^knWV_J3 zzIrN7gL=$|T`oTwQ#~V~9xEZD^0tT-==Ed;>ze?G7)S~b=klf2BMt$?m01M20@Q?K zgQ5<__-I8F*DD%Gx~8aV(ONzT4ugCcnYD4es;X;lM?gZOQcN-Se7Lyw^;jqWq`mm5 zx8XMbD{YDvfrW>n?3_JM3rbF2Ri0#(EAH;7OV`ngbF z#zw^g6=4U<$y@W!lZ3%Ya2O(nsNf;X01b`}{!JDWp#9s2<)7l3e@fsX`072i&=m_q zPm(=u`wgUiaX6NGo#nN6Xd4b{emu{7QuL57C66x8Dc6t+`^az|3jM^a3@+)#@!re_ z`F#_1l^-n3^^5R#>3=XEnuwx2oP3k2wxPqou^_fY#mvTk`P5=ZX-poEgN1TplaoeI zz)W@2yrO+vuVs?zx5hnQ=eR6;*rSfIa@@H{zEUt}CV7b!wg2qVch;RWITWu|n1e3K z-4fWVzQbmS%l3}t?9xXGZtgMP496@IjF1PO&%d@Kw z-j_%=IbAFF-_hTh*tpkMlc#Wqz* zjAjvs#lmcjg>>M07H4B5I#{b3rxsK`hvF_4=F%R1b3^|$)%!bYq-OYj={=!R%o?(k zsI1od1yW9-~vIHTU2*76RxRu?2Y;X)VQP~VuWtR0ul_R%Bq#K8b zDZe&BOaO?BS-cw&N7(U^OJJ7*2X@?Wtcyt?B3=rXVhL-Cb$r1n26kSa_i73qG!7o3 zJC@#BDyGyD#$+A;P36US$g(SKD2wV--!rDwxn0JC8s~=l7f$DJ4)}_@35XIl#`Db) z)>vqZ$L!8I<3`{>UTsr<=m)1ROUqJV;Qo|@ans~=&PNK#-{V@GRTmr3=}a$ebx_K! 
zH({HU`(Z$v?a1Y{IGK;Hq126BJankR8$b6o*NmQ2EFw9z&u!=`b$>|!y9J6|`!HQ* z*V&|IQa@u&t-8Je>BIGNCJJ4R6#T8!25eF9JXAsm8cMAychQ}?k9%sgFf=;dm-+m4 z?&-KxBQ2BW9a8i|b=RJ|aPHe3+m+Og`%P6YoG<$Mgy0B~hjCV`$VcY*%L=6>yVNBX z_TRk!W#wnwYqK7qf+#B2i>Mfe{=$=c9n-#5;=bfa+o57yAx*VUmAmDRz@E`>FjK}r z6t?Lvr0BfOS|5er_O&RKm93A0+u`r`WUK?!kE)O|mbPhsm~q7`8!3*{Ey8nuAF_|g z?>pgxy|m|W#y=i!j)d0zIPka2Q%Q85rf$rt;C7HzGZ_(>tZD=OrQ*L4U(-Xx;igRx zmjU8*#^2QgWE2LmMj9VU2RRDIhCGcaCPU|`1C~O|YYKII$0+m^qSiEMaO;NFpLk$- zTwd_=^CVe~jF|}UovP%Y$P$HWS|Tgh^q6o0nU?4Yj5 z=i~|Mx-&69JT>8z`@`X&+n+IhUT-B=3Ioy`t}-vR#dZ7Jf81m6AM|)s*NDE-%%*p7o2+H!e!FL9Abq^DV&C4;zF@!?EbHX zD#s0G>6pU4pU)A>)?TUOV{)l|nQ7}3blCgd$lxC>f_~?R5dw?NXN3=QMaPDJND31_ zwxBne_r}G#SRpN9*krJ0|Ad)qk9uELQLhm!_2n&V|RZT1^jypB^Qn);bLH;0K7>HhE2s z&TF_Y`PY;AP)tAGE3!Un;s@C}9o-A@Z&xQJbLZVPHY++%nXou$nE8@GAD0=wb?Q}l z`fqJZy#vgOQqcM|u)cNw?Y;%A_n+FBg`u$jPNjhz-s*F7Pw;J-&{K%WF0&otRU?Qf ze03AV5P-Ox_Iy3!SAdu`OpaKBT?HH)c5bI-A3{V|oJ|qIoua^*HALTF$dM>eT7xhl z?W~^S*y*vyP3(2lxYL7Yi6dj&v@fMUuriMDly8DodB@4OTdgV3aY?|6O9-eYFL*aI z`nTd4jKupa41I%7pJly@EBfSC;ww&gUUq)7A0fOe$ zR5G0wh)toTR+k9h&?QE-y);>J#rRtNr`S76yQQuM~qza?c5)kbRB37YuzwmXhm> zo^%Rc9H5{O_VGX8*6VSN`@pRwIjt4_n-a0Fx_(j};;WA;zs#Wt0?iy9){&)F0a zR4Rerdc-G`FBgRGe9!rGrtAX8Go0F-yx1O>VaBeQ^n0wkcbm0z9%%ant?B@)YdhKv z{lS4_540L~3(IPfRBl)od_FhQx8ABr#OIe$$9BvOW=Om@C8u*v_M19DG?6u{{E@wp zu}mZQQC#^qo1jPS<{u7P3nWs<1*){nn58kMu-__hfoyC6o2^y#M&Fr>wP3ONfM!EO zjYNN3&jupicl!r%L#7H9qgBO!4G{mGsa+sbKl)PR=%n9TMFcUz1(})!5tFw^q(SF? r>!ye_0P*HV#NmG-Zis Date: Wed, 11 Oct 2017 13:42:54 -0400 Subject: [PATCH 224/631] modified GSSAPI analyzer to parse NTLM and KRB tokens --- .../protocol/gssapi/gssapi-analyzer.pac | 76 +++++++++++++------ .../protocol/gssapi/gssapi-protocol.pac | 7 +- 2 files changed, 56 insertions(+), 27 deletions(-) diff --git a/src/analyzer/protocol/gssapi/gssapi-analyzer.pac b/src/analyzer/protocol/gssapi/gssapi-analyzer.pac index 4290c7bbef..e30756197d 100644 --- a/src/analyzer/protocol/gssapi/gssapi-analyzer.pac 
+++ b/src/analyzer/protocol/gssapi/gssapi-analyzer.pac 
@@ -28,31 +28,63 @@ refine connection GSSAPI_Conn += { function forward_blob(val: GSSAPI_NEG_TOKEN_MECH_TOKEN, is_orig: bool): bool %{ - if ( val->oid()->meta()->length() >= 7 && - memcmp("NTLMSSP", val->oid()->content().begin(), 7) == 0 ) - { - // ntlmssp - if ( ! ntlm ) - ntlm = analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn()); + if ( ${val.token}.length() >= 7 && + memcmp("NTLMSSP", ${val.token}.begin(), 7) == 0 ) + { + // ntlmssp + if ( ! ntlm ) + ntlm = analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn()); - if ( ntlm ) - ntlm->DeliverStream(${val.mech_token}.length(), ${val.mech_token}.begin(), is_orig); - } - else if ( val->oid()->meta()->length() == 9 && - (memcmp("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", val->oid()->content().begin(), val->oid()->meta()->length()) == 0 || - memcmp("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02", val->oid()->content().begin(), val->oid()->meta()->length()) == 0 ) ) - { - // krb5 && ms-krb5 - if ( ! krb5 ) - krb5 = analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn()); + if ( ntlm ) + ntlm->DeliverStream(${val.token}.length(), + ${val.token}.begin(), is_orig); + } - // 0x0100 is a special marker - if ( krb5 && memcmp("\x01\x00", ${val.mech_token}.begin(), 2) == 0 ) - { - krb5->DeliverPacket(${val.mech_token}.length()-2, ${val.mech_token}.begin()+2, is_orig, 0, 0, 0); - } - } + else if ( 0x60 == *(${val.token}.begin()) ) + { + // probably KRB + + const unsigned char *p = ${val.token}.begin(); + int len_to_send = ${val.token}.length(); + p++; + len_to_send--; + + int shift = 1; + if ( ((*p) & 0x80) > 0 ) + { + shift += (*p) & 0x7f; + } + + p += shift; // eating an ASN.1 meta + len_to_send -= shift; + + // should now be pointing at OID + if ( (*p) == 0x06 ) + { + p++; + len_to_send--; + len_to_send -= (*p) + 1; + p += (*p) + 1; // eating the OID. assuming short form on + // OID len + + // should now be pointing at the type of KRB + // 0x0100 or 0x0200 + // krb5 && ms-krb5 + if ( ! 
krb5 ) + krb5 = analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn()); + + if ( krb5 && ( + memcmp("\x01\x00", p, 2) == 0 || // KRB5 AP REQ + memcmp("\x02\x00", p, 2) == 0 ) // KRB5 AP REP + ) + { + krb5->DeliverPacket(len_to_send-2, + p+2, + is_orig, 0, 0, 0); + } + } + } return true; %} diff --git a/src/analyzer/protocol/gssapi/gssapi-protocol.pac b/src/analyzer/protocol/gssapi/gssapi-protocol.pac index 224ee1c886..8038e52b25 100644 --- a/src/analyzer/protocol/gssapi/gssapi-protocol.pac +++ b/src/analyzer/protocol/gssapi/gssapi-protocol.pac @@ -50,9 +50,6 @@ type GSSAPI_NEG_TOKEN_RESP_Arg = record { }; type GSSAPI_NEG_TOKEN_MECH_TOKEN(is_orig: bool) = record { - meta : ASN1EncodingMeta; - mech_token_meta : ASN1EncodingMeta; - oid : ASN1Encoding; - mech_token : bytestring &restofdata; + meta : ASN1EncodingMeta; + token : bytestring &length=meta.length; }; - From 3d2ec29d04a86c0f41c06e39de3286646345798f Mon Sep 17 00:00:00 2001 From: Justin Oursler Date: Wed, 11 Oct 2017 14:18:58 -0400 Subject: [PATCH 225/631] removed check on kerberos request or response type. allow the kerberos analyzer to handle what it can, gssapi shouldn't check this --- src/analyzer/protocol/gssapi/gssapi-analyzer.pac | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/analyzer/protocol/gssapi/gssapi-analyzer.pac b/src/analyzer/protocol/gssapi/gssapi-analyzer.pac index e30756197d..28516bd9a3 100644 --- a/src/analyzer/protocol/gssapi/gssapi-analyzer.pac +++ b/src/analyzer/protocol/gssapi/gssapi-analyzer.pac @@ -74,10 +74,8 @@ refine connection GSSAPI_Conn += { if ( ! krb5 ) krb5 = analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn()); - if ( krb5 && ( - memcmp("\x01\x00", p, 2) == 0 || // KRB5 AP REQ - memcmp("\x02\x00", p, 2) == 0 ) // KRB5 AP REP - ) + if ( krb5 ) // accepting all KRB types (REQ, REP, etc) + { krb5->DeliverPacket(len_to_send-2, p+2, From 70456d9f6bf7fe0019a008b43fe526632d72b5e3 Mon Sep 17 00:00:00 2001 
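Review bot: The new KRB branch of forward_blob in gssapi-analyzer.pac walks the token with raw pointer arithmetic and never compares its position against `${val.token}.length()`. The `0x60` test dereferences `begin()` even when the token is empty, the long-form length skip can advance up to 128 bytes, the OID skip up to 256 more, and `DeliverPacket(len_to_send-2, p+2, ...)` can then receive a negative length and a pointer past the buffer. The token is attacker-controlled wire data, so each step should check the remaining byte count and return when it is short. The follow-up hunk that drops the `\x01\x00`/`\x02\x00` comparison keeps the same unchecked `DeliverPacket` call and needs the same guard. A bounded version of the branch could look like this:

```cpp
	else if ( ${val.token}.length() > 0 &&
	          0x60 == *(${val.token}.begin()) )
		{
		// probably KRB
		const unsigned char* p = ${val.token}.begin();
		int remaining = ${val.token}.length();

		// Skip the 0x60 tag; the first length octet must be present.
		++p;
		--remaining;
		if ( remaining < 1 )
			return true;

		int shift = 1;
		if ( ((*p) & 0x80) > 0 )
			shift += (*p) & 0x7f;

		// Need the whole length field plus the OID tag and OID length octet.
		if ( remaining < shift + 2 )
			return true;

		p += shift; // eating an ASN.1 meta
		remaining -= shift;

		if ( (*p) == 0x06 )
			{
			// Short-form OID length assumed, as in the original code.
			int oid_len = p[1];

			// OID tag + length + content, then the 2-byte token id.
			if ( remaining < 2 + oid_len + 2 )
				return true;

			p += 2 + oid_len;
			remaining -= 2 + oid_len;

			// … unchanged: instantiate the KRB analyzer if needed …

			if ( krb5 )
				krb5->DeliverPacket(remaining - 2, p + 2, is_orig, 0, 0, 0);
			}
		}
```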
From: Robin Sommer Date: Mon, 16 Oct 2017 12:21:01 -0700 Subject: [PATCH 226/631] Updating submodule(s). [nomail] --- CHANGES | 4 ++++ VERSION | 2 +- aux/broctl | 2 +- aux/btest | 2 +- 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 2f517f5eda..378617437b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-327 | 2017-10-16 12:21:01 -0700 + + * Updating submodule(s). + 2.5-326 | 2017-10-05 14:34:20 -0700 * Update the SSH analyzer to support the "curve25519-sha256" KEX. diff --git a/VERSION b/VERSION index 4da989f1b2..8f5b04adbc 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-326 +2.5-327 diff --git a/aux/broctl b/aux/broctl index e960be2c19..5c1cb0d54d 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit e960be2c192a02f1244ebca3ec31ca57d64e23dc +Subproject commit 5c1cb0d54d7814a58f1c0cc03c5be99aac0daf23 diff --git a/aux/btest b/aux/btest index 2810ccee25..154dd9f9b2 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 2810ccee25f6f20be5cd241155f12d02a79d592a +Subproject commit 154dd9f9b2011341d2f76a3d3fee1c9a5ac4e393 From 6c0f101a62489b1c5927b4ed63b0e1d37db40282 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 16 Oct 2017 13:13:41 -0700 Subject: [PATCH 227/631] Patch OOB write in content-line analyzer. A combination of packets can trigger an out of bound write of '0' byte in the content-line analyzer. This bug was found by Frank Meier. Addresses BIT-1856. --- src/analyzer/protocol/tcp/ContentLine.cc | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/analyzer/protocol/tcp/ContentLine.cc b/src/analyzer/protocol/tcp/ContentLine.cc index f5dd7aaf07..a830cc8a7d 100644 --- a/src/analyzer/protocol/tcp/ContentLine.cc +++ b/src/analyzer/protocol/tcp/ContentLine.cc 
@@ -250,6 +250,16 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data) case '\n': if ( last_char == '\r' ) { + // Weird corner-case: + // this can happen if we see a \r at the end of a packet where crlf is + // set to CR_as_EOL | LF_as_EOL, with the packet causing crlf to be set to + // 0 and the next packet beginning with a \n. In this case we just swallow + // the character and re-set last_char. + if ( offset == 0 ) + { + last_char = c; + break; + } --offset; // remove '\r' EMIT_LINE } From 9b59157d1928e2a1678bc81669d16a1dce358bc6 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 16 Oct 2017 14:34:26 -0700 Subject: [PATCH 228/631] Updating CHANGES and VERSION. --- CHANGES | 8 ++++++++ VERSION | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 378617437b..f776f2817a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,12 @@ +2.5-328 | 2017-10-16 13:13:41 -0700 + + * Patch OOB write in content-line analyzer. + + A combination of packets can trigger an out of bound write of '0' byte + in the content-line analyzer. Addresses BIT-1856. + (Frank Meier/Johanna Amann) + 2.5-327 | 2017-10-16 12:21:01 -0700 * Updating submodule(s). diff --git a/VERSION b/VERSION index 8f5b04adbc..a0bdbec59b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-327 +2.5-328 From 924ed053c7149db3b89735a16626629d8d0fc893 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Thu, 19 Oct 2017 10:27:11 -0700 Subject: [PATCH 229/631] Fix OOB read in Sessions.cc IP packets that have a header length that is greater than the total length of the packet cause an integer overflow, which causes range-checks to fail, which causes OOB reads. Furthermore Bro does not currently check the version field of IP packets that are read from tunnels. I added this check - otherwise Bro reports bogus IP information in its error messages, just converting the data from the place where the IP information is supposed to be to IPs. This behavior brings us closer to what other software (e.g. Wireshark) displays in these cases. --- src/Sessions.cc | 36 +- src/Sessions.h | 8 +- .../protocol/ayiya/ayiya-analyzer.pac | 5 + .../protocol/gtpv1/gtpv1-analyzer.pac | 3 + src/analyzer/protocol/teredo/Teredo.cc | 2 +- .../Baseline/core.ip-broken-header/weird.log | 465 ++++++++++++++++++ testing/btest/Baseline/core.truncation/output | 50 +- .../core.tunnels.ip-in-ip-version/output | 20 + .../ipv4-internally-truncated-header.pcap | Bin 0 -> 74 bytes .../trunc/ipv4-truncated-broken-header.pcap | Bin 0 -> 74 bytes .../trunc/mpls-6in6-6in6-4in6-trunc.pcap | Bin 0 -> 168 bytes .../Traces/trunc/mpls-6in6-broken.pcap.xz | Bin 0 -> 19204 bytes ...mpls-6in6-6in6-4in6-invalid-version-4.pcap | Bin 0 -> 168 bytes .../mpls-6in6-6in6-invalid-version-6.pcap | Bin 0 -> 168 bytes testing/btest/core/ip-broken-header.bro | 7 + testing/btest/core/truncation.test | 15 + .../btest/core/tunnels/ip-in-ip-version.bro | 14 + 17 files changed, 606 insertions(+), 19 deletions(-) create mode 100644 testing/btest/Baseline/core.ip-broken-header/weird.log create mode 100644 testing/btest/Baseline/core.tunnels.ip-in-ip-version/output create mode 100644 testing/btest/Traces/trunc/ipv4-internally-truncated-header.pcap create mode 100644 testing/btest/Traces/trunc/ipv4-truncated-broken-header.pcap create mode 100644 testing/btest/Traces/trunc/mpls-6in6-6in6-4in6-trunc.pcap create mode
100644 testing/btest/Traces/trunc/mpls-6in6-broken.pcap.xz create mode 100644 testing/btest/Traces/tunnels/mpls-6in6-6in6-4in6-invalid-version-4.pcap create mode 100644 testing/btest/Traces/tunnels/mpls-6in6-6in6-invalid-version-6.pcap create mode 100644 testing/btest/core/ip-broken-header.bro create mode 100644 testing/btest/core/tunnels/ip-in-ip-version.bro diff --git a/src/Sessions.cc b/src/Sessions.cc index e0a47780dd..9e69a7b37a 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -337,11 +337,24 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr return; } + // for both of these it is safe to pass ip_hdr because the presence + // is guaranteed for the functions that pass data to us. + int ip_hdr_len = ip_hdr->HdrLen(); + if ( ip_hdr_len > len ) + { + Weird("invalid_IP_header_size", ip_hdr, encapsulation); + return; + } + if ( ip_hdr_len > caplen ) + { + Weird("internally_truncated_header", ip_hdr, encapsulation); + return; + } + // Ignore if packet matches packet filter. if ( packet_filter && packet_filter->Match(ip_hdr, len, caplen) ) return; - int ip_hdr_len = ip_hdr->HdrLen(); if ( ! ignore_checksums && ip4 && ones_complement_checksum((void*) ip4, ip_hdr_len, 0) != 0xffff ) { @@ -381,6 +394,12 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr caplen = len = ip_hdr->TotalLen(); ip_hdr_len = ip_hdr->HdrLen(); + + if ( ip_hdr_len > len ) + { + Weird("invalid_IP_header_size", ip_hdr, encapsulation); + return; + } } } 
@@ -618,9 +637,10 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr // Check for a valid inner packet first. IP_Hdr* inner = 0; int result = ParseIPPacket(caplen, data, proto, inner); - if ( result < 0 ) + if ( result == -2 ) + Weird("invalid_inner_IP_version", ip_hdr, encapsulation); + else if ( result < 0 ) Weird("truncated_inner_IP", ip_hdr, encapsulation); - else if ( result > 0 ) Weird("inner_IP_payload_length_mismatch", ip_hdr, encapsulation); @@ -819,7 +839,10 @@ int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto, if ( caplen < (int)sizeof(struct ip6_hdr) ) return -1; - inner = new IP_Hdr((const struct ip6_hdr*) pkt, false, caplen); + const struct ip6_hdr* ip6 = (const struct ip6_hdr*) pkt; + inner = new IP_Hdr(ip6, false, caplen); + if ( ( ip6->ip6_ctlun.ip6_un2_vfc & 0xF0 ) != 0x60 ) + return -2; } else if ( proto == IPPROTO_IPV4 ) @@ -827,7 +850,10 @@ int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto, if ( caplen < (int)sizeof(struct ip) ) return -1; - inner = new IP_Hdr((const struct ip*) pkt, false); + const struct ip* ip4 = (const struct ip*) pkt; + inner = new IP_Hdr(ip4, false); + if ( ip4->ip_v != 4 ) + return -2; } else diff --git a/src/Sessions.h b/src/Sessions.h index 305c9c145f..37fa81016e 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -151,8 +151,9 @@ public: /** * Returns a wrapper IP_Hdr object if \a pkt appears to be a valid IPv4 - * or IPv6 header based on whether it's long enough to contain such a header - * and also that the payload length field of that header matches the actual + * or IPv6 header based on whether it's long enough to contain such a header, + * if version given in the header matches the proto argument, and also checks + * that the payload length field of that header matches the actual * length of \a pkt given by \a caplen. * * @param caplen The length of \a pkt in bytes. 
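Review bot: On the new `-2` path in NetSessions::ParseIPPacket, both the IPv6 and IPv4 hunks allocate `inner` with `new IP_Hdr(...)` before the version check, so every caller must free it on `-2` as well. The Teredo caller visibly runs `delete inner` on its failure path, but the AYIYA and GTPv1 hunks only add a violation for `-2`, and whether they release `inner` lies outside those hunks, so that should be confirmed. The Sessions.h `@return` text now lists `-2` but, as far as the hunk shows, does not say that `inner` is allocated in that case; I would add `In the -2 case \a inner is non-null and must be deleted by the caller.` ParseIPPacket's body starts and ends outside these hunks.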
@@ -163,7 +164,8 @@ public: * if \a pkt looks like a valid IP packet or at least long enough * to hold an IP header. * @return 0 If the inner IP packet appeared valid, else -1 if \a caplen - * is greater than the supposed IP packet's payload length field or + * is greater than the supposed IP packet's payload length field, -2 + * if the version of the inner header does not match proto or * 1 if \a caplen is less than the supposed packet's payload length. * In the -1 case, \a inner may still be non-null if \a caplen was * long enough to be an IP header, and \a inner is always non-null diff --git a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac index 56fcc794bc..1d8cbe90b6 100644 --- a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac +++ b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac @@ -59,6 +59,11 @@ flow AYIYA_Flow if ( result == 0 ) connection()->bro_analyzer()->ProtocolConfirmation(); + else if ( result == -2 ) + connection()->bro_analyzer()->ProtocolViolation( + "AYIYA next header internal mismatch", (const char*)${pdu.packet}.data(), + ${pdu.packet}.length()); + else if ( result < 0 ) connection()->bro_analyzer()->ProtocolViolation( "Truncated AYIYA", (const char*) ${pdu.packet}.data(), diff --git a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac index 23281c1bb8..c0d9b6e32f 100644 --- a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac +++ b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac @@ -740,6 +740,9 @@ flow GTPv1_Flow(is_orig: bool) a->ProtocolConfirmation(); } + else if ( result == -2 ) + violate("Invalid IP version in wrapped packet", pdu); + else if ( result < 0 ) violate("Truncated GTPv1", pdu); diff --git a/src/analyzer/protocol/teredo/Teredo.cc b/src/analyzer/protocol/teredo/Teredo.cc index 6ad00a82dc..663e61749d 100644 --- a/src/analyzer/protocol/teredo/Teredo.cc +++ b/src/analyzer/protocol/teredo/Teredo.cc 
@@ -195,7 +195,7 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, else { delete inner; - ProtocolViolation("Truncated Teredo", (const char*) data, len); + ProtocolViolation("Truncated Teredo or invalid inner IP version", (const char*) data, len); return; } diff --git a/testing/btest/Baseline/core.ip-broken-header/weird.log b/testing/btest/Baseline/core.ip-broken-header/weird.log new file mode 100644 index 0000000000..a416f90e66 --- /dev/null +++ b/testing/btest/Baseline/core.ip-broken-header/weird.log 
@@ -0,0 +1,465 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2017-10-19-17-20-30 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:7265:6300::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - 255.255.0.0 0 255.255.255.223 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:9ff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:2304:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:28fd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:2a29:: 0 0:80:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fb2a:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffbf:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:fcff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff32:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:27ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:3afd:ffff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:c200:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:700:fe:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:21ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:ffff:ffff:4:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ff7f:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:ff3a 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:0:ff00:69:2980:0:69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:e374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:2705:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:63ce:80:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:0:4:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7df 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ff01:: 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:71fd:f7ff 0 
invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:2:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 126:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:fffe:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:69ff:ff00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:fef9:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff3a:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:6904:40 0 bf:ff3b:0:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:8000::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 38bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:80:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:5:1ff:f7ff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:ff:ff00:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:180:: 0 bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:0:ff00:69:2980:0:29 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929:600:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7463:2a72:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b000:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 255.255.0.0 0 255.255.255.237 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0:7265:6374:6929:ff:27:a800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:f9fe:ffbf:ffff:0:ff28:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - - - - - ip_hdr_len_zero - F bro +1500557631.000000 - 0.0.0.0 0 0.0.65.95 0 invalid_IP_header_size - F bro +1500557631.000000 - b100:7265:6374:7129:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b101:0:74:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7fd 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fb03:12ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 400:fffe:bfff::ecec:ecfc:ecec 0 ecec:ecec:ecec:ec00:ffff:ffff:fffd:ffff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:aa29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:2600:0:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro 
+1500557631.000000 - b100:7265:6374:6929:0:1000:6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 ff00:bf3b:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b800:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:f2:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:3a40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:91:8bd6:ff00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:5445:52ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:8b:0:ffff:ffff:f7fd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fff7:820 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:9d8b:d5d5:ffff:fffc:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b198:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929:0:100:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:0:100:0:480:ffbf 0 3bff:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:2:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:fff8:fffd:f7ff 0 invalid_inner_IP_version - F bro 
+1500557631.000000 - 9cc2:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:f8fe:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ff21:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6929::6904:ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:ffff:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7229:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b104:7265:6374:2a29::6904:ff 0 3bbf:ff03:40:0:ffff:ffff:f5fd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0.0.0.0 0 0.0.255.255 0 invalid_IP_header_size - F bro +1500557631.000000 - b100:7265:6374:6900:8000:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:4900:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:636f:6d29::5704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:723a:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929:100:0:6127:fb 0 
3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:0:ffff:6804:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:0 0 80bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6827:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:440:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40::80ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:908 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00::ffff:ff03:bffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6300:0:8000:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:8e00:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:9f74:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f701 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8004:ff 0 3b3f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:7d6d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:fbff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9529:0:fffd:f7ff 0 invalid_inner_IP_version - F 
bro +1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:3600:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bb7:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0.0.0.0 0 0.53.0.0 0 invalid_IP_header_size - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:39:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:ffff:fbfd:ffff:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929:0:8000:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7228:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff80::ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7fc 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 100:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7200:6300:4:ff27:65fe:bfff:ff 0 ffff:0:ffff:ff3a:f700:8000:20:8ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:47:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f706 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265::6904:2aff 0 c540:ff:ffbf:ffde:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8001:0 0 ::40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F bro +1500557631.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:f8:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:900:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7d8 0 invalid_inner_IP_version - F bro +1500557631.000000 - ffff:ff27:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:f7ff:fdff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:0:3a00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:0:ff40:ff00:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:63ce:29:69:7400:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:2a:2900:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:2100::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:100:: 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0.0.0.0 0 0.0.0.0 0 invalid_IP_header_size - F bro +1500557631.000000 - b100:7265:6374:6929:1:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 
b100:7265:6374:6929:0:69:4:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::ff:3bff 0 4bf:8080:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:0:4ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:63f4:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:3a:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:637b:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:340:80:ffef:ffff:fffd:f7fb 0 invalid_inner_IP_version - F bro +1500557632.000000 - b300:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:ae74:6929:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:1 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:ff:ffff:ffff:ffff 0 ffbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ff01:1:ffff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:0:4:0:80ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:0:40ff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ff7a:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:434f:4e54:454e:5453:5f44 0 4ebf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 
b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:fff7:ffff:fdff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:0:80::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:900 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3b01::ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:3a00:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::692a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffd8:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:40:8:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:bf 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:69a9::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:5265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::97fb:ff00 0 c440:108:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:8000 0 invalid_inner_IP_version - F bro +1500557632.000000 - 32.0.8.99 0 0.0.0.0 0 invalid_IP_header_size - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:6980:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::693b:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 0.0.0.0 0 0.255.255.255 0 invalid_IP_header_size - F bro +1500557632.000000 - b100:7265:6374:6929::6928:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:5049:415f:5544:5000:0:6904:5544 0 50bf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:0:1000:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:3c0:ffff::fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 fe:8d9a:948b:96d6:ff00:21:6904:ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8014:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6301::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:63ce:69:7421:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:69:d529:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff27:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - ffff:ffff:ffff:ffff::8004:ff 0 ffff:ffff:ffff:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 7200:65:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7263:692a:7429::6904:ff 0 3b:bf00:40ff:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6306:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffe:1ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 50ff:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6900:2900:0:6927:ff 0 
3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6305:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 101.99.116.105 0 41.0.255.0 0 invalid_IP_header_size - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 ::40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 0:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 2700:7265:6300:0:100:0:8004:ff00 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7200:400:65:6327:101:3ffe:ff 0 ffff:0:ffff:ff3a:2000:f8d4:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:ff:ff00:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:637c:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:e374:6929::6904:ff 0 3bbf:ff00:40:a:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:fd00:40:0:fffc:ffff:f720:fd3a 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:722a:2374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ef 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ff01:0 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:fff2:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:2704:40:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:ff 0 6800:f265:6374:6929:11:27:c00:68 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:725f:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:0 0 5000:ff:ffff:ffff:fdf7:ff3a:2000:800 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:8000:0 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:722a:6374:6929:400:4:0:ff69 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 7dbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8084:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:0:ffff:ffff:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29:100:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ff00:ffff:3a20:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ff7d:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a22:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b300:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40::ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:80:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version 
- F bro +1500557632.000000 - b100:7265:6300::8004:3a 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff00:0:8080 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2008:2b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:3b00:ff:0:6929:0:f7fd:ffff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:9:0:9704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:80fd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ffcc:c219:aa00:0:c9:640d:eb3c 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:a78b:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bff:4000:bf00:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:5265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7218:400:65:6327:fffe:bfff:ff 0 ffff:20:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 71.97.99.109 0 0.16.0.41 0 invalid_IP_header_size - F bro +1500557632.000000 - b100:7221:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 
3bbf:ff00:40:0:7fef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:d0d6:ffff:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:6:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ecff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffef:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:e929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:27ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 3a00:7265:6374:6929::8004:ff 0 c540:fe:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:40:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F bro +1500557632.000000 - 65:63b1:7274:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::2104:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6328:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - f100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6328:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7200:400:65:ffff:ffff:ffff:ffff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:fdff:ffff:f7ff 0 
invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:6500:6fd:188:4747:4747:61fd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 0.0.0.255 0 11.0.255.0 0 invalid_IP_header_size_in_tunnel - F bro +1500557632.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:7fff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:27ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff4e:5654:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374::80:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:3b 0 ff:ffbf:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:91:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:ff:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6301::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:ffff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:0:ff3b:bf:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:10ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6329:ffff:2a74:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:3b70:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 143.9.0.0 0 0.98.0.237 0 invalid_IP_header_size - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 fffb:0:ffff:ff3a:2000:82b:0:f7ff 
0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7200:6365::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e00:0:704c 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff02:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6909::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:feff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:2a60 0 3bbf:ff00:40:21:ffff:ffff:ffbd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:8040:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 2a72:6300:b165:7429:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:639a:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::ff00:480 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:0:8:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b000:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:21e6:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6301:0:29:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:ff:ff40:0:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::3b04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::8804:ff 0 3bbf:ff80:40:0:ffff:ffff:102:800 0 invalid_inner_IP_version - F 
bro +1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 33bf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3b9f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b13b:bfff:0:4000:ff:ffff:ffff:fdf7 0 ff3a:2000:800:1e04:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:0 0 ::80:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b165:6300:7274:6929::400:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff3b 0 0:bfff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::3b:bfff 0 ff04:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:74a9:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:2aff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:6374:65:69:7229:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6377:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b128:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:2700:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 
9c00:722a:6374:6929::6904:ff 0 3bbf:fd00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:722a:6374:6929::6968:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bff:bf00:40:0:ffff:ffff:fffd:e7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7261:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:7929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:df00::80ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7263:65ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:f8:0:ff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:692d::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::4:fd 0 c3bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:3b 0 bf:ffff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6900:ec00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 e21e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6928:ffff:fd00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff3b:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::ff00:bfff 0 
3b00:400:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:520:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ffff 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:28:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::80fb:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c2a:7200:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:693a::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff7f:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:6929:0:fffe:bfff:ff 0 ffff:ff68:0:4000:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ef 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:2700:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:27:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::2a:0 0 ::6a:ffff:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6900:a:400:2a29:3b2a 0 ffbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b1ff:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:6500:72:6369:2a29:3b00:690a:ff 0 
3bbf:fb00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:722a:6374:: 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:2aff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:9500:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7200:63:65::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:fc 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6900:0 0 80bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:63ce:69:2129:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:3a:ffef:ff:ffff:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:c1:800:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:9265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:dffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:1ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:724a:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:f6 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:0 0 ffff:ff:ffff:ff3a:2000:82b:0:f7ff 0 
invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6500:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:0:a:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6900::2900:0 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 68.80.95.104 0 109.115.117.0 0 invalid_IP_header_size - F bro +1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:692b::6904:ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6900:29:0:6914:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F bro +1500557633.000000 - 8:1e:400:ff00:0:3200:8004:ff 0 3bff:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:f7fd 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:8ba:0:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300::8004:ff 0 48bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7365:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:5600:800:2b00:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:4021:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 0:7265:6374:6929:ff:6:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro +1500557633.000000 - 
9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6909::6904:ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ff48:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:7400:2969:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:c5:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265::6904:2a3a 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:f9ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7261:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9fd6:ffff:2:800 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:7429:8000:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - ffff:ffff:ffff:ffff:: 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:400:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:6929::ff00:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:fffe:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:ffff::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 4f00:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:8000::6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:1:400:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F bro +1500557633.000000 - 0.255.255.0 0 0.0.0.0 0 invalid_IP_header_size - F bro +1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:342b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:400:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ffa8:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffdd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:1::69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:ffff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:722a:6374:6929:1001:900:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:40:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:722a:6374:6929::6904:eff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - ffdb:ffff:3b00::ff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:6929:ffff:ffff:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6300:669:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:6929::693b:bdff 0 
0:4000:ff:ffff:fdff:fff7:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 0.71.103.97 0 99.116.0.128 0 invalid_IP_header_size - F bro +1500557634.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:ff00:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:63ce:69:7429:0:690a:b1 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 6500:0:6fd:188:4747:4747:6163:7400 0 0:2c29:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:722a:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:6500:72:6369:2900:2a00:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:2a29::6904:ff 0 29bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:10:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:7265:6374:6929::612f:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ffc3:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:722a:6374:6929:1000:100:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:6929:ff:ffff:ff04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:0:ff00:69:2980:0:69 0 c4ff:bf00:ff00:3b:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:7265:6374:69d1::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +#close 2017-10-19-17-20-30 
diff --git a/testing/btest/Baseline/core.truncation/output b/testing/btest/Baseline/core.truncation/output
index 678a886c44..85acc259ff 100644
--- a/testing/btest/Baseline/core.truncation/output
+++ b/testing/btest/Baseline/core.truncation/output
@@ -3,48 +3,78 @@ #empty_field (empty) #unset_field - #path weird -#open 2015-08-31-21-35-27 +#open 2017-10-19-17-18-27 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1334160095.895421 - - - - - truncated_IP - F bro -#close 2015-08-31-21-35-27 +#close 2017-10-19-17-18-28 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2015-08-31-21-35-27 +#open 2017-10-19-17-18-29 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1334156241.519125 - - - - - truncated_IP - F bro -#close 2015-08-31-21-35-27 +#close 2017-10-19-17-18-30 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2015-08-31-21-35-28 +#open 2017-10-19-17-18-32 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1334094648.590126 - - - - - truncated_IP - F bro -#close 2015-08-31-21-35-28 +#close 2017-10-19-17-18-32 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2015-08-31-21-35-30 +#open 2017-10-19-17-18-36 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1338328954.078361 - - - - - internally_truncated_header - F bro -#close 2015-08-31-21-35-30 +#close 2017-10-19-17-18-36 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2015-08-31-21-35-30 +#open 2017-10-19-17-18-37 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 0.000000 - - - - - truncated_link_header - F bro -#close 2015-08-31-21-35-30 +#close 2017-10-19-17-18-38 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird 
+#open 2017-10-19-17-18-39 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F bro +#close 2017-10-19-17-18-40 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2017-10-19-17-18-41 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F bro +#close 2017-10-19-17-18-42 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2017-10-19-17-18-43 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1500557630.000000 - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F bro +#close 2017-10-19-17-18-44 diff --git a/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output b/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output new file mode 100644 index 0000000000..728d8e4793 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output 
@@ -0,0 +1,20 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2017-10-19-17-26-34 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1500557630.000000 - ff00:0:6929::6904:ff:3bbf 0 ffff:0:69:2900:0:69:400:ff3b 0 invalid_inner_IP_version_in_tunnel - F bro +#close 2017-10-19-17-26-35 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2017-10-19-17-26-36 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +#close 2017-10-19-17-26-37 diff --git a/testing/btest/Traces/trunc/ipv4-internally-truncated-header.pcap b/testing/btest/Traces/trunc/ipv4-internally-truncated-header.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b7ba9f11f824e0a49567d0740ed0c2139dd8c177 GIT binary patch literal 74 zcmca|c+)~A1{MYcU}0bca^w#^k1XEB!=MCYw*m1LmjAC#e5f!yc+CC~2ZKKYLs9M< T1_lSVJ#~x!8f-r>ZMQZ6v$Yoo literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/trunc/ipv4-truncated-broken-header.pcap b/testing/btest/Traces/trunc/ipv4-truncated-broken-header.pcap new file mode 100644 index 0000000000000000000000000000000000000000..8dba9bb46cbad15485a17bda21ade4dc74dfa323 GIT binary patch literal 74 zcmca|c+)~A1{MYcU}0bca^w#^k1XEB!=MCYgYXrW|F2Gbs4zTu%>EDugFgdAKtpB6;` literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/trunc/mpls-6in6-6in6-4in6-trunc.pcap b/testing/btest/Traces/trunc/mpls-6in6-6in6-4in6-trunc.pcap new file mode 100644 index 0000000000000000000000000000000000000000..afd07cbf6b117fd058020a123b56cd8a43954f67 GIT binary patch literal 168 zcmca|c+)~A1{MYcU}0bca_lx1M1sT`pjf=PB(WqF$YJ}-*x?QYiOFR^o{lENMusAg zI2dHIX#Ka||DS=ufkE*<2>kv2KTCmugF%jk0Vv9lsR>e+3FH7(p$YiIRT;4X760e| Q$HWLUI=O_4f#LoS0H^ROvH$=8 literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/trunc/mpls-6in6-broken.pcap.xz b/testing/btest/Traces/trunc/mpls-6in6-broken.pcap.xz new file mode 100644 index 0000000000000000000000000000000000000000..f45d0a9a17c38a6e7a0ce91427d28ec5f99b2702 GIT binary patch literal 19204 zcmV(pK=8l)H+ooF000E$*0e?f03iVu0001VFXf}-_C-pxq@(a3#^_z9b@AIy0K zO=&R-5)T}|&IMl{UrmYbp(L0l9|ZtyuA~47nCZ0a14v0u-<`ni585RTqSYkVm%4`s z%3;KJGH{MNT%Wi40{g!37;rT@{D1bUi8|tL*QcQ@^QYuBxsn~+*yCTX+#Y9f?A&#m zE_FUA){{NeQZP=HGL)ZLLbki zHjTnL)U2eg<55zv%tn?ot@=IFQp+0h^I&(CitdF&915~xU%Fe_l##ZPQ%$X+e3a(b z9gW09iYlBu29=uh>der%cwT9+8jC$3bW)eKPb8E3xiH;Xu~I`vN$R$1BP5|}h}hF-xUFq4p185vIeU^62I*H+M;;(fHP z60=bu;o!~K2QjX!Hs z?@)1zF-hOYd0&Felis?Ym%1api;wOn^_wQaIPtRJhUS;aSG{%n_M0>0UpPy~R!jca zL(lf~j$#&arKKu`oS6xqCjqBv?(R4oDc3}Evyk)U>~4BX*-B%w*|q4YQ@Qo)8wE*@ z&8NaCHs@6gD1;9I`sS*7$x8g~$N;e8JQ@ts1$a-lOeFt>#Lxc_iz6g}ubrPz(4t9n z*`Ssscd2zLdvmgZ+E@5#hy#5?HkK#i4_304LnE zQ1J*pG}IIU{c}6`4UpcCILmn^%j&cl=0bVv?sK=568#%5Tsfp=LDAvxeIhr=F+u3w zAf8Nx5%8-S=J{xO>>n8Fsq?Ft=RfQw)Cv)z1Gtag6njC_|9;5BV+0FwmZlZxb_@iC z)j;gSPbQlZ+&ZU5S3SFwxvdHa@aG*Nkfpz@M~(f&ax6OMeH#%B!ykz*Ieca{{9+}q zo{{)Jb9C4*Jc3e`lmT=*+YIq+2evem#$`S?ST72$ZyYSr&LKuf;M1UyuZV{4TYvCi zt?!-@%LyJ}bUkj{A!ZxfJIB2{T9YDo@YKhmYk$Pd3@!1#L#$^+Es>Ma7k7k^=21Z` zdbnquGLieb{^}H-GuWW5ef*dbzRRw`@0RhBZHxBoC6r{!_4E2HGuol=6& z35CC(f8q(}ylamPREWK@<9R{n5x8);MJ=ru)H3o9wno)DXnpFe@q*4ZaoJA!w{tM{nQ zv65ckrJ)3$^WJk0P!)SPu5D3b7C#_JQ1z_YpoKcFG+%1mwfKj+Rd93yc)mzzjYbauWP{ESvjD&dHIg69GKvHqPtMX&WTuj?s*66al~57VnB4 z1XP-oW$@p)YW$$#{v*n5bOlE&4 zTuooen}ud~6oi^}_K6#vw*}J%riWFinbr`Dwn}zZ4-Fo{jO^%p8p~&N_bXCHR2{k# zJHYJh7sl@cp1LR18ds$tlZ3%b(#V5d6>cd__}!&)U&ED~Q@E|Hwwax?%;WlSOqs8F zu-A;EK2nsWFqZGfzB5u~zuS9sUFag2cU(jHIa0x2*JnTd0ZhauEPiQPCb*})2T3jO zK5cO7u%Z%%!@+;=rwzC|;_N?z8Dv)K&R$x*V>)JQ51@tJ|APYq|GZ}TvQEOFLXCJH zZ%_><8QZked<@UC+0{w+jm;q+QaWavSeUqCs(d}Z&)+JSO{#P@1`q^z-$!CSc#=;4 zc|6|Sb~M{1LqpZZV?&?%+iXNXeBp=|0YYW{e zSu{sjKGdB~;s^4qNZSrO$&}&Wrh_#4(`m(5DfPwkFEgNQ_lE>ifVNg}ro3SY3_V`m 
zi<4YFhcByk2gmK5+lJDDE`T#naGo48U;5ra8(P)&{TQhkFu5X+g@1wX@m+e8A7gaK zBs}+unLdJiOdK8!yLsETjEFt|cW+n#>@85(w^KvY+1J+8B$&fHm$1CeMbfpFU6Z$O z58LO@c|sHWbx?Hp$@D~*%rI_(u(EK`sgJci1WyAcx0PrWmsH0^{}PMOW$W&x4nLUQcefWyskLI8~f zI(kugN(LIR$W}&dVOfyZ)*k}s5g^J7;d0WnVpg^u-_d+A>OHoxw`jfJ$Tp_!T(b!+ zG9gR@occ3Z$15J^$Zr*^rFh0Yc3Nh-N4m`O?2f#8MGS%UFu?c)t<@oeZ90?@UgrP; zV|8THfW|WOWD3z16wkhOVNin*j**%+OVRZ#lUNdR20eYxQoWQc_`4`R@Z0M+50y5b z%!5a69KetqT*mQ024di%5}JjMkyAL}%I~=0eI+vY16Io3@QYQu7W4Z@h~sB}BM!<; zQ0yuXVEmg7v%k6e=Xw3Be8v`I)Y{l_Ei5I1T1TQ%P*%n3{kq;Pzzf;-o3ZS#GNR;s z*gn3Ei%vMlN*aN5aa!>uqY%<1f~VDv?C4PoWmWOk7K*Rz7QCSt15PG_4Hnr{I9X6{ z%fCS2{7BSUXbM$0&%0^iD>MfAD#|jfUZbtpxbnh~ijOEuZ%hijG38L~Z5@us2(ljv+KC4op&5|v55V!6R(6bTJdWs_D*i18nC z5PVWz42u*>EX(MgKeflKjhTp=9I+c3bHgq@&298__>F+>Xr8(%XO`Do2rOJY`27FH zaTg!Bl?Oa$v$mXFgX1E2~s=D#UV zXyD0KC5QUftDF#?P{o!{=*3Jgud0rSESm=d}qcYs}KL?H^j`$vhkV-x>~f z{q>(Nof;5vINFnBm#L@Q??byA9s87RO3sUC^`Jbp<1UC@x<659sx8|9q)aUp9B|=u z8r9iCVVJeuH~5&0c9Y0)&{Y+`V-ELAFa1h52OpdG!R?WcD1>!o0NWlWk>s8Ll9=lH z(dW2+Hm9XsjXC4UMkbr50f7U+kxyOqG7uYUUY?(yW$uXP~SXY!0|J<`vvAD zdA(T7sxChd!^qV4#DMQ*vd2U{K z41p{vHy-h+lS#5{_$x}{(k$g1xoAPriC|=UsVo@MWdbm9e%OQOX@6DnJq6j?su zbe;i!s_xU%1+F6Mt2zTi{3(CG2{_%lyy1hnVA~ygU5uVQ*$PJtfV>}_`@RYVDUnrl z*~J_YHb~w!nE}jt`|+2T%)C?6Euh7CfTOBKe9{dAV&khsg}WkpTk3+Ak@s_~2Iz>X z;=Ly*o}qu8T?!l-!+NlaZvATFi4p3zIF&B9m8Io9cq50fGB~8q%6O#X^C2 zmTh(wh3^0WL`%DDUZt2x?MS&K4)z$8)dpp=zL-3&YFb0^!D>cO$n^yw(0c}e6xBj$ zR8-qgmu3^*47gM6iuUFoLtOoirSP!a9-%T@Zt|PUPXVbUH&X3nW%^o^$D1 zVGX6n|0xhW3x`q-6!xbNgUk_QHd#jy-p5cpeNS|m^ltn4PgjwzKy@l`7o&cxfjQ%; z$tA?kF_NEwdscWqYdio6K5j#6%+ZtK z^AisR0z&NW=(Cpr!8Y{;*8j-;d((#z8)02msjtDREMU`=+st-1FF5l_4jF?@n297^@E2hSoLl29{ zJ^85=xF0}o2Z=0s{Yg#Ai>s-dttrHW7z*Ho;H-AVKAsR7(~AeJ2Sgvh5djy9tY!eo z@glt2B$;_VHmtuyP8b#AeDlMbuM^=mj@@2mLP1feW=F2`1@7C4g@`{GISl(fCcVms zy1ybL+s?>bCd`drW^*>&{?Zl!i^qV(4};ef52NTDJn$q_LI@&cI~KnHioZ)iz7FyK zddgp@-TL?7BS2j()|8kcR!~T;*LLjJe67z$2w7F$Tuvt&J%p+_VPQooS04PKPXY|< zETJ~sQ?_tI>|rODjC0qrMNL{8Y}8nykd9Q1>eHAUn#RGEW#D{3%( 
zT$cr|)Y;#c3a%AxcPUR?$!(O9a3rV|Z8-GZ(epdvO3M6m{(&*CnGcK-LJ%&o{v$EG z`(Z6%pj7-QrDHNxOK17JJ<%xESEJ#%E>96sND~Um%uQm#${F&++{-hLAx7cK?HB07 zwpWGeO^?1Gb*~ZzbE{bjGcR^|LNs~T6gxTqNG!K!y4q!l@vkN?*3{(BW714M)0d~? zb~-N|p3`!P5lcvu#|?_T1f+gr9Shxvon;~lIAg4D?G-D7;?WbH^LntEMQnoVb5Zf8 z8@2Wlseiock;H;cbMh;Ix~HCO=6Zzi`lc>3v2IKgo-0c%i+K?C>9yE!Ie;onW$!u!Z7~GVYk*kSew|ZLtfBu~U zHH^;bBw&#&*zE+6mNp|IK!?F(_ACsIAA&EI$S|D(6x~{2NVx>#BHrEkh~8T!L=6rd{AFyY^fofS)*VTjkkaJu~AArnEYd$A{K92WW(W^O} zS7U-z8-QZji+d26AUlyxy_((t7a7^@)d<)-(;liRADAdFbs?W92@__-SLFI-8>N~8 zJ_$GC*vicbR}Q@S3?hZKfKMfx?P2fjgOCzdKfFu|mr)>sDI`nV(nbr{SD7%Rn!6Z; zq6F)+o>)(&ncj(kSYbX0VcA!JCO?`0+n`GevTzfso`+#oxKKQPu4QIQ^JdasB0)>H z9hdGm@K(Dta9@pouGMyd|C=pu;UkCdYOiPOsJ4Uw*2`kt1AatLH|%%G*rP!kDoD8U zE<8ykQ1MZW@1{fY+Kv5*!|fobDFXtHG!W&ooLT5`0eQxlomY^EDuwrGMhP8T4f`vv zI6T$e$;=n;5Y4LQ)}76r=528x>T z3o~Sp{1#8nExX99G5QPG5XKRapPffiziDa~Hfj`4a%T*6JEy$q_}L4;aMz9e`h)+* zfy8vw=pHzlj5h*;&GV&b4;X`*i}ubDnxxr@^4lPCjz%&69?|b)G`_~*c1!QTw)(Aw z97V+yBuZ&`e8zlJ(CuPG2dljjDduuLllSAcQ!~xEGy%b1c%S7I4T|QTJis9HlUc>M z4mfOQ7CeOgqXQzwVWCObG7DDt!DW?;HS>%Vk2Vr=Fr!RbE|(CGUpaOK5FI;q$&%?_ zx?df^zdso8N4LfhG>)o;6lmi9-TSP&_8B-&zIrQX)eu3);3Z?;`$4DqU1n)d1YjnL z=8nxj9U#lcpKg12T-*4U>A0|)xn=c}4%{9Jt%Y^BIyT5M+w>P?i-|QK<( z4ed=Z(>U&BLmmN>zJhu)L>t&jQ@wd|^5=!Ee2HxrpR+ z6B^Dmno+AtF<54^p_! zgVN0;_0W27)Rw0n8RbKQ<*Ldk*`7;4P9jaXtM;`$7`NddY8Xvs!cz2nyc%H#KP^8SOtpEaciclA7?(W26Uj? 
zgn;W}UTYJQ;$hELs{zyzbpL4!-!4}L^Yc_>#3UTtr-zrGKOvqBqb3NIL&Q|!oyLK@ ztq!1L5+?twy)v;WJahc*oIzMt4xydRiyw~b8=>jPf0C5=7(;FmowZ9m!YBvF8vct= z>J95OfDEcXRGO2~1-`k@iyYq}l*C=UKVxnKEBd}tqLwD4CGA+t1{`EzW*PfBYaUI{ z$zq3Vzmo$5DJ$`|k=d2APHWn|O8=z^`hlnql|vImRq1vVL|;HkA2y$I0ZFnskP3v$ zjLLityjuGq^I^)6VvqJ0`eBHQ`bXw@3-n$6bST_BVtMylhcK@+kWW@$_JgHjnir)e zuvo-%Of=I04kC*d^da9QJA3Zq+hhrroP@E)CspV4MjauQ<6nl=BQthLuD|Xa3R66L zQsjqXUPa*>&#~rT{zX0boxv65Z+GI?0L4E$>f+XR&bzFrOAL@CGoc> zeyFyisQcr=$q!jZ&IX(LLGfaCyGHO`N&~IyEuJ*e$P7+>}MF&jnBuI6d{(eq0QN zX&6OmP&w{-ir1HjjH|_xq;Ow`onE%OM0A^7++!4O1wXp>#7fi!EB?1fYK`Y3 z^04^DLRi<_)!*d0ntE`5ruzZsLZcdQpwkf#jFhfYet#9dcd-Z>KZI6FZ5(uoQDrZx zFYEN5<4wId5}Fo(6Dzl`Hhc(jBO{KVlJ6#{O_L*Mt)en}$?l6khJNzXD=T6u>p8+# z;T^fii=TXzV<-MPefzoe9g$Ars58iq3jlN&l-Z;--3FT+kVn_F1AxB0_)L6^{xs2=VwDOU??1Ff3 z9Nd^F@}_1dVl8&1I6L-@!5#@kQ9(*d_&^r+&QxVIna`6;%1cS;K{D$Z-I@}LKaRLz z&>_Oh;L?x8XAikxEuQOZpGN|@fVUcOPza-TA8)6*6Drt>5~&*R#L%%duwziUwiuKE zTS7+)?X+$AQ2u2m%#x=;sQsm*rf2`Y4mL%orss<^p&mhF0;igKxF({C^5`HjQTBsw z?Z+;nYltvp2OR>O#UeIcMA0fES__71jVuiFlFH#_}A?l zuvNTQ%(`CTrXeGba!$u2bp0!>yCx5yP`=rYaSRFYp11P!$vcRcP3ngL3hILdLw&%U>(3Ji$0+gI49k5}KDjC4^%cZCZ|Uavq-ArGrl< zsefeI_iIANO$c!6i#}g@r7n#ZbnbL3l~zsZ_inIUGUV7KR1G(1L`+9o3P(4k!bZ!{ zf+wc*%Gn1a5%pSHt2ui-HT8HxDumC(>VQa7XeS5DK^FsY{4Wh{aVN@&=6Qd1^fxwZ z*+RL`R-1c{g@?&C56Z+BY-=v_&g2+b>R2v86&U7P8J^x*n$V_O>wrk*uzzJ_^pvDe zY6&;2CbLCLeSwnGIb;Qt9yuqq2bY){vG2(Zw74B%BAtpA<#C2WHeO+*ciU6D!au2k zI;2;LuVOAxU|#499Gz{vWhSu-TqmVv^6y$Apro*BYpzItg%;rhv%>&ZaV6V?>NI z1_yPyRjpER0Mti`<$APtTy6y3XtUF&r~F&eT5r2 zmA7SRi0{0Qkv`i=VKUK1FUl6Mw3|Nl=XJ4AqAr-W31>~z6^c#K&GJcfhYg6hhLjnJ zoc}2dAJ!pwxtY9g@FaR^QGtAESX<xT6C;lT=o}N_mzFuk{W-G0l-0y2Qdrw};*A zRb)mBg8n$ByS+SWuo;@_1mX`18h_0=doFJNk#t6T1S;9a&S1UtAygfZVx+#T>Xh6J zAP%8v2zv}j_T`(oD?7tDbw{V#d?@fd?zm*CEkLm=s9CI1l9^;M6p|xC5OG$GTQu&R zhA55xr+E;j;jKkmlH&=?ILxpyYY9Q-Ka8y}myaNAv-Z?EliIUoQi~UJ@u(jB5l}C( zCaHNZnj`*5H+dZItGuZI$q}pH|AN`D@rsZ-0g=gYp^V6y=%mDyG1{oD)J`0Yy$#0O zMvlKcOmya~oZGD-zT`XAK0&gah+QKM|;C$LE)1&bwl>V_V`d%Ts&&M+0n6gJXTI 
z{ekkjva`M1?eUB%xlLZU+gd_X;sh3UaUA!$na>?9#a=$AE*#P3z~OHygD0RgI%H~$uM zaUV>N-_H|dKFgFP{;ZbUnFGllMzo#pk?4p+}4_+e$jP zk}Ak{v#tP=>NKFt3vdjTV%V^E|6eBu7?lfa9T+yNwEanLR~Z7gk8UrvIi;(u2`rZf zH>Z#cj^M(#*vA4r5MBw8x(aoRC|vcLv`hue?>2|TGVFY@%r^PfHwGcsrBrMqJbkk2 z`^b61+&;dddvi73Z1-TTo>z{nB6KRNl>X5CImhZqqJ5-NcT2QC!yNtIALlWom4crj z;h_Ri-u`llhFCgd82DOLiptVEc|6^nwHR7b_eP5FXf7eG+LtJSpy>6G)Em2nOB4)PA93DDsfCeRBS>FzG9N1%V+fCU5 zIW?SHs(LK9?k1PklL~-6S(PFH7ucWlR$-Vkv;Z$o%hq?X+lX2IGwl3Icf`=p{HtNrgR=-m+IkABKX{Fg-5 znavHpcoF)6a9B9%*9kn7iPV$JxJ2eZh>&;Ihxq+qrBAgEPCPA5$1<)CD7Cmawv!~6GtY-J~g%9pcKKtO_v7B-yvl$f_?%nSp+KopiE9$+1#)Kbkj?xstL!+e}4@avIt81$h!x&BY*ZYV&S zseCzdJw7tWU}_e!a2Jj(qXt5C(@R8;EU<8hVo=WB%FmS7p2GJ9RF&2Hn0){GV6*ac zcd5qV4lPDJ);R+0L7S*<^|xNE?N2pa6ta+j}wQ zSY%pMRTeJO7)KCAD<|uzZJ%%2%{S|4JR$I0h-SYhhm1F6`h3Q$<99x~qKDnOa0$(x zc_o(*!TjsO__lZqHv>wgQ1Xz^1oll|Oqj$TD{m%KEq!`JhBM+wztq_+u$Ery0-@pM zI#(Fp?+Dh=>sO)R0+u*~c#&272ulIJVB*hyi%Zh~Ct{WI;59H*<=XA ztvqOUjZMIu5Ya?I$7cH5&MkSY!tE(yIlg$z_g^Y!=R(cc+Fgkv4kvtPj3Kq9kZcN8 zq{v1jrWl3yc&iF{x=gPj&|F?qrx|sk>G5oqzo$kr(zw^kth}WBZ>MH z0P1Q39&IwWk$zJw>8E+id2kZqR*|7q&bNpP2kTIfbi8A$ICNaep6SQ^Hp;7wQ=KBP;g| z*S6!qoGWE0$r<>!>dNvJ{dJ`qi5WSX6!j7yjXk%JWGnN#pa~=pfS%M7c|VRqm6o_! zqU;AcH$-D&5z$xxH{!lbfovfr=^Fg<4%C|LI+^MdOCMK+p`Vr*mKs<54dB?F|| z*bAGoT;)ltvJNCLS^1+!JJg8UHY&J|gwQylEX<3dAtC(zrS$~EO+`DA`28TGNdcYw zj&4oQ^=u#Lo~aogPnJx}v}45Q*67Z`QtQipL*5<&W#w=;PyK&QhP_+5C1K$SOy&j| z!(y<*9o`Xc!qGh7?OUsTM@{5)zv@|i^l=hsmGrk2TdKZX{$x(O$YGpZ6KJw(P}Br? 
zUFih#o0L6;r^j$*DE25XFY^B=EVO4TgL*TcOU%SGShq(ezAm;Y^#$BhIHC9XyExMZ zBH5-O)hJfwKp?R%S(BCg`fQg|p!adas2_HnNl~Q$$AbxTcSnhcTYEH8i`X!+KYP3` zus>oDWzt!EsYY8jDE^u5&_Z%%ompW*<%o?XeU`ewgr1H0*w9_a^Ycp1LtO0>EDU&a zul9F=$^azM1`fwrj+2iS`P3yN^sY&`1FFCKO8FbE5V9U}kdz6M?5)+h+99S4kFK|E+M$9z-$c|F z>A1*INF-Jn+g-xihPp$ypgcsPJe!k2QfxVCW{N4uv=GT~PY+1FMzWDHaJsgN3gEA^qvWnVTDsYkgc&Og%&Zzn1ig8WZ)h0q6=PBIJ!QP&6!)Hl( zjlmu4G0_8wEh^x(p>lHbQR4C%7&N@|dsOV9X>-_AwPBz9o(x*X>4?Wkv``YUOon}> zx&gY4eyrl0=g`wC;DdtO?|9=Diws-}Z@T$U^VsPOM~0`TTPimPETaIcv$Mdxf~ zKk5l|aPvLH@mVjOU_nLA*V?nh-iCmwe>-+mgl1^|)2T zkgLTN`5z`A)|t(Hj54*VoH25BUIKei;R_i_580nFWCXC*W0g5sPlNlt#}9cNOs`KD zG&K?vi>B(Q0VLU45jl2pl<%%4gCWb25|k zuRLim)39KXzU#alC91p}DDt{hUqAZoMUd~tdNtqQVZTHXDgYMnv}3{P9w@`BRB(-e z_ATqyzL2E_Yl)yiTZaY2v&-AI`?kH6Ik0K`CZtG*_XzG;p`JNDCR96lRPH!n zq7#?w!7#H>m{G=%V%!bzqf(6T%-Y^#VcLo?+D0>i%KhVOKG~z;qSq=# z%0TReqt>qGx^})IDZ?7%g*6e5c4S1;)Q!I1>xOe$VHu!kqz+zrYB-;y48z`uI6J{kGU{X^QC z`?EIb5^MTW(2P0FU&TS*MfMHO@J0!1;6F`bUH~~%h8$J4s5aaXsM1*K;6FMZV7gr~ zae4VUSQ0$In2(DVU0q{M=<^ZB!D%B}^5T<$XP0EP#Z%}dqLe+`!FR0MW@cwC&M6vw z(yqlT3BgG!=V4DKaFU&Uu&Z3WeOz2`^wL8wpb~MXUb~}fEX{OIdL6)M|LgID99@n5 z`nE5f&0uGaq}jMHaD)lqMXmE%KEf>u%rtFUwUQSe*3@Oc8X2)T<6mnpol zAMLBfGr&3jA31{3WpO5Alv zO#fut-6a!HS*o$64FqSJaH&i6>7>uLf4#oF53TmOLi=59nZH^rKh>S12J^>A1qQzl zW%*L)BO*7)q~42U(!NXUil1cAnGxD~&^9on*^FX+Q%#u(J!fp+xl$w@L5GHY=)J+28}7Oz2s!{2&$|Cx*jNP^;1_UW zWHUcQV{k;V@3Sn`4z_m)c+eWi)@49ewLJ=^{rXYgRsAb5*XclYh{(RoON>xjjsipr z+e}i&4G4x#h9@J~kMmd1e#%U_0GZ3V#zsB}G2F45GI3iuk#~z>LP97aA{_8_1FCDC zp$)g{i@d@X7u=tg_%&w{ypn5nx{-Alr+?{yYM@x33Y1R-odVZfe|znv=XS43P97`s zHcpGeL3>cvfeI`5Pkm^gAOvNR1F`}Q0|e%f;sMVxx8?yn9q|;|5XLgiS(HJdC7@84 zxps$lEfmz=@7$_m$N&zMnVRIQSBKO$LZlS|)wK%$T8lwzRspj-%XO~=D4|H_p7rfJ zWp6XHi7*BkaQNWSahbmed`v&9T^{);B=(5)qK)WNr?jj};0iRE;-vj5e}tmcxDPu< zb8roIpTX3&r9)hOmgGLdR5qlwCK9*~@e^@h9gZwBwQU{HFsH3d`c4uv-}UwV;pSRj zu@@f)1(<%PjhpYm+A;ud?1YOQ9>T@NNib-aZk9v)l?N|t7Is$h)3p;H(>?ZV=vK&> zL46~O_*l?gE|}zoW_20JFX?2c2?rk_7?;0n2~*~o`s!Ro!+RuhB|adIm~U_hC=1|@ 
z??78TjH?S&j}19qM_tER)4OK}zd^j(o=;5%7*_*RHQ-?B-MPaUt|sSIQA0_{cQvxb zxRcgzOyPpZ+8`+?j+`4|Ar}b0NFJfsX)*YcH}3l2HtB2#7*i8vE0kLyITA}qQATp$ z$ugt*9PnQm+V!Yj+wj#8+p@bRvTu0vrjK2W(=D`7e3qDR`mLU$y|sdY1okRM0E!ep zGzUdnc-kxF)EI(wjZREyRfY!p^rWyrz_FT^9Y%9rc)3f`F`1NXL9KcFaOE6!YU(y5 zik~y}9yW zPfkx!rpy$6U!B)Ln9S9ldsf9hSdTW@Emo~xPghan!x0g$8NpdLI#)EgOUk;d5w3>c zvmd||iBu?jzH)64+D9r}A_uo-snEaT(+-TrCXAi5&%-$&%oyP;pn)nmtFrsNuG^7#`v8{Js8r=}c47R6 zA4S@}1O{3vVM{c(!MLi;#Uw2^cuG`g6JGW@yo%qHnc|xhxdy3IhQ4dRArIgDgXoqfATuA#s3_|FQ5jLg(hhP;5 z{EvdCf;wpqhz=)uq`6MJCoSQX)EcrUCp(s_-$5^oy6Qd@DY9qFMjeS&-H8XArNaGe zXy4~`WC!}qN<_2Y_pkn1L5q=mfcJSLRW#V*^GL}yoF9>&;>L}!waA3UYec_nGR^}V zZSh2MHB&stUnFN{kX|J7lL|c}xBkO-Iq#2U4|pXSv2~=lQQDGh(k-}qg?80QyGoER zdXp3b)h;MZiUXPOnJLu8D~8-6=U$`+gK^JK6-IsbMv1?$F%10e zC_IzmC$bTF+Lvz?t*#>~sB2Maf2SV6bgW-w%1=?LIy2Cd_;>pPCGYP{AHeF4vZ}dr z1NBDNa`h4kMTLgl>Y-ztyN_1&J5qXaP}Z9)1+ln4nr>EbG!_#E=G6j^4(H(qoO(32 z&zn+uP%Pglqp-1SlckjxSjai3gTL{_Q29Hdbt~KWZF&pitJ*OIn1k@#5;$W8hNnB8 zVqNLJO8ih_lFt8@dy4ext=_2A*H0~wmu+zDcs!ERWSOc846G9pFw+}V*c0!kL>{YG zGR|A91R8QTH^Je1Mei(`%OdM&qdgk(B2VUF2dW!Aq(>L7IieNe8+tUj&PSF33K$wW zjb+9CU5oVx013RZZxec093F|Vs+aOpsNos+JC1`A!&zeJ<84#`uf`2xcE;IpNaI{! 
zO_)0;IW=~vw1M=3<`to#QRsT87>#==Scen8<9Z@e5kkmBX>SW0u z3+d4GVeW^rrc_P#_3xcFGf)x{z^(YGA1K?N7-(HthRak7$7LuhzXaD}5w>SpdU9cE z^=Gp-elF)zj!*O@p|xC+izO=E1}=uV4R^55{yA7t!fDyR2p4tG2lAQ#ed7loZ%Zl$ z`07qVCO!wZaA|7XXHqYAm*cUjizPS)AGY)?T)VJ zFRo23VI6e}F99SNu%|+I*R;V_6(KL!#EnJZ80>4N}JFx3n*Q}-TNLIABZ{ssx@`ti{*OKG6;tz9R z8Qgx?A_^k_XowLr1}N~T^2CKs?btg4*G2q1J|C#mOwJFqp7BWkQ+P2`)wP^gVne=4 zGW(1}@R{Q8OoB<-bLPr449}ni8r5M~^b}F?DoR1N(U3RQDYgH}Q>%FEaAV+xPGSq3 zP|R&=_g1C7t`A%oJPPIP|L2b-SNI-{UdEcxAxkkVcS5BF3OhSR>gtWC%a6n=&IFgx zV>Yg`FWe6f8J8dP85k;#W~qr-ff;swA79**B-A_2?@S(Pk*87=@R@I@(6tuYAI2^2HMKmb)g!qg}j&J!*VZOu#oaC zlJxo^13Xjz*jZn{XbT4CCsG=*q;}3FYoHmSlV4m7s(!QV)9#zCF*{nq16MT}pN`Az zKGs53eG>Gqb0wavs(vJP8d`&YUW7z^U*h6?bS83#am<&;# zQ+Pnm{iMv=nW8JE7K@{k?EfCogUdwtNn{9pvz@;gR@0^1lK9bw4PauFwqV|kk}9)D zAu>rJ4b8+-EnO$?xbK$W&>rvpOu&CH89eh`gxmCaJ2czkE#8+WFN*c2FfjgC#U%ih z@}KJxwq30x?COX(`VosVXt7ll73}5K2=%`1GxvZs3X%}xiqIF58{{|R!2fVKwdOfo zKs%mhN+$kcQhAT33(dAoouH56fpONvldU@!;M39_(3t>eB@KW|ND=03`{QipolRgq zX~QO`!v*A8sBu&%!$E>r2{Vze64BYZw?xkS`El)G7x-@Z4Jo3_ftthC-Hue&sTy8; zR7#&|V6b95;;Ga!I=ECN_rh}}EyFKXc+tXW^FWh?&CAz(Xnqp=ET)qndi~QcgvR z2Ku12DjqcZT7;rL4p}ib0^`U63*HVM>`Hz3?&L-h>LfDjln%HNdZ1?fiHuB& z{kq#t?R3x1vjUAS0e|3u`F8d#f*PR&gBJrme~KYvp~KglCL6G0pj8dl$joW(Xnc?V?etseZ|d!8G{8IA&)!Xtd_??dadole~7E*bg-+XGSYBaQ`sGnx{))%KCqU zY2G#Z)KIxV;f#~q6e0Q3z8?q_e*pH|{}TcA3JUd$6C)e{3Lwt17j13otWD258ptkF zvf674+tiD$zi}4TLw*WDt~6%XS3RtR4gAzBUvS&}im05hm!+`CI7A~5T66#MY{^r> zNy{^{15xlEQ+AY@xI--hA8Oy3B;EJknUfp2YgkKxG%>rFm)g(XGpdzdDR@_CQ+9cWQ+X;M1?)SR8X- zG}YhR*R4HmPa25lT-js6kxCv6trbN zs|^j%6@kV4hg`k-D*VmzR*Qf7x7!@_h~VK0q@4E(+{g)Ts%9uslFFOBE8~-yTD>{i z?kcu(c8}S1T_dk1=FgpdGyFW}l{d)k%oWQ9>i>-%uHs_iU$(mJ7Wk~;STHJ63@Myl z{vJG6o!ZXbm90-~QUb0qYIZ48uY35xSTxOD&dWlXJD)23Iq_Qt#G z8II{Lc*Do=iebbX11(l1w$<>+%y%k?C-wI@4WC00uW+I^W^*?BVcwl);`irto2+5@ zLv|tXWSP^? 
z0ZOZE2pCVk5K(?bfozZKz-V?1m-8U;lts*;8TBOuFZy5jrAuD5 z##o!*6b_2|)B~x!TUik}V@rW%h*5^dXTvEnc)e8inteCHMNKHS(`(Ji*XA=v_N86E zFeo11Bo}Ei#$PJ16!z(2YteQD$_Ot*kZWazeIrkxn3I9dyvfj+GGG8^Efq!T7#NV3 zlk4*bE8`i#k$5zYCS!z#jR?!2gcxSqy-Y*@GeVd{AbDoAv4|{C{v+cq>(_Ps%@tJx zrd=g@TrX0q*udjRq}zD%3I4T2NTN?D#a%kzCC8Em9QvZNW_C_F%EUnaZ_%A8@L#T8 zOP9L+PgUYmz0C%|H_YgwV2wFs#S1v&j?4*=zowKl*pPgEE6wT%Rbj(4`s35n+XqJI zj-xkdB@G@qNqnIk_%*dW;xA+6B)J_ekv-7UjMRSyTCE!&T@hH$WMv9*=UP+2mNMxX zeF^V3dE@;QHRV)jJ(VSjO<)`lOmGqjtEX;UFjLjm3%o#iYbS7E#B%3&oq@|^yxp8E zqDaS*K1iQzxjV>5T1UC+mFAw%gCvUasyr1>&S$a{$O~#$IKn&`joq*nQc+DY8Ndy@z8&j!aI!w ztYe=cRs8{PlJMvD;Dh=%`10>%^J38#Zle6i+}{vGu6ZNcy($t)V#(&PW1(u=!M{>` zcIanjwgXH6oN-Y{&SRQ4?CPl98Ds`WigNILL<5~;uF;gMS8JEpIm}GFQQ6h#KX;TQ zJ*Y66t%4)n?NG9vAMu-9(f)D#r{jmI<{uV)jJfRNNvcFP$jP$3e>3H3)%XN2FK-AC z59fi>P{h%)a(v6!R5T8KoBBiEdzT~X*{k~`BGIy)=6TLSR+<_)O&|SNWq;paA<5%y z6Z0|dR2)-TV9Cu&hz2-=%MH8e`v9`(I07<)|2WT2-*B4G9d5V{FgS}o0#3LPOjCU= zsyrixJFTZ-spq@-!||>^h4C~oB=>Mc3fkV%k8plK>4b91)=~4kPIkpOfsmcawzm2N z7S3nfa{m&3n4$y}@18jC$3Bb6smJY?i+2jkp*kT_rsBZqc&P?mzBrh-tGEM$p5aGB zay4Py?>Sbu(hbOIXiqlC4vqGCcSURmdhlR#&J#aF{K(^h<+Xi>Cc`Dn8`UWR32j?7 zm|;m@{R)$?|hgVBefMTjy@%{eIYhozLtTPCLtVgHZ-T=l?{ z@0$+sCxr#3RGkpL5yj;S9o?QZ?k%bdM|kcTwa+9{2>b)m6QwitrBe&TAb>{|lT*J8 z1x-*p-Br3AO{na%hO%AqU+QdtqXH~S4PL-aF(f{AMr+zRJHFO6aNcpcAI1B4&B#7k zJEdXvbWZ(iIxF{+dW%)8XMirb0xACf4SkNX8UhEdj@duVKFq@b>=KQ^VJZqniG~Uc zo9%yGo~}QJ$1lbE-YWS`PLK4dsGTPwODyWvB)xO-*T~Vs4W33}?>u48hhZnONYjF0 z!usD$D*HE`a18Fb0*Y>%Li*GQA|3EMh?^|@!UY-uh;Zik#Tv*aNX6^F?*aW6b38?9 z6KDb=T9Fcsh|kAQbDIIMD}=DUF0+3EKpUf~6eFNf++O2q5Nqg9&veum(#j-4?K1zA zhnEU*oXd->{4@`auhYSvJuNdG?29T?QW=po$gPIjk{gZ!Zk%FjJvZo<%?!Wxs2M*e zJIr91d0fz$w(dOFi9$QDCCaT>RSrlPznoa)QH&qDC+iT|XdxPQp?|KkD zHRIPG+TmR3@jdYq#<@AaCtm^O0FY#ird_t9Q@+6>Bwjuks7j-7W_pqzQ~})N7@-h-%k^nY9?eG zhwP(^$ud|*4fQK)`_7y9m9AegG7|__aFIF^l2&46^PL;nmatFfF82iLrOp z9RUv8TNDG~%sRV*u&6|V@_pHz=<@^4!A8;mS#%sVm#Q=i9!XSM>Y3*pz=W3u&8mc0 zmqETu)w2!88boYQDm04|bWpQ{xvdxMDw7mak6tWaEe#6n8%dPXD8H8lL+ZQOenURK 
zs$x2|l#x!0fNy6@QOAR&3P2%@Ts!w)5|U!$iP?AVT{`pjMq#C4hX#NEqij@q7b=W{ z<`v?~pFkn$#sko1M5E5y&pKG&XTBCu&%c|k~G|p^IC!j3Sgl+ z+2SbaF63qeT(qzI10d!t%MfHoDE*N{d4;-3bWj$F!p2`JrJ4U$HEX9=L$0Y2iuwcu zQC6nDNJCk%}ghR1N=u1v;Y7A$B`qz fCo2Y<00G{W0mkeP1TAg7vBYQl0ssI200dcD+Y3H7 literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/tunnels/mpls-6in6-6in6-4in6-invalid-version-4.pcap b/testing/btest/Traces/tunnels/mpls-6in6-6in6-4in6-invalid-version-4.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a71c0453c2aee54ea70d49ee021cdc2ca8e86a13 GIT binary patch literal 168 zcmca|c+)~A1{MYcU}0bca_lx1M1sT`pjf=PB(WqF$YJ}-*x?QYiOFR^o{lENMusAg zI2dHIX#Ka||DS=ufkE*<2>kv2KTCmugF%jk0Vv9lsR>e+3FH7(p$VLat1@B(D*n&^ QkBJdzbaDw71H=6v0JiWeG5`Po literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/tunnels/mpls-6in6-6in6-invalid-version-6.pcap b/testing/btest/Traces/tunnels/mpls-6in6-6in6-invalid-version-6.pcap new file mode 100644 index 0000000000000000000000000000000000000000..558809258848a94e744a830335a8ccbcb3917fdc GIT binary patch literal 168 zcmca|c+)~A1{MYcU}0bca_lx1M1sT`pjf=PB(WqF$YJ}-*x?QYiOFR^o{lENMusAg zI2dHIX#Ka||DS=ufkE*<2>kv2|CIs*2ZJ0715lJ9Qxl{t6UYIoLKE> output +# Truncated packet where the length of the IP header is larger than the total +# packet length +# @TEST-EXEC: bro -C -r $TRACES/trunc/ipv4-truncated-broken-header.pcap +# @TEST-EXEC: cat weird.log >> output + +# Truncated packet where the captured length is big enough for the ip header +# struct, but not large enough to capture the full header length (with options) +# @TEST-EXEC: bro -C -r $TRACES/trunc/ipv4-internally-truncated-header.pcap +# @TEST-EXEC: cat weird.log >> output + +# Truncated packet where the length of the IP header is larger than the total +# packet length inside several tunnels +# @TEST-EXEC: bro -C -r $TRACES/trunc/mpls-6in6-6in6-4in6-trunc.pcap +# @TEST-EXEC: cat weird.log >> output + # @TEST-EXEC: btest-diff output 
diff --git a/testing/btest/core/tunnels/ip-in-ip-version.bro b/testing/btest/core/tunnels/ip-in-ip-version.bro new file mode 100644 index 0000000000..35d633c8fe --- /dev/null +++ b/testing/btest/core/tunnels/ip-in-ip-version.bro @@ -0,0 +1,14 @@ +# Trace in we have mpls->ip6->ip6->ip4 where the ip4 packet +# has an invalid IP version. +# @TEST-EXEC: bro -C -r $TRACES/tunnels/mpls-6in6-6in6-4in6-invalid-version-4.pcap +# @TEST-EXEC: mv weird.log output + +# Trace in which we have mpls->ip6->ip6 where the ip6 packet +# has an invalid IP version. +# @TEST-EXEC: bro -C -r $TRACES/tunnels/mpls-6in6-6in6-invalid-version-6.pcap +# @TEST-EXEC: cat weird.log >> output + +# @TEST-EXEC: btest-diff output + +@load base/frameworks/notice/weird.bro + From 3accfabdfe041cbeef6a58ef98974cc25c0b70b3 Mon Sep 17 00:00:00 2001 From: Christian Kreibich Date: Mon, 23 Oct 2017 15:10:01 -0700 Subject: [PATCH 230/631] Minor Bro docs tweaks for correctness and readability - The protocol seemed to be missing from two frame inclusions, throwing an error message when viewing the page locally. Add "https:". - Reduce whitespace around inline code blocks, where 2em seems really large. --- doc/_static/broxygen.css | 12 +++++------- doc/_templates/layout.html | 4 ++-- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/doc/_static/broxygen.css b/doc/_static/broxygen.css index 5259c3adfc..ad06b0f9d9 100644 --- a/doc/_static/broxygen.css +++ b/doc/_static/broxygen.css @@ -152,12 +152,10 @@ sup, sub { pre, code { white-space: pre; - overflow: auto; - margin-left: 2em; - margin-right: 2em; - margin-top: .5em; - margin-bottom: 1.5em; - word-wrap: normal; + overflow: auto; + margin-left: 0.25em; + margin-right: 0.25em; + word-wrap: normal; } pre, code, tt { @@ -482,4 +480,4 @@ li { .btest-cmd .code pre, .btest-include .code pre { margin-left: 0px; -} \ No newline at end of file +} diff --git a/doc/_templates/layout.html b/doc/_templates/layout.html index 3df56a12ff..4debd1d90e 100644 
--- a/doc/_templates/layout.html +++ b/doc/_templates/layout.html @@ -10,7 +10,7 @@ {% endblock %} {% block header %} - {% endblock %} @@ -108,6 +108,6 @@ {% endblock %} {% block footer %} - {% endblock %} From 28498f752bcbedf113bc46f555fa611a6fb0633b Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 18 Oct 2017 15:57:40 -0700 Subject: [PATCH 231/631] Fix use-after-free in Trigger.cc timeout_val is used _right_ after it is Unref'd. --- src/Trigger.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Trigger.cc b/src/Trigger.cc index 772a991791..3867c607fd 100644 --- a/src/Trigger.cc +++ b/src/Trigger.cc @@ -136,12 +136,12 @@ Trigger::Trigger(Expr* arg_cond, Stmt* arg_body, Stmt* arg_timeout_stmts, if ( timeout_val ) { - Unref(timeout_val); timeout_value = timeout_val->AsInterval(); + Unref(timeout_val); } // Make sure we don't get deleted if somebody calls a method like - // Timeout() while evaluating the trigger. + // Timeout() while evaluating the trigger. Ref(this); if ( ! Eval() && timeout_value >= 0 ) From 5b889360705120c9061390214881ea376819c669 Mon Sep 17 00:00:00 2001 
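Review bot: The reordered statements in the `Trigger::Trigger` hunk (`timeout_value = timeout_val->AsInterval();` now ahead of `Unref(timeout_val);`) carry no comment saying why the order matters, and the diffstat lists only src/Trigger.cc, so nothing stops a later cleanup from swapping them back. I would add `// Read the interval before dropping our reference; Unref() may free timeout_val.` above the assignment. A btest that exercises a trigger with a timeout expression, run in a build with a memory-error detector, would turn a regression into a test failure. The constructor body starts and ends outside the hunk.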
From: Robin Sommer Date: Tue, 24 Oct 2017 10:29:34 -0700 Subject: [PATCH 232/631] Fix assignments to event arguments becoming visible to subsequent handlers. It's well known that changes to mutable event arguments, like tables, become visible to all places where those values are used, including subsequent handlers of the same event. However, there's a related case that's more suprising: simply assigning *a new value* to an event argument passes through, too. This commit fixes that behaviour. (We even had a btest with a baseline reflecting the problen). --- aux/btest | 2 +- src/Func.cc | 22 +++++++++++++++---- .../Baseline/core.event-arg-reuse/output | 2 ++ .../Baseline/signatures.load-sigs/output | 2 +- testing/btest/core/event-arg-reuse.bro | 20 +++++++++++++++++ 5 files changed, 42 insertions(+), 6 deletions(-) create mode 100644 testing/btest/Baseline/core.event-arg-reuse/output create mode 100644 testing/btest/core/event-arg-reuse.bro diff --git a/aux/btest b/aux/btest index 154dd9f9b2..56a368491d 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 154dd9f9b2011341d2f76a3d3fee1c9a5ac4e393 +Subproject commit 56a368491d8ef3ef527061b353875099070148ad diff --git a/src/Func.cc b/src/Func.cc index 88da9a7a04..32cc9faf5a 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -383,11 +383,7 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const FType()->FlavorString().c_str(), d.Description()); } - loop_over_list(*args, i) - f->SetElement(i, (*args)[i]); - stmt_flow_type flow = FLOW_NEXT; - Val* result = 0; for ( size_t i = 0; i < bodies.size(); ++i ) @@ -397,6 +393,19 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const bodies[i].stmts->GetLocationInfo()); Unref(result); + + loop_over_list(*args, j) + { + Val* arg = (*args)[j]; + if ( f->NthElement(j) != arg ) + { + // Either not yet set, or somebody reassigned + // the frame slot. + Ref(arg); + f->SetElement(j, arg); + } + } + f->Reset(args->length()); try 
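Review bot: The `Ref(arg)` taken inside the per-body loop of `BroFunc::Call` (hunk `@@ -397,6 +393,19 @@`) is balanced only by the `Unref((*args)[k])` loop that the later hunk `@@ -434,6 +443,11 @@` adds after the loop, so any path that leaves the function between the two would leak one reference per argument. Apart from the `try` that follows `f->Reset(args->length())`, the code between the hunks is not visible here, so it is worth confirming that no `return` or propagated exception bypasses the release. The test `f->NthElement(j) != arg` is a pointer-identity check, and a one-line comment would make that explicit, e.g. `// Identity comparison: a handler that assigned a new Val to the parameter replaced the slot.` `Call` begins and ends outside both hunks.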
@@ -434,6 +443,11 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const } } + // We have an extra Ref for each argument (so that they don't get + // deleted between bodies), release that. + loop_over_list(*args, k) + Unref((*args)[k]); + if ( Flavor() == FUNC_FLAVOR_HOOK ) { if ( ! result ) diff --git a/testing/btest/Baseline/core.event-arg-reuse/output b/testing/btest/Baseline/core.event-arg-reuse/output new file mode 100644 index 0000000000..52024ab5f2 --- /dev/null +++ b/testing/btest/Baseline/core.event-arg-reuse/output @@ -0,0 +1,2 @@ +f1, 2 +f2, 1 diff --git a/testing/btest/Baseline/signatures.load-sigs/output b/testing/btest/Baseline/signatures.load-sigs/output index 52e0eeb92c..d58d0c0a39 100644 --- a/testing/btest/Baseline/signatures.load-sigs/output +++ b/testing/btest/Baseline/signatures.load-sigs/output @@ -1,3 +1,3 @@ [orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp] works -GET /images/wikimedia-button.png HTTP/1.1\x0d\x0aHost: meta.wikimedia.org\x0d\x0aUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Geck... +GET /images/wikimedia-button.png HTTP/1.1\x0d\x0aHost: meta.wikimedia.org\x0d\x0aUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15\x0d\x0aAccept: image/png,image/*;q=0.8,*/*;q=0.5\x0d\x0aAccept-Language: en-us,en;q=0.5\x0d\x0aAccept-Encoding: gzip,deflate\x0d\x0aAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\x0d\x0aKeep-Alive: 115\x0d\x0aConnection: keep-alive\x0d\x0aReferer: http://www.wikipedia.org/\x0d\x0aIf-Modified-Since: Fri, 05 Nov 2010 16:00:03 GMT\x0d\x0aIf-None-Match: "97a-494505e0c46c0"\x0d\x0aCache-Control: max-age=0\x0d\x0a\x0d\x0a diff --git a/testing/btest/core/event-arg-reuse.bro b/testing/btest/core/event-arg-reuse.bro new file mode 100644 index 0000000000..6634d059b9 --- /dev/null +++ b/testing/btest/core/event-arg-reuse.bro 
@@ -0,0 +1,20 @@ +# TEST-DOC: Check that assignment to event parameters isn't visible to other handlers. +# +# @TEST-EXEC: bro -b %INPUT >output +# @TEST-EXEC: btest-diff output + +event f(a: int) &priority=5 + { + a = 2; + print "f1", a; + } + +event f(a: int) &priority=-5 + { + print "f2", a; + } + +event bro_init() + { + event f(1); + } From aee307f02b26f0d1ea6ac4818f74eb2764247ac1 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 2 Nov 2017 16:16:06 -0500 Subject: [PATCH 233/631] Add more test cases to ascii-double.bro --- .../json.log | 22 ++++++ .../test.log | 18 ++++- .../base/frameworks/logging/ascii-double.bro | 76 ++++++++++++++++--- 3 files changed, 104 insertions(+), 12 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/json.log diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/json.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/json.log new file mode 100644 index 0000000000..49b3c5d172 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/json.log @@ -0,0 +1,22 @@ +{"d":2.153226e+09} +{"d":2.153226e+09} +{"d":2.153226e+09} +{"d":1.0} +{"d":1.1} +{"d":1.123457} +{"d":-1.123457} +{"d":1.1234} +{"d":0.1234} +{"d":50000.0} +{"d":-50000.0} +{"d":3.140000e+15} +{"d":-3.140000e+15} +{"d":1.790000e+308} +{"d":-1.790000e+308} +{"d":0.000012} +{"d":0} +{"d":-0} +{"d":inf} +{"d":-inf} +{"d":0.0} +{"d":nan} diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log index 7fb6492f1b..45f8783c7b 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log 
@@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path test -#open 2016-05-23-22-44-54 +#open 2017-11-02-21-00-25 #fields d #types double 2153226000.0 @@ -12,6 +12,20 @@ 1.0 1.1 1.123457 +-1.123457 1.1234 +0.1234 +50000.0 +-50000.0 3140000000000000.0 -#close 2016-05-23-22-44-54 +-3140000000000000.0 +NAN.0 +NAN.0 +0.000012 +0 +-0 +inf +-inf +0.0 +nan +#close 2017-11-02-21-00-25 diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-double.bro b/testing/btest/scripts/base/frameworks/logging/ascii-double.bro index e6d9a05e28..b824d93676 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-double.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-double.bro @@ -1,6 +1,10 @@ +# @TEST-DOC: Test that the ASCII writer logs values of type "double" correctly. # +# @TEST-EXEC: bro -b %INPUT test-json.bro +# @TEST-EXEC: mv test.log json.log # @TEST-EXEC: bro -b %INPUT # @TEST-EXEC: btest-diff test.log +# @TEST-EXEC: btest-diff json.log # # Make sure we do not write out scientific notation for doubles. 
@@ -14,16 +18,68 @@ export { }; } -event bro_init() +function logwrite(val: double) { - Log::create_stream(Test::LOG, [$columns=Info]); - Log::write(Test::LOG, [$d=2153226000.0]); - Log::write(Test::LOG, [$d=2153226000.1]); - Log::write(Test::LOG, [$d=2153226000.123456789]); - Log::write(Test::LOG, [$d=1.0]); - Log::write(Test::LOG, [$d=1.1]); - Log::write(Test::LOG, [$d=1.123456789]); - Log::write(Test::LOG, [$d=1.1234]); - Log::write(Test::LOG, [$d=3.14e15]); + Log::write(Test::LOG, [$d=val]); } +event bro_init() +{ + local d: double; + local dmax: double = 1.79e308; + local dmin: double = 2.23e-308; + + Log::create_stream(Test::LOG, [$columns=Info]); + + # relatively large values + logwrite(2153226000.0); + logwrite(2153226000.1); + logwrite(2153226000.123456789); + + # relatively small values + logwrite(1.0); + logwrite(1.1); + logwrite(1.123456789); + logwrite(-1.123456789); + logwrite(1.1234); + logwrite(.1234); + + # scientific notation (positive exponents) + logwrite(5e4); + logwrite(-5e4); + logwrite(3.14e15); + logwrite(-3.14e15); + logwrite(dmax); + logwrite(-dmax); + + # scientific notation (negative exponents) + logwrite(1.23456789e-5); + logwrite(dmin); + logwrite(-dmin); + + # inf + d = dmax; # ok + d = d * 2.0; # inf + logwrite(d); + + # -inf + d = -dmax; # ok + d = d * 2.0; # -inf + logwrite(d); + + # negative zero (compares equal to 0.0, but has different representation) + d = -0.0; + logwrite(d); + + # nan + d = dmax; # ok + d = d * 2.0; # inf + d = d * 0.0; # nan + logwrite(d); +} + +# @TEST-START-FILE test-json.bro + +redef LogAscii::use_json = T; + +# @TEST-END-FILE From 43b2b9806eb95aa3f256c1d4dda1bcf758e94908 Mon Sep 17 00:00:00 2001 
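Review bot: The new `logwrite(dmax)` and `logwrite(-dmax)` cases in `bro_init` are pinned in the test.log baseline as `NAN.0`, and `dmin` / `-dmin` as `0` / `-0`, while the json.log baseline added by the same commit records `1.790000e+308` and `-1.790000e+308` for the same inputs. If this pins a known writer limitation on purpose, the test should say so, for example `# NOTE: the non-JSON writer currently renders dmax as NAN.0; the baseline records that output, not the desired one.` The json.log baseline also contains `{"d":inf}`, `{"d":-inf}` and `{"d":nan}`, which are not valid JSON values, so a strict parser in a log pipeline would reject those records. A comment noting which of these outputs are expected and which are open issues would keep the baselines from being read as a specification.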
From: Justin Azoff Date: Fri, 3 Nov 2017 16:13:18 -0400 Subject: [PATCH 234/631] add a max_line_length flag to ContentLine_Analyzer In ContentLine_Analyzer, prevent excessively long lines being assembled. The line length will default to just under 16MB, but can be overriden on a per-analyzer basis. This is done for the finger,ident, and irc analyzers. --- scripts/base/frameworks/notice/weird.bro | 1 + src/analyzer/protocol/finger/Finger.cc | 4 ++-- src/analyzer/protocol/ident/Ident.cc | 4 ++-- src/analyzer/protocol/irc/IRC.cc | 4 ++-- src/analyzer/protocol/tcp/ContentLine.cc | 13 +++++++++---- src/analyzer/protocol/tcp/ContentLine.h | 8 ++++++-- .../weird.log | 12 ++++++++++++ .../btest/Traces/contentline-irc-5k-line.pcap | Bin 0 -> 38967 bytes .../scripts/base/protocols/irc/longline.test | 6 ++++++ 9 files changed, 40 insertions(+), 12 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log create mode 100644 testing/btest/Traces/contentline-irc-5k-line.pcap create mode 100644 testing/btest/scripts/base/protocols/irc/longline.test diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro index 6c8ba14974..42bed543ee 100644 --- a/scripts/base/frameworks/notice/weird.bro +++ b/scripts/base/frameworks/notice/weird.bro @@ -106,6 +106,7 @@ export { ["baroque_SYN"] = ACTION_LOG, ["base64_illegal_encoding"] = ACTION_LOG, ["connection_originator_SYN_ack"] = ACTION_LOG_PER_ORIG, + ["contentline_size_exceeded"] = ACTION_LOG, ["corrupt_tcp_options"] = ACTION_LOG_PER_ORIG, ["crud_trailing_HTTP_request"] = ACTION_LOG, ["data_after_reset"] = ACTION_LOG, diff --git a/src/analyzer/protocol/finger/Finger.cc b/src/analyzer/protocol/finger/Finger.cc index a9818ff7af..e1be27e795 100644 --- a/src/analyzer/protocol/finger/Finger.cc +++ b/src/analyzer/protocol/finger/Finger.cc 
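Review bot: The new table entry `["contentline_size_exceeded"] = ACTION_LOG` logs every occurrence, and with the limit of 1000 that this commit passes for finger, ident and IRC, a connection that never sends a line terminator can raise the weird each time the limit is reached. The neighbouring `connection_originator_SYN_ack` entry uses `ACTION_LOG_PER_ORIG`; writing `["contentline_size_exceeded"] = ACTION_LOG_PER_ORIG,` here would keep weird.log volume bounded per originator. The table definition starts and ends outside the hunk.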
@@ -17,9 +17,9 @@ Finger_Analyzer::Finger_Analyzer(Connection* conn) : tcp::TCP_ApplicationAnalyzer("FINGER", conn) { did_deliver = 0; - content_line_orig = new tcp::ContentLine_Analyzer(conn, true); + content_line_orig = new tcp::ContentLine_Analyzer(conn, true, 1000); content_line_orig->SetIsNULSensitive(true); - content_line_resp = new tcp::ContentLine_Analyzer(conn, false); + content_line_resp = new tcp::ContentLine_Analyzer(conn, false, 1000); AddSupportAnalyzer(content_line_orig); AddSupportAnalyzer(content_line_resp); } diff --git a/src/analyzer/protocol/ident/Ident.cc b/src/analyzer/protocol/ident/Ident.cc index f668be921c..9601be7562 100644 --- a/src/analyzer/protocol/ident/Ident.cc +++ b/src/analyzer/protocol/ident/Ident.cc @@ -17,8 +17,8 @@ Ident_Analyzer::Ident_Analyzer(Connection* conn) { did_bad_reply = did_deliver = 0; - orig_ident = new tcp::ContentLine_Analyzer(conn, true); - resp_ident = new tcp::ContentLine_Analyzer(conn, false); + orig_ident = new tcp::ContentLine_Analyzer(conn, true, 1000); + resp_ident = new tcp::ContentLine_Analyzer(conn, false, 1000); orig_ident->SetIsNULSensitive(true); resp_ident->SetIsNULSensitive(true); diff --git a/src/analyzer/protocol/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc index a26045f250..a69674eb50 100644 --- a/src/analyzer/protocol/irc/IRC.cc +++ b/src/analyzer/protocol/irc/IRC.cc @@ -21,9 +21,9 @@ IRC_Analyzer::IRC_Analyzer(Connection* conn) orig_zip_status = NO_ZIP; resp_zip_status = NO_ZIP; starttls = false; - cl_orig = new tcp::ContentLine_Analyzer(conn, true); + cl_orig = new tcp::ContentLine_Analyzer(conn, true, 1000); AddSupportAnalyzer(cl_orig); - cl_resp = new tcp::ContentLine_Analyzer(conn, false); + cl_resp = new tcp::ContentLine_Analyzer(conn, false, 1000); AddSupportAnalyzer(cl_resp); } diff --git a/src/analyzer/protocol/tcp/ContentLine.cc b/src/analyzer/protocol/tcp/ContentLine.cc index a830cc8a7d..f15a8851d7 100644 --- a/src/analyzer/protocol/tcp/ContentLine.cc 
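Review bot: The limit is passed as the bare literal `1000` in the `Finger_Analyzer` constructor, and the same literal recurs in the `Ident_Analyzer` and `IRC_Analyzer` hunks on this line, six call sites in all. A named constant per protocol would record where the number comes from and keep both directions of a connection in step, e.g. `static const int FINGER_MAX_LINE_LENGTH = 1000;` (name is a suggestion) used as `new tcp::ContentLine_Analyzer(conn, true, FINGER_MAX_LINE_LENGTH)`. A short comment next to each constant stating the protocol's own line limit, where one exists, would let a reader judge whether 1000 is generous or tight.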
+++ b/src/analyzer/protocol/tcp/ContentLine.cc @@ -7,14 +7,14 @@ using namespace analyzer::tcp; -ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig) -: TCP_SupportAnalyzer("CONTENTLINE", conn, orig) +ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig, int max_line_length) +: TCP_SupportAnalyzer("CONTENTLINE", conn, orig), max_line_length(max_line_length) { InitState(); } -ContentLine_Analyzer::ContentLine_Analyzer(const char* name, Connection* conn, bool orig) -: TCP_SupportAnalyzer(name, conn, orig) +ContentLine_Analyzer::ContentLine_Analyzer(const char* name, Connection* conn, bool orig, int max_line_length) +: TCP_SupportAnalyzer(name, conn, orig), max_line_length(max_line_length) { InitState(); } @@ -229,6 +229,11 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data) return seq_len; \ } + if ( offset > max_line_length ) + { + Weird("contentline_size_exceeded"); + EMIT_LINE + } switch ( c ) { case '\r': // Look ahead for '\n'. diff --git a/src/analyzer/protocol/tcp/ContentLine.h b/src/analyzer/protocol/tcp/ContentLine.h index 7a5a6b996e..357b3d9527 100644 --- a/src/analyzer/protocol/tcp/ContentLine.h +++ b/src/analyzer/protocol/tcp/ContentLine.h @@ -10,9 +10,12 @@ namespace analyzer { namespace tcp { #define CR_as_EOL 1 #define LF_as_EOL 2 +// Slightly smaller than 16MB so that the buffer is not unnecessarily resized to 32M. +#define DEFAULT_MAX_LINE_LENGTH 16*1024*1024 - 100 + class ContentLine_Analyzer : public TCP_SupportAnalyzer { public: - ContentLine_Analyzer(Connection* conn, bool orig); + ContentLine_Analyzer(Connection* conn, bool orig, int max_line_length=DEFAULT_MAX_LINE_LENGTH); ~ContentLine_Analyzer(); void SupressWeirds(bool enable) 
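Review bot: The added check `if ( offset > max_line_length )` in hunk `@@ -229,6 +229,11 @@` raises the weird and emits the buffered bytes as a line, after which the rest of the same over-long input appears to be accumulated and delivered as further lines. Downstream analyzers then parse the tail of an oversized line as if it began a new one; the IRC baseline added in this commit shows `irc_invalid_command` right after `contentline_size_exceeded`, which is consistent with that. I would document this at the check, `// The rest of an over-long line is delivered as separate lines; consumers must not assume each delivery starts at a real line boundary.`, or discard input up to the next terminator once the limit is hit. The constructors also accept any `int`, and a non-positive `max_line_length` would make the check fire almost immediately, so a guard or an unsigned type would help. `DoDeliverOnce` and the `EMIT_LINE` macro begin outside the hunk.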
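Review bot: `#define DEFAULT_MAX_LINE_LENGTH 16*1024*1024 - 100` in the ContentLine.h hunk is an unparenthesized expression macro, so any use inside a larger expression (a multiplication, a subtraction, a negation) would evaluate to something other than the intended value. As the default argument of the two constructors it expands correctly today. I would write `#define DEFAULT_MAX_LINE_LENGTH (16 * 1024 * 1024 - 100)`, or preferably a typed constant, `static const int DEFAULT_MAX_LINE_LENGTH = 16 * 1024 * 1024 - 100;`. The class declaration continues outside the hunk.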
@@ -60,7 +63,7 @@ public: { return seq + length <= seq_to_skip; } protected: - ContentLine_Analyzer(const char* name, Connection* conn, bool orig); + ContentLine_Analyzer(const char* name, Connection* conn, bool orig, int max_line_length=DEFAULT_MAX_LINE_LENGTH); virtual void DeliverStream(int len, const u_char* data, bool is_orig); virtual void Undelivered(uint64 seq, int len, bool orig); @@ -80,6 +83,7 @@ protected: int offset; // where we are in buf int buf_len; // how big buf is, total unsigned int last_char; // last (non-option) character scanned + int max_line_length; // how large of a line to accumulate before emitting and raising a weird uint64_t seq; // last seq number uint64_t seq_to_skip; diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log b/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log new file mode 100644 index 0000000000..b88f8724c5 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.irc.longline/weird.log @@ -0,0 +1,12 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2017-11-03-19-17-18 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1509735979.080381 CtPZjS20MLrsMUOJi2 127.0.0.1 50164 127.0.0.1 6667 contentline_size_exceeded - F bro +1509735979.080381 CtPZjS20MLrsMUOJi2 127.0.0.1 50164 127.0.0.1 6667 irc_line_size_exceeded - F bro +1509735981.241042 CtPZjS20MLrsMUOJi2 127.0.0.1 50164 127.0.0.1 6667 irc_invalid_command - F bro +#close 2017-11-03-19-17-18 
diff --git a/testing/btest/Traces/contentline-irc-5k-line.pcap b/testing/btest/Traces/contentline-irc-5k-line.pcap new file mode 100644 index 0000000000000000000000000000000000000000..94c8815af2e90197166ff9cf4fe096a1fd943b7c GIT binary patch literal 38967 zcmeI52|SeD`~Sz5HCam=D#{XL>`ThN?>l8T7=~etwM3hw1tHo~651r9MU+SzC8d-t zl}H;A5&v^$F*8h0&-ZzL&;Rv(^?mMMcQbRA&wZWub)9qH=iW5el;koaSP|5P^nLmD zao3lt<{(yr47f6b)ewP@+MI|$=*&VO5)cR`xPB%mXxvuGe8nU0bJm7$Dfh%81OnC_ z0Cm+t9k`O~DqE=N(A8DY_)LKHK>hASzLhx>Qb3T2gDcH#?twJddL1dCBQ?Q;IH`sp zt|T3`+*hIWIyHkC@hcu+J)RY2VG>19Csp=QbQT{C zzm=YXFBS#M&1PcVz2{{V_{IbEz;c}v{0F~-tcNx^v{?unauy4@EU_GM+bqV04j_~G zUBCxJh>(xQ1Y<(bei(0g96o@OwFnszj0ug9L&>WkLvW!u9~>?i8RCrzmG_N^pcI-9 zo2-dMMn^{zRl+DLNJe4+I673$(Oyd&AEk+s*N|6~N2y4Q8>4-LaY#i46iPu!K}p=vCo+@}i9{*LD=3Rg zVIzGpe$wJb7(Ch^7lTxiR|R#z7N;5xzBB&8q(Cu@#|lRfx5W8j{4r=hSRB^jfdBDP z@J*$VlHt#}fB4@#kP9ob_=Q4TFi0pt@%9t=LGlGDllYxMOf+>gP)hRYhZx$cL@Fsp zxQ02YnYmhljF}N}IvXUz&?aUv!*7&eK|m-lfs1HWq#q1b3ZzqC!4Gz@lFSl{48!8Q z{bmFPr8qU1xb!_utsD&PtcWo+l@B^DNr_b#Ea1mf&eS&8t*j00?5yoT0uwD{#y?;Q zx*R$|swe2m{DBKT?f`;+$^|{AC?y5-ZB)V{gOp9xZ3u>r%HeUYu(Ql`LI!1w`wyKE zunNdgov@UV6XZjEBfRA!F_FIVXun8Meu@JmL~PK1>=GF5qzJTfF|fAOHHEQ72a@rR z|7)KNEiTqy6=coy$r0G5ztAzzpFur# zrZpPH;FGuzH~Y6c$dtF3bb;!W6X6z!8~7W&14`2g&V?y(f$b-%FCd3jSO_7^dqyuO z7U5A;P?uL%0As15yb`EKC&JF8;|T?c3;1#D8RZ9Er2M@9Jzfz5Y7jT{3tvB8YD6i? 
zudiUCYZ4npFt@igi8YHc#e$rfu1-t>$$!Dsv0b1Zwfp^T7yq}9fsf^KDP(`;1F5OV z5zsfXurt+Hit~1GL}76j#xa2mozPqG*PL(=I*;mv|Ftpjv2xR&^@;phN=X5I4ZMrJ zvy!=en1gGS4IXRC_;9gT@2~mfB|Pp1W1xB__#`gGj{CPe2ppD(O8=W<;1laQ3V>hq zzb9tU14LB7*CA2PF-qvTI6^?2FFM9a4P?z61iL*z@?RJP?+Jl=)c*Ikef-}(2tIL= zq@ewk6Kvp+Ms|W#sHJI;qOHB3y0VqIznUZ5L(X(U_9RID3r=9w2KA^;_+J|YpSWM8 zkp7iVoSsrj^6RVln_?~93?l6?;Xz@pK0Y94rb~KZ@?UU?bT6m}#z3uq$3OrAE)e41 zJ`Q{m)dysVo$6Pv4m(OI$*&(4;%A5TcEp)kSSdxC+IfSVnXW!x50d|atJ|DGJ!4I7LfuV}b?V7v+Fu?1V}0kLIzMN80KtCMo6zhy~jdnw+*abT1`6`2~nH>W<@vr!#+7{GCV81T#B#3+(fM#o?Nu z9-QQD1)s#_|H9!@0rCHHiZ^vW^Dlav*l^nOUy6XoR0u$IaNP5g5P&Dcu8{amJBRuQ zSBYBBa)2tt%~Gx*5q~haBJlKi8l|X!esoZftC^y6cz}bCZaBsS%lOo1jU}i79RY#` zTqT0`PhAtRA!p6(!L(P2em24rjg&#c%SXfuKS*C(2)I-ffmB7RDj}UI$#Pg+08TzE zGyrUjSmjS$HBz9I{-3&P^hZ%rRzyMa%P4tiKq<ls^HL@PNFO#H2bK+eoz zqs9Ux|8qg&$RJ1vfsr9TNbt{x8Y-UPx~N}>H$GTCA}RohQd16#k(-Jmy3Bv$30#~6 zKKsR0$Ulmw*TSIspBr^1dniQ(^n+DU*Z`D|y|2H&QIL|d9R_4E2q@x3BvRHtFzU!N z2q+Lren>rVnK~j6jrEsPR)_(Yj6GHVjg-F|DQ%qG6!-sXQ*r z#w!@vp$MjWa0kF3QYbs2e`fz=#2`{gLytOA-J3Y{grcJ(rgli3uNcIb*sDOTKu&uYHl2RPOilE>dp{L;uvKT~=HAw#Fc3w&h zB1jpjOpF}@1{dm$k0nNr9JqG{2G73(&fgwzR{o&Gz%Rqa(VS9LK;Od33KgtqYZ)1W z@77WkDi5f+|F_EW8I;FU4*kn|5s#sBkIvifN(frDgUQY_&j@xF`>cp~UC{*9!+ z8%bTvQ}>qtDw5iyr)Ks4$W;A5k0g^niX?BOKI!c8wBzRKssF~%-;Nb29p*Z&xqIv0y@Mq)H?(XlBhY% z)2g#XV&H>o)B>CsKTjMU6W|#Ll4q0T!2eUpVc-W3T{0dW5yqf2F`2$JTNoZkz=6tK zQv&P}XnYjLcgjeJ1i|4KiT8$QNWph@m_SVBBAVqBOF%;c@NzUcowy|i>5wX*<4vGf z=fdKAy|KhbQY1+Fq;#l8m(CM{iHJb^dCuGddmtu)fWyav;zWQ%8BU^^VZlVuR4Zo_ zlQCfoWH?EvX4D`iGpxZ&hzt!yV?D#X@#s+EhWLm!z}Ev}S0ZO-)*aWT zaUR;Pps^zV+o_fTY)qnvk}EUl&7^T*+2S-eHidaCEUY&E4%#&pxv|v^CQIoLr;q z_Ya!iSr2{sQQ6H=8e!SRzuv+sq1#W^*-lb5i&k{~KY&b?ds*Hl!DNN2rGt zn&#p46DQ?1s10!GJiVY^4>g(lc{p`?KG*wdFE2F2L0D-wNe@{?pXe+*uu&0Omn!Z z_zlUBd92!&XU?}t$^1w(x_oq^Ru$iW0i)Q^uX8CcHDt$VVU089ZD0G*Qw>(@3Z4=C zqjt}6&Bo#-^lla&$g(|AEk1nb^X@#PjJfZ6`?k@iNtJ2OgX;*paYE_Y5HS}y}Vu@+bX^@;hw$u zn;j))wj7a4S4-b^M6rgU9gj(`-;nxvLki2h#9H$!r6D}=*yvb|tZ?C44B#5lR;*RT6MZ=ObZ#q%h= 
zTNpJrr-=~WVBhWMa+ot_C{PDEM|_#i-bsn7svYjCYVD~D#m+ooQ<^)^dEXX`ClU&Y z=Gm{gcn+Ucc(6<$*7eH%)}_np#2%dAH7r|FkA2(6At7Fk@|llIJO87&K>wOS*AmSf z^tRD;E7&7DdU$z)iZasz&s-SIxq4-OaNO=lv6t&!mOq+Ya|-ENu;juJ@5>vr+Xh|@ zOI%zMm%KqIg*Sb%Uqyr0oD+}ohqRiQHoZLFeyU=X=j<9A9S)axODjkIgKc$9B1;C^ zRx`P^NyvOTHIcdvv8k&2Y_$~2BIUd*dvfM$a4dPz00*ZHU~rng6EF~`ALJA?hPK0j zX+{3ncp{(ND0T3LgVVCbQ0K!0E24=LL0n0L9A|^eg+I^{ksD>NnHuC)Lme>4u_%m) z^gUx~I;(wo^TAyM&)4slj+z|O8+=-4)p_r0(Fe0#w@!-f@D5vevOikL9=p%vplI`# zye46zkcuM*M0T}(Gg}wGb@lmi=XP-3A+G~h4it(j z8CYe{V&0P)ZKE9|x23&4I{f8ve7-H=fPZ$?hkP}}LUpbx6B+AFkDHH1>~bDlUh>rY z&Mpo_+KThMEU!BpfGFDEYhjATm9*6# z-tXb4&ARFtE4II?VEgDMz!MQ?p;A14!8pjx$B1+Hc=Ll{6PYBz z5^EvJmSfz5;TwxT?eb}`ICd|k+^FPH!JVC{C1 z@mLP@ut8GP13vLd?sZFq>jP}}4k*dw=K5$zu(>FE99h`DLbl=k%A~gJ>)pF~A9M?f zj*BBbzuw!vB>mXJ^`=NUzc!^vrgXgl9!-JI6ot2|tq!Yn^pmx1Hb3!jPL&<4aL8;e-@(x{f;Mb%KAmc**tMC12;s zNW|?Ny=N6HjbhH+F^jWw=iBxTJ@-^+MRZJTu3dL|V|%hhblAdD?G`1bx~@(Zjz!WTkyN;YX-^KD|QpO`4={7yz=EJ6EO1LLo6dGqaii{ap=ugqW1+(~=<*tWO3Yiy6QUFq_tfiGVB^2@nh z${4*_#EVYXWhs!DIJUh1u64FS@&$f_$R9Q}$dZnuuU9Weopv!C{7`(@YgtIV*!;Em z>o=M`{=}p3!u9;Y7d8ry3r5F=c0Ipkk*|_EyU`<^zcZ?E|L&rxU{w@s3-w+nps|?bXaTMz~xeR+w_i|ju_@$#-HTPMa7n^ zU)1TERQ7(24w^Lh^PJDj7GiccH z-X@2=?r*nbB3eZ^GzJ|p{2=#gRP>Tnj`Xv1ao0n~6dbjJcnbU#L^q)LDn8l{ZsL52q|7%_sOjFLAHdYnR1U2VToazg)o` zh_!v%w^{K#VxN11M9|3h54+AWOG7O3etsW`76JXWRDKD7)=(Hm1(Dmp2 z*HC4Xllq*-uQa}APaKUfyP3S~=B#c0GJWm4&gstzUng(=%D<^Y`>mE)O4;a-lc86$ z59bD?E!mfDu;@+7U5}bmbFv>b(&Q;@5*ZSGOGGY^~&tm@Cw?Ugvb_Dbfvr0%aA zaZ5jB8Hio2YE+RvV&Sr!<#xb_wVh!+;h&qtyz+Gl$`75qq@ZphcRr8z^QX$>y^^(6 zimtp1?*|$EcrtFV#mcvV)heOIUG)0VS+f%PIgcx8=o)Oh>zn_fWsaGj$yKM|sG@tD z9$!**lYSm}%%ctEVe#NcuD{whr;O!aS-+bnSqZICO&&CP@*q37uaEhH%tp6YgJxV= zi_h-=el_`t1#(ZpXFgnyGlza+=O^Q(RN)I_4{M- z(M2oEr9zL|=Cu^JD$h@Im{@DqC?Z>q)N+0L`U-A%5z0nLc=Pe3w{OID z%Z_b`3NIgiZ!xr2S=c1uw8^cdYPIj<#L@^Sd}~j4Dm~tm>@iQfbX&W6%8#RQxy71o zs|Gt4gpSVd{a@TXZ^6&Ip~Px=7R<`Q4{Ce)7$0kyP_sccJa#SX-dn)X6<&` zx3$Z9Z$ewMTesERS913h()YagxT+LovG9gdXhP4i%{_6iKCF@4y;3CmD0cR>@`e>^ 
z+_T;br8u-bdS9C&J2on|Bji9uJlj}r)^nU?;vQFi{hny{o`$1V+vYf<2uqG%`cVFq zr*qgx)kj^e$l9MG?#6QeDkUAJy$lJ=x@y{UT{UZy52glG^Zoo-=dIh z^rYn3mpD1B?3o4Yv`}|0{II{HyX$_7*Q?SmAD@NQv7Eb5an<03*SMi=OSQrW2^&d= z!@Ie^j=lG~{)5vV427AOD2gb)+Gkdtl*px0i@851$Ub;b)gbj(zEsc02L*~N(6vyECMho4YIr{{Tzh$lIcl5QtRfIUX@zl0VR`&tztz+kB$NU&z z-*x!@1-XjCefOfV$dfgjmSdTOzRVTcyEVzVZ{@<+fGlN!-VL?KYa%1gw#`4nEtm=+bbaswV-W640JAH=yk}pg+kkY zrXvG%%s`vrO6F#CxrSbc&K?n954gL8!VB8tXm4mI?vKN9S()ma6Td(U)fiaVy^>y; z#==%$;ZsH}T?KTEfOT*sTc{_>MXy7)u$4#*S_mE~p|#M=+SE#XnX@5r;eyt!VPIYH zR(e$$>)!p$Is>3XJP!y?zLBjPZ#_n@L$>bSly#r!t@HNr^+Wpy1Y&}Mu_2+juyA|? zAu=jDCN@r2Pv5}M$k@cx%-q7#%G$=(&fdY%$=Su#?Z2@O=D{T2T~uET)G^l>A5)6ckS#{jN(Xt+Wi zTcFO3JK*a1G_I?s^-2;~?HC4J-$0$;iR*K~V>(y6;Gc0_tpm8$&~Sx3-axJiZs20Y zG_Jz&^g1N2t952_l{AMszZ2I(fX8&MNjvCyP{)Ba9Dr*jl`G^SX%4x@4)V_6+LuMI zL*lxIg8|ozQ0I5znhtnO=Q{k;@pa8Zz_px)E97xe7I6Kc0fKc}yrxb&?jm!2IFsx0 zxlreK;R<<(Xfn;esddwLxbSDhRNT-QUL z--)X>;4wX3ombHFpmNpq0$ht|xI!N5A=e2k>kO{z@$@<*uDV_fxOPIF--)YA$jo_@ z&`o+CRIYkbfNLHNSIDCia<%=+HiPTPC3+naS3RkjTvr%Co!^No2Jo03ul1kkdC+kE z47eVla)mrr7(lMKc7i(xri}w4cj1|NZn0N&1 zf%>}>`82oC*x;My#-s{$3`%Ft`JOA$>yUhFkjTKdSlE`|$+v3(kLg^)ed&2neQRg} ze7lo|E98NNT+>W}Bd7J5p$d8(5?4bL23(t<&hNyv5b&7JHTVNP4=Pt9KEQPw4Ohsc z33By+HFM54YZ<)`iK`LcOs>)zQ0I5zx)Jc0&b5D9|E1yj3~=2@ikYz)c}v_@oJb$&x6XyWsbDlp)B z6YBg0CEWJ10)Vbp&ul({P16ZbGg>YiG@f*KgBqWhHYRnaNdF66*X;T$2Eg z8C<34>la zExAz%d&4i5sb92ff<$Nk1$@Ugf~o%5^ED5&lu<1P|*s zFFH~AvZPycC;$0`Q{u>ZnHjNrS~Y|27q+ztS-8$`b*x!%sFTz{qDba~p@2ltKFoXbXC zPgGV8Zdxbl)HPzwRq*X(f$-vY6=y6;46gdso%<4pZJIME8fA>CuPQp!`;dKTh5lqz zPVJoS>PhdP^n9~$Ijyek-H&Z^R*rnnD)vH@M@@R^oh(tSX10V&UxwWmwz28%Jm~U> zl`HN*^~#=WWma!8!y}wu2l&|sG!vYQotZYUwOuPe72V&D+?pMA{ljh{SBd?H50=e( zucQ3<-T8&qL4)OWc;Uwy!|XjfYF?aha6xl7s;8%!TOU8(7mzdMWNk;=0Omq6o#ufz4YO7djl0b9_t95L&8pdX~E-h<_4! 
z?~Ux#`)(Dj#%bKNmP@#N%&u9}ZJwp!4Giz6Z2^W6Y$h>r@rPABg0*MMA;jlQ)UK_2 zv+s@GTy;Eh(~p(AZpbOhiC)tEc%-rSsYP|w`mEcApM$Kvy#CUZU?TA}$qQ4{$)$$A z?UL@f)oaOh1z-GHLXo}Wvh(znNHuw(U!oaGV2X0q|F zfhLh!Lf0nSRN7ujzVJTS86CAHBHXiHu0itPtNOyo0A}GeXxleg3s}7xV)Z7iZmO+zEVF z&+B*3LrAo5Vs+Fe>E&gsm<{JIy?rBJJLvF64-@iD7)frkC6t!b$$!HN3E$o8v)KSmZsGsuC#Np=I&ksq9SVoPN+y$)&TVOGsx z=aCEt%in3|VF-9k=X!S@JrC;6!#o-6JX~qGLLSMGYk>&|f*D+!C9dE=-;kMW;)gK3 z4xN8QRz`6Qg8ex0IWJjokT1J|c&l^Kq8M%^U~oOAK6^u!;H%D&r_Ma=n*u@Jr?w;N;B2yU|RAbPM1rE zq}DB37IZk5hkfEZk1J~F*zoZ7Uz|nw>4YuxPH>^@91rtu;fK z=q)M_w^w4g_~tLLs@u}n(Gab5tV#7#nB-gm0~ra)laudGzc|93Qs6z5y+AoBBH|!3 zkKj%zTv^vmRPJ-(va5btm*>y3t`kq%zng2r_c)c2Lyx6Zj&DD2)>kc+h@6kFD-+M( ztmAXvWsZ1j%_&e!x*NPrxuati>(jgqT}d{D`+To`Cv_Z+gCT z*om3fRUoc0XKApAe!+{leWPrfHomz~f*;+}RCnZHb=P-6)+Ke=s8bS?<8Ei4-5(SA zlJ2yI)A@mJTE?jQ?W}8(lBa{-h76i5w%DpsoA+{iSV@`Mkhl`_oH@CKB<*X7V}|Up z4V^0`uRRjz+Go8~ytA{n+91v}>PM@wD&F8-x64Y&#LTD8n>BU#%N_}qqQ;g)3ii$o zJaTSHl;Q1jCoVS}zyD*sS39TSHe5XuGf3+j4H zm$K`WjO=YKtb8A!u~;kQyt4IsnVUr)*XCe3r2?->tWO^KzTcE(P?;B;$?-L9k*E_LRBO_G0{8LCrxN>#CJFh3> zmbQE4ZY)2eIWBo2^J|U1^U|LATn67Rwy|d1SBBnH^l z{qS!$l>St=dgB(q4A(RM8PSG3n8esKFO+!f!(;rl1R8=uu9fQ_5%R#kQ53y%&iVc- z(Jfh5A3MfYOVMF*f6Ko zPk;Bp>xjm8&(rgo*FNVxtMjyiQ((jau|p)GORV?f{Jd`U^9p-=*GV6^y(Pvqv3|gS z@9Xw87>Q>a7hg=h8da2kCi?M}gFTm1)7ZZ@-Fn7iyyl|3LCKiB%i+EDcOMzlN@W%f zeT#qS&$Q<9^;=l(xhZ^#c2b(1`IYYuV#X#-_Ga|-xF2@jgJ|1dIot8Dk5r><+L6FD zk(XQKbditk=l48|ac|gLV%yLweRQ@iFKW3f|IKT>^G1X!q}NOK9*xo(ZBbpvA{%k& zd{JTV<JEGjpT>jZriUt<4#qOw0csi$0ibGgR-Z5(dNk{wJbZ6|LTGnEIH?C24; zhD>!$emSr6_6HWK+1G`@ z+bhJrCzHVD-w^luQsDRC1?W<|y;jnjr8_!f$`LJh-mj>Rm&H(z zulz{JO-);Nv{t7dEg)cAdGJPXV`P72;FrV@u7JMVdvBm#hU%Wxm^TkOtI_GS;+=bL zjhZrk*Sc%l-di}=<(!c;(m(#*p?I#lQ|j|f^mY|Zi(#24k5!uj^S>JDb}VvN|_KZ+B0q!eBLah3ej*2X(j6)fwy;qzBY}-5z z+&hNf-p%x3K+^dAO`{)dALPW=_}-EoeUstO*X36t`CRI1S-9Z$R4>1!T!&UmhYa?) 
zvugg>x)PB(8G8A^#wX>XuNPg4KV{}2!hgGNz26>1Gw<$8T{l}~;$x1be>YSSf3cps z-y{2!{Dkqv{CO#!fsv_Mna@1bcIp-oo+TaistV$$^5RI0z18io)1|C2IVnJurw=Bf%$=UeeOVq*Z*tWFI!y;;@pYPqdw>qUM_ICe8|2btXV@tCd z5pQ+WRTc~1Yc6#Ty5(y+qOV!A6SI7BIIuuFf^*T{+k5PC4ezDDD(5=lzc`ZI_z3UFPNim7YT=pJlh? zO}g2Wk9IzA*y5wKV~+7Yxsui|3oNB=a>jOlx?d3_xD8n|?^IkG%l9~C3|d?%Hlrc0 zjQhimft!~Lp39~MmC3Yq+bZ6C;Jw1>tL;)3rK3u_ma8I`iVdzXY<}(jwMt~K{+g}L z)%U+hpX0GMzE$=4)1+!KVx9)dS5Y@l;zk_Xew#WMqq(p4Uw1)0$f}Weq?fdQ@%yUW z!&rQT;psUqv(7cyiS^W;;nlEgu6sA;y2g8+M%KRYFx#cMi+HcDSRUqOmB}@%u;i=W z{^Khi$mKp=ylt23Vh>gBL&mGF$E=Rb?*1h0Rkdqp(v9bd3aCvZs=1Uxb(}l)cP&<^@&y-gtJmG>t7a*(^Q3efFJf-wx3dJ#7RtA=nBb zT`hih{y<{$TI+e@+zVwy&UBvcJkTgnxo7EN+oQPS$G;7p9Z;|CU)A&cLCKKHfJ^Dk zr7~NxnvP(L#Pegj=RWEGUa{|Tpm9WT8^OI2VR}60bm_wF;`YnDS8o<}@XR?UnlR+) z^T@$kB`CA{LC{92o`M$xkrgp3lPV9g548HsQr6;OI<$a)b6NCp9VG?XlLF?hH9N+Q zhx58CN>-%kI*<5li9)h{36+uB-e`zjvhR>;YH6p>^UycX^0iM?TeDrQ;J2Us_DR^0 z4B_xANj%pIG7tu*t=C>=?OB)qIAKNjN~tZnHl-XR_T#5L+2=}s$u;d#*0p=itAyZL zHC`jwo*3F2tRH(g!2WuU;M?RaE6t47JYB2pHr)ML$9muG^7+?tH;c?3Fiy$lN*v3I z=hxYWwZ6BltNx~Y*8+G%d<`5CPd~EmjG#XvCY?^%ug)VM5}nAmq?G2!8Xgf7PkY;L zpLxkx><7ILX~trn%wWdS2anKyrx{BW;4yt5x#*fmWLcyp&e3TAqN`l+X4Zv@>l5b(qX_C@|wZL5a1 z{Y+=GHWR`dv=6StHZmjJS?uU_YDnBj_P__#Y$<1OQ8?H(P?h-7Iq(UW`CtX7+qo;i z=K`1j{?1G=8ZU<;0>}m%oDSfG2>k|W3{L`v(>!5E+#n7D$OSrAfH+*qhF@BuPOn2Y zJc$Sr8eT+aIDD%X2dqn8@EGF2l?MMu@P(n#cuzlcgfAWw2H&eiEJ)0vl!s#AJ97#X zf`gSf=#dgwb}^BD!75A$W@0JUCpU03uD)A%aRo&4dZz z3bqJWG7-l^+vthV>4*Rw(yQoZ8o3V|4h=p{XK*;EO6$Ui|8Fkj4Dk*HFO3Ib z4V&W00ExgC`le8keD|B?!zm=IotO{~piOWkBeCh#`~w|`1dLCl3o0lAL<^BX$B`Fs zTuyx_9kkUJY-76nj(E{;gM|INAHXgFY<)x%Z*Us~s1pEmzJOqXE6G--55ni@b;xa& zkZJ>M2DVOi(b-A>wsC-GQOOHap%t2-j|(N>aac`Fd?Xg_3H~k&Vn!l52E0Qq0%0E+ zVh`R_7on-?i;V=Y?!$Wqpb4Jf4RDcI0)tFKAjk^DVf{RP@i_Q)I)rH`0Sz`37Ksl) zdxG}_hRocQx1S#4OfyfY$;>hJ^uy5%490FaW|C1QPQJ`T(E?l5!geB$~$%iNQ(?q|HEwZa>S6 z&@ok_*C7RxavLR(;A8MKK~D@MFjFEf(6${6Y+L`+AXo1FnQae%4(yC@rF6)4hJz~X zEI>yDw2{6;5^ejV4%x=QR;(Pu_Vt%xNv zIns27vJfAGuG 
z7jzI1k2J#rea~UgXBgN(D)lQf(4oG#NH8?u8TWj2C};?2kRcBs)Gd*_K6Si^fTc-Y zlw3H3*yKmvFyuoP4@D1op@6WGG7{%du3?&X3^=ENn zZzdf#PcX3UcoDrOjcr?hW*e9DOxs4Q=ygbaWPIx%*+x6o@B_{1JJjxn^qMrbr2*Tj z8F3r%U_$7Cohe*N{g-J~`{qB;5kXZ?Dopj?D7a$=$Y|c0ix>gF!LxG2BTp{)JsOR{ z`++ZX3w&+vPV-PCCGn45cnfT!d9!UG_yL|LATR$XFT7=)@%~*_FfL%hCWzw_ar?8# zF-~e2>9`uaG7*iRDh1OsT znyW^yL-Mc67tk-#z&@aQqJhpYQP40E@E>{E2R^|Gexl{jKeNNUeS^Wy+#iDlU7TF# zrytY(!y1b7Lxa*ZfTo0qX+$Mf40vlc_(mj1{Es~%($^R4(5Dh%YZoz~rq@m1S}HZw zY(TAy5j8oWV*oY-S8_D#1gxajAyHG!rcj$y{zGcxz)%>)(0JIc*}kNAfrDKE>BYw& z?dQu3YIFeu>v2Tjed%8R3^#-jgzrQ~`x3zGjHl*=urSPHSOA18bRn@{Ff0&;!$U{F zBXg1h8x|dfrVnxU5a1Xv!2m@_E`+{OX5bqYhEv6H5YcKUfN#z+@=YU_36T%(|A#Bd zH!R0Lzoz#M)yF_b1a+1vd&)PluxCKSU|rI};z68w!5?g-3A8X}e+P~n{k#d@;H}a) zJetUZT!->OoFBs}FG z=s;G4EV#&Z9PKFf!T6-u0AKjzNn-gxdu{Ch15vO2Pyhe` literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/irc/longline.test b/testing/btest/scripts/base/protocols/irc/longline.test new file mode 100644 index 0000000000..0573494844 --- /dev/null +++ b/testing/btest/scripts/base/protocols/irc/longline.test @@ -0,0 +1,6 @@ +# This tests that an excessively long line is truncated by the contentline +# analyzer + +# @TEST-EXEC: bro -C -r $TRACES/contentline-irc-5k-line.pcap %INPUT +# @TEST-EXEC: btest-diff weird.log + From 6e89505d06f4acb83abcebf167795a6e6bf01d0b Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Mon, 6 Nov 2017 14:01:07 -0600 Subject: [PATCH 235/631] Fix ASCII logging of very large values of type "double" Increased the size of a buffer to be large enough to contain all the characters of the largest possible "double" value when scientific notation is not being used (previously, the nonsensical "NAN.0" would be written to ASCII logs for any value >= 1e248). --- src/Desc.cc | 4 +++- .../scripts.base.frameworks.logging.ascii-double/test.log | 8 ++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/src/Desc.cc b/src/Desc.cc index 1d76c32e55..b64bcec8d8 100644 --- a/src/Desc.cc 
+++ b/src/Desc.cc @@ -145,7 +145,9 @@ void ODesc::Add(double d, bool no_exp) AddBytes(&d, sizeof(d)); else { - char tmp[256]; + // Buffer needs enough chars to store max. possible "double" value + // of 1.79e308 without using scientific notation. + char tmp[350]; if ( no_exp ) modp_dtoa3(d, tmp, sizeof(tmp), IsReadable() ? 6 : 8); diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log index 45f8783c7b..9d5dd6ecf0 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path test -#open 2017-11-02-21-00-25 +#open 2017-11-06-19-58-08 #fields d #types double 2153226000.0 @@ -19,8 +19,8 @@ -50000.0 3140000000000000.0 -3140000000000000.0 -NAN.0 -NAN.0 +178999999999999996376899522972626047077637637819240219954027593177370961667659291027329061638406108931437333529420935752785895444161234074984843178962619172326295244262722141766382622299223626438470088150218987997954747866198184686628013966119769261150988554952970462018533787926725176560021258785656871583744.0 +-178999999999999996376899522972626047077637637819240219954027593177370961667659291027329061638406108931437333529420935752785895444161234074984843178962619172326295244262722141766382622299223626438470088150218987997954747866198184686628013966119769261150988554952970462018533787926725176560021258785656871583744.0 0.000012 0 -0 @@ -28,4 +28,4 @@ inf -inf 0.0 nan -#close 2017-11-02-21-00-25 +#close 2017-11-06-19-58-08 From de6883fa1c07b3fc8c621729b70741e70438da25 Mon Sep 17 00:00:00 2001 
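Review bot: The new size `350` for `tmp` is justified only by the prose comment, so the margin cannot be checked without redoing the arithmetic: about 309 integer digits for the largest double, a sign, the decimal point, up to 8 fraction digits from the `IsReadable() ? 6 : 8` argument, and the terminator. Tying the size to the type, e.g. `char tmp[std::numeric_limits<double>::max_exponent10 + 32];` (which needs `<limits>`), or spelling that sum out in the comment, would keep the buffer correct if the precision argument ever changes. The rest of `ODesc::Add`, including any other call that writes into `tmp`, lies outside the hunk.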
From: Luke Valenta Date: Tue, 7 Nov 2017 23:19:30 -0500 Subject: [PATCH 236/631] add verbose SSL logging output that includes cryptographic values --- scripts/policy/protocols/ssl/ssl-verbose.bro | 103 +++++ src/analyzer/protocol/ssl/events.bif | 66 ++- .../protocol/ssl/tls-handshake-analyzer.pac | 81 +++- .../protocol/ssl/tls-handshake-protocol.pac | 391 +++++++++++++++--- 4 files changed, 571 insertions(+), 70 deletions(-) create mode 100644 scripts/policy/protocols/ssl/ssl-verbose.bro diff --git a/scripts/policy/protocols/ssl/ssl-verbose.bro b/scripts/policy/protocols/ssl/ssl-verbose.bro new file mode 100644 index 0000000000..4de466327c --- /dev/null +++ b/scripts/policy/protocols/ssl/ssl-verbose.bro 
@@ -0,0 +1,103 @@ +##! More verbose version of the base SSL analysis script. This script +##! additionally logs client and server randoms, key exchange values, signatures, +##! and certificates hashes. + +@load base/protocols/ssl + +module SSL; + +export { + redef record Info += { + # ClientHello + client_random: string &log &optional; + client_cipher_suites: string &optional; + + # ServerHello + server_random: string &log &optional; + + # ServerKeyExchange + server_dh_p: string &log &optional; + server_dh_q: string &log &optional; + server_dh_Ys: string &log &optional; + server_ecdh_point: string &log &optional; + server_signature: string &log &optional; + + # ServerCertificate + server_cert_sha1: string &log &optional; + + # ClientKeyExchange + client_rsa_pms: string &log &optional; + client_dh_Yc: string &log &optional; + client_ecdh_point: string &log &optional; + }; +} + + +event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5 + { + set_session(c); + c$ssl$client_random = bytestring_to_hexstr(client_random); + + local ciphers_str = ""; + for (i in ciphers) + { + ciphers_str += cipher_desc[ciphers[i]]; + if ( i != |ciphers|-1) + { + ciphers_str += ","; + } + } + c$ssl$client_cipher_suites = ciphers_str; + } + +event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5 + { + set_session(c); + c$ssl$server_random = bytestring_to_hexstr(server_random); + } + +event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=5 + { + set_session(c); + c$ssl$server_dh_p = bytestring_to_hexstr(p); + c$ssl$server_dh_q = bytestring_to_hexstr(q); + c$ssl$server_dh_Ys = bytestring_to_hexstr(Ys); + } + +event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priority=5 + { + set_session(c); + c$ssl$server_ecdh_point = 
bytestring_to_hexstr(point); + } + +event ssl_server_signature(c: connection, signed_params: string) &priority=5 + { + set_session(c); + c$ssl$server_signature = bytestring_to_hexstr(signed_params); + } + +event ssl_rsa_client_pms(c: connection, pms: string) &priority=5 + { + set_session(c); + c$ssl$client_rsa_pms = bytestring_to_hexstr(pms); + } + +event ssl_dh_client_params(c: connection, Yc: string) &priority=5 + { + set_session(c); + c$ssl$client_dh_Yc = bytestring_to_hexstr(Yc); + } + +event ssl_ecdh_client_params(c: connection, point: string) &priority=5 + { + set_session(c); + c$ssl$client_ecdh_point = bytestring_to_hexstr(point); + } + +event ssl_established(c: connection) &priority=5 + { + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || + ! c$ssl$cert_chain[0]?$x509 ) + return; + c$ssl$server_cert_sha1 = c$ssl$cert_chain[0]$sha1; + } diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 7f0814ee27..feba12abb4 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif 
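Review bot: In the `ssl_established` handler the guard checks `c$ssl$cert_chain[0]?$x509`, but the value read on the next line is `c$ssl$cert_chain[0]$sha1`, a different field whose presence is not tested. If a chain entry can exist without a SHA1 hash (the record definition is not part of this patch, so this is an assumption), the assignment would raise a runtime error for that connection. Testing the field that is actually used, `! c$ssl$cert_chain[0]?$sha1`, avoids that.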
@@ -177,6 +177,20 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%) ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_server_curve%(c: connection, curve: count%); +## Generated if a server uses an ECDH-anon or ECDHE cipher suite. This event +## contains the server ECDH parameters, which are sent in the ServerKeyExchange +## message as defined in :rfc:`4492`. +## +## c: The connection. +## +## curve: The curve parameters. +## +## point: The server's ECDH public key. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_server_curve ssl_dh_client_params +event ssl_ecdh_server_params%(c: connection, curve: count, point: string%); + ## Generated if a server uses a DH-anon or DHE cipher suite. This event contains ## the server DH parameters, which are sent in the ServerKeyExchange message as ## defined in :rfc:`5246`. 
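Review bot: The new `ssl_ecdh_server_params` comment documents `curve` as `The curve parameters.`, but the argument is a single `count`, and the analyzer hunk later in this patch passes the same 16-bit `curve` value it gives to `ssl_server_curve`. Wording such as `## curve: The identifier of the named curve.` would tell script writers what the number means. The `.. bro:see::` list could also name `ssl_ecdh_client_params`, the client-side counterpart added in the next hunk.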
@@ -190,9 +204,59 @@ event ssl_server_curve%(c: connection, curve: count%); ## Ys: The server's DH public key. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello -## ssl_session_ticket_handshake ssl_server_curve +## ssl_session_ticket_handshake ssl_server_curve ssl_dh_client_params event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); +## Generated if a server uses a non-anonymous DHE or ECDHE cipher suite. This event +## contains the server signature over the key exchange parameters, which is sent in +## the ServerKeyExchange message as defined in :rfc:`4492` and :rfc:`5246`. +## +## c: The connection. +## +## signed_params: A hash of the server params, with the signature appropriate to +## that hash applied. The private key corresponding to the certified +## public key in the server's Certificate message is used for signing. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_server_curve ssl_dh_client_params +event ssl_server_signature%(c: connection, signed_params: string%); + +## Generated if a client uses an ECDH-anon or ECDHE cipher suite. This event +## contains the client ECDH public value, which is sent in the ClientKeyExchange +## message as defined in :rfc:`4492`. +## +## c: The connection. +## +## point: The client's ECDH public key. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_server_curve ssl_dh_client_params +event ssl_ecdh_client_params%(c: connection, point: string%); + +## Generated if a client uses a DH-anon or DHE cipher suite. This event contains +## the client DH parameters, which are sent in the ClientKeyExchange message as +## defined in :rfc:`5246`. +## +## c: The connection. +## +## Yc: The client's DH public key. +## +## .. 
bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_server_curve ssl_dh_server_params +event ssl_dh_client_params%(c: connection, Yc: string%); + +## Generate if a client uses an RSA key exchange. This event contains the client +## encrypted pre-master secret which is encrypted using the public key of the +## server's certificate as defined in :rfc:`5246`. +## +## c: The connection. +## +## pms: The encrypted pre-master secret. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_server_curve ssl_dh_server_params +event ssl_rsa_client_pms%(c: connection, pms: string%); + ## Generated for an SSL/TLS Application-Layer Protocol Negotiation extension. ## This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent in ## the initial handshake. It contains the list of client supported application diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index e3226551b4..40f546a9f6 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac 
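Review bot: The comment for `ssl_rsa_client_pms` opens with `Generate if a client uses an RSA key exchange`, whereas the sibling events added in this hunk all begin `Generated if`; the slip would be carried into the generated event reference. Changing the first word to `Generated` keeps the set consistent.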
@@ -272,15 +272,48 @@ refine connection Handshake_Conn += { return true; %} - function proc_ec_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16) : bool + function proc_ecdhe_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16, point: bytestring, signed_params: bytestring) : bool %{ if ( curve_type == NAMED_CURVE ) BifEvent::generate_ssl_server_curve(bro_analyzer(), bro_analyzer()->Conn(), curve); + BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), curve, new StringVal(point.length(), (const char*)point.data())); + BifEvent::generate_ssl_server_signature(bro_analyzer(), + bro_analyzer()->Conn(), new StringVal(signed_params.length(), (const char*)signed_params.data())); return true; %} + function proc_ecdh_anon_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16, point: bytestring) : bool + %{ + if ( curve_type == NAMED_CURVE ) + BifEvent::generate_ssl_server_curve(bro_analyzer(), + bro_analyzer()->Conn(), curve); + BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), curve, new StringVal(point.length(), (const char*)point.data())); + + return true; + %} + + function proc_rsa_client_key_exchange(rec: HandshakeRecord, rsa_pms: bytestring) : bool + %{ + BifEvent::generate_ssl_rsa_client_pms(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(rsa_pms.length(), (const char*)rsa_pms.data())); + return true; + %} + + function proc_dh_client_key_exchange(rec: HandshakeRecord, Yc: bytestring) : bool + %{ + BifEvent::generate_ssl_dh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(Yc.length(), (const char*)Yc.data())); + return true; + %} + + function proc_ecdh_client_key_exchange(rec: HandshakeRecord, point: bytestring) : bool + %{ + BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data())); + return true; + %} + function 
proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool %{ RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); @@ -299,7 +332,23 @@ refine connection Handshake_Conn += { return true; %} - function proc_dh_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool + function proc_dhe_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring, signed_params: bytestring) : bool + %{ + BifEvent::generate_ssl_dh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), + new StringVal(p.length(), (const char*) p.data()), + new StringVal(g.length(), (const char*) g.data()), + new StringVal(Ys.length(), (const char*) Ys.data()) + ); + BifEvent::generate_ssl_server_signature(bro_analyzer(), + bro_analyzer()->Conn(), + new StringVal(signed_params.length(), (const char*) signed_params.data()) + ); + + return true; + %} + + function proc_dh_anon_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool %{ BifEvent::generate_ssl_dh_server_params(bro_analyzer(), bro_analyzer()->Conn(), 
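Review bot: In `proc_ecdhe_server_key_exchange` and `proc_ecdh_anon_server_key_exchange` only `ssl_server_curve` is guarded by `curve_type == NAMED_CURVE`; `ssl_ecdh_server_params` (and, in the ECDHE case, `ssl_server_signature`) is generated for every curve type from the same `curve`, `point` and `signed_params` fields. If the record layout in tls-handshake-protocol.pac only matches the named-curve encoding (its definition is beyond the visible part of this patch), those values would be bytes from a differently shaped message presented to scripts as a curve id and public key. Returning early with `if ( curve_type != NAMED_CURVE ) return true;` before any event is generated keeps unparsed data out of the logs.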
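Review bot: `proc_dhe_server_key_exchange` passes the generator `g` as the second string of `ssl_dh_server_params`, whose declaration in events.bif names that parameter `q`, and the new ssl-verbose.bro script in this patch stores it in a log field called `server_dh_q`. Readers of the log are likely to take that column for the subgroup order rather than the generator. A comment at the call, e.g. `// second argument is the DH generator g (the event declares it as q)`, or naming the new log field `server_dh_g`, would prevent that. The sibling `proc_dh_anon_server_key_exchange` continues past the end of the hunk.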
@@ -388,12 +437,32 @@ refine typeattr CertificateStatus += &let { proc : bool = $context.connection.proc_certificate_status(rec, status_type, response); }; -refine typeattr EcServerKeyExchange += &let { - proc : bool = $context.connection.proc_ec_server_key_exchange(rec, curve_type, curve); +refine typeattr EcdheServerKeyExchange += &let { + proc : bool = $context.connection.proc_ecdhe_server_key_exchange(rec, curve_type, curve, point, signed_params); }; -refine typeattr DhServerKeyExchange += &let { - proc : bool = $context.connection.proc_dh_server_key_exchange(rec, dh_p, dh_g, dh_Ys); +refine typeattr EcdhAnonServerKeyExchange += &let { + proc : bool = $context.connection.proc_ecdh_anon_server_key_exchange(rec, curve_type, curve, point); +}; + +refine typeattr DheServerKeyExchange += &let { + proc : bool = $context.connection.proc_dhe_server_key_exchange(rec, dh_p, dh_g, dh_Ys, signed_params); +}; + +refine typeattr DhAnonServerKeyExchange += &let { + proc : bool = $context.connection.proc_dh_anon_server_key_exchange(rec, dh_p, dh_g, dh_Ys); +}; + +refine typeattr RsaClientKeyExchange += &let { + proc : bool = $context.connection.proc_rsa_client_key_exchange(rec, rsa_pms); +}; + +refine typeattr DhClientKeyExchange += &let { + proc : bool = $context.connection.proc_dh_client_key_exchange(rec, dh_Yc); +}; + +refine typeattr EcdhClientKeyExchange += &let { + proc : bool = $context.connection.proc_ecdh_client_key_exchange(rec, point); }; refine typeattr SupportedVersions += &let { diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index bd155d644d..6a4584bb03 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac 
@@ -176,13 +176,326 @@ type CertificateStatus(rec: HandshakeRecord) = record { # V3 Server Key Exchange Message (7.4.3.) ###################################################################### -# Usually, the server key exchange does not contain any information -# that we are interested in. -# -# The exception is when we are using an ECDHE, DHE or DH-Anon suite. -# In this case, we can extract information about the chosen cipher from -# here. +# The server key exchange contains the server public key exchange values, and a +# signature over those values for non-anonymous exchanges. The server key +# exchange messages is only sent for ECDHE, ECDH-anon, DHE, and DH-anon cipher +# suites. type ServerKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_cipher() of { + # ECDHE suites + TLS_ECDHE_ECDSA_WITH_NULL_SHA, + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_RSA_WITH_NULL_SHA, + TLS_ECDHE_RSA_WITH_RC4_128_SHA, + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_PSK_WITH_RC4_128_SHA, + TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_PSK_WITH_NULL_SHA, + TLS_ECDHE_PSK_WITH_NULL_SHA256, + TLS_ECDHE_PSK_WITH_NULL_SHA384, + TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, + 
TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, + TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256, + TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, + TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, + TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_CCM, + TLS_ECDHE_ECDSA_WITH_AES_256_CCM, + TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, + TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + -> ecdhe_server_key_exchange : EcdheServerKeyExchange(rec); + + # ECDH-anon suites + TLS_ECDH_ANON_WITH_NULL_SHA, + TLS_ECDH_ANON_WITH_RC4_128_SHA, + TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_ANON_WITH_AES_128_CBC_SHA, + TLS_ECDH_ANON_WITH_AES_256_CBC_SHA + # ECDH non-anon suites do not send a ServerKeyExchange + -> ecdh_anon_server_key_exchange : EcdhAnonServerKeyExchange(rec); + + # DHE suites + TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_DSS_WITH_DES_CBC_SHA, + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_RSA_WITH_DES_CBC_SHA, + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, + 
TLS_DHE_DSS_WITH_RC4_128_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, + TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD, + TLS_DHE_DSS_WITH_AES_128_CBC_RMD, + TLS_DHE_DSS_WITH_AES_256_CBC_RMD, + TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD, + TLS_DHE_RSA_WITH_AES_128_CBC_RMD, + TLS_DHE_RSA_WITH_AES_256_CBC_RMD, + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, + TLS_DHE_PSK_WITH_RC4_128_SHA, + TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA, + TLS_DHE_DSS_WITH_SEED_CBC_SHA, + TLS_DHE_RSA_WITH_SEED_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, + TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, + TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, + TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, + TLS_DHE_PSK_WITH_NULL_SHA256, + TLS_DHE_PSK_WITH_NULL_SHA384, + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, + TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256, + TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384, + TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256, + TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384, + TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256, + TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384, + TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256, + TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384, + TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256, + TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384, + TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256, + TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384, + TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, + TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, + TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256, + TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384, + TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256, + TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384, + TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, + 
TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, + TLS_DHE_RSA_WITH_AES_128_CCM, + TLS_DHE_RSA_WITH_AES_256_CCM, + TLS_DHE_RSA_WITH_AES_128_CCM_8, + TLS_DHE_RSA_WITH_AES_256_CCM_8, + TLS_DHE_PSK_WITH_AES_128_CCM, + TLS_DHE_PSK_WITH_AES_256_CCM, + TLS_PSK_DHE_WITH_AES_128_CCM_8, + TLS_PSK_DHE_WITH_AES_256_CCM_8, + TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + -> dhe_server_key_exchange : DheServerKeyExchange(rec); + + # DH-anon suites + TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5, + TLS_DH_ANON_WITH_RC4_128_MD5, + TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_ANON_WITH_DES_CBC_SHA, + TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA, + TLS_DH_ANON_WITH_AES_128_CBC_SHA, + TLS_DH_ANON_WITH_AES_256_CBC_SHA, + TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA, + TLS_DH_ANON_WITH_AES_128_CBC_SHA256, + TLS_DH_ANON_WITH_AES_256_CBC_SHA256, + TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA, + TLS_DH_ANON_WITH_SEED_CBC_SHA, + TLS_DH_ANON_WITH_AES_128_GCM_SHA256, + TLS_DH_ANON_WITH_AES_256_GCM_SHA384, + TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256, + TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256, + TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256, + TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384, + TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256, + TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384, + TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256, + TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384 + # DH non-anon suites do not send a ServerKeyExchange + -> dh_anon_server_key_exchange : DhAnonServerKeyExchange(rec); + + default + -> key : bytestring &restofdata &transient; +}; + +# Parse an ECDHE ServerKeyExchange message, which contains a signature over the +# parameters. Parsing explicit curve parameters from the server is not +# currently supported. 
+type EcdheServerKeyExchange(rec: HandshakeRecord) = record { + curve_type: uint8; + curve: uint16; # only if curve_type = 3 (NAMED_CURVE) + point_length: uint8; + point: bytestring &length=point_length; + signed_params: bytestring &restofdata; +}; + +# Parse an ECDH-anon ServerKeyExchange message, which does not contain a +# signature over the parameters. Parsing explicit curve parameters from the +# server is not currently supported. +type EcdhAnonServerKeyExchange(rec: HandshakeRecord) = record { + curve_type: uint8; + curve: uint16; # only if curve_type = 3 (NAMED_CURVE) + point_length: uint8; + point: bytestring &length=point_length; + data: bytestring &restofdata &transient; +}; + +# Parse a DHE ServerKeyExchange message, which contains a signature over the +# parameters. +type DheServerKeyExchange(rec: HandshakeRecord) = record { + dh_p_length: uint16; + dh_p: bytestring &length=dh_p_length; + dh_g_length: uint16; + dh_g: bytestring &length=dh_g_length; + dh_Ys_length: uint16; + dh_Ys: bytestring &length=dh_Ys_length; + signed_params: bytestring &restofdata; +}; + +# Parse a DH-anon ServerKeyExchange message, which does not contain a +# signature over the parameters. +type DhAnonServerKeyExchange(rec: HandshakeRecord) = record { + dh_p_length: uint16; + dh_p: bytestring &length=dh_p_length; + dh_g_length: uint16; + dh_g: bytestring &length=dh_g_length; + dh_Ys_length: uint16; + dh_Ys: bytestring &length=dh_Ys_length; + data: bytestring &restofdata &transient; +}; + +###################################################################### +# V3 Certificate Request (7.4.4.) +###################################################################### + +# For now, ignore Certificate Request Details; just eat up message. +type CertificateRequest(rec: HandshakeRecord) = record { + cont : bytestring &restofdata &transient; +}; + + +###################################################################### +# V3 Server Hello Done (7.4.5.) 
+###################################################################### + +# Server Hello Done is empty +type ServerHelloDone(rec: HandshakeRecord) = empty; + + +###################################################################### +# V3 Client Certificate (7.4.6.) +###################################################################### + +# Client Certificate is identical to Server Certificate; +# no further definition here + + +###################################################################### +# V3 Client Key Exchange Message (7.4.7.) +###################################################################### + +# Parse a ClientKeyExchange message. For RSA cipher suites, this consists of an +# encrypted pre-master secret. For DH, DH-anon, and DHE cipher suites, this +# consists of the client public finite-field Diffie-Hellman value. For ECDH, +# ECDH-anon, and ECDHE cipher suites, this consists of the client public +# elliptic curve point. +type ClientKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_cipher() of { + # RSA suites + TLS_RSA_WITH_NULL_MD5, + TLS_RSA_WITH_NULL_SHA, + TLS_RSA_EXPORT_WITH_RC4_40_MD5, + TLS_RSA_WITH_RC4_128_MD5, + TLS_RSA_WITH_RC4_128_SHA, + TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, + TLS_RSA_WITH_IDEA_CBC_SHA, + TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_RSA_WITH_DES_CBC_SHA, + TLS_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_NULL_SHA256, + TLS_RSA_WITH_AES_128_CBC_SHA256, + TLS_RSA_WITH_AES_256_CBC_SHA256, + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS_RSA_EXPORT1024_WITH_RC4_56_MD5, + TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, + TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, + TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, + TLS_RSA_WITH_3DES_EDE_CBC_RMD, + TLS_RSA_WITH_AES_128_CBC_RMD, + TLS_RSA_WITH_AES_256_CBC_RMD, + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, + TLS_RSA_PSK_WITH_RC4_128_SHA, + TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, + TLS_RSA_PSK_WITH_AES_128_CBC_SHA, + 
TLS_RSA_PSK_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_SEED_CBC_SHA, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_GCM_SHA384, + TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, + TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, + TLS_RSA_PSK_WITH_NULL_SHA256, + TLS_RSA_PSK_WITH_NULL_SHA384, + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, + TLS_RSA_WITH_ARIA_128_CBC_SHA256, + TLS_RSA_WITH_ARIA_256_CBC_SHA384, + TLS_RSA_WITH_ARIA_128_GCM_SHA256, + TLS_RSA_WITH_ARIA_256_GCM_SHA384, + TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256, + TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384, + TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256, + TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384, + TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, + TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, + TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256, + TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384, + TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, + TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, + TLS_RSA_WITH_AES_128_CCM, + TLS_RSA_WITH_AES_256_CCM, + TLS_RSA_WITH_AES_128_CCM_8, + TLS_RSA_WITH_AES_256_CCM_8 + -> rsa_client_key_exchange: RsaClientKeyExchange(rec); + + #ECHDE TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, @@ -275,7 +588,7 @@ type ServerKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_c TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - -> ec_server_key_exchange : EcServerKeyExchange(rec); + -> ecdh_client_key_exchange : EcdhClientKeyExchange(rec); # DHE suites TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 
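Review bot: The `TLS_DHE_PSK_*` and `TLS_ECDHE_PSK_*` suites are routed to `DheServerKeyExchange` and `EcdheServerKeyExchange`, but as I read RFC 4279 and RFC 5489 a PSK ServerKeyExchange starts with a `psk_identity_hint` vector and carries no signature, so `dh_p_length` or `curve_type` would be read from the hint and `signed_params` would hold unrelated bytes. The same applies to the `TLS_RSA_PSK_*` entries mapped to `rsa_client_key_exchange` in this hunk, where the message begins with the PSK identity, and probably to the PSK entries in the `ClientKeyExchange` lists of the two hunks that follow. Until the PSK layouts are parsed, I would move those suites to the `default` branch so that `ssl_dh_server_params`, `ssl_ecdh_server_params` and `ssl_server_signature` are not raised with misparsed values. Separately, `EcdheServerKeyExchange` and `EcdhAnonServerKeyExchange` read `curve` and `point` for any `curve_type`; a comment on `point_length` such as `# only meaningful when curve_type == NAMED_CURVE; explicit parameters are misparsed` would make that limit explicit.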
@@ -377,72 +690,24 @@ type ServerKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_c TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384, TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256, TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384 - # DH non-anon suites do not send a ServerKeyExchange - -> dh_server_key_exchange : DhServerKeyExchange(rec); + -> dh_server_key_exchange : DhClientKeyExchange(rec); default -> key : bytestring &restofdata &transient; }; -# For the moment, we really only are interested in the curve name. If it -# is not set (if the server sends explicit parameters), we do not bother. -# We also do not parse the actual signature data following the named curve. -type EcServerKeyExchange(rec: HandshakeRecord) = record { - curve_type: uint8; - curve: uint16; # only if curve_type = 3 (NAMED_CURVE) - data: bytestring &restofdata &transient; +type RsaClientKeyExchange(rec: HandshakeRecord) = record { + rsa_pms : bytestring &restofdata; }; -# For both, dh_anon and dhe the ServerKeyExchange starts with a ServerDHParams -# structure. After that, they start to differ, but we do not care about that. -type DhServerKeyExchange(rec: HandshakeRecord) = record { - dh_p_length: uint16; - dh_p: bytestring &length=dh_p_length; - dh_g_length: uint16; - dh_g: bytestring &length=dh_g_length; - dh_Ys_length: uint16; - dh_Ys: bytestring &length=dh_Ys_length; - data: bytestring &restofdata &transient; +type DhClientKeyExchange(rec: HandshakeRecord) = record { + dh_Yc : bytestring &restofdata; }; - -###################################################################### -# V3 Certificate Request (7.4.4.) -###################################################################### - -# For now, ignore Certificate Request Details; just eat up message. 
-type CertificateRequest(rec: HandshakeRecord) = record { - cont : bytestring &restofdata &transient; +type EcdhClientKeyExchange(rec: HandshakeRecord) = record { + point : bytestring &restofdata; }; - -###################################################################### -# V3 Server Hello Done (7.4.5.) -###################################################################### - -# Server Hello Done is empty -type ServerHelloDone(rec: HandshakeRecord) = empty; - - -###################################################################### -# V3 Client Certificate (7.4.6.) -###################################################################### - -# Client Certificate is identical to Server Certificate; -# no further definition here - - -###################################################################### -# V3 Client Key Exchange Message (7.4.7.) -###################################################################### - -# For now ignore details of ClientKeyExchange (most of it is -# encrypted anyway); just eat up message. -type ClientKeyExchange(rec: HandshakeRecord) = record { - key : bytestring &restofdata &transient; -}; - - ###################################################################### # V3 Certificate Verify (7.4.8.) ###################################################################### 
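Review bot: `RsaClientKeyExchange`, `DhClientKeyExchange` and `EcdhClientKeyExchange` each take the whole message body with `&restofdata`, so the values passed to `proc_rsa_client_key_exchange`, `proc_dh_client_key_exchange` and `proc_ecdh_client_key_exchange` still contain the TLS length prefix (two bytes for `dh_Yc` and for the encrypted pre-master secret in TLS, one byte for the EC point), unlike the server-side records, which parse `dh_Ys_length` and `point_length` separately. Parsing the prefix keeps the reported values consistent, e.g. `dh_Yc_length: uint16;` followed by `dh_Yc: bytestring &length=dh_Yc_length;`. For RSA the prefix is absent in SSLv3, so a comment that `rsa_pms` may begin with a two-byte length is the safer change there. The case field `dh_server_key_exchange : DhClientKeyExchange(rec)` should also be named `dh_client_key_exchange`; the `ClientKeyExchange` case it belongs to begins outside this hunk.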
@@ -487,7 +752,7 @@ type SSLExtension(rec: HandshakeRecord) = record { EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0); EXT_SIGNED_CERTIFICATE_TIMESTAMP -> certificate_timestamp: SignedCertificateTimestampList(rec)[] &until($element == 0 || $element != 0); EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0); - EXT_SUPPORTED_VERSIONS -> supported_versions_selector: SupportedVersionsSelector(rec, data_len)[] &until($element == 0 || $element != 0); + EXT_SUPPORTED_VERSIONS -> supported_versions_selector: SupportedVersionsSelector(rec, data_len)[] &until($element == 0 || $element != 0); EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0); default -> data: bytestring &restofdata; }; From 6b21167d9647f31bcc5fb67a8e6ecec197d4c86d Mon Sep 17 00:00:00 2001 From: Luke Valenta Date: Wed, 8 Nov 2017 10:07:54 -0500 Subject: [PATCH 237/631] update documentation, fix whitespace errors, add certificate extraction to ssl-verbose script --- scripts/policy/protocols/ssl/ssl-verbose.bro | 204 ++++++++++-------- src/analyzer/protocol/ssl/events.bif | 33 ++- .../protocol/ssl/tls-handshake-analyzer.pac | 26 +-- 3 files changed, 158 insertions(+), 105 deletions(-) diff --git a/scripts/policy/protocols/ssl/ssl-verbose.bro b/scripts/policy/protocols/ssl/ssl-verbose.bro index 4de466327c..42370339d0 100644 --- a/scripts/policy/protocols/ssl/ssl-verbose.bro +++ b/scripts/policy/protocols/ssl/ssl-verbose.bro 
@@ -3,101 +3,133 @@ ##! and certificates hashes. @load base/protocols/ssl +@load base/files/x509 +@load base/utils/directions-and-hosts module SSL; export { - redef record Info += { - # ClientHello - client_random: string &log &optional; - client_cipher_suites: string &optional; + redef record Info += { + # ClientHello + client_random: string &log &optional; + client_cipher_suites: string &log &optional; - # ServerHello - server_random: string &log &optional; + # ServerHello + server_random: string &log &optional; - # ServerKeyExchange - server_dh_p: string &log &optional; - server_dh_q: string &log &optional; - server_dh_Ys: string &log &optional; - server_ecdh_point: string &log &optional; - server_signature: string &log &optional; + # ServerKeyExchange + server_dh_p: string &log &optional; + server_dh_q: string &log &optional; + server_dh_Ys: string &log &optional; + server_ecdh_point: string &log &optional; + server_signature: string &log &optional; - # ServerCertificate - server_cert_sha1: string &log &optional; + # ServerCertificate + server_cert_sha1: string &log &optional; - # ClientKeyExchange - client_rsa_pms: string &log &optional; - client_dh_Yc: string &log &optional; - client_ecdh_point: string &log &optional; - }; + # ClientKeyExchange + client_rsa_pms: string &log &optional; + client_dh_Yc: string &log &optional; + client_ecdh_point: string &log &optional; + }; + + ## Control if host certificates offered by the defined hosts + ## will be written to the PEM certificates file. + ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS. 
+ const extract_certs_pem = ALL_HOSTS &redef; } - -event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5 - { - set_session(c); - c$ssl$client_random = bytestring_to_hexstr(client_random); - - local ciphers_str = ""; - for (i in ciphers) - { - ciphers_str += cipher_desc[ciphers[i]]; - if ( i != |ciphers|-1) - { - ciphers_str += ","; - } - } - c$ssl$client_cipher_suites = ciphers_str; - } - -event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5 - { - set_session(c); - c$ssl$server_random = bytestring_to_hexstr(server_random); - } - -event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=5 - { - set_session(c); - c$ssl$server_dh_p = bytestring_to_hexstr(p); - c$ssl$server_dh_q = bytestring_to_hexstr(q); - c$ssl$server_dh_Ys = bytestring_to_hexstr(Ys); - } - -event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priority=5 - { - set_session(c); - c$ssl$server_ecdh_point = bytestring_to_hexstr(point); - } - -event ssl_server_signature(c: connection, signed_params: string) &priority=5 - { - set_session(c); - c$ssl$server_signature = bytestring_to_hexstr(signed_params); - } - -event ssl_rsa_client_pms(c: connection, pms: string) &priority=5 - { - set_session(c); - c$ssl$client_rsa_pms = bytestring_to_hexstr(pms); - } - -event ssl_dh_client_params(c: connection, Yc: string) &priority=5 - { - set_session(c); - c$ssl$client_dh_Yc = bytestring_to_hexstr(Yc); - } - -event ssl_ecdh_client_params(c: connection, point: string) &priority=5 - { - set_session(c); - c$ssl$client_ecdh_point = bytestring_to_hexstr(point); - } +# This is an internally maintained variable to prevent relogging of +# certificates that have already been seen. It is indexed on an sha1 sum of +# the certificate. 
+global extracted_certs: set[string] = set() &read_expire=1hr &redef; event ssl_established(c: connection) &priority=5 - { - if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || - ! c$ssl$cert_chain[0]?$x509 ) - return; - c$ssl$server_cert_sha1 = c$ssl$cert_chain[0]$sha1; - } + { + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || + ! c$ssl$cert_chain[0]?$x509 ) + return; + + if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) ) + return; + + local hash = c$ssl$cert_chain[0]$sha1; + local cert = c$ssl$cert_chain[0]$x509$handle; + + c$ssl$server_cert_sha1 = hash; + + if ( hash in extracted_certs ) + # If we already extracted this cert, don't do it again. + return; + + add extracted_certs[hash]; + local filename = Site::is_local_addr(c$id$resp_h) ? "certs-local.pem" : "certs-remote.pem"; + local outfile = open_for_append(filename); + enable_raw_output(outfile); + + print outfile, x509_get_certificate_string(cert, T); + + close(outfile); + } + +event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5 + { + set_session(c); + c$ssl$client_random = bytestring_to_hexstr(client_random); + + local ciphers_str = ""; + for (i in ciphers) + { + ciphers_str += cipher_desc[ciphers[i]]; + if ( i != |ciphers|-1) + { + ciphers_str += ","; + } + } + c$ssl$client_cipher_suites = ciphers_str; + } + +event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5 + { + set_session(c); + c$ssl$server_random = bytestring_to_hexstr(server_random); + } + +event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=5 + { + set_session(c); + c$ssl$server_dh_p = bytestring_to_hexstr(p); + c$ssl$server_dh_q = bytestring_to_hexstr(q); + c$ssl$server_dh_Ys = bytestring_to_hexstr(Ys); + } + +event ssl_ecdh_server_params(c: connection, curve: count, point: string) 
&priority=5 + { + set_session(c); + c$ssl$server_ecdh_point = bytestring_to_hexstr(point); + } + +event ssl_server_signature(c: connection, signed_params: string) &priority=5 + { + set_session(c); + c$ssl$server_signature = bytestring_to_hexstr(signed_params); + } + +event ssl_rsa_client_pms(c: connection, pms: string) &priority=5 + { + set_session(c); + c$ssl$client_rsa_pms = bytestring_to_hexstr(pms); + } + +event ssl_dh_client_params(c: connection, Yc: string) &priority=5 + { + set_session(c); + c$ssl$client_dh_Yc = bytestring_to_hexstr(Yc); + } + +event ssl_ecdh_client_params(c: connection, point: string) &priority=5 + { + set_session(c); + c$ssl$client_ecdh_point = bytestring_to_hexstr(point); + } + diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index feba12abb4..cad453844a 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -27,6 +27,8 @@ ## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello ## ssl_session_ticket_handshake x509_certificate ssl_handshake_message ## ssl_change_cipher_spec +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms event ssl_client_hello%(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec%); ## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions 
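Review bot: In `ssl_established`, `c$ssl$server_cert_sha1 = hash;` now sits after the `addr_matches_host(c$id$resp_h, extract_certs_pem)` return, so the log field is only filled for hosts selected for PEM extraction. With `extract_certs_pem` redefined to `LOCAL_HOSTS` or `NO_HOSTS`, the hash silently disappears from the log for all other connections. Assign it before the host check, i.e. put `c$ssl$server_cert_sha1 = c$ssl$cert_chain[0]$sha1;` directly under the cert-chain guard. Also, `extracted_certs` uses `&read_expire=1hr`, so a certificate seen again after expiry is appended to `certs-local.pem` or `certs-remote.pem` a second time; a comment on the set such as `# de-duplication only holds for one hour, the PEM files can contain repeats` would document that.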
@@ -64,6 +66,8 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, client ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension ## ssl_session_ticket_handshake x509_certificate ssl_server_curve ## ssl_dh_server_params ssl_handshake_message ssl_change_cipher_spec +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms event ssl_server_hello%(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%); ## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS @@ -106,6 +110,8 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm ## ssl_extension_key_share ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms ssl_server_signature event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%); ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension @@ -125,6 +131,8 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm ## ssl_extension_key_share ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms ssl_server_signature event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%); ## Generated for an Signature Algorithms extension. This TLS extension 
@@ -143,6 +151,8 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_key_share ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms ssl_server_signature event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec%); ## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16 @@ -160,6 +170,8 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms ssl_server_signature event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%); ## Generated if a named curve is chosen by the server for an SSL/TLS connection. @@ -175,6 +187,8 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%) ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_extension_key_share ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms ssl_server_signature event ssl_server_curve%(c: connection, curve: count%); ## Generated if a server uses an ECDH-anon or ECDHE cipher suite. This event 
@@ -188,7 +202,8 @@ event ssl_server_curve%(c: connection, curve: count%); ## point: The server's ECDH public key. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello -## ssl_session_ticket_handshake ssl_server_curve ssl_dh_client_params +## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature +## ssl_dh_client_params ssl_ecdh_client_params ssl_rsa_client_pms event ssl_ecdh_server_params%(c: connection, curve: count, point: string%); ## Generated if a server uses a DH-anon or DHE cipher suite. This event contains @@ -204,7 +219,9 @@ event ssl_ecdh_server_params%(c: connection, curve: count, point: string%); ## Ys: The server's DH public key. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello -## ssl_session_ticket_handshake ssl_server_curve ssl_dh_client_params +## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## Generated if a server uses a non-anonymous DHE or ECDHE cipher suite. This event @@ -218,7 +235,8 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## public key in the server's Certificate message is used for signing. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello -## ssl_session_ticket_handshake ssl_server_curve ssl_dh_client_params +## ssl_session_ticket_handshake ssl_server_curve ssl_rsa_client_pms +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params event ssl_server_signature%(c: connection, signed_params: string%); ## Generated if a client uses an ECDH-anon or ECDHE cipher suite. This event 
@@ -230,7 +248,8 @@ event ssl_server_signature%(c: connection, signed_params: string%); ## point: The client's ECDH public key. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello -## ssl_session_ticket_handshake ssl_server_curve ssl_dh_client_params +## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature +## ssl_dh_client_params ssl_ecdh_server_params ssl_rsa_client_pms event ssl_ecdh_client_params%(c: connection, point: string%); ## Generated if a client uses a DH-anon or DHE cipher suite. This event contains @@ -242,7 +261,8 @@ event ssl_ecdh_client_params%(c: connection, point: string%); ## Yc: The client's DH public key. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello -## ssl_session_ticket_handshake ssl_server_curve ssl_dh_server_params +## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature +## ssl_ecdh_server_params ssl_ecdh_client_params ssl_rsa_client_pms event ssl_dh_client_params%(c: connection, Yc: string%); ## Generate if a client uses an RSA key exchange. This event contains the client @@ -254,7 +274,8 @@ event ssl_dh_client_params%(c: connection, Yc: string%); ## pms: The encrypted pre-master secret. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello -## ssl_session_ticket_handshake ssl_server_curve ssl_dh_server_params +## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params event ssl_rsa_client_pms%(c: connection, pms: string%); ## Generated for an SSL/TLS Application-Layer Protocol Negotiation extension. diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 40f546a9f6..6555ccedc2 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac 
@@ -272,26 +272,26 @@ refine connection Handshake_Conn += { return true; %} - function proc_ecdhe_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16, point: bytestring, signed_params: bytestring) : bool + function proc_ecdhe_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16, point: bytestring, signed_params: bytestring) : bool %{ if ( curve_type == NAMED_CURVE ) BifEvent::generate_ssl_server_curve(bro_analyzer(), bro_analyzer()->Conn(), curve); - BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), curve, new StringVal(point.length(), (const char*)point.data())); - BifEvent::generate_ssl_server_signature(bro_analyzer(), - bro_analyzer()->Conn(), new StringVal(signed_params.length(), (const char*)signed_params.data())); + BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), curve, new StringVal(point.length(), (const char*)point.data())); + BifEvent::generate_ssl_server_signature(bro_analyzer(), + bro_analyzer()->Conn(), new StringVal(signed_params.length(), (const char*)signed_params.data())); return true; %} - function proc_ecdh_anon_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16, point: bytestring) : bool + function proc_ecdh_anon_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16, point: bytestring) : bool %{ if ( curve_type == NAMED_CURVE ) BifEvent::generate_ssl_server_curve(bro_analyzer(), bro_analyzer()->Conn(), curve); - BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), curve, new StringVal(point.length(), (const char*)point.data())); + BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), curve, new StringVal(point.length(), (const char*)point.data())); return true; %} 
@@ -313,7 +313,7 @@ refine connection Handshake_Conn += { BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data())); return true; %} - + function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool %{ RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); @@ -340,10 +340,10 @@ refine connection Handshake_Conn += { new StringVal(g.length(), (const char*) g.data()), new StringVal(Ys.length(), (const char*) Ys.data()) ); - BifEvent::generate_ssl_server_signature(bro_analyzer(), - bro_analyzer()->Conn(), - new StringVal(signed_params.length(), (const char*) signed_params.data()) - ); + BifEvent::generate_ssl_server_signature(bro_analyzer(), + bro_analyzer()->Conn(), + new StringVal(signed_params.length(), (const char*) signed_params.data()) + ); return true; %} From 65e65080a01d04f484592d232beb007c13c3802e Mon Sep 17 00:00:00 2001 From: Luke Valenta Date: Wed, 8 Nov 2017 11:33:39 -0500 Subject: [PATCH 238/631] now passing btest --- scripts/policy/protocols/ssl/ssl-verbose.bro | 30 ++------------------ scripts/test-all-policy.bro | 1 + 2 files changed, 4 insertions(+), 27 deletions(-) diff --git a/scripts/policy/protocols/ssl/ssl-verbose.bro b/scripts/policy/protocols/ssl/ssl-verbose.bro index 42370339d0..4e7b4a3c01 100644 --- a/scripts/policy/protocols/ssl/ssl-verbose.bro +++ b/scripts/policy/protocols/ssl/ssl-verbose.bro @@ -4,7 +4,7 @@ @load base/protocols/ssl @load base/files/x509 -@load base/utils/directions-and-hosts +@load ./extract-certs-pem.bro module SSL; 
@@ -36,40 +36,16 @@ export { ## Control if host certificates offered by the defined hosts ## will be written to the PEM certificates file. ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS. - const extract_certs_pem = ALL_HOSTS &redef; + redef extract_certs_pem = ALL_HOSTS; } -# This is an internally maintained variable to prevent relogging of -# certificates that have already been seen. It is indexed on an sha1 sum of -# the certificate. -global extracted_certs: set[string] = set() &read_expire=1hr &redef; - event ssl_established(c: connection) &priority=5 { if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) return; - if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) ) - return; - - local hash = c$ssl$cert_chain[0]$sha1; - local cert = c$ssl$cert_chain[0]$x509$handle; - - c$ssl$server_cert_sha1 = hash; - - if ( hash in extracted_certs ) - # If we already extracted this cert, don't do it again. - return; - - add extracted_certs[hash]; - local filename = Site::is_local_addr(c$id$resp_h) ? "certs-local.pem" : "certs-remote.pem"; - local outfile = open_for_append(filename); - enable_raw_output(outfile); - - print outfile, x509_get_certificate_string(cert, T); - - close(outfile); + c$ssl$server_cert_sha1 = c$ssl$cert_chain[0]$sha1; } event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5 diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index 7c828241d0..804ae14d22 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -101,6 +101,7 @@ @load protocols/ssl/validate-ocsp.bro @load protocols/ssl/validate-sct.bro @load protocols/ssl/weak-keys.bro +@load protocols/ssl/ssl-verbose.bro @load tuning/__load__.bro @load tuning/defaults/__load__.bro @load tuning/defaults/extracted_file_limits.bro From 3af440ffcf971b6b0c0ed1bc8d84dcea3a602060 Mon Sep 17 00:00:00 2001 
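Review bot: The added `redef extract_certs_pem = ALL_HOSTS;` makes loading ssl-verbose override an option that, judging by the new `@load ./extract-certs-pem.bro` in the first hunk, now belongs to that other script. Anyone who loads ssl-verbose for the extra log fields therefore also gets certificates from every responder written to the PEM files, and the test-all-policy.bro hunk pulls the override in there as well. The remaining `ssl_established` handler only copies the hash, so it looks as if neither the `@load` nor the redef is needed; leaving the option at the other script's default and letting the site config carry `redef SSL::extract_certs_pem = ALL_HOSTS;` keeps the disk-write decision with the operator. The handler also reads `c$ssl$cert_chain[0]$sha1` after checking only `?$x509`; if `sha1` can be unset at this point, adding `|| ! c$ssl$cert_chain[0]?$sha1` to the guard avoids a runtime error.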
From: Luke Valenta Date: Thu, 9 Nov 2017 11:48:24 -0500 Subject: [PATCH 239/631] add btest w/ baseline for ssl-verbose testing dhe, ecdhe, and rsa key exchange logging --- .../ssl-all.log | 32 +++++++++++++++++++ .../policy/protocols/ssl/ssl-verbose.test | 9 ++++++ 2 files changed, 41 insertions(+) create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.ssl-verbose/ssl-all.log create mode 100644 testing/btest/scripts/policy/protocols/ssl/ssl-verbose.test diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.ssl-verbose/ssl-all.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.ssl-verbose/ssl-all.log new file mode 100644 index 0000000000..b73201a6b5 --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.ssl-verbose/ssl-all.log 
@@ -0,0 +1,32 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-11-09-16-32-54 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string string string string +1398558136.319509 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 TLSv12 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - - F - - T F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7 (empty) emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - - 1f7f8ae4d8dd45f31ed2e158f5f9ee676b7cb2c92585d8a3e1c2da7e TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV 5c3660849d1ba4081e9c5863f11c64233c045d58380ea393bdca5322 bbbc2dcad84674907c43fcf580e9cfdbd958a3f568b42d4b08eed4eb0fb3504c6c030276e710800c5ccbbaa8922614c5beeca565a5fdf1d287a2bc049be6778060e91a92a757e3048f68b076f7d36cc8f29ba5df81dc2ca725ece66270cc9a5035d8ceceef9ea0274a63ab1e58fafd4988d0f65d146757da071df045cfe16b9b 02 af5e4cde6c7ac4ad3f62f9df82e6a378a1c80fccf26abcbd13120339707baae172c0381abde73c3d607c14706bb8ab4d09dd39c5961ea86114c37f6b803554925a3e4c64c54ed1ba171e52f97fa2df2ef7e52725c62635e4c3ab625a018bfa75b266446f24b8e0c13dcc258db35b52e8ed5add68ca54de905395304cf3e1eeac - 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 c3d48226a8f94d3bbb49918ac02187493258e74e - 
0080545ca1e5a9978e411a23f7ce3b50d2919cb7da2dfd4c97d1dd20db9535d6240b684751b08845d44b780750371c5f229903cf59216bcfbe255de370f9a801177fa0dd11061a0173cd7fe4d740e3a74cc594a8c2510d03039126388730c2c73ca0db5fdad2a2021e9ea025b86dc0ba87aea5629246a4cf0f98726fcda9c89d4483 - +#close 2017-11-09-16-32-54 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-11-09-16-32-54 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string string string string +1398529018.678827 CHhAvVGS1DHFjwGM9 192.168.18.50 56981 74.125.239.97 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - d170a048a025925479f1a573610851d30a1f3e7267836932797def95 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV 5cb1fbd2e5c1f3605984d826eca11a8562b3c36d1f70fa44ba2f723c - - - 04c177ab173fed188d8455b2bd0eeac7c1fc334b5d9d38e651b6a31cbda4a7b62a4a222493711e6aec7590d27292ba300d722841ca52795ca55b9b26d12730b807 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 e2fb0771ee6fc0d0e324bc863c02b57921257c86 - - 4104a92b630b25f4404c632dcf9cf454d1cf685a95f4d7c34e1bed244d1051c6bf9fda52edd0c840620b6ddf7941f9ee8a2684eec11a5a2131a0a3389d1e49122472 +#close 2017-11-09-16-32-54 +#separator \x09 +#set_separator , +#empty_field (empty) 
+#unset_field - +#path ssl +#open 2017-11-09-16-32-55 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string string string string +1170717505.549109 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FeCwNK3rzqPnZ7eBQ5,FfqS7r3rymnsSKq0m2 (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - e6b8efdf91cf44f7eae43c83398fdcb2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 2b658d5183bbaedbf35e8f126ff926b14979cd703d242aea996a5fda - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 008057aaeea52e6d030e54fa9328781fda6f8de80ed8531946bfa8adc4b51ca7502cbce62bae6949f6b865d7125e256643b5ede4dd4cf42107cfa73c418f10881edf38a75f968b507f08f9c1089ef26bfd322cf44c0b746b8e3dff731f2585dcf26abb048d55e661e1d2868ccc9c338e451c30431239f96a00e4843b6aa00ba51785 - - +1170717508.697180 ClEkJM2Vm5giqnMf4h 192.150.187.164 58869 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FjkLnG4s34DVZlaBNc,FpMjNF4snD7UDqI5sk (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - a8a2ab739a64abb4e68cfcfc3470ff6269b1a86858501fbbd1327ed8 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0fac7f7823587c68438c87876533af7b0baa2a8f1078eb8d182247e9 - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 0080891c1b6b5f0ec9da1b38d5ba6efe9c0380219d1ac4e63a0e8993306cddc6944a57c9292beb5652794181f747d0e868b84dca7dfe9783d1baa2ef3bb68d929b2818c5b58b8f47663220f9781fa469fea7e7d17d410d3979aa15a7be651c9f16fbf1a04f87a95e742c3fe20ca6faf0d2e950708533fd3346e17e410f0f86c01f52 - - +1170717511.722913 C4J4Th3PJpwUYZZ6gc 192.150.187.164 58870 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FQXAWgI2FB5STbrff,FUmSiM3TCtsyMGhcd (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - 240604be2f5644c8dfd2e51cc2b3a30171bd58853ed7c6e3fcd18846 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 fd1b8c1308a2caac010fcb76e9bd21987d897cb6c028cdb3176d5904 - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 008032a6f5fd530f342e4d5b4043765005ba018f488800f897c259b005ad2a544f5800e99812d9a6336e84b07e4595d1b8ae00a582d91804fe715c132d1bdb112e66361db80a57a441fc8ea784ea76ec44b9f3a0f9ddc29be68010ff3bcfffc285a294511991d7952cbbfee88a869818bae31f32f7099b0754d9ce75b8fea887e1b8 - - +#close 2017-11-09-16-32-55 diff --git a/testing/btest/scripts/policy/protocols/ssl/ssl-verbose.test b/testing/btest/scripts/policy/protocols/ssl/ssl-verbose.test new file mode 100644 index 0000000000..253f76c158 --- /dev/null +++ b/testing/btest/scripts/policy/protocols/ssl/ssl-verbose.test @@ -0,0 +1,9 @@ +# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT +# @TEST-EXEC: cat ssl.log > ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: btest-diff ssl-all.log + +@load protocols/ssl/ssl-verbose From bde4404b5ecefc8bfcd188216e2a6f409830cc7b Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Fri, 10 Nov 2017 21:33:17 +0100 Subject: [PATCH 240/631] Update submodules [nomail] --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- aux/btest | 2 +- cmake | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/aux/binpac b/aux/binpac
index 27356ae52f..e6d13e5dfc 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit 27356ae52ff9ff639b53a7325ea3262e1a13b704
+Subproject commit e6d13e5dfc9f727f7c59c0496b529bdb2a1d9b62
diff --git a/aux/bro-aux b/aux/bro-aux
index 02f710a436..53bf0578a4 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 02f710a436dfe285bae0d48d7f7bc498783e11a8
+Subproject commit 53bf0578a4ead2dcf6c488b610644451584d46e5
diff --git a/aux/broccoli b/aux/broccoli
index 25907f6b0a..498e699b32 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 25907f6b0a5347304d1ec8213bfad3d114260ca0
+Subproject commit 498e699b3273b5c05a4275247e679a31567e71c8
diff --git a/aux/broctl b/aux/broctl
index 5c1cb0d54d..a075a80639 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit 5c1cb0d54d7814a58f1c0cc03c5be99aac0daf23
+Subproject commit a075a80639b7d543b55cc31191965eb1364e3623
diff --git a/aux/broker b/aux/broker
index 862c982f35..761ef15d9b 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit 862c982f35e342fb10fa281120135cf61eca66bb
+Subproject commit 761ef15d9b72d189d29af7dd09c9e576d61fd78f
diff --git a/aux/btest b/aux/btest
index 154dd9f9b2..56a368491d 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 154dd9f9b2011341d2f76a3d3fee1c9a5ac4e393
+Subproject commit 56a368491d8ef3ef527061b353875099070148ad
diff --git a/cmake b/cmake
index 79f2b2e944..9bac595066 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 79f2b2e944da77774675be4d5254156451967371
+Subproject commit 9bac5950664ac7b50fb576a2f9422b819b505e21
From 91dcefe104d4dd5ffb59226d55fdbe4d6a9ad330 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 16 Nov 2017 12:04:11 -0800 Subject: [PATCH 241/631] Fix and extend behavior of HookLoadFile This commit fixes and extends the behavior of HookLoadFile. Before this change, HookLoadFile appended ".bro" to each path that was @loaded, even if the path specified directory names. Furthermore it only gave the path of the file as it was specified in the Bro script without revealing the final path of the file that it was going to load. This patch changes this behavior - in addition to giving the unmodified path given in the @load command, the hook now returns the resolved path of the file or directory it is going to load (if found). The hook is furthermore raised for @load-sigs and @load-plugin; an enum specifies the kind of load that is happening. --- src/plugin/Manager.cc | 20 +- src/plugin/Manager.h | 2 +- src/plugin/Plugin.cc | 2 +- src/plugin/Plugin.h | 20 +- src/scan.l | 32 +- testing/btest/Baseline/plugins.hooks/output | 1537 ++++++++++------- .../btest/plugins/hooks-plugin/src/Plugin.cc | 6 +- .../btest/plugins/hooks-plugin/src/Plugin.h | 2 +- 8 files changed, 978 insertions(+), 643 deletions(-) diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index a6c564d4f2..2f04354b76 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc 
@@ -569,32 +569,20 @@ void Manager::RequestBroObjDtor(BroObj* obj, Plugin* plugin) obj->NotifyPluginsOnDtor(); } -int Manager::HookLoadFile(const string& file) +int Manager::HookLoadFile(const Plugin::LoadType type, const string& file, const string& resolved) { HookArgumentList args; if ( HavePluginForHook(META_HOOK_PRE) ) { + args.push_back(HookArgument(type)); args.push_back(HookArgument(file)); + args.push_back(HookArgument(resolved)); MetaHookPre(HOOK_LOAD_FILE, args); } hook_list* l = hooks[HOOK_LOAD_FILE]; - size_t i = file.find_last_of("./"); - - string ext; - string normalized_file = file; - - if ( i != string::npos && file[i] == '.' ) - ext = file.substr(i + 1); - else - { - // Add .bro as default extension. - normalized_file = file + ".bro"; - ext = "bro"; - } - int rc = -1; if ( l ) @@ -602,7 +590,7 @@ int Manager::HookLoadFile(const string& file) { Plugin* p = (*i).second; - rc = p->HookLoadFile(normalized_file, ext); + rc = p->HookLoadFile(type, file, resolved); if ( rc >= 0 ) break; diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h index 9ece86bfed..7139121b97 100644 --- a/src/plugin/Manager.h +++ b/src/plugin/Manager.h @@ -237,7 +237,7 @@ public: * if a plugin took over the file but had trouble loading it; and -1 if * no plugin was interested in the file at all. */ - virtual int HookLoadFile(const string& file); + virtual int HookLoadFile(const Plugin::LoadType type, const string& file, const string& resolved); /** * Hook that filters calls to a script function/event/hook. diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index f54749f837..502dc0b9e7 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -345,7 +345,7 @@ void Plugin::RequestBroObjDtor(BroObj* obj) plugin_mgr->RequestBroObjDtor(obj, this); } -int Plugin::HookLoadFile(const std::string& file, const std::string& ext) +int Plugin::HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved) { return -1; } 
diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index c3f231bb93..9f5ccb592c 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -403,6 +403,13 @@ public: typedef std::list bif_item_list; typedef std::list > hook_list; + /** + * The different types of @loads supported by HookLoadFile. + */ + enum LoadType { + SCRIPT, SIGNATURES, PLUGIN + }; + /** * Constructor. */ @@ -611,10 +618,15 @@ protected: * script directives. The hook can take over the file, in which case * Bro will not further process it otherwise. * - * @param file The filename to be loaded, including extension. + * @param type The type of load encountered: script load, signatures load, + * or plugin load. * - * @param ext The extension of the filename. This is provided - * separately just for convenience. The dot is excluded. + * @param file The filename that was passed to @load. Only includes + * an extension if it was given in @load. + * + * @param resolved The file or directory name Bro resolved from + * the given path and is going to load. Empty string + * if Bro was not able to resolve a path. * * @return 1 if the plugin took over the file and loaded it * successfully; 0 if the plugin took over the file but had trouble @@ -622,7 +634,7 @@ protected: * have printed an error message); and -1 if the plugin wasn't * interested in the file at all. */ - virtual int HookLoadFile(const std::string& file, const std::string& ext); + virtual int HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved); /** * Hook into executing a script-level function/event/hook. Whenever diff --git a/src/scan.l b/src/scan.l index 215b5d7c30..29ff5fa923 100644 --- a/src/scan.l +++ b/src/scan.l 
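Review bot: Changing the parameter list of the virtual `HookLoadFile` in the last Plugin.h hunk silently disables overrides written against the old `(file, ext)` signature. Such a plugin still compiles against the new header, at most with a hidden-overload warning, but its method is never called, so a plugin that relied on this hook to intercept or veto script loads stops doing so without any error. None of the visible Plugin.h hunks marks the break; if the plugin API version (`BRO_PLUGIN_API_VERSION`, assuming it is still defined in this header) is bumped in the same commit, stale plugins are rejected at load time instead of running with a dead hook. Marking the in-tree overrides, such as the one in the btest hooks-plugin, with `override` would turn the same mismatch into a compile error for source builds.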
@@ -348,6 +348,19 @@ when return TOK_WHEN; @load-sigs{WS}{FILE} { const char* file = skip_whitespace(yytext + 10); string path = find_relative_file(file, "sig"); + int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(plugin::Plugin::SIGNATURES, file, path), -1); + if ( rc == 1 ) + return 0; // A plugin took care of it, just skip. + + if ( rc == 0 ) + { + if ( ! reporter->Errors() ) + reporter->Error("Plugin reported error loading signatures %s", file); + + exit(1); + } + + assert(rc == -1); // No plugin in charge of this file. if ( path.empty() ) reporter->Error("failed to find file associated with @load-sigs %s", @@ -358,6 +371,19 @@ when return TOK_WHEN; @load-plugin{WS}{ID} { const char* plugin = skip_whitespace(yytext + 12); + int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(plugin::Plugin::PLUGIN, plugin, ""), -1); + if ( rc == 1 ) + return 0; // A plugin took care of it, just skip. + + if ( rc == 0 ) + { + if ( ! reporter->Errors() ) + reporter->Error("Plugin reported error loading plugin %s", plugin); + + exit(1); + } + + assert(rc == -1); // No plugin in charge of this file. plugin_mgr->ActivateDynamicPlugin(plugin); } @@ -547,7 +573,8 @@ static bool already_scanned(const string& path) static int load_files(const char* orig_file) { - int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(orig_file), -1); + string file_path = find_relative_file(orig_file, "bro"); + int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(plugin::Plugin::SCRIPT, orig_file, file_path), -1); if ( rc == 1 ) return 0; // A plugin took care of it, just skip. @@ -568,7 +595,6 @@ static int load_files(const char* orig_file) // Whether we pushed on a FileInfo that will restore the // current module after the final file has been scanned. bool did_module_restore = false; - string file_path; FILE* f = 0; if ( streq(orig_file, "-") ) 
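Review bot: The `if ( rc == 1 ) return 0;` added to the `@load-sigs` rule, and again to the `@load-plugin` rule in the next hunk, sits inside a flex action, where `return 0` makes the scanner hand the end-of-input token to the parser. In `load_files` the same statement is an ordinary function return, but here a plugin that takes over a load would end parsing of whatever follows the directive. The fall-through case is also protected only by `assert(rc == -1)`, which disappears in builds with `NDEBUG`. I would drop the `return 0;` in both rules and run the built-in handling only when no plugin claimed the load: `if ( rc == -1 ) plugin_mgr->ActivateDynamicPlugin(plugin);` for `@load-plugin`, and the same `if ( rc == -1 )` guard around the `path.empty()` check in `@load-sigs`, whose body continues past the end of the hunk.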
@@ -585,8 +611,6 @@ static int load_files(const char* orig_file) else { - file_path = find_relative_file(orig_file, "bro"); - if ( file_path.empty() ) reporter->FatalError("can't find %s", orig_file); diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 9f231d821f..42b0b6ef26 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -256,7 +256,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> 
@@ -386,7 +386,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -422,307 +422,312 @@ 0.000000 MetaHookPost CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) -> 0.000000 MetaHookPost CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) -> 0.000000 MetaHookPost DrainEvents() -> -0.000000 MetaHookPost LoadFile(../main) -> -1 -0.000000 MetaHookPost LoadFile(../plugin) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_ARP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_AsciiReader.ascii.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_AsciiWriter.ascii.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_BackDoor.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_BenchmarkReader.benchmark.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_BinaryReader.binary.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_BitTorrent.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_ConnSize.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_ConnSize.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DCE_RPC.consts.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DCE_RPC.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DCE_RPC.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DHCP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DNP3.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DNS.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FTP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FTP.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_File.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FileEntropy.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FileExtract.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FileExtract.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FileHash.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Finger.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_GSSAPI.events.bif.bro) -> -1 -0.000000 MetaHookPost 
LoadFile(./Bro_GTPv1.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Gnutella.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_HTTP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_HTTP.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_ICMP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_IMAP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_IRC.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Ident.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_InterConn.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_KRB.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_KRB.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Login.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Login.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_MIME.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Modbus.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_MySQL.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NCP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NTLM.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NTLM.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NTP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NetBIOS.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NetBIOS.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NoneWriter.none.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_PE.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_POP3.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_RADIUS.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_RDP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_RDP.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_RFB.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_RPC.events.bif.bro) -> -1 -0.000000 MetaHookPost 
LoadFile(./Bro_RawReader.raw.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SIP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.consts.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_check_directory.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_close.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_create_directory.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_echo.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_logoff_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_negotiate.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_nt_cancel.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_nt_create_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_query_information.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_read_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_session_setup_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_transaction.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_transaction2.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_tree_connect_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_tree_disconnect.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_write_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_close.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_create.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_negotiate.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_read.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_session_setup.bif.bro) -> -1 -0.000000 MetaHookPost 
LoadFile(./Bro_SMB.smb2_com_set_info.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_tree_connect.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_tree_disconnect.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_write.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMTP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMTP.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SNMP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SNMP.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SOCKS.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SQLiteReader.sqlite.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SQLiteWriter.sqlite.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SSH.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SSH.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SSL.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SSL.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SSL.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SteppingStone.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Syslog.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_TCP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_TCP.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Teredo.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_UDP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Unified2.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Unified2.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_X509.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_X509.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_X509.ocsp_events.bif.bro) -> -1 -0.000000 MetaHookPost 
LoadFile(./Bro_X509.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_XMPP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./acld) -> -1 -0.000000 MetaHookPost LoadFile(./addrs) -> -1 -0.000000 MetaHookPost LoadFile(./analyzer.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./average) -> -1 -0.000000 MetaHookPost LoadFile(./bloom-filter.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./bro.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./broker) -> -1 -0.000000 MetaHookPost LoadFile(./broxygen.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./cardinality-counter.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./catch-and-release) -> -1 -0.000000 MetaHookPost LoadFile(./comm.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./const-dos-error) -> -1 -0.000000 MetaHookPost LoadFile(./const-nt-status) -> -1 -0.000000 MetaHookPost LoadFile(./const.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./consts) -> -1 -0.000000 MetaHookPost LoadFile(./consts.bro) -> -1 -0.000000 MetaHookPost LoadFile(./contents) -> -1 -0.000000 MetaHookPost LoadFile(./ct-list) -> -1 -0.000000 MetaHookPost LoadFile(./data.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./dcc-send) -> -1 -0.000000 MetaHookPost LoadFile(./debug) -> -1 -0.000000 MetaHookPost LoadFile(./drop) -> -1 -0.000000 MetaHookPost LoadFile(./entities) -> -1 -0.000000 MetaHookPost LoadFile(./event.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./exec) -> -1 -0.000000 MetaHookPost LoadFile(./file_analysis.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./files) -> -1 -0.000000 MetaHookPost LoadFile(./gridftp) -> -1 -0.000000 MetaHookPost LoadFile(./hll_unique) -> -1 -0.000000 MetaHookPost LoadFile(./hooks.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./inactivity) -> -1 -0.000000 MetaHookPost LoadFile(./info) -> -1 -0.000000 MetaHookPost LoadFile(./init.bro) -> -1 -0.000000 MetaHookPost LoadFile(./input) -> -1 -0.000000 MetaHookPost LoadFile(./input.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./last) -> -1 -0.000000 
MetaHookPost LoadFile(./log) -> -1 -0.000000 MetaHookPost LoadFile(./logging.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./magic) -> -1 -0.000000 MetaHookPost LoadFile(./main) -> -1 -0.000000 MetaHookPost LoadFile(./main.bro) -> -1 -0.000000 MetaHookPost LoadFile(./max) -> -1 -0.000000 MetaHookPost LoadFile(./messaging.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./min) -> -1 -0.000000 MetaHookPost LoadFile(./mozilla-ca-list) -> -1 -0.000000 MetaHookPost LoadFile(./netstats) -> -1 -0.000000 MetaHookPost LoadFile(./non-cluster) -> -1 -0.000000 MetaHookPost LoadFile(./openflow) -> -1 -0.000000 MetaHookPost LoadFile(./packetfilter) -> -1 -0.000000 MetaHookPost LoadFile(./patterns) -> -1 -0.000000 MetaHookPost LoadFile(./pcap.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./plugin) -> -1 -0.000000 MetaHookPost LoadFile(./plugins) -> -1 -0.000000 MetaHookPost LoadFile(./polling) -> -1 -0.000000 MetaHookPost LoadFile(./postprocessors) -> -1 -0.000000 MetaHookPost LoadFile(./reporter.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./ryu) -> -1 -0.000000 MetaHookPost LoadFile(./sample) -> -1 -0.000000 MetaHookPost LoadFile(./scp) -> -1 -0.000000 MetaHookPost LoadFile(./sftp) -> -1 -0.000000 MetaHookPost LoadFile(./shunt) -> -1 -0.000000 MetaHookPost LoadFile(./site) -> -1 -0.000000 MetaHookPost LoadFile(./stats.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./std-dev) -> -1 -0.000000 MetaHookPost LoadFile(./store) -> -1 -0.000000 MetaHookPost LoadFile(./store.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./strings.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./sum) -> -1 -0.000000 MetaHookPost LoadFile(./thresholds) -> -1 -0.000000 MetaHookPost LoadFile(./top-k.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./topk) -> -1 -0.000000 MetaHookPost LoadFile(./types) -> -1 -0.000000 MetaHookPost LoadFile(./types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./types.bro) -> -1 -0.000000 MetaHookPost LoadFile(./unique) -> -1 -0.000000 MetaHookPost LoadFile(./utils) -> -1 
-0.000000 MetaHookPost LoadFile(./utils-commands) -> -1 -0.000000 MetaHookPost LoadFile(./utils.bro) -> -1 -0.000000 MetaHookPost LoadFile(./variance) -> -1 -0.000000 MetaHookPost LoadFile(./weird) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/add-geodata) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/ascii) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/benchmark) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/binary) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/drop) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/email_admin) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/hostnames) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/none) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/page) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/pp-alarms) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/raw) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/sqlite) -> -1 -0.000000 MetaHookPost LoadFile(<...>/__load__.bro) -> -1 -0.000000 MetaHookPost LoadFile(<...>/__preload__.bro) -> -1 -0.000000 MetaHookPost LoadFile(<...>/hooks.bro) -> -1 -0.000000 MetaHookPost LoadFile(base/bif) -> -1 -0.000000 MetaHookPost LoadFile(base/init-default.bro) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/Bro_KRB.types.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/Bro_SNMP.types.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/active-http) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/addrs) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/analyzer) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/analyzer.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/bro.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/broker) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/cluster) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/comm.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/communication) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/conn) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/conn-ids) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/const.bif.bro) -> -1 -0.000000 MetaHookPost 
LoadFile(base<...>/control) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/data.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dce-rpc) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dhcp) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dir) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/directions-and-hosts) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dnp3) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dns) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dpd) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/email) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/event.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/exec) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/extract) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/file_analysis.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/files) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/find-checksum-offloading) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/find-filtered-trace) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/ftp) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/geoip-distance) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/hash) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/http) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/imap) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/input) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/input.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/intel) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/irc) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/json) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/krb) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/logging) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/logging.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/main) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/messaging.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/modbus) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/mysql) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/netcontrol) -> -1 -0.000000 
MetaHookPost LoadFile(base<...>/notice) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/ntlm) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/numbers) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/openflow) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/packet-filter) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/paths) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/patterns) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/pe) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/plugins) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/pop3) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/queue) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/radius) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/rdp) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/reporter) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/reporter.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/rfb) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/signatures) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/sip) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/site) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/smb) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/smtp) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/snmp) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/socks) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/software) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/ssh) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/ssl) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/store.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/strings) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/strings.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/sumstats) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/syslog) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/thresholds) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/time) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/tunnels) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/types.bif) -> -1 -0.000000 MetaHookPost 
LoadFile(base<...>/unified2) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/urls) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/utils) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/version) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/weird) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/x509) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/xmpp) -> -1 +0.000000 MetaHookPost LoadFile(0, ..<...>/main.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, ..<...>/plugin.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ARP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_AsciiReader.ascii.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_AsciiWriter.ascii.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BackDoor.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BenchmarkReader.benchmark.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BinaryReader.binary.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BitTorrent.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConnSize.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConnSize.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.consts.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DHCP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DNP3.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DNS.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FTP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FTP.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_File.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileEntropy.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, 
.<...>/Bro_FileExtract.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileExtract.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileHash.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Finger.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_GSSAPI.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_GTPv1.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Gnutella.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_HTTP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_HTTP.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ICMP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_IMAP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_IRC.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Ident.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_InterConn.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_KRB.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_KRB.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Login.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Login.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_MIME.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Modbus.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_MySQL.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NCP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTLM.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTLM.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NetBIOS.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NetBIOS.functions.bif.bro) -> -1 +0.000000 
MetaHookPost LoadFile(0, .<...>/Bro_NoneWriter.none.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_PE.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_POP3.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RADIUS.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RDP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RDP.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RFB.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RPC.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RawReader.raw.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SIP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.consts.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_check_directory.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_close.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_create_directory.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_echo.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_logoff_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_negotiate.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_cancel.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_query_information.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_read_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.bro) -> -1 +0.000000 
MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_close.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_create.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_negotiate.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMTP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMTP.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SNMP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SNMP.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SOCKS.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SQLiteReader.sqlite.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SQLiteWriter.sqlite.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSH.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSH.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.events.bif.bro) -> -1 +0.000000 
MetaHookPost LoadFile(0, .<...>/Bro_SSL.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SteppingStone.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Syslog.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_TCP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_TCP.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Teredo.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_UDP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_XMPP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/acld.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/add-geodata.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/addrs.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/analyzer.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/ascii.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/average.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/benchmark.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/binary.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/bloom-filter.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/bro.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/broker.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/broxygen.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/cardinality-counter.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, 
.<...>/catch-and-release.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/comm.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/const-dos-error.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/const-nt-status.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/const.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/consts.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/contents.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/ct-list.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/data.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/dcc-send.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/debug.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/drop.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/email_admin.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/entities.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/event.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/exec.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/file_analysis.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/files.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/gridftp.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/hll_unique.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/hooks.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/hostnames.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/inactivity.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/info.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/init.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/input.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/input.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/last.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/log.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/logging.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/magic) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/main.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/max.bro) 
-> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/messaging.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/min.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/mozilla-ca-list.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/netstats.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/non-cluster.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/none.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/openflow.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/packetfilter.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/page.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/patterns.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/pcap.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/plugin.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/plugins) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/polling.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/postprocessors) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/pp-alarms.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/raw.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/reporter.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/ryu.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/sample.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/scp.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/sftp.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/shunt.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/site.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/sqlite.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/stats.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/std-dev.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/store.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/store.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/strings.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/sum.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/thresholds.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, 
.<...>/top-k.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/topk.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/types.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/unique.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/utils-commands.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/utils.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/variance.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/weird.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, <...>/__load__.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, <...>/__preload__.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, <...>/hooks.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/Bro_KRB.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/Bro_SNMP.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/active-http.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/addrs.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/analyzer) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/analyzer.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/bif) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/bro.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/broker) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/cluster) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/comm.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/communication) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/conn) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/conn-ids.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/const.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/control) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/data.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dce-rpc) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dhcp) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dir.bro) -> -1 +0.000000 MetaHookPost 
LoadFile(0, base<...>/directions-and-hosts.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dnp3) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dns) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dpd) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/email.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/event.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/exec.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/extract) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/file_analysis.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/files) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/files.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/find-checksum-offloading.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/find-filtered-trace.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ftp) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/geoip-distance.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/hash) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/http) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/imap) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/init-default.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/input) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/input.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/intel) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/irc) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/json.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/krb) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/logging) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/logging.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/main.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/messaging.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/modbus) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/mysql) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/netcontrol) -> -1 +0.000000 
MetaHookPost LoadFile(0, base<...>/notice) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ntlm) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/numbers.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/openflow) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/packet-filter) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/paths.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/patterns.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/pe) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/plugins) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/pop3) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/queue.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/radius) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/rdp) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/reporter) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/reporter.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/rfb) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/signatures) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/sip) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/site.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/smb) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/smtp) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/snmp) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/socks) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/software) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ssh) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ssl) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/store.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/strings.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/strings.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/sumstats) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/syslog) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/thresholds.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/time.bro) -> -1 +0.000000 
MetaHookPost LoadFile(0, base<...>/tunnels) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/unified2) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/urls.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/utils.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/version.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/weird.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/x509) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/xmpp) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/archive.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/audio.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/dpd.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/font.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/general.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/image.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/libmagic.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/msoffice.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/video.sig) -> -1 0.000000 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) -> 0.000000 MetaHookPost LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) -> true 0.000000 MetaHookPost QueueEvent(NetControl::init()) -> false 
@@ -986,7 +991,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) @@ -1116,7 +1121,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1152,307 +1157,312 @@ 0.000000 MetaHookPre CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) 0.000000 MetaHookPre CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) 0.000000 MetaHookPre DrainEvents() -0.000000 MetaHookPre LoadFile(../main) -0.000000 MetaHookPre LoadFile(../plugin) -0.000000 MetaHookPre LoadFile(./Bro_ARP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_AsciiReader.ascii.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_AsciiWriter.ascii.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_BackDoor.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_BenchmarkReader.benchmark.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_BinaryReader.binary.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_BitTorrent.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_ConnSize.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_ConnSize.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DCE_RPC.consts.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DCE_RPC.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DCE_RPC.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DHCP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DNP3.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DNS.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FTP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FTP.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_File.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FileEntropy.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FileExtract.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FileExtract.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FileHash.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Finger.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_GSSAPI.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_GTPv1.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Gnutella.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_HTTP.events.bif.bro) -0.000000 MetaHookPre 
LoadFile(./Bro_HTTP.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_ICMP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_IMAP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_IRC.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Ident.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_InterConn.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_KRB.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_KRB.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Login.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Login.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_MIME.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Modbus.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_MySQL.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NCP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NTLM.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NTLM.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NTP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NetBIOS.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NetBIOS.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NoneWriter.none.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_PE.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_POP3.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RADIUS.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RDP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RDP.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RFB.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RPC.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RawReader.raw.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SIP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.consts.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_check_directory.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_close.bif.bro) -0.000000 MetaHookPre 
LoadFile(./Bro_SMB.smb1_com_create_directory.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_echo.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_logoff_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_negotiate.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_nt_cancel.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_nt_create_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_query_information.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_read_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_session_setup_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_transaction.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_transaction2.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_tree_connect_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_tree_disconnect.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_write_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_close.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_create.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_negotiate.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_read.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_session_setup.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_set_info.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_tree_connect.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_tree_disconnect.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_write.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMTP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMTP.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SNMP.events.bif.bro) -0.000000 MetaHookPre 
LoadFile(./Bro_SNMP.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SOCKS.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SQLiteReader.sqlite.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SQLiteWriter.sqlite.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SSH.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SSH.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SSL.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SSL.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SSL.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SteppingStone.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Syslog.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_TCP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_TCP.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Teredo.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_UDP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Unified2.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Unified2.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_X509.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_X509.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_X509.ocsp_events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_X509.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_XMPP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./acld) -0.000000 MetaHookPre LoadFile(./addrs) -0.000000 MetaHookPre LoadFile(./analyzer.bif.bro) -0.000000 MetaHookPre LoadFile(./average) -0.000000 MetaHookPre LoadFile(./bloom-filter.bif.bro) -0.000000 MetaHookPre LoadFile(./bro.bif.bro) -0.000000 MetaHookPre LoadFile(./broker) -0.000000 MetaHookPre LoadFile(./broxygen.bif.bro) -0.000000 MetaHookPre LoadFile(./cardinality-counter.bif.bro) -0.000000 MetaHookPre LoadFile(./catch-and-release) -0.000000 MetaHookPre LoadFile(./comm.bif.bro) -0.000000 MetaHookPre LoadFile(./const-dos-error) -0.000000 MetaHookPre LoadFile(./const-nt-status) -0.000000 MetaHookPre LoadFile(./const.bif.bro) -0.000000 MetaHookPre 
LoadFile(./consts) -0.000000 MetaHookPre LoadFile(./consts.bro) -0.000000 MetaHookPre LoadFile(./contents) -0.000000 MetaHookPre LoadFile(./ct-list) -0.000000 MetaHookPre LoadFile(./data.bif.bro) -0.000000 MetaHookPre LoadFile(./dcc-send) -0.000000 MetaHookPre LoadFile(./debug) -0.000000 MetaHookPre LoadFile(./drop) -0.000000 MetaHookPre LoadFile(./entities) -0.000000 MetaHookPre LoadFile(./event.bif.bro) -0.000000 MetaHookPre LoadFile(./exec) -0.000000 MetaHookPre LoadFile(./file_analysis.bif.bro) -0.000000 MetaHookPre LoadFile(./files) -0.000000 MetaHookPre LoadFile(./gridftp) -0.000000 MetaHookPre LoadFile(./hll_unique) -0.000000 MetaHookPre LoadFile(./hooks.bif.bro) -0.000000 MetaHookPre LoadFile(./inactivity) -0.000000 MetaHookPre LoadFile(./info) -0.000000 MetaHookPre LoadFile(./init.bro) -0.000000 MetaHookPre LoadFile(./input) -0.000000 MetaHookPre LoadFile(./input.bif.bro) -0.000000 MetaHookPre LoadFile(./last) -0.000000 MetaHookPre LoadFile(./log) -0.000000 MetaHookPre LoadFile(./logging.bif.bro) -0.000000 MetaHookPre LoadFile(./magic) -0.000000 MetaHookPre LoadFile(./main) -0.000000 MetaHookPre LoadFile(./main.bro) -0.000000 MetaHookPre LoadFile(./max) -0.000000 MetaHookPre LoadFile(./messaging.bif.bro) -0.000000 MetaHookPre LoadFile(./min) -0.000000 MetaHookPre LoadFile(./mozilla-ca-list) -0.000000 MetaHookPre LoadFile(./netstats) -0.000000 MetaHookPre LoadFile(./non-cluster) -0.000000 MetaHookPre LoadFile(./openflow) -0.000000 MetaHookPre LoadFile(./packetfilter) -0.000000 MetaHookPre LoadFile(./patterns) -0.000000 MetaHookPre LoadFile(./pcap.bif.bro) -0.000000 MetaHookPre LoadFile(./plugin) -0.000000 MetaHookPre LoadFile(./plugins) -0.000000 MetaHookPre LoadFile(./polling) -0.000000 MetaHookPre LoadFile(./postprocessors) -0.000000 MetaHookPre LoadFile(./reporter.bif.bro) -0.000000 MetaHookPre LoadFile(./ryu) -0.000000 MetaHookPre LoadFile(./sample) -0.000000 MetaHookPre LoadFile(./scp) -0.000000 MetaHookPre LoadFile(./sftp) -0.000000 MetaHookPre 
LoadFile(./shunt) -0.000000 MetaHookPre LoadFile(./site) -0.000000 MetaHookPre LoadFile(./stats.bif.bro) -0.000000 MetaHookPre LoadFile(./std-dev) -0.000000 MetaHookPre LoadFile(./store) -0.000000 MetaHookPre LoadFile(./store.bif.bro) -0.000000 MetaHookPre LoadFile(./strings.bif.bro) -0.000000 MetaHookPre LoadFile(./sum) -0.000000 MetaHookPre LoadFile(./thresholds) -0.000000 MetaHookPre LoadFile(./top-k.bif.bro) -0.000000 MetaHookPre LoadFile(./topk) -0.000000 MetaHookPre LoadFile(./types) -0.000000 MetaHookPre LoadFile(./types.bif.bro) -0.000000 MetaHookPre LoadFile(./types.bro) -0.000000 MetaHookPre LoadFile(./unique) -0.000000 MetaHookPre LoadFile(./utils) -0.000000 MetaHookPre LoadFile(./utils-commands) -0.000000 MetaHookPre LoadFile(./utils.bro) -0.000000 MetaHookPre LoadFile(./variance) -0.000000 MetaHookPre LoadFile(./weird) -0.000000 MetaHookPre LoadFile(.<...>/add-geodata) -0.000000 MetaHookPre LoadFile(.<...>/ascii) -0.000000 MetaHookPre LoadFile(.<...>/benchmark) -0.000000 MetaHookPre LoadFile(.<...>/binary) -0.000000 MetaHookPre LoadFile(.<...>/drop) -0.000000 MetaHookPre LoadFile(.<...>/email_admin) -0.000000 MetaHookPre LoadFile(.<...>/hostnames) -0.000000 MetaHookPre LoadFile(.<...>/none) -0.000000 MetaHookPre LoadFile(.<...>/page) -0.000000 MetaHookPre LoadFile(.<...>/pp-alarms) -0.000000 MetaHookPre LoadFile(.<...>/raw) -0.000000 MetaHookPre LoadFile(.<...>/sqlite) -0.000000 MetaHookPre LoadFile(<...>/__load__.bro) -0.000000 MetaHookPre LoadFile(<...>/__preload__.bro) -0.000000 MetaHookPre LoadFile(<...>/hooks.bro) -0.000000 MetaHookPre LoadFile(base/bif) -0.000000 MetaHookPre LoadFile(base/init-default.bro) -0.000000 MetaHookPre LoadFile(base<...>/Bro_KRB.types.bif) -0.000000 MetaHookPre LoadFile(base<...>/Bro_SNMP.types.bif) -0.000000 MetaHookPre LoadFile(base<...>/active-http) -0.000000 MetaHookPre LoadFile(base<...>/addrs) -0.000000 MetaHookPre LoadFile(base<...>/analyzer) -0.000000 MetaHookPre LoadFile(base<...>/analyzer.bif) -0.000000 
MetaHookPre LoadFile(base<...>/bro.bif) -0.000000 MetaHookPre LoadFile(base<...>/broker) -0.000000 MetaHookPre LoadFile(base<...>/cluster) -0.000000 MetaHookPre LoadFile(base<...>/comm.bif) -0.000000 MetaHookPre LoadFile(base<...>/communication) -0.000000 MetaHookPre LoadFile(base<...>/conn) -0.000000 MetaHookPre LoadFile(base<...>/conn-ids) -0.000000 MetaHookPre LoadFile(base<...>/const.bif.bro) -0.000000 MetaHookPre LoadFile(base<...>/control) -0.000000 MetaHookPre LoadFile(base<...>/data.bif) -0.000000 MetaHookPre LoadFile(base<...>/dce-rpc) -0.000000 MetaHookPre LoadFile(base<...>/dhcp) -0.000000 MetaHookPre LoadFile(base<...>/dir) -0.000000 MetaHookPre LoadFile(base<...>/directions-and-hosts) -0.000000 MetaHookPre LoadFile(base<...>/dnp3) -0.000000 MetaHookPre LoadFile(base<...>/dns) -0.000000 MetaHookPre LoadFile(base<...>/dpd) -0.000000 MetaHookPre LoadFile(base<...>/email) -0.000000 MetaHookPre LoadFile(base<...>/event.bif) -0.000000 MetaHookPre LoadFile(base<...>/exec) -0.000000 MetaHookPre LoadFile(base<...>/extract) -0.000000 MetaHookPre LoadFile(base<...>/file_analysis.bif) -0.000000 MetaHookPre LoadFile(base<...>/files) -0.000000 MetaHookPre LoadFile(base<...>/find-checksum-offloading) -0.000000 MetaHookPre LoadFile(base<...>/find-filtered-trace) -0.000000 MetaHookPre LoadFile(base<...>/ftp) -0.000000 MetaHookPre LoadFile(base<...>/geoip-distance) -0.000000 MetaHookPre LoadFile(base<...>/hash) -0.000000 MetaHookPre LoadFile(base<...>/http) -0.000000 MetaHookPre LoadFile(base<...>/imap) -0.000000 MetaHookPre LoadFile(base<...>/input) -0.000000 MetaHookPre LoadFile(base<...>/input.bif) -0.000000 MetaHookPre LoadFile(base<...>/intel) -0.000000 MetaHookPre LoadFile(base<...>/irc) -0.000000 MetaHookPre LoadFile(base<...>/json) -0.000000 MetaHookPre LoadFile(base<...>/krb) -0.000000 MetaHookPre LoadFile(base<...>/logging) -0.000000 MetaHookPre LoadFile(base<...>/logging.bif) -0.000000 MetaHookPre LoadFile(base<...>/main) -0.000000 MetaHookPre 
LoadFile(base<...>/messaging.bif) -0.000000 MetaHookPre LoadFile(base<...>/modbus) -0.000000 MetaHookPre LoadFile(base<...>/mysql) -0.000000 MetaHookPre LoadFile(base<...>/netcontrol) -0.000000 MetaHookPre LoadFile(base<...>/notice) -0.000000 MetaHookPre LoadFile(base<...>/ntlm) -0.000000 MetaHookPre LoadFile(base<...>/numbers) -0.000000 MetaHookPre LoadFile(base<...>/openflow) -0.000000 MetaHookPre LoadFile(base<...>/packet-filter) -0.000000 MetaHookPre LoadFile(base<...>/paths) -0.000000 MetaHookPre LoadFile(base<...>/patterns) -0.000000 MetaHookPre LoadFile(base<...>/pe) -0.000000 MetaHookPre LoadFile(base<...>/plugins) -0.000000 MetaHookPre LoadFile(base<...>/pop3) -0.000000 MetaHookPre LoadFile(base<...>/queue) -0.000000 MetaHookPre LoadFile(base<...>/radius) -0.000000 MetaHookPre LoadFile(base<...>/rdp) -0.000000 MetaHookPre LoadFile(base<...>/reporter) -0.000000 MetaHookPre LoadFile(base<...>/reporter.bif) -0.000000 MetaHookPre LoadFile(base<...>/rfb) -0.000000 MetaHookPre LoadFile(base<...>/signatures) -0.000000 MetaHookPre LoadFile(base<...>/sip) -0.000000 MetaHookPre LoadFile(base<...>/site) -0.000000 MetaHookPre LoadFile(base<...>/smb) -0.000000 MetaHookPre LoadFile(base<...>/smtp) -0.000000 MetaHookPre LoadFile(base<...>/snmp) -0.000000 MetaHookPre LoadFile(base<...>/socks) -0.000000 MetaHookPre LoadFile(base<...>/software) -0.000000 MetaHookPre LoadFile(base<...>/ssh) -0.000000 MetaHookPre LoadFile(base<...>/ssl) -0.000000 MetaHookPre LoadFile(base<...>/store.bif) -0.000000 MetaHookPre LoadFile(base<...>/strings) -0.000000 MetaHookPre LoadFile(base<...>/strings.bif) -0.000000 MetaHookPre LoadFile(base<...>/sumstats) -0.000000 MetaHookPre LoadFile(base<...>/syslog) -0.000000 MetaHookPre LoadFile(base<...>/thresholds) -0.000000 MetaHookPre LoadFile(base<...>/time) -0.000000 MetaHookPre LoadFile(base<...>/tunnels) -0.000000 MetaHookPre LoadFile(base<...>/types.bif) -0.000000 MetaHookPre LoadFile(base<...>/unified2) -0.000000 MetaHookPre 
LoadFile(base<...>/urls) -0.000000 MetaHookPre LoadFile(base<...>/utils) -0.000000 MetaHookPre LoadFile(base<...>/version) -0.000000 MetaHookPre LoadFile(base<...>/weird) -0.000000 MetaHookPre LoadFile(base<...>/x509) -0.000000 MetaHookPre LoadFile(base<...>/xmpp) +0.000000 MetaHookPre LoadFile(0, ..<...>/main.bro) +0.000000 MetaHookPre LoadFile(0, ..<...>/plugin.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ARP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_AsciiReader.ascii.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_AsciiWriter.ascii.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BackDoor.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BenchmarkReader.benchmark.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BinaryReader.binary.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BitTorrent.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConnSize.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConnSize.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.consts.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DHCP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DNP3.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DNS.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FTP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FTP.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_File.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileEntropy.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileExtract.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileExtract.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileHash.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Finger.events.bif.bro) +0.000000 
MetaHookPre LoadFile(0, .<...>/Bro_GSSAPI.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_GTPv1.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Gnutella.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_HTTP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_HTTP.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ICMP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_IMAP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_IRC.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Ident.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_InterConn.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_KRB.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_KRB.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Login.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Login.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_MIME.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Modbus.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_MySQL.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NCP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTLM.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTLM.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NetBIOS.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NetBIOS.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NoneWriter.none.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_PE.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_POP3.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RADIUS.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RDP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RDP.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RFB.events.bif.bro) 
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RPC.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RawReader.raw.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SIP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.consts.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_check_directory.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_close.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_create_directory.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_echo.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_logoff_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_negotiate.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_cancel.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_query_information.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_read_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_close.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_create.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_negotiate.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro) +0.000000 MetaHookPre 
LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMTP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMTP.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SNMP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SNMP.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SOCKS.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SQLiteReader.sqlite.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SQLiteWriter.sqlite.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSH.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSH.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SteppingStone.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Syslog.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_TCP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_TCP.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Teredo.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_UDP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.functions.bif.bro) 
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_XMPP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/acld.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/add-geodata.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/addrs.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/analyzer.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/ascii.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/average.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/benchmark.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/binary.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/bloom-filter.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/bro.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/broker.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/broxygen.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/cardinality-counter.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/catch-and-release.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/comm.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/const-dos-error.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/const-nt-status.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/const.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/consts.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/contents.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/ct-list.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/data.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/dcc-send.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/debug.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/drop.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/email_admin.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/entities.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/event.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/exec.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/file_analysis.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/files.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/gridftp.bro) 
+0.000000 MetaHookPre LoadFile(0, .<...>/hll_unique.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/hooks.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/hostnames.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/inactivity.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/info.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/init.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/input.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/input.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/last.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/log.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/logging.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/magic) +0.000000 MetaHookPre LoadFile(0, .<...>/main.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/max.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/messaging.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/min.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/mozilla-ca-list.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/netstats.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/non-cluster.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/none.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/openflow.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/packetfilter.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/page.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/patterns.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/pcap.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/plugin.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/plugins) +0.000000 MetaHookPre LoadFile(0, .<...>/polling.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/postprocessors) +0.000000 MetaHookPre LoadFile(0, .<...>/pp-alarms.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/raw.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/reporter.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/ryu.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/sample.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/scp.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/sftp.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/shunt.bro) +0.000000 
MetaHookPre LoadFile(0, .<...>/site.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/sqlite.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/stats.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/std-dev.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/store.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/store.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/strings.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/sum.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/thresholds.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/top-k.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/topk.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/types.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/unique.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/utils-commands.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/utils.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/variance.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/weird.bro) +0.000000 MetaHookPre LoadFile(0, <...>/__load__.bro) +0.000000 MetaHookPre LoadFile(0, <...>/__preload__.bro) +0.000000 MetaHookPre LoadFile(0, <...>/hooks.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/Bro_KRB.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/Bro_SNMP.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/active-http.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/addrs.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/analyzer) +0.000000 MetaHookPre LoadFile(0, base<...>/analyzer.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/bif) +0.000000 MetaHookPre LoadFile(0, base<...>/bro.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/broker) +0.000000 MetaHookPre LoadFile(0, base<...>/cluster) +0.000000 MetaHookPre LoadFile(0, base<...>/comm.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/communication) +0.000000 MetaHookPre LoadFile(0, base<...>/conn) +0.000000 MetaHookPre LoadFile(0, base<...>/conn-ids.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/const.bif.bro) +0.000000 
MetaHookPre LoadFile(0, base<...>/control) +0.000000 MetaHookPre LoadFile(0, base<...>/data.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/dce-rpc) +0.000000 MetaHookPre LoadFile(0, base<...>/dhcp) +0.000000 MetaHookPre LoadFile(0, base<...>/dir.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/directions-and-hosts.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/dnp3) +0.000000 MetaHookPre LoadFile(0, base<...>/dns) +0.000000 MetaHookPre LoadFile(0, base<...>/dpd) +0.000000 MetaHookPre LoadFile(0, base<...>/email.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/event.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/exec.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/extract) +0.000000 MetaHookPre LoadFile(0, base<...>/file_analysis.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/files) +0.000000 MetaHookPre LoadFile(0, base<...>/files.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/find-checksum-offloading.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/find-filtered-trace.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/ftp) +0.000000 MetaHookPre LoadFile(0, base<...>/geoip-distance.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/hash) +0.000000 MetaHookPre LoadFile(0, base<...>/http) +0.000000 MetaHookPre LoadFile(0, base<...>/imap) +0.000000 MetaHookPre LoadFile(0, base<...>/init-default.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/input) +0.000000 MetaHookPre LoadFile(0, base<...>/input.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/intel) +0.000000 MetaHookPre LoadFile(0, base<...>/irc) +0.000000 MetaHookPre LoadFile(0, base<...>/json.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/krb) +0.000000 MetaHookPre LoadFile(0, base<...>/logging) +0.000000 MetaHookPre LoadFile(0, base<...>/logging.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/main.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/messaging.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/modbus) +0.000000 MetaHookPre LoadFile(0, base<...>/mysql) +0.000000 
MetaHookPre LoadFile(0, base<...>/netcontrol) +0.000000 MetaHookPre LoadFile(0, base<...>/notice) +0.000000 MetaHookPre LoadFile(0, base<...>/ntlm) +0.000000 MetaHookPre LoadFile(0, base<...>/numbers.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/openflow) +0.000000 MetaHookPre LoadFile(0, base<...>/packet-filter) +0.000000 MetaHookPre LoadFile(0, base<...>/paths.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/patterns.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/pe) +0.000000 MetaHookPre LoadFile(0, base<...>/plugins) +0.000000 MetaHookPre LoadFile(0, base<...>/pop3) +0.000000 MetaHookPre LoadFile(0, base<...>/queue.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/radius) +0.000000 MetaHookPre LoadFile(0, base<...>/rdp) +0.000000 MetaHookPre LoadFile(0, base<...>/reporter) +0.000000 MetaHookPre LoadFile(0, base<...>/reporter.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/rfb) +0.000000 MetaHookPre LoadFile(0, base<...>/signatures) +0.000000 MetaHookPre LoadFile(0, base<...>/sip) +0.000000 MetaHookPre LoadFile(0, base<...>/site.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/smb) +0.000000 MetaHookPre LoadFile(0, base<...>/smtp) +0.000000 MetaHookPre LoadFile(0, base<...>/snmp) +0.000000 MetaHookPre LoadFile(0, base<...>/socks) +0.000000 MetaHookPre LoadFile(0, base<...>/software) +0.000000 MetaHookPre LoadFile(0, base<...>/ssh) +0.000000 MetaHookPre LoadFile(0, base<...>/ssl) +0.000000 MetaHookPre LoadFile(0, base<...>/store.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/strings.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/strings.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/sumstats) +0.000000 MetaHookPre LoadFile(0, base<...>/syslog) +0.000000 MetaHookPre LoadFile(0, base<...>/thresholds.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/time.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/tunnels) +0.000000 MetaHookPre LoadFile(0, base<...>/types.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/unified2) +0.000000 MetaHookPre 
LoadFile(0, base<...>/urls.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/utils.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/version.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/weird.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/x509) +0.000000 MetaHookPre LoadFile(0, base<...>/xmpp) +0.000000 MetaHookPre LoadFile(1, .<...>/archive.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/audio.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/dpd.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/font.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/general.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/image.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/libmagic.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/msoffice.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/video.sig) 0.000000 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) 0.000000 MetaHookPre LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) 0.000000 MetaHookPre QueueEvent(NetControl::init()) @@ -1715,7 +1725,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 
@@ -1845,7 +1855,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1498500921.18004, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() 
@@ -1881,13 +1891,314 @@ 0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F) 0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, ) 0.000000 | HookDrainEvents -0.000000 | HookLoadFile ..<...>/bro -0.000000 | HookLoadFile .<...>/bro -0.000000 | HookLoadFile <...>/bro +0.000000 | HookLoadFile ..<...>/main.bro +0.000000 | HookLoadFile ..<...>/plugin.bro +0.000000 | HookLoadFile .<...>/Bro_ARP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_AsciiReader.ascii.bif.bro +0.000000 | HookLoadFile .<...>/Bro_AsciiWriter.ascii.bif.bro +0.000000 | HookLoadFile .<...>/Bro_BackDoor.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_BenchmarkReader.benchmark.bif.bro +0.000000 | HookLoadFile .<...>/Bro_BinaryReader.binary.bif.bro +0.000000 | HookLoadFile .<...>/Bro_BitTorrent.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_ConnSize.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_ConnSize.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.consts.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DHCP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DNP3.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DNS.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FTP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FTP.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_File.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FileEntropy.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FileExtract.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FileExtract.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FileHash.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Finger.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_GSSAPI.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_GTPv1.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Gnutella.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_HTTP.events.bif.bro +0.000000 | 
HookLoadFile .<...>/Bro_HTTP.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_ICMP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_IMAP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_IRC.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Ident.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_InterConn.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_KRB.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_KRB.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Login.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Login.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_MIME.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Modbus.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_MySQL.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NCP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NTLM.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NTLM.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NTP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NetBIOS.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NetBIOS.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NoneWriter.none.bif.bro +0.000000 | HookLoadFile .<...>/Bro_PE.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_POP3.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RADIUS.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RDP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RDP.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RFB.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RPC.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RawReader.raw.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SIP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.consts.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_check_directory.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_close.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_create_directory.bif.bro +0.000000 | HookLoadFile 
.<...>/Bro_SMB.smb1_com_echo.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_logoff_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_negotiate.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_nt_cancel.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_query_information.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_read_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction2.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_write_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_close.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_create.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_negotiate.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_read.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_session_setup.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_set_info.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_write.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMTP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMTP.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SNMP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SNMP.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SOCKS.events.bif.bro +0.000000 | HookLoadFile 
.<...>/Bro_SQLiteReader.sqlite.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SQLiteWriter.sqlite.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SSH.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SSH.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SSL.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SSL.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SSL.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SteppingStone.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Syslog.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_TCP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_TCP.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Teredo.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_UDP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Unified2.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Unified2.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_X509.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_X509.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_X509.ocsp_events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_X509.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_XMPP.events.bif.bro +0.000000 | HookLoadFile .<...>/acld.bro +0.000000 | HookLoadFile .<...>/add-geodata.bro +0.000000 | HookLoadFile .<...>/addrs.bro +0.000000 | HookLoadFile .<...>/analyzer.bif.bro +0.000000 | HookLoadFile .<...>/archive.sig +0.000000 | HookLoadFile .<...>/ascii.bro +0.000000 | HookLoadFile .<...>/audio.sig +0.000000 | HookLoadFile .<...>/average.bro +0.000000 | HookLoadFile .<...>/benchmark.bro +0.000000 | HookLoadFile .<...>/binary.bro +0.000000 | HookLoadFile .<...>/bloom-filter.bif.bro +0.000000 | HookLoadFile .<...>/bro.bif.bro +0.000000 | HookLoadFile .<...>/broker.bro +0.000000 | HookLoadFile .<...>/broxygen.bif.bro +0.000000 | HookLoadFile .<...>/cardinality-counter.bif.bro +0.000000 | HookLoadFile .<...>/catch-and-release.bro +0.000000 | HookLoadFile .<...>/comm.bif.bro +0.000000 | HookLoadFile .<...>/const-dos-error.bro +0.000000 | HookLoadFile 
.<...>/const-nt-status.bro +0.000000 | HookLoadFile .<...>/const.bif.bro +0.000000 | HookLoadFile .<...>/consts.bro +0.000000 | HookLoadFile .<...>/contents.bro +0.000000 | HookLoadFile .<...>/ct-list.bro +0.000000 | HookLoadFile .<...>/data.bif.bro +0.000000 | HookLoadFile .<...>/dcc-send.bro +0.000000 | HookLoadFile .<...>/debug.bro +0.000000 | HookLoadFile .<...>/dpd.sig +0.000000 | HookLoadFile .<...>/drop.bro +0.000000 | HookLoadFile .<...>/email_admin.bro +0.000000 | HookLoadFile .<...>/entities.bro +0.000000 | HookLoadFile .<...>/event.bif.bro +0.000000 | HookLoadFile .<...>/exec.bro +0.000000 | HookLoadFile .<...>/file_analysis.bif.bro +0.000000 | HookLoadFile .<...>/files.bro +0.000000 | HookLoadFile .<...>/font.sig +0.000000 | HookLoadFile .<...>/general.sig +0.000000 | HookLoadFile .<...>/gridftp.bro +0.000000 | HookLoadFile .<...>/hll_unique.bro +0.000000 | HookLoadFile .<...>/hooks.bif.bro +0.000000 | HookLoadFile .<...>/hostnames.bro +0.000000 | HookLoadFile .<...>/image.sig +0.000000 | HookLoadFile .<...>/inactivity.bro +0.000000 | HookLoadFile .<...>/info.bro +0.000000 | HookLoadFile .<...>/init.bro +0.000000 | HookLoadFile .<...>/input.bif.bro +0.000000 | HookLoadFile .<...>/input.bro +0.000000 | HookLoadFile .<...>/last.bro +0.000000 | HookLoadFile .<...>/libmagic.sig +0.000000 | HookLoadFile .<...>/log.bro +0.000000 | HookLoadFile .<...>/logging.bif.bro +0.000000 | HookLoadFile .<...>/magic +0.000000 | HookLoadFile .<...>/main.bro +0.000000 | HookLoadFile .<...>/max.bro +0.000000 | HookLoadFile .<...>/messaging.bif.bro +0.000000 | HookLoadFile .<...>/min.bro +0.000000 | HookLoadFile .<...>/mozilla-ca-list.bro +0.000000 | HookLoadFile .<...>/msoffice.sig +0.000000 | HookLoadFile .<...>/netstats.bro +0.000000 | HookLoadFile .<...>/non-cluster.bro +0.000000 | HookLoadFile .<...>/none.bro +0.000000 | HookLoadFile .<...>/openflow.bro +0.000000 | HookLoadFile .<...>/packetfilter.bro +0.000000 | HookLoadFile .<...>/page.bro +0.000000 | HookLoadFile 
.<...>/patterns.bro +0.000000 | HookLoadFile .<...>/pcap.bif.bro +0.000000 | HookLoadFile .<...>/plugin.bro +0.000000 | HookLoadFile .<...>/plugins +0.000000 | HookLoadFile .<...>/polling.bro +0.000000 | HookLoadFile .<...>/postprocessors +0.000000 | HookLoadFile .<...>/pp-alarms.bro +0.000000 | HookLoadFile .<...>/raw.bro +0.000000 | HookLoadFile .<...>/reporter.bif.bro +0.000000 | HookLoadFile .<...>/ryu.bro +0.000000 | HookLoadFile .<...>/sample.bro +0.000000 | HookLoadFile .<...>/scp.bro +0.000000 | HookLoadFile .<...>/sftp.bro +0.000000 | HookLoadFile .<...>/shunt.bro +0.000000 | HookLoadFile .<...>/site.bro +0.000000 | HookLoadFile .<...>/sqlite.bro +0.000000 | HookLoadFile .<...>/stats.bif.bro +0.000000 | HookLoadFile .<...>/std-dev.bro +0.000000 | HookLoadFile .<...>/store.bif.bro +0.000000 | HookLoadFile .<...>/store.bro +0.000000 | HookLoadFile .<...>/strings.bif.bro +0.000000 | HookLoadFile .<...>/sum.bro +0.000000 | HookLoadFile .<...>/thresholds.bro +0.000000 | HookLoadFile .<...>/top-k.bif.bro +0.000000 | HookLoadFile .<...>/topk.bro +0.000000 | HookLoadFile .<...>/types.bif.bro +0.000000 | HookLoadFile .<...>/types.bro +0.000000 | HookLoadFile .<...>/unique.bro +0.000000 | HookLoadFile .<...>/utils-commands.bro +0.000000 | HookLoadFile .<...>/utils.bro +0.000000 | HookLoadFile .<...>/variance.bro +0.000000 | HookLoadFile .<...>/video.sig +0.000000 | HookLoadFile .<...>/weird.bro +0.000000 | HookLoadFile <...>/__load__.bro +0.000000 | HookLoadFile <...>/__preload__.bro +0.000000 | HookLoadFile <...>/hooks.bro +0.000000 | HookLoadFile base<...>/Bro_KRB.types.bif.bro +0.000000 | HookLoadFile base<...>/Bro_SNMP.types.bif.bro +0.000000 | HookLoadFile base<...>/active-http.bro +0.000000 | HookLoadFile base<...>/addrs.bro +0.000000 | HookLoadFile base<...>/analyzer +0.000000 | HookLoadFile base<...>/analyzer.bif.bro 0.000000 | HookLoadFile base<...>/bif -0.000000 | HookLoadFile base<...>/bro +0.000000 | HookLoadFile base<...>/bro.bif.bro +0.000000 | 
HookLoadFile base<...>/broker +0.000000 | HookLoadFile base<...>/cluster +0.000000 | HookLoadFile base<...>/comm.bif.bro +0.000000 | HookLoadFile base<...>/communication +0.000000 | HookLoadFile base<...>/conn +0.000000 | HookLoadFile base<...>/conn-ids.bro +0.000000 | HookLoadFile base<...>/const.bif.bro +0.000000 | HookLoadFile base<...>/control +0.000000 | HookLoadFile base<...>/data.bif.bro +0.000000 | HookLoadFile base<...>/dce-rpc +0.000000 | HookLoadFile base<...>/dhcp +0.000000 | HookLoadFile base<...>/dir.bro +0.000000 | HookLoadFile base<...>/directions-and-hosts.bro +0.000000 | HookLoadFile base<...>/dnp3 +0.000000 | HookLoadFile base<...>/dns +0.000000 | HookLoadFile base<...>/dpd +0.000000 | HookLoadFile base<...>/email.bro +0.000000 | HookLoadFile base<...>/event.bif.bro +0.000000 | HookLoadFile base<...>/exec.bro +0.000000 | HookLoadFile base<...>/extract +0.000000 | HookLoadFile base<...>/file_analysis.bif.bro +0.000000 | HookLoadFile base<...>/files +0.000000 | HookLoadFile base<...>/files.bro +0.000000 | HookLoadFile base<...>/find-checksum-offloading.bro +0.000000 | HookLoadFile base<...>/find-filtered-trace.bro +0.000000 | HookLoadFile base<...>/ftp +0.000000 | HookLoadFile base<...>/geoip-distance.bro +0.000000 | HookLoadFile base<...>/hash +0.000000 | HookLoadFile base<...>/http +0.000000 | HookLoadFile base<...>/imap +0.000000 | HookLoadFile base<...>/init-default.bro +0.000000 | HookLoadFile base<...>/input +0.000000 | HookLoadFile base<...>/input.bif.bro +0.000000 | HookLoadFile base<...>/intel +0.000000 | HookLoadFile base<...>/irc +0.000000 | HookLoadFile base<...>/json.bro +0.000000 | HookLoadFile base<...>/krb +0.000000 | HookLoadFile base<...>/logging +0.000000 | HookLoadFile base<...>/logging.bif.bro +0.000000 | HookLoadFile base<...>/main.bro +0.000000 | HookLoadFile base<...>/messaging.bif.bro +0.000000 | HookLoadFile base<...>/modbus +0.000000 | HookLoadFile base<...>/mysql +0.000000 | HookLoadFile base<...>/netcontrol +0.000000 | 
HookLoadFile base<...>/notice +0.000000 | HookLoadFile base<...>/ntlm +0.000000 | HookLoadFile base<...>/numbers.bro +0.000000 | HookLoadFile base<...>/openflow +0.000000 | HookLoadFile base<...>/packet-filter +0.000000 | HookLoadFile base<...>/paths.bro +0.000000 | HookLoadFile base<...>/patterns.bro +0.000000 | HookLoadFile base<...>/pe +0.000000 | HookLoadFile base<...>/plugins +0.000000 | HookLoadFile base<...>/pop3 +0.000000 | HookLoadFile base<...>/queue.bro +0.000000 | HookLoadFile base<...>/radius +0.000000 | HookLoadFile base<...>/rdp +0.000000 | HookLoadFile base<...>/reporter +0.000000 | HookLoadFile base<...>/reporter.bif.bro +0.000000 | HookLoadFile base<...>/rfb +0.000000 | HookLoadFile base<...>/signatures +0.000000 | HookLoadFile base<...>/sip +0.000000 | HookLoadFile base<...>/site.bro +0.000000 | HookLoadFile base<...>/smb +0.000000 | HookLoadFile base<...>/smtp +0.000000 | HookLoadFile base<...>/snmp +0.000000 | HookLoadFile base<...>/socks +0.000000 | HookLoadFile base<...>/software +0.000000 | HookLoadFile base<...>/ssh +0.000000 | HookLoadFile base<...>/ssl +0.000000 | HookLoadFile base<...>/store.bif.bro +0.000000 | HookLoadFile base<...>/strings.bif.bro +0.000000 | HookLoadFile base<...>/strings.bro +0.000000 | HookLoadFile base<...>/sumstats +0.000000 | HookLoadFile base<...>/syslog +0.000000 | HookLoadFile base<...>/thresholds.bro +0.000000 | HookLoadFile base<...>/time.bro +0.000000 | HookLoadFile base<...>/tunnels +0.000000 | HookLoadFile base<...>/types.bif.bro +0.000000 | HookLoadFile base<...>/unified2 +0.000000 | HookLoadFile base<...>/urls.bro +0.000000 | HookLoadFile base<...>/utils.bro +0.000000 | HookLoadFile base<...>/version.bro +0.000000 | HookLoadFile base<...>/weird.bro +0.000000 | HookLoadFile base<...>/x509 +0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1498500921.180040, 
node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.cc b/testing/btest/plugins/hooks-plugin/src/Plugin.cc index d636e12b7c..c5b8f4e981 100644 --- a/testing/btest/plugins/hooks-plugin/src/Plugin.cc +++ b/testing/btest/plugins/hooks-plugin/src/Plugin.cc @@ -46,10 +46,10 @@ static void describe_hook_args(const plugin::HookArgumentList& args, ODesc* d) } } -int Plugin::HookLoadFile(const std::string& file, const std::string& ext) +int Plugin::HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved) { - fprintf(stderr, "%.6f %-15s %s/%s\n", network_time, "| HookLoadFile", - file.c_str(), ext.c_str()); + fprintf(stderr, "%.6f %-15s %s %s\n", network_time, "| HookLoadFile", + file.c_str(), resolved.c_str()); return -1; } diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.h b/testing/btest/plugins/hooks-plugin/src/Plugin.h index 64227c0660..1192304976 100644 --- a/testing/btest/plugins/hooks-plugin/src/Plugin.h +++ b/testing/btest/plugins/hooks-plugin/src/Plugin.h @@ -10,7 +10,7 @@ namespace Demo_Hooks { class Plugin : public ::plugin::Plugin { protected: - int HookLoadFile(const std::string& file, const std::string& ext) override; + int HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved) override; std::pair HookCallFunction(const Func* func, Frame* frame, val_list* args) override; bool HookQueueEvent(Event* event) override; void HookDrainEvents() override; From b8524371264f4baa9942a5b4f5c475e200f81d6f Mon Sep 17 00:00:00 2001 
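Review bot: The new `type` parameter of the test plugin's `Plugin::HookLoadFile` is accepted but never printed, so the `| HookLoadFile` baseline lines cannot tell a script load from a signature load, while the `MetaHookPre LoadFile(0, …)` / `LoadFile(1, …)` lines in the same baseline can. Printing it would let the test cover the new argument, e.g. `fprintf(stderr, "%.6f %-15s %d %s %s\n", network_time, "| HookLoadFile", static_cast<int>(type), file.c_str(), resolved.c_str());`. The baseline would need to be regenerated afterwards.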
From: Johanna Amann Date: Thu, 16 Nov 2017 12:45:11 -0800 Subject: [PATCH 242/631] Add reporter hook. The hook being added is: bool HookReporter(const std::string& prefix, const EventHandlerPtr event, const Connection* conn, const val_list* addl, bool location, const Location* location1, const Location* location2, bool time, const std::string& buffer) override; This hook gives access to basically all information that is available in the function in Reporter.cc that performs the logging. The hook is called each time when anything passes through the reporter in the cases in which an event usually would be called. This includes weirds. The hook can return false to prevent the normal reporter events from being raised. --- src/Reporter.cc | 21 ++++++++- src/plugin/Manager.cc | 46 +++++++++++++++++++ src/plugin/Manager.h | 33 +++++++++++++ src/plugin/Plugin.cc | 18 ++++++++ src/plugin/Plugin.h | 42 ++++++++++++++++- .../Baseline/plugins.reporter-hook/output | 10 ++++ .../plugins.reporter-hook/reporter.log | 13 ++++++ .../reporter-hook-plugin/.btest-ignore | 0 .../reporter-hook-plugin/src/Plugin.cc | 43 +++++++++++++++++ .../plugins/reporter-hook-plugin/src/Plugin.h | 27 +++++++++++ testing/btest/plugins/reporter-hook.bro | 24 ++++++++++ 11 files changed, 275 insertions(+), 2 deletions(-) create mode 100644 testing/btest/Baseline/plugins.reporter-hook/output create mode 100644 testing/btest/Baseline/plugins.reporter-hook/reporter.log create mode 100644 testing/btest/plugins/reporter-hook-plugin/.btest-ignore create mode 100644 testing/btest/plugins/reporter-hook-plugin/src/Plugin.cc create mode 100644 testing/btest/plugins/reporter-hook-plugin/src/Plugin.h create mode 100644 testing/btest/plugins/reporter-hook.bro diff --git a/src/Reporter.cc b/src/Reporter.cc index 4823b33ef3..eb89a29d30 100644 --- a/src/Reporter.cc +++ b/src/Reporter.cc 
@@ -10,6 +10,8 @@ #include "NetVar.h" #include "Net.h" #include "Conn.h" +#include "plugin/Plugin.h" +#include "plugin/Manager.h" #ifdef SYSLOG_INT extern "C" { @@ -323,7 +325,24 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out, // buffer size above. safe_snprintf(buffer + strlen(buffer), size - strlen(buffer), " [%s]", postfix); - if ( event && via_events && ! in_error_handler ) + bool raise_event = true; + + if ( via_events && ! in_error_handler ) + { + if ( locations.size() ) + { + auto locs = locations.back(); + raise_event = PLUGIN_HOOK_WITH_RESULT(HOOK_REPORTER, + HookReporter(prefix, event, conn, addl, location, + locs.first, locs.second, time, buffer), true); + } + else + raise_event = PLUGIN_HOOK_WITH_RESULT(HOOK_REPORTER, + HookReporter(prefix, event, conn, addl, location, + nullptr, nullptr, time, buffer), true); + } + + if ( raise_event && event && via_events && ! in_error_handler ) { val_list* vl = new val_list; diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index a6c564d4f2..5e48be80f5 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc 
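Review bot: The two branches under `if ( locations.size() )` in Reporter::DoLog differ only in the two location pointers, so the HookReporter argument list is written twice and `auto locs = locations.back();` copies the pair. Picking the pointers first keeps a single call: `const Location* loc1 = locations.size() ? locations.back().first : nullptr;` (likewise `loc2`), then one `raise_event = PLUGIN_HOOK_WITH_RESULT(HOOK_REPORTER, HookReporter(prefix, event, conn, addl, location, loc1, loc2, time, buffer), true);`. `prefix` is a `const char*` in DoLog's signature while the hook takes `const std::string&`, so a null prefix would be undefined behaviour at the implicit conversion; whether any caller passes null is not visible here and is worth confirming. DoLog's body starts and ends outside the hunk.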
@@ -853,6 +853,52 @@ bool Manager::HookLogWrite(const std::string& writer, return result; } +bool Manager::HookReporter(const std::string& prefix, const EventHandlerPtr event, + const Connection* conn, const val_list* addl, bool location, + const Location* location1, const Location* location2, + bool time, const std::string& message) + + { + HookArgumentList args; + + if ( HavePluginForHook(META_HOOK_PRE) ) + { + args.push_back(HookArgument(prefix)); + args.push_back(HookArgument(conn)); + args.push_back(HookArgument(addl)); + args.push_back(HookArgument(location1)); + args.push_back(HookArgument(location2)); + args.push_back(HookArgument(location)); + args.push_back(HookArgument(time)); + args.push_back(HookArgument(message)); + MetaHookPre(HOOK_REPORTER, args); + } + + hook_list* l = hooks[HOOK_REPORTER]; + + bool result = true; + + if ( l ) + { + for ( hook_list::iterator i = l->begin(); i != l->end(); ++i ) + { + Plugin* p = (*i).second; + + if ( ! p->HookReporter(prefix, event, conn, addl, location, location1, location2, time, message) ) + { + result = false; + break; + } + } + } + + if ( HavePluginForHook(META_HOOK_POST) ) + MetaHookPost(HOOK_REPORTER, args, HookArgument(result)); + + return result; + } + + void Manager::MetaHookPre(HookType hook, const HookArgumentList& args) const { hook_list* l = hooks[HOOK_CALL_FUNCTION]; diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h index 9ece86bfed..1fdc588c7b 100644 --- a/src/plugin/Manager.h +++ b/src/plugin/Manager.h 
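Review bot: The argument list built for the meta hooks in Manager::HookReporter leaves out `event` and pushes the `location` flag after `location1`/`location2`, so MetaHookPre/MetaHookPost see a different shape from the one HookReporter plugins receive. If `event` is left out on purpose, a comment such as `// event is not forwarded to meta hooks` above the push_back block would record that, and pushing `location` before the two pointers would match the signature order. The loop also stops at the first plugin that returns false, so plugins later in the list never see that report. That is worth stating in the HookReporter documentation, because a plugin that only observes reports can be silenced by another plugin's veto.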
@@ -355,6 +355,39 @@ public: int num_fields, const threading::Field* const* fields, threading::Value** vals) const; + /** + * Hook into reporting. This method will be called for each reporter call + * made; this includes weirds. The method cannot manipulate the data at + * the current time; however it is possible to prevent script-side events + * from being called by returning false. + * + * @param prefix The prefix passed by the reporter framework + * + * @param event The event to be called + * + * @param conn The associated connection + * + * @param addl Additional Bro values; typically will be passed to the event + * by the reporter framework. + * + * @param location True if event expects location information + * + * @param location1 First location + * + * @param location2 Second location + * + * @param time True if event expects time information + * + * @param message Message supplied by the reporter framework + * + * @return true if event should be called by the reporter framework, false + * if the event call should be skipped + */ + bool HookReporter(const std::string& prefix, const EventHandlerPtr event, + const Connection* conn, const val_list* addl, bool location, + const Location* location1, const Location* location2, + bool time, const std::string& message); + /** * Internal method that registers a freshly instantiated plugin with * the manager. diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index f54749f837..21e5401e48 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -208,6 +208,16 @@ void HookArgument::Describe(ODesc* d) const d->Add("}"); } break; + + case LOCATION: + if ( arg.loc ) + { + arg.loc->Describe(d); + } + else + { + d->Add(""); + } } } 
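Review bot: The HookReporter comment does not say which pointer arguments may be null, although Reporter::DoLog in this patch passes `nullptr` for both locations when none is on the stack and now calls the hook even when `event` is unset. I would append `May be null.` to the `@param event`, `@param location1` and `@param location2` lines, and to `@param conn` / `@param addl` if that holds for them, which this hunk does not show. The `@return` text could also state that returning false keeps the report out of the script-level events and therefore out of reporter.log, as the plugins.reporter-hook baseline shows, so a loaded plugin can hide errors and weirds from the logs. The same comment is repeated in src/plugin/Plugin.h (hunk `@@ -769,6 +776,39 @@`) and needs the same additions.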
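Review bot: The new `case LOCATION:` in HookArgument::Describe has no `break;` after its if/else, unlike the case directly above it, so a case appended later would be entered by fall-through. Add `break;` after the closing brace of the `else` block. The switch starts outside the hunk.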
@@ -393,6 +403,14 @@ bool Plugin::HookLogWrite(const std::string& writer, const std::string& filter, return true; } +bool Plugin::HookReporter(const std::string& prefix, const EventHandlerPtr event, + const Connection* conn, const val_list* addl, bool location, + const Location* location1, const Location* location2, + bool time, const std::string& message) + { + return true; + } + void Plugin::MetaHookPre(HookType hook, const HookArgumentList& args) { } diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index c3f231bb93..78a4b5abe5 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -48,6 +48,7 @@ enum HookType { HOOK_SETUP_ANALYZER_TREE, //< Activates Plugin::HookAddToAnalyzerTree HOOK_LOG_INIT, //< Activates Plugin::HookLogInit HOOK_LOG_WRITE, //< Activates Plugin::HookLogWrite + HOOK_REPORTER, //< Activates Plugin::HookReporter // Meta hooks. META_HOOK_PRE, //< Activates Plugin::MetaHookPre(). @@ -172,7 +173,7 @@ public: */ enum Type { BOOL, DOUBLE, EVENT, FRAME, FUNC, FUNC_RESULT, INT, STRING, VAL, - VAL_LIST, VOID, VOIDP, WRITER_INFO, CONN, THREAD_FIELDS + VAL_LIST, VOID, VOIDP, WRITER_INFO, CONN, THREAD_FIELDS, LOCATION }; /** @@ -250,6 +251,11 @@ public: */ explicit HookArgument(const std::pair fpair) { type = THREAD_FIELDS; tfields = fpair; } + /** + * Constructor with a location argument. + */ + explicit HookArgument(const Location* location) { type = LOCATION; arg.loc = location; } + /** * Returns the value for a boolen argument. The argument's type must * match accordingly. @@ -360,6 +366,7 @@ private: const val_list* vals; const void* voidp; const logging::WriterBackend::WriterInfo* winfo; + const Location* loc; } arg; // Outside union because these have dtors. 
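Review bot: `LOCATION` gets an enum value, a constructor and the `arg.loc` union member in these Plugin.h hunks, but none of them adds an accessor, so a MetaHookPre/MetaHookPost plugin can reach the value only through Describe(). The context after the new constructor documents an accessor for the bool type, which suggests the other types have one. A matching `const Location* AsLocation() const { assert(type == LOCATION); return arg.loc; }` would complete the type, assuming the existing accessors follow that shape. The HookArgument class starts and ends outside these hunks.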
@@ -769,6 +776,39 @@ protected: const threading::Field* const* fields, threading::Value** vals); + /** + * Hook into reporting. This method will be called for each reporter call + * made; this includes weirds. The method cannot manipulate the data at + * the current time; however it is possible to prevent script-side events + * from being called by returning false. + * + * @param prefix The prefix passed by the reporter framework + * + * @param event The event to be called + * + * @param conn The associated connection + * + * @param addl Additional Bro values; typically will be passed to the event + * by the reporter framework. + * + * @param location True if event expects location information + * + * @param location1 First location + * + * @param location2 Second location + * + * @param time True if event expects time information + * + * @param message Message supplied by the reporter framework + * + * @return true if event should be called by the reporter framework, false + * if the event call should be skipped + */ + virtual bool HookReporter(const std::string& prefix, const EventHandlerPtr event, + const Connection* conn, const val_list* addl, bool location, + const Location* location1, const Location* location2, + bool time, const std::string& message); + // Meta hooks. /** diff --git a/testing/btest/Baseline/plugins.reporter-hook/output b/testing/btest/Baseline/plugins.reporter-hook/output new file mode 100644 index 0000000000..e5ed573e67 --- /dev/null +++ b/testing/btest/Baseline/plugins.reporter-hook/output 
@@ -0,0 +1,10 @@ + | Hook Some Info <...>/reporter-hook.bro, line 16 + | Hook error An Error <...>/reporter-hook.bro, line 18 + | Hook error An Error that does not show up in the log <...>/reporter-hook.bro, line 19 + | Hook expression error field value missing [b$a] <...>/reporter-hook.bro, line 23 + | Hook warning A warning <...>/reporter-hook.bro, line 17 +<...>/reporter-hook.bro, line 16: Some Info +error in <...>/reporter-hook.bro, line 18: An Error +error in <...>/reporter-hook.bro, line 19: An Error that does not show up in the log +expression error in <...>/reporter-hook.bro, line 23: field value missing [b$a] +warning in <...>/reporter-hook.bro, line 17: A warning diff --git a/testing/btest/Baseline/plugins.reporter-hook/reporter.log b/testing/btest/Baseline/plugins.reporter-hook/reporter.log new file mode 100644 index 0000000000..ab70b0c17a --- /dev/null +++ b/testing/btest/Baseline/plugins.reporter-hook/reporter.log @@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path reporter +#open 2017-07-26-17-58-52 +#fields ts level message location +#types time enum string string +0.000000 Reporter::INFO Some Info /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 16 +0.000000 Reporter::WARNING A warning /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 17 +0.000000 Reporter::ERROR An Error /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 18 +0.000000 Reporter::ERROR field value missing [b$a] /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 23 +#close 2017-07-26-17-58-52 diff --git a/testing/btest/plugins/reporter-hook-plugin/.btest-ignore b/testing/btest/plugins/reporter-hook-plugin/.btest-ignore new file mode 100644 index 0000000000..e69de29bb2 
diff --git a/testing/btest/plugins/reporter-hook-plugin/src/Plugin.cc b/testing/btest/plugins/reporter-hook-plugin/src/Plugin.cc
new file mode 100644
index 0000000000..9c8eee6ca8
--- /dev/null
+++ b/testing/btest/plugins/reporter-hook-plugin/src/Plugin.cc
@@ -0,0 +1,43 @@
+
+#include "Plugin.h"
+
+#include
+#include
+#include
+#include
+
+namespace plugin { namespace Reporter_Hook { Plugin plugin; } }
+
+using namespace plugin::Reporter_Hook;
+
+plugin::Configuration Plugin::Configure()
+ {
+ EnableHook(HOOK_REPORTER);
+
+ plugin::Configuration config;
+ config.name = "Reporter::Hook";
+ config.description = "Exercise Reporter Hook";
+ config.version.major = 1;
+ config.version.minor = 0;
+ return config;
+ }
+
+bool Plugin::HookReporter(const std::string& prefix, const EventHandlerPtr event,
+ const Connection* conn, const val_list* addl, bool location,
+ const Location* location1, const Location* location2,
+ bool time, const std::string& message)
+ {
+ ODesc d;
+ if ( location1 )
+ location1->Describe(&d);
+ if ( location2 )
+ location2->Describe(&d);
+
+ fprintf(stderr, " | Hook %s %s %s\n", prefix.c_str(), message.c_str(), d.Description());
+
+ if ( message == "An Error that does not show up in the log" )
+ return false;
+
+ return true;
+ }
+
diff --git a/testing/btest/plugins/reporter-hook-plugin/src/Plugin.h b/testing/btest/plugins/reporter-hook-plugin/src/Plugin.h
new file mode 100644
index 0000000000..2e793aba08
--- /dev/null
+++ b/testing/btest/plugins/reporter-hook-plugin/src/Plugin.h
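Review bot: The definition of the test plugin's `Plugin::HookReporter` names its last parameter `message`, as the base class in src/plugin/Plugin.h does, but the declaration in reporter-hook-plugin/src/Plugin.h (the next file in this patch) and the commit message call it `buffer`. Using one name avoids the impression that these are different values; in the test header that would be `bool time, const std::string& message) override;`. A one-line comment above the `message == "An Error that does not show up in the log"` check, saying that it exercises event suppression and ties to the string in reporter-hook.bro, would also help the next reader.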
@@ -0,0 +1,27 @@ + +#ifndef BRO_PLUGIN_Reporter_Hook +#define BRO_PLUGIN_Reporter_Hook + +#include + +namespace plugin { +namespace Reporter_Hook { + +class Plugin : public ::plugin::Plugin +{ +protected: + bool HookReporter(const std::string& prefix, const EventHandlerPtr event, + const Connection* conn, const val_list* addl, bool location, + const Location* location1, const Location* location2, + bool time, const std::string& buffer) override; + + // Overridden from plugin::Plugin. + plugin::Configuration Configure() override; +}; + +extern Plugin plugin; + +} +} + +#endif diff --git a/testing/btest/plugins/reporter-hook.bro b/testing/btest/plugins/reporter-hook.bro new file mode 100644 index 0000000000..13e98fc76e --- /dev/null +++ b/testing/btest/plugins/reporter-hook.bro @@ -0,0 +1,24 @@ +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Reporter Hook +# @TEST-EXEC: cp -r %DIR/reporter-hook-plugin/* . +# @TEST-EXEC: ./configure --bro-dist=${DIST} && make +# @TEST-EXEC: BRO_PLUGIN_ACTIVATE="Reporter::Hook" BRO_PLUGIN_PATH=`pwd` bro -b %INPUT 2>&1 | $SCRIPTS/diff-remove-abspath | sort | uniq >output +# @TEST-EXEC: btest-diff output +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff reporter.log + +@load base/frameworks/reporter + +type TestType: record { + a: bool &optional; +}; + +event bro_init() + { + Reporter::info("Some Info"); + Reporter::warning("A warning"); + Reporter::error("An Error"); + Reporter::error("An Error that does not show up in the log"); + + # And just trigger a runtime problem. + local b = TestType(); + print b$a; + } From 395c26b8bee8f819351abf4b5c21cb3f8c8d0e02 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 17 Nov 2017 15:13:01 -0800 Subject: [PATCH 243/631] Updating submodule(s). [nomail] --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index 154dd9f9b2..bc50a42297 160000 --- a/aux/btest 
+++ b/aux/btest @@ -1 +1 @@ -Subproject commit 154dd9f9b2011341d2f76a3d3fee1c9a5ac4e393 +Subproject commit bc50a42297db84a88f1a0730691918062de315f7 From 7139e30bedc9ff43e72a3726e8c7043f5b702a5f Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 17 Nov 2017 15:27:04 -0800 Subject: [PATCH 244/631] Updating submodule(s). [nomail] --- CHANGES | 2 +- VERSION | 2 +- aux/broccoli | 2 +- aux/btest | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index e31bade741..910321247f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,5 @@ -2.5-342 | 2017-11-17 15:13:17 -0800 +2.5-343 | 2017-11-17 15:27:04 -0800 * Fix ASCII logging of very large values of type "double". Previously, the nonsensical "NAN.0" would be written to ASCII logs diff --git a/VERSION b/VERSION index 36492dfd1e..26514725b5 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-342 +2.5-343 diff --git a/aux/broccoli b/aux/broccoli index 498e699b32..13fe5fba7e 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 498e699b3273b5c05a4275247e679a31567e71c8 +Subproject commit 13fe5fba7ebd314e6bf2bedbac465d4c3f2e4301 diff --git a/aux/btest b/aux/btest index bc50a42297..b3a5742b6b 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit bc50a42297db84a88f1a0730691918062de315f7 +Subproject commit b3a5742b6b04acdd851dba4e08723a568c4aa755 From 105cdb5aaf49fb767e45afe0f6bd6ec29f29cbd6 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 20 Nov 2017 08:39:11 -0600 Subject: [PATCH 245/631] Add --build-type flag to configure wrapper. --- CMakeLists.txt | 2 ++ configure | 15 ++++++++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 990c09b611..31e2346dfe 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -246,6 +246,8 @@ endif () message( "\n====================| Bro Build Summary |=====================" "\n" + "\nBuild type: ${CMAKE_BUILD_TYPE}" + "\nBuild dir: ${CMAKE_BINARY_DIR}" "\nInstall prefix: ${CMAKE_INSTALL_PREFIX}" "\nBro Script Path: ${BRO_SCRIPT_INSTALL_PATH}" "\nDebug mode: ${ENABLE_DEBUG}" diff --git a/configure b/configure index b58dd84c6a..757dfc595b 100755 --- a/configure +++ b/configure @@ -18,6 +18,12 @@ Usage: $0 [OPTION]... [VAR=VALUE]... Build Options: --builddir=DIR place build files in directory [build] + --build-type=TYPE set CMake build type [RelWithDebInfo]: + - Debug: optimizations off, debug symbols + flags + - MinSizeRel: size optimizations, debugging off + - Release: optimizations on, debugging off + - RelWithDebInfo: optimizations on, + debug symbols on, debug flags off --generator=GENERATOR CMake generator to use (see cmake --help) Installation Directories: @@ -34,7 +40,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --conf-files-dir=PATH config files installation directory [PREFIX/etc] Optional Features: - --enable-debug compile in debugging mode + --enable-debug compile in debugging mode (like --build-type=Debug) --enable-mobile-ipv6 analyze mobile IPv6 features defined by RFC 6275 --enable-perftools force use of Google perftools on non-Linux systems (automatically on when perftools is present on Linux) @@ -153,6 +159,13 @@ while [ $# -ne 0 ]; do --builddir=*) builddir=$optarg ;; + --build-type=*) + append_cache_entry CMAKE_BUILD_TYPE STRING $optarg + + if [ $(echo "$optarg" | tr [:upper:] [:lower:]) = "debug" ]; then + append_cache_entry ENABLE_DEBUG BOOL true + fi + ;; --generator=*) CMakeGenerator="$optarg" ;; From 26dc94c31dec9cf32360456ea6e7ab4903ad30f6 Mon Sep 17 00:00:00 2001 
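Review bot: The `--build-type=*)` case added to `configure` leaves the command substitution and the `tr` character classes unquoted in `if [ $(echo "$optarg" | tr [:upper:] [:lower:]) = "debug" ]; then`. An empty value (`--build-type=`) or one containing whitespace makes `[` fail with a syntax error, and `[:upper:]`/`[:lower:]` are open to pathname expansion if a matching single-character file name exists in the working directory. Quoting both closes this: `if [ "$(echo "$optarg" | tr '[:upper:]' '[:lower:]')" = "debug" ]; then`, and `$optarg` in the `append_cache_entry CMAKE_BUILD_TYPE STRING $optarg` call above it should be quoted the same way. The enclosing `while`/`case` starts and ends outside the hunk.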
From: Jon Siwek Date: Mon, 20 Nov 2017 11:28:59 -0600 Subject: [PATCH 246/631] BIT-1827: fix error on initializing DNS w/ IPv6 nameserver. This just skips over IPv6 nameserver addresses for now and uses the first IPv4 one in the resolver config. Should be possible to support IPv6, but that may need more testing (e.g. need to make sure the code will be portable to various platforms). --- CHANGES | 6 ++++++ VERSION | 2 +- src/nb_dns.c | 49 +++++++++++++++++++++++++++++++------------------ 3 files changed, 38 insertions(+), 19 deletions(-) diff --git a/CHANGES b/CHANGES index 910321247f..98465b94d7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +2.5-345 | 2017-11-20 11:28:59 -0600 + + * BIT-1827: fix error on initializing DNS w/ IPv6 nameserver. (Corelight) + + * Add --build-type flag to configure wrapper. (Corelight) + 2.5-343 | 2017-11-17 15:27:04 -0800 * Fix ASCII logging of very large values of type "double". diff --git a/VERSION b/VERSION index 26514725b5..13eaeb1e39 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-343 +2.5-345 diff --git a/src/nb_dns.c b/src/nb_dns.c index 35059ab4f0..f239b4d401 100644 --- a/src/nb_dns.c +++ b/src/nb_dns.c 
@@ -131,27 +131,40 @@ nb_dns_init(char *errstr) free(nd); return (NULL); } - nd->s = socket(PF_INET, SOCK_DGRAM, 0); - if (nd->s < 0) { - snprintf(errstr, NB_DNS_ERRSIZE, "socket(): %s", - my_strerror(errno)); - free(nd); - return (NULL); - } - /* XXX should use resolver config */ - nd->server = _res.nsaddr_list[0]; + for ( int i = 0; i < _res.nscount; ++i ) + { + nd->server = _res.nsaddr_list[i]; - if (connect(nd->s, (struct sockaddr *)&nd->server, - sizeof(struct sockaddr)) < 0) { - snprintf(errstr, NB_DNS_ERRSIZE, "connect(%s): %s", - inet_ntoa(nd->server.sin_addr), my_strerror(errno)); - close(nd->s); - free(nd); - return (NULL); - } + /* XXX support IPv6 */ + if ( nd->server.sin_family != AF_INET ) + continue; - return (nd); + nd->s = socket(nd->server.sin_family, SOCK_DGRAM, 0); + + if ( nd->s < 0 ) + { + snprintf(errstr, NB_DNS_ERRSIZE, "socket(): %s", + my_strerror(errno)); + free(nd); + return (NULL); + } + + if ( connect(nd->s, (struct sockaddr *)&nd->server, + sizeof(struct sockaddr)) < 0 ) + { + snprintf(errstr, NB_DNS_ERRSIZE, "connect(%s): %s", + inet_ntoa(nd->server.sin_addr), my_strerror(errno)); + close(nd->s); + free(nd); + return (NULL); + } + + return (nd); + } + + snprintf(errstr, NB_DNS_ERRSIZE, "no valid nameservers in resolver config"); + return (NULL); } void From deced3795c53c2310c3115cd7c682613b2ba5fc7 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 21 Nov 2017 11:30:55 -0600 Subject: [PATCH 247/631] Fix a nb_dns.c compile error (older OSs) due to C90 vs C99. --- CHANGES | 4 ++++ VERSION | 2 +- src/nb_dns.c | 4 +++- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 4758363876..f13c1e0fe3 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-348 | 2017-11-21 11:30:55 -0600 + + * Fix a nb_dns.c compile error (older OSs) due to C90 vs C99. (Corelight) + 2.5-347 | 2017-11-20 14:00:37 -0600 * Fix and extend behavior of HookLoadFile. (Corelight) 
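Review bot: In `nb_dns_init` (src/nb_dns.c) the new fall-through path after the `for` loop returns `NULL` without releasing `nd`, while every other error return in this hunk calls `free(nd)` first. That path is taken whenever `_res.nscount` is zero or every `_res.nsaddr_list` entry is skipped as non-`AF_INET`, which is the IPv6-only resolver configuration this commit targets. Adding `free(nd);` between the final `snprintf(...)` and `return (NULL);` keeps the error paths consistent. The function begins above the hunk, so the allocation of `nd` is not visible here and is inferred from the existing `free(nd)` calls.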
diff --git a/VERSION b/VERSION index a074771e18..ad68c02345 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-347 +2.5-348 diff --git a/src/nb_dns.c b/src/nb_dns.c index f239b4d401..be6ca66059 100644 --- a/src/nb_dns.c +++ b/src/nb_dns.c @@ -132,7 +132,9 @@ nb_dns_init(char *errstr) return (NULL); } - for ( int i = 0; i < _res.nscount; ++i ) + int i; + + for ( i = 0; i < _res.nscount; ++i ) { nd->server = _res.nsaddr_list[i]; From 577357d509cb6b961ac447fe420e784a2caa0152 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Tue, 28 Nov 2017 12:13:26 -0800 Subject: [PATCH 248/631] Small fixes and changes for the recent ssl-keyexchange-event merge. This commit fixes a few small issues. * server key exchange parameters are only parsed when a named curve is given. * I removed the ssl-verbose.bro and moved the functionality into the testcase. The information that we get with these events is likely irrelevant to the majority of Bro users; I do not think that we have to ship a script that uses them by default. A script like this would be something to publish via the Bro package manager instead; this is the approach that we have taken with a number of the recent SSL addition. * I marked the ssl_server_curve event as deprecated. More information is contained in the new ssl_ecdh_server_params event. This is an events that is probably seldomly (or never) directly used by anyone; I plan to completely remove it right after the 2.6 release. --- CHANGES | 15 +++ NEWS | 14 +++ VERSION | 2 +- scripts/base/protocols/ssl/main.bro | 2 +- scripts/test-all-policy.bro | 1 - src/analyzer/protocol/ssl/events.bif | 26 ++-- .../protocol/ssl/tls-handshake-analyzer.pac | 48 ++++---- .../protocol/ssl/tls-handshake-protocol.pac | 21 ++-- .../ssl-all.log | 0 .../base/protocols/ssl/keyexchange.test | 116 ++++++++++++++++++ .../policy/protocols/ssl/ssl-verbose.test | 9 -- 11 files changed, 201 insertions(+), 53 deletions(-) rename testing/btest/Baseline/{scripts.policy.protocols.ssl.ssl-verbose => scripts.base.protocols.ssl.keyexchange}/ssl-all.log (100%) create mode 100644 testing/btest/scripts/base/protocols/ssl/keyexchange.test delete mode 100644 testing/btest/scripts/policy/protocols/ssl/ssl-verbose.test diff --git a/CHANGES b/CHANGES index 3d124b1c5a..c664bca820 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,19 @@ +2.5-358 | 2017-11-28 12:28:14 -0800 + + * Extend the TLS analyzer with several events containing cryptographic + parameters from the client and server key exchanges. + + The new events are: + + ssl_ecdh_server_params, ssl_dh_server_params, ssl_server_signature, + ssl_ecdh_client_params, ssl_dh_client_params, ssl_rsa_client_pms + + Since ssl_ecdh_server_params contains more information than the old + ssl_server_curve event, ssl_server_curve is now marked as deprecated. + + (Luke Valenta) + 2.5-352 | 2017-11-21 13:21:51 -0600 * Fix assignments to event arguments becoming visible to subsequent diff --git a/NEWS b/NEWS index 6d35a8978b..d25c0920cf 100644 --- a/NEWS +++ b/NEWS @@ -26,6 +26,16 @@ New Functionality - The SSL scripts provide a new hook "ssl_finishing(c: connection)" to trigger actions after the handshake has concluded. +- New functionality has been added to the TLS parser, adding several + events. These events mostly extract information from the server and client + key exchange messages. The new events are: + + ssl_ecdh_server_params, ssl_dh_server_params, ssl_server_signature, + ssl_ecdh_client_params, ssl_dh_client_params, ssl_rsa_client_pms + + Since ssl_ecdh_server_params contains more information than the old + ssl_server_curve event, ssl_server_curve is now marked as deprecated. + Changed Functionality --------------------- @@ -34,6 +44,10 @@ Changed Functionality "application/x-x509-user-cert" for host certificates and "application/x-x509-ca-cert" for CA certificates. +- With the new ssl_ecdh_server_params event, the ssl_server_curve + event is considered deprecated and will be removed in a future + version of Bro. + Removed Functionality --------------------- diff --git a/VERSION b/VERSION index 0ddfa81ebe..d05adf51f7 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-352 +2.5-358 diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index f806449368..5a50d4a4c3 100644 
--- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro @@ -224,7 +224,7 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, server_ c$ssl$resumed = T; } -event ssl_server_curve(c: connection, curve: count) &priority=5 +event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priority=5 { set_session(c); diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index 804ae14d22..7c828241d0 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -101,7 +101,6 @@ @load protocols/ssl/validate-ocsp.bro @load protocols/ssl/validate-sct.bro @load protocols/ssl/weak-keys.bro -@load protocols/ssl/ssl-verbose.bro @load tuning/__load__.bro @load tuning/defaults/__load__.bro @load tuning/defaults/extracted_file_limits.bro diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index cad453844a..890f6da396 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -108,10 +108,9 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm -## ssl_extension_key_share +## ssl_extension_key_share ssl_rsa_client_pms ssl_server_signature ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params -## ssl_rsa_client_pms ssl_server_signature event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%); ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension 
@@ -182,6 +181,9 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%) ## ## curve: The curve. ## +## .. note:: This event is deprecated and superseded by the ssl_ecdh_server_params +## event. This event will be removed in a future version of Bro. +## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation @@ -189,11 +191,11 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%) ## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params ## ssl_rsa_client_pms ssl_server_signature -event ssl_server_curve%(c: connection, curve: count%); +event ssl_server_curve%(c: connection, curve: count%) &deprecated; -## Generated if a server uses an ECDH-anon or ECDHE cipher suite. This event -## contains the server ECDH parameters, which are sent in the ServerKeyExchange -## message as defined in :rfc:`4492`. +## Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve +## This event contains the named curve name and the server ECDH parameters contained +## in the ServerKeyExchange message as defined in :rfc:`4492`. ## ## c: The connection. ## @@ -207,7 +209,7 @@ event ssl_server_curve%(c: connection, curve: count%); event ssl_ecdh_server_params%(c: connection, curve: count, point: string%); ## Generated if a server uses a DH-anon or DHE cipher suite. This event contains -## the server DH parameters, which are sent in the ServerKeyExchange message as +## the server DH parameters, contained in the ServerKeyExchange message as ## defined in :rfc:`5246`. ## ## c: The connection. 
@@ -225,14 +227,14 @@ event ssl_ecdh_server_params%(c: connection, curve: count, point: string%); event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## Generated if a server uses a non-anonymous DHE or ECDHE cipher suite. This event -## contains the server signature over the key exchange parameters, which is sent in +## contains the server signature over the key exchange parameters contained in ## the ServerKeyExchange message as defined in :rfc:`4492` and :rfc:`5246`. ## ## c: The connection. ## ## signed_params: A hash of the server params, with the signature appropriate to ## that hash applied. The private key corresponding to the certified -## public key in the server's Certificate message is used for signing. +## public key in the server's certificate message is used for signing. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_server_curve ssl_rsa_client_pms @@ -240,7 +242,7 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); event ssl_server_signature%(c: connection, signed_params: string%); ## Generated if a client uses an ECDH-anon or ECDHE cipher suite. This event -## contains the client ECDH public value, which is sent in the ClientKeyExchange +## contains the client ECDH public value contained in the ClientKeyExchange ## message as defined in :rfc:`4492`. ## ## c: The connection. @@ -253,7 +255,7 @@ event ssl_server_signature%(c: connection, signed_params: string%); event ssl_ecdh_client_params%(c: connection, point: string%); ## Generated if a client uses a DH-anon or DHE cipher suite. This event contains -## the client DH parameters, which are sent in the ClientKeyExchange message as +## the client DH parameters contained in the ClientKeyExchange message as ## defined in :rfc:`5246`. ## ## c: The connection. 
@@ -265,7 +267,7 @@ event ssl_ecdh_client_params%(c: connection, point: string%); ## ssl_ecdh_server_params ssl_ecdh_client_params ssl_rsa_client_pms event ssl_dh_client_params%(c: connection, Yc: string%); -## Generate if a client uses an RSA key exchange. This event contains the client +## Generated if a client uses RSA key exchange. This event contains the client ## encrypted pre-master secret which is encrypted using the public key of the ## server's certificate as defined in :rfc:`5246`. ## diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 6555ccedc2..ae62f610e7 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac 
@@ -272,46 +272,50 @@ refine connection Handshake_Conn += { return true; %} - function proc_ecdhe_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16, point: bytestring, signed_params: bytestring) : bool + function proc_ecdhe_server_key_exchange(kex: EcdheServerKeyExchange) : bool %{ - if ( curve_type == NAMED_CURVE ) - BifEvent::generate_ssl_server_curve(bro_analyzer(), - bro_analyzer()->Conn(), curve); - BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), curve, new StringVal(point.length(), (const char*)point.data())); - BifEvent::generate_ssl_server_signature(bro_analyzer(), - bro_analyzer()->Conn(), new StringVal(signed_params.length(), (const char*)signed_params.data())); + if ( ${kex.curve_type} != NAMED_CURVE ) + return true; + + BifEvent::generate_ssl_server_curve(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}); + BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); + BifEvent::generate_ssl_server_signature(bro_analyzer(), + bro_analyzer()->Conn(), new StringVal(${kex.params.signed_params}.length(), (const char*)${kex.params.signed_params}.data())); return true; %} - function proc_ecdh_anon_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16, point: bytestring) : bool + function proc_ecdh_anon_server_key_exchange(kex: EcdhAnonServerKeyExchange) : bool %{ - if ( curve_type == NAMED_CURVE ) - BifEvent::generate_ssl_server_curve(bro_analyzer(), - bro_analyzer()->Conn(), curve); - BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), - bro_analyzer()->Conn(), curve, new StringVal(point.length(), (const char*)point.data())); + if ( ${kex.curve_type} != NAMED_CURVE ) + return true; + + BifEvent::generate_ssl_server_curve(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}); + 
BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); return true; %} function proc_rsa_client_key_exchange(rec: HandshakeRecord, rsa_pms: bytestring) : bool %{ - BifEvent::generate_ssl_rsa_client_pms(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(rsa_pms.length(), (const char*)rsa_pms.data())); - return true; + BifEvent::generate_ssl_rsa_client_pms(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(rsa_pms.length(), (const char*)rsa_pms.data())); + return true; %} function proc_dh_client_key_exchange(rec: HandshakeRecord, Yc: bytestring) : bool %{ - BifEvent::generate_ssl_dh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(Yc.length(), (const char*)Yc.data())); - return true; + BifEvent::generate_ssl_dh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(Yc.length(), (const char*)Yc.data())); + return true; %} function proc_ecdh_client_key_exchange(rec: HandshakeRecord, point: bytestring) : bool %{ - BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data())); - return true; + BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data())); + return true; %} function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool 
@@ -438,11 +442,11 @@ refine typeattr CertificateStatus += &let { }; refine typeattr EcdheServerKeyExchange += &let { - proc : bool = $context.connection.proc_ecdhe_server_key_exchange(rec, curve_type, curve, point, signed_params); + proc : bool = $context.connection.proc_ecdhe_server_key_exchange(this); }; refine typeattr EcdhAnonServerKeyExchange += &let { - proc : bool = $context.connection.proc_ecdh_anon_server_key_exchange(rec, curve_type, curve, point); + proc : bool = $context.connection.proc_ecdh_anon_server_key_exchange(this); }; refine typeattr DheServerKeyExchange += &let { diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index 6a4584bb03..43bca802d2 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -360,10 +360,10 @@ type ServerKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_c # currently supported. type EcdheServerKeyExchange(rec: HandshakeRecord) = record { curve_type: uint8; - curve: uint16; # only if curve_type = 3 (NAMED_CURVE) - point_length: uint8; - point: bytestring &length=point_length; - signed_params: bytestring &restofdata; + named_curve: case curve_type of { + NAMED_CURVE -> params: ServerEDCHParamsAndSignature; + default -> data: bytestring &restofdata &transient; + }; }; # Parse an ECDH-anon ServerKeyExchange message, which does not contain a 
@@ -371,11 +371,18 @@ type EcdheServerKeyExchange(rec: HandshakeRecord) = record { # server is not currently supported. type EcdhAnonServerKeyExchange(rec: HandshakeRecord) = record { curve_type: uint8; - curve: uint16; # only if curve_type = 3 (NAMED_CURVE) + named_curve: case curve_type of { + NAMED_CURVE -> params: ServerEDCHParamsAndSignature; + default -> data: bytestring &restofdata &transient; + }; +}; + +type ServerEDCHParamsAndSignature() = record { + curve: uint16; point_length: uint8; point: bytestring &length=point_length; - data: bytestring &restofdata &transient; -}; + signed_params: bytestring &restofdata; # only present in case of non-anon message +} # Parse a DHE ServerKeyExchange message, which contains a signature over the # parameters. diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.ssl-verbose/ssl-all.log b/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log similarity index 100% rename from testing/btest/Baseline/scripts.policy.protocols.ssl.ssl-verbose/ssl-all.log rename to testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log diff --git a/testing/btest/scripts/base/protocols/ssl/keyexchange.test b/testing/btest/scripts/base/protocols/ssl/keyexchange.test new file mode 100644 index 0000000000..1bae07c7f8 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/keyexchange.test 
@@ -0,0 +1,116 @@ +# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT +# @TEST-EXEC: cat ssl.log > ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: btest-diff ssl-all.log + +# Test the new client and server key exchange events. + +@load base/protocols/ssl +@load base/files/x509 +@load protocols/ssl/extract-certs-pem.bro + +module SSL; + +export { + redef record Info += { + # ClientHello + client_random: string &log &optional; + client_cipher_suites: string &log &optional; + + # ServerHello + server_random: string &log &optional; + + # ServerKeyExchange + server_dh_p: string &log &optional; + server_dh_q: string &log &optional; + server_dh_Ys: string &log &optional; + server_ecdh_point: string &log &optional; + server_signature: string &log &optional; + + # ServerCertificate + server_cert_sha1: string &log &optional; + + # ClientKeyExchange + client_rsa_pms: string &log &optional; + client_dh_Yc: string &log &optional; + client_ecdh_point: string &log &optional; + }; + + ## Control if host certificates offered by the defined hosts + ## will be written to the PEM certificates file. + ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS. + redef extract_certs_pem = ALL_HOSTS; +} + +event ssl_established(c: connection) &priority=5 + { + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || + ! 
c$ssl$cert_chain[0]?$x509 ) + return; + + c$ssl$server_cert_sha1 = c$ssl$cert_chain[0]$sha1; + } + +event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5 + { + set_session(c); + c$ssl$client_random = bytestring_to_hexstr(client_random); + + local ciphers_str = ""; + for (i in ciphers) + { + ciphers_str += cipher_desc[ciphers[i]]; + if ( i != |ciphers|-1) + { + ciphers_str += ","; + } + } + c$ssl$client_cipher_suites = ciphers_str; + } + +event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5 + { + set_session(c); + c$ssl$server_random = bytestring_to_hexstr(server_random); + } + +event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=5 + { + set_session(c); + c$ssl$server_dh_p = bytestring_to_hexstr(p); + c$ssl$server_dh_q = bytestring_to_hexstr(q); + c$ssl$server_dh_Ys = bytestring_to_hexstr(Ys); + } + +event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priority=5 + { + set_session(c); + c$ssl$server_ecdh_point = bytestring_to_hexstr(point); + } + +event ssl_server_signature(c: connection, signed_params: string) &priority=5 + { + set_session(c); + c$ssl$server_signature = bytestring_to_hexstr(signed_params); + } + +event ssl_rsa_client_pms(c: connection, pms: string) &priority=5 + { + set_session(c); + c$ssl$client_rsa_pms = bytestring_to_hexstr(pms); + } + +event ssl_dh_client_params(c: connection, Yc: string) &priority=5 + { + set_session(c); + c$ssl$client_dh_Yc = bytestring_to_hexstr(Yc); + } + +event ssl_ecdh_client_params(c: connection, point: string) &priority=5 + { + set_session(c); + c$ssl$client_ecdh_point = bytestring_to_hexstr(point); + } 
diff --git a/testing/btest/scripts/policy/protocols/ssl/ssl-verbose.test b/testing/btest/scripts/policy/protocols/ssl/ssl-verbose.test deleted file mode 100644 index 253f76c158..0000000000 --- a/testing/btest/scripts/policy/protocols/ssl/ssl-verbose.test +++ /dev/null @@ -1,9 +0,0 @@ -# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT -# @TEST-EXEC: cat ssl.log > ssl-all.log -# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT -# @TEST-EXEC: cat ssl.log >> ssl-all.log -# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace %INPUT -# @TEST-EXEC: cat ssl.log >> ssl-all.log -# @TEST-EXEC: btest-diff ssl-all.log - -@load protocols/ssl/ssl-verbose From 88f98489a2b85f0ab909a3284eae2eee5b9c27a5 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 28 Nov 2017 13:45:50 -0800 Subject: [PATCH 249/631] Add more details to ssl_server_signature. This splits out the signature and the hash algorithm from the actual signature. --- src/analyzer/protocol/ssl/events.bif | 11 +++--- .../protocol/ssl/tls-handshake-analyzer.pac | 18 +++++++--- .../protocol/ssl/tls-handshake-protocol.pac | 13 +++++-- .../ssl-all.log | 34 +++++++++---------- .../base/protocols/ssl/keyexchange.test | 8 +++-- 5 files changed, 55 insertions(+), 29 deletions(-) diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 890f6da396..7b919c4587 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif 
@@ -232,14 +232,17 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## ## c: The connection. ## -## signed_params: A hash of the server params, with the signature appropriate to -## that hash applied. The private key corresponding to the certified -## public key in the server's certificate message is used for signing. +## signature_and_hashalgorithm: signature and hash algorithm used for the +## digitally_signed struct +## +## signature: Signature part of the digitally_signed struct. The private key +## corresponding to the certified public key in the server's certificate +## message is used for signing. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_server_curve ssl_rsa_client_pms ## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params -event ssl_server_signature%(c: connection, signed_params: string%); +event ssl_server_signature%(c: connection, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); ## Generated if a client uses an ECDH-anon or ECDHE cipher suite. This event ## contains the client ECDH public value contained in the ClientKeyExchange diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index ae62f610e7..840d2536c1 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac 
@@ -281,8 +281,13 @@ refine connection Handshake_Conn += { bro_analyzer()->Conn(), ${kex.params.curve}); BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); + + RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); + ha->Assign(0, new Val(${kex.signed_params.algorithm.HashAlgorithm}, TYPE_COUNT)); + ha->Assign(1, new Val(${kex.signed_params.algorithm.SignatureAlgorithm}, TYPE_COUNT)); + BifEvent::generate_ssl_server_signature(bro_analyzer(), - bro_analyzer()->Conn(), new StringVal(${kex.params.signed_params}.length(), (const char*)${kex.params.signed_params}.data())); + bro_analyzer()->Conn(), ha, new StringVal(${kex.signed_params.signature}.length(), (const char*)(${kex.signed_params.signature}).data())); return true; %} @@ -336,7 +341,7 @@ refine connection Handshake_Conn += { return true; %} - function proc_dhe_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring, signed_params: bytestring) : bool + function proc_dhe_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring, signed_params: ServerKeyExchangeSignature) : bool %{ BifEvent::generate_ssl_dh_server_params(bro_analyzer(), bro_analyzer()->Conn(), 
@@ -344,9 +349,14 @@ refine connection Handshake_Conn += { new StringVal(g.length(), (const char*) g.data()), new StringVal(Ys.length(), (const char*) Ys.data()) ); + + RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); + ha->Assign(0, new Val(${signed_params.algorithm.HashAlgorithm}, TYPE_COUNT)); + ha->Assign(1, new Val(${signed_params.algorithm.SignatureAlgorithm}, TYPE_COUNT)); + BifEvent::generate_ssl_server_signature(bro_analyzer(), - bro_analyzer()->Conn(), - new StringVal(signed_params.length(), (const char*) signed_params.data()) + bro_analyzer()->Conn(), ha, + new StringVal(${signed_params.signature}.length(), (const char*)(${signed_params.signature}).data()) ); return true; diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index 43bca802d2..7a86ad7a92 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -364,8 +364,18 @@ type EcdheServerKeyExchange(rec: HandshakeRecord) = record { NAMED_CURVE -> params: ServerEDCHParamsAndSignature; default -> data: bytestring &restofdata &transient; }; + signature: case curve_type of { + NAMED_CURVE -> signed_params: ServerKeyExchangeSignature; + default -> nothing: bytestring &length=0; + }; }; +type ServerKeyExchangeSignature = record { + algorithm: SignatureAndHashAlgorithm; + signature_length: uint16; + signature: bytestring &length=signature_length; +} + # Parse an ECDH-anon ServerKeyExchange message, which does not contain a # signature over the parameters. Parsing explicit curve parameters from the # server is not currently supported. @@ -381,7 +391,6 @@ type ServerEDCHParamsAndSignature() = record { curve: uint16; point_length: uint8; point: bytestring &length=point_length; - signed_params: bytestring &restofdata; # only present in case of non-anon message } # Parse a DHE ServerKeyExchange message, which contains a signature over the 
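Review bot: `ServerKeyExchangeSignature` in the `@@ -364,8 +364,18 @@` hunk always parses a leading `SignatureAndHashAlgorithm`, but that field is on the wire only from TLS 1.2 on; earlier versions send just the two-byte length followed by the signature. Assuming nothing outside these hunks selects by version, a TLS 1.0/1.1 DHE or ECDHE handshake would have its length bytes reported as algorithm identifiers and the first two signature bytes read as `signature_length`, which will usually run past the message and end in a parse error, so the sensor logs wrong values or loses the rest of that handshake. The same record is used by `DheServerKeyExchange` in the `@@ -393,7 +402,7 @@` hunk. I would make the algorithm field conditional on the negotiated version as sketched below and have the analyzer read `algorithm` only when it is present; how the version is obtained in this grammar is not visible here, so the parameter is a stand-in. The baseline traces with a signature in this commit are both TLSv12, so a TLS 1.0 or 1.1 DHE trace would be worth adding.

```binpac
# has_algorithm: true only for TLS 1.2 and later; the caller derives it
# from the negotiated version (stand-in name, source not visible here)
type ServerKeyExchangeSignature(has_algorithm: bool) = record {
	alg: case has_algorithm of {
		true -> algorithm: SignatureAndHashAlgorithm;
		false -> nothing: bytestring &length=0;
	};
	# … unchanged: signature_length, signature …
}
```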
@@ -393,7 +402,7 @@ type DheServerKeyExchange(rec: HandshakeRecord) = record { dh_g: bytestring &length=dh_g_length; dh_Ys_length: uint16; dh_Ys: bytestring &length=dh_Ys_length; - signed_params: bytestring &restofdata; + signed_params: ServerKeyExchangeSignature; }; # Parse a DH-anon ServerKeyExchange message, which does not contain a diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log b/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log index b73201a6b5..bcb3e11484 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log 
@@ -3,30 +3,30 @@ #empty_field (empty) #unset_field - #path ssl -#open 2017-11-09-16-32-54 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point -#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string string string string -1398558136.319509 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 TLSv12 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - - F - - T F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7 (empty) emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - - 1f7f8ae4d8dd45f31ed2e158f5f9ee676b7cb2c92585d8a3e1c2da7e TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV 5c3660849d1ba4081e9c5863f11c64233c045d58380ea393bdca5322 bbbc2dcad84674907c43fcf580e9cfdbd958a3f568b42d4b08eed4eb0fb3504c6c030276e710800c5ccbbaa8922614c5beeca565a5fdf1d287a2bc049be6778060e91a92a757e3048f68b076f7d36cc8f29ba5df81dc2ca725ece66270cc9a5035d8ceceef9ea0274a63ab1e58fafd4988d0f65d146757da071df045cfe16b9b 02 af5e4cde6c7ac4ad3f62f9df82e6a378a1c80fccf26abcbd13120339707baae172c0381abde73c3d607c14706bb8ab4d09dd39c5961ea86114c37f6b803554925a3e4c64c54ed1ba171e52f97fa2df2ef7e52725c62635e4c3ab625a018bfa75b266446f24b8e0c13dcc258db35b52e8ed5add68ca54de905395304cf3e1eeac - 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 c3d48226a8f94d3bbb49918ac02187493258e74e - 
0080545ca1e5a9978e411a23f7ce3b50d2919cb7da2dfd4c97d1dd20db9535d6240b684751b08845d44b780750371c5f229903cf59216bcfbe255de370f9a801177fa0dd11061a0173cd7fe4d740e3a74cc594a8c2510d03039126388730c2c73ca0db5fdad2a2021e9ea025b86dc0ba87aea5629246a4cf0f98726fcda9c89d4483 - -#close 2017-11-09-16-32-54 +#open 2017-11-28-21-44-19 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string count count string string string string string +1398558136.319509 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 TLSv12 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - - F - - T F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7 (empty) emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - - 1f7f8ae4d8dd45f31ed2e158f5f9ee676b7cb2c92585d8a3e1c2da7e TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV 5c3660849d1ba4081e9c5863f11c64233c045d58380ea393bdca5322 bbbc2dcad84674907c43fcf580e9cfdbd958a3f568b42d4b08eed4eb0fb3504c6c030276e710800c5ccbbaa8922614c5beeca565a5fdf1d287a2bc049be6778060e91a92a757e3048f68b076f7d36cc8f29ba5df81dc2ca725ece66270cc9a5035d8ceceef9ea0274a63ab1e58fafd4988d0f65d146757da071df045cfe16b9b 02 
af5e4cde6c7ac4ad3f62f9df82e6a378a1c80fccf26abcbd13120339707baae172c0381abde73c3d607c14706bb8ab4d09dd39c5961ea86114c37f6b803554925a3e4c64c54ed1ba171e52f97fa2df2ef7e52725c62635e4c3ab625a018bfa75b266446f24b8e0c13dcc258db35b52e8ed5add68ca54de905395304cf3e1eeac - 1 6 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 c3d48226a8f94d3bbb49918ac02187493258e74e - 0080545ca1e5a9978e411a23f7ce3b50d2919cb7da2dfd4c97d1dd20db9535d6240b684751b08845d44b780750371c5f229903cf59216bcfbe255de370f9a801177fa0dd11061a0173cd7fe4d740e3a74cc594a8c2510d03039126388730c2c73ca0db5fdad2a2021e9ea025b86dc0ba87aea5629246a4cf0f98726fcda9c89d4483 - +#close 2017-11-28-21-44-19 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path ssl -#open 2017-11-09-16-32-54 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point -#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string string string string -1398529018.678827 CHhAvVGS1DHFjwGM9 192.168.18.50 56981 74.125.239.97 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - d170a048a025925479f1a573610851d30a1f3e7267836932797def95 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV 5cb1fbd2e5c1f3605984d826eca11a8562b3c36d1f70fa44ba2f723c - - - 
04c177ab173fed188d8455b2bd0eeac7c1fc334b5d9d38e651b6a31cbda4a7b62a4a222493711e6aec7590d27292ba300d722841ca52795ca55b9b26d12730b807 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 e2fb0771ee6fc0d0e324bc863c02b57921257c86 - - 4104a92b630b25f4404c632dcf9cf454d1cf685a95f4d7c34e1bed244d1051c6bf9fda52edd0c840620b6ddf7941f9ee8a2684eec11a5a2131a0a3389d1e49122472 -#close 2017-11-09-16-32-54 +#open 2017-11-28-21-44-19 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string count count string string string string string +1398529018.678827 CHhAvVGS1DHFjwGM9 192.168.18.50 56981 74.125.239.97 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - d170a048a025925479f1a573610851d30a1f3e7267836932797def95 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV 5cb1fbd2e5c1f3605984d826eca11a8562b3c36d1f70fa44ba2f723c - - - 04c177ab173fed188d8455b2bd0eeac7c1fc334b5d9d38e651b6a31cbda4a7b62a4a222493711e6aec7590d27292ba300d722841ca52795ca55b9b26d12730b807 1 6 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 e2fb0771ee6fc0d0e324bc863c02b57921257c86 - - 4104a92b630b25f4404c632dcf9cf454d1cf685a95f4d7c34e1bed244d1051c6bf9fda52edd0c840620b6ddf7941f9ee8a2684eec11a5a2131a0a3389d1e49122472 
+#close 2017-11-28-21-44-20 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path ssl -#open 2017-11-09-16-32-55 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point -#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string string string string string string -1170717505.549109 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FeCwNK3rzqPnZ7eBQ5,FfqS7r3rymnsSKq0m2 (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - e6b8efdf91cf44f7eae43c83398fdcb2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 2b658d5183bbaedbf35e8f126ff926b14979cd703d242aea996a5fda - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 008057aaeea52e6d030e54fa9328781fda6f8de80ed8531946bfa8adc4b51ca7502cbce62bae6949f6b865d7125e256643b5ede4dd4cf42107cfa73c418f10881edf38a75f968b507f08f9c1089ef26bfd322cf44c0b746b8e3dff731f2585dcf26abb048d55e661e1d2868ccc9c338e451c30431239f96a00e4843b6aa00ba51785 - - -1170717508.697180 ClEkJM2Vm5giqnMf4h 192.150.187.164 58869 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FjkLnG4s34DVZlaBNc,FpMjNF4snD7UDqI5sk (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - a8a2ab739a64abb4e68cfcfc3470ff6269b1a86858501fbbd1327ed8 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0fac7f7823587c68438c87876533af7b0baa2a8f1078eb8d182247e9 - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 0080891c1b6b5f0ec9da1b38d5ba6efe9c0380219d1ac4e63a0e8993306cddc6944a57c9292beb5652794181f747d0e868b84dca7dfe9783d1baa2ef3bb68d929b2818c5b58b8f47663220f9781fa469fea7e7d17d410d3979aa15a7be651c9f16fbf1a04f87a95e742c3fe20ca6faf0d2e950708533fd3346e17e410f0f86c01f52 - - -1170717511.722913 C4J4Th3PJpwUYZZ6gc 192.150.187.164 58870 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FQXAWgI2FB5STbrff,FUmSiM3TCtsyMGhcd (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - 240604be2f5644c8dfd2e51cc2b3a30171bd58853ed7c6e3fcd18846 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 fd1b8c1308a2caac010fcb76e9bd21987d897cb6c028cdb3176d5904 - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 008032a6f5fd530f342e4d5b4043765005ba018f488800f897c259b005ad2a544f5800e99812d9a6336e84b07e4595d1b8ae00a582d91804fe715c132d1bdb112e66361db80a57a441fc8ea784ea76ec44b9f3a0f9ddc29be68010ff3bcfffc285a294511991d7952cbbfee88a869818bae31f32f7099b0754d9ce75b8fea887e1b8 - - -#close 2017-11-09-16-32-55 +#open 2017-11-28-21-44-20 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string count count string string string string string +1170717505.549109 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 
194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FeCwNK3rzqPnZ7eBQ5,FfqS7r3rymnsSKq0m2 (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - e6b8efdf91cf44f7eae43c83398fdcb2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 2b658d5183bbaedbf35e8f126ff926b14979cd703d242aea996a5fda - - - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 008057aaeea52e6d030e54fa9328781fda6f8de80ed8531946bfa8adc4b51ca7502cbce62bae6949f6b865d7125e256643b5ede4dd4cf42107cfa73c418f10881edf38a75f968b507f08f9c1089ef26bfd322cf44c0b746b8e3dff731f2585dcf26abb048d55e661e1d2868ccc9c338e451c30431239f96a00e4843b6aa00ba51785 - - +1170717508.697180 ClEkJM2Vm5giqnMf4h 192.150.187.164 58869 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FjkLnG4s34DVZlaBNc,FpMjNF4snD7UDqI5sk (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - a8a2ab739a64abb4e68cfcfc3470ff6269b1a86858501fbbd1327ed8 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0fac7f7823587c68438c87876533af7b0baa2a8f1078eb8d182247e9 - - - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 0080891c1b6b5f0ec9da1b38d5ba6efe9c0380219d1ac4e63a0e8993306cddc6944a57c9292beb5652794181f747d0e868b84dca7dfe9783d1baa2ef3bb68d929b2818c5b58b8f47663220f9781fa469fea7e7d17d410d3979aa15a7be651c9f16fbf1a04f87a95e742c3fe20ca6faf0d2e950708533fd3346e17e410f0f86c01f52 - - +1170717511.722913 C4J4Th3PJpwUYZZ6gc 192.150.187.164 58870 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FQXAWgI2FB5STbrff,FUmSiM3TCtsyMGhcd (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - 240604be2f5644c8dfd2e51cc2b3a30171bd58853ed7c6e3fcd18846 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 fd1b8c1308a2caac010fcb76e9bd21987d897cb6c028cdb3176d5904 - - - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 008032a6f5fd530f342e4d5b4043765005ba018f488800f897c259b005ad2a544f5800e99812d9a6336e84b07e4595d1b8ae00a582d91804fe715c132d1bdb112e66361db80a57a441fc8ea784ea76ec44b9f3a0f9ddc29be68010ff3bcfffc285a294511991d7952cbbfee88a869818bae31f32f7099b0754d9ce75b8fea887e1b8 - - +#close 2017-11-28-21-44-20 diff --git a/testing/btest/scripts/base/protocols/ssl/keyexchange.test b/testing/btest/scripts/base/protocols/ssl/keyexchange.test index 1bae07c7f8..79b4106440 100644 --- a/testing/btest/scripts/base/protocols/ssl/keyexchange.test +++ b/testing/btest/scripts/base/protocols/ssl/keyexchange.test @@ -28,6 +28,8 @@ export { server_dh_q: string &log &optional; server_dh_Ys: string &log &optional; server_ecdh_point: string &log &optional; + server_signature_sig_alg: count &log &optional; + server_signature_hash_alg: count &log &optional; server_signature: string &log &optional; # ServerCertificate 
@@ -91,10 +93,12 @@ event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priori c$ssl$server_ecdh_point = bytestring_to_hexstr(point); } -event ssl_server_signature(c: connection, signed_params: string) &priority=5 +event ssl_server_signature(c: connection, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5 { set_session(c); - c$ssl$server_signature = bytestring_to_hexstr(signed_params); + c$ssl$server_signature_sig_alg = signature_and_hashalgorithm$SignatureAlgorithm; + c$ssl$server_signature_hash_alg = signature_and_hashalgorithm$HashAlgorithm; + c$ssl$server_signature = bytestring_to_hexstr(signature); } event ssl_rsa_client_pms(c: connection, pms: string) &priority=5 From f8f343fd3ae5bff315224b30d8a8ac9293da6b14 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 29 Nov 2017 14:01:37 -0600 Subject: [PATCH 250/631] Add --ccache option to configure script (requires CMake 3.10+). This just provides a convient way of indicating that ccache should be used as compiler-wrapper during builds. e.g. when I want dev/debug builds that (re)compile quickly, I do: ./configure --build-type=debug --generator=Ninja --ccache --- CHANGES | 4 ++++ CMakeLists.txt | 12 ++++++++++++ VERSION | 2 +- configure | 5 +++++ 4 files changed, 22 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index c664bca820..f8c54b1b19 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-359 | 2017-11-29 14:01:37 -0600 + + * Add --ccache option to configure script (requires CMake 3.10+). (Corelight) + 2.5-358 | 2017-11-28 12:28:14 -0800 * Extend the TLS analyzer with several events containing cryptographic diff --git a/CMakeLists.txt b/CMakeLists.txt index 31e2346dfe..2abd715732 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -9,6 +9,18 @@ include(cmake/CommonCMakeConfig.cmake) ######################################################################## ## Project/Build Configuration +if ( ENABLE_CCACHE ) + find_program(CCACHE_PROGRAM ccache) + + if ( NOT CCACHE_PROGRAM ) + message(FATAL_ERROR "ccache not found") + endif () + + message(STATUS "Using ccache: ${CCACHE_PROGRAM}") + set(CMAKE_C_COMPILER_LAUNCHER ${CCACHE_PROGRAM}) + set(CMAKE_CXX_COMPILER_LAUNCHER ${CCACHE_PROGRAM}) +endif () + set(BRO_ROOT_DIR ${CMAKE_INSTALL_PREFIX}) if (NOT BRO_SCRIPT_INSTALL_PATH) # set the default Bro script installation path (user did not specify one) diff --git a/VERSION b/VERSION index d05adf51f7..253e551217 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-358 +2.5-359 diff --git a/configure b/configure index 757dfc595b..23b12bfb03 100755 --- a/configure +++ b/configure @@ -25,6 +25,8 @@ Usage: $0 [OPTION]... [VAR=VALUE]... - RelWithDebInfo: optimizations on, debug symbols on, debug flags off --generator=GENERATOR CMake generator to use (see cmake --help) + --ccache use ccache to speed up recompilation (requires + ccache installation and CMake 3.10+) Installation Directories: --prefix=PREFIX installation directory [/usr/local/bro] @@ -169,6 +171,9 @@ while [ $# -ne 0 ]; do --generator=*) CMakeGenerator="$optarg" ;; + --ccache) + append_cache_entry ENABLE_CCACHE BOOL true + ;; --prefix=*) prefix=$optarg append_cache_entry CMAKE_INSTALL_PREFIX PATH $optarg From db6f0280039883f7c21ce0119d93950d366cac9f Mon Sep 17 00:00:00 2001 
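Review bot: The `ENABLE_CCACHE` block sets `CMAKE_C_COMPILER_LAUNCHER` and `CMAKE_CXX_COMPILER_LAUNCHER` without checking the running CMake version, although the commit message and the `configure` help text state that CMake 3.10+ is required. On an older CMake the option could be accepted and the build proceed without the launcher the user asked for. A guard at the top of the block would fail early instead: `if ( CMAKE_VERSION VERSION_LESS 3.10 )`, `message(FATAL_ERROR "ccache support requires CMake 3.10+")`, `endif ()`. It is also worth stating in the help text that `find_program` takes the first `ccache` on the search path, which then wraps every compiler invocation.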
From: Johanna Amann Date: Wed, 29 Nov 2017 13:18:46 -0800 Subject: [PATCH 251/631] Add config framework. The configuration framework consists of three mostly distinct parts: * option variables * the config reader * the script level framework I will describe the three elements in the following. Internally, this commit also performs a range of changes to the Input manager; it marks a lot of functions as const and introduces a new ValueToVal method (which could in theory replace the already existing one - it is a bit more powerful). This also changes SerialTypes to have a subtype for Values, just as Fields already have it; I think it was mostly an oversight that this was not introduced from the beginning. This should not necessitate any code changes for people already using SerialTypes. option variable =============== The option keyword allows variables to be specified as run-time options. Such variables cannot be changed using normal assignments. Instead, they can be changed using Option::set. It is possible to "subscribe" to options and be notified when an option value changes. Change handlers can also change values before they are applied; this gives them the opportunity to reject changes. Priorities can be specified if there are several handlers for one option. Example script: option testbool: bool = T; function option_changed(ID: string, new_value: bool): bool { print fmt("Value of %s changed from %s to %s", ID, testbool, new_value); return new_value; } event bro_init() { print "Old value", testbool; Option::set_change_handler("testbool", option_changed); Option::set("testbool", F); print "New value", testbool; } config reader ============= The config reader provides a way to read configuration files back into Bro. Most importantly it automatically converts values to the correct types. This is important because it is at least inconvenient (and sometimes near impossible) to perform the necessary type conversions in Bro scripts themselves.
This is especially true for sets/vectors. Configuration generally look like this: [option name][tab/spaces][new variable value] so, for example: testaddr 2607:f8b0:4005:801::200e testinterval 60 testtime 1507321987 test_set a b c d erdbeerschnitzel The reader uses the option name to look up the type that variable has in the Bro core and automatically converts the value to the correct type. Example script use: type Idx: record { option_name: string; }; type Val: record { option_val: string; }; global currconfig: table[string] of string = table(); event InputConfig::new_value(name: string, source: string, id: string, value: any) { print id, value; } event bro_init() { Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]); } Script-level config framework ============================= The script-level framework ties these two features together and makes them a bit more convenient to use. Configuration files can simply be specified by placing them into Config::config_files. The framework also creates a config.log that shows all value changes that took place. Usage example: redef Config::config_files += {configfile}; export { option testbool : bool = F; } The file is now monitored for changes; when a change occurs the respective option values are automatically updated and the value change is written to config.log. 
--- doc/script-reference/log-files.rst | 2 + scripts/base/frameworks/config/README | 2 + scripts/base/frameworks/config/__load__.bro | 2 + scripts/base/frameworks/config/input.bro | 76 +++++ scripts/base/frameworks/config/main.bro | 77 +++++ scripts/base/frameworks/input/__load__.bro | 1 + .../base/frameworks/input/readers/ascii.bro | 2 +- .../base/frameworks/input/readers/config.bro | 42 +++ scripts/base/init-bare.bro | 1 + scripts/base/init-default.bro | 1 + src/CMakeLists.txt | 1 + src/Expr.cc | 3 + src/Func.cc | 3 + src/ID.cc | 24 +- src/ID.h | 32 +- src/Var.cc | 12 + src/Var.h | 2 +- src/bro.bif | 5 +- src/broxygen/ScriptInfo.cc | 20 +- src/broxygen/ScriptInfo.h | 1 + src/input/Manager.cc | 243 ++++++++++++-- src/input/Manager.h | 73 +++-- src/input/readers/CMakeLists.txt | 1 + src/input/readers/benchmark/Benchmark.cc | 2 +- src/input/readers/config/CMakeLists.txt | 9 + src/input/readers/config/Config.cc | 310 ++++++++++++++++++ src/input/readers/config/Config.h | 67 ++++ src/input/readers/config/Plugin.cc | 24 ++ src/input/readers/config/config.bif | 6 + src/input/readers/sqlite/SQLite.cc | 2 +- src/option.bif | 155 +++++++++ src/parse.y | 8 +- src/scan.l | 1 + src/threading/SerialTypes.cc | 6 +- src/threading/SerialTypes.h | 20 +- src/threading/formatters/Ascii.cc | 19 +- .../core.check-unused-event-handlers/.stderr | 1 + .../Baseline/core.option-errors-2/.stderr | 1 + .../Baseline/core.option-errors-3/.stderr | 1 + .../Baseline/core.option-errors-4/.stderr | 1 + .../btest/Baseline/core.option-errors/.stderr | 1 + .../Baseline/core.option-priorities/.stdout | 6 + .../btest/Baseline/core.option-redef/.stdout | 1 + .../core.option-runtime-errors-10/.stderr | 1 + .../core.option-runtime-errors-11/.stderr | 1 + .../core.option-runtime-errors-12/.stderr | 1 + .../core.option-runtime-errors-13/.stderr | 1 + .../core.option-runtime-errors-2/.stderr | 1 + .../core.option-runtime-errors-3/.stderr | 1 + .../core.option-runtime-errors-4/.stderr | 1 + 
.../core.option-runtime-errors-5/.stderr | 1 + .../core.option-runtime-errors-6/.stderr | 1 + .../core.option-runtime-errors-7/.stderr | 1 + .../core.option-runtime-errors-8/.stderr | 1 + .../core.option-runtime-errors-9/.stderr | 1 + .../core.option-runtime-errors/.stderr | 1 + .../canonified_loaded_scripts.log | 3 + .../canonified_loaded_scripts.log | 6 + .../btest/Baseline/coverage.find-bro-logs/out | 1 + .../Baseline/doc.broxygen.example/example.rst | 8 +- testing/btest/Baseline/plugins.hooks/output | 44 ++- .../bro.config.log | 23 ++ .../bro.config.log | 23 ++ .../bro.config.log | 19 ++ .../bro.config.log | 26 ++ .../scripts.base.frameworks.input.basic/out | 2 +- .../out | 28 ++ .../errout | 14 + testing/btest/core/option-errors.bro | 18 + testing/btest/core/option-priorities.bro | 28 ++ testing/btest/core/option-redef.bro | 12 + testing/btest/core/option-runtime-errors.bro | 104 ++++++ .../scripts/base/frameworks/config/basic.bro | 52 +++ .../base/frameworks/config/read_config.bro | 56 ++++ .../base/frameworks/config/several-files.bro | 50 +++ .../base/frameworks/config/updates.bro | 76 +++++ .../scripts/base/frameworks/input/basic.bro | 7 +- .../base/frameworks/input/config/basic.bro | 75 +++++ .../base/frameworks/input/config/errors.bro | 66 ++++ 79 files changed, 1910 insertions(+), 111 deletions(-) create mode 100644 scripts/base/frameworks/config/README create mode 100644 scripts/base/frameworks/config/__load__.bro create mode 100644 scripts/base/frameworks/config/input.bro create mode 100644 scripts/base/frameworks/config/main.bro create mode 100644 scripts/base/frameworks/input/readers/config.bro create mode 100644 src/input/readers/config/CMakeLists.txt create mode 100644 src/input/readers/config/Config.cc create mode 100644 src/input/readers/config/Config.h create mode 100644 src/input/readers/config/Plugin.cc create mode 100644 src/input/readers/config/config.bif create mode 100644 src/option.bif create mode 100644 
testing/btest/Baseline/core.option-errors-2/.stderr create mode 100644 testing/btest/Baseline/core.option-errors-3/.stderr create mode 100644 testing/btest/Baseline/core.option-errors-4/.stderr create mode 100644 testing/btest/Baseline/core.option-errors/.stderr create mode 100644 testing/btest/Baseline/core.option-priorities/.stdout create mode 100644 testing/btest/Baseline/core.option-redef/.stdout create mode 100644 testing/btest/Baseline/core.option-runtime-errors-10/.stderr create mode 100644 testing/btest/Baseline/core.option-runtime-errors-11/.stderr create mode 100644 testing/btest/Baseline/core.option-runtime-errors-12/.stderr create mode 100644 testing/btest/Baseline/core.option-runtime-errors-13/.stderr create mode 100644 testing/btest/Baseline/core.option-runtime-errors-2/.stderr create mode 100644 testing/btest/Baseline/core.option-runtime-errors-3/.stderr create mode 100644 testing/btest/Baseline/core.option-runtime-errors-4/.stderr create mode 100644 testing/btest/Baseline/core.option-runtime-errors-5/.stderr create mode 100644 testing/btest/Baseline/core.option-runtime-errors-6/.stderr create mode 100644 testing/btest/Baseline/core.option-runtime-errors-7/.stderr create mode 100644 testing/btest/Baseline/core.option-runtime-errors-8/.stderr create mode 100644 testing/btest/Baseline/core.option-runtime-errors-9/.stderr create mode 100644 testing/btest/Baseline/core.option-runtime-errors/.stderr create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.basic/bro.config.log create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.read_config/bro.config.log create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.several-files/bro.config.log create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.updates/bro.config.log create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.config.basic/out create mode 100644 
testing/btest/Baseline/scripts.base.frameworks.input.config.errors/errout create mode 100644 testing/btest/core/option-errors.bro create mode 100644 testing/btest/core/option-priorities.bro create mode 100644 testing/btest/core/option-redef.bro create mode 100644 testing/btest/core/option-runtime-errors.bro create mode 100644 testing/btest/scripts/base/frameworks/config/basic.bro create mode 100644 testing/btest/scripts/base/frameworks/config/read_config.bro create mode 100644 testing/btest/scripts/base/frameworks/config/several-files.bro create mode 100644 testing/btest/scripts/base/frameworks/config/updates.bro create mode 100644 testing/btest/scripts/base/frameworks/input/config/basic.bro create mode 100644 testing/btest/scripts/base/frameworks/input/config/errors.bro diff --git a/doc/script-reference/log-files.rst b/doc/script-reference/log-files.rst index e8550ee41c..a0720ff7c9 100644 --- a/doc/script-reference/log-files.rst +++ b/doc/script-reference/log-files.rst @@ -14,6 +14,8 @@ Network Protocols +============================+=======================================+=================================+ | conn.log | TCP/UDP/ICMP connections | :bro:type:`Conn::Info` | +----------------------------+---------------------------------------+---------------------------------+ +| config.log | Configuration option changes | :bro:type:`Config::Info` | ++----------------------------+---------------------------------------+---------------------------------+ | dce_rpc.log | Distributed Computing Environment/RPC | :bro:type:`DCE_RPC::Info` | +----------------------------+---------------------------------------+---------------------------------+ | dhcp.log | DHCP leases | :bro:type:`DHCP::Info` | diff --git a/scripts/base/frameworks/config/README b/scripts/base/frameworks/config/README new file mode 100644 index 0000000000..95193b49a3 --- /dev/null +++ b/scripts/base/frameworks/config/README 
@@ -0,0 +1,2 @@
+The configuration famework provides a way to change the Bro configuration
+in "option" values at run-time.
diff --git a/scripts/base/frameworks/config/__load__.bro b/scripts/base/frameworks/config/__load__.bro
new file mode 100644
index 0000000000..0a7a8d0713
--- /dev/null
+++ b/scripts/base/frameworks/config/__load__.bro
@@ -0,0 +1,2 @@
+@load ./main
+@load ./input
diff --git a/scripts/base/frameworks/config/input.bro b/scripts/base/frameworks/config/input.bro
new file mode 100644
index 0000000000..9ebcd3a4a9
--- /dev/null
+++ b/scripts/base/frameworks/config/input.bro
@@ -0,0 +1,76 @@
+##! File input for the configuration framework using the input framework.
+
+@load ./main
+@load base/frameworks/cluster
+
+module Config;
+
+export {
+ ## Configuration files that will be read off disk. Files are reread
+ ## every time they are updated so updates should be atomic with "mv"
+ ## instead of writing the file in place.
+ ##
+ ## If the same configuration option is defined in several files with
+ ## different values, behavior is unspecified.
+ const config_files: set[string] = {} &redef;
+
+ ## Read specified configuration file and apply values; updates to file
+ ## are not tracked.
+ global read_config: function(filename: string);
+}
+
+global current_config: table[string] of string = table();
+
+type ConfigItem: record {
+ option_nv: string;
+};
+
+type EventFields: record {
+ option_name: string;
+ option_val: string;
+};
+
+event config_line(description: Input::EventDescription, tpe: Input::Event, p: EventFields)
+ {
+ }
+
+event bro_init() &priority=5
+ {
+ if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER )
+ return;
+
+ for ( fi in config_files )
+ Input::add_table([$reader=Input::READER_CONFIG,
+ $mode=Input::REREAD,
+ $source=fi,
+ $name=cat("config-", fi),
+ $idx=ConfigItem,
+ $val=ConfigItem,
+ $want_record=F,
+ $destination=current_config]);
+ }
+
+event InputConfig::new_value(name: string, source: string, id: string, value: any)
+ {
+ if ( sub_bytes(name, 1, 7) != "config-" || source !in config_files )
+ if ( sub_bytes(name, 1, 15) != "config-oneshot-" )
+ return;
+
+ Option::set(id, value, source);
+ }
+
+function read_config(filename: string)
+ {
+ if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER )
+ return;
+
+ local iname = cat("config-oneshot-", filename);
+
+ Input::add_event([$reader=Input::READER_CONFIG,
+ $mode=Input::MANUAL,
+ $source=filename,
+ $name=iname,
+ $fields=EventFields,
+ $ev=config_line]);
+ Input::remove(iname);
+ }
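Review bot: In the `InputConfig::new_value` handler the one-shot path is accepted on the stream-name prefix `config-oneshot-` alone, whereas the reread path also requires `source in config_files`; nothing in this hunk ties a one-shot stream to a `read_config` call, so any stream that uses the config reader with a name of that shape has its lines applied through `Option::set`. Recording the filenames passed to `read_config` in a module-level set and checking `source` against it in the handler would make both paths equally strict. The `config_files` comment should also say that write access to a listed file is equivalent to changing any option at run-time, e.g. `## Restrict write access to these files and their directories: every line read is applied via Option::set.` The result of `Option::set` is discarded here; whether a failed set is reported elsewhere depends on option.bif, which is outside this hunk.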
diff --git a/scripts/base/frameworks/config/main.bro b/scripts/base/frameworks/config/main.bro
new file mode 100644
index 0000000000..372bb10eb4
--- /dev/null
+++ b/scripts/base/frameworks/config/main.bro
@@ -0,0 +1,77 @@ +##! The configuration framework provides a way to change Bro options +##! (as specified by the option keyword) at runtime. It also logs runtime changes +##! to options to config.log. + +module Config; + +export { + ## The config logging stream identifier. + redef enum Log::ID += { LOG }; + + ## Represents the data in config.log. + type Info: record { + ## Timestamp at which the configuration change occured. + ts: time &log; + ## ID of the value that was changed. + id: string &log; + ## Value before the change. + old_value: string &log; + ## Value after the change. + new_value: string &log; + ## Optional location that triggered the change. + location: string &optional &log; + }; + + ## Event that can be handled to access the :bro:type:`Config::Info` + ## record as it is sent on to the logging framework. + global log_config: event(rec: Info); +} + +function format_value(value: any) : string + { + local tn = type_name(value); + local part: string_vec = vector(); + if ( /^set/ in tn ) + { + local it: set[bool] = value; + for ( sv in it ) + part[|part|] = cat(sv); + return join_string_vec(part, ","); + } + else if ( /^vector/ in tn ) + { + local vit: vector of any = value; + for ( i in vit ) + part[|part|] = cat(vit[i]); + return join_string_vec(part, ","); + } + else if ( tn == "string" ) + return value; + + return cat(value); + } + +function config_option_changed(ID: string, new_value: any, location: string): any + { + local log = Info($ts=network_time(), $id=ID, $old_value=format_value(lookup_ID(ID)), $new_value=format_value(new_value)); + if ( location != "" ) + log$location = location; + Log::write(LOG, log); + return new_value; + } + +event bro_init() &priority=10 + { + Log::create_stream(LOG, [$columns=Info, $ev=log_config, $path="config"]); + + # Iterate over all existing options and add ourselves as change handlers with + # a low priority so that we can log the changes. + local gids = global_ids(); + for ( i in gids ) + { + if ( ! 
gids[i]$option_value ) + next; + + Option::set_change_handler(i, config_option_changed, -100); + } + } diff --git a/scripts/base/frameworks/input/__load__.bro b/scripts/base/frameworks/input/__load__.bro index 9280af0258..1d81e43573 100644 --- a/scripts/base/frameworks/input/__load__.bro +++ b/scripts/base/frameworks/input/__load__.bro @@ -3,4 +3,5 @@ @load ./readers/raw @load ./readers/benchmark @load ./readers/binary +@load ./readers/config @load ./readers/sqlite diff --git a/scripts/base/frameworks/input/readers/ascii.bro b/scripts/base/frameworks/input/readers/ascii.bro index 1d4072e118..ff1d30f3a9 100644 --- a/scripts/base/frameworks/input/readers/ascii.bro +++ b/scripts/base/frameworks/input/readers/ascii.bro @@ -9,7 +9,7 @@ export { ## Please note that the separator has to be exactly one character long. const separator = Input::separator &redef; - ## Separator between set elements. + ## Separator between set and vector elements. ## Please note that the separator has to be exactly one character long. const set_separator = Input::set_separator &redef; diff --git a/scripts/base/frameworks/input/readers/config.bro b/scripts/base/frameworks/input/readers/config.bro new file mode 100644 index 0000000000..f97323d4a5 --- /dev/null +++ b/scripts/base/frameworks/input/readers/config.bro 
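Review bot: `config_option_changed` writes both the previous and the new value of every option to config.log through `format_value`, so an option that holds a credential, API key or similar secret ends up in clear text in a log that is typically shipped and retained more widely than the configuration files themselves. I would add a redefinable set of option IDs whose values are replaced by a placeholder before `Log::write`, as sketched below. Separately, `format_value` binds any set to `set[bool]` regardless of its element type; that appears to rely on the `any` coercion not being checked and deserves a comment saying so.

```bro
	# in the export block:
	## Option IDs whose values are written to config.log as "(redacted)".
	const redacted_options: set[string] = {} &redef;

function config_option_changed(ID: string, new_value: any, location: string): any
	{
	local hide = ID in redacted_options;
	local log = Info($ts=network_time(), $id=ID,
	                 $old_value=hide ? "(redacted)" : format_value(lookup_ID(ID)),
	                 $new_value=hide ? "(redacted)" : format_value(new_value));
	# … unchanged: location assignment, Log::write, return new_value …
```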
@@ -0,0 +1,42 @@
+##! Interface for the config input reader.
+
+module InputConfig;
+
+export {
+ ## Separator between set and vector elements.
+ ## Please note that the separator has to be exactly one character long.
+ const set_separator = Input::set_separator &redef;
+
+ ## String to use for empty fields.
+ const empty_field = Input::empty_field &redef;
+
+ ## Fail on file read problems. If set to true, the config
+ ## input reader will fail when encountering any problems
+ ## while reading a file different from invalid lines.
+ ## Examples of such problems are permission problems, or
+ ## missing files.
+ ## When set to false, these problems will be ignored. This
+ ## has an especially big effect for the REREAD mode, which will
+ ## seamlessly recover from read errors when a file is
+ ## only temporarily inaccessible. For MANUAL or STREAM files,
+ ## errors will most likely still be fatal since no automatic
+ ## re-reading of the file is attempted.
+ ## Individual readers can use a different value using
+ ## the $config table.
+ const fail_on_file_problem = F &redef;
+
+ ## Event that is called when a config option is added or changes.
+ ##
+ ## Note - this does not track the reason for a change (new, changed),
+ ## and also does not track removals. If you need this, combine the event
+ ## with a table reader.
+ ##
+ ## name: name of the input stream.
+ ##
+ ## source: source of the input stream.
+ ##
+ ## id: ID of the configuration option being set.
+ ##
+ ## value: new value of the configuration option being set.
+ global new_value: event(name: string, source: string, id: string, value: any);
+}
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index f2a6816d9d..0756ce1762 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -631,6 +631,7 @@ type script_id: record { exported: bool; ##< True if the identifier is exported. constant: bool; ##< True if the identifier is a constant. enum_constant: bool; ##< True if the identifier is an enum value. + option_value: bool; ##< True if the identifier is an option. redefinable: bool; ##< True if the identifier is declared with the :bro:attr:`&redef` attribute. value: any &optional; ##< The current value of the identifier. }; diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 65b41305c7..8a942eb4df 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -36,6 +36,7 @@ @load base/frameworks/control @load base/frameworks/cluster @load base/frameworks/intel +@load base/frameworks/config @load base/frameworks/reporter @load base/frameworks/sumstats @load base/frameworks/tunnels diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index a564f16b32..982c37a79b 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -124,6 +124,7 @@ set(BIF_SRCS types.bif strings.bif reporter.bif + option.bif ) foreach (bift ${BIF_SRCS}) diff --git a/src/Expr.cc b/src/Expr.cc index bea43ff7c4..a0456fda31 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -283,6 +283,9 @@ Expr* NameExpr::MakeLvalue() if ( id->IsConst() && ! in_const_init ) ExprError("const is not a modifiable lvalue"); + if ( id->IsOption() && ! in_const_init ) + ExprError("option is not a modifiable lvalue"); + return new RefExpr(this); } diff --git a/src/Func.cc b/src/Func.cc index f7877d04a0..e7167eb8ee 100644 --- a/src/Func.cc +++ b/src/Func.cc 
@@ -647,11 +647,13 @@ void builtin_error(const char* msg, BroObj* arg) #include "stats.bif.func_h" #include "reporter.bif.func_h" #include "strings.bif.func_h" +#include "option.bif.func_h" #include "bro.bif.func_def" #include "stats.bif.func_def" #include "reporter.bif.func_def" #include "strings.bif.func_def" +#include "option.bif.func_def" #include "__all__.bif.cc" // Autogenerated for compiling in the bif_target() code. #include "__all__.bif.register.cc" // Autogenerated for compiling in the bif_target() code. @@ -676,6 +678,7 @@ void init_builtin_funcs() #include "stats.bif.func_init" #include "reporter.bif.func_init" #include "strings.bif.func_init" +#include "option.bif.func_init" did_builtin_init = true; } diff --git a/src/ID.cc b/src/ID.cc index efc488449b..a12c856ac0 100644 --- a/src/ID.cc +++ b/src/ID.cc @@ -21,12 +21,13 @@ ID::ID(const char* arg_name, IDScope arg_scope, bool arg_is_export) name = copy_string(arg_name); scope = arg_scope; is_export = arg_is_export; + is_option = false; type = 0; val = 0; attrs = 0; - is_const = 0; - is_enum_const = 0; - is_type = 0; + is_const = false; + is_enum_const = false; + is_type = false; offset = 0; infer_return_type = false; @@ -41,6 +42,8 @@ ID::~ID() Unref(type); Unref(attrs); + for ( auto element : option_handlers ) + Unref(element.second); if ( ! weak_ref ) Unref(val); } @@ -772,3 +775,18 @@ void ID::UpdateValID() } #endif +void ID::AddOptionHandler(Func* callback, int priority) + { + option_handlers.insert({priority, callback}); + } + +vector ID::GetOptionHandlers() const + { + // multimap is sorted + // It might be worth caching this if we expect it to be called + // a lot... + vector v; + for ( auto& element : option_handlers ) + v.push_back(element.second); + return v; + } diff --git a/src/ID.h b/src/ID.h index 2e0d5708a9..7e384d0046 100644 --- a/src/ID.h +++ b/src/ID.h 
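Review bot: The reference-count contract for option handlers is not visible in ID.cc: the `~ID()` hunk calls `Unref` on every entry of `option_handlers`, but `ID::AddOptionHandler` in the last ID.cc hunk stores `callback` without a matching `Ref`. If the caller (presumably option.bif, outside these hunks) does not hand over a reference, the `Func` can be released while script code still holds it. Either take the reference where it is stored, `Ref(callback); option_handlers.insert({priority, callback});`, or document the transfer at the definition, `// Takes ownership of one reference to callback; released in ~ID().` `GetOptionHandlers` likewise returns borrowed pointers in ascending priority order, and its comment could state both facts.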
@@ -11,6 +11,7 @@ class Val; class SerialInfo; +class Func; typedef enum { INIT_NONE, INIT_FULL, INIT_EXTRA, INIT_REMOVE, } init_class; typedef enum { SCOPE_FUNCTION, SCOPE_MODULE, SCOPE_GLOBAL } IDScope; @@ -34,7 +35,7 @@ public: BroType* Type() { return type; } const BroType* Type() const { return type; } - void MakeType() { is_type = 1; } + void MakeType() { is_type = true; } BroType* AsType() { return is_type ? Type() : 0; } const BroType* AsType() const { return is_type ? Type() : 0; } @@ -51,21 +52,24 @@ public: void SetVal(Val* v, init_class c); void SetVal(Expr* ev, init_class c); - int HasVal() const { return val != 0; } + bool HasVal() const { return val != 0; } Val* ID_Val() { return val; } const Val* ID_Val() const { return val; } void ClearVal(); - void SetConst() { is_const = 1; } - int IsConst() const { return is_const; } + void SetConst() { is_const = true; } + bool IsConst() const { return is_const; } - void SetEnumConst() { is_enum_const = 1; } - int IsEnumConst() const { return is_enum_const; } + void SetOption() { is_option = true; } + bool IsOption() const { return is_option; } + + void SetEnumConst() { is_enum_const = true; } + bool IsEnumConst() const { return is_enum_const; } void SetOffset(int arg_offset) { offset = arg_offset; } int Offset() const { return offset; } - int IsRedefinable() const { return FindAttr(ATTR_REDEF) != 0; } + bool IsRedefinable() const { return FindAttr(ATTR_REDEF) != 0; } // Returns true if ID is one of those internal globally unique IDs // to which MutableVals are bound (there name start with a '#'). 
@@ -97,12 +101,18 @@ public: bool Serialize(SerialInfo* info) const; static ID* Unserialize(UnserialInfo* info); - bool DoInferReturnType() { return infer_return_type; } + bool DoInferReturnType() const + { return infer_return_type; } void SetInferReturnType(bool infer) - { infer_return_type = infer; } + { infer_return_type = infer; } virtual TraversalCode Traverse(TraversalCallback* cb) const; + bool HasOptionHandlers() const + { return !option_handlers.empty(); } + void AddOptionHandler(Func* callback, int priority); + vector GetOptionHandlers() const; + protected: ID() { name = 0; type = 0; val = 0; attrs = 0; } @@ -119,10 +129,12 @@ protected: IDScope scope; bool is_export; BroType* type; - int is_const, is_enum_const, is_type; + bool is_const, is_enum_const, is_type, is_option; int offset; Val* val; Attributes* attrs; + // contains list of functions that are called when an option changes + std::multimap option_handlers; bool infer_return_type; bool weak_ref; diff --git a/src/Var.cc b/src/Var.cc index e923e2ec37..ec7c1322bf 100644 --- a/src/Var.cc +++ b/src/Var.cc @@ -142,6 +142,11 @@ static void make_var(ID* id, BroType* t, init_class c, Expr* init, id->Error("&persistant/synchronized with constant"); return; } + else if ( dt == VAR_OPTION ) + { + id->Error("&persistant/synchronized with option"); + return; + } if ( ! id->IsGlobal() ) { @@ -206,6 +211,13 @@ static void make_var(ID* id, BroType* t, init_class c, Expr* init, id->SetConst(); } + if ( dt == VAR_OPTION ) + { + if ( ! init ) + id->Error("option variable must be initialized"); + + id->SetOption(); + } id->UpdateValAttrs(); diff --git a/src/Var.h b/src/Var.h index bcdd45dad2..831c10e90c 100644 --- a/src/Var.h +++ b/src/Var.h 
@@ -10,7 +10,7 @@ class Func; class EventHandlerPtr; -typedef enum { VAR_REGULAR, VAR_CONST, VAR_REDEF, } decl_type; +typedef enum { VAR_REGULAR, VAR_CONST, VAR_REDEF, VAR_OPTION, } decl_type; extern void add_global(ID* id, BroType* t, init_class c, Expr* init, attr_list* attr, decl_type dt); diff --git a/src/bro.bif b/src/bro.bif index 852f806230..fbf2979f37 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -1775,13 +1775,14 @@ function global_ids%(%): id_table rec->Assign(1, new Val(id->IsExport(), TYPE_BOOL)); rec->Assign(2, new Val(id->IsConst(), TYPE_BOOL)); rec->Assign(3, new Val(id->IsEnumConst(), TYPE_BOOL)); - rec->Assign(4, new Val(id->IsRedefinable(), TYPE_BOOL)); + rec->Assign(4, new Val(id->IsOption(), TYPE_BOOL)); + rec->Assign(5, new Val(id->IsRedefinable(), TYPE_BOOL)); if ( id->HasVal() ) { Val* val = id->ID_Val(); Ref(val); - rec->Assign(5, val); + rec->Assign(6, val); } Val* id_name = new StringVal(id->Name()); diff --git a/src/broxygen/ScriptInfo.cc b/src/broxygen/ScriptInfo.cc index f9c5bf2288..c3a9ab8031 100644 --- a/src/broxygen/ScriptInfo.cc +++ b/src/broxygen/ScriptInfo.cc @@ -160,7 +160,7 @@ ScriptInfo::ScriptInfo(const string& arg_name, const string& arg_path) name(arg_name), path(arg_path), is_pkg_loader(SafeBasename(name).result == PACKAGE_LOADER), dependencies(), module_usages(), comments(), id_info(), - options(), constants(), state_vars(), types(), events(), hooks(), + redef_options(), constants(), state_vars(), types(), events(), hooks(), functions(), redefs() { } @@ -219,9 +219,9 @@ void ScriptInfo::DoInitPostScript() { if ( id->FindAttr(ATTR_REDEF) ) { - DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as an option", + DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a redef_option", id->Name(), name.c_str()); - options.push_back(info); + redef_options.push_back(info); } else { 
@@ -232,6 +232,14 @@ void ScriptInfo::DoInitPostScript() continue; } + else if ( id->IsOption() ) + { + DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a redef_option", + id->Name(), name.c_str()); + options.push_back(info); + + continue; + } if ( id->Type()->Tag() == TYPE_ENUM ) // Enums are always referenced/documented from the type's @@ -309,7 +317,8 @@ string ScriptInfo::DoReStructuredText(bool roles_only) const rval += fmt(":Source File: :download:`/scripts/%s`\n", name.c_str()); rval += "\n"; rval += broxygen::make_heading("Summary", '~'); - rval += make_summary("Options", '#', '=', options); + rval += make_summary("Runtime Options", '#', '=', options); + rval += make_summary("Redefinable Options", '#', '=', redef_options); rval += make_summary("Constants", '#', '=', constants); rval += make_summary("State Variables", '#', '=', state_vars); rval += make_summary("Types", '#', '=', types); @@ -319,7 +328,8 @@ string ScriptInfo::DoReStructuredText(bool roles_only) const rval += make_summary("Functions", '#', '=', functions); rval += "\n"; rval += broxygen::make_heading("Detailed Interface", '~'); - rval += make_details("Options", '#', options); + rval += make_details("Runtime Options", '#', options); + rval += make_details("Redefinable Options", '#', redef_options); rval += make_details("Constants", '#', constants); rval += make_details("State Variables", '#', state_vars); rval += make_details("Types", '#', types); diff --git a/src/broxygen/ScriptInfo.h b/src/broxygen/ScriptInfo.h index 146d66f05f..178ebdab44 100644 --- a/src/broxygen/ScriptInfo.h +++ b/src/broxygen/ScriptInfo.h @@ -108,6 +108,7 @@ private: string_set module_usages; std::vector comments; id_info_map id_info; + id_info_list redef_options; id_info_list options; id_info_list constants; id_info_list state_vars; diff --git a/src/input/Manager.cc b/src/input/Manager.cc index d029e38092..85bd127677 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc 
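Review bot: The debug message in the new `else if ( id->IsOption() )` branch of `ScriptInfo::DoInitPostScript` still reads `as a redef_option`, although this branch pushes the identifier onto `options`, the list rendered under "Runtime Options" in the later hunks of this file. The text looks copied from the `ATTR_REDEF` branch and makes the broxygen debug log misleading; `DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a runtime option",` would match what the branch does. The function body starts and ends outside the hunk.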
@@ -711,7 +711,7 @@ bool Manager::CreateTableStream(RecordVal* fval) return true; } -bool Manager::CheckErrorEventTypes(std::string stream_name, Func* ev, bool table) +bool Manager::CheckErrorEventTypes(std::string stream_name, const Func* ev, bool table) const { if ( ev == nullptr ) return true; @@ -899,7 +899,7 @@ bool Manager::RemoveStreamContinuation(ReaderFrontend* reader) } bool Manager::UnrollRecordType(vector *fields, const RecordType *rec, - const string& nameprepend, bool allow_file_func) + const string& nameprepend, bool allow_file_func) const { for ( int i = 0; i < rec->NumFields(); i++ ) { @@ -1007,7 +1007,7 @@ bool Manager::ForceUpdate(const string &name) } -Val* Manager::RecordValToIndexVal(RecordVal *r) +Val* Manager::RecordValToIndexVal(RecordVal *r) const { Val* idxval; @@ -1032,7 +1032,7 @@ Val* Manager::RecordValToIndexVal(RecordVal *r) } -Val* Manager::ValueToIndexVal(const Stream* i, int num_fields, const RecordType *type, const Value* const *vals, bool& have_error) +Val* Manager::ValueToIndexVal(const Stream* i, int num_fields, const RecordType *type, const Value* const *vals, bool& have_error) const { Val* idxval; int position = 0; @@ -1810,7 +1810,7 @@ bool Manager::Delete(ReaderFrontend* reader, Value* *vals) return success; } -bool Manager::CallPred(Func* pred_func, const int numvals, ...) +bool Manager::CallPred(Func* pred_func, const int numvals, ...) const { bool result = false; val_list vl(numvals); @@ -1835,7 +1835,7 @@ bool Manager::CallPred(Func* pred_func, const int numvals, ...) // Raise everything in here as warnings so it is passed to scriptland without // looking "fatal". In addition to these warnings, ReaderBackend will queue // one reporter message. -bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int num_vals, Value* *vals) +bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int num_vals, Value* *vals) const { Stream *i = FindStream(reader); if ( i == 0 ) 
@@ -1871,7 +1871,15 @@ bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int nu val_list* vl = new val_list; for ( int j = 0; j < num_vals; j++) - vl->append(ValueToVal(i, vals[j], type->FieldType(j), convert_error)); + { + Val* v = ValueToVal(i, vals[j], convert_error); + vl->append(v); + if ( v && ! convert_error && ! same_type(type->FieldType(j), v->Type()) ) + { + convert_error = true; + type->FieldType(j)->Error("SendEvent types do not match", v->Type()); + } + } delete_value_ptr_array(vals, num_vals); @@ -1886,7 +1894,7 @@ bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int nu return true; } -void Manager::SendEvent(EventHandlerPtr ev, const int numvals, ...) +void Manager::SendEvent(EventHandlerPtr ev, const int numvals, ...) const { val_list* vl = new val_list; @@ -1905,7 +1913,7 @@ void Manager::SendEvent(EventHandlerPtr ev, const int numvals, ...) mgr.QueueEvent(ev, vl, SOURCE_LOCAL); } -void Manager::SendEvent(EventHandlerPtr ev, list events) +void Manager::SendEvent(EventHandlerPtr ev, list events) const { val_list* vl = new val_list; @@ -1924,7 +1932,7 @@ void Manager::SendEvent(EventHandlerPtr ev, list events) // Convert a bro list value to a bro record value. // I / we could think about moving this functionality to val.cc -RecordVal* Manager::ListValToRecordVal(ListVal* list, RecordType *request_type, int* position) +RecordVal* Manager::ListValToRecordVal(ListVal* list, RecordType *request_type, int* position) const { assert(position != 0 ); // we need the pointer to point to data; @@ -1954,7 +1962,7 @@ RecordVal* Manager::ListValToRecordVal(ListVal* list, RecordType *request_type, // Convert a threading value to a record value RecordVal* Manager::ValueToRecordVal(const Stream* stream, const Value* const *vals, - RecordType *request_type, int* position, bool& have_error) + RecordType *request_type, int* position, bool& have_error) const { assert(position != 0); // we need the pointer to point to data. 
@@ -1991,7 +1999,8 @@ RecordVal* Manager::ValueToRecordVal(const Stream* stream, const Value* const *v // Count the length of the values used to create a correct length buffer for // hashing later -int Manager::GetValueLength(const Value* val) { +int Manager::GetValueLength(const Value* val) const + { assert( val->present ); // presence has to be checked elsewhere int length = 0; @@ -2081,7 +2090,7 @@ int Manager::GetValueLength(const Value* val) { // Given a threading::value, copy the raw data bytes into *data and return how many bytes were copied. // Used for hashing the values for lookup in the bro table -int Manager::CopyValue(char *data, const int startpos, const Value* val) +int Manager::CopyValue(char *data, const int startpos, const Value* val) const { assert( val->present ); // presence has to be checked elsewhere @@ -2205,7 +2214,7 @@ int Manager::CopyValue(char *data, const int startpos, const Value* val) } // Hash num_elements threading values and return the HashKey for them. At least one of the vals has to be ->present. -HashKey* Manager::HashValues(const int num_elements, const Value* const *vals) +HashKey* Manager::HashValues(const int num_elements, const Value* const *vals) const { int length = 0; 
@@ -2251,19 +2260,19 @@ HashKey* Manager::HashValues(const int num_elements, const Value* const *vals) // have_error is a reference to a boolean which is set to true as soon as an error occured. // When have_error is set to true at the beginning of the function, it is assumed that // an error already occured in the past and processing is aborted. -Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_type, bool& have_error) +Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_type, bool& have_error) const { if ( have_error ) - return 0; + return nullptr; if ( request_type->Tag() != TYPE_ANY && request_type->Tag() != val->type ) { reporter->InternalError("Typetags don't match: %d vs %d in stream %s", request_type->Tag(), val->type, i->name.c_str()); - return 0; + return nullptr; } if ( !val->present ) - return 0; // unset field + return nullptr; // unset field switch ( val->type ) { case TYPE_BOOL: @@ -2312,7 +2321,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ case TYPE_SUBNET: { - IPAddr* addr = 0; + IPAddr* addr = nullptr; switch ( val->val.subnet_val.prefix.family ) { case IPv4: addr = new IPAddr(val->val.subnet_val.prefix.in.in4); @@ -2359,7 +2368,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ VectorVal* v = new VectorVal(vt); for ( int j = 0; j < val->val.vector_val.size; j++ ) { - v->Assign(j, ValueToVal(i, val->val.set_val.vals[j], type, have_error)); + v->Assign(j, ValueToVal(i, val->val.vector_val.vals[j], type, have_error)); } Unref(vt); @@ -2384,7 +2393,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ enum_string.c_str(), i->name.c_str()); have_error = true; - return 0; + return nullptr; } return new EnumVal(index, request_type->Ref()->AsEnumType()); 
@@ -2398,9 +2407,177 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ return NULL; } -Manager::Stream* Manager::FindStream(const string &name) +Val* Manager::ValueToVal(const Stream* i, const Value* val, bool& have_error) const { - for ( map::iterator s = readers.begin(); s != readers.end(); ++s ) + if ( have_error ) + return nullptr; + + if ( !val->present ) + return nullptr; // unset field + + switch ( val->type ) { + case TYPE_BOOL: + case TYPE_INT: + return new Val(val->val.int_val, val->type); + break; + + case TYPE_COUNT: + case TYPE_COUNTER: + return new Val(val->val.uint_val, val->type); + + case TYPE_DOUBLE: + case TYPE_TIME: + case TYPE_INTERVAL: + return new Val(val->val.double_val, val->type); + + case TYPE_STRING: + { + BroString *s = new BroString((const u_char*)val->val.string_val.data, val->val.string_val.length, 1); + return new StringVal(s); + } + + case TYPE_PORT: + return new PortVal(val->val.port_val.port, val->val.port_val.proto); + + case TYPE_ADDR: + { + IPAddr* addr = 0; + switch ( val->val.addr_val.family ) { + case IPv4: + addr = new IPAddr(val->val.addr_val.in.in4); + break; + + case IPv6: + addr = new IPAddr(val->val.addr_val.in.in6); + break; + + default: + assert(false); + } + + AddrVal* addrval = new AddrVal(*addr); + delete addr; + return addrval; + } + + case TYPE_SUBNET: + { + IPAddr* addr = nullptr; + switch ( val->val.subnet_val.prefix.family ) { + case IPv4: + addr = new IPAddr(val->val.subnet_val.prefix.in.in4); + break; + + case IPv6: + addr = new IPAddr(val->val.subnet_val.prefix.in.in6); + break; + + default: + assert(false); + } + + SubNetVal* subnetval = new SubNetVal(*addr, val->val.subnet_val.length); + delete addr; + return subnetval; + } + + case TYPE_TABLE: + { + TypeList* set_index; + if ( val->val.set_val.size == 0 && val->subtype == TYPE_VOID ) + // don't know type - unspecified table. + set_index = new TypeList(); + else + { + // all entries have to have the same type... 
+ TypeTag stag = val->subtype; + if ( stag == TYPE_VOID ) + TypeTag stag = val->val.set_val.vals[0]->type; + + set_index = new TypeList(base_type(stag)->Ref()); + set_index->Append(base_type(stag)->Ref()); + } + SetType* s = new SetType(set_index, 0); + TableVal* t = new TableVal(s); + for ( int j = 0; j < val->val.set_val.size; j++ ) + { + Val* assignval = ValueToVal(i, val->val.set_val.vals[j], have_error); + + t->Assign(assignval, 0); + Unref(assignval); // index is not consumed by assign. + } + + Unref(s); + return t; + } + + case TYPE_VECTOR: + { + BroType* type; + if ( val->val.vector_val.size == 0 && val->subtype == TYPE_VOID ) + // don't know type - unspecified table. + type = base_type(TYPE_ANY); + else + { + // all entries have to have the same type... + if ( val->subtype == TYPE_VOID ) + type = base_type(val->val.vector_val.vals[0]->type); + else + type = base_type(val->subtype); + } + + VectorType* vt = new VectorType(type->Ref()); + VectorVal* v = new VectorVal(vt); + for ( int j = 0; j < val->val.vector_val.size; j++ ) + { + v->Assign(j, ValueToVal(i, val->val.vector_val.vals[j], have_error)); + } + + Unref(vt); + return v; + } + + case TYPE_ENUM: { + // Convert to string first to not have to deal with missing + // \0's... + string enum_string(val->val.string_val.data, val->val.string_val.length); + + // let's try looking it up by global ID. + ID* id = lookup_ID(enum_string.c_str(), GLOBAL_MODULE_NAME); + if ( ! id || ! 
id->IsEnumConst() ) + { + Warning(i, "Value '%s' for stream '%s' is not a valid enum.", + enum_string.c_str(), i->name.c_str()); + + have_error = true; + return nullptr; + } + + EnumType* t = id->Type()->AsEnumType(); + int intval = t->Lookup(id->ModuleName(), id->Name()); + if ( intval < 0 ) + { + Warning(i, "Enum value '%s' for stream '%s' not found.", + enum_string.c_str(), i->name.c_str()); + + have_error = true; + return nullptr; + } + + return new EnumVal(intval, t); + } + + default: + reporter->InternalError("Unsupported type for input_read in stream %s", i->name.c_str()); + } + + assert(false); + return NULL; + } + +Manager::Stream* Manager::FindStream(const string &name) const + { + for ( auto s = readers.begin(); s != readers.end(); ++s ) { if ( (*s).second->name == name ) return (*s).second; @@ -2409,9 +2586,9 @@ Manager::Stream* Manager::FindStream(const string &name) return 0; } -Manager::Stream* Manager::FindStream(ReaderFrontend* reader) +Manager::Stream* Manager::FindStream(ReaderFrontend* reader) const { - map::iterator s = readers.find(reader); + auto s = readers.find(reader); if ( s != readers.end() ) return s->second; @@ -2433,7 +2610,7 @@ void Manager::Terminate() } -void Manager::Info(ReaderFrontend* reader, const char* msg) +void Manager::Info(ReaderFrontend* reader, const char* msg) const { Stream *i = FindStream(reader); if ( !i ) @@ -2445,7 +2622,7 @@ void Manager::Info(ReaderFrontend* reader, const char* msg) ErrorHandler(i, ErrorType::INFO, false, "%s", msg); } -void Manager::Warning(ReaderFrontend* reader, const char* msg) +void Manager::Warning(ReaderFrontend* reader, const char* msg) const { Stream *i = FindStream(reader); if ( !i ) 
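Review bot: In the `TYPE_TABLE` case of the new untyped `Manager::ValueToVal`, `if ( stag == TYPE_VOID ) TypeTag stag = val->val.set_val.vals[0]->type;` declares a second `stag` that shadows the outer one, so the element type taken from the first entry is discarded and the set type is built from `base_type(TYPE_VOID)`; drop the type name so it assigns, `stag = val->val.set_val.vals[0]->type;`. The same case passes the result of the recursive call straight to `t->Assign(assignval, 0)`, but that call returns `nullptr` for an element that is not present or once `have_error` is set, so a null check before `Assign` is needed for values that originate from a file. The `TYPE_ADDR` and `TYPE_SUBNET` cases rely on `assert(false)` for an unknown address family and then dereference `addr`, which is a null dereference in builds with assertions disabled; setting `have_error` and returning `nullptr` there would be safer.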
@@ -2457,7 +2634,7 @@ void Manager::Warning(ReaderFrontend* reader, const char* msg) ErrorHandler(i, ErrorType::WARNING, false, "%s", msg); } -void Manager::Error(ReaderFrontend* reader, const char* msg) +void Manager::Error(ReaderFrontend* reader, const char* msg) const { Stream *i = FindStream(reader); if ( !i ) @@ -2469,7 +2646,7 @@ void Manager::Error(ReaderFrontend* reader, const char* msg) ErrorHandler(i, ErrorType::ERROR, false, "%s", msg); } -void Manager::Info(const Stream* i, const char* fmt, ...) +void Manager::Info(const Stream* i, const char* fmt, ...) const { va_list ap; va_start(ap, fmt); @@ -2477,7 +2654,7 @@ void Manager::Info(const Stream* i, const char* fmt, ...) va_end(ap); } -void Manager::Warning(const Stream* i, const char* fmt, ...) +void Manager::Warning(const Stream* i, const char* fmt, ...) const { va_list ap; va_start(ap, fmt); @@ -2485,7 +2662,7 @@ void Manager::Warning(const Stream* i, const char* fmt, ...) va_end(ap); } -void Manager::Error(const Stream* i, const char* fmt, ...) +void Manager::Error(const Stream* i, const char* fmt, ...) const { va_list ap; va_start(ap, fmt); @@ -2493,7 +2670,7 @@ void Manager::Error(const Stream* i, const char* fmt, ...) va_end(ap); } -void Manager::ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, ...) +void Manager::ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, ...) const { va_list ap; va_start(ap, fmt); @@ -2501,7 +2678,7 @@ void Manager::ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, co va_end(ap); } -void Manager::ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap) +void Manager::ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap) const { char* buf; diff --git a/src/input/Manager.h b/src/input/Manager.h index 8296ce9f8b..76f82835a2 100644 --- a/src/input/Manager.h +++ b/src/input/Manager.h 
@@ -98,6 +98,21 @@ public: */ void Terminate(); + /** + * Checks if a Bro type can be used for data reading. Note that + * this function only applies to input streams; the logging framework + * has an equivalent function; however we support logging of a wider + * variety of types (e.g. functions). + * + * @param t The type to check. + * + * @param atomic_only Set to true to forbid non-atomic types + * (records/sets/vectors). + * + * @return True if the type is compatible with the input framework. + */ + static bool IsCompatibleType(BroType* t, bool atomic_only=false); + protected: friend class ReaderFrontend; friend class PutMessage; @@ -130,7 +145,7 @@ protected: // Allows readers to directly send Bro events. The num_vals and vals // must be the same the named event expects. Takes ownership of // threading::Value fields. - bool SendEvent(ReaderFrontend* reader, const string& name, const int num_vals, threading::Value* *vals); + bool SendEvent(ReaderFrontend* reader, const string& name, const int num_vals, threading::Value* *vals) const; // Instantiates a new ReaderBackend of the given type (note that // doing so creates a new thread!). @@ -147,9 +162,9 @@ protected: // Signal Informational messages, warnings and errors. These will be // passed to the error function in scriptland. Note that the messages // are not passed to reporter - this is done in ReaderBackend. - void Info(ReaderFrontend* reader, const char* msg); - void Warning(ReaderFrontend* reader, const char* msg); - void Error(ReaderFrontend* reader, const char* msg); + void Info(ReaderFrontend* reader, const char* msg) const; + void Warning(ReaderFrontend* reader, const char* msg) const; + void Error(ReaderFrontend* reader, const char* msg) const; /** * Deletes an existing input stream. 
@@ -176,7 +191,7 @@ private: // Check if the types of the error_ev event are correct. If table is // true, check for tablestream type, otherwhise check for eventstream // type. - bool CheckErrorEventTypes(std::string stream_name, Func* error_event, bool table); + bool CheckErrorEventTypes(std::string stream_name, const Func* error_event, bool table) const; // SendEntry implementation for Table stream. int SendEntryTable(Stream* i, const threading::Value* const *vals); 
@@ -187,63 +202,63 @@ private: // SendEntry and Put implementation for Event stream. int SendEventStreamEvent(Stream* i, EnumVal* type, const threading::Value* const *vals); - // Checks that a Bro type can be used for data reading. The - // equivalend in threading cannot be used, because we have support - // different types from the log framework - bool IsCompatibleType(BroType* t, bool atomic_only=false); // Check if a record is made up of compatible types and return a list // of all fields that are in the record in order. Recursively unrolls // records - bool UnrollRecordType(vector *fields, const RecordType *rec, const string& nameprepend, bool allow_file_func); + bool UnrollRecordType(vector *fields, const RecordType *rec, const string& nameprepend, bool allow_file_func) const; // Send events - void SendEvent(EventHandlerPtr ev, const int numvals, ...); - void SendEvent(EventHandlerPtr ev, list events); + void SendEvent(EventHandlerPtr ev, const int numvals, ...) const; + void SendEvent(EventHandlerPtr ev, list events) const; // Implementation of SendEndOfData (send end_of_data event). void SendEndOfData(const Stream *i); // Call predicate function and return result. - bool CallPred(Func* pred_func, const int numvals, ...); + bool CallPred(Func* pred_func, const int numvals, ...) const; // Get a hashkey for a set of threading::Values. - HashKey* HashValues(const int num_elements, const threading::Value* const *vals); + HashKey* HashValues(const int num_elements, const threading::Value* const *vals) const; // Get the memory used by a specific value. - int GetValueLength(const threading::Value* val); + int GetValueLength(const threading::Value* val) const; // Copies the raw data in a specific threading::Value to position // startpos. 
- int CopyValue(char *data, const int startpos, const threading::Value* val); + int CopyValue(char *data, const int startpos, const threading::Value* val) const; // Convert Threading::Value to an internal Bro Type (works also with // Records). - Val* ValueToVal(const Stream* i, const threading::Value* val, BroType* request_type, bool& have_error); + Val* ValueToVal(const Stream* i, const threading::Value* val, BroType* request_type, bool& have_error) const; - // Convert Threading::Value to an internal Bro List type. - Val* ValueToIndexVal(const Stream* i, int num_fields, const RecordType* type, const threading::Value* const *vals, bool& have_error); + // Convert Threading::Value to an internal Bro type just using the information given in the threading::Value. + // This allows more flexibility, especially given structures in script-land that contain any types. + Val* ValueToVal(const Stream* i, const threading::Value* val, bool& have_error) const; + + // Convert Threading::Value to an internal Bro list type. + Val* ValueToIndexVal(const Stream* i, int num_fields, const RecordType* type, const threading::Value* const *vals, bool& have_error) const; // Converts a threading::value to a record type. Mostly used by // ValueToVal. - RecordVal* ValueToRecordVal(const Stream* i, const threading::Value* const *vals, RecordType *request_type, int* position, bool& have_error); + RecordVal* ValueToRecordVal(const Stream* i, const threading::Value* const *vals, RecordType *request_type, int* position, bool& have_error) const; - Val* RecordValToIndexVal(RecordVal *r); + Val* RecordValToIndexVal(RecordVal *r) const; // Converts a Bro ListVal to a RecordVal given the record type. - RecordVal* ListValToRecordVal(ListVal* list, RecordType *request_type, int* position); + RecordVal* ListValToRecordVal(ListVal* list, RecordType *request_type, int* position) const; // Internally signal errors, warnings, etc. 
// These are sent on to input scriptland and reporter.log - void Info(const Stream* i, const char* fmt, ...) __attribute__((format(printf, 3, 4))); - void Warning(const Stream* i, const char* fmt, ...) __attribute__((format(printf, 3, 4))); - void Error(const Stream* i, const char* fmt, ...) __attribute__((format(printf, 3, 4))); + void Info(const Stream* i, const char* fmt, ...) const __attribute__((format(printf, 3, 4))); + void Warning(const Stream* i, const char* fmt, ...) const __attribute__((format(printf, 3, 4))); + void Error(const Stream* i, const char* fmt, ...) const __attribute__((format(printf, 3, 4))); enum class ErrorType { INFO, WARNING, ERROR }; - void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, ...) __attribute__((format(printf, 5, 6))); - void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap) __attribute__((format(printf, 5, 0))); + void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, ...) const __attribute__((format(printf, 5, 6))); + void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap) const __attribute__((format(printf, 5, 0))); - Stream* FindStream(const string &name); - Stream* FindStream(ReaderFrontend* reader); + Stream* FindStream(const string &name) const; + Stream* FindStream(ReaderFrontend* reader) const; enum StreamType { TABLE_STREAM, EVENT_STREAM, ANALYSIS_STREAM }; diff --git a/src/input/readers/CMakeLists.txt b/src/input/readers/CMakeLists.txt index 36b7439052..d653789847 100644 --- a/src/input/readers/CMakeLists.txt +++ b/src/input/readers/CMakeLists.txt @@ -2,5 +2,6 @@ add_subdirectory(ascii) add_subdirectory(benchmark) add_subdirectory(binary) +add_subdirectory(config) add_subdirectory(raw) add_subdirectory(sqlite) diff --git a/src/input/readers/benchmark/Benchmark.cc b/src/input/readers/benchmark/Benchmark.cc index 9d962c8c64..49e989909c 100644 
--- a/src/input/readers/benchmark/Benchmark.cc +++ b/src/input/readers/benchmark/Benchmark.cc @@ -125,7 +125,7 @@ bool Benchmark::DoUpdate() threading::Value* Benchmark::EntryToVal(TypeTag type, TypeTag subtype) { - Value* val = new Value(type, true); + Value* val = new Value(type, subtype, true); // basically construct something random from the fields that we want. diff --git a/src/input/readers/config/CMakeLists.txt b/src/input/readers/config/CMakeLists.txt new file mode 100644 index 0000000000..8e4c1aa5aa --- /dev/null +++ b/src/input/readers/config/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Bro ConfigReader) +bro_plugin_cc(Config.cc Plugin.cc) +bro_plugin_bif(config.bif) +bro_plugin_end() diff --git a/src/input/readers/config/Config.cc b/src/input/readers/config/Config.cc new file mode 100644 index 0000000000..d3f0d9e0a5 --- /dev/null +++ b/src/input/readers/config/Config.cc 
@@ -0,0 +1,310 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include +#include +#include + +#include +#include +#include +#include + +#include "Config.h" +#include "config.bif.h" + +#include "input/Manager.h" +#include "threading/SerialTypes.h" + +using namespace input::reader; +using namespace threading; +using threading::Value; +using threading::Field; + +Config::Config(ReaderFrontend *frontend) : ReaderBackend(frontend) + { + mtime = 0; + suppress_warnings = false; + fail_on_file_problem = false; + + // find all option names and their types. + auto globals = global_scope()->Vars(); + auto c = globals->InitForIteration(); + + while ( auto id = globals->NextEntry(c) ) + { + if ( id->IsInternalGlobal() || ! id->IsOption() ) + continue; + + if ( id->Type()->Tag() == TYPE_RECORD || + ! input::Manager::IsCompatibleType(id->Type()) ) + { + option_types[id->Name()] = std::make_tuple(TYPE_ERROR, id->Type()->Tag()); + continue; + } + + TypeTag primary = id->Type()->Tag(); + TypeTag secondary = TYPE_VOID; + if ( primary == TYPE_TABLE ) + secondary = id->Type()->AsSetType()->Indices()->PureType()->Tag(); + else if ( primary == TYPE_VECTOR ) + secondary = id->Type()->AsVectorType()->YieldType()->Tag(); + + option_types[id->Name()] = std::make_tuple(primary, secondary); + } + } + +Config::~Config() + { + } + +void Config::DoClose() + { + } + +bool Config::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fields) + { + fail_on_file_problem = BifConst::InputConfig::fail_on_file_problem; + + set_separator.assign( (const char*) BifConst::InputConfig::set_separator->Bytes(), + BifConst::InputConfig::set_separator->Len()); + + empty_field.assign( (const char*) BifConst::InputConfig::empty_field->Bytes(), + BifConst::InputConfig::empty_field->Len()); + + + formatter::Ascii::SeparatorInfo sep_info("\t", set_separator, "", empty_field); + formatter = unique_ptr(new formatter::Ascii(this, sep_info)); + + return DoUpdate(); + } + 
+bool Config::OpenFile() + { + if ( file.is_open() ) + return true; + + file.open(Info().source); + + if ( ! file.is_open() ) + { + FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s", Info().source), true); + return ! fail_on_file_problem; + } + + suppress_warnings = false; + return true; + } + +void Config::FailWarn(bool is_error, const char *msg, bool suppress_future) + { + if ( is_error ) + Error(msg); + else + { + // suppress error message when we are already in error mode. + // There is no reason to repeat it every second. + if ( ! suppress_warnings ) + Warning(msg); + + if ( suppress_future ) + suppress_warnings = true; + } + } + +bool Config::GetLine(string& str) + { + while ( getline(file, str) ) + { + if ( ! str.size() ) + continue; + + if ( str.back() == '\r' ) // deal with \r\n by removing \r + str.pop_back(); + + if ( str[0] != '#' ) + return true; + } + + return false; + } + +// read the entire file and send appropriate thingies back to InputMgr +bool Config::DoUpdate() + { + if ( ! OpenFile() ) + return ! fail_on_file_problem; + + switch ( Info().mode ) { + case MODE_REREAD: + { + // check if the file has changed + struct stat sb; + if ( stat(Info().source, &sb) == -1 ) + { + FailWarn(fail_on_file_problem, Fmt("Could not get stat for %s", Info().source), true); + + file.close(); + return ! fail_on_file_problem; + } + + if ( sb.st_mtime <= mtime ) // no change + return true; + + mtime = sb.st_mtime; + // file changed. reread. + + // fallthrough + } + + case MODE_MANUAL: + case MODE_STREAM: + { + // dirty, fix me. (well, apparently after trying seeking, etc + // - this is not that bad) + if ( file.is_open() ) + { + if ( Info().mode == MODE_STREAM ) + { + file.clear(); // remove end of file evil bits + break; + } + + file.close(); + } + + OpenFile(); + + break; + } + + default: + assert(false); + } + + string line; + file.sync(); + + // keep a list of options to remove because they were no longer in the input file. 
+ // Start out with all element and removes while going along + std::unordered_set unseen_options; + for ( auto i : option_values ) + { + unseen_options.insert(i.first); + } + + while ( GetLine(line) ) + { + static std::regex re("^(.*?)\\s+(.*)$"); + std::smatch match; + if ( ! std::regex_search(line, match, re) ) + { + Warning(Fmt("Could not parse '%s'; line has invalid format. Ignoring line.", line.c_str())); + continue; + } + + string key = match[1]; + string value = match[2]; + + auto typeit = option_types.find(key); + if ( typeit == option_types.end() ) + { + Warning(Fmt("Option '%s' does not exist. Ignoring line.", key.c_str())); + continue; + } + + if ( std::get<0>((*typeit).second) == TYPE_ERROR ) + { + Warning(Fmt("Option '%s' has type '%s', which is not supported for file input. Ignoring line.", key.c_str(), type_name(std::get<1>((*typeit).second)))); + continue; + } + + Value* eventval = formatter->ParseValue(value, key, std::get<0>((*typeit).second), std::get<1>((*typeit).second)); + if ( ! eventval ) + { + Warning(Fmt("Could not convert line '%s' to Val. Ignoring line.", line.c_str())); + continue; + } + else if ( ! eventval->present ) + { + Warning(Fmt("Line '%s' has no Value. Ignoring line.", line.c_str())); + delete eventval; + continue; + } + + // we only send the event if the underlying value has changed. Let's check that. + // (Yes, this means we keep all configuration options in memory twice - once here in + // the reader and once in memory in Bro; that is difficult to change. 
+ auto search = option_values.find(key); + if ( search != option_values.end() && search->second == value ) + { + delete eventval; + continue; + } + + option_values[key] = value; + unseen_options.erase(key); + + { + Value** fields = new Value*[2]; + Value* keyval = new threading::Value(TYPE_STRING, true); + keyval->val.string_val.length = key.size(); + keyval->val.string_val.data = copy_string(key.c_str()); + fields[0] = keyval; + Value* val = new threading::Value(TYPE_STRING, true); + val->val.string_val.length = value.size(); + val->val.string_val.data = copy_string(value.c_str()); + fields[1] = val; + + if ( Info().mode == MODE_STREAM ) + Put(fields); + else + SendEntry(fields); + } + { + Value** vals = new Value*[4]; + vals[0] = new Value(TYPE_STRING, true); + vals[0]->val.string_val.data = copy_string(Info().name); + vals[0]->val.string_val.length = strlen(Info().name); + vals[1] = new Value(TYPE_STRING, true); + vals[1]->val.string_val.data = copy_string(Info().source); + vals[1]->val.string_val.length = strlen(Info().source); + vals[2] = new Value(TYPE_STRING, true); + vals[2]->val.string_val.data = copy_string(key.c_str()); + vals[2]->val.string_val.length = key.size(); + vals[3] = eventval; + + SendEvent("InputConfig::new_value", 4, vals); + } + } + + if ( Info().mode != MODE_STREAM ) + EndCurrentSend(); + + // clean up all options we did not see + for ( auto i : unseen_options ) + option_values.erase(i); + + return true; + } + +bool Config::DoHeartbeat(double network_time, double current_time) + { + switch ( Info().mode ) + { + case MODE_MANUAL: + // yay, we do nothing :) + break; + + case MODE_REREAD: + case MODE_STREAM: + Update(); // call update and not DoUpdate, because update + // checks disabled. + break; + + default: + assert(false); + } + + return true; + } + diff --git a/src/input/readers/config/Config.h b/src/input/readers/config/Config.h new file mode 100644 index 0000000000..05f1f6b767 --- /dev/null +++ b/src/input/readers/config/Config.h 
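Review bot: In `Config::DoUpdate`, the string field built for the option value sets `string_val.length` from `value.size()` while `string_val.data` comes from `copy_string(value.c_str())`, which can only copy up to the first NUL byte. `getline` keeps embedded NUL bytes and the `.` in the line regex appears to match them, so a configuration line containing one would yield a `Value` whose recorded length exceeds its buffer, and any consumer that trusts the length would read past the allocation. Rejecting such lines in `GetLine` keeps length and data consistent, e.g. `if ( str.find('\0') != string::npos ) continue;` together with a warning. Separately, the `OpenFile()` call in the `MODE_MANUAL`/`MODE_STREAM` branch ignores its return value, so a failed reopen falls through to the read loop and every entry in `option_values` is erased as "unseen".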
@@ -0,0 +1,67 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#ifndef INPUT_READERS_CONFIG_H +#define INPUT_READERS_CONFIG_H + +#include +#include +#include +#include +#include + +#include "input/ReaderBackend.h" +#include "threading/formatters/Ascii.h" + +namespace input { namespace reader { + +/** + * Reader for Configuration files. + */ +class Config : public ReaderBackend { +public: + explicit Config(ReaderFrontend* frontend); + ~Config(); + + // prohibit copying and moving + Config(const Config&) = delete; + Config(Config&&) = delete; + Config& operator=(const Config&) = delete; + Config& operator=(Config&&) = delete; + + static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new Config(frontend); } + +protected: + bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields) override; + void DoClose() override; + bool DoUpdate() override; + bool DoHeartbeat(double network_time, double current_time) override; + +private: + bool GetLine(string& str); + bool OpenFile(); + // Call Warning or Error, depending on the is_error boolean. + // In case of a warning, setting suppress_future to true will suppress all future warnings + // (by setting suppress_warnings to true, until suppress_warnings is set back to false) + void FailWarn(bool is_error, const char *msg, bool suppress_future = false); + + ifstream file; + time_t mtime; + + bool fail_on_file_problem; + // this is an internal indicator in case the read is currently in a failed state + // it's used to suppress duplicate error messages. + bool suppress_warnings; + + string set_separator; + string empty_field; + + std::unique_ptr formatter; + std::unordered_map> option_types; + std::unordered_map option_values; +}; + + +} +} + +#endif /* INPUT_READERS_CONFIG_H */ diff --git a/src/input/readers/config/Plugin.cc b/src/input/readers/config/Plugin.cc new file mode 100644 index 0000000000..77c8a97091 --- /dev/null 
+++ b/src/input/readers/config/Plugin.cc @@ -0,0 +1,24 @@ +// See the file in the main distribution directory for copyright. + +#include "plugin/Plugin.h" + +#include "Config.h" + +namespace plugin { +namespace Bro_ConfigReader { + +class Plugin : public plugin::Plugin { +public: + plugin::Configuration Configure() + { + AddComponent(new ::input::Component("Config", ::input::reader::Config::Instantiate)); + + plugin::Configuration config; + config.name = "Bro::ConfigReader"; + config.description = "Configuration file input reader"; + return config; + } +} plugin; + +} +} diff --git a/src/input/readers/config/config.bif b/src/input/readers/config/config.bif new file mode 100644 index 0000000000..4ca3ec6690 --- /dev/null +++ b/src/input/readers/config/config.bif @@ -0,0 +1,6 @@ + +module InputConfig; + +const set_separator: string; +const empty_field: string; +const fail_on_file_problem: bool; diff --git a/src/input/readers/sqlite/SQLite.cc b/src/input/readers/sqlite/SQLite.cc index c970e60182..40c0f8a063 100644 --- a/src/input/readers/sqlite/SQLite.cc +++ b/src/input/readers/sqlite/SQLite.cc @@ -128,7 +128,7 @@ bool SQLite::DoInit(const ReaderInfo& info, int arg_num_fields, const threading: Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int pos, int subpos) { if ( sqlite3_column_type(st, pos ) == SQLITE_NULL ) - return new Value(field->type, false); + return new Value(field->type, field->subtype, false); Value* val = new Value(field->type, true); diff --git a/src/option.bif b/src/option.bif new file mode 100644 index 0000000000..ecbbacc204 --- /dev/null +++ b/src/option.bif 
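Review bot: Only the NULL-column path of `SQLite::EntryToVal` was switched to the subtype-aware constructor; the context line right after it, `Value* val = new Value(field->type, true);`, still leaves `subtype` at `TYPE_VOID` for values that are present. If consumers are meant to rely on `Value::subtype` for sets and vectors, the present path should match: `Value* val = new Value(field->type, field->subtype, true);`. `EntryToVal` continues outside the hunk.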
@@ -0,0 +1,155 @@ +##! The option built-in functions allow the scripting layer to +##! change the value of option-values and to be notified when +##! option values change. + +module Option; + +%%{ +#include "NetVar.h" +%%} + +## Sets an option to a new value. This change will also cause the option change handlers +## to be called. +## +## ID: The ID of the option to update. +## +## val: The new value of the option. +## +## location: optional parameter detailing where this change originated from. +## +## Returns: true on success, false when an error occured. +## +## .. bro:see:: Option::set_change_handler +function Option::set%(ID: string, val: any, location: string &default=""%): bool + %{ + auto i = global_scope()->Lookup(ID->CheckString()); + if ( ! i ) + { + builtin_error(fmt("Could not find ID named '%s'", ID->CheckString())); + return new Val(0, TYPE_BOOL); + } + if ( ! i->HasVal() ) + { + // should be impossible because initialization is enforced + builtin_error(fmt("ID '%s' has no value", ID->CheckString())); + return new Val(0, TYPE_BOOL); + } + if ( ! i->IsOption() ) + { + builtin_error(fmt("ID '%s' is not an option", ID->CheckString())); + return new Val(0, TYPE_BOOL); + } + if ( ! same_type(i->Type(), val->Type()) ) + { + builtin_error(fmt("Incompatible type for set of ID '%s': got '%s', need '%s'", + ID->CheckString(), type_name(val->Type()->Tag()), type_name(i->Type()->Tag()))); + } + + val->Ref(); + if ( i->HasOptionHandlers() ) + { + for ( auto handler_function : i->GetOptionHandlers() ) + { + val_list vl(2); + vl.append(ID->Ref()); + vl.append(val); + if ( handler_function->FType()->AsFuncType()->ArgTypes()->Types()->length() == 3 ) + vl.append(location->Ref()); + val = handler_function->Call(&vl); // consumed by next call. + if ( ! 
val ) + { + // Someone messed up, don't change value and just return + return new Val(0, TYPE_BOOL); + } + } + } + + // clone to prevent changes + i->SetVal(val->Clone()); + Unref(val); // Either ref'd once or function call result. + return new Val(1, TYPE_BOOL); + %} + +## Set the change handler for the option *ID*. The change handler will be called anytime +## :bro:id:`Option::set` is called fot *ID*. +## +## ID: The ID of the option for which change notifications are desired. +## +## on_change: The function that will be called when a change occurs. The function can choose to +## receive two or three parameters: the first parameter is a string containing *ID*, +## the second parameter is the new option value. If the third, optional, parameter is the +## location string as passed to Option::set. Note that the global value is not yet changed +## when the function is called. The passed function has to return the new value that +## it wants the option to be set to. This enables it to reject changes, or change values +## that are being set. When several change handlers are set for an option they are chained; +## the second change handler will see the return value of the first change handler as the +## "new value". +## +## priority: The priority of the function that was added; functions with higher priority are +## called first, functions with the same priority are called in the order in which +## they were added. +## +## Returns: true when the change handler was set, false when an error occurred. +## +## .. bro:see:: Option::set +function Option::set_change_handler%(ID: string, on_change: any, priority: int &default=0%): bool + %{ + auto i = global_scope()->Lookup(ID->CheckString()); + if ( ! i ) + { + builtin_error(fmt("Could not find ID named '%s'", ID->CheckString())); + return new Val(0, TYPE_BOOL); + } + if ( ! 
i->IsOption() ) + { + builtin_error(fmt("ID '%s' is not an option", ID->CheckString())); + return new Val(0, TYPE_BOOL); + } + + if ( on_change->Type()->Tag() != TYPE_FUNC ) + { + builtin_error(fmt("Option::on_change needs function argument; got '%s' for ID '%s'", + type_name(on_change->Type()->Tag()), ID->CheckString())); + return new Val(0, TYPE_BOOL); + } + if ( on_change->Type()->AsFuncType()->Flavor() != FUNC_FLAVOR_FUNCTION ) + { + builtin_error("Option::on_change needs function argument; not hook or event"); + return new Val(0, TYPE_BOOL); + } + + const type_list* args = on_change->Type()->AsFuncType()->ArgTypes()->Types(); + if ( args->length() < 2 || args->length() > 3 ) + { + builtin_error(fmt("Wrong number of arguments for passed function in Option::on_change for ID '%s'; expected 2 or 3, got %d", + ID->CheckString(), args->length())); + return new Val(0, TYPE_BOOL); + } + if ( (*args)[0]->Tag() != TYPE_STRING ) + { + builtin_error(fmt("First argument of passed function has to be string in Option::on_change for ID '%s'; got '%s'", + ID->CheckString(), type_name((*args)[0]->Tag()))); + return new Val(0, TYPE_BOOL); + } + if ( ! same_type((*args)[1], i->Type()) ) + { + builtin_error(fmt("Second argument of passed function has to be %s in Option::on_change for ID '%s'; got '%s'", + type_name(i->Type()->Tag()), ID->CheckString(), type_name((*args)[1]->Tag()))); + return new Val(0, TYPE_BOOL); + } + if ( args->length() == 3 && (*args)[2]->Tag() != TYPE_STRING ) + { + builtin_error(fmt("Third argument of passed function has to be string in Option::on_change for ID '%s'; got '%s'", + ID->CheckString(), type_name((*args)[2]->Tag()))); + return new Val(0, TYPE_BOOL); + } + if ( ! 
same_type(on_change->Type()->AsFuncType()->YieldType(), i->Type()) ) + { + builtin_error(fmt("Passed function needs to return type '%s' for ID '%s'; got '%s'", + type_name(i->Type()->Tag()), ID->CheckString(), type_name(on_change->Type()->AsFuncType()->YieldType()->Tag()))); + return new Val(0, TYPE_BOOL); + } + + i->AddOptionHandler(on_change->Ref()->AsFunc(), -priority); + return new Val(1, TYPE_BOOL); + %} diff --git a/src/parse.y b/src/parse.y index facd7e55ed..89bb5adbee 100644 --- a/src/parse.y +++ b/src/parse.y @@ -6,7 +6,7 @@ %token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ANY %token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF -%token TOK_BOOL TOK_BREAK TOK_CASE TOK_CONST +%token TOK_BOOL TOK_BREAK TOK_CASE TOK_OPTION TOK_CONST %token TOK_CONSTANT TOK_COPY TOK_COUNT TOK_COUNTER TOK_DEFAULT TOK_DELETE %token TOK_DOUBLE TOK_ELSE TOK_ENUM TOK_EVENT TOK_EXPORT TOK_FALLTHROUGH %token TOK_FILE TOK_FOR TOK_FUNCTION TOK_GLOBAL TOK_HOOK TOK_ID TOK_IF TOK_INT @@ -1059,6 +1059,12 @@ decl: broxygen_mgr->Identifier($2); } + | TOK_OPTION def_global_id opt_type init_class opt_init opt_attr ';' + { + add_global($2, $3, $4, $5, $6, VAR_OPTION); + broxygen_mgr->Identifier($2); + } + | TOK_CONST def_global_id opt_type init_class opt_init opt_attr ';' { add_global($2, $3, $4, $5, $6, VAR_CONST); diff --git a/src/scan.l b/src/scan.l index cdac72c1cd..ef0d40dadd 100644 --- a/src/scan.l +++ b/src/scan.l @@ -215,6 +215,7 @@ any return TOK_ANY; bool return TOK_BOOL; break return TOK_BREAK; case return TOK_CASE; +option return TOK_OPTION; const return TOK_CONST; copy return TOK_COPY; count return TOK_COUNT; diff --git a/src/threading/SerialTypes.cc b/src/threading/SerialTypes.cc index 3836638e5c..8468d19ea8 100644 --- a/src/threading/SerialTypes.cc +++ b/src/threading/SerialTypes.cc 
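Review bot: The `same_type` check in `Option::set` reports the mismatch with `builtin_error` but does not return, so execution continues and `i->SetVal(val->Clone())` stores a value of the wrong type in the option. Every other failed check in this function returns `new Val(0, TYPE_BOOL)`, and this branch needs the same line after the `builtin_error` call: `return new Val(0, TYPE_BOOL);`. Because `val` is declared as `any`, this check is the only thing tying the new value to the option's declared type before the change handlers run and the global is overwritten.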
@@ -161,12 +161,13 @@ bool Value::IsCompatibleType(BroType* t, bool atomic_only) bool Value::Read(SerializationFormat* fmt) { - int ty; + int ty, sty; - if ( ! (fmt->Read(&ty, "type") && fmt->Read(&present, "present")) ) + if ( ! (fmt->Read(&ty, "type") && fmt->Read(&sty, "subtype") && fmt->Read(&present, "present")) ) return false; type = (TypeTag)(ty); + subtype = (TypeTag)(sty); if ( ! present ) return true; @@ -311,6 +312,7 @@ bool Value::Read(SerializationFormat* fmt) bool Value::Write(SerializationFormat* fmt) const { if ( ! (fmt->Write((int)type, "type") && + fmt->Write((int)subtype, "subtype") && fmt->Write(present, "present")) ) return false; diff --git a/src/threading/SerialTypes.h b/src/threading/SerialTypes.h index af3f92d416..5a8361feba 100644 --- a/src/threading/SerialTypes.h +++ b/src/threading/SerialTypes.h @@ -26,7 +26,7 @@ struct Field { //! port, one for the type), and this specifies the secondary name. const char* secondary_name; TypeTag type; //! Type of the field. - TypeTag subtype; //! Inner type for sets. + TypeTag subtype; //! Inner type for sets and vectors. bool optional; //! True if field is optional. /** @@ -92,6 +92,7 @@ private: */ struct Value { TypeTag type; //! The type of the value. + TypeTag subtype; //! Inner type for sets and vectors. bool present; //! False for optional record fields that are not set. struct set_t { bro_int_t size; Value** vals; }; 
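Review bot: `Value::Read` casts `sty` straight to `TypeTag` with no range check, and the new `subtype` is later used to select a type (the input manager passes it to `base_type()` when rebuilding sets and vectors), so a malformed serialized value could carry an out-of-range tag. A guard before the casts, e.g. `if ( sty < 0 || sty >= NUM_TYPES ) return false;`, would reject it; the pre-existing `ty` cast has the same gap. The extra field also changes the serialized layout in both `Read` and `Write`, so data written by an older build will presumably no longer parse; confirm nothing persists or exchanges this format across versions. Both functions continue outside the hunks.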
@@ -146,7 +147,20 @@ struct Value { * that is not set. */ Value(TypeTag arg_type = TYPE_ERROR, bool arg_present = true) - : type(arg_type), present(arg_present) {} + : type(arg_type), subtype(TYPE_VOID), present(arg_present) {} + + /** + * Constructor. + * + * arg_type: The type of the value. + * + * arg_type: The subtype of the value for sets and vectors. + * + * arg_present: False if the value represents an optional record field + * that is not set. + */ + Value(TypeTag arg_type, TypeTag arg_subtype, bool arg_present = true) + : type(arg_type), subtype(arg_subtype), present(arg_present) {} /** * Destructor. @@ -185,4 +199,4 @@ private: } -#endif /* THREADING_SERIALIZATIONTZPES_H */ +#endif /* THREADING_SERIALIZATIONTYPES_H */ diff --git a/src/threading/formatters/Ascii.cc b/src/threading/formatters/Ascii.cc index bf36c361cc..80edd42a61 100644 --- a/src/threading/formatters/Ascii.cc +++ b/src/threading/formatters/Ascii.cc @@ -207,13 +207,14 @@ bool Ascii::Describe(ODesc* desc, threading::Value* val, const string& name) con threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag type, TypeTag subtype) const { - if ( s.compare(separators.unset_field) == 0 ) // field is not set... + if ( ! separators.unset_field.empty() && s.compare(separators.unset_field) == 0 ) // field is not set... return new threading::Value(type, false); - threading::Value* val = new threading::Value(type, true); + threading::Value* val = new threading::Value(type, subtype, true); const char* start = s.c_str(); char* end = 0; errno = 0; + size_t pos; switch ( type ) { case TYPE_ENUM: 
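Review bot: The doc comment on the new three-argument `Value` constructor lists `arg_type:` twice; the second entry describes the subtype and should read `arg_subtype: The subtype of the value for sets and vectors.` It would also help to state there that `subtype` stays `TYPE_VOID` when the two-argument constructor is used, since code reading `subtype` has to treat that value as "not known".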
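Review bot: The unset-field path in `Ascii::ParseValue` still returns `new threading::Value(type, false)`, so an absent set or vector loses its `subtype` while present values now carry it; the SQLite reader in this same change does pass the subtype for absent values. For consistency: `return new threading::Value(type, subtype, false);`. `ParseValue` continues outside the hunk.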
@@ -260,11 +261,21 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag break; case TYPE_PORT: + val->val.port_val.proto = TRANSPORT_UNKNOWN; + pos = s.find('/'); + if ( pos != std::string::npos && s.length() > pos + 1 ) + { + auto proto = s.substr(pos+1); + if ( strtolower(proto) == "tcp" ) + val->val.port_val.proto = TRANSPORT_TCP; + else if ( strtolower(proto) == "udp" ) + val->val.port_val.proto = TRANSPORT_UDP; + else if ( strtolower(proto) == "icmp" ) + val->val.port_val.proto = TRANSPORT_ICMP; + } val->val.port_val.port = strtoull(start, &end, 10); if ( CheckNumberError(start, end) ) goto parse_error; - - val->val.port_val.proto = TRANSPORT_UNKNOWN; break; case TYPE_SUBNET: diff --git a/testing/btest/Baseline/core.check-unused-event-handlers/.stderr b/testing/btest/Baseline/core.check-unused-event-handlers/.stderr index 1a32ad442c..8c4e4def40 100644 --- a/testing/btest/Baseline/core.check-unused-event-handlers/.stderr +++ b/testing/btest/Baseline/core.check-unused-event-handlers/.stderr @@ -1,2 +1,3 @@ warning in , line 1: event handler never invoked: this_is_never_used +warning in , line 1: event handler never invoked: InputConfig::new_value warning in , line 1: event handler never invoked: InputRaw::process_finished diff --git a/testing/btest/Baseline/core.option-errors-2/.stderr b/testing/btest/Baseline/core.option-errors-2/.stderr new file mode 100644 index 0000000000..90011d5c85 --- /dev/null +++ b/testing/btest/Baseline/core.option-errors-2/.stderr @@ -0,0 +1 @@ +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors-2/option-errors.bro, line 2: option variable must be initialized (testbool) diff --git a/testing/btest/Baseline/core.option-errors-3/.stderr b/testing/btest/Baseline/core.option-errors-3/.stderr new file mode 100644 index 0000000000..ffe699c739 --- /dev/null +++ b/testing/btest/Baseline/core.option-errors-3/.stderr 
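Review bot: In the TYPE_PORT case the result of `strtoull` goes into `port_val.port` with no upper bound, so a value above 65535 in the input is accepted as a port; extending the existing check to `if ( CheckNumberError(start, end) || val->val.port_val.port > 65535 ) goto parse_error;` would reject it (this assumes the field is wide enough to hold the unclamped value, which the hunk does not show). An unrecognised suffix such as a misspelt protocol is mapped to TRANSPORT_UNKNOWN without any message, which makes typos in an input file hard to spot; a warning there would help. `strtolower(proto)` is evaluated up to three times and can be done once with `auto proto = strtolower(s.substr(pos+1));`. The number parse now ends at the `/`, so it relies on how CheckNumberError handles trailing characters, and ParseValue itself starts and ends outside this hunk.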
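Review bot: The core.option-errors-2 `.stderr` baseline, and the other core.option-errors* and core.option-runtime-errors* `.stderr` baselines added in this patch, record the author's absolute checkout path (`/Users/johanna/corelight/bro/testing/btest/.tmp/...`) in the expected output. The comparison will presumably only match on a machine with the same directory layout, and the local path ends up in the repository. Regenerating these baselines through a canonifier that strips the absolute path prefix, so the line starts `error in option-errors.bro, line 2:`, would make them portable.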
@@ -0,0 +1 @@ +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors-3/option-errors.bro, line 3: option is not a modifiable lvalue (testopt) diff --git a/testing/btest/Baseline/core.option-errors-4/.stderr b/testing/btest/Baseline/core.option-errors-4/.stderr new file mode 100644 index 0000000000..b443da2eb9 --- /dev/null +++ b/testing/btest/Baseline/core.option-errors-4/.stderr @@ -0,0 +1 @@ +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors-4/option-errors.bro, line 2 and /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors-4/option-errors.bro, line 3: already defined (testopt) diff --git a/testing/btest/Baseline/core.option-errors/.stderr b/testing/btest/Baseline/core.option-errors/.stderr new file mode 100644 index 0000000000..27a73e180d --- /dev/null +++ b/testing/btest/Baseline/core.option-errors/.stderr @@ -0,0 +1 @@ +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors/option-errors.bro, line 4: no type given (testbool) diff --git a/testing/btest/Baseline/core.option-priorities/.stdout b/testing/btest/Baseline/core.option-priorities/.stdout new file mode 100644 index 0000000000..5565a18a92 --- /dev/null +++ b/testing/btest/Baseline/core.option-priorities/.stdout @@ -0,0 +1,6 @@ +Old value, T +Higher prio - Value of testbool changed from T to F at location '' +Value of testbool changed from T to T +Higher prio - Value of testbool changed from T to F at location 'here' +Value of testbool changed from T to T +New value, T diff --git a/testing/btest/Baseline/core.option-redef/.stdout b/testing/btest/Baseline/core.option-redef/.stdout new file mode 100644 index 0000000000..1e8b314962 --- /dev/null +++ b/testing/btest/Baseline/core.option-redef/.stdout @@ -0,0 +1 @@ +6 diff --git a/testing/btest/Baseline/core.option-runtime-errors-10/.stderr b/testing/btest/Baseline/core.option-runtime-errors-10/.stderr new file mode 100644 index 0000000000..3b4cf422f5 --- /dev/null 
+++ b/testing/btest/Baseline/core.option-runtime-errors-10/.stderr @@ -0,0 +1 @@ +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-10/option-runtime-errors.bro, line 7: ID 'A' is not an option (Option::set_change_handler(A, option_changed, (coerce 0 to int))) diff --git a/testing/btest/Baseline/core.option-runtime-errors-11/.stderr b/testing/btest/Baseline/core.option-runtime-errors-11/.stderr new file mode 100644 index 0000000000..8fd7de5d2e --- /dev/null +++ b/testing/btest/Baseline/core.option-runtime-errors-11/.stderr @@ -0,0 +1 @@ +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-11/option-runtime-errors.bro, line 4: Option::on_change needs function argument; got 'count' for ID 'A' (Option::set_change_handler(A, A, (coerce 0 to int))) diff --git a/testing/btest/Baseline/core.option-runtime-errors-12/.stderr b/testing/btest/Baseline/core.option-runtime-errors-12/.stderr new file mode 100644 index 0000000000..635b287c6b --- /dev/null +++ b/testing/btest/Baseline/core.option-runtime-errors-12/.stderr @@ -0,0 +1 @@ +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-12/option-runtime-errors.bro, line 7: Third argument of passed function has to be string in Option::on_change for ID 'A'; got 'count' (Option::set_change_handler(A, option_changed, (coerce 0 to int))) diff --git a/testing/btest/Baseline/core.option-runtime-errors-13/.stderr b/testing/btest/Baseline/core.option-runtime-errors-13/.stderr new file mode 100644 index 0000000000..7b58339d8b --- /dev/null +++ b/testing/btest/Baseline/core.option-runtime-errors-13/.stderr @@ -0,0 +1 @@ +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-13/option-runtime-errors.bro, line 7: Wrong number of arguments for passed function in Option::on_change for ID 'A'; expected 2 or 3, got 4 (Option::set_change_handler(A, option_changed, (coerce 0 to int))) 
diff --git a/testing/btest/Baseline/core.option-runtime-errors-2/.stderr b/testing/btest/Baseline/core.option-runtime-errors-2/.stderr new file mode 100644 index 0000000000..ad027f69db --- /dev/null +++ b/testing/btest/Baseline/core.option-runtime-errors-2/.stderr @@ -0,0 +1 @@ +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-2/option-runtime-errors.bro, line 3: Incompatible type for set of ID 'A': got 'string', need 'count' (Option::set(A, hi, )) diff --git a/testing/btest/Baseline/core.option-runtime-errors-3/.stderr b/testing/btest/Baseline/core.option-runtime-errors-3/.stderr new file mode 100644 index 0000000000..2c98b170b7 --- /dev/null +++ b/testing/btest/Baseline/core.option-runtime-errors-3/.stderr @@ -0,0 +1 @@ +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-3/option-runtime-errors.bro, line 3: ID 'A' is not an option (Option::set(A, 6, )) diff --git a/testing/btest/Baseline/core.option-runtime-errors-4/.stderr b/testing/btest/Baseline/core.option-runtime-errors-4/.stderr new file mode 100644 index 0000000000..a965ddd3ae --- /dev/null +++ b/testing/btest/Baseline/core.option-runtime-errors-4/.stderr @@ -0,0 +1 @@ +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-4/option-runtime-errors.bro, line 7: Second argument of passed function has to be count in Option::on_change for ID 'A'; got 'bool' (Option::set_change_handler(A, option_changed, (coerce 0 to int))) diff --git a/testing/btest/Baseline/core.option-runtime-errors-5/.stderr b/testing/btest/Baseline/core.option-runtime-errors-5/.stderr new file mode 100644 index 0000000000..d931ff062a --- /dev/null +++ b/testing/btest/Baseline/core.option-runtime-errors-5/.stderr 
@@ -0,0 +1 @@ +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-5/option-runtime-errors.bro, line 7: Wrong number of arguments for passed function in Option::on_change for ID 'A'; expected 2 or 3, got 1 (Option::set_change_handler(A, option_changed, (coerce 0 to int))) diff --git a/testing/btest/Baseline/core.option-runtime-errors-6/.stderr b/testing/btest/Baseline/core.option-runtime-errors-6/.stderr new file mode 100644 index 0000000000..593c239155 --- /dev/null +++ b/testing/btest/Baseline/core.option-runtime-errors-6/.stderr @@ -0,0 +1 @@ +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-6/option-runtime-errors.bro, line 7: Passed function needs to return type 'count' for ID 'A'; got 'bool' (Option::set_change_handler(A, option_changed, (coerce 0 to int))) diff --git a/testing/btest/Baseline/core.option-runtime-errors-7/.stderr b/testing/btest/Baseline/core.option-runtime-errors-7/.stderr new file mode 100644 index 0000000000..57f7b5c21b --- /dev/null +++ b/testing/btest/Baseline/core.option-runtime-errors-7/.stderr @@ -0,0 +1 @@ +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-7/option-runtime-errors.bro, line 7: Option::on_change needs function argument; not hook or event (Option::set_change_handler(A, option_changed, (coerce 0 to int))) diff --git a/testing/btest/Baseline/core.option-runtime-errors-8/.stderr b/testing/btest/Baseline/core.option-runtime-errors-8/.stderr new file mode 100644 index 0000000000..2e7735f433 --- /dev/null +++ b/testing/btest/Baseline/core.option-runtime-errors-8/.stderr @@ -0,0 +1 @@ +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-8/option-runtime-errors.bro, line 7: Option::on_change needs function argument; not hook or event (Option::set_change_handler(A, option_changed, (coerce 0 to int))) 
diff --git a/testing/btest/Baseline/core.option-runtime-errors-9/.stderr b/testing/btest/Baseline/core.option-runtime-errors-9/.stderr new file mode 100644 index 0000000000..a95196eef7 --- /dev/null +++ b/testing/btest/Baseline/core.option-runtime-errors-9/.stderr @@ -0,0 +1 @@ +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-9/option-runtime-errors.bro, line 5: Could not find ID named 'A' (Option::set_change_handler(A, option_changed, (coerce 0 to int))) diff --git a/testing/btest/Baseline/core.option-runtime-errors/.stderr b/testing/btest/Baseline/core.option-runtime-errors/.stderr new file mode 100644 index 0000000000..f3ad46d382 --- /dev/null +++ b/testing/btest/Baseline/core.option-runtime-errors/.stderr @@ -0,0 +1 @@ +error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors/option-runtime-errors.bro, line 8: Could not find ID named 'B' (Option::set(B, 6, )) diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 52a660261c..9a4e03d884 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -38,6 +38,7 @@ scripts/base/init-bare.bro scripts/base/frameworks/input/readers/raw.bro scripts/base/frameworks/input/readers/benchmark.bro scripts/base/frameworks/input/readers/binary.bro + scripts/base/frameworks/input/readers/config.bro scripts/base/frameworks/input/readers/sqlite.bro scripts/base/frameworks/analyzer/__load__.bro scripts/base/frameworks/analyzer/main.bro 
@@ -51,6 +52,7 @@ scripts/base/init-bare.bro scripts/base/frameworks/files/magic/__load__.bro build/scripts/base/bif/__load__.bro build/scripts/base/bif/stats.bif.bro + build/scripts/base/bif/option.bif.bro build/scripts/base/bif/broxygen.bif.bro build/scripts/base/bif/pcap.bif.bro build/scripts/base/bif/bloom-filter.bif.bro @@ -161,6 +163,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro + build/scripts/base/bif/plugins/Bro_ConfigReader.config.bif.bro build/scripts/base/bif/plugins/Bro_RawReader.raw.bif.bro build/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro build/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 75ef872a95..9f29b5b8ae 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -38,6 +38,7 @@ scripts/base/init-bare.bro scripts/base/frameworks/input/readers/raw.bro scripts/base/frameworks/input/readers/benchmark.bro scripts/base/frameworks/input/readers/binary.bro + scripts/base/frameworks/input/readers/config.bro scripts/base/frameworks/input/readers/sqlite.bro scripts/base/frameworks/analyzer/__load__.bro scripts/base/frameworks/analyzer/main.bro @@ -51,6 +52,7 @@ scripts/base/init-bare.bro scripts/base/frameworks/files/magic/__load__.bro build/scripts/base/bif/__load__.bro build/scripts/base/bif/stats.bif.bro + build/scripts/base/bif/option.bif.bro build/scripts/base/bif/broxygen.bif.bro build/scripts/base/bif/pcap.bif.bro build/scripts/base/bif/bloom-filter.bif.bro 
@@ -161,6 +163,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro + build/scripts/base/bif/plugins/Bro_ConfigReader.config.bif.bro build/scripts/base/bif/plugins/Bro_RawReader.raw.bif.bro build/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro build/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro @@ -238,6 +241,9 @@ scripts/base/init-default.bro scripts/base/frameworks/intel/main.bro scripts/base/frameworks/intel/files.bro scripts/base/frameworks/intel/input.bro + scripts/base/frameworks/config/__load__.bro + scripts/base/frameworks/config/main.bro + scripts/base/frameworks/config/input.bro scripts/base/frameworks/sumstats/__load__.bro scripts/base/frameworks/sumstats/main.bro scripts/base/frameworks/sumstats/plugins/__load__.bro diff --git a/testing/btest/Baseline/coverage.find-bro-logs/out b/testing/btest/Baseline/coverage.find-bro-logs/out index 09a08914fe..1433646a9f 100644 --- a/testing/btest/Baseline/coverage.find-bro-logs/out +++ b/testing/btest/Baseline/coverage.find-bro-logs/out @@ -2,6 +2,7 @@ barnyard2 capture_loss cluster communication +config conn dce__r_pc dhcp diff --git a/testing/btest/Baseline/doc.broxygen.example/example.rst b/testing/btest/Baseline/doc.broxygen.example/example.rst index 48289fe466..109784229d 100644 --- a/testing/btest/Baseline/doc.broxygen.example/example.rst +++ b/testing/btest/Baseline/doc.broxygen.example/example.rst 
@@ -32,8 +32,8 @@ And a custom directive does the equivalent references: Summary ~~~~~~~ -Options -####### +Redefinable Options +################### ==================================================================================== ======================================================= :bro:id:`BroxygenExample::an_option`: :bro:type:`set` :bro:attr:`&redef` Add documentation for "an_option" here. :bro:id:`BroxygenExample::option_with_init`: :bro:type:`interval` :bro:attr:`&redef` Default initialization will be generated automatically. @@ -81,8 +81,8 @@ Functions Detailed Interface ~~~~~~~~~~~~~~~~~~ -Options -####### +Redefinable Options +################### .. bro:id:: BroxygenExample::an_option :Type: :bro:type:`set` [:bro:type:`addr`, :bro:type:`addr`, :bro:type:`string`] diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 42b0b6ef26..511cc3dec9 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -172,6 +172,7 @@ 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=communication, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=conn, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, 
pred=, path=dce_rpc, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=dhcp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> @@ -215,6 +216,7 @@ 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=mysql, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Communication::LOG, [columns=, ev=, path=communication])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Config::LOG, [columns=, ev=Config::log_config, path=config])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DCE_RPC::LOG, [columns=, ev=, path=dce_rpc])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp])) -> 
@@ -256,9 +258,10 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1511991433.194848, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (DCE_RPC::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (DHCP::LOG)) -> 
@@ -302,6 +305,7 @@ 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (mysql::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 
@@ -345,6 +349,7 @@ 0.000000 MetaHookPost CallFunction(Log::add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Communication::LOG, [columns=, ev=, path=communication])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Config::LOG, [columns=, ev=Config::log_config, path=config])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (DCE_RPC::LOG, [columns=, ev=, path=dce_rpc])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp])) -> @@ -386,7 +391,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1511991433.194848, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -415,6 +420,7 @@ 0.000000 MetaHookPost CallFunction(current_time, , ()) -> 0.000000 MetaHookPost CallFunction(filter_change_tracking, , ()) -> 0.000000 MetaHookPost CallFunction(getenv, , (CLUSTER_NODE)) -> +0.000000 MetaHookPost CallFunction(global_ids, , ()) -> 0.000000 MetaHookPost CallFunction(network_time, , ()) -> 0.000000 MetaHookPost CallFunction(reading_live_traffic, , ()) -> 0.000000 MetaHookPost CallFunction(reading_traces, , ()) -> @@ -431,6 +437,7 @@ 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BenchmarkReader.benchmark.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BinaryReader.binary.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BitTorrent.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConfigReader.config.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConnSize.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConnSize.functions.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.consts.bif.bro) -> -1 @@ -550,6 +557,7 @@ 0.000000 MetaHookPost LoadFile(0, .<...>/cardinality-counter.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/catch-and-release.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/comm.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/config.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/const-dos-error.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/const-nt-status.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/const.bif.bro) -> -1 @@ -588,6 +596,7 @@ 0.000000 MetaHookPost LoadFile(0, .<...>/non-cluster.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/none.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/openflow.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/option.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/packetfilter.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/page.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/patterns.bro) -> -1 
@@ -637,6 +646,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/cluster) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/comm.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/communication) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/config) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/conn) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/conn-ids.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/const.bif.bro) -> -1 
@@ -907,6 +917,7 @@ 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=communication, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=conn, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=dce_rpc, 
path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=dhcp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) @@ -950,6 +961,7 @@ 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=mysql, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Communication::LOG, [columns=, ev=, path=communication])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Config::LOG, [columns=, ev=Config::log_config, path=config])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DCE_RPC::LOG, [columns=, ev=, path=dce_rpc])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp])) 
@@ -991,9 +1003,10 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1511991433.194848, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (DCE_RPC::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (DHCP::LOG)) 
@@ -1037,6 +1050,7 @@ 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (mysql::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 
@@ -1080,6 +1094,7 @@ 0.000000 MetaHookPre CallFunction(Log::add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Communication::LOG, [columns=, ev=, path=communication])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Config::LOG, [columns=, ev=Config::log_config, path=config])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (DCE_RPC::LOG, [columns=, ev=, path=dce_rpc])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp])) @@ -1121,7 +1136,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1511991433.194848, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1150,6 +1165,7 @@ 0.000000 MetaHookPre CallFunction(current_time, , ()) 0.000000 MetaHookPre CallFunction(filter_change_tracking, , ()) 0.000000 MetaHookPre CallFunction(getenv, , (CLUSTER_NODE)) +0.000000 MetaHookPre CallFunction(global_ids, , ()) 0.000000 MetaHookPre CallFunction(network_time, , ()) 0.000000 MetaHookPre CallFunction(reading_live_traffic, , ()) 0.000000 MetaHookPre CallFunction(reading_traces, , ()) @@ -1166,6 +1182,7 @@ 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BenchmarkReader.benchmark.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BinaryReader.binary.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BitTorrent.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConfigReader.config.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConnSize.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConnSize.functions.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.consts.bif.bro) @@ -1285,6 +1302,7 @@ 0.000000 MetaHookPre LoadFile(0, .<...>/cardinality-counter.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/catch-and-release.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/comm.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/config.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/const-dos-error.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/const-nt-status.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/const.bif.bro) @@ -1323,6 +1341,7 @@ 0.000000 MetaHookPre LoadFile(0, .<...>/non-cluster.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/none.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/openflow.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/option.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/packetfilter.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/page.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/patterns.bro) 
@@ -1372,6 +1391,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/cluster) 0.000000 MetaHookPre LoadFile(0, base<...>/comm.bif.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/communication) +0.000000 MetaHookPre LoadFile(0, base<...>/config) 0.000000 MetaHookPre LoadFile(0, base<...>/conn) 0.000000 MetaHookPre LoadFile(0, base<...>/conn-ids.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/const.bif.bro) 
@@ -1641,6 +1661,7 @@ 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) 0.000000 | HookCallFunction Log::__add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=communication, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=conn, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=dce_rpc, path_func=, include=, exclude=, log_local=T, log_remote=T, 
field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=dhcp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) @@ -1684,6 +1705,7 @@ 0.000000 | HookCallFunction Log::__add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=mysql, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__create_stream(Cluster::LOG, [columns=, ev=, path=cluster]) 0.000000 | HookCallFunction Log::__create_stream(Communication::LOG, [columns=, ev=, path=communication]) +0.000000 | HookCallFunction Log::__create_stream(Config::LOG, [columns=, ev=Config::log_config, path=config]) 0.000000 | HookCallFunction Log::__create_stream(Conn::LOG, [columns=, ev=Conn::log_conn, path=conn]) 0.000000 | HookCallFunction Log::__create_stream(DCE_RPC::LOG, [columns=, ev=, path=dce_rpc]) 0.000000 | HookCallFunction Log::__create_stream(DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp]) 
@@ -1725,9 +1747,10 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1511991433.194848, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) +0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 0.000000 | HookCallFunction Log::add_default_filter(DCE_RPC::LOG) 0.000000 | HookCallFunction Log::add_default_filter(DHCP::LOG) 
@@ -1771,6 +1794,7 @@ 0.000000 | HookCallFunction Log::add_default_filter(mysql::LOG) 0.000000 | HookCallFunction Log::add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 
@@ -1814,6 +1838,7 @@ 0.000000 | HookCallFunction Log::add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::create_stream(Cluster::LOG, [columns=, ev=, path=cluster]) 0.000000 | HookCallFunction Log::create_stream(Communication::LOG, [columns=, ev=, path=communication]) +0.000000 | HookCallFunction Log::create_stream(Config::LOG, [columns=, ev=Config::log_config, path=config]) 0.000000 | HookCallFunction Log::create_stream(Conn::LOG, [columns=, ev=Conn::log_conn, path=conn]) 0.000000 | HookCallFunction Log::create_stream(DCE_RPC::LOG, [columns=, ev=, path=dce_rpc]) 0.000000 | HookCallFunction Log::create_stream(DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp]) @@ -1855,7 +1880,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1511991433.194848, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -1884,6 +1909,7 @@ 0.000000 | HookCallFunction current_time() 0.000000 | HookCallFunction filter_change_tracking() 0.000000 | HookCallFunction getenv(CLUSTER_NODE) +0.000000 | HookCallFunction global_ids() 0.000000 | HookCallFunction network_time() 0.000000 | HookCallFunction reading_live_traffic() 0.000000 | HookCallFunction reading_traces() 
@@ -1900,6 +1926,7 @@ 0.000000 | HookLoadFile .<...>/Bro_BenchmarkReader.benchmark.bif.bro 0.000000 | HookLoadFile .<...>/Bro_BinaryReader.binary.bif.bro 0.000000 | HookLoadFile .<...>/Bro_BitTorrent.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_ConfigReader.config.bif.bro 0.000000 | HookLoadFile .<...>/Bro_ConnSize.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_ConnSize.functions.bif.bro 0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.consts.bif.bro @@ -2021,6 +2048,7 @@ 0.000000 | HookLoadFile .<...>/cardinality-counter.bif.bro 0.000000 | HookLoadFile .<...>/catch-and-release.bro 0.000000 | HookLoadFile .<...>/comm.bif.bro +0.000000 | HookLoadFile .<...>/config.bro 0.000000 | HookLoadFile .<...>/const-dos-error.bro 0.000000 | HookLoadFile .<...>/const-nt-status.bro 0.000000 | HookLoadFile .<...>/const.bif.bro @@ -2065,6 +2093,7 @@ 0.000000 | HookLoadFile .<...>/non-cluster.bro 0.000000 | HookLoadFile .<...>/none.bro 0.000000 | HookLoadFile .<...>/openflow.bro +0.000000 | HookLoadFile .<...>/option.bif.bro 0.000000 | HookLoadFile .<...>/packetfilter.bro 0.000000 | HookLoadFile .<...>/page.bro 0.000000 | HookLoadFile .<...>/patterns.bro @@ -2115,6 +2144,7 @@ 0.000000 | HookLoadFile base<...>/cluster 0.000000 | HookLoadFile base<...>/comm.bif.bro 0.000000 | HookLoadFile base<...>/communication +0.000000 | HookLoadFile base<...>/config 0.000000 | HookLoadFile base<...>/conn 0.000000 | HookLoadFile base<...>/conn-ids.bro 0.000000 | HookLoadFile base<...>/const.bif.bro 
@@ -2198,7 +2228,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1511991433.194848, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.basic/bro.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.basic/bro.config.log new file mode 100644 index 0000000000..b1e03411e5 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.basic/bro.config.log @@ -0,0 +1,23 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path config +#open 2017-10-11-20-23-11 +#fields ts id old_value new_value location +#types time string string string string +1507753391.587107 testbool T F ../configfile +1507753391.587107 testcount 0 1 ../configfile +1507753391.587107 testcount 1 2 ../configfile +1507753391.587107 testint 0 -1 ../configfile +1507753391.587107 testenum SSH::LOG Conn::LOG ../configfile +1507753391.587107 testport 42/tcp 45/unknown ../configfile +1507753391.587107 testaddr 127.0.0.1 127.0.0.1 ../configfile +1507753391.587107 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile +1507753391.587107 testinterval 1.0 sec 60.0 ../configfile +1507753391.587107 testtime 0.0 1507321987.0 ../configfile +1507753391.587107 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile +1507753391.587107 test_vector (empty) 1,2,3,4,5,6 ../configfile +1507753391.587107 test_set b,c,a,d,erdbeerschnitzel (empty) ../configfile +1507753391.587107 test_set (empty) \x2d ../configfile +#close 2017-10-11-20-23-11 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.read_config/bro.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.read_config/bro.config.log new file mode 100644 index 0000000000..fa56b8455e --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.read_config/bro.config.log @@ -0,0 +1,23 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path config +#open 2017-10-11-20-47-09 +#fields ts id old_value new_value location +#types time string string string string +1507754829.092788 testbool T F ../configfile +1507754829.092788 testcount 0 1 ../configfile +1507754829.092788 testcount 1 2 ../configfile +1507754829.092788 testint 0 -1 ../configfile +1507754829.092788 testenum SSH::LOG Conn::LOG ../configfile +1507754829.092788 testport 42/tcp 45/unknown ../configfile +1507754829.092788 testaddr 127.0.0.1 127.0.0.1 ../configfile +1507754829.092788 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile +1507754829.092788 testinterval 1.0 sec 60.0 ../configfile +1507754829.092788 testtime 0.0 1507321987.0 ../configfile +1507754829.092788 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile +1507754829.092788 test_vector (empty) 1,2,3,4,5,6 ../configfile +1507754829.092788 test_set b,c,a,d,erdbeerschnitzel (empty) ../configfile +1507754829.092788 test_set (empty) \x2d ../configfile +#close 2017-10-11-20-47-09 diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.several-files/bro.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.several-files/bro.config.log new file mode 100644 index 0000000000..d8e388f60b --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.several-files/bro.config.log 
@@ -0,0 +1,19 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path config +#open 2017-10-11-21-01-26 +#fields ts id old_value new_value location +#types time string string string string +1507755686.516466 testbool T F ../configfile1 +1507755686.516466 testcount 0 2 ../configfile1 +1507755686.516466 testint 0 -1 ../configfile1 +1507755686.516466 testenum SSH::LOG Conn::LOG ../configfile1 +1507755686.516466 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile1 +1507755686.516466 test_vector (empty) 1,2,3,4,5,6 ../configfile1 +1507755686.516466 testport 42/tcp 45/unknown ../configfile2 +1507755686.516466 testaddr 127.0.0.1 127.0.0.1 ../configfile2 +1507755686.516466 testinterval 1.0 sec 60.0 ../configfile2 +1507755686.516466 testtime 0.0 1507321987.0 ../configfile2 +#close 2017-10-11-21-01-26 diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.updates/bro.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.updates/bro.config.log new file mode 100644 index 0000000000..2e4f75b903 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.updates/bro.config.log 
@@ -0,0 +1,26 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path config +#open 2017-10-11-21-00-06 +#fields ts id old_value new_value location +#types time string string string string +1507755606.563360 testbool T F ../configfile +1507755606.563360 testcount 0 1 ../configfile +1507755606.563360 testcount 1 2 ../configfile +1507755606.563360 testint 0 -1 ../configfile +1507755606.563360 testenum SSH::LOG Conn::LOG ../configfile +1507755606.563360 testport 42/tcp 45/unknown ../configfile +1507755606.563360 testaddr 127.0.0.1 127.0.0.1 ../configfile +1507755606.563360 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile +1507755606.563360 testinterval 1.0 sec 60.0 ../configfile +1507755606.563360 testtime 0.0 1507321987.0 ../configfile +1507755606.563360 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile +1507755606.563360 test_vector (empty) 1,2,3,4,5,6 ../configfile +1507755609.793956 testcount 2 1 ../configfile +1507755609.793956 testcount 1 2 ../configfile +1507755609.793956 testaddr 2607:f8b0:4005:801::200e 127.0.0.1 ../configfile +1507755609.793956 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile +1507755609.793956 test_vector 1,2,3,4,5,6 1,2,3,4,5,9 ../configfile +#close 2017-10-11-21-00-09 diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.basic/out b/testing/btest/Baseline/scripts.base.frameworks.input.basic/out index 694f708fd8..3f288d5c54 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.basic/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.basic/out @@ -1,5 +1,5 @@ { -[-42] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, ns=4242, sc={ +[-42] = [b=T, e=SSH::LOG, c=21, p=123/unknown, pp=5/icmp, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, ns=4242, sc={ 2, 4, 1, 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.config.basic/out b/testing/btest/Baseline/scripts.base.frameworks.input.config.basic/out new file mode 100644 index 0000000000..1863c7e8ea --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.config.basic/out @@ -0,0 +1,28 @@ +testbool, F +testcount, 1 +testcount, 2 +testint, -1 +testenum, Conn::LOG +testport, 45/unknown +testportandproto, 45/udp +testaddr, 127.0.0.1 +testaddr, 2607:f8b0:4005:801::200e +testinterval, 60.0 +testtime, 1507321987.0 +test_set, { +b, +c, +a, +d, +erdbeerschnitzel +} +test_vector, [1, 2, 3, 4, 5, 6] +test_set, { +(empty) +} +test_set, { + +} +test_set, { +- +} diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.config.errors/errout b/testing/btest/Baseline/scripts.base.frameworks.input.config.errors/errout new file mode 100644 index 0000000000..92877a794c --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.config.errors/errout 
@@ -0,0 +1,14 @@ +warning: ../configfile/Input::READER_CONFIG: Field: testbool Invalid value for boolean: A +warning: ../configfile/Input::READER_CONFIG: Could not convert line 'testbool A' to Val. Ignoring line. +warning: ../configfile/Input::READER_CONFIG: Could not parse 'testtesttesttesttesttest'; line has invalid format. Ignoring line. +warning: ../configfile/Input::READER_CONFIG: Field: testbool Invalid value for boolean: A B +warning: ../configfile/Input::READER_CONFIG: Could not convert line 'testbool A B' to Val. Ignoring line. +warning: ../configfile/Input::READER_CONFIG: String 'A' contained no parseable number +warning: ../configfile/Input::READER_CONFIG: Could not convert line 'testcount A' to Val. Ignoring line. +warning: Value 'unknown' for stream 'configuration' is not a valid enum. +error: SendEvent for event InputConfig::new_value failed +warning: ../configfile/Input::READER_CONFIG: Option 'testbooool' does not exist. Ignoring line. +warning: ../configfile/Input::READER_CONFIG: Option 'test_any' has type 'any', which is not supported for file input. Ignoring line. +warning: ../configfile/Input::READER_CONFIG: Option 'test_table' has type 'table', which is not supported for file input. Ignoring line. +received termination signal +>>> diff --git a/testing/btest/core/option-errors.bro b/testing/btest/core/option-errors.bro new file mode 100644 index 0000000000..6a53598650 --- /dev/null +++ b/testing/btest/core/option-errors.bro @@ -0,0 +1,18 @@ +# @TEST-EXEC-FAIL: bro %INPUT +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr + +option testbool; + +@TEST-START-NEXT + +option testbool : bool; + +@TEST-START-NEXT + +option testopt = 5; +testopt = 6; + +@TEST-START-NEXT + +option testopt = 5; +redef testopt = 6; diff --git a/testing/btest/core/option-priorities.bro b/testing/btest/core/option-priorities.bro new file mode 100644 index 0000000000..fd352a5459 --- /dev/null +++ b/testing/btest/core/option-priorities.bro 
@@ -0,0 +1,28 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+export {
+ ## Test some documentation here!
+ option testbool: bool = T;
+}
+
+function option_changed(ID: string, new_value: bool): bool {
+ print fmt("Value of %s changed from %s to %s", ID, testbool, new_value);
+ return new_value;
+}
+
+function option_changed_two(ID: string, new_value: bool, location: string): bool {
+ print fmt("Higher prio - Value of %s changed from %s to %s at location '%s'", ID, testbool, new_value, location);
+ return T;
+}
+
+event bro_init()
+ {
+ print "Old value", testbool;
+ Option::set_change_handler("testbool", option_changed);
+ Option::set_change_handler("testbool", option_changed_two, 99);
+ Option::set("testbool", F);
+ Option::set("testbool", F, "here");
+ print "New value", testbool;
+ }
+
diff --git a/testing/btest/core/option-redef.bro b/testing/btest/core/option-redef.bro
new file mode 100644
index 0000000000..05706ab48b
--- /dev/null
+++ b/testing/btest/core/option-redef.bro
@@ -0,0 +1,12 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+# options are allowed to be redef-able.
+
+option testopt = 5 &redef;
+redef testopt = 6;
+
+event bro_init() {
+ print testopt;
+}
+
diff --git a/testing/btest/core/option-runtime-errors.bro b/testing/btest/core/option-runtime-errors.bro
new file mode 100644
index 0000000000..8ae4b9ca40
--- /dev/null
+++ b/testing/btest/core/option-runtime-errors.bro
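Review bot: testing/btest/core/option-priorities.bro never states what it is meant to prove. `option_changed_two` is registered with priority 99 and returns `T` whatever value was requested, so both `Option::set("testbool", F)` calls presumably leave `testbool` at `T`, but a reader can only learn that from the baseline. A comment above that handler, for example `# Higher-priority handler rewrites the requested value; testbool must still be T at the end.`, would make the expected outcome reviewable. Since change handlers can rewrite or veto a runtime configuration change, that behaviour deserves an explicit statement, and the placeholder `## Test some documentation here!` should become a real description of the option.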
@@ -0,0 +1,104 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
+
+# Errors that happen during runtime. At least at the moment we are not checking these early enough
+# that Bro will bail out during startup. Perhaps we want to change this later.
+
+option A = 5;
+Option::set("B", 6);
+
+@TEST-START-NEXT
+
+option A = 5;
+Option::set("A", "hi");
+
+@TEST-START-NEXT
+
+const A = 5;
+Option::set("A", 6);
+
+@TEST-START-NEXT:
+
+option A = 5;
+
+function option_changed(ID: string, new_value: bool): bool {
+}
+
+Option::set_change_handler("A", option_changed);
+
+@TEST-START-NEXT:
+
+option A = 5;
+
+function option_changed(ID: string): bool {
+}
+
+Option::set_change_handler("A", option_changed);
+
+@TEST-START-NEXT:
+
+option A : count = 5;
+
+function option_changed(ID: string, new_value: count): bool {
+}
+
+Option::set_change_handler("A", option_changed);
+
+@TEST-START-NEXT:
+
+option A : count = 5;
+
+hook option_changed(ID: string, new_value: count) {
+}
+
+Option::set_change_handler("A", option_changed);
+
+@TEST-START-NEXT:
+
+option A : count = 5;
+
+event option_changed(ID: string, new_value: count) {
+}
+
+Option::set_change_handler("A", option_changed);
+
+@TEST-START-NEXT:
+
+function option_changed(ID: string, new_value: count) : count {
+}
+
+Option::set_change_handler("A", option_changed);
+
+
+@TEST-START-NEXT:
+
+const A : count = 5;
+
+function option_changed(ID: string, new_value: count) : count {
+}
+
+Option::set_change_handler("A", option_changed);
+
+@TEST-START-NEXT:
+
+option A : count = 5;
+
+Option::set_change_handler("A", A);
+
+@TEST-START-NEXT:
+
+option A : count = 5;
+
+function option_changed(ID: string, new_value: count, location: count) : count {
+}
+
+Option::set_change_handler("A", option_changed);
+
+@TEST-START-NEXT:
+
+option A : count = 5;
+
+function option_changed(ID: string, new_value: count, location: string, a: count) : count {
+}
+
+Option::set_change_handler("A", option_changed);
diff --git a/testing/btest/scripts/base/frameworks/config/basic.bro b/testing/btest/scripts/base/frameworks/config/basic.bro
new file mode 100644
index 0000000000..19a1ecc64a
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/config/basic.bro
@@ -0,0 +1,52 @@
+# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: btest-diff bro/config.log
+
+@load base/frameworks/config
+@load base/protocols/conn
+
+redef exit_only_after_terminate = T;
+redef Config::config_files += {"../configfile"};
+
+@TEST-START-FILE configfile
+testbool F
+testcount 1
+testcount 2
+testcount 2
+testint -1
+testenum Conn::LOG
+testport 45
+testaddr 127.0.0.1
+testaddr 2607:f8b0:4005:801::200e
+testinterval 60
+testtime 1507321987
+test_set a,b,c,d,erdbeerschnitzel
+test_vector 1,2,3,4,5,6
+test_set (empty)
+test_set -
+@TEST-END-FILE
+
+@load base/protocols/ssh
+@load base/protocols/conn
+
+export {
+ option testbool: bool = T;
+ option testcount: count = 0;
+ option testint: int = 0;
+ option testenum = SSH::LOG;
+ option testport = 42/tcp;
+ option testaddr = 127.0.0.1;
+ option testtime = network_time();
+ option testinterval = 1sec;
+ option teststring = "a";
+ option test_set: set[string] = {};
+ option test_vector: vector of count = {};
+}
+
+event Input::end_of_data(name: string, source:string)
+ {
+ if ( sub_bytes(name, 1, 7) != "config-" )
+ return;
+
+ terminate();
+ }
diff --git a/testing/btest/scripts/base/frameworks/config/read_config.bro b/testing/btest/scripts/base/frameworks/config/read_config.bro
new file mode 100644
index 0000000000..847bab6f8a
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/config/read_config.bro
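Review bot: testing/btest/core/option-runtime-errors.bro writes the sub-test separator two ways: the first two cases use `@TEST-START-NEXT`, all later ones `@TEST-START-NEXT:` with a trailing colon. If btest matches the keyword strictly, the colon variants would not split the file, and the later error paths (wrong handler arity, `hook`/`event` instead of a function, a handler on a `const`) would not run as separate cases. I'd use `@TEST-START-NEXT` throughout. The handler bodies are empty although declared to return `bool` or `count`; a one-line comment such as `# body is irrelevant: registration itself is expected to be rejected` would say why.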
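Review bot: testing/btest/scripts/base/frameworks/config/basic.bro loads `base/protocols/conn` twice, once before and once after the embedded config file. It also declares `option teststring = "a";`, which no line of `configfile` ever sets, so the reader's string path is not exercised here. The same two points apply to read_config.bro, several-files.bro and updates.bro in this commit. I'd drop the second `@load base/protocols/conn` and either add a `teststring` line to the config file, with the baseline regenerated, or remove the unused option. Judging by the baseline, the repeated `testcount 2` checks that an unchanged value is not logged again; a comment saying so would keep it from being "cleaned up" later.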
@@ -0,0 +1,56 @@
+# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: btest-diff bro/config.log
+
+@load base/frameworks/config
+@load base/protocols/conn
+
+redef exit_only_after_terminate = T;
+
+@TEST-START-FILE configfile
+testbool F
+testcount 1
+testcount 2
+testcount 2
+testint -1
+testenum Conn::LOG
+testport 45
+testaddr 127.0.0.1
+testaddr 2607:f8b0:4005:801::200e
+testinterval 60
+testtime 1507321987
+test_set a,b,c,d,erdbeerschnitzel
+test_vector 1,2,3,4,5,6
+test_set (empty)
+test_set -
+@TEST-END-FILE
+
+@load base/protocols/ssh
+@load base/protocols/conn
+
+export {
+ option testbool: bool = T;
+ option testcount: count = 0;
+ option testint: int = 0;
+ option testenum = SSH::LOG;
+ option testport = 42/tcp;
+ option testaddr = 127.0.0.1;
+ option testtime = network_time();
+ option testinterval = 1sec;
+ option teststring = "a";
+ option test_set: set[string] = {};
+ option test_vector: vector of count = {};
+}
+
+event Input::end_of_data(name: string, source:string)
+ {
+ if ( sub_bytes(name, 1, 7) != "config-" )
+ return;
+
+ terminate();
+ }
+
+event bro_init()
+ {
+ Config::read_config("../configfile");
+ }
diff --git a/testing/btest/scripts/base/frameworks/config/several-files.bro b/testing/btest/scripts/base/frameworks/config/several-files.bro
new file mode 100644
index 0000000000..d6b84cdaaa
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/config/several-files.bro
@@ -0,0 +1,50 @@
+# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: btest-diff bro/config.log
+
+@load base/frameworks/config
+@load base/protocols/conn
+
+redef exit_only_after_terminate = T;
+redef Config::config_files += {"../configfile1", "../configfile2"};
+
+@TEST-START-FILE configfile1
+testbool F
+testcount 2
+testint -1
+testenum Conn::LOG
+test_set a,b,c,d,erdbeerschnitzel
+test_vector 1,2,3,4,5,6
+@TEST-END-FILE
+
+@TEST-START-FILE configfile2
+testport 45
+testaddr 127.0.0.1
+testinterval 60
+testtime 1507321987
+@TEST-END-FILE
+
+@load base/protocols/ssh
+@load base/protocols/conn
+
+export {
+ option testbool: bool = T;
+ option testcount: count = 0;
+ option testint: int = 0;
+ option testenum = SSH::LOG;
+ option testport = 42/tcp;
+ option testaddr = 127.0.0.1;
+ option testtime = network_time();
+ option testinterval = 1sec;
+ option teststring = "a";
+ option test_set: set[string] = {};
+ option test_vector: vector of count = {};
+}
+
+event Input::end_of_data(name: string, source:string)
+ {
+ if ( sub_bytes(name, 1, 7) != "config-" )
+ return;
+
+ terminate();
+ }
diff --git a/testing/btest/scripts/base/frameworks/config/updates.bro b/testing/btest/scripts/base/frameworks/config/updates.bro
new file mode 100644
index 0000000000..7e42162190
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/config/updates.bro
@@ -0,0 +1,76 @@
+# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
+# @TEST-EXEC: sleep 2
+# @TEST-EXEC: mv configfile2 configfile
+# @TEST-EXEC: touch configfile
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: btest-diff bro/config.log
+
+@load base/frameworks/config
+@load base/protocols/conn
+@load base/frameworks/communication # let network-time run
+
+redef exit_only_after_terminate = T;
+redef Config::config_files += {"../configfile"};
+
+@TEST-START-FILE configfile
+testbool F
+testcount 1
+testcount 2
+testcount 2
+testint -1
+testenum Conn::LOG
+testport 45
+testaddr 127.0.0.1
+testaddr 2607:f8b0:4005:801::200e
+testinterval 60
+testtime 1507321987
+test_set a,b,c,d,erdbeerschnitzel
+test_vector 1,2,3,4,5,6
+@TEST-END-FILE
+
+@TEST-START-FILE configfile2
+testbool F
+testcount 1
+testcount 2
+testcount 2
+testint -1
+testenum Conn::LOG
+testport 45
+testaddr 127.0.0.1
+testaddr 2607:f8b0:4005:801::200e
+testinterval 60
+testtime 1507321987
+test_set a,b,c,d,erdbeerschnitzel
+test_vector 1,2,3,4,5,9
+@TEST-END-FILE
+
+@load base/protocols/ssh
+@load base/protocols/conn
+
+export {
+ option testbool: bool = T;
+ option testcount: count = 0;
+ option testint: int = 0;
+ option testenum = SSH::LOG;
+ option testport = 42/tcp;
+ option testaddr = 127.0.0.1;
+ option testtime = network_time();
+ option testinterval = 1sec;
+ option teststring = "a";
+ option test_set: set[string] = {};
+ option test_vector: vector of count = {};
+}
+
+global eolcount = 0;
+
+event Input::end_of_data(name: string, source:string)
+ {
+ print "eod";
+ if ( sub_bytes(name, 1, 7) != "config-" )
+ return;
+
+ eolcount += 1;
+
+ if ( eolcount == 2 )
+ terminate();
+ }
diff --git a/testing/btest/scripts/base/frameworks/input/basic.bro b/testing/btest/scripts/base/frameworks/input/basic.bro
index d52af7d6e2..e77a418f0d 100644
--- a/testing/btest/scripts/base/frameworks/input/basic.bro
+++ b/testing/btest/scripts/base/frameworks/input/basic.bro
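Review bot: testing/btest/scripts/base/frameworks/config/updates.bro depends on wall-clock timing. `# @TEST-EXEC: sleep 2` followed by `mv configfile2 configfile` assumes Bro has finished its first read of the file by then. On a slow or loaded machine the swap could land first, so only one end-of-data event would arrive and the test would sit until `btest-bg-wait 10` gives up. Having the first `Input::end_of_data` write a marker that the test waits for before moving the file would remove the fixed sleep. Separately, `print "eod";` runs before the `config-` name filter and looks like leftover debugging, and `eolcount` actually counts end-of-data events, so `eod_count` would be the clearer name.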
@@ -7,9 +7,9 @@ redef exit_only_after_terminate = T; @TEST-START-FILE input.log #separator \x09 #path ssh -#fields b i e c p sn a d t iv s sc ss se vc ve ns -#types bool int enum count port subnet addr double time interval string table table table vector vector string -T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 +#fields b i e c p pp sn a d t iv s sc ss se vc ve ns +#types bool int enum count port port subnet addr double time interval string table table table vector vector string +T -42 SSH::LOG 21 123 5/icmp 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 @TEST-END-FILE @load base/protocols/ssh @@ -29,6 +29,7 @@ type Val: record { e: Log::ID; c: count; p: port; + pp: port; sn: subnet; a: addr; d: double; diff --git a/testing/btest/scripts/base/frameworks/input/config/basic.bro b/testing/btest/scripts/base/frameworks/input/config/basic.bro new file mode 100644 index 0000000000..c8d68fc822 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/config/basic.bro 
@@ -0,0 +1,75 @@
+# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: btest-diff out
+
+redef exit_only_after_terminate = T;
+redef InputConfig::empty_field = "EMPTY";
+redef InputConfig::set_separator = "\t";
+
+@TEST-START-FILE configfile
+testbool F
+testcount 1
+testcount 2
+testcount 2
+testint -1
+testenum Conn::LOG
+testport 45
+testportandproto 45/udp
+testaddr 127.0.0.1
+testaddr 2607:f8b0:4005:801::200e
+testinterval 60
+testtime 1507321987
+test_set a b c d erdbeerschnitzel
+test_vector 1 2 3 4 5 6
+test_set (empty)
+test_set EMPTY
+test_set -
+@TEST-END-FILE
+
+@load base/protocols/ssh
+@load base/protocols/conn
+
+global outfile: file;
+
+export {
+ option testbool: bool = T;
+ option testcount: count = 0;
+ option testint: int = 0;
+ option testenum = SSH::LOG;
+ option testport = 42/tcp;
+ option testportandproto = 42/tcp;
+ option testaddr = 127.0.0.1;
+ option testtime = network_time();
+ option testinterval = 1sec;
+ option teststring = "a";
+ option test_set: set[string] = {};
+ option test_vector: vector of count = {};
+}
+
+type Idx: record {
+ option_name: string;
+};
+
+type Val: record {
+ option_val: string;
+};
+
+global currconfig: table[string] of string = table();
+
+event InputConfig::new_value(name: string, source: string, id: string, value: any)
+ {
+ print outfile, id, value;
+ }
+
+event Input::end_of_data(name: string, source:string)
+ {
+ close(outfile);
+ terminate();
+ }
+
+event bro_init()
+ {
+ outfile = open("../out");
+ Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]);
+ }
+
diff --git a/testing/btest/scripts/base/frameworks/input/config/errors.bro b/testing/btest/scripts/base/frameworks/input/config/errors.bro
new file mode 100644
index 0000000000..4f398956dc
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/input/config/errors.bro
@@ -0,0 +1,66 @@
+# @TEST-EXEC: btest-bg-run bro bro -b %INPUT
+# @TEST-EXEC: btest-bg-wait 10
+# @TEST-EXEC: tail -n +2 .stderr > errout
+# @TEST-EXEC: btest-diff errout
+
+redef exit_only_after_terminate = T;
+
+@TEST-START-FILE configfile
+testbool A
+testtesttesttesttesttest
+testbool A B
+testcount A
+testenum unknown
+testbooool T
+test_any F
+test_table whatever
+@TEST-END-FILE
+
+@load base/protocols/ssh
+@load base/protocols/conn
+
+global outfile: file;
+
+export {
+ option testbool: bool = T;
+ option testcount: count = 0;
+ option testint: int = 0;
+ option testenum = SSH::LOG;
+ option testport = 42/tcp;
+ option testaddr = 127.0.0.1;
+ option testtime = network_time();
+ option testinterval = 1sec;
+ option teststring = "a";
+ option test_set: set[string] = {};
+ option test_vector: vector of count = {};
+ option test_any: any = 5;
+ option test_table: table[string] of string = {};
+}
+
+type Idx: record {
+ option_name: string;
+};
+
+type Val: record {
+ option_val: string;
+};
+
+global currconfig: table[string] of string = table();
+
+event InputConfig::new_value(name: string, source: string, id: string, value: any)
+ {
+ print outfile, id, value;
+ }
+
+event Input::end_of_data(name: string, source:string)
+ {
+ close(outfile);
+ terminate();
+ }
+
+event bro_init()
+ {
+ outfile = open("../out");
+ Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]);
+ }
+
From 1f6954ca3efa8e94542a743aee762e96dbb53704 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 30 Nov 2017 08:42:18 -0800 Subject: [PATCH 252/631] Add missing ; in SSL binpac parser. Binpac for some reason also works without it. Found by Luke Valenta. --- src/analyzer/protocol/ssl/tls-handshake-protocol.pac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
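Review bot: Only `errout` is compared in the errors.bro test, so the values the config reader does accept are never checked: `InputConfig::new_value` prints every accepted option to `../out`, but no `btest-diff out` step follows. Adding `# @TEST-EXEC: btest-diff out` after the `errout` diff would pin that none of the malformed lines (`testbool A`, `testbooool T`, `test_table whatever`) yields an option value, presumably against an empty or near-empty baseline. Without it, a reader that reports the error but still emits a value for the same line would pass this test.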
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index 43bca802d2..1ccd128dee 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -382,7 +382,7 @@ type ServerEDCHParamsAndSignature() = record { point_length: uint8; point: bytestring &length=point_length; signed_params: bytestring &restofdata; # only present in case of non-anon message -} +}; # Parse a DHE ServerKeyExchange message, which contains a signature over the # parameters. From 94f55532f2a1cf0077a1a6bce2f13f58f117228e Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Thu, 30 Nov 2017 12:18:14 -0800 Subject: [PATCH 253/631] Make parsing of ServerKeyExchange work for D(TLS) < 1.2. Now we only parse the SignatureAndHashalgorithm field in cases where it is present. This change also takes care to respect SCTs, which do include the SignatureAndHashalgorithm in their digitally-signed struct, even when used in protocol versions that do not have the SignatureAndHashalgorithm in the protocols digitally-signed struct. I also added tests to make sure this does indeed work with TLS 1.1 - it turns out that so far we did not have a single TLS 1.1 pcap. --- src/analyzer/protocol/ssl/events.bif | 6 ++- .../protocol/ssl/tls-handshake-analyzer.pac | 26 +++++++++-- .../protocol/ssl/tls-handshake-protocol.pac | 28 +++++++++--- .../ssl1_2.log | 10 +++++ .../x5091_2.log | 10 +++++ .../ssl-all.log | 42 +++++++++++++++--- .../.stdout | 6 +++ .../scripts.base.protocols.ssl.tls1_1/ssl.log | 10 +++++ .../x509.log | 12 +++++ .../tls/{dtls-openssl.pcap => dtls1_0.pcap} | Bin testing/btest/Traces/tls/dtls1_2.pcap | Bin 0 -> 3675 bytes .../signed_certificate_timestamp_tls1_0.pcap | Bin 0 -> 7021 bytes testing/btest/Traces/tls/tls1_1.pcap | Bin 0 -> 6980 bytes .../scripts/base/protocols/ssl/basic.test | 1 + .../scripts/base/protocols/ssl/dtls.test | 7 ++- .../base/protocols/ssl/keyexchange.test | 6 +++ .../ssl/signed_certificate_timestamp.test | 10 +++++ .../scripts/base/protocols/ssl/tls1_1.test | 6 +++ 18 files changed, 163 insertions(+), 17 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.dtls/ssl1_2.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.dtls/x5091_2.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls1_1/ssl.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls1_1/x509.log rename testing/btest/Traces/tls/{dtls-openssl.pcap => dtls1_0.pcap} (100%) create mode 100644 testing/btest/Traces/tls/dtls1_2.pcap create mode 
100644 testing/btest/Traces/tls/signed_certificate_timestamp_tls1_0.pcap create mode 100644 testing/btest/Traces/tls/tls1_1.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/tls1_1.test diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 7b919c4587..e4743b9399 100644 --- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -233,7 +233,11 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## c: The connection. ## ## signature_and_hashalgorithm: signature and hash algorithm used for the -## digitally_signed struct +## digitally_signed struct. This field is only present +## starting with TLSv1.2 and DTLSv1.2. Earlier versions +## used a hardcoded hash algorithm. For protocol versions +## below D(TLS)v1.2 this field is filled with an dummy +## value of 256. ## ## signature: Signature part of the digitally_signed struct. The private key ## corresponding to the certified public key in the server's certificate diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index 840d2536c1..b45fb7d2a9 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac 
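Review bot: The new doc text for `signature_and_hashalgorithm` in events.bif says "this field is filled with an dummy value of 256", but the parameter is a record and the analyzer change in this commit assigns 256 to both of its members. I would word the last sentence as `## below (D)TLSv1.2 both members of this record are set to the dummy value 256.`, which also fixes "an dummy". Script authors who map these counts to algorithm names need that spelled out, since 256 presumably has no entry in any name table. The doc comment for the event starts and ends outside this hunk.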
@@ -283,8 +283,17 @@ refine connection Handshake_Conn += { bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); - ha->Assign(0, new Val(${kex.signed_params.algorithm.HashAlgorithm}, TYPE_COUNT)); - ha->Assign(1, new Val(${kex.signed_params.algorithm.SignatureAlgorithm}, TYPE_COUNT)); + if ( ${kex.signed_params.uses_signature_and_hashalgorithm} ) + { + ha->Assign(0, new Val(${kex.signed_params.algorithm.HashAlgorithm}, TYPE_COUNT)); + ha->Assign(1, new Val(${kex.signed_params.algorithm.SignatureAlgorithm}, TYPE_COUNT)); + } + else + { + // set to impossible value + ha->Assign(0, new Val(256, TYPE_COUNT)); + ha->Assign(1, new Val(256, TYPE_COUNT)); + } BifEvent::generate_ssl_server_signature(bro_analyzer(), bro_analyzer()->Conn(), ha, new StringVal(${kex.signed_params.signature}.length(), (const char*)(${kex.signed_params.signature}).data())); @@ -351,8 +360,17 @@ refine connection Handshake_Conn += { ); RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); - ha->Assign(0, new Val(${signed_params.algorithm.HashAlgorithm}, TYPE_COUNT)); - ha->Assign(1, new Val(${signed_params.algorithm.SignatureAlgorithm}, TYPE_COUNT)); + if ( ${signed_params.uses_signature_and_hashalgorithm} ) + { + ha->Assign(0, new Val(${signed_params.algorithm.HashAlgorithm}, TYPE_COUNT)); + ha->Assign(1, new Val(${signed_params.algorithm.SignatureAlgorithm}, TYPE_COUNT)); + } + else + { + // set to impossible value + ha->Assign(0, new Val(256, TYPE_COUNT)); + ha->Assign(1, new Val(256, TYPE_COUNT)); + } BifEvent::generate_ssl_server_signature(bro_analyzer(), bro_analyzer()->Conn(), ha, diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index 327a4d8771..e6b3754d07 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac 
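Review bot: The sentinel `256` is a bare literal written four times, twice in the `else` branch here and twice in the matching branch of the `@@ -351,8 +360,17 @@` hunk, explained only by `// set to impossible value`. A comment that says why it is impossible would help the next reader: `// both fields are one byte on the wire, so 256 cannot be parsed; marks "not present" for (D)TLS < 1.2`. Hoisting the value into one named constant used by both branches would keep the two call sites and the events.bif documentation from drifting apart. Both enclosing functions start and end outside their hunks.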
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -112,6 +112,7 @@ type ServerHelloChoice(rec: HandshakeRecord) = record { 0x7F -> 0x7F00; # map any draft version to 00 default -> server_version; }; + version_set : bool = $context.connection.set_version(server_version); }; type ServerHello(rec: HandshakeRecord, server_version: uint16) = record { @@ -361,7 +362,7 @@ type ServerKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_c type EcdheServerKeyExchange(rec: HandshakeRecord) = record { curve_type: uint8; named_curve: case curve_type of { - NAMED_CURVE -> params: ServerEDCHParamsAndSignature; + NAMED_CURVE -> params: ServerECDHParamsAndSignature; default -> data: bytestring &restofdata &transient; }; signature: case curve_type of { @@ -371,10 +372,17 @@ type EcdheServerKeyExchange(rec: HandshakeRecord) = record { }; type ServerKeyExchangeSignature = record { - algorithm: SignatureAndHashAlgorithm; + alg: case uses_signature_and_hashalgorithm of { + true -> algorithm: SignatureAndHashAlgorithm; + false -> nothing: bytestring &length=0; + } &requires(uses_signature_and_hashalgorithm); signature_length: uint16; signature: bytestring &length=signature_length; -} +} &let { + uses_signature_and_hashalgorithm : bool = + ($context.connection.chosen_version() > TLSv11) && + ($context.connection.chosen_version() != DTLSv10); +}; # Parse an ECDH-anon ServerKeyExchange message, which does not contain a # signature over the parameters. Parsing explicit curve parameters from the 
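Review bot: In `ServerKeyExchangeSignature` (hunk `@@ -371,10 +372,17 @@`) the `uses_signature_and_hashalgorithm` expression picks the record layout from a numeric comparison on a version the server sends, and nothing explains its second clause. I would add `# DTLS wire versions count down (DTLS 1.0 = 0xFEFF, DTLS 1.2 = 0xFEFD), so DTLSv10 compares greater than TLSv11 and is excluded by hand` above it. As written, every unrecognised version above `TLSv11` is parsed with the algorithm field, and a connection whose ServerHello was not parsed keeps the `UNKNOWN_VERSION` default from the `%init` hunk further down, so `signature_length` may be read from the wrong offset; how that default compares is not visible here. Matching only the versions known to carry the field would make the layout choice explicit. The `set_version` call added at `@@ -112,6 +112,7 @@` also stores the raw `server_version` rather than the value normalised just above it, which looks deliberate but deserves a one-line comment.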
@@ -382,12 +390,12 @@ type ServerKeyExchangeSignature = record { type EcdhAnonServerKeyExchange(rec: HandshakeRecord) = record { curve_type: uint8; named_curve: case curve_type of { - NAMED_CURVE -> params: ServerEDCHParamsAndSignature; + NAMED_CURVE -> params: ServerECDHParamsAndSignature; default -> data: bytestring &restofdata &transient; }; }; -type ServerEDCHParamsAndSignature() = record { +type ServerECDHParamsAndSignature() = record { curve: uint16; point_length: uint8; point: bytestring &length=point_length; @@ -876,10 +884,12 @@ refine connection Handshake_Conn += { %member{ uint32 chosen_cipher_; + uint16 chosen_version_; %} %init{ chosen_cipher_ = NO_CHOSEN_CIPHER; + chosen_version_ = UNKNOWN_VERSION; %} function chosen_cipher() : int %{ return chosen_cipher_; %} @@ -889,6 +899,14 @@ refine connection Handshake_Conn += { chosen_cipher_ = cipher; return true; %} + + function chosen_version() : int %{ return chosen_version_; %} + + function set_version(version: uint16) : bool + %{ + chosen_version_ = version; + return true; + %} }; diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/ssl1_2.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/ssl1_2.log new file mode 100644 index 0000000000..519af88f6a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/ssl1_2.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-11-30-19-59-22 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string +1512070268.983215 CHhAvVGS1DHFjwGM9 192.168.17.58 60934 165.227.57.17 4400 DTLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 - F - - T Fox0Fc3MY8kLKfhNK6 (empty) O=Internet Widgits Pty Ltd,ST=Some-State,C=AU O=Internet Widgits Pty Ltd,ST=Some-State,C=AU - - +#close 2017-11-30-19-59-22 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/x5091_2.log b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/x5091_2.log new file mode 100644 index 0000000000..7eb8b9edbc --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.dtls/x5091_2.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path x509 +#open 2017-11-30-19-59-22 +#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len +#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count +1512070269.021156 Fox0Fc3MY8kLKfhNK6 3 87AAFFBCA26E44BF O=Internet Widgits Pty Ltd,ST=Some-State,C=AU O=Internet Widgits Pty Ltd,ST=Some-State,C=AU 1512070108.000000 1543606108.000000 rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - - - - - T - +#close 2017-11-30-19-59-22 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log b/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log index bcb3e11484..74883271b6 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.keyexchange/ssl-all.log 
@@ -3,30 +3,60 @@ #empty_field (empty) #unset_field - #path ssl -#open 2017-11-28-21-44-19 +#open 2017-11-30-20-15-05 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string count count string string string string string 1398558136.319509 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 TLSv12 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - - F - - T F6fLv13PBYz8MNqx68,F8cTDl1penwXxGu4K7 (empty) emailAddress=denicadmmail@arcor.de,CN=www.lilawelt.net,C=US CN=StartCom Class 1 Primary Intermediate Server CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL - - 1f7f8ae4d8dd45f31ed2e158f5f9ee676b7cb2c92585d8a3e1c2da7e TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV 5c3660849d1ba4081e9c5863f11c64233c045d58380ea393bdca5322 bbbc2dcad84674907c43fcf580e9cfdbd958a3f568b42d4b08eed4eb0fb3504c6c030276e710800c5ccbbaa8922614c5beeca565a5fdf1d287a2bc049be6778060e91a92a757e3048f68b076f7d36cc8f29ba5df81dc2ca725ece66270cc9a5035d8ceceef9ea0274a63ab1e58fafd4988d0f65d146757da071df045cfe16b9b 02 af5e4cde6c7ac4ad3f62f9df82e6a378a1c80fccf26abcbd13120339707baae172c0381abde73c3d607c14706bb8ab4d09dd39c5961ea86114c37f6b803554925a3e4c64c54ed1ba171e52f97fa2df2ef7e52725c62635e4c3ab625a018bfa75b266446f24b8e0c13dcc258db35b52e8ed5add68ca54de905395304cf3e1eeac - 1 6 
18fd31815d4c5316d23bddb61ada198272ffa76ab0a4f7505b2a232150bd79874a9e5aabd7e39aef8cccdd2eba9cfcef6cc77842c7b359899b976f930e671d9308c3a07eeb6eaf1411a4c91a3523e4a8a4ccf523df2b70d56da5173e862643ad894495f14a94bda7115cedda87d520e524f917197dec625ffa1283d156e39f2daa49424a42aba2e0d0e43ebd537f348db770fe6c901a17432c7dd1a9146a2039c383f293cab5b04cb653332454883396863dd419b63745cc65bfc905c06a5d4283f5ff33a1d59584610293a1b08da9a6884c8e67675568e2c357b3d040350694c8b1c74c4be16e76eafeb8efe69dc501154fd36347d04ffc0c6e9a5646a1902a c3d48226a8f94d3bbb49918ac02187493258e74e - 0080545ca1e5a9978e411a23f7ce3b50d2919cb7da2dfd4c97d1dd20db9535d6240b684751b08845d44b780750371c5f229903cf59216bcfbe255de370f9a801177fa0dd11061a0173cd7fe4d740e3a74cc594a8c2510d03039126388730c2c73ca0db5fdad2a2021e9ea025b86dc0ba87aea5629246a4cf0f98726fcda9c89d4483 - -#close 2017-11-28-21-44-19 +#close 2017-11-30-20-15-05 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path ssl -#open 2017-11-28-21-44-19 +#open 2017-11-30-20-15-06 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string count count string string string string string 1398529018.678827 CHhAvVGS1DHFjwGM9 192.168.18.50 56981 74.125.239.97 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T FDy6ve1m58lwPRfhE9,FnGjwc1EVGk5x0WZk5,F2T07R1XZFCmeWafv2 (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority 
G2,O=Google Inc,C=US - - d170a048a025925479f1a573610851d30a1f3e7267836932797def95 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV 5cb1fbd2e5c1f3605984d826eca11a8562b3c36d1f70fa44ba2f723c - - - 04c177ab173fed188d8455b2bd0eeac7c1fc334b5d9d38e651b6a31cbda4a7b62a4a222493711e6aec7590d27292ba300d722841ca52795ca55b9b26d12730b807 1 6 bb8ed698a89f33367af245236d1483c2caa406f61a6e3639a6483c8ed3baadaf18bfdfd967697ad29497dd7f16fde1b5d8933b6f5d72e63f0e0dfd416785a3ee3ad7b6d65e71c67c219740723695136678feaca0db5f1cd00a2f2c5b1a0b83098e796bb6539b486639ab02a288d0f0bf68123151437e1b2ef610af17993a107acfcb3791d00b509a5271ddcf60b31b202571c06ceaf51b846a0ff8fd85cf1bc99f82bb936bae69a13f81727f0810280306abb942fd80e0fdf93a51e7e036c26e429295aa60e36506ab1762d49e31152d02bd7850fcaa251219b3dde81ea5fc61c4c63b940120fa6847ccc43fad0a2ac252153254baa03b0baebb6db899ade45e e2fb0771ee6fc0d0e324bc863c02b57921257c86 - - 4104a92b630b25f4404c632dcf9cf454d1cf685a95f4d7c34e1bed244d1051c6bf9fda52edd0c840620b6ddf7941f9ee8a2684eec11a5a2131a0a3389d1e49122472 -#close 2017-11-28-21-44-20 +#close 2017-11-30-20-15-06 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path ssl -#open 2017-11-28-21-44-20 +#open 2017-11-30-20-15-06 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string count count string string string string string 1170717505.549109 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 
443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FeCwNK3rzqPnZ7eBQ5,FfqS7r3rymnsSKq0m2 (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - e6b8efdf91cf44f7eae43c83398fdcb2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 2b658d5183bbaedbf35e8f126ff926b14979cd703d242aea996a5fda - - - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 008057aaeea52e6d030e54fa9328781fda6f8de80ed8531946bfa8adc4b51ca7502cbce62bae6949f6b865d7125e256643b5ede4dd4cf42107cfa73c418f10881edf38a75f968b507f08f9c1089ef26bfd322cf44c0b746b8e3dff731f2585dcf26abb048d55e661e1d2868ccc9c338e451c30431239f96a00e4843b6aa00ba51785 - - 1170717508.697180 ClEkJM2Vm5giqnMf4h 192.150.187.164 58869 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FjkLnG4s34DVZlaBNc,FpMjNF4snD7UDqI5sk (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - a8a2ab739a64abb4e68cfcfc3470ff6269b1a86858501fbbd1327ed8 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0fac7f7823587c68438c87876533af7b0baa2a8f1078eb8d182247e9 - - - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 0080891c1b6b5f0ec9da1b38d5ba6efe9c0380219d1ac4e63a0e8993306cddc6944a57c9292beb5652794181f747d0e868b84dca7dfe9783d1baa2ef3bb68d929b2818c5b58b8f47663220f9781fa469fea7e7d17d410d3979aa15a7be651c9f16fbf1a04f87a95e742c3fe20ca6faf0d2e950708533fd3346e17e410f0f86c01f52 - - 1170717511.722913 C4J4Th3PJpwUYZZ6gc 192.150.187.164 58870 194.127.84.106 443 TLSv10 TLS_RSA_WITH_RC4_128_MD5 - - F - - T FQXAWgI2FB5STbrff,FUmSiM3TCtsyMGhcd (empty) CN=www.dresdner-privat.de,OU=Terms of use at www.verisign.com/rpa (c)00,O=AGIS Allianz Dresdner Informationssysteme GmbH,L=Muenchen,ST=Bayern,C=DE OU=www.verisign.com/CPS Incorp.by Ref. 
LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign\\, Inc.,O=VeriSign Trust Network - - 240604be2f5644c8dfd2e51cc2b3a30171bd58853ed7c6e3fcd18846 TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_FIPS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 fd1b8c1308a2caac010fcb76e9bd21987d897cb6c028cdb3176d5904 - - - - - - - 2c322ae2b7fe91391345e070b63668978bb1c9da 008032a6f5fd530f342e4d5b4043765005ba018f488800f897c259b005ad2a544f5800e99812d9a6336e84b07e4595d1b8ae00a582d91804fe715c132d1bdb112e66361db80a57a441fc8ea784ea76ec44b9f3a0f9ddc29be68010ff3bcfffc285a294511991d7952cbbfee88a869818bae31f32f7099b0754d9ce75b8fea887e1b8 - - -#close 2017-11-28-21-44-20 +#close 2017-11-30-20-15-06 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-11-30-20-15-07 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string 
string count count string string string string string +1512072318.429417 CHhAvVGS1DHFjwGM9 192.168.17.58 62987 216.58.192.14 443 TLSv11 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA secp256r1 - F - - T F1uIRd10FHM79akjJ1,FBy2pg1ix88ibHSEEf,FlfUEZ3rbay3xxsd9i (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - ae1b693f91b97315fc38b4b19f600e2aff7f24ce9b11bf538b1667e5 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_E
CDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0bdeb3f9e87d53e65a458a89d647f40fab7658f9d4a6ac93a5a65d71 - - - 04c8dd2cfb5dce034588f47acea36d8a0443857ec302c7be2974ce2a5a6d8db18e6161b1ee657dacc3b6ceb92f52dd122f0d466e01f21a39dfe35d48143e41d3cb 256 256 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 b453697b78df7c522c3e2bfc889b7fa6674903ca - - 4104887d740719eb306e32bf94ba4b9bf31ecabf9cca860e12f7fa55ac95c6676b0da90513aa453b18b82bf424bf2654a72a46b8d3d19210502a88381ba146533792 +#close 2017-11-30-20-15-07 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-11-30-20-15-08 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string count count string string string string string +1425932016.520157 CHhAvVGS1DHFjwGM9 192.168.6.86 63721 104.236.167.107 4433 DTLSv10 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA secp256r1 - F - - T FZi2Ct2AcCswhiIjKe (empty) CN=bro CN=bro - - 543f24d1a377e53b63d935157e76c81e2067b1333bccaad6c24ce92d 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_DES_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DH_RSA_WITH_DES_CBC_SHA,TLS_DH_DSS_WITH_DES_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,TLS_EMPTY_RENEGOTIATION_INFO_SCSV e29e9780bd73e567dba0ae66ed5b7fb1ee86efba4b09f98bd7b03ad2 - - - 
043c5e4b4508b840ef8ac34f592fba8716445aeb9ab2028695541ea62eb79b735da9dbfdbdd01a7beab2c832a633b7fd1ce278659355d7b8a1c88503bfb938b7ef 256 256 17569f292088d5383ffa009ffd5ae4a34b5aec68a206d68eea910b808831c098e5385b2fcf49bbd5df914d2b9d7efcd67a493c324daf48c929bdb3838e56fef25d67f45d6f03f7b195a9d688ec5efe96f1ffe0d88e73458b87175fac7073ca8d8e340657e805cb1e91db02ee687fe5ce37c57fb177368bf3ac787971591a67eaf1880eabac8307ec74e269539b9894781c0026ea61101dafbac1995bc32d39584a03ef82d413731df06dae085dc5984b7fcbedd860715fb84ebb75e74406b88bee23533eba46fe5b3f0936c130e262dcc48d3809f5e208719a70a2a918c0e9fe60b4e992ac555048ff6c2cd077ca2afdc0c36cde432a38c1058fb6bd9cb2cc39 fa6d780625219f5e1ae0b4c863e8321328241134 - - 4104093d316a7b6bdfdbc28c02516e145b8f52881cbb7a5f327e3d0967fc4303617d03d423277420024e6f89b9ab16414681d47a221998a2ba85c4e2f625a0ad7c49 +#close 2017-11-30-20-15-08 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-11-30-20-15-09 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer client_random client_cipher_suites server_random server_dh_p server_dh_q server_dh_Ys server_ecdh_point server_signature_sig_alg server_signature_hash_alg server_signature server_cert_sha1 client_rsa_pms client_dh_Yc client_ecdh_point +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string string string string string string string count count string string string string string +1512070268.983215 CHhAvVGS1DHFjwGM9 192.168.17.58 60934 165.227.57.17 4400 DTLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 secp256r1 - F - - T Fox0Fc3MY8kLKfhNK6 (empty) O=Internet Widgits Pty Ltd,ST=Some-State,C=AU O=Internet Widgits Pty Ltd,ST=Some-State,C=AU - - e701fd74cac15bdb8d0fb735dca354f8e4cc1e65944f8d443a1af9b2 
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DH_RSA_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_SEED_CBC_SHA,TLS_DHE_DSS_WITH_SEED_CBC_SHA,TLS_DH_RSA_WITH_SEED_CBC_SHA,TLS_DH_DSS_WITH_SEED_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DH_RSA_WITH_CAMELLI
A_128_CBC_SHA,TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_SEED_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV 1fea3e397e8a4533a9f4fd6e82cd650533269d28dc7b2d62496dc490 - - - 049e5bb8781f90c66cae6b86d7a74977bccd02963bb55631fe7d916ba91c9af9a9562dec1c71b66005503523fbb72a95874bc77394aed429093ad69d7971fb13a9 1 6 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 1cb43b5f1de3fe36d595da76210bbf5572a721be - - 41049c7a642fbbd5847c306ee295360442e353d78aef43297523f92be70b68b882ac708aefcb7a224b34130d6c6041030e5b62fc3def72d7774fd61043a0a430a416 +#close 2017-11-30-20-15-09 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout index 342228a1cf..327b97df41 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.signed_certificate_timestamp/.stdout 
@@ -7,3 +7,9 @@ Verify of, Google 'Aviator' log, T Bad verify of, Google 'Aviator' log, F Verify of, Google 'Rocketeer' log, T Bad verify of, Google 'Rocketeer' log, F +0, Google 'Rocketeer' log, 1509548284.428, [HashAlgorithm=4, SignatureAlgorithm=3] +0, Symantec log, 1509548284.713, [HashAlgorithm=4, SignatureAlgorithm=3] +Verify of, Google 'Rocketeer' log, T +Bad verify of, Google 'Rocketeer' log, F +Verify of, Symantec log, T +Bad verify of, Symantec log, F diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls1_1/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls1_1/ssl.log new file mode 100644 index 0000000000..de6af18a69 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls1_1/ssl.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-11-30-20-08-27 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string +1512072318.429417 CHhAvVGS1DHFjwGM9 192.168.17.58 62987 216.58.192.14 443 TLSv11 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA secp256r1 - F - - T F1uIRd10FHM79akjJ1,FBy2pg1ix88ibHSEEf,FlfUEZ3rbay3xxsd9i (empty) CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US - - +#close 2017-11-30-20-08-27 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls1_1/x509.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls1_1/x509.log new file mode 100644 index 0000000000..f6a3eac608 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls1_1/x509.log 
@@ -0,0 +1,12 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path x509 +#open 2017-11-30-20-08-27 +#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len +#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count +1512072318.462960 F1uIRd10FHM79akjJ1 3 3D1DE44E346ECE68 CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US CN=Google Internet Authority G2,O=Google Inc,C=US 1509544136.000000 1516800660.000000 rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - *.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.db833953.google.cn,*.g.co,*.gcp.gvt2.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.yt.be,*.ytimg.com,android.clients.google.com,android.com,developer.android.google.cn,developers.android.google.cn,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,source.android.google.cn,urchin.com,www.goo.gl,youtu.be,youtube.com,youtubeeducation.com,yt.be - - - F - +1512072318.462960 FBy2pg1ix88ibHSEEf 3 0100212588B0FA59A777EF057B6627DF CN=Google Internet Authority G2,O=Google Inc,C=US CN=GeoTrust Global CA,O=GeoTrust 
Inc.,C=US 1495452757.000000 1546300799.000000 rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - - - - - T 0 +1512072318.462960 FlfUEZ3rbay3xxsd9i 3 12BBE6 CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US OU=Equifax Secure Certificate Authority,O=Equifax,C=US 1021953600.000000 1534824000.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T - +#close 2017-11-30-20-08-27 diff --git a/testing/btest/Traces/tls/dtls-openssl.pcap b/testing/btest/Traces/tls/dtls1_0.pcap similarity index 100% rename from testing/btest/Traces/tls/dtls-openssl.pcap rename to testing/btest/Traces/tls/dtls1_0.pcap 
diff --git a/testing/btest/Traces/tls/dtls1_2.pcap b/testing/btest/Traces/tls/dtls1_2.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a8ce0f92d5a4f99ec881ee246c5d4067938d099d GIT binary patch literal 3675 zcmd6q3pkY98pq%7n~TesaVxqYmy%2P#-)&U7>ejBR0u_GCGE6J%4yrhQS6kGlp-V| zZEa;s^|=-j9g3tYQX1DTQX6}Hs7ZC6=j@(yp69IRd1uXJl!_xJwStTlDTIY~Is zLD1-cp}`Jk#Z^xSIKV*z%JQbabPjji#w{$HTO?63QUZNGieNr zfiq}yjE>W3G>nGRXgG%BI1L4dVLMR~tBH09sR<+?Zp z1Q!|ugnuYf00ak0E_%cA1Ncwm^372G4<$s=Q9{BwiwIHnm0S`woTlhF)sCSP;qEJ- zLxaGNbdX%Uzop9mm4xDWg2H|&A(Yjygks;0kq}?TS`a!0mN=ljOU*_7;DAu+x%X4r ze=rK!YpIw1dcZ%l%9Ej|nxNJcthL5^LrFA{1b`&kYUqiNNg>?}R>WZs3uwN8mPIWH zXkI|`AVO(wL?~{RIJ^Z!AUtEJ;FQ0`HG<6)(Fn5&>tkaWivffsmqmy$Y4&ucG;U_k zl_n&qfv}jU-Np@`T6Tf%fu39?VhZ)4sMrK+|3J?l{XGK}9eq5!d;&KsE(r`$v<>ti z6lB?4s;~*)K_~e$Iy9*Nm`f0n{VXn5kKh{V8tNLZLLLl18~(Q<55<%}XM!<+7K(`j z5sHc8p%@08OHM!WPdla`b*;zcnL{|fU~-Qf&-egoKX-C`O{(cFzSBInOFLWVNh*o4;>!K4-ZfE|s>Vl8pO%ynvbAcaq*BG>T=|#%Z-Q?*Di_#PG)-NZ=kh+J;a?iS zbpm5P8DO{RFnQ;_h*+Cy?CnGE(lyjU1(;=Ul-WZp?9GnVGvXmx*m>y>Xi^1~+D_n4PQ$%g!}Cx2}f zCuCV>`klJoH*xW}PJ@SrN@9$iX=Cv67BIJwcobNgBh3=nR5} zy3fUdHVhI62BpmYXELZz|CZ}Ioule1HR-=WQHfe@^MZdqAqtm|qjj(!gq5X22R*aUXPb%~1 zdt;xJr&3!|9{1O-^;mnRM@0<4f0t}q~}#%sO~GupEa#;oY{w-u(}wd-ZJA{HOsYH2QoNPtuN~DiB5d)7${eB zMTfCJc0N(!tR-dDoLIguWa=*gmy)z1gO%>lQL&nz^Sa>wDqKCXL7mR zL*ey9_ruRe=xvow&Cs@JnVHwb6Uvu*o_I(hap17hD?y+_pe+WNHK2nQHDwyen$b@< z&8tNWKk;-achI`Q zjp1uny^mDf2x?KECvZm-XAUb&n zCS_lqS&%VuW*xB|b7sZ9=oZis0q>7=IslyIjMNv+USZ=NFPJ9(aKchaCMBngH0Nf2@7|*E{uP+e(d&gWG z&N&GSmZZZX2>|oalhWLbetf%!&gDD1cM$$h56`5VH`~?k?c%9#QR&xgV|nL=W(Mr- zs@$$@qc6=~?`B5hIIa0}PS=n1TNmGz;3cLIDKg_eUGEv_hDkXZIo1J)ExIp*1{y>w zBCB=uk7c&oD^I^|W82N_?JnyndlZK`$DYRh=dMl3F3U4;^1i${j>>P#QGh;_8)aYB z>BVTB*kkH+XYQaNKNjR5TBm`5o~L?{Q-nn9LfzYk=CXTjrH`ceG)*xph-?T>t161R z#Vw!sYm1sg1nW|xZ?SIvkU_0Wd%%LM8;+{UoZO}DZ3p}#8d=AC-)d@I?QCo)@3P8x z6?IU|Uapg$F`<^xJK1}~S@|%T$l_NsjBv~Se+=wNvbIv2G`~0Zm%JlY7xslc-*~k# zeW#0_ib+c8y6WRbZcl!mW_wlDkT<@$up}!^ROW8Zypoqs1q_kKhHvR>;sO0h8L_W0 
ztQ^IVFb0FAyZ9LTJxiS*%s(m?7xG(kPH9S$@q!yB#q0ImBWGL0_Oh?yjI46{Bgj&} z$=D^~em0|0f}&qqAqGp4Tgtvt7q2mmQdgJe7aHItG(Qi(a{E!SR6-;asv{-FU>GxuaZAKd_*HUBsgRQ{P9?gW zRHUJ#kS-^st8^iWI+8BJzrPur;dK80f6nuJ?8mqExA(i&UTf`luW!3|<@7IDfCqp6 z-~k2-C!VVLWj-5#FARK985 z&qfEA*N%*Qc>n+wPdJOg;RqNEiL9Ev+Af ziz1^MFqIEaUOuKV05x!m*hnC_2771hocwho{gM~msASaLzNC~ij z0Pq5N0SPDq1t1Hg1=0c>AcGMsw8k7r0z3|2u&_fFsDNoe8UCFPl;E=>kO9*0y%d-N z-)h4ZQ=pH4yeN{%G%nT#F(Aqh>j>C^f$%~3os@)jE~yW6IO8=ZTbXmiaVv- z(oG2)t8nFRoo}jDkMr(VHb9^NFcKpebPu4*ln4Ew55$7rrI#wAo7Z1#U&Pcn-d-3~ zOiA)9=eDMTs|lGKN`@MtLcci0N6;|n!X=0!RtvQK=0LJp6p}nA_ai@AH`w|4x(1u9 zKCjpm?WUEV3%cClkV7*_Ia>$aZ?3HnoNTyUn6x+k@DoXz)jMll?TyrjzAvHTr`>9X z8>HQjXlA99ri4T!8E-GZwD@Lhvz5Dg^W3}YCXwRD`eKS(f74gLa@ICGRKw;k9?C_hVr|<_B@@{ri=e}@yU$@B{ zh8m^>^c!VF5>N&K16ktsx+H=d|~_4cGGAabZcRvvkf0x`B1w_${aMT)4wudJ zrzs*-RF#C3^fFE~o9EADYp!H6V#n>061QtAq9C+OO3J`ESZJ;>ofD4mF*C$hi6H*c`eVvii-h2u!Wh3+mkUL6V8MlX(=lXGV2%9Q{;YT&lO84Pm;5u}{(LckB}5oY1!E?A zq8u7AQH~DdQ~pHagd6*FCwD|o>Ij%T0$M#0BRpF@u{L|lQsl-3=FE07d=l1rcx9KI*0KCbh4P!$g#1p z=n7ChB%v3C3l?_|^@q+O2wj7Oj8O;%gZG7uZ#X6+*ex0%JYIygiAh8lQ_M*wPRO4ikXU%uz0~R^)_T4eM4(2l>5h?Vw z0tPdJ$07jHKqYOw5~7$)b$LouoL)5$@>|TOlyj8@Suf95C+5;ybn*-NMN?U zTBftL|15!bwBgg++gHz|b`0k(^J=VEPF~XHQ{{1I_QTaWE*`HHWZg=eTHD+=8!ukm zf6}gDXt4=psqUTHbo{9%l4fM>`Q=!Xx{Et$`}NjM*DH3!$-eD=WYghwzh}2)zCn_2 z54AOoyK|X)?h2bu`JRR@+uOf1-e5*>YZ7fdC^u&uk}>N0MRCv1$roDm|8>c3VCa)= zG)3X$+1ZlosucapGeBdmn!S=-M@og>Qq65GWy`wgVRZM~4pB4Ldal`ORJqk#m0#BP z>zrJM1h)46hIZ9b>(`Aeo%rdFLGjy)S{6`hD&-Cz{~f&0S3Qzj%9Z`ny zffb7Uc)t^i6X4I%v|lKyOAvEYQ&^aon#~o~B{Wkr_-k%uZsqg;EP?)8>5*@MkM(W! 
z$gw6C^PjhREUC)0`$IWGCBrf4d3N0&nax_gKEwXf6{d?bi+GZr?%s!*`2o4T-9PzV zYbPYjUtPD$u4>H^%YM(#Gdl)zx~5*e)$b|Y@ACbC*R#axqA*Un;I@Z`9)er&h!nM) zwQ0oK=IC7F_Df6U@ZE_spLKlwPKzAe)w2Ghu}c}s?S225+hv5@zIP(G8%mCGyUXH< z+`i~;#0 zbZVu|GYbj^W#r;B)#uigZRavaiy4d@EbpWz>~z6~ypU~~gU1PhQgVsM5*g~xHUrT_)W>85vqgTC(1MMl;=}2}N(hlh=L>mG6gLU)NzH@S&mFX#3fc z&n;$>tKtI%`LOAT>GL+Z0sLSgvj}rpSt7Z zjqO=0Pxc09ET4s}KOC^)%G{QDZ#NrYEYlC(iYPs_;l|a@hPp>p+NOQOO0@~k+vb_v zyDi(X+jVepg;t>S1+WW|*G*rYXGO52H1U_f?}MP;%V+(rjzpBSZ_0`{JkKyKzEDBy zB7YjtFnt1WDUf^;5k9siQ$)?~`9;>QM@H?)RjAEIpD_pLb)Ck~y`YG|%y8WA}zX((P*$b5|L8yw5aB z-mt2)uh%c^F4%T~`h_~x{Gq_HIDvaT=kg72!<)DF%+J>iY-(#xRgP?M>$umF@T>Ao z?`PNF-Cbwt`P$cgtI@EBw#E0Lj>heWtdv1TF4ihXQfAoF_>LN3-@vl@9EyZm*=+Uf z^;R#wS$HZ~-CL(?_}I3Dddaj~38%LLANl&YnQgmerG!OVKz{sNMWo+PVE867?A2Eh zO{9E4QhFwk#FCDXuZDL|=RR<1)z*}CH_O{`;GP&s{E$N^;m2P{d9t>@?kjsCwB&axi(|Lt^PQzI~zER&#KAdiiR3s*0lTc(o~E{)|Rji5@>oUj9p*hube@dAWXRiINV(dml`&x&1#Ptq_geT)mDDGR({{F z#Y$^xnLmbHXF!-&qN-tCmn27y5xl97@c7x4*O$nOeJ)knHKTWEwVp?|XU@*9cWc_# zB!(_lVrc|$<}kinyVt9$wR=5K>#ELW4Y{AJR+9V5mw0R!J7}`e+-`Vt`ZeE&{4|G@ zBCWd;#YNB7?#^$^irds-7)o04YXJp$pu3KgKP4t;MDOGNtYWt-RrKLVVs57s=!QK{+G?#RRvqF*;Drt_rH6A-gx5S=`Xxi4oDQcE}VR={5RLL`SUIxGn7o0 zrIe)+MTrD2_R8Uvp(C1_k^d0UbSp%R+F0{f#HQ?jW}^`C(?*+d#4}?yV#|o&I`jbA zCSM_gi=$V_$0uGPqpOC9O0r<}+i}E76cKf(qb$7QUWmVj>)V$i+4PiS@a#p8v zi3hE-;!Vw?sNZ7RQ(6*S9-n;jJ}>%m;mG=P+aeVAgQ{((?UUTpV^4haZESl~LPalc zFeo5m%szG0M{h?#_Y2GUTL)&ytQ?%(>d+st5otR$khSIlVOB8T5FgZ%cYjI43uTFA zT-5go^+ezgZ%ffOnHDgfLn=aA_%e|eOt(T>s7Y1=Wnt~2b-^|L1S49Bn$ZR?j2{C` zrU0~nbcqAHYcdwPA^9G2H#?;t-E5ew`u=R?v-8?=ktG!ms8PE!KWkoZTA+I(A6u&{ z@9}PG)#jm3={dC2X_sf8k#9ORLQ9Bq}E| zT%VkCwGQ1}t`czjJkb4^X`8(5L)0^^YW4MPpD&+jRCuENg zgK_0GOJknz>8jG5&A963#_rj(J?>wbcP`wg*9=?I_e?X;i)~S9c5ras?OEM$>{~OJ zn{Gv{-hT2}wV6gaqf5-;@jEx4?jBg}a3Q`2_f_ZCz9+|v7d}Zm5`17`f6+<}=gidV zgad^~v>%50wdj21N!&mkzVZ4$NX?qd$IOnyWdFQjl!u|SYfz_`Lc}d?1P~0Phqk|@ z=1-#3td*LSnj%D)n&jDIsp%SwB2I-N)O@wE+5elmq5kR*f7ldI5;vZe$)=Q8c?M`v 
zw#%1%%1uMnHbAxLzi80*7qx%K10BMJ$jO430~6Jvh)n}xh=2J<#PCUBE~ZY*MYH2D t7dw;XKpB5@*IHMmN~vbM2BV0wpT!XWSFY-WHlBda9^rP5+sHyu{|y?K!hHY$ literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/tls/tls1_1.pcap b/testing/btest/Traces/tls/tls1_1.pcap new file mode 100644 index 0000000000000000000000000000000000000000..36ad52c664fb28a6e03d3cdd7f45746029c7bfe4 GIT binary patch literal 6980 zcmb_h2V7Ih)}Nb-w9rJF5DSPP;Rd9Os5C30fCUR;5+D+ikc1|W78|T(7d3*et0>4? zKxK6W#1gT9fQX8Ux(cYUB7z8r1(i290XCq|_w9Z!zsxW9%$@nqnbYRXN$us|4&VR* z{PiIK1QLl%YT%qPB;W&|u~sypb@`^nvGhyV+)9;zCjis1?=(`)7U^M4=Q?MpdXEZH z5?C8!4+n#jxW2v%+X284h^G-eo`@hy$|l;Tf!I3&PL8hg0}0H4G}h#}@--kj6-+kF z1i*pxxdB7QRzOO6REXt|o!|-%$y#~IIdw90CIN@XkAMgmzj+W5TOMm)@oV1CZ_Y4& z9U!W+uLc#w-jSoQx01jYh=8@PP&(u&H~;u1iXIg(p8=qYN5Ew$#EW>GvG(quZI#Ole1RQ|_WIPpY0vo{wDMd;Ic3{0! zTRH;R0vkXFDA)sbgG`VCh3^5}!3-!D0{o!m!@k|0k?l zqcO?ifD5!A2Rts2%1l&wa_Ym21i$7$&mYq6d3RHeMKAeKo13@eQ0|IIAk~Ju=tD4T z#x|q^pb+4EN}md#^a9Fzpfm#&D@{ekWV0+h4#DA+Tt`3mnar&YL)AzlEH=*E_)ZN$ zREPkbMOQ&bknjNnk~S{DkFJesVuZ4`vNw+x%3)DwaT#<|bR5=+*ESmL6tM(cmWVn% zN)*NuutjlHZyVHjlp5WEPDkl<+sTf0_JNReMCmq@>9)3X6b(c}zPXf=s) z1b8t*0kB^gCq@vEXWX#hV@>_a%ek9kb`+w=-uLdj$04|7x(4?2l%+4+98Pum>^gd8 z)dB%N#45Epz+<~=(k=fCd#i%o4etfKXJtqAarW_{>HDIC>Sh-^>2zIZ)9)P2_PVCD zuc9!d!1zz|FVT9YvpOD~T8>UwM32i~{p#njD`v3o<7jgzA^y9BY~^_^>)+kVdOMLi zR~MhYB3k*FSM0Lcha#Si@pqY$;F5BKED6`DP|Xd~m}0yn8ZApyAF-r&qqXLp7UK!q z?Em~D+&d?$HQJ_Ws{Ye8mh%i#uPwfAdsQ;AaYRH|=Lm+1Up=>ToK@nmt3mSvNi()GF=~&R1s~v4^ zo$PD}ySZW#R3L;BtHWOgpB5S|vKc^@E7mHQ8_bClu^B>Hzsg?<4;CvB92vrZDbU#5 zq4XO5P&z7HO!*6m7eNaa4DW~<*0Fl{2*~wNjELA_9irh=qPYq@Gg%4*OQ=AE2o#90 zC5Me5i3ow`&%xBAmH^{EMhbx9Ukq?5(j9>{EESZco2YRE~Ocqbp zg;{}66b#isV{kDm7^I*TC_^$@M3)VeKg)Fp(IZ$Q0i2^a8bU=07-4L#Y`g|WaRv=S zZc}l*C{fgEmKB%B;PJxQa<1T_{r$3u(DeFA7Bh+gIpfIz$*^BUTP>3m=h=ufI)_}5wpI5uB;$><(QZlOb*yO zN-|l>#HJ`@oo|YmC=)OmHV`%tgs>b&dCLJB#cebR6N&iF*4F%Rwt}dwy=P7LhPELP zDGWvi2Q%clp)1bdF@$_{G!~N73AzNGf+C7`;IdEp`|Z=?+*_l~JnhCuqN>hL{j0q7zWltZ`Xm23hw}JMo9}Zatshx<*m7 zkDs2Tvhtj6@X1tADH-jqr`eoRXg-I!_3nvzEsSu+{2EW;_!WN3wpf*H2{00$=sYr6 z!Xo2J@2zb#%6D$6&Ec&M=1|?I%X1Ob&c+5NBQ~}UvRs62V++4_PIgX#|I4)Jzoi>{EeJ8o>wMFl 
zN!j9tI^UV+(%jzY^9@qH5*vQJ`X;S{{uZcN|pY~8mxPX(? z=RD{HRTpjci5a&mUtU>b@LQGNpezfs%j=2O<)yORQV`)`8VBG9rH;F=H&#K*pg7%K)8Y7XDmuZ zjR$BH*{IbYenM%&xCn+US3$L~`LZaXgkrJ%IE?Lo`(D*YEPoN=t6`EG;UvFT>8t&7 z6e{4<%Tf3m-@QYem7Oz_hn_PpLI%#6&L06FLBYVQ0BR?XTr_kNYLR80Wwvqr5K*kg zPD5*kfFraH6@|*228LtK|0O2Mg0Lw8bIQSVaqtN@%#~#UuwqtI-hC!BX4!?vk2kxG z$Cd42GyH>E=ibvdAIA*YW>mH*nHfabY<42EUYURHoW5&&yzP;s^WDT+ehJYm?&Y4c z%wn=WYjV|;7PqU&N1kfpqqY3ybH7-Dj*1Ib+fE-&?nSgyEBCrJmBdsyhuU{l-<^OH zxM!W`;@)@@Bc~!uTQv6>bgic(=N^o;vp!RHFlp4k8aFRG-X5B|U;?`8(CUSk9qzik z++cw?ZaR3ApP#e#`jtN`u0A|B&ZhH=UTJ(oy^D2ijYjjXxxF5RW0-2iU?-|&wrNSG z6VZ`UC7ucIBq8k=PX}G;;~#EJ+8k$D#IngQE~K|8zwI%x`2*lnVDL*o#kgj90K{vR zG%E^<2(Mv2Lt~x>irG25hLJrZqu3$Av2-hVR>B???eYCRR6iCYO2DGJvjie`2pi@; ztiP^fSo}k6VEm(_lTrAQ-^CmU$^S`={cnNqVU->O{oFljoWY{RW%W}yj?W_tW7BKT z9jKf8{;>NQe9OEsWTn)HORPhjCY~q8ZvMsb1+j2VVq{M9l~uVXUnf6LGpFn`z1Oy` zD?c~AEc5ydJv*IW@-w}*)8<#a+2npnSF+g3_jQ_8^4i7uo$W#4x53t8o%cE;?H)+I zvf~Bi=@+jDSl+0~n7Y@DSyf-XPCv53r@8iS{1N>d0Z+zub~ z)x(=FBt$kHvvqBBEFs&kU%fZ(r7qeXB(;1I8UFl(Jn*G-peb!b!rsj0un(5Ef0Nwz zt{X?ym~Wf;)Bak8u=mZVNEr-UL=+F5TxK7NanM=r@wO-(wa&82vfMba-{YZQ(?VH1 z5q5C?<@Q3E@i2mAZtsK5r4qbRPt=`6fR6xmL7fJ?8i(jwVOT<#$jNd=MKA$No@5HG z1uQ;K$QJPgal>pIpOONi8@0GTb9A*fqNLwalx}t?m6b&%hP0Qq)w-DUb##>b+;ew4 zS&Sy=)dZ|NxTexxbMK3pA=wd0McTFAUp5CW7k)baz|cnD@mR)Wouj*Mw`LpZD9t)k z(v<#soqg-*MZAiK=Y))(o+rgm9b4&2ZVPf0?R|##^*L}Nvpu+Ty_*)SjUaPW0pg7Z zqoxzeA5ZFCQH}RZ?Ot1*9q|LfeM919T-k+*qH2r4h^+(o=It`rapRJgwGj;l%N(2aw^~|o{iu2p~?D4~bMJYY(*QI`l=Qe8gib<+JY6y-v=RG~e+5Ij1w3=8w&#r!qN4Jj%7Cj4WM&M~@R z*V3s6-@DXBtyF%V?WnSRVT$o7SIJIKJDtsKLAogk-NidLKUbMk{x)dilRN5PW@dFI z-DBwX=B)3ry8W(EDqgm_b!G0KuWS?cR2db~uhs`KceiC+>h`~5 z9BAX>Z-7<22#Yef=4Js#M)N{&I|ozQd!Xz6Lo)C z7ar#j1r|7K|0OTOd1=7X?Q}wFf{3i&igIl(?mRo^=Pu)li+d|Js%yRb7?3Bq78Dz5P#H% zIBx%{ndN;qwuxpUQ4P_p=Aep%Y1UHtmO-!1B6PP|)HV>{!) 
zXPXU}ggpJpfCbG5YhRhrVnbLoh9;CS)P&ma2iC?)eD%P|n5FW))x&!DBY>ny!Cerj z{<8K&Sk;S!YlZViwUKV8-9S8MS7_|(y|}E=Pf|SJbQ^pBB8pX!C^hiZjNK+57p-r) zxThvxbY`xRFlCKFB7H9>sPeRgv+&@jH-99}$y?sp{-*tv@%dz<{CuO6f>&DR>>&Rm zTeErQUN<@=*9rnOe{U#hFfJ|EY7TvIExnsO|6Tb{`>lgLaF24jmMVQf?l`_8hm_fn z4%(ik`um&huT5<^exY#Q$0Cb!Ub^AJGge*KMt0TH9{Z#1dbcmRt<vqHoK)0&BJVYkRiv4NDfE)%Tpt-7e~RzmoCP z-8-tIb>CU#=XsxFyq4{8iOmVr4lCb2sJI>gjy6=RH$EfKBFHwVoNW+(7=zat=`EX z)iItNH@oGNS!Ce*Wy!WZ1v-_Z8fvkneR_z0+pl6PWE;?gC4ZrO13~8B`$NOn4YR#o zr=hmjLBeb=Sp%HR%?8jBh{}+zfUOea>i|Ujha%C3B5C}8h~%#2_v-$}(`1|R_{L@` zVcq}ay30_BvJbY6``^c!F2i#FCYC0|Dpkb7P5S%)@x)d_Rgs~s^$n=1f%RQgEs$|E TVHihbOf5219T-%V1nc`ZNmQ> ssl-all.log # @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace %INPUT # @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/tls1_1.pcap %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/dtls1_0.pcap %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/dtls1_2.pcap %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log # @TEST-EXEC: btest-diff ssl-all.log # Test the new client and server key exchange events. diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test index 0b9c5fc157..7c7dc90e4c 100644 --- a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test 
@@ -1,5 +1,15 @@ # @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT +# +# The following file contains a tls 1.0 connection with a SCT in a TLS extension. +# This is interesting because the digitally-signed struct in TLS 1.0 does not come +# with a SignatureAndHashAlgorithm structure. The digitally-signed struct in the +# SCT is, however, based on the TLS 1.2 RFC, no matter which version of TLS one +# uses in the end. So this one does have a Signature/Hash alg, even if the protocol +# itself does not carry it in the same struct. +# +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp_tls1_0.pcap %INPUT # @TEST-EXEC: btest-diff .stdout +# @TEST-EXEC: test ! -f dpd.log export { type LogInfo: record { diff --git a/testing/btest/scripts/base/protocols/ssl/tls1_1.test b/testing/btest/scripts/base/protocols/ssl/tls1_1.test new file mode 100644 index 0000000000..885a047ebe --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/tls1_1.test @@ -0,0 +1,6 @@ +# This tests a normal SSL connection and the log it outputs. + +# @TEST-EXEC: bro -r $TRACES/tls/tls1_1.pcap %INPUT +# @TEST-EXEC: btest-diff ssl.log +# @TEST-EXEC: btest-diff x509.log +# @TEST-EXEC: test ! -f dpd.log From 8ba5c035388cc52317cd81bae3c9fa3c947c7f2a Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Fri, 1 Dec 2017 14:35:51 -0800 Subject: [PATCH 254/631] Do not log SOCKS passwords by default. This introduces a new option, SOCKS::default_capture_password which can be used to specify if Socks passwords are logged by default Like fot FTP/HTTP, this option is set to false by default. Addresses BIT-1791 --- NEWS | 8 +++++ scripts/base/protocols/socks/main.bro | 33 +++++++++++-------- .../socks.log | 10 ++++++ .../tunnel.log | 10 ++++++ .../base/protocols/socks/socks-auth.bro | 6 ++++ 5 files changed, 54 insertions(+), 13 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/socks.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/tunnel.log diff --git a/NEWS b/NEWS index d25c0920cf..57c03fe5c5 100644 --- a/NEWS +++ b/NEWS @@ -48,6 +48,14 @@ Changed Functionality event is considered deprecated and will be removed in a future version of Bro. +- The Socks analyzer does no longer log passwords by default. This + brings its behavior in line with the FTP/HTTP analyzers which also + do not log passwords by default. + + To restore the previous behavior and log Socks passwords, use: + + redef SOCKS::default_capture_password = T; + Removed Functionality --------------------- diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro index 536e240b81..6995b5de88 100644 --- a/scripts/base/protocols/socks/main.bro +++ b/scripts/base/protocols/socks/main.bro 
@@ -6,32 +6,38 @@ module SOCKS; export { redef enum Log::ID += { LOG }; + ## This setting changes if passwords are captured or + ## not. + const default_capture_password = F &redef; + ## The record type which contains the fields of the SOCKS log. type Info: record { ## Time when the proxy connection was first detected. - ts: time &log; + ts: time &log; ## Unique ID for the tunnel - may correspond to connection uid ## or be non-existent. - uid: string &log; + uid: string &log; ## The connection's 4-tuple of endpoint addresses/ports. - id: conn_id &log; + id: conn_id &log; ## Protocol version of SOCKS. - version: count &log; + version: count &log; ## Username used to request a login to the proxy. - user: string &log &optional; + user: string &log &optional; ## Password used to request a login to the proxy. - password: string &log &optional; + password: string &log &optional; ## Server status for the attempt at using the proxy. - status: string &log &optional; + status: string &log &optional; ## Client requested SOCKS address. Could be an address, a name ## or both. - request: SOCKS::Address &log &optional; + request: SOCKS::Address &log &optional; ## Client requested port. - request_p: port &log &optional; + request_p: port &log &optional; ## Server bound address. Could be an address, a name or both. - bound: SOCKS::Address &log &optional; + bound: SOCKS::Address &log &optional; ## Server bound port. - bound_p: port &log &optional; + bound_p: port &log &optional; + ## Determines if the password will be captured for this request. + capture_password: bool &default=default_capture_password; }; ## Event that can be handled to access the SOCKS 
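Review bot: The doc comment on `password` in the `Info` record still reads as if the field is always filled, but with this change it stays unset unless `capture_password` is true. I would reword it to `## Password used to request a login to the proxy. Only set if capture_password is T.` and have the comment on `default_capture_password` state the default, e.g. `## Whether SOCKS passwords are captured by default; F keeps them out of socks.log.`. Separately, re-aligning every existing field in the same hunk buries the two functional additions, so the whitespace change would be easier to review as its own commit.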
@@ -90,10 +96,11 @@ event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Addres
 event socks_login_userpass_request(c: connection, user: string, password: string) &priority=5
 {
 # Authentication only possible with the version 5.
- set_session(c, 5);
+ set_session(c, 5);
 c$socks$user = user;
- c$socks$password = password;
+ if ( c$socks$capture_password )
+ c$socks$password = password;
 }
 event socks_login_userpass_reply(c: connection, code: count) &priority=5
diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/socks.log b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/socks.log
new file mode 100644
index 0000000000..2f7963dbd6
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/socks.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path socks
+#open 2017-12-01-22-33-17
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user password status request.host request.name request_p bound.host bound.name bound_p
+#types time string addr port addr port count string string string addr string port addr string port
+1368517392.724989 CHhAvVGS1DHFjwGM9 192.168.0.2 55951 192.168.0.1 1080 5 bob - succeeded 192.168.0.2 - 22 192.168.0.1 - 55951
+#close 2017-12-01-22-33-17
diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/tunnel.log b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/tunnel.log
new file mode 100644
index 0000000000..ef6bdc5b33
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/tunnel.log
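Review bot: `c$socks$capture_password` is read in `socks_login_userpass_request` right after `set_session(c, 5)`, so if that call is what first creates `c$socks` (its body is outside the hunk) the flag can only hold `default_capture_password` at this point, and the per-connection field added to `Info` has no effect unless a handler with a higher priority has already populated the record. If a per-connection override is intended, the field's comment should say which event and priority a script must use to set it; otherwise the check could read the global directly, `if ( default_capture_password )`. The handler also still receives the cleartext password as an event argument, so the change keeps it out of `c$socks` only, not away from other handlers of the same event.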
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2017-12-01-22-33-17 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1368517392.728523 - 192.168.0.2 0 192.168.0.1 1080 Tunnel::SOCKS Tunnel::DISCOVER +#close 2017-12-01-22-33-17 diff --git a/testing/btest/scripts/base/protocols/socks/socks-auth.bro b/testing/btest/scripts/base/protocols/socks/socks-auth.bro index 2123dc1d45..d58e1b5801 100644 --- a/testing/btest/scripts/base/protocols/socks/socks-auth.bro +++ b/testing/btest/scripts/base/protocols/socks/socks-auth.bro @@ -3,3 +3,9 @@ # @TEST-EXEC: btest-diff tunnel.log @load base/protocols/socks + +redef SOCKS::default_capture_password = T; + +@TEST-START-NEXT + +@load base/protocols/socks From ecfacbe96e35f0392e04cad04228c870a4363c33 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 5 Dec 2017 11:00:09 -0600 Subject: [PATCH 255/631] Fix documentation for ReassemblerStats. --- CHANGES | 4 ++++ VERSION | 2 +- scripts/base/init-bare.bro | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index bd18dc5e1c..dc0d2e4e63 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-363 | 2017-12-05 11:00:09 -0600 + + * Fix documentation for ReassemblerStats. (Corelight) + 2.5-362 | 2017-12-02 09:45:04 -0600 * BIT-1791: Do not log SOCKS passwords by default and add diff --git a/VERSION b/VERSION index 37deebc97b..f22c264edd 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-362 +2.5-363 diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index f2a6816d9d..f2ea2ed29a 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -531,7 +531,7 @@ type EventStats: record { dispatched: count; ##< Total number of events dispatched so far. }; -## Summary statistics of all regular expression matchers. +## Holds statistics for all types of reassembly. ## ## .. bro:see:: get_reassembler_stats type ReassemblerStats: record { From 8827ece34a7292718a4da60b4abcb925619e149c Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 5 Dec 2017 11:19:57 -0600 Subject: [PATCH 256/631] Updating submodule(s). [nomail] --- aux/bro-aux | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/bro-aux b/aux/bro-aux index 53bf0578a4..e9e91eac74 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 53bf0578a4ead2dcf6c488b610644451584d46e5 +Subproject commit e9e91eac74bf1a240e40bc62ad4f4dc3d88bc126 From 7c03f4dec0b3c693e61f7f8177b03f739e76b36a Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Tue, 5 Dec 2017 09:49:00 -0800 Subject: [PATCH 257/631] Fix compile warnings raised by gcc7. /home/johanna/bro/master/src/Sessions.cc: In member function 'void NetSessions::DoNextPacket(double, const Packet*, const IP_Hdr*, const EncapsulationStack*)': /home/johanna/bro/master/src/Sessions.cc:343:18: warning: comparison between signed and unsigned integer expressions [-Wsign-compare] if ( ip_hdr_len > len ) ~~~~~~~~~~~^~~~~ /home/johanna/bro/master/src/Sessions.cc:349:18: warning: comparison between signed and unsigned integer expressions [-Wsign-compare] if ( ip_hdr_len > caplen ) ~~~~~~~~~~~^~~~~~~~ /home/johanna/bro/master/src/Sessions.cc:399:20: warning: comparison between signed and unsigned integer expressions [-Wsign-compare] if ( ip_hdr_len > len ) ~~~~~~~~~~~^~~~~ In file included from /usr/include/machine/endian.h:6:0, from /usr/include/sys/types.h:44, from /usr/include/unistd.h:37, from /home/johanna/bro/master/src/Anon.cc:2: /home/johanna/bro/master/src/Anon.cc: In member function 'virtual ipaddr32_t AnonymizeIPAddr_Seq::anonymize(ipaddr32_t)': /home/johanna/bro/master/src/Anon.cc:85:18: warning: operation on '((AnonymizeIPAddr_Seq*)this)->AnonymizeIPAddr_Seq::seq' may be undefined [-Wsequence-point] return htonl(seq++); ^ --- src/Anon.cc | 3 ++- src/Sessions.cc | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/Anon.cc b/src/Anon.cc
index 87791501a4..a2afc489ca 100644
--- a/src/Anon.cc
+++ b/src/Anon.cc
@@ -82,7 +82,8 @@ int AnonymizeIPAddr::PreserveNet(ipaddr32_t input)
 ipaddr32_t AnonymizeIPAddr_Seq::anonymize(ipaddr32_t /* input */)
 {
- return htonl(seq++);
+ ++seq;
+ return htonl(seq);
 }
 ipaddr32_t AnonymizeIPAddr_RandomMD5::anonymize(ipaddr32_t input)
diff --git a/src/Sessions.cc b/src/Sessions.cc
index a1e685a608..9dc569daa7 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
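Review bot: The rewrite in `AnonymizeIPAddr_Seq::anonymize` silences the sequence-point warning but also changes the result: `htonl(seq++)` returned the value before the increment, while `++seq; return htonl(seq);` returns the value after it, so every address handed out by the sequential anonymizer shifts by one. If the shift is not intended, keep the post-increment semantics with a temporary, `ipaddr32_t cur = seq++;` followed by `return htonl(cur);` (assuming `seq`, declared outside the hunk, has the return type). If it is intended, a line in the commit message or CHANGES would help anyone comparing anonymized output across versions.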
@@ -339,7 +339,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 // For both of these it is safe to pass ip_hdr because the presence
 // is guaranteed for the functions that pass data to us.
- int ip_hdr_len = ip_hdr->HdrLen();
+ uint16 ip_hdr_len = ip_hdr->HdrLen();
 if ( ip_hdr_len > len )
 {
 Weird("invalid_IP_header_size", ip_hdr, encapsulation);
From bfe94641cf3781293354fd8c80e7307e734be4db Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 5 Dec 2017 11:30:06 -0800 Subject: [PATCH 258/631] Fix another gcc7 warning. Warning is: /home/johanna/bro/master/src/Type.cc: In member function 'virtual bool IndexType::DoUnserialize(UnserialInfo*)': /home/johanna/bro/master/src/Type.cc:548:60: warning: enum constant in boolean context [-Wint-in-bool-context] indices = (TypeList*) BroType::Unserialize(info, TYPE_LIST); ^ /home/johanna/bro/master/src/Type.cc: In member function 'virtual bool FuncType::DoUnserialize(UnserialInfo*)': /home/johanna/bro/master/src/Type.cc:868:61: warning: enum constant in boolean context [-Wint-in-bool-context] args = (RecordType*) BroType::Unserialize(info, TYPE_RECORD); ^ /home/johanna/bro/master/src/Type.cc:872:62: warning: enum constant in boolean context [-Wint-in-bool-context] arg_types = (TypeList*) BroType::Unserialize(info, TYPE_LIST); This one is a really nice catch in my opinion. GCC is completely correct - the 2nd argument to Unserialize is a bool. This means that all these calls always evaluate to Unserialize(info, true). Which is equivalent with the default, so I just removed the type from the call. This was probably caused by someone thinking of BroVal::Unserialize, which needs the type as the 2nd argument. --- src/Type.cc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/Type.cc b/src/Type.cc
index cce328d92b..aa9388d64e 100644
--- a/src/Type.cc
+++ b/src/Type.cc
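Review bot: Declaring `ip_hdr_len` as `uint16` in `NetSessions::DoNextPacket` removes the sign-compare warning by narrowing, and the value then feeds the bounds checks against `len` and `caplen`; if `HdrLen()` can ever return more than 65535 (its return type is not visible here) the truncated value would pass those checks. Matching the width of the values it is compared with avoids that, e.g. `const uint32 ip_hdr_len = ip_hdr->HdrLen();`, assuming `len` and `caplen` are `uint32`. A short comment saying why the type is unsigned would also keep a later edit from reintroducing `int`. The function body continues outside the hunk.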
@@ -545,7 +545,7 @@ bool IndexType::DoUnserialize(UnserialInfo* info) DO_UNSERIALIZE(BroType); UNSERIALIZE_OPTIONAL(yield_type, BroType::Unserialize(info)); - indices = (TypeList*) BroType::Unserialize(info, TYPE_LIST); + indices = (TypeList*) BroType::Unserialize(info); return indices != 0; } @@ -865,11 +865,11 @@ bool FuncType::DoUnserialize(UnserialInfo* info) UNSERIALIZE_OPTIONAL(yield, BroType::Unserialize(info)); - args = (RecordType*) BroType::Unserialize(info, TYPE_RECORD); + args = (RecordType*) BroType::Unserialize(info); if ( ! args ) return false; - arg_types = (TypeList*) BroType::Unserialize(info, TYPE_LIST); + arg_types = (TypeList*) BroType::Unserialize(info); if ( ! arg_types ) return false; From ea4cf7dbe978f1fa16daf6295d7385b311edba7d Mon Sep 17 00:00:00 2001 From: Hilko Bengen Date: Sat, 2 Dec 2017 19:59:37 +0100 Subject: [PATCH 259/631] Adapt most of the X509 support to OpenSSL 1.1 --- src/File.cc | 4 +- src/file_analysis/analyzer/x509/X509.cc | 46 +++++++------ src/file_analysis/analyzer/x509/X509.h | 41 +++++++++++ src/file_analysis/analyzer/x509/X509Common.cc | 9 ++- src/file_analysis/analyzer/x509/functions.bif | 68 +++++++++++-------- src/main.cc | 2 - 6 files changed, 116 insertions(+), 54 deletions(-) diff --git a/src/File.cc b/src/File.cc index e0e0d63332..609ea4f0ac 100644 --- a/src/File.cc +++ b/src/File.cc @@ -692,7 +692,7 @@ void BroFile::InitEncrypt(const char* keyfile) // Depending on the OpenSSL version, EVP_*_cbc() // returns a const or a non-const. EVP_CIPHER* cipher_type = (EVP_CIPHER*) EVP_bf_cbc(); - cipher_ctx = new EVP_CIPHER_CTX; + cipher_ctx = EVP_CIPHER_CTX_new(); unsigned char secret[EVP_PKEY_size(pub_key)]; unsigned char* psecret = secret; @@ -747,7 +747,7 @@ void BroFile::FinishEncrypt() return; } - delete cipher_ctx; + EVP_CIPHER_CTX_free(cipher_ctx); cipher_ctx = 0; } } diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index 2274f8fe3d..c9e78bb0b9 100644 
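Review bot: With the bogus second argument gone, IndexType::DoUnserialize still casts whatever `BroType::Unserialize(info)` returns to `TypeList*` without checking that the object is a type list, and FuncType::DoUnserialize in the second hunk does the same for `RecordType*` and `TypeList*`. The serialized stream decides which type comes back, so a mismatched tag would make later code treat the object as the wrong class. The intent the old call seemed to express can be made explicit by holding the result as a base pointer first, `BroType* t = BroType::Unserialize(info);` then `if ( ! t || t->Tag() != TYPE_LIST ) return false;` (releasing `t` on the mismatch path), with the analogous `TYPE_RECORD` and `TYPE_LIST` checks for `args` and `arg_types`. Whether Unserialize validates the tag somewhere else is not visible from these hunks.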
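Review bot: In BroFile::InitEncrypt the result of `EVP_CIPHER_CTX_new()` is stored in `cipher_ctx` without a null check, whereas the `new EVP_CIPHER_CTX` it replaces could not yield a null pointer. A failed allocation would be passed on to the EVP calls that follow outside the hunk. Add `if ( ! cipher_ctx )` directly after the assignment and leave the function the way its other failure paths do.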
--- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -139,7 +139,9 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* // we only read 255 bytes because byte 256 is always 0. // if the string is longer than 255, that will be our null-termination, // otherwhise i2t does null-terminate. - if ( ! i2t_ASN1_OBJECT(buf, 255, ssl_cert->cert_info->key->algor->algorithm) ) + ASN1_OBJECT *algorithm; + X509_PUBKEY_get0_param(&algorithm, NULL, NULL, NULL, X509_get_X509_PUBKEY(ssl_cert)); + if ( ! i2t_ASN1_OBJECT(buf, 255, algorithm) ) buf[0] = 0; pX509Cert->Assign(7, new StringVal(buf)); @@ -150,14 +152,12 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* // actually should be (namely - rsaEncryption), so that OpenSSL will parse out the // key later. Otherwise it will just fail to parse the certificate key. - ASN1_OBJECT* old_algorithm = 0; - if ( OBJ_obj2nid(ssl_cert->cert_info->key->algor->algorithm) == NID_md5WithRSAEncryption ) - { - old_algorithm = ssl_cert->cert_info->key->algor->algorithm; - ssl_cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption); - } + if ( X509_get_signature_nid(ssl_cert) == NID_md5WithRSAEncryption ) + X509_PUBKEY_set0_param(X509_get_X509_PUBKEY(ssl_cert), OBJ_nid2obj(NID_rsaEncryption), 0, NULL, NULL, 0); + else + algorithm = 0; - if ( ! i2t_ASN1_OBJECT(buf, 255, ssl_cert->sig_alg->algorithm) ) + if ( ! i2t_ASN1_OBJECT(buf, 255, OBJ_nid2obj(X509_get_signature_nid(ssl_cert))) ) buf[0] = 0; pX509Cert->Assign(8, new StringVal(buf)); 
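Review bot: The RDP special case in ParseCertificate now tests `X509_get_signature_nid(ssl_cert)`, but the code it replaces tested the public-key algorithm (`key->algor->algorithm`), which is also what the comment above it describes; the condition should be `OBJ_obj2nid(algorithm) == NID_md5WithRSAEncryption`. In addition, `X509_PUBKEY_set0_param` takes ownership of the object it is given and, as far as I know, releases the one it replaces, so the `algorithm` pointer obtained from `X509_PUBKEY_get0_param` may already be dangling when the later hunk hands it back with `X509_PUBKEY_set0_param(..., algorithm, ...)`. Keeping a duplicate made with `OBJ_dup` before the swap avoids that. ParseCertificate begins and ends outside this hunk.

```cpp
// … unchanged: X509_PUBKEY_get0_param(&algorithm, ...) and the key_alg assignment …
if ( OBJ_obj2nid(algorithm) == NID_md5WithRSAEncryption )
	{
	// set0_param replaces the stored object, so keep our own copy to restore later.
	ASN1_OBJECT* saved = OBJ_dup(algorithm);
	X509_PUBKEY_set0_param(X509_get_X509_PUBKEY(ssl_cert), OBJ_nid2obj(NID_rsaEncryption), 0, NULL, NULL, 0);
	algorithm = saved;
	}
else
	algorithm = 0;
```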
@@ -166,14 +166,16 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* EVP_PKEY *pkey = X509_extract_key(ssl_cert); if ( pkey != NULL ) { - if ( pkey->type == EVP_PKEY_DSA ) + if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA ) pX509Cert->Assign(9, new StringVal("dsa")); - else if ( pkey->type == EVP_PKEY_RSA ) + else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA ) { pX509Cert->Assign(9, new StringVal("rsa")); - char *exponent = BN_bn2dec(pkey->pkey.rsa->e); + const BIGNUM *e; + RSA_get0_key(EVP_PKEY_get0_RSA(pkey), NULL, &e, NULL); + char *exponent = BN_bn2dec(e); if ( exponent != NULL ) { pX509Cert->Assign(11, new StringVal(exponent)); @@ -182,7 +184,7 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* } } #ifndef OPENSSL_NO_EC - else if ( pkey->type == EVP_PKEY_EC ) + else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_EC ) { pX509Cert->Assign(9, new StringVal("ecdsa")); pX509Cert->Assign(12, KeyCurve(pkey)); @@ -191,8 +193,8 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* // set key algorithm back. We do not have to free the value that we created because (I think) it // comes out of a static array from OpenSSL memory. - if ( old_algorithm ) - ssl_cert->cert_info->key->algor->algorithm = old_algorithm; + if ( algorithm ) + X509_PUBKEY_set0_param(X509_get_X509_PUBKEY(ssl_cert), algorithm, 0, NULL, NULL, 0); unsigned int length = KeyLength(pkey); if ( length > 0 ) @@ -370,7 +372,7 @@ StringVal* file_analysis::X509::KeyCurve(EVP_PKEY *key) // well, we do not have EC-Support... return NULL; #else - if ( key->type != EVP_PKEY_EC ) + if ( EVP_PKEY_base_id(key) != EVP_PKEY_EC ) { // no EC-key - no curve name return NULL; 
@@ -378,7 +380,7 @@ StringVal* file_analysis::X509::KeyCurve(EVP_PKEY *key) const EC_GROUP *group; int nid; - if ( (group = EC_KEY_get0_group(key->pkey.ec)) == NULL) + if ( (group = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(key))) == NULL) // I guess we could not parse this return NULL; @@ -399,12 +401,16 @@ unsigned int file_analysis::X509::KeyLength(EVP_PKEY *key) { assert(key != NULL); - switch(key->type) { + switch(EVP_PKEY_base_id(key)) { case EVP_PKEY_RSA: - return BN_num_bits(key->pkey.rsa->n); + const BIGNUM *n; + RSA_get0_key(EVP_PKEY_get0_RSA(key), &n, NULL, NULL); + return BN_num_bits(n); case EVP_PKEY_DSA: - return BN_num_bits(key->pkey.dsa->p); + const BIGNUM *p; + DSA_get0_pqg(EVP_PKEY_get0_DSA(key), &p, NULL, NULL); + return BN_num_bits(p); #ifndef OPENSSL_NO_EC case EVP_PKEY_EC: @@ -414,7 +420,7 @@ unsigned int file_analysis::X509::KeyLength(EVP_PKEY *key) // could not malloc bignum? return 0; - const EC_GROUP *group = EC_KEY_get0_group(key->pkey.ec); + const EC_GROUP *group = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(key)); if ( ! group ) { diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index 325e8becac..60f67a9fd1 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h 
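Review bot: In KeyLength the DSA branch passes `p` straight to `BN_num_bits` after `DSA_get0_pqg`, and as far as I can tell a certificate can carry a DSA key whose domain parameters are omitted, in which case `p` would be null; the RSA branch has the same shape with `n`. Guard both, e.g. `return n ? BN_num_bits(n) : 0;` and `return p ? BN_num_bits(p) : 0;`, which matches the `return 0` the EC branch already uses for an unknown length. The two `const BIGNUM*` declarations also sit directly under `case` labels, so wrapping each case body in braces would keep them out of the scope of the cases that follow.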
@@ -8,6 +8,47 @@ #include "Val.h" #include "X509Common.h" +#if (OPENSSL_VERSION_NUMBER < 0x10002000L) + +#define X509_get_signature_nid(x) OBJ_obj2nid((x)->sig_alg->algorithm) + +#define X509_OBJECT_new() (X509_OBJECT*)malloc(sizeof(X509_OBJECT)) +#define X509_OBJECT_free(a) free(a) + +static X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a) +{ + if (a == NULL || a->type != X509_LU_X509) + return NULL; + return a->data.x509; +} + +#define OCSP_SINGLERESP_get0_id(s) (s)->certId +#define OCSP_resp_get0_certs(x) (x)->certs + +#endif + +#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) + +#define EVP_PKEY_get0_DSA(p) ((p)->pkey.dsa) +#define EVP_PKEY_get0_EC_KEY(p) ((p)->pkey.ec) +#define EVP_PKEY_get0_RSA(p) ((p)->pkey.rsa) + +static void DSA_get0_pqg(const DSA *d, + const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) +{ + if (p != NULL) *p = d->p; + if (q != NULL) *q = d->q; + if (g != NULL) *g = d->g; +} + +static void RSA_get0_key(const RSA *r, + const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) +{ + if (n != NULL) *n = r->n; + if (e != NULL) *e = r->e; + if (d != NULL) *d = r->d; +} +#endif namespace file_analysis { diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc index dba593a3eb..2e0a03ac8f 100644 --- a/src/file_analysis/analyzer/x509/X509Common.cc +++ b/src/file_analysis/analyzer/x509/X509Common.cc @@ -213,7 +213,7 @@ void file_analysis::X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT"); } - M_ASN1_OCTET_STRING_free(inner); + ASN1_OCTET_STRING_free(inner); OPENSSL_free(ext_val_second_pointer); interp->FlowEOF(); 
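Review bot: The first compatibility block is guarded by `OPENSSL_VERSION_NUMBER < 0x10002000L`, but of its contents only `X509_get_signature_nid` arrived with OpenSSL 1.0.2; `X509_OBJECT_new`, `X509_OBJECT_free`, `X509_OBJECT_get0_X509`, `OCSP_SINGLERESP_get0_id` and `OCSP_resp_get0_certs` are 1.1.0 additions, so a 1.0.2 build gets neither the library functions nor the shims. Those five belong under the `< 0x1010000fL` guard of the second block. The `X509_OBJECT_free(a)` shim is a bare `free(a)`, so the certificate reference that `X509_STORE_get_by_subject` stores in the object is never dropped; calling `X509_OBJECT_free_contents(a)` before `free(a)` would match what the 1.1 function does. The helper functions are `static` in a header, and `static inline` would avoid unused-function warnings in translation units that include it without calling them.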
@@ -239,7 +239,12 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, EventHandlerP BIO *bio = BIO_new(BIO_s_mem()); if( ! X509V3_EXT_print(bio, ex, 0, 0)) - M_ASN1_OCTET_STRING_print(bio,ex->value); + { + unsigned char **buf = NULL; + int len = i2d_ASN1_OCTET_STRING(X509_EXTENSION_get_data(ex), buf); + if (len >=0 ) + BIO_write(bio, *buf, len); + } StringVal* ext_val = GetExtensionFromBIO(bio); diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 1c1ec51818..217a845aa3 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -239,6 +239,8 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F ## x509_get_certificate_string x509_verify function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result %{ + stack_st_X509* ocsp_certs; + RecordVal* rval = 0; X509_STORE* ctx = x509_get_root_store(root_certs->AsTableVal()); if ( ! ctx ) @@ -317,10 +319,11 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c // the lookup. // Yay. - if ( ! basic->certs ) + ocsp_certs = sk_X509_dup(OCSP_resp_get0_certs(basic)); + if ( !ocsp_certs ) { - basic->certs = sk_X509_new_null(); - if ( ! basic->certs ) + ocsp_certs = sk_X509_new_null(); + if ( !ocsp_certs ) { rval = x509_result_record(-1, "Could not allocate basic x509 stack"); goto x509_ocsp_cleanup; 
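Review bot: The fallback path in ParseExtension dereferences a null pointer: `buf` is declared as `unsigned char **buf = NULL`, so `i2d_ASN1_OCTET_STRING(..., buf)` only returns the length and the following `BIO_write(bio, *buf, len)` reads through null. This path runs for any extension `X509V3_EXT_print` cannot render, which is decided by the certificate being parsed. Pass the address of a null `unsigned char*` so that OpenSSL allocates the buffer, and free it after writing. Note also that i2d emits the DER encoding including tag and length, whereas the removed `M_ASN1_OCTET_STRING_print` printed the string contents, so the value seen by scripts changes.

```cpp
if( ! X509V3_EXT_print(bio, ex, 0, 0))
	{
	unsigned char* buf = NULL;
	int len = i2d_ASN1_OCTET_STRING(X509_EXTENSION_get_data(ex), &buf);
	if ( len >= 0 )
		{
		BIO_write(bio, buf, len);
		OPENSSL_free(buf);
		}
	}
```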
@@ -330,7 +333,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c issuer_certificate = 0; for ( int i = 0; i < sk_X509_num(untrusted_certs); i++) { - sk_X509_push(basic->certs, X509_dup(sk_X509_value(untrusted_certs, i))); + sk_X509_push(ocsp_certs, X509_dup(sk_X509_value(untrusted_certs, i))); if ( X509_NAME_cmp(X509_get_issuer_name(cert), X509_get_subject_name(sk_X509_value(untrusted_certs, i))) == 0 ) issuer_certificate = sk_X509_value(untrusted_certs, i); @@ -346,7 +349,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c if ( !s igner ) // if we did not find it in the certificates that were sent, search in the root store - signer = x509_get_ocsp_signer(basic->certs, basic->tbsResponseData->responderId); + signer = x509_get_ocsp_signer(ocsp_certs, basic->tbsResponseData->responderId); */ if ( ! signer ) @@ -356,15 +359,15 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c } csc = X509_STORE_CTX_new(); - X509_STORE_CTX_init(csc, ctx, signer, basic->certs); + X509_STORE_CTX_init(csc, ctx, signer, ocsp_certs); X509_STORE_CTX_set_time(csc, 0, (time_t) verify_time); X509_STORE_CTX_set_purpose(csc, X509_PURPOSE_OCSP_HELPER); result = X509_verify_cert(csc); if ( result != 1 ) { - const char *reason = X509_verify_cert_error_string((*csc).error); - rval = x509_result_record(result, X509_verify_cert_error_string((*csc).error)); + const char *reason = X509_verify_cert_error_string(X509_STORE_CTX_get_error(csc)); + rval = x509_result_record(result, X509_verify_cert_error_string(X509_STORE_CTX_get_error(csc))); goto x509_ocsp_cleanup; } 
@@ -392,15 +395,17 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c else { // issuer not in list sent by server, check store - X509_OBJECT obj; - int lookup = X509_STORE_get_by_subject(csc, X509_LU_X509, X509_get_subject_name(cert), &obj); + X509_OBJECT *obj = X509_OBJECT_new(); + int lookup = X509_STORE_get_by_subject(csc, X509_LU_X509, X509_get_subject_name(cert), obj); if ( lookup <= 0) { rval = x509_result_record(lookup, "Could not find issuer of host certificate"); + X509_OBJECT_free(obj); goto x509_ocsp_cleanup; } - certid = OCSP_cert_to_id(NULL, cert, obj.data.x509); + certid = OCSP_cert_to_id(NULL, cert,X509_OBJECT_get0_X509( obj)); + X509_OBJECT_free(obj); } @@ -411,18 +416,22 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c } // for now, assume we have one reply... - single = sk_OCSP_SINGLERESP_value(basic->tbsResponseData->responses, 0); + single = OCSP_resp_get0(basic, 0); if ( ! single ) { rval = x509_result_record(-1, "Could not lookup OCSP response information"); goto x509_ocsp_cleanup; } - if ( OCSP_id_cmp(certid, single->certId) != 0 ) + if ( OCSP_id_cmp(certid, (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(single)) != 0 ) return x509_result_record(-1, "OCSP reply is not for host certificate"); // next - check freshness of proof... - if ( ! ASN1_GENERALIZEDTIME_check(single->thisUpdate) || ! ASN1_GENERALIZEDTIME_check(single->nextUpdate) ) + ASN1_GENERALIZEDTIME *thisUpdate; + ASN1_GENERALIZEDTIME *nextUpdate; + int type; + type = OCSP_single_get0_status(single, NULL, NULL, &thisUpdate, &nextUpdate); + if ( ! ASN1_GENERALIZEDTIME_check(thisUpdate) || ! ASN1_GENERALIZEDTIME_check(nextUpdate) ) { rval = x509_result_record(-1, "OCSP reply contains invalid dates"); goto x509_ocsp_cleanup; 
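Review bot: `X509_OBJECT_new()` is used in x509_ocsp_verify without a null check before `X509_STORE_get_by_subject` writes into the object, and on OpenSSL older than 1.1 the shim in X509.h is a plain `malloc`. Add `if ( ! obj )` with an `x509_result_record(-1, ...)` assignment to `rval` and `goto x509_ocsp_cleanup`. Separately, the lookup is keyed on `X509_get_subject_name(cert)` although the comment and the error text speak of the issuer; that argument predates this commit, but it looks like `X509_get_issuer_name(cert)` was intended, which is worth confirming while the line is being touched.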
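Review bot: The `OCSP_id_cmp` mismatch branch still ends in a bare `return x509_result_record(-1, "OCSP reply is not for host certificate");`, the only visible error path in x509_ocsp_verify that skips `x509_ocsp_cleanup`, so whatever was allocated up to that point (now including `ocsp_certs` and `csc`) is leaked whenever a reply names a different certificate. Assign the record to `rval` and `goto x509_ocsp_cleanup` as the neighbouring branches do. Also, `nextUpdate` is optional in an OCSP single response, so `OCSP_single_get0_status` may leave it null; `ASN1_GENERALIZEDTIME_check(nextUpdate)` and the later `X509_cmp_time(nextUpdate, ...)` should be skipped or treated as a failure in that case.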
@@ -435,16 +444,16 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c // Well, we will do it manually. - if ( X509_cmp_time(single->thisUpdate, &vtime) > 0 ) + if ( X509_cmp_time(thisUpdate, &vtime) > 0 ) rval = x509_result_record(-1, "OCSP reply specifies time in future"); - else if ( X509_cmp_time(single->nextUpdate, &vtime) < 0 ) + else if ( X509_cmp_time(nextUpdate, &vtime) < 0 ) rval = x509_result_record(-1, "OCSP reply expired"); - else if ( single->certStatus->type != V_OCSP_CERTSTATUS_GOOD ) - rval = x509_result_record(-1, OCSP_cert_status_str(single->certStatus->type)); + else if ( type != V_OCSP_CERTSTATUS_GOOD ) + rval = x509_result_record(-1, OCSP_cert_status_str(type)); // if we have no error so far, we are done. if ( !rval ) - rval = x509_result_record(1, OCSP_cert_status_str(single->certStatus->type)); + rval = x509_result_record(1, OCSP_cert_status_str(type)); x509_ocsp_cleanup: @@ -521,18 +530,18 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str if ( ! untrusted_certs ) return x509_result_record(-1, "Problem initializing list of untrusted certificates"); - X509_STORE_CTX csc; - X509_STORE_CTX_init(&csc, ctx, cert, untrusted_certs); - X509_STORE_CTX_set_time(&csc, 0, (time_t) verify_time); - X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_USE_CHECK_TIME); + X509_STORE_CTX *csc = X509_STORE_CTX_new(); + X509_STORE_CTX_init(csc, ctx, cert, untrusted_certs); + X509_STORE_CTX_set_time(csc, 0, (time_t) verify_time); + X509_STORE_CTX_set_flags(csc, X509_V_FLAG_USE_CHECK_TIME); - int result = X509_verify_cert(&csc); + int result = X509_verify_cert(csc); VectorVal* chainVector = 0; if ( result == 1 ) // we have a valid chain. try to get it... { - STACK_OF(X509)* chain = X509_STORE_CTX_get1_chain(&csc); // get1 = deep copy + STACK_OF(X509)* chain = X509_STORE_CTX_get1_chain(csc); // get1 = deep copy if ( ! chain ) { 
@@ -564,11 +573,11 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str x509_verify_chainerror: - X509_STORE_CTX_cleanup(&csc); + X509_STORE_CTX_cleanup(csc); sk_X509_free(untrusted_certs); - RecordVal* rrecord = x509_result_record(csc.error, X509_verify_cert_error_string(csc.error), chainVector); + RecordVal* rrecord = x509_result_record(X509_STORE_CTX_get_error(csc), X509_verify_cert_error_string(X509_STORE_CTX_get_error(csc)), chainVector); return rrecord; %} @@ -660,9 +669,12 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa uint32 cert_length; if ( precert ) { - // we also could use i2d_re_X509_tbs, for OpenSSL >= 1.0.2 +#if (OPENSSL_VERSION_NUMBER < 0x10002000L) x->cert_info->enc.modified = 1; cert_length = i2d_X509_CINF(x->cert_info, &cert_out); +#else + i2d_re_X509_tbs(x, &cert_out); +#endif data.append(reinterpret_cast(issuer_key_hash->Bytes()), issuer_key_hash->Len()); } else diff --git a/src/main.cc b/src/main.cc index 0ca39e9e2d..5851cd586b 100644 --- a/src/main.cc +++ b/src/main.cc @@ -21,8 +21,6 @@ extern "C" { #include #include -extern "C" void OPENSSL_add_all_algorithms_conf(void); - #include "bsd-getopt-long.h" #include "input.h" #include "DNS_Mgr.h" From f2c3a9495d616659097bc980324d5ef6582cb21a Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Wed, 17 May 2017 11:10:49 +0200 Subject: [PATCH 260/631] add SMB_Parameters.Words to smb1_transaction2_request event expose the fields contained in SMB_Parameters.Words of the SMB_COM_TRANSACTION2 (0x32) message to the script language. See MS-CIFS section 2.2.46.1. --- scripts/base/init-bare.bro | 27 +++++++++++++++++++ scripts/policy/protocols/smb/smb1-main.bro | 2 +- .../protocol/smb/smb1-com-transaction2.pac | 15 ++++++++++- .../protocol/smb/smb1_com_transaction2.bif | 8 +++--- 4 files changed, 46 insertions(+), 6 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index f2ea2ed29a..e63f9f7853 100644 
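Review bot: x509_verify now allocates the context with `X509_STORE_CTX_new()` in the previous hunk, but the exit path here only calls `X509_STORE_CTX_cleanup(csc)`, which releases the context's internals and not the object itself, so one context is leaked per call. The error code is also read after the cleanup has run. Build `rrecord` first and then call `X509_STORE_CTX_free(csc);`, and add a null check after `X509_STORE_CTX_new()` before `X509_STORE_CTX_init` uses the pointer.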
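Review bot: In the `#else` branch of sct_verify the return value of `i2d_re_X509_tbs(x, &cert_out)` is discarded, so `cert_length` stays uninitialised on OpenSSL 1.0.2 and newer, while the pre-1.0.2 branch assigns it. The code that consumes `cert_length` is outside the hunk, but any use of it as the size of `cert_out` would then read an arbitrary number of bytes. Assign it, `cert_length = i2d_re_X509_tbs(x, &cert_out);`, and since `cert_length` is a `uint32`, capture the `int` return value first and reject a negative result before the buffer is used.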
--- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2834,6 +2834,33 @@ export { security_blob : string &optional; }; + type SMB1::Trans2_Args: record { + ## Total parameter count + total_param_count: count; + ## Total data count + total_data_count: count; + ## Max parameter count + max_param_count: count; + ## Max data count + max_data_count: count; + ## Max setup count + max_setup_count: count; + ## Flags + flags: count; + ## Timeout + trans_timeout: count; + ## Parameter count + param_count: count; + ## Parameter offset + param_offset: count; + ## Data count + data_count: count; + ## Data offset + data_offset: count; + ## Setup count + setup_count: count; + }; + type SMB1::Find_First2_Request_Args: record { ## File attributes to apply as a constraint to the search search_attrs : count; diff --git a/scripts/policy/protocols/smb/smb1-main.bro b/scripts/policy/protocols/smb/smb1-main.bro index 853d83b01f..db817ca4a3 100644 --- a/scripts/policy/protocols/smb/smb1-main.bro +++ b/scripts/policy/protocols/smb/smb1-main.bro @@ -82,7 +82,7 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5 } -event smb1_transaction2_request(c: connection, hdr: SMB1::Header, sub_cmd: count) +event smb1_transaction2_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count) { c$smb_state$current_cmd$sub_command = SMB1::trans2_sub_commands[sub_cmd]; } diff --git a/src/analyzer/protocol/smb/smb1-com-transaction2.pac b/src/analyzer/protocol/smb/smb1-com-transaction2.pac index 1025e89dc2..a089c0324f 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction2.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction2.pac 
@@ -22,8 +22,21 @@ refine connection SMB_Conn += { function proc_smb1_transaction2_request(header: SMB_Header, val: SMB1_transaction2_request): bool %{ + RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans2_Args); + args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT)); + args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT)); + args->Assign(2, new Val(${val.max_param_count}, TYPE_COUNT)); + args->Assign(3, new Val(${val.max_data_count}, TYPE_COUNT)); + args->Assign(4, new Val(${val.max_setup_count}, TYPE_COUNT)); + args->Assign(5, new Val(${val.flags}, TYPE_COUNT)); + args->Assign(6, new Val(${val.timeout}, TYPE_COUNT)); + args->Assign(7, new Val(${val.param_count}, TYPE_COUNT)); + args->Assign(8, new Val(${val.param_offset}, TYPE_COUNT)); + args->Assign(9, new Val(${val.data_count}, TYPE_COUNT)); + args->Assign(10, new Val(${val.data_offset}, TYPE_COUNT)); + args->Assign(11, new Val(${val.setup_count}, TYPE_COUNT)); if ( smb1_transaction2_request ) - BifEvent::generate_smb1_transaction2_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), ${val.sub_cmd}); + BifEvent::generate_smb1_transaction2_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), args, ${val.sub_cmd}); return true; %} diff --git a/src/analyzer/protocol/smb/smb1_com_transaction2.bif b/src/analyzer/protocol/smb/smb1_com_transaction2.bif index 0daf5fcdd9..3e8c934db2 100644 --- a/src/analyzer/protocol/smb/smb1_com_transaction2.bif +++ b/src/analyzer/protocol/smb/smb1_com_transaction2.bif 
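Review bot: proc_smb1_transaction2_request builds the `SMB1::Trans2_Args` record before testing `if ( smb1_transaction2_request )`, so when no script handles the event the `RecordVal` and its twelve `Val`s are allocated for every message and never released. Move the `new RecordVal(...)` and the `Assign` calls inside the `if`, next to the `generate_smb1_transaction2_request` call. The later hunks for proc_smb1_transaction_request, proc_smb1_transaction_response and proc_smb1_transaction_secondary_request allocate their `StringVal` and `RecordVal` arguments ahead of the handler check in the same way.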
@@ -17,7 +17,7 @@ ## ## .. bro:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request ## smb1_trans2_get_dfs_referral_request smb1_transaction_request -event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, sub_cmd: count%); +event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` ## version 1 *transaction2* requests of subtype *find first2*. This transaction is used to begin @@ -91,7 +91,7 @@ event smb1_trans2_get_dfs_referral_request%(c: connection, hdr: SMB1::Header, fi # event smb1_trans2_get_dfs_referral_response%(c: connection, hdr: SMB1::Header, ??? %); -### Types - +## Types type SMB1::Find_First2_Request_Args: record; -type SMB1::Find_First2_Response_Args: record; \ No newline at end of file +type SMB1::Find_First2_Response_Args: record; +type SMB1::Trans2_Args: record; From bd72710e3b7de4aa24b9eea82e050961373cc57f Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Fri, 26 May 2017 15:18:59 +0200 Subject: [PATCH 261/631] add parameters and data to smb1_transaction_request/response messages expose SMB_Data.Trans_Parameters and SMB_Data.Trans_Data fields of SMB_COM_TRANSACTION (0x25) message type. See MS-CIFS section 2.2.4.33.1. These fields are exposed to the script level as Bro strings. Note that this commit also expose a new event smb1_transaction_response. --- scripts/policy/protocols/smb/smb1-main.bro | 2 +- .../protocol/smb/smb1-com-transaction.pac | 84 ++++++++++++++++++- .../protocol/smb/smb1_com_transaction.bif | 24 +++++- 3 files changed, 104 insertions(+), 6 deletions(-) diff --git a/scripts/policy/protocols/smb/smb1-main.bro b/scripts/policy/protocols/smb/smb1-main.bro index db817ca4a3..6b23fe91db 100644 --- a/scripts/policy/protocols/smb/smb1-main.bro +++ b/scripts/policy/protocols/smb/smb1-main.bro 
@@ -263,7 +263,7 @@ event smb1_session_setup_andx_response(c: connection, hdr: SMB1::Header, respons # No behavior yet. } -event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count) +event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string) { c$smb_state$current_cmd$sub_command = SMB1::trans_sub_commands[sub_cmd]; } diff --git a/src/analyzer/protocol/smb/smb1-com-transaction.pac b/src/analyzer/protocol/smb/smb1-com-transaction.pac index d199b9062c..725399b1bb 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction.pac 
@@ -31,18 +31,96 @@ refine connection SMB_Conn += { function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool %{ + StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data()); + StringVal *payload_str = nullptr; + SMB1_transaction_data *payload = nullptr; + + if ( !parameters ) + { + parameters = new StringVal(""); + } + + if ( ${val.data_count > 0} ) + { + payload = ${val.data}; + } + + if ( payload ) + { + switch ( payload->trans_type() ) + { + case SMB_PIPE: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data()); + break; + case SMB_UNKNOWN: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data()); + break; + default: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data()); + break; + } + } + + if ( !payload_str ) + { + payload_str = new StringVal(""); + } + if ( smb1_transaction_request ) BifEvent::generate_smb1_transaction_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), smb_string2stringval(${val.name}), - ${val.sub_cmd}); + ${val.sub_cmd}, + parameters, + payload_str); return true; %} function proc_smb1_transaction_response(header: SMB_Header, val: SMB1_transaction_response): bool %{ + StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data()); + StringVal *payload_str = nullptr; + SMB1_transaction_data *payload = nullptr; + + if ( !parameters ) + { + parameters = new StringVal(""); + } + + if ( ${val.data_count > 0} ) + { + payload = ${val.data[0]}; + } + + if ( payload ) + { + switch ( payload->trans_type() ) + { + case SMB_PIPE: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].pipe_data}.data()); + break; + case SMB_UNKNOWN: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].unknown}.data()); + break; + default: + payload_str = new StringVal(${val.data_count}, (const 
char*)${val.data[0].data}.data()); + break; + } + } + + if ( !payload_str ) + { + payload_str = new StringVal(""); + } + + if ( smb1_transaction_response ) + BifEvent::generate_smb1_transaction_response(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(header), + parameters, + payload_str); return true; %} }; @@ -54,8 +132,8 @@ type SMB1_transaction_data(header: SMB_Header, is_orig: bool, count: uint16, sub # SMB_MAILSLOT_LANMAN -> lanman : SMB_MailSlot_message(header.unicode, count); # SMB_RAP -> rap : SMB_Pipe_message(header.unicode, count); SMB_PIPE -> pipe_data : bytestring &restofdata; - SMB_UNKNOWN -> unknown : bytestring &restofdata &transient; - default -> data : bytestring &restofdata &transient; + SMB_UNKNOWN -> unknown : bytestring &restofdata; + default -> data : bytestring &restofdata; } &let { pipe_proc : bool = $context.connection.forward_dce_rpc(pipe_data, 0, is_orig) &if(trans_type == SMB_PIPE); }; diff --git a/src/analyzer/protocol/smb/smb1_com_transaction.bif b/src/analyzer/protocol/smb/smb1_com_transaction.bif index 8811cc3e92..0c411b55c3 100644 --- a/src/analyzer/protocol/smb/smb1_com_transaction.bif +++ b/src/analyzer/protocol/smb/smb1_com_transaction.bif @@ -3,7 +3,7 @@ ## Transaction Subprotocol Commands. These commands operate on mailslots and named pipes, ## which are interprocess communication endpoints within the CIFS file system. ## -## For more information, see MS-CIFS:2.2.4.33 +## For more information, see MS-CIFS:2.2.4.33.1 ## ## c: The connection. ## 
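Review bot: The payload strings in proc_smb1_transaction_request and proc_smb1_transaction_response are built as `new StringVal(${val.data_count}, ...data())`, which takes the length from the `data_count` header field while the bytes come from a `bytestring &restofdata` member of SMB1_transaction_data, whose real length is whatever remained in the message. When the field claims more than was actually parsed, the copy reads past the end of the buffer and hands those bytes to scripts. Use the bytestring's own length instead, e.g. `new StringVal(${val.data.pipe_data}.length(), (const char*)${val.data.pipe_data}.data())`, for all three cases in both functions; the later proc_smb1_transaction_secondary_request hunk repeats the pattern. The `if ( !parameters )` tests after `new` can never fire and can be dropped.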
@@ -14,5 +14,25 @@ ## ## sub_cmd: The sub command, some may be parsed and have their own events. ## +## parameters: content of the SMB_Data.Trans_Parameters field +## +## data: content of the SMB_Data.Trans_Data field +## ## .. bro:see:: smb1_message smb1_transaction2_request -event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count%); +event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string%); + +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 1 requests of type *transaction*. This command serves as the transport for the +## Transaction Subprotocol Commands. These commands operate on mailslots and named pipes, +## which are interprocess communication endpoints within the CIFS file system. +## +## For more information, see MS-CIFS:2.2.4.33.2 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message. +## +## parameters: content of the SMB_Data.Trans_Parameters field +## +## data: content of the SMB_Data.Trans_Data field +event smb1_transaction_response%(c: connection, hdr: SMB1::Header, parameters: string, data: string%); From 046c7bc48189b60f54d17ebd2df2dd6b303a6c85 Mon Sep 17 00:00:00 2001 
From: Jeffrey Bencteux Date: Thu, 1 Jun 2017 09:18:55 +0200 Subject: [PATCH 262/631] add smb1_transaction_secondary_request event expose SMB_COM_TRANSACTION_SECONDARY (0x26) message to script language. See MS-CIFS section 2.2.4.34.1. --- scripts/base/init-bare.bro | 19 ++++++ src/analyzer/protocol/smb/CMakeLists.txt | 1 + src/analyzer/protocol/smb/smb.pac | 1 + .../smb/smb1-com-transaction-secondary.pac | 65 +++++++++++++++++++ src/analyzer/protocol/smb/smb1-protocol.pac | 2 +- .../smb/smb1_com_transaction_secondary.bif | 19 ++++++ 6 files changed, 106 insertions(+), 1 deletion(-) create mode 100644 src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index e63f9f7853..b92ac9a5e4 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2861,6 +2861,25 @@ export { setup_count: count; }; + type SMB1::Trans_Sec_Args: record { + ## Total parameter count + total_param_count: count; + ## Total data count + total_data_count: count; + ## Parameter count + param_count: count; + ## Parameter offset + param_offset: count; + ## Parameter displacement + param_displacement: count; + ## Data count + data_count: count; + ## Data offset + data_offset: count; + ## Data displacement + data_displacement: count; + }; + type SMB1::Find_First2_Request_Args: record { ## File attributes to apply as a constraint to the search search_attrs : count; diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt index bf44501b96..6b594d5367 100644 --- a/src/analyzer/protocol/smb/CMakeLists.txt +++ b/src/analyzer/protocol/smb/CMakeLists.txt @@ -18,6 +18,7 @@ bro_plugin_bif( smb1_com_read_andx.bif smb1_com_session_setup_andx.bif smb1_com_transaction.bif + smb1_com_transaction_secondary.bif smb1_com_transaction2.bif smb1_com_tree_connect_andx.bif smb1_com_tree_disconnect.bif 
diff --git a/src/analyzer/protocol/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac index 156037f614..c747d87e92 100644 --- a/src/analyzer/protocol/smb/smb.pac +++ b/src/analyzer/protocol/smb/smb.pac @@ -24,6 +24,7 @@ #include "smb1_com_read_andx.bif.h" #include "smb1_com_session_setup_andx.bif.h" #include "smb1_com_transaction.bif.h" +#include "smb1_com_transaction_secondary.bif.h" #include "smb1_com_transaction2.bif.h" #include "smb1_com_tree_connect_andx.bif.h" #include "smb1_com_tree_disconnect.bif.h" diff --git a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac index bcd9ba91bb..a9ccddea73 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac 
@@ -1,3 +1,66 @@ +refine connection SMB_Conn += { + + function proc_smb1_transaction_secondary_request(header: SMB_Header, val: SMB1_transaction_secondary_request): bool + %{ + RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans_Sec_Args); + args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT)); + args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT)); + args->Assign(2, new Val(${val.param_count}, TYPE_COUNT)); + args->Assign(3, new Val(${val.param_offset}, TYPE_COUNT)); + args->Assign(4, new Val(${val.param_displacement}, TYPE_COUNT)); + args->Assign(5, new Val(${val.data_count}, TYPE_COUNT)); + args->Assign(6, new Val(${val.data_offset}, TYPE_COUNT)); + args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT)); + + StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data()); + StringVal *payload_str = nullptr; + SMB1_transaction_data *payload = nullptr; + + if ( !parameters ) + { + parameters = new StringVal(""); + } + + if ( ${val.data_count > 0} ) + { + payload = ${val.data}; + } + + if ( payload ) + { + switch ( payload->trans_type() ) + { + case SMB_PIPE: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data()); + break; + case SMB_UNKNOWN: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data()); + break; + default: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data()); + break; + } + } + + if ( !payload_str ) + { + payload_str = new StringVal(""); + } + + if ( smb1_transaction_secondary_request ) + { + BifEvent::generate_smb1_transaction_secondary_request(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(header), + args, + parameters, + payload_str); + } + + return true; + %} +}; + type SMB1_transaction_secondary_request(header: SMB_Header) = record { word_count : uint8; total_param_count : uint16; 
@@ -14,4 +77,6 @@ type SMB1_transaction_secondary_request(header: SMB_Header) = record { parameters : bytestring &length = param_count; pad2 : padding to data_offset - SMB_Header_length; data : SMB1_transaction_data(header, true, data_count, 0, SMB_UNKNOWN, false); +} &let { + proc : bool = $context.connection.proc_smb1_transaction_secondary_request(header, this); }; diff --git a/src/analyzer/protocol/smb/smb1-protocol.pac b/src/analyzer/protocol/smb/smb1-protocol.pac index 4b38feefcb..92a448ea8e 100644 --- a/src/analyzer/protocol/smb/smb1-protocol.pac +++ b/src/analyzer/protocol/smb/smb1-protocol.pac @@ -170,7 +170,7 @@ type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_ # #SMB_COM_QUERY_INFORMATION2 -> query_information2 : SMB_query_information2_request(header); SMB_COM_LOCKING_ANDX -> locking_andx : SMB1_locking_andx_request(header, offset); SMB_COM_TRANSACTION -> transaction : SMB1_transaction_request(header); -# SMB_COM_TRANSACTION_SECONDARY -> transaction_secondary : SMB1_transaction_secondary_request(header); + SMB_COM_TRANSACTION_SECONDARY -> transaction_secondary : SMB1_transaction_secondary_request(header); # #SMB_COM_IOCTL -> ioctl : SMB_ioctl_request(header); # #SMB_COM_IOCTL_SECONDARY -> ioctl_secondary : SMB_ioctl_secondary_request(header); # #SMB_COM_COPY -> copy : SMB_copy_request(header); diff --git a/src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif b/src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif new file mode 100644 index 0000000000..ee658d4b76 --- /dev/null +++ b/src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif 
@@ -0,0 +1,19 @@
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *transaction_secondary*. This command
+## serves as an additional request data container for the
+## Transaction Subprotocol Commands (carried by *transaction* requests).
+##
+## For more information, see MS-CIFS:2.2.4.34
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message.
+##
+## parameters: the SMB_Data.Trans_Parameters field content
+##
+## data: the SMB_Data.Trans_Data field content
+##
+event smb1_transaction_secondary_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans_Sec_Args, parameters: string, data: string%);
+
+## Types
+type SMB1::Trans_Sec_Args: record;
From bbe89a79a47e6508a00c11d77d5ea5441723ee37 Mon Sep 17 00:00:00 2001
From: Jeffrey Bencteux
Date: Fri, 2 Jun 2017 17:27:11 +0200
Subject: [PATCH 263/631] add smb1_transaction2_secondary_request event parse and expose SMB_COM_TRANSACTION2_SECONDARY (0x33) message to script level. See MS-CIFS section 2.2.4.47.1.
---
scripts/base/init-bare.bro | 21 +++++++
src/analyzer/protocol/smb/CMakeLists.txt | 2 +
src/analyzer/protocol/smb/smb.pac | 2 +
.../smb/smb1-com-transaction2-secondary.pac | 62 +++++++++++++++++++
src/analyzer/protocol/smb/smb1-protocol.pac | 2 +-
.../smb/smb1_com_transaction2_secondary.bif | 19 ++++++
6 files changed, 107 insertions(+), 1 deletion(-)
create mode 100644 src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac
create mode 100644 src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index b92ac9a5e4..592c89116e 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
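Review bot: The doc block for smb1_transaction_secondary_request in smb1_com_transaction_secondary.bif describes `c`, `hdr`, `parameters` and `data` but not `args`, although the event signature carries `args: SMB1::Trans_Sec_Args`. A line such as `## args: arguments of the message (SMB_Parameters.Words)` between the `hdr` and `parameters` entries would close the gap. Since the handler that fills the record assigns the counts and offsets directly from the parsed message, the entry could also say that these are the sender's values as seen on the wire, not lengths the analyzer has validated.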
@@ -2880,6 +2880,27 @@ export { data_displacement: count; }; + type SMB1::Trans2_Sec_Args: record { + ## Total parameter count + total_param_count: count; + ## Total data count + total_data_count: count; + ## Parameter count + param_count: count; + ## Parameter offset + param_offset: count; + ## Parameter displacement + param_displacement: count; + ## Data count + data_count: count; + ## Data offset + data_offset: count; + ## Data displacement + data_displacement: count; + ## File ID + FID: count; + }; + type SMB1::Find_First2_Request_Args: record { ## File attributes to apply as a constraint to the search search_attrs : count; diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt index 6b594d5367..cc5d690dfd 100644 --- a/src/analyzer/protocol/smb/CMakeLists.txt +++ b/src/analyzer/protocol/smb/CMakeLists.txt @@ -20,6 +20,7 @@ bro_plugin_bif( smb1_com_transaction.bif smb1_com_transaction_secondary.bif smb1_com_transaction2.bif + smb1_com_transaction2_secondary.bif smb1_com_tree_connect_andx.bif smb1_com_tree_disconnect.bif smb1_com_write_andx.bif @@ -66,6 +67,7 @@ bro_plugin_pac( smb1-com-transaction-secondary.pac smb1-com-transaction.pac smb1-com-transaction2.pac + smb1-com-transaction2-secondary.pac smb1-com-tree-connect-andx.pac smb1-com-tree-disconnect.pac smb1-com-write-andx.pac diff --git a/src/analyzer/protocol/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac index c747d87e92..a21101faaa 100644 --- a/src/analyzer/protocol/smb/smb.pac +++ b/src/analyzer/protocol/smb/smb.pac @@ -26,6 +26,7 @@ #include "smb1_com_transaction.bif.h" #include "smb1_com_transaction_secondary.bif.h" #include "smb1_com_transaction2.bif.h" +#include "smb1_com_transaction2_secondary.bif.h" #include "smb1_com_tree_connect_andx.bif.h" #include "smb1_com_tree_disconnect.bif.h" #include "smb1_com_write_andx.bif.h" 
@@ -75,6 +76,7 @@ connection SMB_Conn(bro_analyzer: BroAnalyzer) { %include smb1-com-transaction-secondary.pac %include smb1-com-transaction.pac %include smb1-com-transaction2.pac +%include smb1-com-transaction2-secondary.pac %include smb1-com-tree-connect-andx.pac %include smb1-com-tree-disconnect.pac %include smb1-com-write-andx.pac diff --git a/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac new file mode 100644 index 0000000000..f2ae2e8e99 --- /dev/null +++ b/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac 
@@ -0,0 +1,62 @@ +refine connection SMB_Conn += { + + function proc_smb1_transaction2_secondary_request(header: SMB_Header, val: SMB1_transaction2_secondary_request): bool + %{ + RecordVal *args = new RecordVal(BifType::Record::SMB1::Trans2_Sec_Args); + args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT)); + args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT)); + args->Assign(2, new Val(${val.param_count}, TYPE_COUNT)); + args->Assign(3, new Val(${val.param_offset}, TYPE_COUNT)); + args->Assign(4, new Val(${val.param_displacement}, TYPE_COUNT)); + args->Assign(5, new Val(${val.data_count}, TYPE_COUNT)); + args->Assign(6, new Val(${val.data_offset}, TYPE_COUNT)); + args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT)); + args->Assign(8, new Val(${val.FID}, TYPE_COUNT)); + + StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data()); + StringVal *payload = new StringVal(${val.data_count}, (const char*)${val.data}.data()); + + if ( !parameters ) + { + parameters = new StringVal(""); + } + + if ( !payload ) + { + payload = new StringVal(""); + } + + if ( smb1_transaction2_secondary_request ) + { + BifEvent::generate_smb1_transaction2_secondary_request(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(header), + args, + parameters, + payload); + } + + return true; + %} +}; + +type SMB1_transaction2_secondary_request(header: SMB_Header) = record { + word_count : uint8; + total_param_count : uint16; + total_data_count : uint16; + param_count : uint16; + param_offset : uint16; + param_displacement : uint16; + data_count : uint16; + data_offset : uint16; + data_displacement : uint16; + FID : uint16; + + byte_count : uint16; + pad1 : padding to (param_offset - SMB_Header_length); + parameters : bytestring &length = param_count; + pad2 : padding to (data_offset - SMB_Header_length); + data : bytestring &length=data_count; +} &let { + proc : bool = 
$context.connection.proc_smb1_transaction2_secondary_request(header, this); +}; diff --git a/src/analyzer/protocol/smb/smb1-protocol.pac b/src/analyzer/protocol/smb/smb1-protocol.pac index 92a448ea8e..75db898f73 100644 --- a/src/analyzer/protocol/smb/smb1-protocol.pac +++ b/src/analyzer/protocol/smb/smb1-protocol.pac @@ -179,7 +179,7 @@ type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_ # #SMB_COM_WRITE_AND_CLOSE -> write_and_close : SMB_write_and_close_request(header); # #SMB_COM_NEW_FILE_SIZE -> new_file_size : SMB_new_file_size_request(header); # #SMB_COM_CLOSE_AND_TREE_DISC -> close_and_tree_disc : SMB_close_and_tree_disc_request(header); -# #SMB_COM_TRANSACTION2_SECONDARY -> transaction2_secondary : SMB1_transaction2_secondary_request(header); + SMB_COM_TRANSACTION2_SECONDARY -> transaction2_secondary : SMB1_transaction2_secondary_request(header); # #SMB_COM_FIND_CLOSE2 -> find_close2 : SMB_find_close2_request(header); # #SMB_COM_FIND_NOTIFY_CLOSE -> find_notify_close : SMB_find_notify_close_request(header); # #SMB_COM_TREE_CONNECT -> tree_connect : SMB_tree_connect_request(header); diff --git a/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif b/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif new file mode 100644 index 0000000000..81aef809aa --- /dev/null +++ b/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif 
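Review bot: In the SMB1_transaction2_secondary_request record, `param_offset`, `data_offset`, `param_count` and `data_count` are taken straight from the message. They drive `padding to (param_offset - SMB_Header_length)`, `padding to (data_offset - SMB_Header_length)` and the two `&length` fields, with no check that the offsets are at least SMB_Header_length or that the regions fit within `byte_count`. How binpac treats a padding target that is negative or lies before the current position is not visible from this hunk, so the assumption should be made explicit: require `param_offset >= SMB_Header_length` and `data_offset >= SMB_Header_length`, and stop parsing the message when that does not hold. A short comment above `pad1` stating that these fields are unvalidated sender-supplied values would also help the next reader.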
@@ -0,0 +1,19 @@
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 1 requests of type *transaction2 secondary*.
+##
+## For more information, see MS-CIFS:2.2.4.47.1
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)`
+## version 1 message.
+##
+## args: arguments of the message (SMB_Parameters.Words)
+##
+## parameters: content of the SMB_Data.Trans_Parameters field
+##
+## data: content of the SMB_Data.Trans_Data field
+event smb1_transaction2_secondary_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Sec_Args, parameters: string, data: string%);
+
+## Types
+type SMB1::Trans2_Sec_Args: record;
From 6a93abea3250f47ed46bb99913cba85c50e3b26a Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Thu, 7 Dec 2017 14:01:47 -0800
Subject: [PATCH 264/631] Adjust coding style & fix test failures. I am still not 100% convinced that there is no memory leak hidden somwehere... This also makes everything compile with OpenSSL 1.0.2 for me.
---
src/file_analysis/analyzer/x509/X509.cc | 4 +-
src/file_analysis/analyzer/x509/X509.h | 45 +++++++++++--------
src/file_analysis/analyzer/x509/X509Common.cc | 11 +++--
src/file_analysis/analyzer/x509/functions.bif | 37 ++++++++-------
4 files changed, 53 insertions(+), 44 deletions(-)
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index c9e78bb0b9..6f3cce23f4 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -152,7 +152,7 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* // actually should be (namely - rsaEncryption), so that OpenSSL will parse out the // key later. Otherwise it will just fail to parse the certificate key. - if ( X509_get_signature_nid(ssl_cert) == NID_md5WithRSAEncryption ) + if ( OBJ_obj2nid(algorithm) == NID_md5WithRSAEncryption ) X509_PUBKEY_set0_param(X509_get_X509_PUBKEY(ssl_cert), OBJ_nid2obj(NID_rsaEncryption), 0, NULL, NULL, 0); else algorithm = 0; @@ -380,7 +380,7 @@ StringVal* file_analysis::X509::KeyCurve(EVP_PKEY *key) const EC_GROUP *group; int nid; - if ( (group = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(key))) == NULL) + if ( (group = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(key))) == NULL ) // I guess we could not parse this return NULL; diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index 60f67a9fd1..1e7cd05a62 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h 
@@ -12,42 +12,49 @@ #define X509_get_signature_nid(x) OBJ_obj2nid((x)->sig_alg->algorithm) -#define X509_OBJECT_new() (X509_OBJECT*)malloc(sizeof(X509_OBJECT)) -#define X509_OBJECT_free(a) free(a) - -static X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a) -{ - if (a == NULL || a->type != X509_LU_X509) - return NULL; - return a->data.x509; -} - -#define OCSP_SINGLERESP_get0_id(s) (s)->certId -#define OCSP_resp_get0_certs(x) (x)->certs - #endif #if (OPENSSL_VERSION_NUMBER < 0x1010000fL) +#define X509_OBJECT_new() (X509_OBJECT*)malloc(sizeof(X509_OBJECT)) +#define X509_OBJECT_free(a) free(a) + +#define OCSP_SINGLERESP_get0_id(s) (s)->certId +#define OCSP_resp_get0_certs(x) (x)->certs + #define EVP_PKEY_get0_DSA(p) ((p)->pkey.dsa) #define EVP_PKEY_get0_EC_KEY(p) ((p)->pkey.ec) #define EVP_PKEY_get0_RSA(p) ((p)->pkey.rsa) +static X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a) +{ + if ( a == nullptr || a->type != X509_LU_X509 ) + return nullptr; + return a->data.x509; +} + static void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) { - if (p != NULL) *p = d->p; - if (q != NULL) *q = d->q; - if (g != NULL) *g = d->g; + if ( p != nullptr ) + *p = d->p; + if ( q != nullptr ) + *q = d->q; + if ( g != nullptr ) + *g = d->g; } static void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) { - if (n != NULL) *n = r->n; - if (e != NULL) *e = r->e; - if (d != NULL) *d = r->d; + if ( n != nullptr ) + *n = r->n; + if ( e != nullptr ) + *e = r->e; + if ( d != nullptr ) + *d = r->d; } + #endif namespace file_analysis { diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc index 2e0a03ac8f..b101f502ff 100644 --- a/src/file_analysis/analyzer/x509/X509Common.cc +++ b/src/file_analysis/analyzer/x509/X509Common.cc 
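Review bot: The pre-1.1.0 shim `X509_OBJECT_new()` in X509.h is a bare `malloc`, so the `type` member that `X509_OBJECT_get0_X509` tests is uninitialised until a lookup fills it in; a caller that inspects the object after a failed lookup would read indeterminate memory. `#define X509_OBJECT_new() (X509_OBJECT*)calloc(1, sizeof(X509_OBJECT))` gives it a defined zero state. The matching `X509_OBJECT_free(a)` is a bare `free(a)` and does not release whatever the object holds, which may leave a certificate reference behind on these OpenSSL versions; the callers are outside this hunk, so this needs checking against them (1.0.x offers `X509_OBJECT_free_contents` for the purpose). The helper functions are `static` in a header, so `static inline` would avoid unused-function warnings in translation units that never call them.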
@@ -240,10 +240,13 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, EventHandlerP BIO *bio = BIO_new(BIO_s_mem()); if( ! X509V3_EXT_print(bio, ex, 0, 0)) { - unsigned char **buf = NULL; - int len = i2d_ASN1_OCTET_STRING(X509_EXTENSION_get_data(ex), buf); - if (len >=0 ) - BIO_write(bio, *buf, len); + unsigned char *buf = nullptr; + int len = i2d_ASN1_OCTET_STRING(X509_EXTENSION_get_data(ex), &buf); + if ( len >=0 ) + { + BIO_write(bio, &buf, len); + OPENSSL_free(buf); + } } StringVal* ext_val = GetExtensionFromBIO(bio); diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 217a845aa3..6fdb695ce8 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -239,8 +239,6 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F ## x509_get_certificate_string x509_verify function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result %{ - stack_st_X509* ocsp_certs; - RecordVal* rval = 0; X509_STORE* ctx = x509_get_root_store(root_certs->AsTableVal()); if ( ! ctx ) @@ -284,6 +282,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c OCSP_SINGLERESP *single = 0; X509_STORE_CTX *csc = 0; OCSP_CERTID *certid = 0; + stack_st_X509* ocsp_certs = nullptr; int status = -1; int out = -1; int result = -1; @@ -310,7 +309,6 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c goto x509_ocsp_cleanup; } - // the following code took me _forever_ to get right. // The OCSP_basic_verify command takes a list of certificates. However (which is not immediately // visible or understandable), those are only used to find the signer certificate. They are _not_ 
@@ -319,21 +317,10 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c // the lookup. // Yay. - ocsp_certs = sk_X509_dup(OCSP_resp_get0_certs(basic)); - if ( !ocsp_certs ) - { - ocsp_certs = sk_X509_new_null(); - if ( !ocsp_certs ) - { - rval = x509_result_record(-1, "Could not allocate basic x509 stack"); - goto x509_ocsp_cleanup; - } - } - issuer_certificate = 0; for ( int i = 0; i < sk_X509_num(untrusted_certs); i++) { - sk_X509_push(ocsp_certs, X509_dup(sk_X509_value(untrusted_certs, i))); + OCSP_basic_add1_cert(basic, sk_X509_value(untrusted_certs, i)); if ( X509_NAME_cmp(X509_get_issuer_name(cert), X509_get_subject_name(sk_X509_value(untrusted_certs, i))) == 0 ) issuer_certificate = sk_X509_value(untrusted_certs, i); @@ -358,6 +345,14 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c goto x509_ocsp_cleanup; } + { + auto basic_certs = OCSP_resp_get0_certs(basic); + if ( basic_certs ) + ocsp_certs = sk_X509_dup(basic_certs); + + assert(ocsp_certs); + } + csc = X509_STORE_CTX_new(); X509_STORE_CTX_init(csc, ctx, signer, ocsp_certs); X509_STORE_CTX_set_time(csc, 0, (time_t) verify_time); @@ -383,7 +378,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c // ok, now we verified the OCSP response. This means that we have a valid chain tying it // to a root that we trust and that the signature also hopefully is valid. This does not yet - // mean that the ocsp response actually matches the certificate the server send us or that + // mean that the ocsp response actually matches the certificate the server sent us or that // the OCSP response even says that the certificate is valid. // let's start this out by checking that the response is actually for the certificate we want 
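Review bot: In x509_ocsp_verify, `assert(ocsp_certs);` replaces the fallback and error return that the removed block had for a missing certificate stack. If `OCSP_resp_get0_certs(basic)` yields null or `sk_X509_dup` fails, a build with assertions enabled aborts the process on state that depends on the parsed reply, and a build with NDEBUG hands a null stack to `X509_STORE_CTX_init` without any record of it. The explicit handling should stay: fall back to an empty stack and return the existing error record through `x509_ocsp_cleanup` when even that cannot be allocated, as sketched below. The return value of `OCSP_basic_add1_cert` in the loop of the preceding hunk is ignored as well. The function body starts and ends outside these hunks.

```cpp
// … unchanged: basic_certs = OCSP_resp_get0_certs(basic); sk_X509_dup when non-null …
if ( ! ocsp_certs )
	ocsp_certs = sk_X509_new_null();

if ( ! ocsp_certs )
	{
	rval = x509_result_record(-1, "Could not allocate basic x509 stack");
	goto x509_ocsp_cleanup;
	}
// … unchanged: X509_STORE_CTX_new / X509_STORE_CTX_init …
```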
@@ -457,6 +452,9 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c x509_ocsp_cleanup: + if ( ocsp_certs ) + sk_X509_free(ocsp_certs); + if ( untrusted_certs ) sk_X509_free(untrusted_certs); @@ -573,12 +571,13 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str x509_verify_chainerror: + RecordVal* rrecord = x509_result_record(X509_STORE_CTX_get_error(csc), X509_verify_cert_error_string(X509_STORE_CTX_get_error(csc)), chainVector); + X509_STORE_CTX_cleanup(csc); + X509_STORE_CTX_free(csc); sk_X509_free(untrusted_certs); - RecordVal* rrecord = x509_result_record(X509_STORE_CTX_get_error(csc), X509_verify_cert_error_string(X509_STORE_CTX_get_error(csc)), chainVector); - return rrecord; %} @@ -673,7 +672,7 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa x->cert_info->enc.modified = 1; cert_length = i2d_X509_CINF(x->cert_info, &cert_out); #else - i2d_re_X509_tbs(x, &cert_out); + cert_length = i2d_re_X509_tbs(x, &cert_out); #endif data.append(reinterpret_cast(issuer_key_hash->Bytes()), issuer_key_hash->Len()); } From b730874ea117ef8681359fae92825b85a52af401 Mon Sep 17 00:00:00 2001 
From: Justin Azoff Date: Tue, 17 Oct 2017 18:45:06 -0400 Subject: [PATCH 265/631] problem: for loops over empty tables are slow. This change doubles the performance of for loops over empty tables. A bro binary that prints out this size shows for testing/external/bro-testing/2009-M57-day11-18.trace, for loops are run over tables of size: 11477 for size 0 8371 for size 1 1227 for size 3 239 for size 2 141 for size 6 57 for size 5 10 for size 4 5 for size 7 2 for size 13 2 for size 8 2 for size 11 1 for size 9 ~53% of the for loops were across an empty table. These loops come from things like the for loop in the http script over c$http_state$pending This change prevents the creation of an iteration cookie entirely if the table is empty. Using this test script: const scan_ports: table[port] of count = { }; local x = 0; while ( x < 20000000 ) { for(p in scan_ports) { } ++x; } $ time bro.orig -b ___bench.bro real 0m10.732s user 0m10.415s sys 0m0.113s $ time bro.nocookie -b ___bench.bro real 0m4.694s user 0m4.464s sys 0m0.086s --- src/Stmt.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/Stmt.cc b/src/Stmt.cc index d93e8ff14e..ac7bcb39b5 100644 --- a/src/Stmt.cc +++ b/src/Stmt.cc @@ -1292,6 +1292,8 @@ Val* ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const { TableVal* tv = v->AsTableVal(); const PDict(TableEntryVal)* loop_vals = tv->AsTable(); + if (!loop_vals->Length()) + return ret; HashKey* k; IterCookie* c = loop_vals->InitForIteration(); From 03f98c70223939b651cb5fdc682691a8d7b9e633 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 7 Dec 2017 14:47:56 -0800 Subject: [PATCH 266/631] Fix recently introduced double free in OpenSSL code. --- src/file_analysis/analyzer/x509/X509.cc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index 6f3cce23f4..0426b59923 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc 
@@ -153,7 +153,13 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* // key later. Otherwise it will just fail to parse the certificate key. if ( OBJ_obj2nid(algorithm) == NID_md5WithRSAEncryption ) + { + ASN1_OBJECT *copy = OBJ_dup(algorithm); // the next line will destroy the original algorithm. X509_PUBKEY_set0_param(X509_get_X509_PUBKEY(ssl_cert), OBJ_nid2obj(NID_rsaEncryption), 0, NULL, NULL, 0); + algorithm = copy; + // we do not have to worry about freeing algorithm in that case - since it will be re-assigned using + // set0_param and the cert will take ownership. + } else algorithm = 0; From 1e4964de7760ba83c9557b00fd8563e61e364d18 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 11 Dec 2017 15:29:28 -0600 Subject: [PATCH 267/631] Preallocate all possible PortVals. The performance benefit is small (maybe ~1% at most), however, it's a trivial change without downsides. --- src/CompHash.cc | 2 +- src/Conn.cc | 4 +- src/Event.cc | 2 +- src/IP.cc | 8 ++-- src/PersistenceSerializer.cc | 2 +- src/RemoteSerializer.cc | 2 +- src/TunnelEncapsulation.cc | 4 +- src/Val.cc | 47 +++++++++++++++++++ src/Val.h | 24 ++++++++-- src/analyzer/Manager.cc | 8 ++-- .../protocol/bittorrent/BitTorrentTracker.cc | 2 +- .../bittorrent/bittorrent-analyzer.pac | 2 +- src/analyzer/protocol/ftp/functions.bif | 6 +-- src/analyzer/protocol/icmp/ICMP.cc | 8 ++-- src/analyzer/protocol/ident/Ident.cc | 12 ++--- src/analyzer/protocol/rpc/Portmap.cc | 6 +-- .../protocol/socks/socks-analyzer.pac | 8 ++-- src/analyzer/protocol/tcp/TCP_Reassembler.cc | 7 +-- src/analyzer/protocol/teredo/Teredo.cc | 2 +- src/analyzer/protocol/udp/UDP.cc | 8 ++-- src/bro.bif | 14 +++--- src/broker/Data.cc | 2 +- src/broker/Manager.cc | 6 +-- src/broker/data.bif | 2 +- src/file_analysis/File.cc | 4 +- .../analyzer/unified2/unified2-analyzer.pac | 2 +- src/input/Manager.cc | 2 +- src/main.cc | 3 ++ src/scan.l | 8 ++-- 29 files changed, 139 insertions(+), 68 deletions(-) 
diff --git a/src/CompHash.cc b/src/CompHash.cc index 2e28bff78e..f120c3618b 100644 --- a/src/CompHash.cc +++ b/src/CompHash.cc @@ -703,7 +703,7 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0, break; case TYPE_PORT: - pval = new PortVal(*kp); + pval = port_mgr->Get(*kp); break; default: diff --git a/src/Conn.cc b/src/Conn.cc index 2034a57786..1edecde0b9 100644 --- a/src/Conn.cc +++ b/src/Conn.cc @@ -364,9 +364,9 @@ RecordVal* Connection::BuildConnVal() RecordVal* id_val = new RecordVal(conn_id); id_val->Assign(0, new AddrVal(orig_addr)); - id_val->Assign(1, new PortVal(ntohs(orig_port), prot_type)); + id_val->Assign(1, port_mgr->Get(ntohs(orig_port), prot_type)); id_val->Assign(2, new AddrVal(resp_addr)); - id_val->Assign(3, new PortVal(ntohs(resp_port), prot_type)); + id_val->Assign(3, port_mgr->Get(ntohs(resp_port), prot_type)); RecordVal *orig_endp = new RecordVal(endpoint); orig_endp->Assign(0, new Val(0, TYPE_COUNT)); diff --git a/src/Event.cc b/src/Event.cc index 6371a69248..7b1c88ea64 100644 --- a/src/Event.cc +++ b/src/Event.cc @@ -166,7 +166,7 @@ RecordVal* EventMgr::GetLocalPeerVal() src_val = new RecordVal(peer); src_val->Assign(0, new Val(0, TYPE_COUNT)); src_val->Assign(1, new AddrVal("127.0.0.1")); - src_val->Assign(2, new PortVal(0)); + src_val->Assign(2, port_mgr->Get(0)); src_val->Assign(3, new Val(true, TYPE_BOOL)); Ref(peer_description); diff --git a/src/IP.cc b/src/IP.cc index ebe778e3d7..79e1cf4fba 100644 --- a/src/IP.cc +++ b/src/IP.cc 
@@ -370,8 +370,8 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const int tcp_hdr_len = tp->th_off * 4; int data_len = PayloadLen() - tcp_hdr_len; - tcp_hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP)); - tcp_hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP)); + tcp_hdr->Assign(0, port_mgr->Get(ntohs(tp->th_sport), TRANSPORT_TCP)); + tcp_hdr->Assign(1, port_mgr->Get(ntohs(tp->th_dport), TRANSPORT_TCP)); tcp_hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT)); tcp_hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT)); tcp_hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT)); @@ -388,8 +388,8 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const const struct udphdr* up = (const struct udphdr*) data; RecordVal* udp_hdr = new RecordVal(udp_hdr_type); - udp_hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP)); - udp_hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP)); + udp_hdr->Assign(0, port_mgr->Get(ntohs(up->uh_sport), TRANSPORT_UDP)); + udp_hdr->Assign(1, port_mgr->Get(ntohs(up->uh_dport), TRANSPORT_UDP)); udp_hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT)); pkt_hdr->Assign(sindex + 3, udp_hdr); diff --git a/src/PersistenceSerializer.cc b/src/PersistenceSerializer.cc index 9400b2d0ca..52778ed10c 100644 --- a/src/PersistenceSerializer.cc +++ b/src/PersistenceSerializer.cc @@ -191,7 +191,7 @@ void PersistenceSerializer::RaiseFinishedSendState() { val_list* vl = new val_list; vl->append(new AddrVal(htonl(remote_host))); - vl->append(new PortVal(remote_port)); + vl->append(port_mgr->Get(remote_port)); mgr.QueueEvent(finished_send_state, vl); reporter->Log("Serialization done."); diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 7d8899d8b9..78080e31f5 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc 
@@ -1809,7 +1809,7 @@ RecordVal* RemoteSerializer::MakePeerVal(Peer* peer) v->Assign(0, new Val(uint32(peer->id), TYPE_COUNT)); // Sic! Network order for AddrVal, host order for PortVal. v->Assign(1, new AddrVal(peer->ip)); - v->Assign(2, new PortVal(peer->port, TRANSPORT_TCP)); + v->Assign(2, port_mgr->Get(peer->port, TRANSPORT_TCP)); v->Assign(3, new Val(false, TYPE_BOOL)); v->Assign(4, new StringVal("")); // set when received v->Assign(5, peer->peer_class.size() ? diff --git a/src/TunnelEncapsulation.cc b/src/TunnelEncapsulation.cc index cb4b1eaabe..556de9382a 100644 --- a/src/TunnelEncapsulation.cc +++ b/src/TunnelEncapsulation.cc @@ -22,9 +22,9 @@ RecordVal* EncapsulatingConn::GetRecordVal() const RecordVal* id_val = new RecordVal(conn_id); id_val->Assign(0, new AddrVal(src_addr)); - id_val->Assign(1, new PortVal(ntohs(src_port), proto)); + id_val->Assign(1, port_mgr->Get(ntohs(src_port), proto)); id_val->Assign(2, new AddrVal(dst_addr)); - id_val->Assign(3, new PortVal(ntohs(dst_port), proto)); + id_val->Assign(3, port_mgr->Get(ntohs(dst_port), proto)); rv->Assign(0, id_val); rv->Assign(1, new EnumVal(type, BifType::Enum::Tunnel::Type)); diff --git a/src/Val.cc b/src/Val.cc index ca70e1f5df..abae677754 100644 --- a/src/Val.cc +++ b/src/Val.cc 
@@ -760,6 +760,53 @@ bool IntervalVal::DoUnserialize(UnserialInfo* info) return true; } +PortManager::PortManager() + { + for ( auto i = 0u; i < ports.size(); ++i ) + { + auto& arr = ports[i]; + auto port_type = (TransportProto)i; + + for ( auto j = 0u; j < arr.size(); ++j ) + arr[j] = new PortVal(j, port_type); + } + } + +PortManager::~PortManager() + { + for ( auto& arr : ports ) + for ( auto& pv : arr ) + Unref(pv); + } + +PortVal* PortManager::Get(uint32 port_num) const + { + auto mask = port_num & PORT_SPACE_MASK; + port_num &= ~PORT_SPACE_MASK; + + if ( mask == TCP_PORT_MASK ) + return Get(port_num, TRANSPORT_TCP); + else if ( mask == UDP_PORT_MASK ) + return Get(port_num, TRANSPORT_UDP); + else if ( mask == ICMP_PORT_MASK ) + return Get(port_num, TRANSPORT_ICMP); + else + return Get(port_num, TRANSPORT_UNKNOWN); + } + +PortVal* PortManager::Get(uint32 port_num, TransportProto port_type) const + { + if ( port_num >= 65536 ) + { + reporter->Warning("bad port number %d", port_num); + port_num = 0; + } + + auto rval = ports[port_type][port_num]; + ::Ref(rval); + return rval; + } + PortVal::PortVal(uint32 p, TransportProto port_type) : Val(TYPE_PORT) { // Note, for ICMP one-way connections: diff --git a/src/Val.h b/src/Val.h index 160eeafe64..d0538db8ee 100644 --- a/src/Val.h +++ b/src/Val.h @@ -7,6 +7,7 @@ #include #include +#include #include "net_util.h" #include "Type.h" 
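Review bot: PortManager::Get(uint32, TransportProto) range-checks `port_num` but indexes `ports[port_type]` with the caller's value unchecked, so a `port_type` outside the array's NUM_PORT_SPACES entries would read past the table and then `::Ref` whatever it found there. The enum's range is defined outside this hunk, so this may be unreachable today, but a guard such as `if ( port_type >= ports.size() ) port_type = TRANSPORT_UNKNOWN;` keeps the lookup safe for values that arrive through casts. The warning should use `%u`, since `port_num` is a `uint32`: `reporter->Warning("bad port number %u", port_num);`. Because every caller now receives a shared PortVal instead of a fresh one, a comment on Get stating that the result carries a new reference and must not be modified in place would be worth adding.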
@@ -503,12 +504,22 @@ protected: #define UDP_PORT_MASK 0x20000 #define ICMP_PORT_MASK 0x30000 +class PortManager { +public: + PortManager(); + ~PortManager(); + + // Port number given in host order. + PortVal* Get(uint32 port_num) const; + PortVal* Get(uint32 port_num, TransportProto port_type) const; + + std::array, NUM_PORT_SPACES> ports; +}; + +extern PortManager* port_mgr; + class PortVal : public Val { public: - // Constructors - both take the port number in host order. - PortVal(uint32 p, TransportProto port_type); - PortVal(uint32 p); // used for already-massaged port value. - Val* SizeVal() const override { return new Val(val.uint_val, TYPE_INT); } // Returns the port number in host order (not including the mask). @@ -533,7 +544,12 @@ public: protected: friend class Val; + friend class PortManager; PortVal() {} + // Constructors - both take the port number in host order. + PortVal(uint32 p, TransportProto port_type); + PortVal(uint32 p); // used for already-massaged port value. + void ValDescribe(ODesc* d) const override; diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 9858001c6f..4b5441f395 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -434,14 +434,16 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) if ( tcp_contents && ! reass ) { - PortVal dport(ntohs(conn->RespPort()), TRANSPORT_TCP); + auto dport = port_mgr->Get(ntohs(conn->RespPort()), TRANSPORT_TCP); Val* result; if ( ! reass ) - reass = tcp_content_delivery_ports_orig->Lookup(&dport); + reass = tcp_content_delivery_ports_orig->Lookup(dport); if ( ! reass ) - reass = tcp_content_delivery_ports_resp->Lookup(&dport); + reass = tcp_content_delivery_ports_resp->Lookup(dport); + + Unref(dport); } if ( reass ) diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc index 43ee6a2b21..452fb0fe6c 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc 
+++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc @@ -482,7 +482,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name, RecordVal* peer = new RecordVal(bittorrent_peer); peer->Assign(0, new AddrVal(ad)); - peer->Assign(1, new PortVal(pt, TRANSPORT_TCP)); + peer->Assign(1, port_mgr->Get(pt, TRANSPORT_TCP)); res_val_peers->Assign(peer, 0); Unref(peer); diff --git a/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac index 3bc6d90230..6040577d39 100644 --- a/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac +++ b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac @@ -222,7 +222,7 @@ flow BitTorrent_Flow(is_orig: bool) { connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig(), - new PortVal(listen_port, TRANSPORT_TCP)); + port_mgr->Get(listen_port, TRANSPORT_TCP)); } return true; diff --git a/src/analyzer/protocol/ftp/functions.bif b/src/analyzer/protocol/ftp/functions.bif index b57b24df20..9508061102 100644 --- a/src/analyzer/protocol/ftp/functions.bif +++ b/src/analyzer/protocol/ftp/functions.bif @@ -33,13 +33,13 @@ static Val* parse_port(const char* line) } r->Assign(0, new AddrVal(htonl(addr))); - r->Assign(1, new PortVal(port, TRANSPORT_TCP)); + r->Assign(1, port_mgr->Get(port, TRANSPORT_TCP)); r->Assign(2, new Val(good, TYPE_BOOL)); } else { r->Assign(0, new AddrVal(uint32(0))); - r->Assign(1, new PortVal(0, TRANSPORT_TCP)); + r->Assign(1, port_mgr->Get(0, TRANSPORT_TCP)); r->Assign(2, new Val(0, TYPE_BOOL)); } @@ -109,7 +109,7 @@ static Val* parse_eftp(const char* line) } r->Assign(0, new AddrVal(addr)); - r->Assign(1, new PortVal(port, TRANSPORT_TCP)); + r->Assign(1, port_mgr->Get(port, TRANSPORT_TCP)); r->Assign(2, new Val(good, TYPE_BOOL)); return r; diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc index 6a42e064d7..2dedca5ae1 100644 --- a/src/analyzer/protocol/icmp/ICMP.cc 
+++ b/src/analyzer/protocol/icmp/ICMP.cc @@ -352,9 +352,9 @@ RecordVal* ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data) RecordVal* id_val = new RecordVal(conn_id); id_val->Assign(0, new AddrVal(src_addr)); - id_val->Assign(1, new PortVal(src_port, proto)); + id_val->Assign(1, port_mgr->Get(src_port, proto)); id_val->Assign(2, new AddrVal(dst_addr)); - id_val->Assign(3, new PortVal(dst_port, proto)); + id_val->Assign(3, port_mgr->Get(dst_port, proto)); iprec->Assign(0, id_val); iprec->Assign(1, new Val(ip_len, TYPE_COUNT)); @@ -411,9 +411,9 @@ RecordVal* ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data) RecordVal* id_val = new RecordVal(conn_id); id_val->Assign(0, new AddrVal(src_addr)); - id_val->Assign(1, new PortVal(src_port, proto)); + id_val->Assign(1, port_mgr->Get(src_port, proto)); id_val->Assign(2, new AddrVal(dst_addr)); - id_val->Assign(3, new PortVal(dst_port, proto)); + id_val->Assign(3, port_mgr->Get(dst_port, proto)); iprec->Assign(0, id_val); iprec->Assign(1, new Val(ip_len, TYPE_COUNT)); diff --git a/src/analyzer/protocol/ident/Ident.cc b/src/analyzer/protocol/ident/Ident.cc index 9601be7562..27eafb5426 100644 --- a/src/analyzer/protocol/ident/Ident.cc +++ b/src/analyzer/protocol/ident/Ident.cc @@ -82,8 +82,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(new PortVal(local_port, TRANSPORT_TCP)); - vl->append(new PortVal(remote_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(local_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(remote_port, TRANSPORT_TCP)); ConnectionEvent(ident_request, vl); 
@@ -143,8 +143,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) { val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(new PortVal(local_port, TRANSPORT_TCP)); - vl->append(new PortVal(remote_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(local_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(remote_port, TRANSPORT_TCP)); vl->append(new StringVal(end_of_line - line, line)); ConnectionEvent(ident_error, vl); @@ -177,8 +177,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(new PortVal(local_port, TRANSPORT_TCP)); - vl->append(new PortVal(remote_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(local_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(remote_port, TRANSPORT_TCP)); vl->append(new StringVal(end_of_line - line, line)); vl->append(new StringVal(sys_type_s)); diff --git a/src/analyzer/protocol/rpc/Portmap.cc b/src/analyzer/protocol/rpc/Portmap.cc index 5d7c980879..9f52394ac4 100644 --- a/src/analyzer/protocol/rpc/Portmap.cc +++ b/src/analyzer/protocol/rpc/Portmap.cc @@ -126,7 +126,7 @@ int PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status status RecordVal* rv = c->RequestVal()->AsRecordVal(); Val* is_tcp = rv->Lookup(2); - reply = new PortVal(CheckPort(port), + reply = port_mgr->Get(CheckPort(port), is_tcp->IsOne() ? TRANSPORT_TCP : TRANSPORT_UDP); event = pm_request_getport; @@ -178,7 +178,7 @@ int PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status status if ( ! opaque_reply ) return 0; - reply = new PortVal(CheckPort(port), TRANSPORT_UDP); + reply = port_mgr->Get(CheckPort(port), TRANSPORT_UDP); event = pm_request_callit; } else 
@@ -202,7 +202,7 @@ Val* PortmapperInterp::ExtractMapping(const u_char*& buf, int& len) int is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP; uint32 port = extract_XDR_uint32(buf, len); - mapping->Assign(2, new PortVal(CheckPort(port), + mapping->Assign(2, port_mgr->Get(CheckPort(port), is_tcp ? TRANSPORT_TCP : TRANSPORT_UDP)); if ( ! buf ) diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac index b8c4165a54..0f13335785 100644 --- a/src/analyzer/protocol/socks/socks-analyzer.pac +++ b/src/analyzer/protocol/socks/socks-analyzer.pac @@ -32,7 +32,7 @@ refine connection SOCKS_Conn += { 4, ${request.command}, sa, - new PortVal(${request.port} | TCP_PORT_MASK), + port_mgr->Get(${request.port} | TCP_PORT_MASK), array_to_string(${request.user})); static_cast(bro_analyzer())->EndpointDone(true); @@ -50,7 +50,7 @@ refine connection SOCKS_Conn += { 4, ${reply.status}, sa, - new PortVal(${reply.port} | TCP_PORT_MASK)); + port_mgr->Get(${reply.port} | TCP_PORT_MASK)); bro_analyzer()->ProtocolConfirmation(); static_cast(bro_analyzer())->EndpointDone(false); @@ -102,7 +102,7 @@ refine connection SOCKS_Conn += { 5, ${request.command}, sa, - new PortVal(${request.port} | TCP_PORT_MASK), + port_mgr->Get(${request.port} | TCP_PORT_MASK), new StringVal("")); static_cast(bro_analyzer())->EndpointDone(true); @@ -141,7 +141,7 @@ refine connection SOCKS_Conn += { 5, ${reply.reply}, sa, - new PortVal(${reply.port} | TCP_PORT_MASK)); + port_mgr->Get(${reply.port} | TCP_PORT_MASK)); bro_analyzer()->ProtocolConfirmation(); static_cast(bro_analyzer())->EndpointDone(false); diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc index b1d7dca012..bcbe20d499 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc 
@@ -38,18 +38,19 @@ TCP_Reassembler::TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer, if ( ::tcp_contents ) { - // Val dst_port_val(ntohs(Conn()->RespPort()), TYPE_PORT); - PortVal dst_port_val(ntohs(tcp_analyzer->Conn()->RespPort()), + auto dst_port_val = port_mgr->Get(ntohs(tcp_analyzer->Conn()->RespPort()), TRANSPORT_TCP); TableVal* ports = IsOrig() ? tcp_content_delivery_ports_orig : tcp_content_delivery_ports_resp; - Val* result = ports->Lookup(&dst_port_val); + Val* result = ports->Lookup(dst_port_val); if ( (IsOrig() && tcp_content_deliver_all_orig) || (! IsOrig() && tcp_content_deliver_all_resp) || (result && result->AsBool()) ) deliver_tcp_contents = 1; + + Unref(dst_port_val); } } diff --git a/src/analyzer/protocol/teredo/Teredo.cc b/src/analyzer/protocol/teredo/Teredo.cc index 663e61749d..3d7fb397fb 100644 --- a/src/analyzer/protocol/teredo/Teredo.cc +++ b/src/analyzer/protocol/teredo/Teredo.cc @@ -130,7 +130,7 @@ RecordVal* TeredoEncapsulation::BuildVal(const IP_Hdr* inner) const RecordVal* teredo_origin = new RecordVal(teredo_origin_type); uint16 port = ntohs(*((uint16*)(origin_indication + 2))) ^ 0xFFFF; uint32 addr = ntohl(*((uint32*)(origin_indication + 4))) ^ 0xFFFFFFFF; - teredo_origin->Assign(0, new PortVal(port, TRANSPORT_UDP)); + teredo_origin->Assign(0, port_mgr->Get(port, TRANSPORT_UDP)); teredo_origin->Assign(1, new AddrVal(htonl(addr))); teredo_hdr->Assign(1, teredo_origin); } diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc index 3bd3736b2a..ca46b88339 100644 --- a/src/analyzer/protocol/udp/UDP.cc +++ b/src/analyzer/protocol/udp/UDP.cc 
@@ -97,14 +97,14 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, if ( udp_contents ) { - PortVal port_val(ntohs(up->uh_dport), TRANSPORT_UDP); + auto port_val = port_mgr->Get(ntohs(up->uh_dport), TRANSPORT_UDP); Val* result = 0; bool do_udp_contents = false; if ( is_orig ) { result = udp_content_delivery_ports_orig->Lookup( - &port_val); + port_val); if ( udp_content_deliver_all_orig || (result && result->AsBool()) ) do_udp_contents = true; @@ -112,7 +112,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, else { result = udp_content_delivery_ports_resp->Lookup( - &port_val); + port_val); if ( udp_content_deliver_all_resp || (result && result->AsBool()) ) do_udp_contents = true; @@ -126,6 +126,8 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, vl->append(new StringVal(len, (const char*) data)); ConnectionEvent(udp_contents, vl); } + + Unref(port_val); } if ( is_orig ) diff --git a/src/bro.bif b/src/bro.bif index 852f806230..b6922f9fab 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -2270,7 +2270,7 @@ function port_to_count%(p: port%): count ## .. bro:see:: port_to_count function count_to_port%(num: count, proto: transport_proto%): port %{ - return new PortVal(num, (TransportProto)proto->AsEnum()); + return port_mgr->Get(num, (TransportProto)proto->AsEnum()); %} ## Converts a :bro:type:`string` to an :bro:type:`addr`. 
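Review bot: In `count_to_port`, `num` is a script-level `count` and is now passed unchecked to `port_mgr->Get(num, ...)`; the body of `PortManager::Get` is not part of this hunk, so it is not visible here whether it range-checks before looking up the cached value. The constructor this replaces reset anything at or above 65536 to 0 (see the lines removed from Val.cc later in the series), so if `Get` does not do the same, the BIF should, e.g. `if ( num >= 65536 ) { builtin_error("bad port number"); num = 0; }` ahead of the return. The same question applies to the other converted call sites that take the number from outside the process, such as `Manager::ValueToVal` in src/input/Manager.cc and the Broker `val_converter`.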
@@ -2430,16 +2430,16 @@ function to_port%(s: string%): port { ++slash; if ( streq(slash, "tcp") ) - return new PortVal(port, TRANSPORT_TCP); + return port_mgr->Get(port, TRANSPORT_TCP); else if ( streq(slash, "udp") ) - return new PortVal(port, TRANSPORT_UDP); + return port_mgr->Get(port, TRANSPORT_UDP); else if ( streq(slash, "icmp") ) - return new PortVal(port, TRANSPORT_ICMP); + return port_mgr->Get(port, TRANSPORT_ICMP); } } builtin_error("wrong port format, must be /[0-9]{1,5}\\/(tcp|udp|icmp)/"); - return new PortVal(port, TRANSPORT_UNKNOWN); + return port_mgr->Get(port, TRANSPORT_UNKNOWN); %} ## Converts a string of bytes (in network byte order) to a :bro:type:`double`. @@ -3208,9 +3208,9 @@ function lookup_connection%(cid: conn_id%): connection RecordVal* id_val = new RecordVal(conn_id); id_val->Assign(0, new AddrVal((unsigned int) 0)); - id_val->Assign(1, new PortVal(ntohs(0), TRANSPORT_UDP)); + id_val->Assign(1, port_mgr->Get(ntohs(0), TRANSPORT_UDP)); id_val->Assign(2, new AddrVal((unsigned int) 0)); - id_val->Assign(3, new PortVal(ntohs(0), TRANSPORT_UDP)); + id_val->Assign(3, port_mgr->Get(ntohs(0), TRANSPORT_UDP)); c->Assign(0, id_val); RecordVal* orig_endp = new RecordVal(endpoint); diff --git a/src/broker/Data.cc b/src/broker/Data.cc index 6420144193..09b0da11e1 100644 --- a/src/broker/Data.cc +++ b/src/broker/Data.cc @@ -135,7 +135,7 @@ struct val_converter { result_type operator()(broker::port& a) { if ( type->Tag() == TYPE_PORT ) - return new PortVal(a.number(), bro_broker::to_bro_port_proto(a.type())); + return port_mgr->Get(a.number(), bro_broker::to_bro_port_proto(a.type())); return nullptr; } diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index eebcd2792f..d5acb27b5a 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc 
@@ -697,7 +697,7 @@ void bro_broker::Manager::Process() { val_list* vl = new val_list; vl->append(new StringVal(u.relation.remote_tuple().first)); - vl->append(new PortVal(u.relation.remote_tuple().second, + vl->append(port_mgr->Get(u.relation.remote_tuple().second, TRANSPORT_TCP)); vl->append(new StringVal(u.peer_name)); mgr.QueueEvent(Broker::outgoing_connection_established, vl); @@ -709,7 +709,7 @@ void bro_broker::Manager::Process() { val_list* vl = new val_list; vl->append(new StringVal(u.relation.remote_tuple().first)); - vl->append(new PortVal(u.relation.remote_tuple().second, + vl->append(port_mgr->Get(u.relation.remote_tuple().second, TRANSPORT_TCP)); mgr.QueueEvent(Broker::outgoing_connection_broken, vl); } @@ -720,7 +720,7 @@ void bro_broker::Manager::Process() { val_list* vl = new val_list; vl->append(new StringVal(u.relation.remote_tuple().first)); - vl->append(new PortVal(u.relation.remote_tuple().second, + vl->append(port_mgr->Get(u.relation.remote_tuple().second, TRANSPORT_TCP)); mgr.QueueEvent(Broker::outgoing_connection_incompatible, vl); } diff --git a/src/broker/data.bif b/src/broker/data.bif index d526d0a779..7f9c27f9a2 100644 --- a/src/broker/data.bif +++ b/src/broker/data.bif @@ -88,7 +88,7 @@ function Broker::__refine_to_port%(d: Broker::Data%): port %{ auto& a = bro_broker::require_data_type(d->AsRecordVal(), TYPE_PORT, frame); - return new PortVal(a.number(), bro_broker::to_bro_port_proto(a.type())); + return port_mgr->Get(a.number(), bro_broker::to_bro_port_proto(a.type())); %} function Broker::__refine_to_time%(d: Broker::Data%): time diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index 46624e23c0..711186335e 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc 
@@ -34,9 +34,9 @@ static RecordVal* get_conn_id_val(const Connection* conn) { RecordVal* v = new RecordVal(conn_id); v->Assign(0, new AddrVal(conn->OrigAddr())); - v->Assign(1, new PortVal(ntohs(conn->OrigPort()), conn->ConnTransport())); + v->Assign(1, port_mgr->Get(ntohs(conn->OrigPort()), conn->ConnTransport())); v->Assign(2, new AddrVal(conn->RespAddr())); - v->Assign(3, new PortVal(ntohs(conn->RespPort()), conn->ConnTransport())); + v->Assign(3, port_mgr->Get(ntohs(conn->RespPort()), conn->ConnTransport())); return v; } diff --git a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac index 11072f140b..bedf54be5b 100644 --- a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac +++ b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac @@ -54,7 +54,7 @@ refine flow Flow += { case 17: proto = TRANSPORT_UDP; break; } - return new PortVal(n, proto); + return port_mgr->Get(n, proto); %} #function proc_record(rec: Record) : bool diff --git a/src/input/Manager.cc b/src/input/Manager.cc index d029e38092..9a7f1f052f 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc @@ -2287,7 +2287,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ } case TYPE_PORT: - return new PortVal(val->val.port_val.port, val->val.port_val.proto); + return port_mgr->Get(val->val.port_val.port, val->val.port_val.proto); case TYPE_ADDR: { diff --git a/src/main.cc b/src/main.cc index 0ca39e9e2d..a1ae750963 100644 --- a/src/main.cc +++ b/src/main.cc @@ -87,6 +87,7 @@ int perftools_profile = 0; DNS_Mgr* dns_mgr; TimerMgr* timer_mgr; +PortManager* port_mgr = 0; logging::Manager* log_mgr = 0; threading::Manager* thread_mgr = 0; input::Manager* input_mgr = 0; @@ -384,6 +385,7 @@ void terminate_bro() delete plugin_mgr; delete reporter; delete iosource_mgr; + delete port_mgr; reporter = 0; } 
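Review bot: `delete port_mgr;` in `terminate_bro` leaves the global pointing at freed memory, while the same function clears `reporter` right below it. Every `PortVal` is now obtained through `port_mgr->Get`, so any value conversion that still runs during shutdown would go through the dangling pointer. Adding `port_mgr = 0;` after the delete makes such a late call fail in an obvious way instead. The body of `terminate_bro` starts outside this hunk.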
@@ -711,6 +713,7 @@ int main(int argc, char** argv) bro_start_time = current_time(true); + port_mgr = new PortManager(); reporter = new Reporter(); thread_mgr = new threading::Manager(); plugin_mgr = new plugin::Manager(); diff --git a/src/scan.l b/src/scan.l index cdac72c1cd..46848f78fd 100644 --- a/src/scan.l +++ b/src/scan.l @@ -474,7 +474,7 @@ F RET_CONST(new Val(false, TYPE_BOOL)) reporter->Error("bad port number - %s", yytext); p = 0; } - RET_CONST(new PortVal(p, TRANSPORT_TCP)) + RET_CONST(port_mgr->Get(p, TRANSPORT_TCP)) } {D}"/udp" { uint32 p = atoi(yytext); @@ -483,7 +483,7 @@ F RET_CONST(new Val(false, TYPE_BOOL)) reporter->Error("bad port number - %s", yytext); p = 0; } - RET_CONST(new PortVal(p, TRANSPORT_UDP)) + RET_CONST(port_mgr->Get(p, TRANSPORT_UDP)) } {D}"/icmp" { uint32 p = atoi(yytext); @@ -492,7 +492,7 @@ F RET_CONST(new Val(false, TYPE_BOOL)) reporter->Error("bad port number - %s", yytext); p = 0; } - RET_CONST(new PortVal(p, TRANSPORT_ICMP)) + RET_CONST(port_mgr->Get(p, TRANSPORT_ICMP)) } {D}"/unknown" { uint32 p = atoi(yytext); @@ -501,7 +501,7 @@ F RET_CONST(new Val(false, TYPE_BOOL)) reporter->Error("bad port number - %s", yytext); p = 0; } - RET_CONST(new PortVal(p, TRANSPORT_UNKNOWN)) + RET_CONST(port_mgr->Get(p, TRANSPORT_UNKNOWN)) } {FLOAT}{OWS}day(s?) RET_CONST(new IntervalVal(atof(yytext),Days)) From 054c4a67c4e48fa93685240f62feba50c3f66f8b Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 12 Dec 2017 11:34:49 -0600 Subject: [PATCH 268/631] Add BRO_DEPRECATED macro. --- src/util.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/util.h b/src/util.h index 30ef8a61da..5dc2484319 100644 --- a/src/util.h +++ b/src/util.h 
@@ -3,6 +3,15 @@ #ifndef util_h #define util_h +#ifdef __GNUC__ + #define BRO_DEPRECATED(msg) __attribute__ ((deprecated(msg))) +#elif defined(_MSC_VER) + #define BRO_DEPRECATED(msg) __declspec(deprecated(msg)) func +#else + #pragma message("Warning: BRO_DEPRECATED macro not implemented") + #define BRO_DEPRECATED(msg) +#endif + // Expose C99 functionality from inttypes.h, which would otherwise not be // available in C++. #ifndef __STDC_FORMAT_MACROS From d6d7f33f5c62fef59f6bce3892d5c81f1d333755 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 12 Dec 2017 11:35:55 -0600 Subject: [PATCH 269/631] Clean up PortManager class, mark PortVal ctors deprecated. Moved PortVal ctors back to public API, but deprecated, just in case it helps give any external code a chance to adapt. --- src/Val.cc | 29 ++++++++++++++++++++--------- src/Val.h | 21 ++++++++++++++++----- 2 files changed, 36 insertions(+), 14 deletions(-) diff --git a/src/Val.cc b/src/Val.cc index abae677754..4db8aedd73 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -768,7 +768,7 @@ PortManager::PortManager() auto port_type = (TransportProto)i; for ( auto j = 0u; j < arr.size(); ++j ) - arr[j] = new PortVal(j, port_type); + arr[j] = new PortVal(Mask(j, port_type), true); } } 
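Review bot: The `_MSC_VER` branch of `BRO_DEPRECATED` ends in a stray `func` token, so on that compiler every annotated declaration expands to `__declspec(deprecated(msg)) func ...` and should fail to compile; the line should read `#define BRO_DEPRECATED(msg) __declspec(deprecated(msg))`. The fallback branch's `#pragma message` will also print once for every translation unit that includes util.h, which may be noisier than intended.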
@@ -807,34 +807,45 @@ PortVal* PortManager::Get(uint32 port_num, TransportProto port_type) const return rval; } -PortVal::PortVal(uint32 p, TransportProto port_type) : Val(TYPE_PORT) +uint32 PortManager::Mask(uint32 port_num, TransportProto port_type) const { // Note, for ICMP one-way connections: // src_port = icmp_type, dst_port = icmp_code. - if ( p >= 65536 ) + if ( port_num >= 65536 ) { - InternalWarning("bad port number"); - p = 0; + reporter->Warning("bad port number %d", port_num); + port_num = 0; } switch ( port_type ) { case TRANSPORT_TCP: - p |= TCP_PORT_MASK; + port_num |= TCP_PORT_MASK; break; case TRANSPORT_UDP: - p |= UDP_PORT_MASK; + port_num |= UDP_PORT_MASK; break; case TRANSPORT_ICMP: - p |= ICMP_PORT_MASK; + port_num |= ICMP_PORT_MASK; break; default: - break; // "other" + break; // "unknown/other" } + return port_num; + } + +PortVal::PortVal(uint32 p, TransportProto port_type) : Val(TYPE_PORT) + { + auto port_num = port_mgr->Mask(p, port_type); + val.uint_val = static_cast(port_num); + } + +PortVal::PortVal(uint32 p, bool unused) : Val(TYPE_PORT) + { val.uint_val = static_cast(p); } diff --git a/src/Val.h b/src/Val.h index d0538db8ee..6da37b7137 100644 --- a/src/Val.h +++ b/src/Val.h @@ -510,9 +510,15 @@ public: ~PortManager(); // Port number given in host order. - PortVal* Get(uint32 port_num) const; PortVal* Get(uint32 port_num, TransportProto port_type) const; + // Host-order port number already masked with port space protocol mask. + PortVal* Get(uint32 port_num) const; + + // Returns a masked port number + uint32 Mask(uint32 port_num, TransportProto port_type) const; + +private: std::array, NUM_PORT_SPACES> ports; }; 
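Review bot: The deprecated public constructor `PortVal(uint32 p, TransportProto port_type)` now calls `port_mgr->Mask(...)`, so it dereferences a global that is null until `main` creates it, while the commit message keeps this constructor for external code, which may build a `PortVal` before that point. `Mask` reads no member state in this hunk, so declaring it `static uint32 Mask(uint32 port_num, TransportProto port_type);` and calling `PortManager::Mask(p, port_type)` removes the dependency on the pointer (it still uses `reporter` for the warning). In the warning itself `port_num` is a `uint32`, so the format should be `%u`: `reporter->Warning("bad port number %u", port_num);`.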
@@ -520,6 +526,14 @@ extern PortManager* port_mgr; class PortVal : public Val { public: + // Port number given in host order. + BRO_DEPRECATED("use port_mgr->Get() instead") + PortVal(uint32 p, TransportProto port_type); + + // Host-order port number already masked with port space protocol mask. + BRO_DEPRECATED("use port_mgr->Get() instead") + PortVal(uint32 p); + Val* SizeVal() const override { return new Val(val.uint_val, TYPE_INT); } // Returns the port number in host order (not including the mask). @@ -546,10 +560,7 @@ protected: friend class Val; friend class PortManager; PortVal() {} - // Constructors - both take the port number in host order. - PortVal(uint32 p, TransportProto port_type); - PortVal(uint32 p); // used for already-massaged port value. - + PortVal(uint32 p, bool unused); void ValDescribe(ODesc* d) const override; From ac955519b2f6279699d3e335ec993b5b615209ff Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 13 Dec 2017 15:00:15 -0500 Subject: [PATCH 270/631] Remove some DNS weirds that caused volume and didn't help anyone. These have been lingering for a while and they generally annoy everyone because of the sheer volume. They also don't really add any useful information for debugging and they were generated differently than most other weirds anyway (which was a little weird...). --- scripts/base/protocols/dns/main.bro | 14 ++------------ .../weird.log | 6 ++---- 2 files changed, 4 insertions(+), 16 deletions(-) diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index db5d30b55c..a8946e871e 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -2,7 +2,6 @@ ##! their responses. @load base/utils/queue -@load base/frameworks/notice/weird @load ./consts module DNS; 
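Review bot: In the `protected:` hunk of Val.h, `PortVal(uint32 p, bool unused)` is left without a comment after the two explanatory lines above it were removed, and nothing says what the `bool` is for. I would add `// Takes an already-masked host-order port value; 'unused' only distinguishes this overload from the deprecated public PortVal(uint32).` above the declaration.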
@@ -177,9 +176,6 @@ function log_unmatched_msgs_queue(q: Queue::Queue) for ( i in infos ) { - local wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg", $uid=infos[i]$uid, - $id=infos[i]$id); - Weird::weird(wi); Log::write(DNS::LOG, infos[i]); } } @@ -187,21 +183,19 @@ function log_unmatched_msgs_queue(q: Queue::Queue) function log_unmatched_msgs(msgs: PendingMessages) { for ( trans_id in msgs ) + { log_unmatched_msgs_queue(msgs[trans_id]); + } clear_table(msgs); } function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info) { - local wi: Weird::Info; if ( id !in msgs ) { if ( |msgs| > max_pending_query_ids ) { - wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg", $uid=msg$uid, - $id=msg$id); - Weird::weird(wi); # Throw away all unmatched on assumption they'll never be matched. log_unmatched_msgs(msgs); } @@ -212,9 +206,6 @@ function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info) { if ( Queue::len(msgs[id]) > max_pending_msgs ) { - wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg_quantity", $uid=msg$uid, - $id=msg$id); - Weird::weird(wi); log_unmatched_msgs_queue(msgs[id]); # Throw away all unmatched on assumption they'll never be matched. msgs[id] = Queue::init(); @@ -271,7 +262,6 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5 # Create a new DNS session and put it in the reply queue so # we can wait for a matching query. c$dns = new_session(c, msg$id); - event conn_weird("dns_unmatched_reply", c, ""); enqueue_new_msg(c$dns_state$pending_replies, msg$id, c$dns); } } diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log index d06db5cb06..e9d388f1fc 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log 
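Review bot: In `enqueue_new_msg`, the `|msgs| > max_pending_query_ids` branch now flushes every pending message without raising any weird, so a burst of unmatched transaction IDs is only recorded through the rows `log_unmatched_msgs_queue` writes to dns.log. Anyone who alerted on `dns_unmatched_msg`, `dns_unmatched_msg_quantity` or `dns_unmatched_reply` loses that signal, and the code no longer says where the information went. I would add a comment at the flush, `# No weird is raised here; the flushed messages are still written to dns.log by log_unmatched_msgs().`, and the same applies to the `max_pending_msgs` branch and to the `set_session` hunk that drops `dns_unmatched_reply`.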
@@ -3,10 +3,8 @@ #empty_field (empty) #unset_field - #path weird -#open 2016-07-13-16-16-12 +#open 2017-12-13-19-40-49 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1363716396.798286 CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 DNS_RR_unknown_type 46 F bro -1363716396.798374 CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 dns_unmatched_reply - F bro -1363716396.798374 CHhAvVGS1DHFjwGM9 55.247.223.174 27285 222.195.43.124 53 dns_unmatched_msg - F bro -#close 2016-07-13-16-16-12 +#close 2017-12-13-19-40-49 From f236dcdaa3ef1fa167ce58d9d7edbe7cfb86a98c Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 13 Dec 2017 15:09:52 -0500 Subject: [PATCH 271/631] Updated news. --- NEWS | 3 +++ 1 file changed, 3 insertions(+) diff --git a/NEWS b/NEWS index a219e76624..ad1ec55afd 100644 --- a/NEWS +++ b/NEWS @@ -56,6 +56,9 @@ Changed Functionality redef SOCKS::default_capture_password = T; +- The DNS base scripts no longer generate some noisy and annoying + weirds (dns_unmatched_msg, dns_unmatched_msg_quantity, dns_unmatched_reply) + Removed Functionality --------------------- From 4965a7e1562cc05d81e769815f64b0dd235e7791 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 13 Dec 2017 14:22:47 -0600 Subject: [PATCH 272/631] Fix typo in analyzer::Manager API docs --- CHANGES | 4 ++++ VERSION | 2 +- src/analyzer/Manager.h | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 1a6721eeb0..f084b5da97 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-369 | 2017-12-13 14:22:47 -0600 + + * Fix typo in analyzer::Manager API docs (Corelight) + 2.5-368 | 2017-12-08 13:09:25 -0600 * Improve for-loop iteration performance over empty tables. (Justin Azoff) diff --git a/VERSION b/VERSION index 91bd48a9c6..e28d3e68fa 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-368 +2.5-369 
diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index 2388a36219..d341940e7d 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -114,7 +114,7 @@ public: bool DisableAnalyzer(Tag tag); /** - * Enables an analyzer type. Disabled analyzers will not be + * Disables an analyzer type. Disabled analyzers will not be * instantiated for new connections. * * @param tag The analyzer's tag as an enum of script type \c From f07fdc255f8dc00fe5087b9c35c3e42d0442fd42 Mon Sep 17 00:00:00 2001 From: Andrew Woodford Date: Thu, 21 Dec 2017 16:34:26 +0000 Subject: [PATCH 273/631] SSH protocol now assesses the packet length at an earlier stage within binpac. Stops SSH analyzer constantly raising binpac exceptions. Seems to be because a packet continues to go through binpac when empty and only calls the next packet when asked for more data and not on operations. --- src/analyzer/protocol/ssh/ssh-analyzer.pac | 12 +++++++++++ src/analyzer/protocol/ssh/ssh-protocol.pac | 25 +++++++++++----------- 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/src/analyzer/protocol/ssh/ssh-analyzer.pac b/src/analyzer/protocol/ssh/ssh-analyzer.pac index 598dc869ab..bdb2553849 100644 --- a/src/analyzer/protocol/ssh/ssh-analyzer.pac +++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac @@ -173,6 +173,18 @@ refine flow SSH_Flow += { connection()->bro_analyzer()->ProtocolConfirmation(); return true; %} + + function get_kex_length(v: int, packet_length: uint32): int + %{ + switch (v) { + case SSH1: + return packet_length + 4 + 8 -(packet_length%8); + case SSH2: + return packet_length + 4; + default: + return 1; //currently causes the rest of the packet to dump + } + %} }; refine typeattr SSH_Version += &let { diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac index 3b147f6b6e..a86e6cef8e 100644 --- a/src/analyzer/protocol/ssh/ssh-protocol.pac +++ b/src/analyzer/protocol/ssh/ssh-protocol.pac 
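Review bot: `get_kex_length` does its arithmetic on `packet_length`, a 32-bit value read straight from the wire, and returns the result as `int`, so in the `SSH1` and `SSH2` cases a value near the top of the uint32 range wraps in `packet_length + 4` or turns negative on conversion before it is used as the record's `&length`. I would reject out-of-range values before the switch, e.g. `if ( packet_length > <MAX_KEX_PACKET_LEN> ) ...` with a project-chosen cap (placeholder name) that raises a protocol violation, and make the return type unsigned. Very small values need the same care, since `SSH1_Key_Exchange` in ssh-protocol.pac passes `packet_length - 5` on as a length. The `default` branch returns 1 although the enclosing `SSH_Key_Exchange` record already declares a four-byte `packet_length` field, so the comment there should say which outcome is intended.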
@@ -22,21 +22,23 @@ type SSH_Version(is_orig: bool) = record { update_version : bool = $context.connection.update_version(version, is_orig); }; -type SSH_Key_Exchange(is_orig: bool) = case $context.connection.get_version() of { - SSH1 -> ssh1_msg : SSH1_Key_Exchange(is_orig); - SSH2 -> ssh2_msg : SSH2_Key_Exchange(is_orig); -}; +type SSH_Key_Exchange(is_orig: bool) = record { + packet_length: uint32; + key_ex: case $context.connection.get_version() of { + SSH1 -> ssh1_msg : SSH1_Key_Exchange(is_orig, packet_length); + SSH2 -> ssh2_msg : SSH2_Key_Exchange(is_orig, packet_length); + }; +} &length = $context.flow.get_kex_length($context.connection.get_version(), packet_length); # SSH1 constructs ################# -type SSH1_Key_Exchange(is_orig: bool) = record { - packet_length : uint32; +type SSH1_Key_Exchange(is_orig: bool, packet_length: uint32) = record { pad_fill : bytestring &length = 8 - (packet_length % 8); msg_type : uint8; message : SSH1_Message(is_orig, msg_type, packet_length - 5); crc : uint32; -} &length = packet_length + 4 + 8 - (packet_length % 8); +} &length = packet_length + 8 - (packet_length % 8); type SSH1_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { SSH_SMSG_PUBLIC_KEY -> public_key : SSH1_PUBLIC_KEY(length); @@ -73,8 +75,7 @@ type ssh1_mp_int = record { ## SSH2 -type SSH2_Header(is_orig: bool) = record { - packet_length : uint32; +type SSH2_Header(is_orig: bool, packet_length: uint32) = record { padding_length : uint8; msg_type : uint8; } &let { 
@@ -82,11 +83,11 @@ type SSH2_Header(is_orig: bool) = record { detach : bool = $context.connection.update_state(ENCRYPTED, is_orig) &if(msg_type == MSG_NEWKEYS); }; -type SSH2_Key_Exchange(is_orig: bool) = record { - header : SSH2_Header(is_orig); +type SSH2_Key_Exchange(is_orig: bool, packet_length: uint32) = record { + header : SSH2_Header(is_orig, packet_length); payload : SSH2_Message(is_orig, header.msg_type, header.payload_length); pad : bytestring &length=header.padding_length; -} &length=header.packet_length + 4; +} &length=packet_length; type SSH2_Message(is_orig: bool, msg_type: uint8, length: uint32) = case $context.connection.get_state(is_orig) of { KEX_INIT -> kex : SSH2_KEXINIT(length, is_orig); From 8b28b7312405308b54118ea991088739e3318dd3 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 2 Jan 2018 09:12:09 +0100 Subject: [PATCH 274/631] Add CVE ID for BIT-1856. --- CHANGES | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 9a7c010b96..35115b2acc 100644 --- a/CHANGES +++ b/CHANGES @@ -101,7 +101,7 @@ * Patch OOB write in content-line analyzer. A combination of packets can trigger an out of bound write of '0' byte - in the content-line analyzer. Addresses BIT-1856. + in the content-line analyzer. Addresses BIT-1856 / CVE-2017-1000458. (Frank Meier/Johanna Amann) 2.5-327 | 2017-10-16 12:21:01 -0700 From 18499fd7d926051e7be850d5e932e950844ba5b7 Mon Sep 17 00:00:00 2001 
From: Valerio G Date: Sun, 31 Dec 2017 17:36:30 +0100 Subject: [PATCH 275/631] Extend DHCP protocol analyzer with new options. Add the folowing option types: - 55 Parameters Request List; - 58 Renewal time; - 59 Rebinding time; - 61 Client Identifier; - 82 Relay Agent Information. Extend the following events with new parameters, specifically: - dhcp_discover exports client identifier and parameters request list; - dhcp_request exports client_identifier and parameters request list; - dhcp_ack exports rebinding time, renewal time and list of suboptions value of dhcp relay agent information option; - dhcp_inform exports parameters request list. Add option type specific variables within the scope of DHCP module (see src/analyzer/protocol/dhcp/types.bif). Move protocol specific variables "dhcp_msg" and "dhcp_router_list" from scope Global to DHCP:: and adapt inet_net_var in src/NetVar.cc consequently. Extend src/analyzer/protocols/dhcp/main.bro to handle the new events and to log dhcp_ack, dhcp_request and dhcp_discover. Modify scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro to include new events' variables. --- scripts/base/init-bare.bro | 51 +++++--- scripts/base/protocols/dhcp/main.bro | 90 ++++++++++++-- .../dhcp/known-devices-and-hostnames.bro | 4 +- src/NetVar.cc | 4 +- src/analyzer/protocol/dhcp/CMakeLists.txt | 1 + src/analyzer/protocol/dhcp/DHCP.cc | 1 + src/analyzer/protocol/dhcp/dhcp-analyzer.pac | 90 +++++++++++--- src/analyzer/protocol/dhcp/dhcp-protocol.pac | 114 +++++++++--------- src/analyzer/protocol/dhcp/dhcp.pac | 1 + src/analyzer/protocol/dhcp/events.bif | 37 ++++-- src/analyzer/protocol/dhcp/types.bif | 10 ++ 11 files changed, 291 insertions(+), 112 deletions(-) create mode 100644 src/analyzer/protocol/dhcp/types.bif diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index f2ea2ed29a..a7047d4cfc 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -3058,24 +3058,43 @@ export { module GLOBAL; -## A list of router addresses offered by a DHCP server. -## -## .. bro:see:: dhcp_ack dhcp_offer -type dhcp_router_list: table[count] of addr; +module DHCP; -## A DHCP message. -## -## .. bro:see:: dhcp_ack dhcp_decline dhcp_discover dhcp_inform dhcp_nak -## dhcp_offer dhcp_release dhcp_request -type dhcp_msg: record { - op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY - m_type: count; ##< The type of DHCP message. - xid: count; ##< Transaction ID of a DHCP session. - h_addr: string; ##< Hardware address of the client. - ciaddr: addr; ##< Original IP address of the client. - yiaddr: addr; ##< IP address assigned to the client. -}; +export { + ## A list of router addresses offered by a DHCP server. + ## + ## .. bro:see:: dhcp_ack dhcp_offer + type DHCP::dhcp_router_list: table[count] of addr; + ## A DHCP message. + ## .. bro:see:: dhcp_ack dhcp_decline dhcp_discover dhcp_inform dhcp_nak + ## dhcp_offer dhcp_release dhcp_request + type DHCP::dhcp_msg: record { + op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY + m_type: count; ##< The type of DHCP message. + xid: count; ##< Transaction ID of a DHCP session. + h_addr: string; ##< Hardware address of the client. + ciaddr: addr; ##< Original IP address of the client. + yiaddr: addr; ##< IP address assigned to the client. + }; + ## DHCP Paremeter Reuqest list (Option 55) + ## .. bro:see:: dhcp_request dhcp_discover + type DHCP::dhcp_params_list: table[count] of count; + ## DHCP Relay Agent Information Option (Option 82) + ## .. bro:see:: dhcp_ack + type DHCP::dhcp_sub_opt: record { + code: count; + value: string; + }; + ## DHCP Client Identifier (Option 61) + ## .. bro:see:: dhcp_request dhcp_discover + type DHCP::dhcp_client_id: record { + hwtype: count; + hwaddr: string; + }; + type DHCP::dhcp_sub_opt_list: table[count] of DHCP::dhcp_sub_opt; +} +module GLOBAL; ## A DNS message. ## ## .. 
bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl diff --git a/scripts/base/protocols/dhcp/main.bro b/scripts/base/protocols/dhcp/main.bro index bfc3d98117..92b61697fe 100644 --- a/scripts/base/protocols/dhcp/main.bro +++ b/scripts/base/protocols/dhcp/main.bro @@ -17,20 +17,32 @@ export { type Info: record { ## The earliest time at which a DHCP message over the ## associated connection is observed. - ts: time &log; + ts: time &log; ## A unique identifier of the connection over which DHCP is ## occurring. - uid: string &log; + uid: string &log; ## The connection's 4-tuple of endpoint addresses/ports. - id: conn_id &log; + id: conn_id &log; ## Client's hardware address. - mac: string &log &optional; + mac: string &log &optional; ## Client's actual assigned IP address. - assigned_ip: addr &log &optional; + assigned_ip: addr &log &optional; ## IP address lease interval. - lease_time: interval &log &optional; + lease_time: interval &log &optional; ## A random number chosen by the client for this transaction. - trans_id: count &log; + trans_id: count &log; + ## the message type + msg_type: string &log &optional; + ## client ID + client_id: string &log &optional; + ## the server ID + server_id: addr &log &optional; + ## the host name + host_name: string &log &optional; + ## the subscriber id (if present) + subscriber_id: string &log &optional; + ## the agent remote id (if present) + agent_remote_id: string &log &optional; }; ## Event that can be handled to access the DHCP 
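Review bot: The comments on the new DHCP types in init-bare.bro are misspelled and the record fields are undocumented: `## DHCP Paremeter Reuqest list (Option 55)` should read `## DHCP Parameter Request List (Option 55)`, and `dhcp_sub_opt`, `dhcp_client_id` and `dhcp_sub_opt_list` give no `##<` description for `code`, `value`, `hwtype` or `hwaddr`, unlike `dhcp_msg` just above them. Moving `dhcp_msg` and `dhcp_router_list` out of the global namespace also changes the names existing event handlers must use, which seems worth a NEWS entry.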
@@ -47,20 +59,26 @@ redef record connection += { const ports = { 67/udp, 68/udp }; redef likely_server_ports += { 67/udp }; +global info: Info; + event bro_init() &priority=5 { Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp"]); Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports); } -event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string) &priority=5 +event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string, reb_time: count, ren_time: count, sub_opt: dhcp_sub_opt_list) &priority=5 { - local info: Info; + #local info: Info; info$ts = network_time(); info$id = c$id; info$uid = c$uid; info$lease_time = lease; info$trans_id = msg$xid; + info$msg_type = message_types[msg$m_type]; + + info$server_id = serv_addr; + info$host_name = host_name; if ( msg$h_addr != "" ) info$mac = msg$h_addr; 
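Review bot: Replacing `local info: Info;` with the module-level `global info: Info;` makes every handler write into one shared record, so `&optional` fields set for one message (`mac`, `assigned_ip`, `lease_time`, `client_id`, `subscriber_id`, `agent_remote_id`) stay set when the next message, possibly from a different client, is logged. `c$dhcp = info` then gives each connection that same record rather than one of its own. For a log that is used to attribute addresses to hardware, this carry-over between entries is worth avoiding: keep `local info: Info;` at the top of `dhcp_ack`, and add the same line to the `dhcp_request` and `dhcp_discover` handlers introduced in the following hunk. The body of `dhcp_ack` continues past the end of this hunk.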
@@ -70,10 +88,62 @@ event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_lis else info$assigned_ip = c$id$orig_h; + for (param in sub_opt) + { + #if ( sub_opt[param]$code == 1 ) + #{ + #print fmt("Relay Agent Information:"); + #print fmt( "sub option: code=%d circuit id=%s",sub_opt[param]$code,sub_opt[param]$value ); + #} + if ( sub_opt[param]$code == 2 ) + info$agent_remote_id = bytestring_to_hexstr(sub_opt[param]$value); + + if ( sub_opt[param]$code == 6 ) + info$subscriber_id = (sub_opt[param]$value); + } + c$dhcp = info; } -event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string) &priority=-5 +event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string, reb_time: count, ren_time: count, sub_opt: dhcp_sub_opt_list) &priority=-5 { Log::write(DHCP::LOG, c$dhcp); } + +event dhcp_request(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string, c_id: dhcp_client_id, req_params: table[count] of count) &priority=5 + { + info$ts = network_time(); + info$id = c$id; + info$uid = c$uid; + info$trans_id = msg$xid; + info$msg_type = message_types[msg$m_type]; + info$server_id = serv_addr; + info$host_name = host_name; + info$client_id = c_id$hwaddr; + + c$dhcp = info; + } + +event dhcp_request(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string, c_id: dhcp_client_id, req_params: table[count] of count) &priority=-5 + { + Log::write(DHCP::LOG, c$dhcp); + } + +event dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr, host_name: string, c_id: dhcp_client_id, req_params: table[count] of count) &priority=5 + { + info$ts = network_time(); + info$id = c$id; + info$uid = c$uid; + info$trans_id = msg$xid; + info$msg_type = message_types[msg$m_type]; + info$host_name = host_name; + info$client_id = c_id$hwaddr; + + c$dhcp = info; + } + +event 
dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr, host_name: string, c_id: dhcp_client_id, req_params: table[count] of count) &priority=-5 + { + Log::write(DHCP::LOG, c$dhcp); + } + diff --git a/scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro b/scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro index 63b794cb9f..39ea02c759 100644 --- a/scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro +++ b/scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro @@ -12,7 +12,7 @@ export { }; } -event dhcp_request(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string) +event dhcp_request(c: connection, msg: DHCP::dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string, client_id: DHCP::dhcp_client_id, req_params: DHCP::dhcp_params_list) { if ( msg$h_addr == "" ) return; @@ -24,7 +24,7 @@ event dhcp_request(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr } } -event dhcp_inform(c: connection, msg: dhcp_msg, host_name: string) +event dhcp_inform(c: connection, msg: DHCP::dhcp_msg, host_name: string, req_params: DHCP::dhcp_params_list) { if ( msg$h_addr == "" ) return; diff --git a/src/NetVar.cc b/src/NetVar.cc index 75613364e2..3f0967dbc4 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -426,8 +426,8 @@ void init_net_var() entropy_test_result = internal_type("entropy_test_result")->AsRecordType(); - dhcp_router_list = internal_type("dhcp_router_list")->AsTableType(); - dhcp_msg = internal_type("dhcp_msg")->AsRecordType(); + dhcp_router_list = internal_type("DHCP::dhcp_router_list")->AsTableType(); + dhcp_msg = internal_type("DHCP::dhcp_msg")->AsRecordType(); dns_msg = internal_type("dns_msg")->AsRecordType(); dns_answer = internal_type("dns_answer")->AsRecordType(); diff --git a/src/analyzer/protocol/dhcp/CMakeLists.txt b/src/analyzer/protocol/dhcp/CMakeLists.txt index 646a11f9ab..ece07e3a7e 100644 --- a/src/analyzer/protocol/dhcp/CMakeLists.txt 
+++ b/src/analyzer/protocol/dhcp/CMakeLists.txt @@ -6,5 +6,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro DHCP) bro_plugin_cc(DHCP.cc Plugin.cc) bro_plugin_bif(events.bif) +bro_plugin_bif(types.bif) bro_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac) bro_plugin_end() diff --git a/src/analyzer/protocol/dhcp/DHCP.cc b/src/analyzer/protocol/dhcp/DHCP.cc index 78b1c6be69..4ab77c09a4 100644 --- a/src/analyzer/protocol/dhcp/DHCP.cc +++ b/src/analyzer/protocol/dhcp/DHCP.cc @@ -1,6 +1,7 @@ #include "DHCP.h" #include "events.bif.h" +#include "types.bif.h" using namespace analyzer::dhcp; diff --git a/src/analyzer/protocol/dhcp/dhcp-analyzer.pac b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac index a11412ce96..f9b195088e 100644 --- a/src/analyzer/protocol/dhcp/dhcp-analyzer.pac +++ b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac @@ -8,17 +8,26 @@ flow DHCP_Flow(is_orig: bool) { %member{ BroVal dhcp_msg_val_; + uint8 sum_len; %} %init{ dhcp_msg_val_ = 0; + sum_len = 0; %} %cleanup{ Unref(dhcp_msg_val_); dhcp_msg_val_ = 0; + sum_len = 0; %} + function get_dhcp_sumlen(len: uint8): uint8 + %{ + sum_len = len + sum_len; + return sum_len; + %} + function get_dhcp_msgtype(options: DHCP_Option[]): uint8 %{ vector::const_iterator ptr; @@ -54,7 +63,12 @@ flow DHCP_Flow(is_orig: bool) { // Requested IP address to the server. ::uint32 req_addr = 0, serv_addr = 0; - StringVal* host_name = 0; + StringVal* host_name = new StringVal(""); + + TableVal* params_list = 0; + RecordVal* client_id = new RecordVal(BifType::Record::DHCP::dhcp_client_id); + client_id->Assign(0,0); + client_id->Assign(1,new StringVal("")); for ( ptr = options->begin(); ptr != options->end() && ! (*ptr)->last(); ++ptr ) { 
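Review bot: `sum_len` in `get_dhcp_sumlen` is cleared only in `%init` and `%cleanup`, so as far as this hunk shows the running total carries over from one option 82 to the next on the same flow, and as a `uint8` it wraps at 256. `Relay_Agent_SubOption` in dhcp-protocol.pac ends its array on `sum_len == tot_len`; once the total is off, or when the sub-option lengths taken from the packet do not add up exactly to the option length, that condition may never hold and the array keeps consuming bytes that belong to later options. Bounding the array by the enclosing option removes the need for flow state: `RELAY_AGENT_INF -> relay_agent_inf : Relay_Agent_SubOption(length)[] &length = length;`, with `sum_len`, `get_dhcp_sumlen` and the `last` field dropped.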
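Review bot: `client_id` is now allocated for every client-to-server message, but the switch in the next hunk passes it on only for DHCPDISCOVER and DHCPREQUEST, so on the other visible paths (INFORM, `default`) nothing releases it; `relay_agent_sub_opt` in `parse_reply` has the same shape, being consumed only by `generate_dhcp_ack`. Because the allocation happens per packet, the loss grows with whatever traffic the sensor sees. Either allocate when the option is encountered or release on the branches that raise no event taking it, e.g. `Unref(client_id);` before their `break`. `client_id->Assign(0,0)` also leaves `hwtype` without a value when option 61 is absent; `client_id->Assign(0, new Val(0, TYPE_COUNT));` would give scripts a readable default. `parse_request` starts before this hunk.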
@@ -69,29 +83,42 @@ flow DHCP_Flow(is_orig: bool) { break; case HOST_NAME_OPTION: - Unref(host_name); host_name = new StringVal((*ptr)->info()->host_name().length(), (const char*) (*ptr)->info()->host_name().begin()); break; + case CLIENT_ID_OPTION: + client_id->Assign(0, new Val((*ptr)->info()->client_id()->hwtype(), TYPE_COUNT)); + client_id->Assign(1, new StringVal(fmt_mac((*ptr)->info()->client_id()->hwaddr().begin(), (*ptr)->info()->client_id()->hwaddr().length()))); + break; + case PAR_REQ_LIST: + params_list = new TableVal(BifType::Table::DHCP::dhcp_params_list); + int num_parms = (*ptr)->info()->par_req_list()->size(); + for (int i=0; i < num_parms; ++i) + { + vector* plist = (*ptr)->info()->par_req_list(); + uint8 param = (*plist)[i]; + Val* index = new Val(i+1, TYPE_COUNT); + params_list->Assign(index, new Val(param, TYPE_COUNT)); + Unref(index); + } + break; } } - if ( host_name == 0 ) - host_name = new StringVal(""); - switch ( type ) { case DHCPDISCOVER: BifEvent::generate_dhcp_discover(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - dhcp_msg_val_->Ref(), new AddrVal(req_addr), host_name); + dhcp_msg_val_->Ref(), new AddrVal(req_addr), + host_name, client_id, params_list); break; case DHCPREQUEST: BifEvent::generate_dhcp_request(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), dhcp_msg_val_->Ref(), new AddrVal(req_addr), - new AddrVal(serv_addr), host_name); + new AddrVal(serv_addr), host_name, client_id, params_list); break; case DHCPDECLINE: @@ -109,7 +136,7 @@ flow DHCP_Flow(is_orig: bool) { case DHCPINFORM: BifEvent::generate_dhcp_inform(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - dhcp_msg_val_->Ref(), host_name); + dhcp_msg_val_->Ref(), host_name, params_list); break; default: 
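Review bot: Dropping `Unref(host_name);` in the `HOST_NAME_OPTION` case leaks a value on every message that carries option 12, because `host_name` now always starts as `new StringVal("")` and is overwritten without being released. Similar releases disappear in `parse_reply`: the `Unref(host_name)` removed from its `HOST_NAME_OPTION` case and the `Unref(router_list)` calls commented out in the `ROUTER_OPTION`, `DHCPNAK` and `default` branches. In this hunk `params_list` is likewise replaced without a release if option 55 appears more than once in a message. Restoring `Unref(host_name);` before the assignment and adding `Unref(params_list);` before `params_list = new TableVal(...)` keeps the per-message allocations balanced.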
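Review bot: `params_list` is still `0` at this `generate_dhcp_inform` call whenever the message carried no option 55, and the `generate_dhcp_discover` and `generate_dhcp_request` calls in the previous hunk pass it the same way. Whether a null table argument is tolerated depends on the event machinery, which is not visible here, so I would not rely on it for input that any host on the segment can send. Initialising it as `TableVal* params_list = new TableVal(BifType::Table::DHCP::dhcp_params_list);` gives handlers an empty table instead, provided it is released on the branches that raise no event taking it.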
@@ -123,6 +150,7 @@ flow DHCP_Flow(is_orig: bool) { function parse_reply(options: DHCP_Option[], type: uint8): bool %{ vector::const_iterator ptr; + vector::const_iterator ptrsubopt; // RFC 1533 allows a list of router addresses. TableVal* router_list = 0; @@ -132,6 +160,13 @@ flow DHCP_Flow(is_orig: bool) { uint32 lease = 0; StringVal* host_name = 0; + uint32 reb_time = 0; + uint32 ren_time = 0; + StringVal* agent_cir = 0; + StringVal* agent_rem = 0; + StringVal* agent_sub_opt = 0; + TableVal* relay_agent_sub_opt = new TableVal(BifType::Table::DHCP::dhcp_sub_opt_list); + for ( ptr = options->begin(); ptr != options->end() && ! (*ptr)->last(); ++ptr ) { @@ -144,7 +179,7 @@ flow DHCP_Flow(is_orig: bool) { case ROUTER_OPTION: // Let's hope there aren't multiple // such options. - Unref(router_list); + //Unref(router_list); router_list = new TableVal(dhcp_router_list); { @@ -175,10 +210,32 @@ flow DHCP_Flow(is_orig: bool) { break; case HOST_NAME_OPTION: - Unref(host_name); host_name = new StringVal((*ptr)->info()->host_name().length(), (const char*) (*ptr)->info()->host_name().begin()); break; + + case REB_TIME_OPTION: + reb_time = (*ptr)->info()->reb_time(); + break; + + case REN_TIME_OPTION: + ren_time = (*ptr)->info()->ren_time(); + break; + + case RELAY_AGENT_INF: + RecordVal* r = new RecordVal(BifType::Record::DHCP::dhcp_sub_opt); + uint i = 0; + for( ptrsubopt = (*ptr)->info()->relay_agent_inf()->begin(); ptrsubopt != (*ptr)->info()->relay_agent_inf()->end(); ++ptrsubopt) + { + r = new RecordVal(BifType::Record::DHCP::dhcp_sub_opt); + Val* index = new Val(i + 1, TYPE_COUNT); + r->Assign(0, new Val((*ptrsubopt)->code(), TYPE_COUNT)); + r->Assign(1, bytestring_to_val((*ptrsubopt)->value())); + relay_agent_sub_opt->Assign(index, r); + Unref(index); + ++i; + } + break; } } 
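Review bot: In the `RELAY_AGENT_INF` case the `RecordVal` assigned to `r` before the loop is never used, since the first iteration overwrites `r` with a fresh one, so one record is lost for each option 82 that has at least one sub-option, and also when it has none. Declaring it inside the loop, `RecordVal* r = new RecordVal(BifType::Record::DHCP::dhcp_sub_opt);`, and dropping the outer allocation fixes that; wrapping the case body in braces would keep `r` and `i` scoped to it. The number of table entries built here is bounded only by what the parser yields for the option, so the termination condition in dhcp-protocol.pac is what limits the work per packet. `parse_reply` begins before this hunk.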
@@ -204,19 +261,19 @@ flow DHCP_Flow(is_orig: bool) { BifEvent::generate_dhcp_ack(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), dhcp_msg_val_->Ref(), new AddrVal(subnet_mask), - router_list, lease, new AddrVal(serv_addr), host_name); + router_list, lease, new AddrVal(serv_addr), host_name, reb_time, ren_time, relay_agent_sub_opt); break; case DHCPNAK: - Unref(router_list); + //Unref(router_list); BifEvent::generate_dhcp_nak(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), dhcp_msg_val_->Ref(), host_name); break; default: - Unref(router_list); - Unref(host_name); + //Unref(router_list); + //Unref(host_name); break; } @@ -266,7 +323,10 @@ flow DHCP_Flow(is_orig: bool) { case BOOTREPLY: // presumably from server to client if ( ${msg.type} == DHCPOFFER || ${msg.type} == DHCPACK || - ${msg.type} == DHCPNAK ) + ${msg.type} == DHCPNAK || + ${msg.type} == DHCPLEASEUNASSIGNED || + ${msg.type} == DHCPLEASEUNKNOWN || + ${msg.type} == DHCPLEASEACTIVE ) parse_reply(${msg.options}, ${msg.type}); else connection()->bro_analyzer()->ProtocolViolation(fmt("unknown DHCP message type option for BOOTREPLY (%d)", diff --git a/src/analyzer/protocol/dhcp/dhcp-protocol.pac b/src/analyzer/protocol/dhcp/dhcp-protocol.pac index cf8cf69b26..ebc1fd946a 100644 --- a/src/analyzer/protocol/dhcp/dhcp-protocol.pac +++ b/src/analyzer/protocol/dhcp/dhcp-protocol.pac @@ -3,7 +3,7 @@ # Refer to RFC 2131 for op types. enum OP_type { BOOTREQUEST = 1, - BOOTREPLY = 2, + BOOTREPLY = 2 }; # Refer to RFC 1533 for option types. 
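Review bot: The three RFC 4388 reply types added to the `BOOTREPLY` condition are routed into `parse_reply`, but the switch shown in the previous hunk has no case for them, so as far as the diff shows they land in `default:` and produce no event. The effect is that these messages stop raising `ProtocolViolation` without becoming visible to scripts, and in `default:` the values built while walking the options are no longer released. If lease-query replies are meant to be accepted, a dedicated event would make that explicit; otherwise a comment such as `// LEASEQUERY replies: parsed but intentionally not reported` would record the intent.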
@@ -16,33 +16,67 @@ enum OPTION_type { REQ_IP_OPTION = 50, LEASE_OPTION = 51, MSG_TYPE_OPTION = 53, - SERV_ID_OPTION = 54, # Server address, actually :) - END_OPTION = 255, + SERV_ID_OPTION = 54, # Server address, actually :) + PAR_REQ_LIST = 55, # Parameters Request List - NEW + REN_TIME_OPTION = 58, # Renewal time - NEW + REB_TIME_OPTION = 59, # Rebinding time - NEW + CLIENT_ID_OPTION = 61, # Client Identifier - NEW + RELAY_AGENT_INF = 82, # Relay Agent Information - NEW + END_OPTION = 255 }; -# Refer to RFC 1533 for message types (with option = 53). enum DHCP_message_type { - DHCPDISCOVER = 1, - DHCPOFFER = 2, - DHCPREQUEST = 3, - DHCPDECLINE = 4, - DHCPACK = 5, - DHCPNAK = 6, - DHCPRELEASE = 7, - DHCPINFORM = 8, + DHCPDISCOVER = 1, + DHCPOFFER = 2, + DHCPREQUEST = 3, + DHCPDECLINE = 4, + DHCPACK = 5, + DHCPNAK = 6, + DHCPRELEASE = 7, + DHCPINFORM = 8, + DHCPFORCERENEW = 9, # RFC 2132 + DHCPLEASEQUERY = 10, # RFC 4388 + DHCPLEASEUNASSIGNED = 11, # RFC 4388 + DHCPLEASEUNKNOWN = 12, # RFC 4388 + DHCPLEASEACTIVE = 13 # RFC 4388 +}; + +type Relay_Agent_SubOption(tot_len: uint8) = record { + code : uint8; + length : uint8; + value : bytestring &length = length; +} &let { + sum_len: uint8 = $context.flow.get_dhcp_sumlen(length + 2); + last: bool = (sum_len == tot_len); +}; + +type Client_Identifier(length: uint8) = record { + hwtype : uint8; + hwaddr : bytestring &length = length -1; +}; + +enum DHCP_hardware_type +{ + ETHERNET = 1, + EXPERIMENTAL_ETHERNET = 2 }; type Option_Info(code: uint8) = record { length : uint8; value : case code of { - SUBNET_OPTION -> mask : uint32; - ROUTER_OPTION -> router_list : uint32[length/4]; - REQ_IP_OPTION -> req_addr : uint32; - LEASE_OPTION -> lease : uint32; - MSG_TYPE_OPTION -> msg_type : uint8; - SERV_ID_OPTION -> serv_addr : uint32; - HOST_NAME_OPTION-> host_name : bytestring &length = length; - default -> other : bytestring &length = length; + SUBNET_OPTION -> mask : uint32; + ROUTER_OPTION -> router_list : uint32[length/4]; + 
REQ_IP_OPTION -> req_addr : uint32; + LEASE_OPTION -> lease : uint32; + MSG_TYPE_OPTION -> msg_type : uint8; + SERV_ID_OPTION -> serv_addr : uint32; + HOST_NAME_OPTION -> host_name : bytestring &length = length; + PAR_REQ_LIST -> par_req_list : uint8[length]; + REB_TIME_OPTION -> reb_time : uint32; + REN_TIME_OPTION -> ren_time : uint32; + CLIENT_ID_OPTION -> client_id : Client_Identifier(length); + RELAY_AGENT_INF -> relay_agent_inf : Relay_Agent_SubOption(length)[] &until($element.last); + default -> other : bytestring &length = length; }; }; 
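Review bot: `Client_Identifier` sizes `hwaddr` as `length - 1`, where `length` is the option length byte from the packet, so an option 61 with length 0 asks for a negative-length bytestring after `hwtype` has already consumed a byte that is not part of the option. How the generated parser reacts to that is not visible in this diff; I would make the zero-length case explicit by routing it to the `other` bytestring branch or rejecting the option, and add `# length is wire-controlled; must be >= 1 before computing length - 1` next to the field. Separately, `DHCPFORCERENEW = 9` is annotated `# RFC 2132`, while FORCERENEW is defined in RFC 3203, and removing the `# Refer to RFC 1533 for message types` line leaves the enum without a reference for values 1 to 8.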
@@ -53,45 +87,9 @@ type DHCP_Option = record { default -> info : Option_Info(code); }; } &let { - last: bool = (code == 255); # Mark the end of a list of options + last: bool = (code == END_OPTION); # Mark the end of a list of options }; -# Message format according to RFC 2131 -# -# 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 3 -# 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | op (1) | htype (1) | hlen (1) | hops (1) | -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | xid (4) | -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | secs (2) | flags (2) | -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | ciaddr (4) | -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | yiaddr (4) | -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | siaddr (4) | -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | giaddr (4) | -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | | -# | chaddr (16) | -# / / -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | | -# | sname (64) | -# / / -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | | -# | file (128) | -# / / -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | | -# | options (variable) | -# / / -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - type DHCP_Message = record { op : uint8; htype : uint8; @@ -107,11 +105,9 @@ type DHCP_Message = record { chaddr : bytestring &length = 16; sname : bytestring &length = 64; file : bytestring &length = 128; - # Cookie belongs to options in RFC 2131, but we separate # them here for easy parsing. cookie : uint32; - options : DHCP_Option[] &until($element.last); } &let { type : uint8 = $context.flow.get_dhcp_msgtype(options); 
diff --git a/src/analyzer/protocol/dhcp/dhcp.pac b/src/analyzer/protocol/dhcp/dhcp.pac index 706be31e10..18439cf341 100644 --- a/src/analyzer/protocol/dhcp/dhcp.pac +++ b/src/analyzer/protocol/dhcp/dhcp.pac @@ -2,6 +2,7 @@ %include bro.pac %extern{ +#include "types.bif.h" #include "events.bif.h" %} diff --git a/src/analyzer/protocol/dhcp/events.bif b/src/analyzer/protocol/dhcp/events.bif index bbd27c71f7..057db36aff 100644 --- a/src/analyzer/protocol/dhcp/events.bif +++ b/src/analyzer/protocol/dhcp/events.bif @@ -9,6 +9,10 @@ ## ## host_name: The value of the host name option, if specified by the client. ## +## client_id: The value of the client id (usually the MAC ADDRESS). +## +## req_params: The Parameters Request List. +## ## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak ## dhcp_release dhcp_inform ## @@ -16,7 +20,7 @@ ## protocol). It treats broadcast addresses just like any other and ## associates packets into transport-level flows in the same way as usual. ## -event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr, host_name: string%); +event dhcp_discover%(c: connection, msg: DHCP::dhcp_msg, req_addr: addr, host_name: string, client_id: DHCP::dhcp_client_id, req_params: DHCP::dhcp_params_list%); ## Generated for DHCP messages of type *DHCPOFFER* (server to client in response ## to DHCPDISCOVER with offer of configuration parameters). 
@@ -43,7 +47,7 @@ event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr, host_name: st ## protocol). It treats broadcast addresses just like any other and ## associates packets into transport-level flows in the same way as usual. ## -event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string%); +event dhcp_offer%(c: connection, msg: DHCP::dhcp_msg, mask: addr, router: DHCP::dhcp_router_list, lease: interval, serv_addr: addr, host_name: string%); ## Generated for DHCP messages of type *DHCPREQUEST* (Client message to servers either ## (a) requesting offered parameters from one server and implicitly declining offers @@ -60,6 +64,10 @@ event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_ ## ## host_name: The value of the host name option, if specified by the client. ## +## client_id: The client id. +## +## req_parms: The Parameters Request List. +## ## .. bro:see:: dhcp_discover dhcp_offer dhcp_decline dhcp_ack dhcp_nak ## dhcp_release dhcp_inform ## @@ -67,7 +75,7 @@ event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_ ## protocol). It treats broadcast addresses just like any other and ## associates packets into transport-level flows in the same way as usual. ## -event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string%); +event dhcp_request%(c: connection, msg: DHCP::dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string, client_id: DHCP::dhcp_client_id, req_params: DHCP::dhcp_params_list%); ## Generated for DHCP messages of type *DHCPDECLINE* (Client to server indicating ## network address is already in use). 
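Review bot: The new doc line for `dhcp_request` describes `req_parms`, but the parameter in the signature is `req_params`; the `dhcp_inform` documentation further down has the same mismatch, while `dhcp_discover` uses the right name. I would write `## req_params: The Parameters Request List (option 55).` in both places. In the `dhcp_ack` text `cilent` should read `client`, and `## client_id: The client id.` could say what the field holds, as the `dhcp_discover` entry does.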
@@ -85,7 +93,7 @@ event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: add ## protocol). It treats broadcast addresses just like any other and ## associates packets into transport-level flows in the same way as usual. ## -event dhcp_decline%(c: connection, msg: dhcp_msg, host_name: string%); +event dhcp_decline%(c: connection, msg: DHCP::dhcp_msg, host_name: string%); ## Generated for DHCP messages of type *DHCPACK* (Server to client with configuration ## parameters, including committed network address). @@ -105,10 +113,21 @@ event dhcp_decline%(c: connection, msg: dhcp_msg, host_name: string%); ## host_name: Optional host name value. May differ from the host name requested ## from the client. ## +## reb_time: A 32-bit unsigned integer indicating the number of seconds before +## the cilent enters the rebinding state if it has not renewed its +## current address lease with the DHCP server. +## +## ren_time: A 32-bit unsigned integer indicating the number of seconds before +## the client begins to renew its address lease with the DHCP server. +## +## sub_opt: DHCP relay agent information option list of suboption values +## (see http://slaptijack.com/networking/what-is-dhcp-option-82/ or +## http://www.juniper.net/documentation/en_US/junose14.3/topics/concept/dhcp-relay-option-82-suboptions-overview.html) +## ## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_nak ## dhcp_release dhcp_inform ## -event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string%); +event dhcp_ack%(c: connection, msg: DHCP::dhcp_msg, mask: addr, router: DHCP::dhcp_router_list, lease: interval, serv_addr: addr, host_name: string, reb_time: count, ren_time: count, sub_opt: DHCP::dhcp_sub_opt_list%); ## Generated for DHCP messages of type *DHCPNAK* (Server to client indicating client's ## notion of network address is incorrect (e.g., client has moved to new subnet) or 
@@ -127,7 +146,7 @@ event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_li ## protocol). It treats broadcast addresses just like any other and ## associates packets into transport-level flows in the same way as usual. ## -event dhcp_nak%(c: connection, msg: dhcp_msg, host_name: string%); +event dhcp_nak%(c: connection, msg: DHCP::dhcp_msg, host_name: string%); ## Generated for DHCP messages of type *DHCPRELEASE* (Client to server relinquishing ## network address and cancelling remaining lease). @@ -141,7 +160,7 @@ event dhcp_nak%(c: connection, msg: dhcp_msg, host_name: string%); ## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak ## dhcp_inform ## -event dhcp_release%(c: connection, msg: dhcp_msg, host_name: string%); +event dhcp_release%(c: connection, msg: DHCP::dhcp_msg, host_name: string%); ## Generated for DHCP messages of type *DHCPINFORM* (Client to server, asking only for ## local configuration parameters; client already has externally configured network @@ -153,6 +172,8 @@ event dhcp_release%(c: connection, msg: dhcp_msg, host_name: string%); ## ## host_name: The value of the host name option, if specified by the client. ## +## req_parms: The Parameters Request List. +## ## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak ## dhcp_release ## @@ -160,5 +181,5 @@ event dhcp_release%(c: connection, msg: dhcp_msg, host_name: string%); ## protocol). It treats broadcast addresses just like any other and ## associates packets into transport-level flows in the same way as usual. ## -event dhcp_inform%(c: connection, msg: dhcp_msg, host_name: string%); +event dhcp_inform%(c: connection, msg: DHCP::dhcp_msg, host_name: string, req_params: DHCP::dhcp_params_list%); diff --git a/src/analyzer/protocol/dhcp/types.bif b/src/analyzer/protocol/dhcp/types.bif new file mode 100644 index 0000000000..8f501fc7fd --- /dev/null +++ b/src/analyzer/protocol/dhcp/types.bif 
@@ -0,0 +1,10 @@ +module DHCP; + +type dhcp_msg: record; +type dhcp_router_list: table; +type dhcp_params_list: table; +type dhcp_sub_opt_list: table; +type dhcp_sub_opt: record; +type dhcp_client_id: record; + +module GLOBAL; From 928e33a7b8019a178ed6ca6dc819b350aefcef16 Mon Sep 17 00:00:00 2001 From: Valerio G Date: Mon, 8 Jan 2018 21:39:11 +0100 Subject: [PATCH 276/631] Add .btest scripts for dhck_ack and dhcp_discover messages verifying that new options are correctly reported in dhcp.log records. --- .../dhcp.log | 10 ++++++++++ .../dhcp.log | 10 ++++++++++ ...cp_ack_subscriber_id_and_agent_remote_id.trace | Bin 0 -> 419 bytes .../dhcp_discover_param_req_and_client_id.trace | Bin 0 -> 363 bytes .../base/protocols/dhcp/dhcp-ack-msg-types.btest | 6 ++++++ .../protocols/dhcp/dhcp-discover-msg-types.btest | 6 ++++++ 6 files changed, 32 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-ack-msg-types/dhcp.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-discover-msg-types/dhcp.log create mode 100644 testing/btest/Traces/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace create mode 100644 testing/btest/Traces/dhcp/dhcp_discover_param_req_and_client_id.trace create mode 100644 testing/btest/scripts/base/protocols/dhcp/dhcp-ack-msg-types.btest create mode 100644 testing/btest/scripts/base/protocols/dhcp/dhcp-discover-msg-types.btest diff --git a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-ack-msg-types/dhcp.log b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-ack-msg-types/dhcp.log new file mode 100644 index 0000000000..1edaec49ee --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-ack-msg-types/dhcp.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dhcp +#open 2018-01-08-17-58-31 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id msg_type client_id server_id host_name subscriber_id agent_remote_id +#types time string addr port addr port string addr interval count string string addr string string string +1102274184.387798 CHhAvVGS1DHFjwGM9 10.10.0.10 68 10.10.0.1 67 00:0a:28:00:fa:42 192.168.0.10 3600.000000 15633 DHCP_ACK - 10.10.0.1 (empty) -subID- 13 +#close 2018-01-08-17-58-31 diff --git a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-discover-msg-types/dhcp.log b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-discover-msg-types/dhcp.log new file mode 100644 index 0000000000..13e87b3855 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-discover-msg-types/dhcp.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dhcp +#open 2018-01-08-17-58-41 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id msg_type client_id server_id host_name subscriber_id agent_remote_id +#types time string addr port addr port string addr interval count string string addr string string string +1102274184.317453 CHhAvVGS1DHFjwGM9 0.0.0.0 68 255.255.255.255 67 - - - 15633 DHCP_DISCOVER 00:0b:82:01:fc:42 - test0000 - - +#close 2018-01-08-17-58-41 
diff --git a/testing/btest/Traces/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace b/testing/btest/Traces/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace new file mode 100644 index 0000000000000000000000000000000000000000..b5e72d473576c32fbc99cf0775860ff4e1860f4f GIT binary patch literal 419 zcmca|c+)~A1{MYw`2U}Qff2~*h}-OV?G-CSHIM_s3|txvzns9NBL{;k17j|W8v{dw zprQ;H7Xu>@b1^tGxG+Xal`%200hQYd!c07{0w@Oq5K~~hAx|ea1t*&_vRVPdkDbFB zNb=|z14%vsGZs*=FtYpyhG&opqgY8sX0ZYg<>%#8DkLhDq!yRx>FF^s3bV267MCV@ Ly66JK9R~maz#k;D literal 0 HcmV?d00001 diff --git a/testing/btest/Traces/dhcp/dhcp_discover_param_req_and_client_id.trace b/testing/btest/Traces/dhcp/dhcp_discover_param_req_and_client_id.trace new file mode 100644 index 0000000000000000000000000000000000000000..bfdbb54c01dd71276c37f881c1dd3d8198cc5691 GIT binary patch literal 363 zcmca|c+)~A1{MYw`2U}Qff2~*h}-PQdxM3+8OQDAV?eoa5pjjal#NCvI5CX!O5nKjJE8I3}Bxbv0QMz Ych8)Kk(o`4hodC5xWoVmfI$iZ0FO;2VE_OC literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/dhcp/dhcp-ack-msg-types.btest b/testing/btest/scripts/base/protocols/dhcp/dhcp-ack-msg-types.btest new file mode 100644 index 0000000000..8f192b7aa4 --- /dev/null +++ b/testing/btest/scripts/base/protocols/dhcp/dhcp-ack-msg-types.btest @@ -0,0 +1,6 @@ +# This tests that DHCP leases are logged in dhcp.log +# The trace has a message of each DHCP message type, +# but only one lease should show up in the logs. + +# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT +# @TEST-EXEC: btest-diff dhcp.log diff --git a/testing/btest/scripts/base/protocols/dhcp/dhcp-discover-msg-types.btest b/testing/btest/scripts/base/protocols/dhcp/dhcp-discover-msg-types.btest new file mode 100644 index 0000000000..1952682e61 --- /dev/null +++ b/testing/btest/scripts/base/protocols/dhcp/dhcp-discover-msg-types.btest 
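Review bot: The header comment in `dhcp-ack-msg-types.btest` says the trace holds a message of each DHCP type and that only one lease should be logged, which does not describe a test built on an ACK trace with option 82 sub-options; `dhcp-discover-msg-types.btest`, added next, repeats the same text. Something like `# Checks that subscriber_id and agent_remote_id from a DHCPACK appear in dhcp.log.` would match what the baseline verifies. Both baselines contain a single record, so neither test appears to exercise more than one message per run; a trace with a DISCOVER followed by an ACK for another client would show whether fields carry over between log entries.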
@@ -0,0 +1,6 @@ +# This tests that DHCP leases are logged in dhcp.log +# The trace has a message of each DHCP message type, +# but only one lease should show up in the logs. + +# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_discover_param_req_and_client_id.trace %INPUT +# @TEST-EXEC: btest-diff dhcp.log From 7cb6cf24a6aad19a95768098eeac263508c44a4b Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 9 Jan 2018 12:16:17 -0500 Subject: [PATCH 277/631] Functions for retrieving files by their id. There are two new script level functions to query and lookup files from the core by their IDs. These are adding feature parity for similarly named functions for files. The function prototypes are as follows: Files::file_exists(fuid: string): bool Files::lookup_File(fuid: string): fa_file --- scripts/base/frameworks/files/main.bro | 24 +++++++ src/file_analysis/Manager.h | 62 +++++++++---------- src/file_analysis/file_analysis.bif | 22 +++++++ .../.stdout | 9 +++ .../bifs/file_exists_lookup_file.bro | 21 +++++++ 5 files changed, 107 insertions(+), 31 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.file_exists_lookup_file/.stdout create mode 100644 testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.bro index ed73028236..71147a77aa 100644 --- a/scripts/base/frameworks/files/main.bro +++ b/scripts/base/frameworks/files/main.bro 
@@ -135,6 +135,20 @@ export { ## The default per-file reassembly buffer size. const reassembly_buffer_size = 524288 &redef; + ## Lookup to see if a particular file id exists and is still valid. + ## + ## fuid: the file id. + ## + ## Returns: T if the file uid is known. + global file_exists: function(fuid: string): bool; + + ## Lookup an :bro:see:`fa_file` record with the file id. + ## + ## fuid: the file id. + ## + ## Returns: the associated :bro:see:`fa_file` record. + global lookup_file: function(fuid: string): fa_file; + ## Allows the file reassembler to be used if it's necessary because the ## file is transferred out of order. ## @@ -338,6 +352,16 @@ function set_info(f: fa_file) f$info$is_orig = f$is_orig; } +function file_exists(fuid: string): bool + { + return __file_exists(fuid); + } + +function lookup_file(fuid: string): fa_file + { + return __lookup_file(fuid); + } + function set_timeout_interval(f: fa_file, t: interval): bool { return __set_timeout_interval(f$id, t); diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index dec308236a..1a5fb55f89 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -256,6 +256,14 @@ public: bool SetExtractionLimit(const string& file_id, RecordVal* args, uint64 n) const; + /** + * Try to retrieve a file that's being analyzed, using its identifier/hash. + * @param file_id the file identifier/hash. + * @return the File object mapped to \a file_id, or a null pointer if no + * mapping exists. + */ + File* LookupFile(const string& file_id) const; + /** * Queue attachment of an analzer to the file identifier. Multiple * analyzers of a given type can be attached per file identifier at a time 
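Review bot: The doc comment for `Files::lookup_file` does not say what happens for an unknown id; per the `.stdout` baseline in this commit the call reports `file ID asdf not a known file` and returns without a value. I would add `## An unknown id raises a reporter error and yields no record; check Files::file_exists first.` so script authors do not use the result unguarded. The `file_exists` comment says `T if the file uid is known`; `file id` would match the parameter description.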
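Review bot: Making `LookupFile` public exposes a raw `File*` to any caller, and its comment does not say who owns the object or how long the pointer stays valid. The manager appears to own and remove `File` objects (its timeout handling is declared in the same class), so I would extend the comment with `@note The returned pointer is owned by the manager and must not be stored or deleted by the caller.`, adjusted if the actual lifetime rule differs.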
@@ -332,37 +340,6 @@ protected: typedef PDict(bool) IDSet; typedef PDict(File) IDMap; - /** - * Create a new file to be analyzed or retrieve an existing one. - * @param file_id the file identifier/hash. - * @param conn network connection, if any, over which the file is - * transferred. - * @param tag network protocol, if any, over which the file is transferred. - * @param is_orig true if the file is being sent from connection originator - * or false if is being sent in the opposite direction (or if it - * this file isn't related to a connection). - * @param update_conn whether we need to update connection-related field - * in the \c fa_file record value associated with the file. - * @param an optional value of the source field to fill in. - * @return the File object mapped to \a file_id or a null pointer if - * analysis is being ignored for the associated file. An File - * object may be created if a mapping doesn't exist, and if it did - * exist, the activity time is refreshed along with any - * connection-related fields. - */ - File* GetFile(const string& file_id, Connection* conn = 0, - analyzer::Tag tag = analyzer::Tag::Error, - bool is_orig = false, bool update_conn = true, - const char* source_name = 0); - - /** - * Try to retrieve a file that's being analyzed, using its identifier/hash. - * @param file_id the file identifier/hash. - * @return the File object mapped to \a file_id, or a null pointer if no - * mapping exists. - */ - File* LookupFile(const string& file_id) const; - /** * Evaluate timeout policy for a file and remove the File object mapped to * \a file_id if needed. 
@@ -392,6 +369,29 @@ protected: */ std::string GetFileID(analyzer::Tag tag, Connection* c, bool is_orig); + /** + * Create a new file to be analyzed or retrieve an existing one. + * @param file_id the file identifier/hash. + * @param conn network connection, if any, over which the file is + * transferred. + * @param tag network protocol, if any, over which the file is transferred. + * @param is_orig true if the file is being sent from connection originator + * or false if is being sent in the opposite direction (or if it + * this file isn't related to a connection). + * @param update_conn whether we need to update connection-related field + * in the \c fa_file record value associated with the file. + * @param an optional value of the source field to fill in. + * @return the File object mapped to \a file_id or a null pointer if + * analysis is being ignored for the associated file. An File + * object may be created if a mapping doesn't exist, and if it did + * exist, the activity time is refreshed along with any + * connection-related fields. + */ + File* GetFile(const string& file_id, Connection* conn = 0, + analyzer::Tag tag = analyzer::Tag::Error, + bool is_orig = false, bool update_conn = true, + const char* source_name = 0); + /** * Check if analysis is available for files transferred over a given * network protocol. diff --git a/src/file_analysis/file_analysis.bif b/src/file_analysis/file_analysis.bif index 480d8c84d8..f445a9cf6a 100644 --- a/src/file_analysis/file_analysis.bif +++ b/src/file_analysis/file_analysis.bif 
@@ -71,6 +71,28 @@ function Files::__analyzer_name%(tag: Files::Tag%) : string return new StringVal(file_mgr->GetComponentName(tag)); %} +## :bro:see:`Files::file_exists`. +function Files::__file_exists%(fuid: string%): bool + %{ + if ( file_mgr->LookupFile(fuid->CheckString()) != nullptr ) + return new Val(true, TYPE_BOOL); + else + return new Val(false, TYPE_BOOL); + %} + +## :bro:see:`Files::lookup_file`. +function Files::__lookup_file%(fuid: string%): fa_file + %{ + auto f = file_mgr->LookupFile(fuid->CheckString()); + if ( f != nullptr ) + { + return f->GetVal()->Ref(); + } + + reporter->Error("file ID %s not a known file", fuid->CheckString()); + return 0; + %} + module GLOBAL; ## For use within a :bro:see:`get_file_handle` handler to set a unique diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.file_exists_lookup_file/.stdout b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.file_exists_lookup_file/.stdout new file mode 100644 index 0000000000..d5dd2cab55 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.file_exists_lookup_file/.stdout @@ -0,0 +1,9 @@ +error: file ID asdf not a known file +warning: non-void function returns without a value: Files::lookup_file +This should fail but not crash +This should return F +F +lookup fid: FakNcS1Jfe01uljb3 +We should have found the file id: FakNcS1Jfe01uljb3 +This should return T +T diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro new file mode 100644 index 0000000000..cba82bbfab --- /dev/null +++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro 
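Review bot: The unknown-ID path of `Files::__lookup_file` returns a null pointer from a BIF declared to return `fa_file`, so every script caller relies on the interpreter tolerating a missing value. A comment at the `return 0;` would make that deliberate, e.g. `// No fa_file to hand back: unknown IDs are an error; callers should test Files::file_exists() first.` `fuid->CheckString()` is also evaluated twice in this function; hoisting it into `const char* id = fuid->CheckString();` keeps the lookup and the error message on the same value. As a smaller style point, `__file_exists` can return `new Val(file_mgr->LookupFile(fuid->CheckString()) != nullptr, TYPE_BOOL);` instead of the if/else.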
@@ -0,0 +1,21 @@ +# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT 2>&1 +# @TEST-EXEC: btest-diff .stdout + +event bro_init() + { + print "This should fail but not crash"; + print Files::lookup_file("asdf"); + + print "This should return F"; + print Files::file_exists("asdf"); + } + +event file_sniff(f: fa_file, meta: fa_metadata) + { + print "lookup fid: " + f$id; + local looked_up_file = Files::lookup_file(f$id); + print "We should have found the file id: " + looked_up_file$id ; + + print "This should return T"; + print Files::file_exists(f$id); + } From b93691b15c2c1182084c5e9e5fea3cbdabce53db Mon Sep 17 00:00:00 2001 From: Devin Trejo Date: Wed, 10 Jan 2018 12:06:10 -0500 Subject: [PATCH 278/631] Add nfs_proc_symlink, nfs_proc_link, nfs_proc_sattr. --- scripts/base/init-bare.bro | 61 ++++++++++++ src/analyzer/protocol/rpc/NFS.cc | 139 +++++++++++++++++++++++++++ src/analyzer/protocol/rpc/NFS.h | 8 ++ src/analyzer/protocol/rpc/events.bif | 88 ++++++++++++++++- src/types.bif | 20 +++- 5 files changed, 311 insertions(+), 5 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index f2ea2ed29a..287c213091 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -2157,6 +2157,18 @@ export { rpc_auxgids: index_vec; }; + ## NFS file attributes. Field names are based on RFC 1813. + ## + ## .. bro:see:: nfs_proc_sattr + type sattr_t: record { + mode: count &optional; ##< Mode + uid: count &optional; ##< User ID. + gid: count &optional; ##< Group ID. + size: count &optional; ##< Size. + atime: time_how_t &optional; ##< Time of last access. + mtime: time_how_t &optional; ##< Time of last modification. + }; + ## NFS file attributes. Field names are based on RFC 1813. ## ## .. bro:see:: nfs_proc_getattr 
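Review bot: The first `@TEST-EXEC` line of the new test folds stderr into the diffed output with `2>&1`, so the baseline's line order depends on how the two streams are buffered. In the committed `.stdout` the `error:` and `warning:` lines come before `This should fail but not crash`, although the script prints that string before it calls `Files::lookup_file("asdf")`. Dropping the redirect and adding `# @TEST-EXEC: btest-diff .stderr` would pin both streams without depending on interleaving.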
@@ -2177,6 +2189,14 @@ export { ctime: time; ##< Time of creation. }; + ## NFS symlinkdata attributes. Field names are based on RFC 1813 + ## + ## .. bro:see:: nfs_proc_symlink + type symlinkdata_t: record { + symlink_attributes: sattr_t; ##< The initial attributes for the symbolic link + nfspath: string &optional; ##< The string containing the symbolic link data. + }; + ## NFS *readdir* arguments. ## ## .. bro:see:: nfs_proc_readdir @@ -2195,6 +2215,30 @@ export { dst_fname : string; }; + ## NFS *symlink* arguments. + ## + ## .. bro:see:: nfs_proc_symlink + type symlinkargs_t: record { + link : diropargs_t; ##< The location of the link to be created. + symlinkdata: symlinkdata_t; ##< The symbolic link to be created. + }; + + ## NFS *link* arguments. + ## + ## .. bro:see:: nfs_proc_link + type linkargs_t: record { + fh : string; ##< The file handle for the existing file system object. + link : diropargs_t; ##< The location of the link to be created. + }; + + ## NFS *sattr* arguments. + ## + ## .. bro:see:: nfs_proc_sattr + type sattrargs_t: record { + fh : string; ##< The file handle for the existing file system object. + new_attributes: sattr_t; ##< The new attributes for the file. + }; + ## NFS lookup reply. If the lookup failed, *dir_attr* may be set. If the ## lookup succeeded, *fh* is always set and *obj_attr* and *dir_attr* ## may be set. 
@@ -2253,6 +2297,23 @@ export { mtime: time; ##< Modification time. }; + ## NFS *link* reply. + ## + ## .. bro:see:: nfs_proc_link + type link_reply_t: record { + post_attr: fattr_t &optional; ##< Optional post-operation attributes of the file system object identified by file + preattr: wcc_attr_t &optional; ##< Optional attributes associated w/ file. + postattr: fattr_t &optional; ##< Optional attributes associated w/ file. + }; + + ## NFS *sattr* reply. If the request fails, *pre|post* attr may be set. + ## If the request succeeds, *pre|post* attr are set. + ## + type sattr_reply_t: record { + dir_pre_attr: wcc_attr_t &optional; ##< Optional attributes associated w/ dir. + dir_post_attr: fattr_t &optional; ##< Optional attributes associated w/ dir. + }; + ## NFS *write* reply. If the request fails, *pre|post* attr may be set. ## If the request succeeds, *pre|post* attr may be set and all other ## fields are set. diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index 03cd91e573..f03e47ab8b 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc @@ -31,6 +31,10 @@ int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) callarg = nfs3_fh(buf, n); break; + case BifEnum::NFS3::PROC_SETATTR: + callarg = nfs3_sattrargs(buf, n); + break; + case BifEnum::NFS3::PROC_LOOKUP: callarg = nfs3_diropargs(buf, n); break; @@ -43,6 +47,14 @@ int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) callarg = nfs3_fh(buf, n); break; + case BifEnum::NFS3::PROC_SYMLINK: + callarg = nfs3_symlinkargs(buf, n); + break; + + case BifEnum::NFS3::PROC_LINK: + callarg = nfs3_linkargs(buf, n); + break; + case BifEnum::NFS3::PROC_WRITE: callarg = nfs3_writeargs(buf, n); break; 
@@ -159,6 +171,11 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, event = nfs_proc_getattr; break; + case BifEnum::NFS3::PROC_SETATTR: + reply = nfs3_sattr_reply(buf, n, nfs_status); + event = nfs_proc_sattr; + break; + case BifEnum::NFS3::PROC_LOOKUP: reply = nfs3_lookup_reply(buf, n, nfs_status); event = nfs_proc_lookup; @@ -176,6 +193,16 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, event = nfs_proc_readlink; break; + case BifEnum::NFS3::PROC_SYMLINK: + reply = nfs3_newobj_reply(buf, n, nfs_status); + event = nfs_proc_symlink; + break; + + case BifEnum::NFS3::PROC_LINK: + reply = nfs3_link_reply(buf, n, nfs_status); + event = nfs_proc_link; + break; + case BifEnum::NFS3::PROC_WRITE: reply = nfs3_write_reply(buf, n, nfs_status); event = nfs_proc_write; 
@@ -334,6 +361,56 @@ StringVal* NFS_Interp::nfs3_fh(const u_char*& buf, int& n) return new StringVal(new BroString(fh, fh_n, 0)); } + +RecordVal* NFS_Interp::nfs3_sattr(const u_char*& buf, int& n) + { + RecordVal* attrs = new RecordVal(BifType::Record::NFS3::sattr_t); + + attrs->Assign(0, 0); // mode + int mode_set_it = extract_XDR_uint32(buf, n); + if ( mode_set_it ) + attrs->Assign(0, ExtractUint32(buf, n)); // mode + + attrs->Assign(1, 0); // uid + int uid_set_it = extract_XDR_uint32(buf, n); + if ( uid_set_it ) + attrs->Assign(1, ExtractUint32(buf, n)); // uid + + attrs->Assign(2, 0); // gid + int gid_set_it = extract_XDR_uint32(buf, n); + if ( gid_set_it ) + attrs->Assign(2, ExtractUint32(buf, n)); // gid + + attrs->Assign(3, 0); // size + int size_set_it = extract_XDR_uint32(buf, n); + if ( size_set_it ) + attrs->Assign(3, ExtractTime(buf, n)); // size + + attrs->Assign(4, nfs3_time_how(buf, n)); // time_how + + attrs->Assign(5, nfs3_time_how(buf, n)); // time_how + + return attrs; + } + +RecordVal* NFS_Interp::nfs3_sattr_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) + { + RecordVal* rep = new RecordVal(BifType::Record::NFS3::sattr_reply_t); + + if ( status == BifEnum::NFS3::NFS3ERR_OK ) + { + rep->Assign(0, nfs3_pre_op_attr(buf, n)); + rep->Assign(1, nfs3_post_op_attr(buf, n)); + } + else + { + rep->Assign(1, 0); + rep->Assign(2, 0); + } + + return rep; + } + RecordVal* NFS_Interp::nfs3_fattr(const u_char*& buf, int& n) { RecordVal* attrs = new RecordVal(BifType::Record::NFS3::fattr_t); 
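Review bot: The failure branch of `nfs3_sattr_reply` assigns field indexes 1 and 2, but `sattr_reply_t` as declared in this patch has only two fields (indexes 0 and 1). A SETATTR reply with a non-OK status, which the remote server controls, therefore addresses a slot the record type does not have; the branch should read `rep->Assign(0, 0); rep->Assign(1, 0);`. In `nfs3_sattr` the size branch stores `ExtractTime(buf, n)` into a field declared `size: count`; the value should be read as a 64-bit count, e.g. `attrs->Assign(3, ExtractUint64(buf, n));`, assuming that helper is available next to `ExtractUint32`. Both functions are complete within this hunk.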
@@ -356,6 +433,12 @@ RecordVal* NFS_Interp::nfs3_fattr(const u_char*& buf, int& n) return attrs; } +EnumVal* NFS_Interp::nfs3_time_how(const u_char*& buf, int& n) + { + BifEnum::NFS3::time_how_t t = (BifEnum::NFS3::time_how_t)extract_XDR_uint32(buf, n); + return new EnumVal(t, BifType::Enum::NFS3::time_how_t); + } + EnumVal* NFS_Interp::nfs3_ftype(const u_char*& buf, int& n) { BifEnum::NFS3::file_type_t t = (BifEnum::NFS3::file_type_t)extract_XDR_uint32(buf, n); @@ -394,6 +477,16 @@ RecordVal *NFS_Interp::nfs3_diropargs(const u_char*& buf, int& n) return diropargs; } +RecordVal *NFS_Interp::nfs3_symlinkdata(const u_char*& buf, int& n) + { + RecordVal *symlinkdata = new RecordVal(BifType::Record::NFS3::symlinkdata_t); + + symlinkdata->Assign(0, nfs3_sattr(buf, n)); + symlinkdata->Assign(1, nfs3_nfspath(buf, n)); + + return symlinkdata; + } + RecordVal *NFS_Interp::nfs3_renameopargs(const u_char*& buf, int& n) { RecordVal *renameopargs = new RecordVal(BifType::Record::NFS3::renameopargs_t); 
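Review bot: `nfs3_time_how` consumes only the 4-byte discriminant, yet as I read RFC 1813 `set_atime` and `set_mtime` are unions that carry an `nfstime3` (two 32-bit words) when the discriminant is SET_TO_CLIENT_TIME, and `nfs3_sattr` calls this helper twice in a row. A request that sets a client-supplied atime would then have its timestamp bytes read as the mtime discriminant, and the rest of the call (including the symlink path parsed by `nfs3_symlinkdata` in the next hunk) would be mis-parsed. After the cast, skip the payload when it is present, e.g. `if ( buf && t == BifEnum::NFS3::SET_TO_CLIENT_TIME ) { extract_XDR_uint32(buf, n); extract_XDR_uint32(buf, n); }`, or extend `sattr_t` to carry the time value. The cast also passes any wire value through unvalidated, which deserves a short comment.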
@@ -511,6 +604,52 @@ RecordVal* NFS_Interp::nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum:: return rep; } +RecordVal* NFS_Interp::nfs3_link_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) + { + RecordVal *rep = new RecordVal(BifType::Record::NFS3::link_reply_t); + + if (status == BifEnum::NFS3::NFS3ERR_OK) + { + rep->Assign(0, nfs3_post_op_attr(buf, n)); + + // wcc_data + rep->Assign(1, nfs3_pre_op_attr(buf, n)); + rep->Assign(2, nfs3_post_op_attr(buf, n)); + } + + return rep; + } + +RecordVal* NFS_Interp::nfs3_symlinkargs(const u_char*& buf, int& n) + { + RecordVal *symlinkargs = new RecordVal(BifType::Record::NFS3::symlinkargs_t); + + symlinkargs->Assign(0, nfs3_diropargs(buf, n)); + symlinkargs->Assign(1, nfs3_symlinkdata(buf, n)); + + return symlinkargs; + } + +RecordVal* NFS_Interp::nfs3_sattrargs(const u_char*& buf, int& n) + { + RecordVal *sattrargs = new RecordVal(BifType::Record::NFS3::sattrargs_t); + + sattrargs->Assign(0, nfs3_fh(buf, n)); + sattrargs->Assign(1, nfs3_sattr(buf, n)); + + return sattrargs; + } + +RecordVal* NFS_Interp::nfs3_linkargs(const u_char*& buf, int& n) + { + RecordVal *linkargs = new RecordVal(BifType::Record::NFS3::linkargs_t); + + linkargs->Assign(0, nfs3_fh(buf, n)); + linkargs->Assign(1, nfs3_diropargs(buf, n)); + + return linkargs; + } + RecordVal *NFS_Interp::nfs3_writeargs(const u_char*& buf, int& n) { uint32_t bytes; diff --git a/src/analyzer/protocol/rpc/NFS.h b/src/analyzer/protocol/rpc/NFS.h index 85fb10ab49..3a6da1f765 100644 --- a/src/analyzer/protocol/rpc/NFS.h +++ b/src/analyzer/protocol/rpc/NFS.h 
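Review bot: `nfs3_sattrargs` stops after `new_attributes`, while SETATTR3args in RFC 1813 (as I read it) ends with a `guard`, a boolean followed by an optional ctime, so those bytes are left unconsumed in the call buffer. `nfs3_link_reply` likewise reads nothing when the status is not NFS3ERR_OK, although the failure arm of the LINK result carries the same post-op attributes and wcc_data. How the caller treats leftover bytes is outside this hunk, but leaving peer-supplied data unparsed makes the length accounting depend on that behaviour. Reading and discarding the guard at the end of `nfs3_sattrargs`, and parsing the attributes in `nfs3_link_reply` regardless of status, would keep both in step with the wire format.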
@@ -34,11 +34,17 @@ protected: // are based on the type names of RFC 1813. StringVal* nfs3_fh(const u_char*& buf, int& n); RecordVal* nfs3_fattr(const u_char*& buf, int& n); + RecordVal* nfs3_sattr(const u_char*& buf, int& n); EnumVal* nfs3_ftype(const u_char*& buf, int& n); + EnumVal* nfs3_time_how(const u_char*& buf, int& n); RecordVal* nfs3_wcc_attr(const u_char*& buf, int& n); RecordVal* nfs3_diropargs(const u_char*&buf, int &n); + RecordVal* nfs3_symlinkdata(const u_char*& buf, int& n); RecordVal* nfs3_renameopargs(const u_char*&buf, int &n); StringVal* nfs3_filename(const u_char*& buf, int& n); + RecordVal* nfs3_linkargs(const u_char*& buf, int& n); + RecordVal* nfs3_symlinkargs(const u_char*& buf, int& n); + RecordVal* nfs3_sattrargs(const u_char*& buf, int& n); StringVal* nfs3_nfspath(const u_char*& buf, int& n) { return nfs3_filename(buf,n); @@ -46,10 +52,12 @@ protected: RecordVal* nfs3_post_op_attr(const u_char*&buf, int &n); // Return 0 or an fattr RecordVal* nfs3_pre_op_attr(const u_char*&buf, int &n); // Return 0 or an wcc_attr + RecordVal* nfs3_sattr_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); RecordVal* nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); RecordVal* nfs3_readargs(const u_char*& buf, int& n); RecordVal* nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status, bro_uint_t offset); RecordVal* nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); + RecordVal* nfs3_link_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); RecordVal* nfs3_writeargs(const u_char*& buf, int& n); EnumVal* nfs3_stable_how(const u_char*& buf, int& n); RecordVal* nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); diff --git a/src/analyzer/protocol/rpc/events.bif b/src/analyzer/protocol/rpc/events.bif index 881faface1..f2ad7bc3f5 100644 --- a/src/analyzer/protocol/rpc/events.bif +++ b/src/analyzer/protocol/rpc/events.bif 
@@ -49,6 +49,34 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%); ## register a port for it or add a DPD payload signature. event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%); +## Generated for NFSv3 request/reply dialogues of type *sattr*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: The arguments passed in the request. +## +## rep: The attributes returned in the reply. The values may not be +## valid if the request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## rpc_call rpc_dialogue rpc_reply file_mode +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_sattr%(c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t, rep: NFS3::sattr_reply_t%); + ## Generated for NFSv3 request/reply dialogues of type *lookup*. The event is ## generated once we have either seen both the request and its corresponding ## reply, or an unanswered request has timed out. 
@@ -124,8 +152,8 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r ## ## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call -## rpc_dialogue rpc_reply +## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## nfs_proc_symlink rpc_call rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
@@ -133,6 +161,62 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r ## register a port for it or add a DPD payload signature. event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%); +## Generated for NFSv3 request/reply dialogues of type *symlink*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: The arguments passed in the request. +## +## rep: The attributes returned in the reply. The values may not be +## valid if the request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## nfs_proc_link rpc_call rpc_dialogue rpc_reply file_mode +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_symlink%(c: connection, info: NFS3::info_t, req: NFS3::symlinkargs_t, rep: NFS3::newobj_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *link*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. 
+## +## req: The arguments passed in the request. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call +## nfs_proc_symlink rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_link%(c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, rep: NFS3::link_reply_t%); + ## Generated for NFSv3 request/reply dialogues of type *write*. The event is ## generated once we have either seen both the request and its corresponding ## reply, or an unanswered request has timed out. diff --git a/src/types.bif b/src/types.bif index 20995ef105..0befcb941e 100644 --- a/src/types.bif +++ b/src/types.bif @@ -18,7 +18,7 @@ module NFS3; enum proc_t %{ # NFSv3 procedures PROC_NULL = 0, # done PROC_GETATTR = 1, # done - PROC_SETATTR = 2, # not implemented + PROC_SETATTR = 2, # done PROC_LOOKUP = 3, # done PROC_ACCESS = 4, # not implemented PROC_READLINK = 5, # done @@ -26,12 +26,12 @@ enum proc_t %{ # NFSv3 procedures PROC_WRITE = 7, # done PROC_CREATE = 8, # partial PROC_MKDIR = 9, # partial - PROC_SYMLINK = 10, # not implemented + PROC_SYMLINK = 10, # done PROC_MKNOD = 11, # not implemented PROC_REMOVE = 12, # done PROC_RMDIR = 13, # done PROC_RENAME = 14, # done - PROC_LINK = 15, # not implemented + PROC_LINK = 15, # done PROC_READDIR = 16, # done PROC_READDIRPLUS = 17, # done PROC_FSSTAT = 18, # not implemented 
@@ -74,6 +74,12 @@ enum status_t %{ # NFSv3 return status NFS3ERR_UNKNOWN = 0xffffffff, %} +enum time_how_t %{ + DONT_CHANGE = 0, + SET_TO_SERVER_TIME = 1, + SET_TO_CLIENT_TIME = 2, +%} + enum file_type_t %{ FTYPE_REG = 1, FTYPE_DIR = 2, @@ -84,6 +90,7 @@ enum file_type_t %{ FTYPE_FIFO = 7, %} + enum stable_how_t %{ UNSTABLE = 0, DATA_SYNC = 1, @@ -100,12 +107,19 @@ enum createmode_t %{ # defined in init-bare.bro. type info_t: record; type fattr_t: record; +type sattr_t: record; +type symlinkdata_t: record; type diropargs_t: record; +type symlinkargs_t: record; +type sattrargs_t: record; +type linkargs_t: record; type renameopargs_t: record; +type sattr_reply_t: record; type lookup_reply_t: record; type readargs_t: record; type read_reply_t: record; type readlink_reply_t: record; +type link_reply_t: record; type writeargs_t: record; type wcc_attr_t: record; type write_reply_t: record; From 1981f2406ad6a8361c83fe0ed4aebdb71820590a Mon Sep 17 00:00:00 2001 From: Devin Trejo Date: Wed, 10 Jan 2018 12:16:45 -0500 Subject: [PATCH 279/631] Bug fix: nfs3_writeargs didn't properly return filehandle. --- src/analyzer/protocol/rpc/NFS.cc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index f03e47ab8b..a8395b6928 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc 
@@ -656,12 +656,12 @@ RecordVal *NFS_Interp::nfs3_writeargs(const u_char*& buf, int& n) uint64_t offset; RecordVal *writeargs = new RecordVal(BifType::Record::NFS3::writeargs_t); - offset = extract_XDR_uint64(buf, n); - bytes = extract_XDR_uint32(buf, n); - writeargs->Assign(0, nfs3_fh(buf, n)); - writeargs->Assign(1, new Val(offset, TYPE_COUNT)); - writeargs->Assign(2, new Val(bytes, TYPE_COUNT)); + offset = extract_XDR_uint64(buf, n); + writeargs->Assign(1, new Val(offset, TYPE_COUNT)); // offset + bytes = extract_XDR_uint32(buf, n); + writeargs->Assign(2, new Val(bytes, TYPE_COUNT)); // size + writeargs->Assign(3, nfs3_stable_how(buf, n)); writeargs->Assign(4, nfs3_file_data(buf, n, offset, bytes)); From f7c115a47aa92ab4956cb815b708e8f1b8fb8fda Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 10 Jan 2018 13:20:02 -0600 Subject: [PATCH 280/631] Fix a test that fails in some environments The "coverage/init-default.test" will always fail if there is a path component named "build" anywhere before the bro install directory (for example, if the tests are run from home dir of a user named "build"). Fixed this by making a regex more specific so that it matches the correct lines in loaded_scripts.log. --- testing/btest/coverage/init-default.test | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/coverage/init-default.test b/testing/btest/coverage/init-default.test index 6877159c62..d736277d49 100644 --- a/testing/btest/coverage/init-default.test +++ b/testing/btest/coverage/init-default.test 
@@ -11,7 +11,7 @@ #@TEST-EXEC: test -e $DIST/scripts/base/init-default.bro #@TEST-EXEC: ( cd $DIST/scripts/base && find . -name '*.bro' ) | sort >"all scripts found" #@TEST-EXEC: bro misc/loaded-scripts -#@TEST-EXEC: cat loaded_scripts.log | egrep -v '/build/|/loaded-scripts.bro|#' | sed 's#/./#/#g' >loaded_scripts.log.tmp +#@TEST-EXEC: cat loaded_scripts.log | egrep -v '/build/scripts/|/loaded-scripts.bro|#' | sed 's#/./#/#g' >loaded_scripts.log.tmp #@TEST-EXEC: cat loaded_scripts.log.tmp | sed 's/ //g' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix #@TEST-EXEC: cat loaded_scripts.log.tmp | sed 's/ //g' | sed "s#`cat prefix`#./#g" | sort >init-default.bro #@TEST-EXEC: diff -u "all scripts found" init-default.bro | egrep "^-[^-]" > missing_loads From 99e411f621de796b690086342435863211f71455 Mon Sep 17 00:00:00 2001 From: Devin Trejo Date: Thu, 11 Jan 2018 11:38:19 -0500 Subject: [PATCH 281/631] Add mount_proc_null, mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented, mount_reply_status. --- scripts/base/init-bare.bro | 65 +++++ src/analyzer/protocol/rpc/CMakeLists.txt | 2 +- src/analyzer/protocol/rpc/MOUNT.cc | 299 +++++++++++++++++++++++ src/analyzer/protocol/rpc/MOUNT.h | 55 +++++ src/analyzer/protocol/rpc/Plugin.cc | 2 + src/analyzer/protocol/rpc/events.bif | 117 +++++++++ src/types.bif | 37 +++ 7 files changed, 576 insertions(+), 1 deletion(-) create mode 100644 src/analyzer/protocol/rpc/MOUNT.cc create mode 100644 src/analyzer/protocol/rpc/MOUNT.h diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index f2ea2ed29a..c192f25ed9 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -2350,6 +2350,71 @@ export { }; } # end export + +module MOUNT3; +export { + + ## Record summarizing the general results and status of MOUNT3 + ## request/reply pairs. + ## + ## Note that when *rpc_stat* or *mount_stat* indicates not successful, + ## the reply record passed to the corresponding event will be empty and + ## contain uninitialized fields, so don't use it. Also note that time + # and duration values might not be fully accurate. For TCP, we record + # times when the corresponding chunk of data is delivered to the + # analyzer. Depending on the reassembler, this might be well after the + # first packet of the request was received. + # + # .. bro:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt + # mount_proc_umntall mount_proc_export mount_proc_not_implemented + type info_t: record { + ## The RPC status. + rpc_stat: rpc_status; + ## The MOUNT status. + mnt_stat: status_t; + ## The start time of the request. + req_start: time; + ## The duration of the request. + req_dur: interval; + ## The length in bytes of the request. + req_len: count; + ## The start time of the reply. + rep_start: time; + ## The duration of the reply. + rep_dur: interval; + ## The length in bytes of the reply. + rep_len: count; + ## The user id of the reply. + rpc_uid: count; + ## The group id of the reply. + rpc_gid: count; + ## The stamp of the reply. + rpc_stamp: count; + ## The machine name of the reply. + rpc_machine_name: string; + ## The auxiliary ids of the reply. + rpc_auxgids: index_vec; + }; + + ## MOUNT *mnt* arguments. + ## + ## .. bro:see:: mount_proc_mnt + type dirmntargs_t : record { + dirname: string; ##< Name of directory to mount + }; + + ## MOUNT lookup reply. If the mount failed, *dir_attr* may be set. If the + ## mount succeeded, *fh* is always set. + ## + ## .. 
bro:see:: mount_proc_mnt + type mnt_reply_t: record { + dirfh: string &optional; ##< Dir handle + auth_flavors: vector of auth_flavor_t &optional; ##< Returned authentication flavors + }; + +} # end export + + module Threading; export { diff --git a/src/analyzer/protocol/rpc/CMakeLists.txt b/src/analyzer/protocol/rpc/CMakeLists.txt index 5696a74cd6..c71c6ddd9a 100644 --- a/src/analyzer/protocol/rpc/CMakeLists.txt +++ b/src/analyzer/protocol/rpc/CMakeLists.txt @@ -4,6 +4,6 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) bro_plugin_begin(Bro RPC) -bro_plugin_cc(RPC.cc NFS.cc Portmap.cc XDR.cc Plugin.cc) +bro_plugin_cc(RPC.cc NFS.cc MOUNT.cc Portmap.cc XDR.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/rpc/MOUNT.cc b/src/analyzer/protocol/rpc/MOUNT.cc new file mode 100644 index 0000000000..4500f35788 --- /dev/null +++ b/src/analyzer/protocol/rpc/MOUNT.cc 
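Review bot: In the `MOUNT3::info_t` comment block the lines from `# and duration values` through the `# mount_proc_umntall ...` list begin with a single `#` instead of `##`. They therefore drop out of the doc comment that the preceding `##` lines start, and the `bro:see` cross-references are lost from the generated documentation; each of those lines should begin with `##`. The text also refers to *mount_stat* while the field is named `mnt_stat`, and the `mnt_reply_t` comment mentions *dir_attr*, a field that record does not declare.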
@@ -0,0 +1,299 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include +#include + +#include "bro-config.h" + +#include "NetVar.h" +#include "XDR.h" +#include "MOUNT.h" +#include "Event.h" + +#include "events.bif.h" + +using namespace analyzer::rpc; + +int MOUNT_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) + { + if ( c->Program() != 100005 ) + Weird(fmt("bad_RPC_program (%d)", c->Program())); + + uint32 proc = c->Proc(); + // The call arguments, depends on the call type obviously ... + Val *callarg = 0; + + switch ( proc ) { + case BifEnum::MOUNT3::PROC_NULL: + break; + + case BifEnum::MOUNT3::PROC_MNT: + callarg = mount3_dirmntargs(buf, n); + break; + + case BifEnum::MOUNT3::PROC_UMNT: + callarg = mount3_dirmntargs(buf, n); + break; + + case BifEnum::MOUNT3::PROC_UMNT_ALL: + callarg = mount3_dirmntargs(buf, n); + break; + + default: + callarg = 0; + if ( proc < BifEnum::MOUNT3::PROC_END_OF_PROCS ) + { + // We know the procedure but haven't implemented it. + // Otherwise DeliverRPC would complain about + // excess_RPC. + n = 0; + } + else + Weird(fmt("unknown_MOUNT_request(%u)", proc)); + + // Return 1 so that replies to unprocessed calls will still + // be processed, and the return status extracted. + return 1; + } + + if ( ! buf ) + { + // There was a parse error while trying to extract the call + // arguments. However, we don't know where exactly it + // happened and whether Vals where already allocated (e.g., a + // RecordVal was allocated but we failed to fill it). So we + // Unref() the call arguments, and we are fine. + Unref(callarg); + callarg = 0; + return 0; + } + + c->AddVal(callarg); // It's save to AddVal(0). 
+ + return 1; + } + +int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, + const u_char*& buf, int& n, double start_time, + double last_time, int reply_len) + { + EventHandlerPtr event = 0; + Val *reply = 0; + BifEnum::MOUNT3::status_t mount_status = BifEnum::MOUNT3::MNT3_OK; + bool rpc_success = ( rpc_status == BifEnum::RPC_SUCCESS ); + + // Reply always starts with the MOUNT status. + if ( rpc_success ) + { + if ( n >= 4 ) + mount_status = (BifEnum::MOUNT3::status_t)extract_XDR_uint32(buf, n); + else + mount_status = BifEnum::MOUNT3::MOUNT3ERR_UNKNOWN; + } + + if ( mount_reply_status ) + { + val_list* vl = event_common_vl(c, rpc_status, mount_status, + start_time, last_time, reply_len); + analyzer->ConnectionEvent(mount_reply_status, vl); + } + + if ( ! rpc_success ) + { + // We set the buffer to NULL, the function that extract the + // reply from the data stream will then return empty records. + // + buf = NULL; + n = 0; + } + + switch ( c->Proc() ) { + case BifEnum::MOUNT3::PROC_NULL: + event = mount_proc_null; + break; + + case BifEnum::MOUNT3::PROC_MNT: + reply = mount3_mnt_reply(buf, n, mount_status); + event = mount_proc_mnt; + break; + + case BifEnum::MOUNT3::PROC_UMNT: + reply = 0; + n = 0; + mount_status = BifEnum::MOUNT3::MNT3_OK; + event = mount_proc_umnt; + break; + + case BifEnum::MOUNT3::PROC_UMNT_ALL: + reply = 0; + n = 0; + mount_status = BifEnum::MOUNT3::MNT3_OK; + event = mount_proc_umnt; + break; + + default: + if ( c->Proc() < BifEnum::MOUNT3::PROC_END_OF_PROCS ) + { + // We know the procedure but haven't implemented it. + // Otherwise DeliverRPC would complain about + // excess_RPC. + n = 0; + reply = new EnumVal(c->Proc(), BifType::Enum::MOUNT3::proc_t); + event = mount_proc_not_implemented; + } + else + return 0; + } + + if ( rpc_success && ! buf ) + { + // There was a parse error. We have to unref the reply. (see + // also comments in RPC_BuildCall. 
+ Unref(reply); + reply = 0; + return 0; + } + + // Note: if reply == 0, it won't be added to the val_list for the + // event. While we can check for that on the policy layer it's kinda + // ugly, because it's contrary to the event prototype. But having + // this optional argument to the event is really helpful. Otherwise I + // have to let reply point to a RecordVal where all fields are + // optional and all are set to 0 ... + if ( event ) + { + val_list* vl = event_common_vl(c, rpc_status, mount_status, + start_time, last_time, reply_len); + + Val *request = c->TakeRequestVal(); + + if ( request ) + vl->append(request); + + if ( reply ) + vl->append(reply); + + analyzer->ConnectionEvent(event, vl); + } + else + Unref(reply); + return 1; + } + +val_list* MOUNT_Interp::event_common_vl(RPC_CallInfo *c, + BifEnum::rpc_status rpc_status, + BifEnum::MOUNT3::status_t mount_status, + double rep_start_time, + double rep_last_time, int reply_len) + { + // Returns a new val_list that already has a conn_val, and mount3_info. + // These are the first parameters for each mount_* event ... 
+ val_list *vl = new val_list; + vl->append(analyzer->BuildConnVal()); + VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType()); + for (size_t i = 0; i < c->AuxGIDs().size(); ++i) + { + auxgids->Assign(i, new Val(c->AuxGIDs()[i], TYPE_COUNT)); + } + + RecordVal *info = new RecordVal(BifType::Record::MOUNT3::info_t); + info->Assign(0, new EnumVal(rpc_status, BifType::Enum::rpc_status)); + info->Assign(1, new EnumVal(mount_status, BifType::Enum::MOUNT3::status_t)); + info->Assign(2, new Val(c->StartTime(), TYPE_TIME)); + info->Assign(3, new Val(c->LastTime()-c->StartTime(), TYPE_INTERVAL)); + info->Assign(4, new Val(c->RPCLen(), TYPE_COUNT)); + info->Assign(5, new Val(rep_start_time, TYPE_TIME)); + info->Assign(6, new Val(rep_last_time-rep_start_time, TYPE_INTERVAL)); + info->Assign(7, new Val(reply_len, TYPE_COUNT)); + info->Assign(8, new Val(c->Uid(), TYPE_COUNT)); + info->Assign(9, new Val(c->Gid(), TYPE_COUNT)); + info->Assign(10, new Val(c->Stamp(), TYPE_COUNT)); + info->Assign(11, new StringVal(c->MachineName())); + info->Assign(12, auxgids); + + vl->append(info); + return vl; + } + +EnumVal* MOUNT_Interp::mount3_auth_flavor(const u_char*& buf, int& n) + { + BifEnum::MOUNT3::auth_flavor_t t = (BifEnum::MOUNT3::auth_flavor_t)extract_XDR_uint32(buf, n); + return new EnumVal(t, BifType::Enum::MOUNT3::auth_flavor_t); + } + +StringVal* MOUNT_Interp::mount3_fh(const u_char*& buf, int& n) + { + int fh_n; + const u_char* fh = extract_XDR_opaque(buf, n, fh_n, 64); + + if ( ! fh ) + return 0; + + return new StringVal(new BroString(fh, fh_n, 0)); + } + +StringVal* MOUNT_Interp::mount3_filename(const u_char*& buf, int& n) + { + int name_len; + const u_char* name = extract_XDR_opaque(buf, n, name_len); + + if ( ! 
name ) + return 0; + + return new StringVal(new BroString(name, name_len, 0)); + } + +RecordVal* MOUNT_Interp::mount3_dirmntargs(const u_char*& buf, int& n) + { + RecordVal *dirmntargs = new RecordVal(BifType::Record::MOUNT3::dirmntargs_t); + + dirmntargs->Assign(0, mount3_filename(buf, n)); + + return dirmntargs; + } + +RecordVal* MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n, + BifEnum::MOUNT3::status_t status) + { + RecordVal *rep = new RecordVal(BifType::Record::MOUNT3::mnt_reply_t); + + if ( status == BifEnum::MOUNT3::MNT3_OK ) + { + rep->Assign(0, mount3_fh(buf,n)); + + int auth_flavors_count = extract_XDR_uint32(buf, n); + VectorType *enum_vector = new VectorType(base_type(TYPE_ENUM)); + VectorVal *auth_flavors = new VectorVal(enum_vector); + Unref(enum_vector); + for (int i = 0; i < auth_flavors_count; i++) + { + auth_flavors->Assign(auth_flavors->Size(), mount3_auth_flavor(buf, n)); // authentication + } + rep->Assign(1, auth_flavors); + } + else + { + rep->Assign(0, 0); + rep->Assign(1, 0); + } + return rep; + } + +MOUNT_Analyzer::MOUNT_Analyzer(Connection* conn) + : RPC_Analyzer("MOUNT", conn, new MOUNT_Interp(this)) + { + orig_rpc = resp_rpc = 0; + } + +void MOUNT_Analyzer::Init() + { + RPC_Analyzer::Init(); + + if ( Conn()->ConnTransport() == TRANSPORT_TCP ) + { + orig_rpc = new Contents_RPC(Conn(), true, interp); + resp_rpc = new Contents_RPC(Conn(), false, interp); + AddSupportAnalyzer(orig_rpc); + AddSupportAnalyzer(resp_rpc); + } + } diff --git a/src/analyzer/protocol/rpc/MOUNT.h b/src/analyzer/protocol/rpc/MOUNT.h new file mode 100644 index 0000000000..ed0c8fc9fc --- /dev/null +++ b/src/analyzer/protocol/rpc/MOUNT.h 
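Review bot: `mount3_mnt_reply` loops over `auth_flavors_count`, a 32-bit value taken straight from the reply, without comparing it to the bytes left in `n` and without stopping once `buf` has been cleared, so one malformed or truncated MNT reply can make the analyzer allocate an `EnumVal` for every entry the peer claims. The count is also stored in an `int`, so values above INT_MAX turn negative and the loop is skipped without any error being signalled. The count should be rejected when it exceeds `n / 4` (each flavor is one 4-byte XDR word), with the failure reported by clearing `buf`, which `RPC_BuildReply` already treats as a parse error and answers by unreferencing the reply. How `extract_XDR_uint32` behaves on a short buffer is defined in XDR.cc, outside this patch, so the exact behaviour on truncated input is an assumption.

```cpp
		rep->Assign(0, mount3_fh(buf,n));

		uint32 auth_flavors_count = extract_XDR_uint32(buf, n);

		// Every flavor is one 4-byte XDR word, so a count larger than the
		// remaining payload cannot be genuine; treat it as a parse error.
		if ( ! buf || n < 0 || auth_flavors_count > uint32(n) / 4 )
			{
			buf = 0;
			n = 0;
			return rep;
			}

		// … unchanged: enum_vector / auth_flavors allocation …
		for ( uint32 i = 0; i < auth_flavors_count && buf; ++i )
			auth_flavors->Assign(auth_flavors->Size(), mount3_auth_flavor(buf, n));
		// … unchanged: rep->Assign(1, auth_flavors) and the non-OK branch …
```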
@@ -0,0 +1,55 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#ifndef ANALYZER_PROTOCOL_RPC_MOUNT_H +#define ANALYZER_PROTOCOL_RPC_MOUNT_H + +#include "RPC.h" +#include "XDR.h" +#include "Event.h" + +namespace analyzer { namespace rpc { + +class MOUNT_Interp : public RPC_Interpreter { +public: + MOUNT_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } + +protected: + int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n); + int RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, + const u_char*& buf, int& n, double start_time, + double last_time, int reply_len); + + // Returns a new val_list that already has a conn_val, rpc_status and + // mount_status. These are the first parameters for each mount_* event + // ... + val_list* event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, + BifEnum::MOUNT3::status_t mount_status, + double rep_start_time, double rep_last_time, + int reply_len); + + // These methods parse the appropriate MOUNTv3 "type" out of buf. If + // there are any errors (i.e., buffer to short, etc), buf will be set + // to 0. However, the methods might still return an allocated Val * ! + // So, you might want to Unref() the Val if buf is 0. Method names + // are based on the type names of RFC 1813. + EnumVal* mount3_auth_flavor(const u_char*& buf, int& n); + StringVal* mount3_fh(const u_char*& buf, int& n); + RecordVal* mount3_dirmntargs(const u_char*&buf, int &n); + StringVal* mount3_filename(const u_char*& buf, int& n); + + RecordVal* mount3_mnt_reply(const u_char*& buf, int& n, BifEnum::MOUNT3::status_t status); +}; + +class MOUNT_Analyzer : public RPC_Analyzer { +public: + MOUNT_Analyzer(Connection* conn); + virtual void Init(); + + static analyzer::Analyzer* Instantiate(Connection* conn) + { return new MOUNT_Analyzer(conn); } +}; + + +} } // namespace analyzer::* + +#endif 
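Review bot: The comment above `event_common_vl` says the list holds a conn_val, rpc_status and mount_status, but the implementation in MOUNT.cc appends the conn_val and a single `MOUNT3::info_t` record; it should read `// Returns a new val_list holding the conn_val and a MOUNT3::info_t record, the leading arguments of every mount_* event.` The comment on the parsing methods should also state that the lengths and counts read from `buf` come from the peer and are untrusted, and "buffer to short" should be "buffer too short". `MOUNT_Interp`'s one-argument constructor could be declared `explicit`.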
diff --git a/src/analyzer/protocol/rpc/Plugin.cc b/src/analyzer/protocol/rpc/Plugin.cc index 15337f2d6e..abc2f679f2 100644 --- a/src/analyzer/protocol/rpc/Plugin.cc +++ b/src/analyzer/protocol/rpc/Plugin.cc @@ -5,6 +5,7 @@ #include "RPC.h" #include "NFS.h" +#include "MOUNT.h" #include "Portmap.h" namespace plugin { @@ -15,6 +16,7 @@ public: plugin::Configuration Configure() { AddComponent(new ::analyzer::Component("NFS", ::analyzer::rpc::NFS_Analyzer::Instantiate)); + AddComponent(new ::analyzer::Component("MOUNT", ::analyzer::rpc::MOUNT_Analyzer::Instantiate)); AddComponent(new ::analyzer::Component("Portmapper", ::analyzer::rpc::Portmapper_Analyzer::Instantiate)); AddComponent(new ::analyzer::Component("Contents_RPC", 0)); AddComponent(new ::analyzer::Component("Contents_NFS", 0)); diff --git a/src/analyzer/protocol/rpc/events.bif b/src/analyzer/protocol/rpc/events.bif index 881faface1..d637537700 100644 --- a/src/analyzer/protocol/rpc/events.bif +++ b/src/analyzer/protocol/rpc/events.bif 
@@ -765,3 +765,120 @@ event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, ## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%); + +## Generated for MOUNT3 request/reply dialogues of type *null*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## MOUNT is a service running on top of RPC. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## .. bro:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt +## mount_proc_umntall mount_proc_export mount_proc_not_implemented +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event mount_proc_null%(c: connection, info: MOUNT3::info_t%); + +## Generated for MOUNT3 request/reply dialogues of type *mnt*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## MOUNT is a service running on top of RPC. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: The arguments passed in the request. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt +## mount_proc_umntall mount_proc_export mount_proc_not_implemented +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. 
To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event mount_proc_mnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t, rep: MOUNT3::mnt_reply_t%); + +## Generated for MOUNT3 request/reply dialogues of type *umnt*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## MOUNT is a service running on top of RPC. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: The arguments passed in the request. +## +## +## .. bro:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt +## mount_proc_umntall mount_proc_export mount_proc_not_implemented +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event mount_proc_umnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t%); + +## Generated for MOUNT3 request/reply dialogues of type *umn_allt*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## MOUNT is a service running on top of RPC. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: The arguments passed in the request. +## +## +## .. bro:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt +## mount_proc_umntall mount_proc_export mount_proc_not_implemented +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. 
To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event mount_proc_umnt_all%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t%); + +## Generated for MOUNT3 request/reply dialogues of a type that Bro's MOUNTv3 +## analyzer does not implement. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## proc: The procedure called that Bro does not implement. +## +## .. bro:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt +## mount_proc_umntall mount_proc_export mount_proc_not_implemented +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event mount_proc_not_implemented%(c: connection, info: MOUNT3::info_t, proc: MOUNT3::proc_t%); + +## Generated for each MOUNT3 reply message received, reporting just the +## status included. +## +## n: The connection. +## +## info: Reports the status included in the reply. +## +## .. bro:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt +## mount_proc_umntall mount_proc_export mount_proc_not_implemented +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event mount_reply_status%(n: connection, info: MOUNT3::info_t%); diff --git a/src/types.bif b/src/types.bif index 20995ef105..ad7d1068f4 100644 --- a/src/types.bif +++ b/src/types.bif 
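Review bot: `mount_proc_umnt_all` is declared here, but `RPC_BuildReply` in MOUNT.cc sets `event = mount_proc_umnt` in its `PROC_UMNT_ALL` case, so as written this event is never raised and UMNTALL dialogues are reported as *umnt*; that case should read `event = mount_proc_umnt_all;`. The doc text needs two fixes as well: `*umn_allt*` should be `*umnt_all*`, and `mount_reply_status` names its connection parameter `n` where every other event uses `c`. The `bro:see` lists reference `mount_proc_umntall`, `mount_proc_dump` and `mount_proc_export`, none of which this hunk declares, so those cross-references probably will not resolve.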
@@ -13,6 +13,43 @@ enum rpc_status %{ RPC_UNKNOWN_ERROR, %} +module MOUNT3; + +enum proc_t %{ # MOUNT3 procedures + PROC_NULL = 0, # done + PROC_MNT = 1, # done + PROC_DUMP = 2, # not implemented + PROC_UMNT = 3, # done + PROC_UMNT_ALL = 4, # done + PROC_EXPORT = 5, # not implemented + PROC_END_OF_PROCS = 6, # not implemented +%} + +enum status_t %{ # MOUNT3 return status + MNT3_OK = 0, + MNT3ERR_PERM = 1, + MNT3ERR_NOENT = 2, + MNT3ERR_IO = 5, + MNT3ERR_ACCES = 13, + MNT3ERR_NOTDIR = 20, + MNT3ERR_INVAL = 22, + MNT3ERR_NAMETOOLONG = 63, + MNT3ERR_NOTSUPP = 10004, + MNT3ERR_SERVERFAULT = 10006, + MOUNT3ERR_UNKNOWN = 0xffffffff, +%} + +enum auth_flavor_t %{ # MOUNT3 auth flavors + AUTH_NULL = 0, + AUTH_UNIX = 1, + AUTH_SHORT = 2, + AUTH_DES = 3, +%} + +type info_t: record; +type mnt_reply_t: record; +type dirmntargs_t: record; + module NFS3; enum proc_t %{ # NFSv3 procedures From f041c97cdcf23449039fbe6c402ca4a062b2f2eb Mon Sep 17 00:00:00 2001 From: Julien Wallior Date: Thu, 11 Jan 2018 14:23:10 -0500 Subject: [PATCH 282/631] Change smb2_create_request event arguments to single request struct. Added disposition and create_option fields. --- scripts/base/init-bare.bro | 14 ++++++++++++++ scripts/policy/protocols/smb/smb2-main.bro | 8 ++++---- src/analyzer/protocol/smb/smb2-com-create.pac | 6 +++++- src/analyzer/protocol/smb/smb2_com_create.bif | 8 ++++++-- 4 files changed, 29 insertions(+), 7 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index f2ea2ed29a..4cd061e737 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
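Review bot: `auth_flavor_t` stops at `AUTH_DES = 3`, while `mount3_auth_flavor` in MOUNT.cc casts whatever 32-bit flavor the server sends into this enum, so a server offering RPCSEC_GSS (flavor 6 in RFC 2203) produces a value with no name here; adding `RPCSEC_GSS = 6,` would let scripts tell exports that offer Kerberos from those that accept only AUTH_UNIX. How `EnumVal` renders an unlisted value is not visible in this patch. Two smaller points: `MOUNT3ERR_UNKNOWN` breaks the `MNT3ERR_` prefix used by every other status, and `PROC_END_OF_PROCS` is a sentinel that MOUNT.cc compares against, so its comment would be clearer as `# sentinel, not a procedure`.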
@@ -3054,6 +3054,20 @@ export { ## The type of share being accessed. Physical disk, named pipe, or printer. share_type: count; }; + + ## The request sent by the client to request either creation of or access to a file. + ## + ## For more information, see MS-SMB2:2.2.13 + ## + ## .. bro:see:: smb2_create_request + type SMB2::CreateRequest: record { + ## Name of the file + filename : string; + ## Defines the action the server MUST take if the file that is specified already exists. + disposition : count; + ## Specifies the options to be applied when creating or opening the file. + create_options : count; + }; } module GLOBAL; diff --git a/scripts/policy/protocols/smb/smb2-main.bro b/scripts/policy/protocols/smb/smb2-main.bro index 1dc3a10654..55b6da5534 100644 --- a/scripts/policy/protocols/smb/smb2-main.bro +++ b/scripts/policy/protocols/smb/smb2-main.bro @@ -129,12 +129,12 @@ event smb2_tree_disconnect_request(c: connection, hdr: SMB2::Header) &priority=5 } } -event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &priority=5 +event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest) &priority=5 { - if ( name == "") - name = ""; + if ( request$filename == "") + request$filename = ""; - c$smb_state$current_file$name = name; + c$smb_state$current_file$name = request$filename; switch ( c$smb_state$current_tree$share_type ) { diff --git a/src/analyzer/protocol/smb/smb2-com-create.pac b/src/analyzer/protocol/smb/smb2-com-create.pac index 4d7c70bbe7..afa6dbcfec 100644 --- a/src/analyzer/protocol/smb/smb2-com-create.pac +++ b/src/analyzer/protocol/smb/smb2-com-create.pac 
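Review bot: The priority-5 `smb2_create_request` handler in smb2-main.bro now assigns to `request$filename`; if records reach event handlers by reference, as record values generally do in Bro scripts, every lower-priority handler of this event will see the substituted name instead of the value parsed from the packet, which the old `name: string` parameter did not allow. Copying first keeps the wire value intact: `local name = request$filename;`, then test and assign `name` as before. The replacement literal shows as empty on this page, so what is substituted cannot be checked here. The handler body continues outside the hunk.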
@@ -13,10 +13,14 @@ refine connection SMB_Conn += { if ( smb2_create_request ) { + RecordVal* requestinfo = new RecordVal(BifType::Record::SMB2::CreateRequest); + requestinfo->Assign(0, filename); + requestinfo->Assign(1, new Val(${val.disposition}, TYPE_COUNT)); + requestinfo->Assign(2, new Val(${val.create_options}, TYPE_COUNT)); BifEvent::generate_smb2_create_request(bro_analyzer(), bro_analyzer()->Conn(), BuildSMB2HeaderVal(h), - filename); + requestinfo); } else { diff --git a/src/analyzer/protocol/smb/smb2_com_create.bif b/src/analyzer/protocol/smb/smb2_com_create.bif index dea5b118ca..ef7d8d93ff 100644 --- a/src/analyzer/protocol/smb/smb2_com_create.bif +++ b/src/analyzer/protocol/smb/smb2_com_create.bif @@ -8,10 +8,10 @@ ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## -## file_name: The name of the file being requested. +## request: A record with more information related to the request. ## ## .. bro:see:: smb2_message smb2_create_response -event smb2_create_request%(c: connection, hdr: SMB2::Header, file_name: string%); +event smb2_create_request%(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` ## version 2 responses of type *create*. This is sent by the server to notify the client of @@ -33,3 +33,7 @@ event smb2_create_request%(c: connection, hdr: SMB2::Header, file_name: string%) ## ## .. bro:see:: smb2_message smb2_create_request event smb2_create_response%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs%); + +#### Types + +type SMB2::CreateRequest: record; From a76e50d2e15c6588773bb8e9e1120de32260af97 Mon Sep 17 00:00:00 2001 
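Review bot: The `Assign(0, …)` to `Assign(2, …)` calls tie this code to the field order of `SMB2::CreateRequest` in init-bare.bro, and nothing in either file says so; a reordered or inserted field would put a count where a string is expected. A comment above the block, `// Field order must match SMB2::CreateRequest in init-bare.bro.`, would make the coupling visible, and the `SMB2::CreateResponse` block added by the following patch has the same shape. `disposition` and `create_options` are copied from the client's request as parsed, so the record documentation should describe them as raw wire values. The function starts and ends outside the hunk.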
From: Julien Wallior Date: Thu, 11 Jan 2018 14:47:14 -0500 Subject: [PATCH 283/631] Change smb2_create_response event arguments to single response struct. Added disposition and create_action fields. --- scripts/base/init-bare.bro | 19 +++++++++++++++++++ scripts/policy/protocols/smb/smb2-main.bro | 18 +++++++++--------- src/analyzer/protocol/smb/smb2-com-create.pac | 17 ++++++++++------- src/analyzer/protocol/smb/smb2_com_create.bif | 11 +++-------- 4 files changed, 41 insertions(+), 24 deletions(-) diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 4cd061e737..78b91b53f2 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -3068,6 +3068,25 @@ export { ## Specifies the options to be applied when creating or opening the file. create_options : count; }; + + ## The response to an SMB2 *create_request* request, which is sent by the client to request + ## either creation of or access to a file. + ## + ## For more information, see MS-SMB2:2.2.14 + ## + ## .. bro:see:: smb2_create_response + type SMB2::CreateResponse: record { + ## The SMB2 GUID for the file. + file_id : SMB2::GUID; + ## Size of the file. + size : count; + ## Timestamps associated with the file in question. + times : SMB::MACTimes; + ## File attributes. + attrs : SMB2::FileAttrs; + ## The action taken in establishing the open. + create_action : count; + }; } module GLOBAL; diff --git a/scripts/policy/protocols/smb/smb2-main.bro b/scripts/policy/protocols/smb/smb2-main.bro index 55b6da5534..750a7ff1bc 100644 --- a/scripts/policy/protocols/smb/smb2-main.bro +++ b/scripts/policy/protocols/smb/smb2-main.bro 
@@ -153,28 +153,28 @@ event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::Creat } } -event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=5 +event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse) &priority=5 { - SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile); + SMB::set_current_file(c$smb_state, response$file_id$persistent+response$file_id$volatile); - c$smb_state$current_file$fid = file_id$persistent+file_id$volatile; - c$smb_state$current_file$size = file_size; + c$smb_state$current_file$fid = response$file_id$persistent+response$file_id$volatile; + c$smb_state$current_file$size = response$size; if ( c$smb_state$current_tree?$path ) c$smb_state$current_file$path = c$smb_state$current_tree$path; # I'm seeing negative data from IPC tree transfers - if ( time_to_double(times$modified) > 0.0 ) - c$smb_state$current_file$times = times; + if ( time_to_double(response$times$modified) > 0.0 ) + c$smb_state$current_file$times = response$times; # We can identify the file by its file id now so let's stick it # in the file map. - c$smb_state$fid_map[file_id$persistent+file_id$volatile] = c$smb_state$current_file; + c$smb_state$fid_map[response$file_id$persistent+response$file_id$volatile] = c$smb_state$current_file; - c$smb_state$current_file = c$smb_state$fid_map[file_id$persistent+file_id$volatile]; + c$smb_state$current_file = c$smb_state$fid_map[response$file_id$persistent+response$file_id$volatile]; } -event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=-5 +event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse) &priority=-5 { SMB::write_file_log(c$smb_state); } 
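Review bot: `response$file_id$persistent+response$file_id$volatile` is now spelled out five times in the priority-5 `smb2_create_response` handler, which makes the long lines hard to compare and invites a mismatch between the key passed to `SMB::set_current_file` and the one used for `fid_map`. Compute it once at the top of the handler, `local fid = response$file_id$persistent + response$file_id$volatile;`, and use `fid` in those five places.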
diff --git a/src/analyzer/protocol/smb/smb2-com-create.pac b/src/analyzer/protocol/smb/smb2-com-create.pac index afa6dbcfec..1cc97fb0bd 100644 --- a/src/analyzer/protocol/smb/smb2-com-create.pac +++ b/src/analyzer/protocol/smb/smb2-com-create.pac @@ -34,16 +34,19 @@ refine connection SMB_Conn += { %{ if ( smb2_create_response ) { + RecordVal* responseinfo = new RecordVal(BifType::Record::SMB2::CreateResponse); + responseinfo->Assign(0, BuildSMB2GUID(${val.file_id})); + responseinfo->Assign(1, new Val(${val.eof}, TYPE_COUNT)); + responseinfo->Assign(2, SMB_BuildMACTimes(${val.last_write_time}, + ${val.last_access_time}, + ${val.creation_time}, + ${val.change_time})); + responseinfo->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs})); + responseinfo->Assign(4, new Val(${val.create_action}, TYPE_COUNT)); BifEvent::generate_smb2_create_response(bro_analyzer(), bro_analyzer()->Conn(), BuildSMB2HeaderVal(h), - BuildSMB2GUID(${val.file_id}), - ${val.eof}, - SMB_BuildMACTimes(${val.last_write_time}, - ${val.last_access_time}, - ${val.creation_time}, - ${val.change_time}), - smb2_file_attrs_to_bro(${val.file_attrs})); + responseinfo); } return true; diff --git a/src/analyzer/protocol/smb/smb2_com_create.bif b/src/analyzer/protocol/smb/smb2_com_create.bif index ef7d8d93ff..9a77878e9f 100644 --- a/src/analyzer/protocol/smb/smb2_com_create.bif +++ b/src/analyzer/protocol/smb/smb2_com_create.bif 
@@ -23,17 +23,12 @@ event smb2_create_request%(c: connection, hdr: SMB2::Header, request: SMB2::Crea ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## -## file_id: The SMB2 GUID for the file. -## -## size: Size of the file. -## -## times: Timestamps associated with the file in question. -## -## attrs: File attributes. +## response: A record with more information related to the response. ## ## .. bro:see:: smb2_message smb2_create_request -event smb2_create_response%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs%); +event smb2_create_response%(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse%); #### Types type SMB2::CreateRequest: record; +type SMB2::CreateResponse: record; From f165ff943efa83fdb5eed46a65a6e2bd21470e72 Mon Sep 17 00:00:00 2001 From: Julien Wallior Date: Thu, 11 Jan 2018 15:18:56 -0500 Subject: [PATCH 284/631] Expand smb2 unit test. --- .../scripts.base.protocols.smb.smb2/.stdout | 238 ++++++++++++++++++ .../scripts/base/protocols/smb/smb2.test | 11 + 2 files changed, 249 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout new file mode 100644 index 0000000000..015b55c71d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout 
@@ -0,0 +1,238 @@ +smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1225, state=4, num_pkts=6, num_bytes_ip=1257, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=760, state=4, num_pkts=5, num_bytes_ip=972, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.006812, service={ +SMB, +GSSAPI, +NTLM +}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, 
id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ +[4] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=] +}, fid_map={ + +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ + +}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=4, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=, disposition=1, create_options=32] +smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1225, state=4, num_pkts=7, num_bytes_ip=1517, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1004, state=4, num_pkts=5, num_bytes_ip=972, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.006958, service={ +SMB, +GSSAPI, +NTLM +}, history=ShADd, 
uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=145.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, 
service=, native_file_system=, share_type=DISK], pending_cmds={ + +}, fid_map={ +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ + +}]], [credit_charge=0, status=0, command=5, credits=1, flags=1, message_id=4, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=69, volatile=18446744069414584321], size=8192, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1469, state=4, num_pkts=8, num_bytes_ip=1665, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1088, state=4, num_pkts=7, num_bytes_ip=1380, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.007847, service={ +SMB, +GSSAPI, +NTLM +}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, 
extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=, name=srvsvc, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=, name=srvsvc, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], pending_cmds={ +[6] = [ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, 
id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=, name=srvsvc, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], smb1_offered_dialects=, smb2_offered_dialects=] +}, fid_map={ +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] +}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=6, process_id=65279, tree_id=5, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=srvsvc, disposition=1, create_options=4194368] +smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1469, state=4, 
num_pkts=9, num_bytes_ip=1841, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1244, state=4, num_pkts=7, num_bytes_ip=1380, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.008011, service={ +SMB, +GSSAPI, +NTLM +}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=164.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=\\10.0.0.12\IPC$, name=srvsvc, size=0, prev_name=, times=, fid=18446744069414584398, uuid=], referenced_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=\\10.0.0.12\IPC$, name=srvsvc, size=0, prev_name=, times=, fid=18446744069414584398, uuid=], current_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, 
resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], pending_cmds={ + +}, fid_map={ +[18446744069414584398] = [ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=\\10.0.0.12\IPC$, name=srvsvc, size=0, prev_name=, times=, fid=18446744069414584398, uuid=], +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] +}]], [credit_charge=0, status=0, command=5, credits=1, flags=1, message_id=6, process_id=65279, tree_id=5, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=73, volatile=18446744069414584325], size=0, times=[modified=-1.164447e+10, accessed=-1.164447e+10, created=-1.164447e+10, changed=-1.164447e+10], attrs=[read_only=F, hidden=F, system=F, 
directory=F, archive=F, normal=T, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=2342, state=4, num_pkts=13, num_bytes_ip=2654, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1924, state=4, num_pkts=12, num_bytes_ip=2416, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.010734, service={ +SMB, +GSSAPI, +NTLM, +DCE_RPC +}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ +[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] +}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, 
size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ +[11] = [ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=] +}, fid_map={ +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], 
path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] +}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=11, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=, disposition=2, create_options=2097185] +smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=2947, state=4, num_pkts=16, num_bytes_ip=3323, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=2297, state=4, num_pkts=15, num_bytes_ip=2909, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.061545, service={ +SMB, +GSSAPI, +NTLM, +DCE_RPC +}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ +[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] +}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ +[15] = [ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=] +}, fid_map={ +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] +}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=15, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=WP_SMBPlugin.pdf, disposition=2, create_options=68] +smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=2947, state=4, num_pkts=17, num_bytes_ip=3639, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=2573, state=4, num_pkts=15, num_bytes_ip=2909, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, 
duration=0.062223, service={ +SMB, +GSSAPI, +NTLM, +DCE_RPC +}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ +[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] +}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=677.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], fid=18446744069414584406, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.432192, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], fid=18446744069414584406, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ + +}, fid_map={ +[18446744069414584406] = [ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], fid=18446744069414584406, uuid=], +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ 
+SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] +}]], [credit_charge=0, status=0, command=5, credits=1, flags=1, message_id=15, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2] +smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515338, state=4, num_pkts=1064, num_bytes_ip=1557690, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=4957, state=4, num_pkts=101, num_bytes_ip=9009, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.229267, service={ +SMB, +GSSAPI, +NTLM, +DCE_RPC +}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ +[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] +}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, 
hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ +[44] = [ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], 
smb1_offered_dialects=, smb2_offered_dialects=] +}, fid_map={ +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], +SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036] +}]], [credit_charge=0, status=0, command=5, credits=104, flags=0, message_id=44, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=, disposition=1, create_options=32] +smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515338, state=4, num_pkts=1065, num_bytes_ip=1557950, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=5201, state=4, num_pkts=101, num_bytes_ip=9009, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, 
duration=0.229443, service={ +SMB, +GSSAPI, +NTLM, +DCE_RPC +}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ +[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] +}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=175.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584414, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.599914, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584414, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ + +}, fid_map={ +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=], +[18446744069414584414] = [ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584414, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ 
+SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], +SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036] +}]], [credit_charge=0, status=0, command=5, credits=9, flags=1, message_id=44, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515782, state=4, num_pkts=1067, num_bytes_ip=1558254, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=5541, state=4, num_pkts=104, num_bytes_ip=9713, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.233359, service={ +SMB, +GSSAPI, +NTLM, +DCE_RPC +}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ +[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] +}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, 
modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ +[47] = [ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=] +}, fid_map={ +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], +SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036] +}]], [credit_charge=0, status=0, command=5, credits=80, flags=0, message_id=47, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=, disposition=1, create_options=32] +smb2_create_response, 
[id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515782, state=4, num_pkts=1068, num_bytes_ip=1558514, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=5785, state=4, num_pkts=104, num_bytes_ip=9713, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.233475, service={ +SMB, +GSSAPI, +NTLM, +DCE_RPC +}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ +[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] +}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=115.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584422, uuid=], 
referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584422, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ + +}, fid_map={ +[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=], +[18446744069414584422] = [ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584422, uuid=] +}, tid_map={ +[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], +[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, 
share_type=DISK], +[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] +}, uid_map={ + +}, pipe_map={ + +}, recent_files={ +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], +SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], +SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036] +}]], [credit_charge=0, status=0, command=5, credits=9, flags=1, message_id=47, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=85, volatile=18446744069414584337], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] diff --git a/testing/btest/scripts/base/protocols/smb/smb2.test b/testing/btest/scripts/base/protocols/smb/smb2.test index 1a1dc980ca..3b8c45de47 100644 --- a/testing/btest/scripts/base/protocols/smb/smb2.test +++ b/testing/btest/scripts/base/protocols/smb/smb2.test 
@@ -4,6 +4,17 @@ # @TEST-EXEC: btest-diff files.log # @TEST-EXEC: test ! -f dpd.log # @TEST-EXEC: test ! -f weird.log +# @TEST-EXEC: btest-diff .stdout @load policy/protocols/smb +event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest ) + { + print "smb2_create_request", c, hdr, request; + } + +event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse ) + { + print "smb2_create_response", c, hdr, response; + } + From f6cf4a41ff66aec11abfa5f8ecbc54910d803dbd Mon Sep 17 00:00:00 2001 From: Devin Trejo Date: Thu, 11 Jan 2018 17:00:15 -0500 Subject: [PATCH 285/631] Add unit tests for new MOUNT events -- mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented. --- .../.stdout | 2 ++ testing/btest/Traces/mount/mount_base.pcap | Bin 0 -> 18266 bytes .../scripts/base/protocols/mount/basic.test | 31 ++++++++++++++++++ 3 files changed, 33 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.mount.basic/.stdout create mode 100644 testing/btest/Traces/mount/mount_base.pcap create mode 100644 testing/btest/scripts/base/protocols/mount/basic.test diff --git a/testing/btest/Baseline/scripts.base.protocols.mount.basic/.stdout b/testing/btest/Baseline/scripts.base.protocols.mount.basic/.stdout new file mode 100644 index 0000000000..b3e377595b --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.mount.basic/.stdout 
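Review bot: Both handlers added to smb2.test print the whole connection record `c`, so the `.stdout` baseline captures every optional field on `connection` (the baseline above shows `dhcp=`, `dnp3=`, the NTLM state and the full `smb_state` maps). The baseline will therefore churn whenever any loaded script adds a field, even though the test is about the SMB2 create arguments. Printing only the flow identifier keeps it tied to the parser output: `print "smb2_create_request", c$id, hdr, request;` and `print "smb2_create_response", c$id, hdr, response;`. A one-line comment above the handlers naming the `SMB2::CreateRequest` / `SMB2::CreateResponse` fields the baseline is meant to pin would help whoever next regenerates it.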
@@ -0,0 +1,2 @@ +mount_proc_mnt: [id=[orig_h=10.111.131.18, orig_p=765/udp, resp_h=10.111.131.132, resp_p=20048/udp], orig=[size=144, state=1, num_pkts=2, num_bytes_ip=200, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=84, state=1, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.621984, duration=0.000553, service={\x0a\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, mnt_stat=MOUNT3::MNT3_OK, req_start=1514568131.62212, req_dur=0.0, req_len=96, rep_start=1514568131.622537, rep_dur=0.0, rep_len=52, rpc_uid=0, rpc_gid=0, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 5, 10, 24]]\x0a\x09[dirname=/pddevbal801]\x0a\x09[dirfh=\x01\x00\x06\x00\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2, auth_flavors=[MOUNT3::AUTH_UNIX]]\x0a +mount_proc_umnt: [id=[orig_h=10.111.131.18, orig_p=1016/udp, resp_h=10.111.131.132, resp_p=20048/udp], orig=[size=92, state=1, num_pkts=1, num_bytes_ip=120, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=24, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.665918, duration=0.000266, service={\x0a\x0a}, history=Dd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, mnt_stat=MOUNT3::MNT3_OK, req_start=1514568131.665918, req_dur=0.0, req_len=84, rep_start=1514568131.666184, rep_dur=0.0, rep_len=16, rpc_uid=0, rpc_gid=0, rpc_stamp=1514568131, rpc_machine_name=pddevbal802, rpc_auxgids=[0]]\x0a\x09[dirname=/pddevbal801]\x0a 
diff --git a/testing/btest/Traces/mount/mount_base.pcap b/testing/btest/Traces/mount/mount_base.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0d7187842424a5ae5a7254b71ec528a5e452c222 GIT binary patch literal 18266 zcmd5^33L=i8tzE~WI}*&DLTY>Y4@~6Wn^Qrf0f){`$Y~ z`|Gdj>YmxSdg)_HR*KbBQY;@ntiEZ;=**k_Rw3R~wMs`UojQSDOCqV(`IePeabl5G z)H2*FZPM)>P-lKpmg?JIIjxaSu1TuR2+Xytq?8uReaXpwvNlVzRuZvo!dkYKXIW$| zt0!3^i>ba(%I<#ho*Q8CtC|kA8TGHJ*8T=-`Dlr%%eS10EcUHH^X)5GtS!y3`UYm( z2%m$Mau}fMvT}JvHd|?Dw9*AuUbd_T%gUMF;n`|3fRbeS?pT0rGJn!uh=rVKeyafc zsoHEhSjZ{gsoxNLDgkzaPc>6tH03}yq_?Qz3(Et zC()HcEsQ}69xR{4{Pb1%nVt@oXE|A}^0sm^Tj^u8(!NQnpS_ve%xFhyXlH@BHl?uA zIa7ioT>tU*s4IKaTl1(5aLsn&x^243|5RuH7~CNZR@%2YOIq2UTT*J}1y+n6dfB(a z7mAiA@IG#|Shx7C^Kb%HO<~LGnROSnaNs40xukS^u9baYrf9*a=%cXcj2X@6*6j0{ z(&wc8w$BSsf9MKw0p*}RcmAWN&ms2t#U`JV_FLJPSBn;mKIg#VJ!qP$-CJxfI1kP2 zkWLoUzgK*&3H72~J`yS)4U0j_ z&wr^`^K%uf#m^l1yV$o1&9@*dj&b&|n_#6Jkg2+qzdV08Tgf+CapdRUvi|%z89+H` ze%^}~-|M{4O*=RqJ=z*7We(%aiH>{;2GzXmj8JCP;p*^*jl59+%&K2utojkmN*~yCr{3!%z4uo%VSCI zN^m~S$@v~L=gpb}R={(Q9Plp3>+u@r)1raA9^`q=ZaW7E&*O2f_WMK30qeXuJ;0o9 zQ{y^`;p%0g*4g- znlHu~RCSGf1>yCq(UqD;E1}WL(5N6Exv;_VWe9|1!&GR0Hs=2`^!fkJ#sx+6h2wiw z)5Qjz2Q3GZx7fxa5Fc^zpcUtMP_&?NC-VR5Q-?h9ioV6ygkKr1u|gb^@zXTea9i@D z+*+2iO`Ouer{P6!lbC(uVZZefj!|{R&f;Ja$IgdZ?7SQaRYr)}OlH<516%}^$zm>Nb=~RXpvf1Ik|59gsMu4uKx4YkwF>L9u03` zO@38189x-7(2Trj+Zl|gP9QRAf9r;r=ur>E=ZzXfhwq<`^?vq<_EM6>iw!hW% zssDcnPUkab1z7EENO}~LAT$L z!mKhOT)fb4y^S4I^)cEChc|NUMAX>1=Cf#^XGb6$Tv@`sWsX3|R>_c7V*90La*OkX zH;IiGLbhm;-}(p*P<7>jwZWFG-Set;Jv&B1*G>YmqRd=IHZSS-)eh|VRuKSGA(RDA zd+PTg>$gGG@7hVwZy8Vy83oxJENhNH8PiE?Ew*3kCbu|G>bJ^%pMd^;`;w)E%(ui- zzgDc@a!tQwkAUjX$m;C$dCs%GXQtg$`tN-Dt-$$(92daJ(lB0oM!-4X`lCHLX z0%c4mt*O|4sT*&>v#l9vID@>zHgWoOTc#pY?w^E%sjS~hRli=tq2F8}8=NVSrI__Q zTJxd|IWIbA@=X(~CRATfk@+T&Ij@|x`OzlUj8=ig{aIS~n=lueZ3VK6KVQt6)d^%V zZ5*1(k)c_}w7u}YEn20j=S80t^s_EEYr1TWgsyAHx?IEFZ){=KB~3(B!pAi2YR;vL z-L5ZQUppxm7p%^EQMuwGHdhJ^1Eg)?3eUOJ$E@v8Rom;@MFaVCRbCuDhS>3C2zE@` 
zq8-ke*`{mOJ?^;_?y5az>YFE#A!pI%HG5rVYgX8YemgcyVJtpCCXP8TY zJ2R9h8y%9)C7*pLc`bJ@Vur;XAPIB8uo4#302WutBd6| zO{!VLqctvfk!f3w%iU@#tH(~P97o!Xf75e({*1Mwy9ti*x#|*Vw*Ux-ulgrzS0@mf zw3FGUS@Pt=@IDQ#Qg!9YeZe-Yk2XH{UI2YovpyB<{d&JyAFP*gWFVyXZ5r{k z?|JIl@hv=e0amCIGtRu~%L{+bx@zmmRjZ?cKD5qp#q4}y#+M?PAseO=+b_p1xy8wJ zES}~)bz@pyRmaBtuhKom)u&=B?DE%TTXHLoCA>}QC41KStrcj1sw>W(3by4qqYUR* z+vtO}jfu3%SDe|7<7|4GInIbFstJ!X=M0HZ%z4N2{@WKE6LbgM(bp&99(RGj~^hIB( zZUo8_IcBDtwMuU;tqv!*PK$WXcN$s8wVIBN(Lg_12OJZCLJe3)5(vF?1XyuT%bf$` z<+;OK!*$rDeir;lMW(Gov}f&BsM__zI^d+qKz5m2hiGHg?r6<-+QjBNvSB+X)-jUXAk}``(DK7=`qQM>a$@mnW@bE>YnOsDYItX;LH-HvFW zpbY5CCfa#(n?P^Uj##DrsC*3pEsuO{@3g*euMu|1zI|`n(ci?ec>Nf62G!y1{9O+u6K`J$75a$GHx;4(OuZUee=k<{W1BJ@Mc0+Mo)-4a_J4YX6#S%n2Kjs z61t>a0$n^^Xn(@BaUkM$>3J3G^L1-FkV2nPo1<;An|%mbkbT3s4dh3+CgMubCXr=wKJwjrSB8`$PAfaZc>%2fU{upPs@w&5}Ef zd}$+#(?8b;V!KJv%NT!8KiLP$Y!`jwInV0M`C+M=pZjBuTz3I_&Gb$LqU? zH3!qj)ZO2!$h5ifF|65hs%C|)p&32jFiL9H!K~TQnj6RN1v%FM@7(S=H{QaUeW_`N z=Nby<1KG9J53pu+0$EHOhho(EXn(Wl@;tovSQ|K&b$MOWWqu@dBi$7qCFeRF&AO1+ zR1-edIx`sco4g&KbDi&4gRfN$ZX6yB49EhC>xMnW8q^3BCJg|BkR)!6T+TH|!1FyY zPSrKn`61Ya`M*`=e?S)aU&H(lXU|u4GV|Zo_B!$WYjYjvsFr;QBeby}&H2%D&2=kl zSgdJ?XUhg`1`}1w!o-9xMKIx^ArWnl;m#a|UG$xJeGI>#QHyhKpg*^JTK&fUoKvyI zw_?7?JS(^2Si;++9`WEWp8fhbj;q(SxY`^EO`+d8TqXN;XLDQ;BC5^aue<%~*{`>8 zOf;%7F$KSQD5CqD)q}g+{aT=i=>X521^W}&uc0~dKOCOFgjT4!`t{=A@ytK1RywXB zi*Wz4eh~BDkv(rX#>{^TY&JXpXyY70(&FEq&rN^N8hoT`P>JGjI5>icFg? zZf9+@HSv1@ozjbihrKl_1>6yPWSu^dKu7T4c zp{X=4DU^Ccf;)UIw`s`qR!fM}{ih0Svy+Bd-z|Xcm0>we} z;opTQza0@Mq0bTjHgWZ7%fGmv$1Q9LSw&8o*MAn!HCX#L*)qRv*dqRCp|}P8Du&8I z|FaVE`MvZ-GYlNjwx8Y15HzP<$u1 z(yj9f)52M49=|{jo&bw2w-ril>}Sab?nU3(ieI3Y%l~0HZi%Or6WL0Cqm}keR_4P> z0qCJhoGTeBC;S6hDc7EIo4OS}U?2V=q;B6V`Wh9|Z?U&WS?p2l|78TOeZaL%;`$%o C?n-+A literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/mount/basic.test b/testing/btest/scripts/base/protocols/mount/basic.test new file mode 100644 index 0000000000..8576874ce3 --- /dev/null 
+++ b/testing/btest/scripts/base/protocols/mount/basic.test
@@ -0,0 +1,31 @@
+# @TEST-EXEC: bro -b -r $TRACES/mount/mount_base.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+global mount_ports: set[port] = { 635/tcp, 635/udp, 20048/tcp, 20048/udp } &redef;
+redef ignore_checksums = T;
+
+event bro_init()
+ {
+ Analyzer::register_for_ports(Analyzer::ANALYZER_MOUNT, mount_ports);
+ Analyzer::enable_analyzer(Analyzer::ANALYZER_MOUNT);
+ }
+
+event mount_proc_mnt(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t, rep: MOUNT3::mnt_reply_t)
+ {
+ print(fmt("mount_proc_mnt: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep));
+ }
+
+event mount_proc_umnt(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t)
+ {
+ print(fmt("mount_proc_umnt: %s\n\t%s\n\t%s\n", c, info, req));
+ }
+
+event mount_proc_umnt_all(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t)
+ {
+ print(fmt("mount_proc_umnt_all: %s\n\t%s\n\t%s\n", c, info, req));
+ }
+
+event mount_proc_not_implemented(c: connection, info: MOUNT3::info_t, proc: MOUNT3::proc_t)
+ {
+ print(fmt("mount_proc_not_implemented: %s\n\t%s\n\t%s\n", c, info, proc));
+ }
From e529268b0acd2f74dc879e6a9f645b039d8efea3 Mon Sep 17 00:00:00 2001 From: Devin Trejo Date: Thu, 11 Jan 2018 17:02:47 -0500 Subject: [PATCH 286/631] Format print nfs units tests to improve output readability. Add unit tests for new NFS events -- nfs_proc_symlink, nfs_proc_link, nfs_proc_sattr. --- .../scripts.base.protocols.nfs.basic/.stdout | 52 ++++++++++-------- testing/btest/Traces/nfs/nfs_base.pcap | Bin 6794 -> 18266 bytes .../scripts/base/protocols/nfs/basic.test | 38 +++++++++---- 3 files changed, 55 insertions(+), 35 deletions(-)
diff --git a/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout b/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout
index 58d51a773a..f80d355e65 100644
--- a/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout
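Review bot: The `mount_proc_umnt_all` and `mount_proc_not_implemented` handlers in mount/basic.test do not appear to be exercised. The two-line `.stdout` baseline added in this commit holds only a `mount_proc_mnt` and a `mount_proc_umnt` record, so two of the four events named in the commit message have no coverage from `mount_base.pcap`. The not-implemented path is the one reached by procedure numbers the analyzer does not decode, so it is worth a trace of its own; otherwise add a comment such as `# NOTE: mount_base.pcap contains no UMNTALL or unsupported procedures; these handlers are not covered`. Separately, the `\n\t` separators inside `fmt()` come out in the baseline as literal `\x0a\x09` rather than line breaks, so passing the values as separate `print` arguments (`print "mount_proc_mnt", c$id, info, req, rep;`) would give a more readable baseline.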
+++ b/testing/btest/Baseline/scripts.base.protocols.nfs.basic/.stdout 
@@ -1,24 +1,28 @@ -nfs_proc_not_implemented, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=425, state=3, num_pkts=5, num_bytes_ip=624, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=520, state=3, num_pkts=3, num_bytes_ip=516, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.972795, service={ - -}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.564809, req_dur=0.0, req_len=124, rep_start=1495059608.56485, rep_dur=0.0, rep_len=112, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], NFS3::PROC_ACCESS -nfs_proc_create, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=581, state=3, num_pkts=6, num_bytes_ip=820, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=792, state=3, num_pkts=4, num_bytes_ip=680, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.97641, service={ - -}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.565064, req_dur=0.0, req_len=144, rep_start=1495059608.568465, rep_dur=0.0, rep_len=260, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, fname=testfile], [fh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\w\x1ew\x01]\xb6\x00=, obj_attr=[ftype=NFS3::FTYPE_REG, mode=32768, nlink=1, uid=1628, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=24583799, atime=2044592128.0, mtime=51501766.0, ctime=1495059608.558778], dir_pre_attr=[size=0, atime=1495059608.558778, mtime=1495059608.558778], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, 
uid=1628, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.558778, ctime=1495059608.558778]] -nfs_proc_not_implemented, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=745, state=3, num_pkts=7, num_bytes_ip=1024, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=940, state=3, num_pkts=5, num_bytes_ip=992, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.982349, service={ - -}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.568646, req_dur=0.0, req_len=152, rep_start=1495059608.574404, rep_dur=0.0, rep_len=136, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], NFS3::PROC_SETATTR -nfs_proc_lookup, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1185, state=3, num_pkts=10, num_bytes_ip=1584, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=1388, state=3, num_pkts=8, num_bytes_ip=1588, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.989157, service={ - -}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1495059608.581163, req_dur=0.0, req_len=136, rep_start=1495059608.581212, rep_dur=0.0, rep_len=108, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, fname=testfile2], [fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.558778, ctime=1495059608.558778]] 
-nfs_proc_rename, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1377, state=3, num_pkts=11, num_bytes_ip=1816, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=1652, state=3, num_pkts=9, num_bytes_ip=1748, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.991291, service={ - -}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.581412, req_dur=0.0, req_len=180, rep_start=1495059608.583346, rep_dur=0.0, rep_len=252, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [src_dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, src_fname=testfile, dst_dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, dst_fname=testfile2], [src_dir_pre_attr=[size=0, atime=1495059608.558778, mtime=1495059608.558778], src_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=22, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.574778, ctime=1495059608.574778], dst_dir_pre_attr=[size=0, atime=1495059608.558778, mtime=1495059608.558778], dst_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=22, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059608.574778, ctime=1495059608.574778]] -nfs_proc_not_implemented, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1777, state=3, num_pkts=14, num_bytes_ip=2336, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=2008, state=3, num_pkts=12, num_bytes_ip=2364, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=8.993098, service={ - -}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, 
vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059608.585126, req_dur=0.0, req_len=124, rep_start=1495059608.585153, rep_dur=0.0, rep_len=112, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704458, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], NFS3::PROC_ACCESS -nfs_proc_remove, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=1925, state=3, num_pkts=16, num_bytes_ip=2564, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=2156, state=3, num_pkts=13, num_bytes_ip=2528, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=9.813823, service={ - -}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059609.400145, req_dur=0.0, req_len=136, rep_start=1495059609.405878, rep_dur=0.0, rep_len=136, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704459, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x01\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\s\xc4\xfa\x00\x09\x8c\xbc\xd8, fname=testfile2], [dir_pre_attr=[size=0, atime=1495059608.574778, mtime=1495059608.574778], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=1628, gid=200, size=6, used=0, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=16434291, atime=1495059608.558778, mtime=1495059609.398797, ctime=1495059609.398797]] -nfs_proc_rmdir, [id=[orig_h=10.111.131.132, orig_p=972/tcp, resp_h=10.111.131.14, resp_p=2049/tcp], orig=[size=2057, state=3, num_pkts=18, num_bytes_ip=2776, flow_label=0, l2_addr=00:50:56:b2:78:69], resp=[size=2304, state=3, num_pkts=14, num_bytes_ip=2716, flow_label=0, l2_addr=00:50:56:b2:47:b9], start_time=1495059599.592055, duration=9.818272, service={ - -}, history=AaDd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=], [rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1495059609.407676, req_dur=0.0, req_len=120, 
rep_start=1495059609.410327, rep_dur=0.0, rep_len=136, rpc_uid=1628, rpc_gid=200, rpc_stamp=47704459, rpc_machine_name=pddevbal801, rpc_auxgids=[10, 24, 200, 320, 5189, 5196]], [dirfh=\x01\x00\x06\x00\x9e\xb5K+3\xeeB+\x82\xa7d\xc9%z\x82\, fname=test], [dir_pre_attr=[size=4096, atime=1495059608.558778, mtime=1495059608.558778], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=17407, nlink=44, uid=0, gid=0, size=4096, used=4096, rdev1=0, rdev2=0, fsid=8629059712046797340, fileid=128, atime=0.0, mtime=1495059609.402797, ctime=1495059609.402797]] +nfs_proc_not_implemented: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=160, state=4, num_pkts=5, num_bytes_ip=368, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=112, state=4, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.000529, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.623455, req_dur=0.0, req_len=104, rep_start=1514568131.623576, rep_dur=0.0, rep_len=72, rpc_uid=0, rpc_gid=0, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 5, 10, 24]]\x0a\x09NFS3::PROC_FSINFO\x0a +nfs_proc_not_implemented: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=276, state=4, num_pkts=6, num_bytes_ip=524, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=172, state=4, num_pkts=4, num_bytes_ip=280, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.000673, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.6236, req_dur=0.0, req_len=104, rep_start=1514568131.62372, rep_dur=0.0, rep_len=48, rpc_uid=0, rpc_gid=0, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 5, 10, 
24]]\x0a\x09NFS3::PROC_PATHCONF\x0a +nfs_proc_not_implemented: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=508, state=4, num_pkts=8, num_bytes_ip=836, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=372, state=4, num_pkts=6, num_bytes_ip=536, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.001007, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.623937, req_dur=0.0, req_len=104, rep_start=1514568131.624054, rep_dur=0.0, rep_len=72, rpc_uid=0, rpc_gid=0, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 5, 10, 24]]\x0a\x09NFS3::PROC_FSINFO\x0a +nfs_proc_not_implemented: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=744, state=4, num_pkts=10, num_bytes_ip=1152, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=612, state=4, num_pkts=8, num_bytes_ip=816, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.00556, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.628447, req_dur=0.0, req_len=108, rep_start=1514568131.628607, rep_dur=0.0, rep_len=112, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09NFS3::PROC_ACCESS\x0a +nfs_proc_mkdir: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=900, state=4, num_pkts=11, num_bytes_ip=1348, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=888, state=4, num_pkts=9, num_bytes_ip=980, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.006413, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, 
nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.628646, req_dur=0.0, req_len=144, rep_start=1514568131.62946, rep_dur=0.0, rep_len=264, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x00\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2, fname=bro-nfs]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, obj_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=6, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387], dir_pre_attr=[size=4096, atime=1514568092.592619, mtime=1514568092.592619], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=17407, nlink=16, uid=0, gid=0, size=4096, used=4096, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=128, atime=0.0, mtime=1514568131.625387, ctime=1514568131.625387]]\x0a +nfs_proc_not_implemented: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1032, state=4, num_pkts=12, num_bytes_ip=1520, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1012, state=4, num_pkts=10, num_bytes_ip=1296, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.007316, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.630213, req_dur=0.0, req_len=120, rep_start=1514568131.630363, rep_dur=0.0, rep_len=112, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09NFS3::PROC_ACCESS\x0a +nfs_proc_lookup: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1172, state=4, num_pkts=13, num_bytes_ip=1700, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1132, state=4, num_pkts=11, num_bytes_ip=1460, flow_label=0, 
l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.007542, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1514568131.63039, req_dur=0.0, req_len=128, rep_start=1514568131.630589, rep_dur=0.0, rep_len=108, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile]\x0a\x09[fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=6, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387]]\x0a +nfs_proc_create: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1344, state=4, num_pkts=14, num_bytes_ip=1912, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1408, state=4, num_pkts=12, num_bytes_ip=1620, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.008344, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.63061, req_dur=0.0, req_len=160, rep_start=1514568131.631391, rep_dur=0.0, rep_len=264, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, obj_attr=[ftype=NFS3::FTYPE_REG, mode=33188, nlink=1, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387], 
dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.625387], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387]]\x0a +nfs_proc_sattr: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1500, state=4, num_pkts=15, num_bytes_ip=2108, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1556, state=4, num_pkts=13, num_bytes_ip=1936, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.008933, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.63142, req_dur=0.0, req_len=144, rep_start=1514568131.63198, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, new_attributes=[mode=, uid=, gid=, size=, atime=NFS3::SET_TO_SERVER_TIME, mtime=NFS3::SET_TO_SERVER_TIME]]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.625387], dir_post_attr=[ftype=NFS3::FTYPE_REG, mode=33188, nlink=1, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387]]\x0a +nfs_proc_sattr: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1660, state=4, num_pkts=16, num_bytes_ip=2308, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1704, state=4, num_pkts=14, num_bytes_ip=2124, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.010357, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, 
inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.632743, req_dur=0.0, req_len=148, rep_start=1514568131.633404, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, new_attributes=[mode=448, uid=, gid=, size=, atime=NFS3::DONT_CHANGE, mtime=NFS3::DONT_CHANGE]]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.625387], dir_post_attr=[ftype=NFS3::FTYPE_REG, mode=33216, nlink=1, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.629387]]\x0a +nfs_proc_sattr: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1820, state=4, num_pkts=17, num_bytes_ip=2508, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1852, state=4, num_pkts=15, num_bytes_ip=2312, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.011929, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.634369, req_dur=0.0, req_len=148, rep_start=1514568131.634976, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, new_attributes=[mode=511, uid=, gid=, size=, atime=NFS3::DONT_CHANGE, mtime=NFS3::DONT_CHANGE]]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.629387], dir_post_attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=1, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, 
mtime=1514568131.625387, ctime=1514568131.629387]]\x0a +nfs_proc_lookup: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=1968, state=4, num_pkts=18, num_bytes_ip=2696, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=1972, state=4, num_pkts=16, num_bytes_ip=2500, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.012799, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1514568131.635694, req_dur=0.0, req_len=136, rep_start=1514568131.635846, rep_dur=0.0, rep_len=108, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-symlink]\x0a\x09[fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.625387]]\x0a +nfs_proc_symlink: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=2184, state=4, num_pkts=19, num_bytes_ip=2952, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=2248, state=4, num_pkts=17, num_bytes_ip=2660, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.013431, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.635899, req_dur=0.0, req_len=204, rep_start=1514568131.636478, rep_dur=0.0, rep_len=264, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[link=[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, 
fname=testfile-symlink], symlinkdata=[symlink_attributes=[mode=511, uid=, gid=, size=, atime=NFS3::DONT_CHANGE, mtime=NFS3::DONT_CHANGE], nfspath=/nfs/pddevbal801/bro-nfs/testfile]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xfa\xdf\xa3@\x00\x00\x00\x00\x135nf, obj_attr=[ftype=NFS3::FTYPE_LNK, mode=41471, nlink=1, uid=3125, gid=200, size=33, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481530, atime=1514568131.629387, mtime=1514568131.629387, ctime=1514568131.629387], dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.625387], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=44, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.629387, ctime=1514568131.629387]]\x0a +nfs_proc_sattr: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=2348, state=4, num_pkts=20, num_bytes_ip=3156, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=2396, state=4, num_pkts=18, num_bytes_ip=2976, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.015041, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.637343, req_dur=0.0, req_len=152, rep_start=1514568131.638088, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, new_attributes=[mode=, uid=3125, gid=10, size=, atime=NFS3::DONT_CHANGE, mtime=NFS3::DONT_CHANGE]]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.629387], dir_post_attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=1, uid=3125, gid=10, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, 
atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.633387]]\x0a +nfs_proc_sattr: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=2512, state=4, num_pkts=21, num_bytes_ip=3360, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=2544, state=4, num_pkts=19, num_bytes_ip=3164, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.016413, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.638929, req_dur=0.0, req_len=152, rep_start=1514568131.63946, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, new_attributes=[mode=, uid=3125, gid=200, size=, atime=NFS3::DONT_CHANGE, mtime=NFS3::DONT_CHANGE]]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.625387, mtime=1514568131.633387], dir_post_attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=1, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.633387]]\x0a +nfs_proc_lookup: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=2668, state=4, num_pkts=22, num_bytes_ip=3556, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=2664, state=4, num_pkts=20, num_bytes_ip=3352, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.017567, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1514568131.640452, req_dur=0.0, req_len=144, rep_start=1514568131.640614, rep_dur=0.0, rep_len=108, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, 
rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-symlink.renamed]\x0a\x09[fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=44, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.629387, ctime=1514568131.629387]]\x0a +nfs_proc_rename: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=2880, state=4, num_pkts=23, num_bytes_ip=3808, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=2928, state=4, num_pkts=21, num_bytes_ip=3512, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.018252, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.640669, req_dur=0.0, req_len=200, rep_start=1514568131.641299, rep_dur=0.0, rep_len=252, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[src_dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, src_fname=testfile-symlink, dst_dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, dst_fname=testfile-symlink.renamed]\x0a\x09[src_dir_pre_attr=[size=0, atime=1514568131.629387, mtime=1514568131.629387], src_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=52, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.637387, ctime=1514568131.637387], dst_dir_pre_attr=[size=0, atime=1514568131.629387, mtime=1514568131.629387], dst_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=52, used=0, rdev1=0, rdev2=0, 
fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.637387, ctime=1514568131.637387]]\x0a +nfs_proc_readlink: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=3136, state=4, num_pkts=25, num_bytes_ip=4144, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=3204, state=4, num_pkts=23, num_bytes_ip=3972, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.019333, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.64222, req_dur=0.0, req_len=116, rep_start=1514568131.64238, rep_dur=0.0, rep_len=148, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xfa\xdf\xa3@\x00\x00\x00\x00\x135nf\x0a\x09[attr=[ftype=NFS3::FTYPE_LNK, mode=41471, nlink=1, uid=3125, gid=200, size=33, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481530, atime=1514568131.629387, mtime=1514568131.629387, ctime=1514568131.637387], nfspath=/nfs/pddevbal801/bro-nfs/testfile]\x0a +nfs_proc_remove: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=3292, state=4, num_pkts=26, num_bytes_ip=4340, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=3352, state=4, num_pkts=24, num_bytes_ip=4172, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.020916, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.643131, req_dur=0.0, req_len=144, rep_start=1514568131.643963, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 
200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-symlink.renamed]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.637387, mtime=1514568131.637387], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.637387, ctime=1514568131.637387]]\x0a +nfs_proc_lookup: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=3440, state=4, num_pkts=27, num_bytes_ip=4528, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=3472, state=4, num_pkts=25, num_bytes_ip=4360, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.021753, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1514568131.644663, req_dur=0.0, req_len=136, rep_start=1514568131.6448, rep_dur=0.0, rep_len=108, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-link]\x0a\x09[fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.637387, ctime=1514568131.637387]]\x0a +nfs_proc_link: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=3624, state=4, num_pkts=28, num_bytes_ip=4752, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=3708, state=4, num_pkts=26, num_bytes_ip=4520, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.022398, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, 
inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.644833, req_dur=0.0, req_len=172, rep_start=1514568131.645445, rep_dur=0.0, rep_len=224, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf, link=[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-link]]\x0a\x09[post_attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=2, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.641387], preattr=[size=0, atime=1514568131.637387, mtime=1514568131.637387], postattr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=41, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.641387, ctime=1514568131.641387]]\x0a +nfs_proc_readdir: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=3904, state=4, num_pkts=30, num_bytes_ip=5112, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=4588, state=4, num_pkts=28, num_bytes_ip=4952, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.023841, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.646733, req_dur=0.0, req_len=140, rep_start=1514568131.646888, rep_dur=0.0, rep_len=752, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[isplus=T, dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, cookie=0, cookieverf=0, dircount=512, maxcount=4096]\x0a\x09[isplus=T, 
dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=41, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.641387, ctime=1514568131.641387], cookieverf=0, entries=[, [fileid=1084481527, fname=., cookie=4, attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=41, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.641387, ctime=1514568131.641387], fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf], [fileid=128, fname=.., cookie=6, attr=[ftype=NFS3::FTYPE_DIR, mode=17407, nlink=16, uid=0, gid=0, size=4096, used=4096, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=128, atime=0.0, mtime=1514568131.625387, ctime=1514568131.625387], fh=\x01\x00\x06\x00\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2], [fileid=1084481529, fname=testfile, cookie=9, attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=2, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.641387], fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf], [fileid=1084481529, fname=testfile-link, cookie=512, attr=[ftype=NFS3::FTYPE_REG, mode=33279, nlink=2, uid=3125, gid=200, size=0, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481529, atime=1514568131.625387, mtime=1514568131.625387, ctime=1514568131.641387], fh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf9\xdf\xa3@\x00\x00\x00\x00\x135nf]], eof=T]\x0a +nfs_proc_remove: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=4052, state=4, num_pkts=31, num_bytes_ip=5300, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=4736, state=4, num_pkts=29, num_bytes_ip=5756, flow_label=0, l2_addr=00:50:56:b2:78:69], 
start_time=1514568131.623047, duration=0.025477, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.647753, req_dur=0.0, req_len=136, rep_start=1514568131.648524, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile-link]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.641387, mtime=1514568131.641387], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.641387, ctime=1514568131.641387]]\x0a +nfs_proc_lookup: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=4200, state=4, num_pkts=32, num_bytes_ip=5488, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=4856, state=4, num_pkts=30, num_bytes_ip=5944, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.026817, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_NOENT, req_start=1514568131.649721, req_dur=0.0, req_len=136, rep_start=1514568131.649864, rep_dur=0.0, rep_len=108, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile.renamed]\x0a\x09[fh=, obj_attr=, dir_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=21, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.641387, ctime=1514568131.641387]]\x0a +nfs_proc_rename: 
[id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=4524, state=4, num_pkts=34, num_bytes_ip=5892, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=5236, state=4, num_pkts=32, num_bytes_ip=6260, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.027593, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.65007, req_dur=0.0, req_len=184, rep_start=1514568131.65064, rep_dur=0.0, rep_len=252, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[src_dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, src_fname=testfile, dst_dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, dst_fname=testfile.renamed]\x0a\x09[src_dir_pre_attr=[size=0, atime=1514568131.641387, mtime=1514568131.641387], src_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=29, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.645387, ctime=1514568131.645387], dst_dir_pre_attr=[size=0, atime=1514568131.641387, mtime=1514568131.641387], dst_dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=29, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.645387, ctime=1514568131.645387]]\x0a +nfs_proc_not_implemented: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=4784, state=4, num_pkts=36, num_bytes_ip=6232, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=5476, state=4, num_pkts=34, num_bytes_ip=6720, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.028734, service={\x0a\x0a}, 
history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.651603, req_dur=0.0, req_len=120, rep_start=1514568131.651781, rep_dur=0.0, rep_len=112, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09NFS3::PROC_ACCESS\x0a +nfs_proc_remove: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=4932, state=4, num_pkts=37, num_bytes_ip=6420, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=5624, state=4, num_pkts=35, num_bytes_ip=6884, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.029354, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.651806, req_dur=0.0, req_len=136, rep_start=1514568131.652401, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x81\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2\xf7\xdf\xa3@\x00\x00\x00\x00\x1a5nf, fname=testfile.renamed]\x0a\x09[dir_pre_attr=[size=0, atime=1514568131.645387, mtime=1514568131.645387], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=16877, nlink=2, uid=3125, gid=200, size=6, used=0, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=1084481527, atime=1514568131.625387, mtime=1514568131.645387, ctime=1514568131.645387]]\x0a +nfs_proc_rmdir: [id=[orig_h=10.111.131.18, orig_p=720/tcp, resp_h=10.111.131.132, resp_p=2049/tcp], orig=[size=5060, state=4, num_pkts=38, num_bytes_ip=6588, flow_label=0, l2_addr=00:50:56:b2:4e:d3], resp=[size=5772, state=4, num_pkts=36, num_bytes_ip=7072, flow_label=0, l2_addr=00:50:56:b2:78:69], start_time=1514568131.623047, duration=0.030704, service={\x0a\x0a}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, 
inner_vlan=]\x0a\x09[rpc_stat=RPC_SUCCESS, nfs_stat=NFS3::NFS3ERR_OK, req_start=1514568131.653118, req_dur=0.0, req_len=116, rep_start=1514568131.653751, rep_dur=0.0, rep_len=136, rpc_uid=3125, rpc_gid=200, rpc_stamp=19078341, rpc_machine_name=pddevbal802, rpc_auxgids=[0, 10, 24, 200]]\x0a\x09[dirfh=\x01\x00\x06\x00\xea,\xbbJ\x9e\xf7I\x95\xa56V(\xce\xda`\xa2, fname=bro-nfs]\x0a\x09[dir_pre_attr=[size=4096, atime=1514568131.625387, mtime=1514568131.625387], dir_post_attr=[ftype=NFS3::FTYPE_DIR, mode=17407, nlink=15, uid=0, gid=0, size=4096, used=4096, rdev1=0, rdev2=0, fsid=3974757969411512911, fileid=128, atime=0.0, mtime=1514568131.649387, ctime=1514568131.649387]]\x0a 
diff --git a/testing/btest/Traces/nfs/nfs_base.pcap b/testing/btest/Traces/nfs/nfs_base.pcap index 1707107c83cbf8998dc026a14ca4bdd542dec621..0d7187842424a5ae5a7254b71ec528a5e452c222 100644 GIT binary patch literal 18266 zcmd5^33L=i8tzE~WI}*&DLTY>Y4@~6Wn^Qrf0f){`$Y~ z`|Gdj>YmxSdg)_HR*KbBQY;@ntiEZ;=**k_Rw3R~wMs`UojQSDOCqV(`IePeabl5G z)H2*FZPM)>P-lKpmg?JIIjxaSu1TuR2+Xytq?8uReaXpwvNlVzRuZvo!dkYKXIW$| zt0!3^i>ba(%I<#ho*Q8CtC|kA8TGHJ*8T=-`Dlr%%eS10EcUHH^X)5GtS!y3`UYm( z2%m$Mau}fMvT}JvHd|?Dw9*AuUbd_T%gUMF;n`|3fRbeS?pT0rGJn!uh=rVKeyafc zsoHEhSjZ{gsoxNLDgkzaPc>6tH03}yq_?Qz3(Et zC()HcEsQ}69xR{4{Pb1%nVt@oXE|A}^0sm^Tj^u8(!NQnpS_ve%xFhyXlH@BHl?uA zIa7ioT>tU*s4IKaTl1(5aLsn&x^243|5RuH7~CNZR@%2YOIq2UTT*J}1y+n6dfB(a z7mAiA@IG#|Shx7C^Kb%HO<~LGnROSnaNs40xukS^u9baYrf9*a=%cXcj2X@6*6j0{ z(&wc8w$BSsf9MKw0p*}RcmAWN&ms2t#U`JV_FLJPSBn;mKIg#VJ!qP$-CJxfI1kP2 zkWLoUzgK*&3H72~J`yS)4U0j_ z&wr^`^K%uf#m^l1yV$o1&9@*dj&b&|n_#6Jkg2+qzdV08Tgf+CapdRUvi|%z89+H` ze%^}~-|M{4O*=RqJ=z*7We(%aiH>{;2GzXmj8JCP;p*^*jl59+%&K2utojkmN*~yCr{3!%z4uo%VSCI zN^m~S$@v~L=gpb}R={(Q9Plp3>+u@r)1raA9^`q=ZaW7E&*O2f_WMK30qeXuJ;0o9 zQ{y^`;p%0g*4g- znlHu~RCSGf1>yCq(UqD;E1}WL(5N6Exv;_VWe9|1!&GR0Hs=2`^!fkJ#sx+6h2wiw z)5Qjz2Q3GZx7fxa5Fc^zpcUtMP_&?NC-VR5Q-?h9ioV6ygkKr1u|gb^@zXTea9i@D z+*+2iO`Ouer{P6!lbC(uVZZefj!|{R&f;Ja$IgdZ?7SQaRYr)}OlH<516%}^$zm>Nb=~RXpvf1Ik|59gsMu4uKx4YkwF>L9u03` zO@38189x-7(2Trj+Zl|gP9QRAf9r;r=ur>E=ZzXfhwq<`^?vq<_EM6>iw!hW% zssDcnPUkab1z7EENO}~LAT$L z!mKhOT)fb4y^S4I^)cEChc|NUMAX>1=Cf#^XGb6$Tv@`sWsX3|R>_c7V*90La*OkX zH;IiGLbhm;-}(p*P<7>jwZWFG-Set;Jv&B1*G>YmqRd=IHZSS-)eh|VRuKSGA(RDA zd+PTg>$gGG@7hVwZy8Vy83oxJENhNH8PiE?Ew*3kCbu|G>bJ^%pMd^;`;w)E%(ui- zzgDc@a!tQwkAUjX$m;C$dCs%GXQtg$`tN-Dt-$$(92daJ(lB0oM!-4X`lCHLX z0%c4mt*O|4sT*&>v#l9vID@>zHgWoOTc#pY?w^E%sjS~hRli=tq2F8}8=NVSrI__Q zTJxd|IWIbA@=X(~CRATfk@+T&Ij@|x`OzlUj8=ig{aIS~n=lueZ3VK6KVQt6)d^%V zZ5*1(k)c_}w7u}YEn20j=S80t^s_EEYr1TWgsyAHx?IEFZ){=KB~3(B!pAi2YR;vL z-L5ZQUppxm7p%^EQMuwGHdhJ^1Eg)?3eUOJ$E@v8Rom;@MFaVCRbCuDhS>3C2zE@` 
zq8-ke*`{mOJ?^;_?y5az>YFE#A!pI%HG5rVYgX8YemgcyVJtpCCXP8TY zJ2R9h8y%9)C7*pLc`bJ@Vur;XAPIB8uo4#302WutBd6| zO{!VLqctvfk!f3w%iU@#tH(~P97o!Xf75e({*1Mwy9ti*x#|*Vw*Ux-ulgrzS0@mf zw3FGUS@Pt=@IDQ#Qg!9YeZe-Yk2XH{UI2YovpyB<{d&JyAFP*gWFVyXZ5r{k z?|JIl@hv=e0amCIGtRu~%L{+bx@zmmRjZ?cKD5qp#q4}y#+M?PAseO=+b_p1xy8wJ zES}~)bz@pyRmaBtuhKom)u&=B?DE%TTXHLoCA>}QC41KStrcj1sw>W(3by4qqYUR* z+vtO}jfu3%SDe|7<7|4GInIbFstJ!X=M0HZ%z4N2{@WKE6LbgM(bp&99(RGj~^hIB( zZUo8_IcBDtwMuU;tqv!*PK$WXcN$s8wVIBN(Lg_12OJZCLJe3)5(vF?1XyuT%bf$` z<+;OK!*$rDeir;lMW(Gov}f&BsM__zI^d+qKz5m2hiGHg?r6<-+QjBNvSB+X)-jUXAk}``(DK7=`qQM>a$@mnW@bE>YnOsDYItX;LH-HvFW zpbY5CCfa#(n?P^Uj##DrsC*3pEsuO{@3g*euMu|1zI|`n(ci?ec>Nf62G!y1{9O+u6K`J$75a$GHx;4(OuZUee=k<{W1BJ@Mc0+Mo)-4a_J4YX6#S%n2Kjs z61t>a0$n^^Xn(@BaUkM$>3J3G^L1-FkV2nPo1<;An|%mbkbT3s4dh3+CgMubCXr=wKJwjrSB8`$PAfaZc>%2fU{upPs@w&5}Ef zd}$+#(?8b;V!KJv%NT!8KiLP$Y!`jwInV0M`C+M=pZjBuTz3I_&Gb$LqU? zH3!qj)ZO2!$h5ifF|65hs%C|)p&32jFiL9H!K~TQnj6RN1v%FM@7(S=H{QaUeW_`N z=Nby<1KG9J53pu+0$EHOhho(EXn(Wl@;tovSQ|K&b$MOWWqu@dBi$7qCFeRF&AO1+ zR1-edIx`sco4g&KbDi&4gRfN$ZX6yB49EhC>xMnW8q^3BCJg|BkR)!6T+TH|!1FyY zPSrKn`61Ya`M*`=e?S)aU&H(lXU|u4GV|Zo_B!$WYjYjvsFr;QBeby}&H2%D&2=kl zSgdJ?XUhg`1`}1w!o-9xMKIx^ArWnl;m#a|UG$xJeGI>#QHyhKpg*^JTK&fUoKvyI zw_?7?JS(^2Si;++9`WEWp8fhbj;q(SxY`^EO`+d8TqXN;XLDQ;BC5^aue<%~*{`>8 zOf;%7F$KSQD5CqD)q}g+{aT=i=>X521^W}&uc0~dKOCOFgjT4!`t{=A@ytK1RywXB zi*Wz4eh~BDkv(rX#>{^TY&JXpXyY70(&FEq&rN^N8hoT`P>JGjI5>icFg? 
zZf9+@HSv1@ozjbihrKl_1>6yPWSu^dKu7T4c zp{X=4DU^Ccf;)UIw`s`qR!fM}{ih0Svy+Bd-z|Xcm0>we} z;opTQza0@Mq0bTjHgWZ7%fGmv$1Q9LSw&8o*MAn!HCX#L*)qRv*dqRCp|}P8Du&8I z|FaVE`MvZ-GYlNjwx8Y15HzP<$u1 z(yj9f)52M49=|{jo&bw2w-ril>}Sab?nU3(ieI3Y%l~0HZi%Or6WL0Cqm}keR_4P> z0qCJhoGTeBC;S6hDc7EIo4OS}U?2V=q;B6V`Wh9|Z?U&WS?p2l|78TOeZaL%;`$%o C?n-+A literal 6794 zcmc(kdr%cs9LLWtcv%b$4Y@b&O#>f1)DdaMVayz~0W!=X=`ot&;6M|MuK|4KAB3cq z&SY6LsAQI0<)WFxl%^7D0$q!-nWj-ALnFk;=$$MdiH7~Y=kDI_*}JUc2y|wCoZYi` ze|x^?^ZT8%d-&;S%_lMoW?FeTmNAJ=-feQs*r$ZD33Lo&nJ?9(@5kSz`3g&YoW)tM zrLYuB$ke_IR+f?V4{A~*k8|5HmpgiTX1F9Lyn@?M;OiLq8b`-4uNSXJ^2J!3{4;zx zR>KecDN;}q{E)xpnc?iTeJx|<spyCdxsG$>Bz*tnu&3r8S8jM9p zrj4~YLb!^hstWYjsGwbD?CHByj}m_nuAXW&V@nQy5ZO9rphLY-qWyk`qbbY2zvFqW zrgpC2!wrgAWZZy)kY{xqI*7w@L`HnJ<{zVRgnXT#23P=7xAi7`SzLy`h-pMQAB~Df zjG2a#&z@!)T%1=_?0t@O1tRnXDsNXPERA{s(=(Tn2HDSXF4o$gqb?1}~9b-OHX*M}qDz zp+k&{kjH2fihmwUtl-SA_}aVROV{5-FR8x2xZ$y| zc3P#rhO)wX)4BLIXZW?qaQhr$*hvhd4>fRQWmbXV>Xp<>yqiH0tT%E$3~DM!&7br@ zSOBLs`3&dOpySj@oGuZk3yyTI<||bVdTvzE-tGBBKEw16o0~ZL^#w)6^K<6qvBWWj zdBue}^NVH|=g-TVJ+Fv8mztF|DLpmozq>F3iyBPl@;jVom5%2nmwWgD;yEhyNj?JQ zHi4(_U7OxvdzPnPPHM6+4{*z&w|6MaJf*O2s1X*x_zU?gXM9a$Jp6#ixnmVEzT~iS zg=64R=7s$*&@y^!WUbu z^&igcbCKDORWA34G-5XHhg_~`{iDXrv^?yM91PXg-z1URgQ4Bt@vzBB?D*0d{ZBJ~ueXDB7gtr!LSVjaUe zV%SU!J&p|+1u0k^1^6&3zIL8Be%~teV_fTsZ=~Lt+51b(Cb1}q?^c3JQ8n9{AcRn0DUY$L@~%D$OArb_I_F@=$W^>|D{$#hauO%H?Vyyuopv}%7+a_+L9dNUw{u6&ubMKjG0vb?%xhP+%N;i!3_e=s zW#IUq7-(xGl!RR|WzfbM=)OJU#uI~9V(^#7KvmKe18VQaHIQ--J>O0}uOs5HfIQek z!%Wd**{5UBN(^>`!R9HPLD^%*41&og)bv;$Xbk8XqoL*qsi~n8SU@gR%IBcQepk$e zxZNISHGK)O>)IZGs>Xx^RCO;4>Tf?NIQW*?uCYyqf{=+KkLm)KJ3fK-22<=WKsd@q z@-@J25x$m$b+gtM#M$ch2323gwtfv~yMC}STf8M}Y-xY_f%bdvYb}Jb#bZTfOY^<4 z%lE@;<#x`wUE~~}K%D7oiQUw`165^aoH3OA``%#9>S|8J4!2ND*20a}hWNK>-QzWs z1tnQb_J(c2oc{zJ|4!mxNBlFQqO}LZ*NS9|$r@+t!};rSyV~o^CS}}y!#lqYG3MWo zp446ZyV~#Pd&5w2a Date: Fri, 12 Jan 2018 15:29:17 +0100 Subject: [PATCH 287/631] fix smb1_com_transaction* messages --- .../smb/smb1-com-transaction-secondary.pac | 27 
++++------ .../protocol/smb/smb1-com-transaction.pac | 50 ++++++++----------- .../smb/smb1-com-transaction2-secondary.pac | 27 ++++------ .../protocol/smb/smb1-com-transaction2.pac | 29 ++++++----- 4 files changed, 60 insertions(+), 73 deletions(-) diff --git a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac index a9ccddea73..d6010d3972 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac @@ -2,6 +2,9 @@ refine connection SMB_Conn += { function proc_smb1_transaction_secondary_request(header: SMB_Header, val: SMB1_transaction_secondary_request): bool %{ + if ( ! smb1_transaction_secondary_request ) + return false; + RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans_Sec_Args); args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT)); args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT)); @@ -12,16 +15,11 @@ refine connection SMB_Conn += { args->Assign(6, new Val(${val.data_offset}, TYPE_COUNT)); args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT)); - StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data()); + StringVal *parameters = new StringVal(${val.parameters}.length(), (const char*)${val.parameters}.data()); StringVal *payload_str = nullptr; SMB1_transaction_data *payload = nullptr; - if ( !parameters ) - { - parameters = new StringVal(""); - } - - if ( ${val.data_count > 0} ) + if ( ${val.data_count} > 0 ) { payload = ${val.data}; } 
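Review bot: The new `new StringVal(${val.parameters}.length(), ...)` line in proc_smb1_transaction_secondary_request deserves a one-line comment saying why the length comes from the parsed buffer, because the header's `param_count` it replaces still looks like the natural choice and could be reintroduced later. Something like `// Length comes from the parsed bytestring, not the header's param_count, so the copy stays within the bytes actually parsed.` would do. The same line appears in proc_smb1_transaction_request and proc_smb1_transaction_response in smb1-com-transaction.pac, and in proc_smb1_transaction2_secondary_request for both `parameters` and `data`, so the comment applies there too. The function body continues outside this hunk.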
@@ -47,15 +45,12 @@ refine connection SMB_Conn += { payload_str = new StringVal(""); } - if ( smb1_transaction_secondary_request ) - { - BifEvent::generate_smb1_transaction_secondary_request(bro_analyzer(), - bro_analyzer()->Conn(), - BuildHeaderVal(header), - args, - parameters, - payload_str); - } + BifEvent::generate_smb1_transaction_secondary_request(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(header), + args, + parameters, + payload_str); return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-transaction.pac b/src/analyzer/protocol/smb/smb1-com-transaction.pac index 725399b1bb..7f3c409a95 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction.pac @@ -31,16 +31,14 @@ refine connection SMB_Conn += { function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool %{ - StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data()); + if ( ! smb1_transaction_request ) + return false; + + StringVal *parameters = new StringVal(${val.parameters}.length(), (const char*)${val.parameters}.data()); StringVal *payload_str = nullptr; SMB1_transaction_data *payload = nullptr; - if ( !parameters ) - { - parameters = new StringVal(""); - } - - if ( ${val.data_count > 0} ) + if ( ${val.data_count} > 0 ) { payload = ${val.data}; } 
@@ -66,30 +64,27 @@ refine connection SMB_Conn += { payload_str = new StringVal(""); } - if ( smb1_transaction_request ) - BifEvent::generate_smb1_transaction_request(bro_analyzer(), - bro_analyzer()->Conn(), - BuildHeaderVal(header), - smb_string2stringval(${val.name}), - ${val.sub_cmd}, - parameters, - payload_str); + BifEvent::generate_smb1_transaction_request(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(header), + smb_string2stringval(${val.name}), + ${val.sub_cmd}, + parameters, + payload_str); return true; %} function proc_smb1_transaction_response(header: SMB_Header, val: SMB1_transaction_response): bool %{ - StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data()); + if ( !smb1_transaction_response ) + return false; + + StringVal *parameters = new StringVal(${val.parameters}.length(), (const char*)${val.parameters}.data()); StringVal *payload_str = nullptr; SMB1_transaction_data *payload = nullptr; - if ( !parameters ) - { - parameters = new StringVal(""); - } - - if ( ${val.data_count > 0} ) + if ( ${val.data_count} > 0 ) { payload = ${val.data[0]}; } @@ -115,12 +110,11 @@ refine connection SMB_Conn += { payload_str = new StringVal(""); } - if ( smb1_transaction_response ) - BifEvent::generate_smb1_transaction_response(bro_analyzer(), - bro_analyzer()->Conn(), - BuildHeaderVal(header), - parameters, - payload_str); + BifEvent::generate_smb1_transaction_response(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(header), + parameters, + payload_str); return true; %} }; diff --git a/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac index f2ae2e8e99..e608da4e4f 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac 
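Review bot: In proc_smb1_transaction_response the guard `if ( ${val.data_count} > 0 )` still trusts the header's count before reading `${val.data[0]}`, which is the same count-versus-parsed-size mismatch this commit removes for `parameters`. The definition of SMB1_transaction_response is not visible here, so whether `data` can be empty while `data_count` is non-zero needs confirming. If it can, and assuming `data` is a binpac array, test the container itself, e.g. `if ( ${val.data}->size() > 0 )`. The rest of the function lies outside the hunk.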
@@ -2,6 +2,9 @@ refine connection SMB_Conn += { function proc_smb1_transaction2_secondary_request(header: SMB_Header, val: SMB1_transaction2_secondary_request): bool %{ + if ( !smb1_transaction2_secondary_request ) + return false; + RecordVal *args = new RecordVal(BifType::Record::SMB1::Trans2_Sec_Args); args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT)); args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT)); @@ -13,28 +16,20 @@ refine connection SMB_Conn += { args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT)); args->Assign(8, new Val(${val.FID}, TYPE_COUNT)); - StringVal *parameters = new StringVal(${val.param_count}, (const char*)${val.parameters}.data()); - StringVal *payload = new StringVal(${val.data_count}, (const char*)${val.data}.data()); - - if ( !parameters ) - { - parameters = new StringVal(""); - } + StringVal *parameters = new StringVal(${val.parameters}.length(), (const char*)${val.parameters}.data()); + StringVal *payload = new StringVal(${val.data}.length(), (const char*)${val.data}.data()); if ( !payload ) { payload = new StringVal(""); } - if ( smb1_transaction2_secondary_request ) - { - BifEvent::generate_smb1_transaction2_secondary_request(bro_analyzer(), - bro_analyzer()->Conn(), - BuildHeaderVal(header), - args, - parameters, - payload); - } + BifEvent::generate_smb1_transaction2_secondary_request(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(header), + args, + parameters, + payload); return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-transaction2.pac b/src/analyzer/protocol/smb/smb1-com-transaction2.pac index a089c0324f..5e77489d10 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction2.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction2.pac 
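Review bot: The `if ( !payload ) { payload = new StringVal(""); }` block kept in proc_smb1_transaction2_secondary_request is dead code: a plain `new` expression reports failure by throwing, so `payload` is never null at that point. The commit already drops the identical check for `parameters` a few lines above. Removing this one as well keeps the two variables consistent and stops the code from implying that an empty-string fallback exists.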
@@ -22,21 +22,24 @@ refine connection SMB_Conn += { function proc_smb1_transaction2_request(header: SMB_Header, val: SMB1_transaction2_request): bool %{ - RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans2_Args); - args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT)); - args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT)); - args->Assign(2, new Val(${val.max_param_count}, TYPE_COUNT)); - args->Assign(3, new Val(${val.max_data_count}, TYPE_COUNT)); - args->Assign(4, new Val(${val.max_setup_count}, TYPE_COUNT)); - args->Assign(5, new Val(${val.flags}, TYPE_COUNT)); - args->Assign(6, new Val(${val.timeout}, TYPE_COUNT)); - args->Assign(7, new Val(${val.param_count}, TYPE_COUNT)); - args->Assign(8, new Val(${val.param_offset}, TYPE_COUNT)); - args->Assign(9, new Val(${val.data_count}, TYPE_COUNT)); - args->Assign(10, new Val(${val.data_offset}, TYPE_COUNT)); - args->Assign(11, new Val(${val.setup_count}, TYPE_COUNT)); if ( smb1_transaction2_request ) + { + RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans2_Args); + args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT)); + args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT)); + args->Assign(2, new Val(${val.max_param_count}, TYPE_COUNT)); + args->Assign(3, new Val(${val.max_data_count}, TYPE_COUNT)); + args->Assign(4, new Val(${val.max_setup_count}, TYPE_COUNT)); + args->Assign(5, new Val(${val.flags}, TYPE_COUNT)); + args->Assign(6, new Val(${val.timeout}, TYPE_COUNT)); + args->Assign(7, new Val(${val.param_count}, TYPE_COUNT)); + args->Assign(8, new Val(${val.param_offset}, TYPE_COUNT)); + args->Assign(9, new Val(${val.data_count}, TYPE_COUNT)); + args->Assign(10, new Val(${val.data_offset}, TYPE_COUNT)); + args->Assign(11, new Val(${val.setup_count}, TYPE_COUNT)); + BifEvent::generate_smb1_transaction2_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), args, ${val.sub_cmd}); + } return true; %} 
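Review bot: proc_smb1_transaction2_request still returns `true` when no `smb1_transaction2_request` handler is registered, while every other function touched by this commit now returns `false` in that case. If the return value is meant to signal whether an event was raised, use the same guard here, `if ( ! smb1_transaction2_request ) return false;`, and drop the wrapping block. If it is not, a short comment stating what the return value means would keep the two styles from diverging further. How callers use the value is not visible in this hunk.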
From 00be145b1b05ba14d132736642d0ec362a3ba489 Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Fri, 12 Jan 2018 15:30:03 +0100 Subject: [PATCH 288/631] fix setup field handling in smb1_com_transaction_request messages This field is an array of 16 bit words and was parsed as an array of 32 bit words. Moreover, one can not assume the format is going to be a 16 bits opcode followed by a 16 bit file ID, the content of the setup field is different according to its first 16 bits word that defines the subcommand code. See MS-CIFS section 2.2.4.33.1 : Setup (variable): An array of two-byte words that provides transaction context to the server. The size and content of the array are specific to individual subcommands. --- src/analyzer/protocol/smb/smb1-com-transaction.pac | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/src/analyzer/protocol/smb/smb1-com-transaction.pac b/src/analyzer/protocol/smb/smb1-com-transaction.pac index 7f3c409a95..eed584dfff 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction.pac @@ -132,11 +132,6 @@ type SMB1_transaction_data(header: SMB_Header, is_orig: bool, count: uint16, sub pipe_proc : bool = $context.connection.forward_dce_rpc(pipe_data, 0, is_orig) &if(trans_type == SMB_PIPE); }; -type SMB1_transaction_setup = record { - op_code : uint16; - file_id : uint16; -} - type SMB1_transaction_request(header: SMB_Header) = record { word_count : uint8; total_param_count : uint16; @@ -155,7 +150,7 @@ type SMB1_transaction_request(header: SMB_Header) = record { setup_count : uint8; reserved3 : uint8; # word_count 16 is a different dialect that behaves a bit differently. - setup : SMB1_transaction_setup[word_count == 16 ? 1 : setup_count]; + setup : uint16[setup_count]; byte_count : uint16; name : SMB_string(header.unicode, offsetof(name)); 
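Review bot: The context comment `# word_count 16 is a different dialect that behaves a bit differently.` now sits directly above `setup : uint16[setup_count];`, which no longer looks at `word_count`, so it describes logic that this hunk removes. Move it next to the `sub_cmd` expression, which still tests `word_count != 16`, or reword it to say what remains dialect-specific. It would also help to note above `setup` that the array length is taken from the message's own `setup_count` byte and that its contents are subcommand-specific, as the commit message explains. The record continues outside this hunk.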
@@ -164,7 +159,7 @@ type SMB1_transaction_request(header: SMB_Header) = record { pad2 : padding to data_offset - SMB_Header_length; data : SMB1_transaction_data(header, true, data_count, sub_cmd, transtype, is_pipe); } &let { - sub_cmd : uint16 = (sizeof(setup) && word_count != 16) > 0 ? setup[0].op_code : 0; + sub_cmd : uint16 = (sizeof(setup) && word_count != 16) > 0 ? setup[0] : 0; transtype : int = determine_transaction_type(header, name); is_pipe : bool = (transtype == SMB_PIPE || (transtype == SMB_UNKNOWN && $context.connection.get_tree_is_pipe(header.tid))); From 6d497ea8b05d712f5c35f403f9854ea0e4310c82 Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Fri, 12 Jan 2018 15:35:44 +0100 Subject: [PATCH 289/631] add test for smb1_com_transaction_request event changes --- .../.stdout | 1 + .../Traces/smb/smb1_transaction_request.pcap | Bin 0 -> 1731 bytes .../protocols/smb/smb1-transaction-request.test | 12 ++++++++++++ 3 files changed, 13 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-request/.stdout create mode 100644 testing/btest/Traces/smb/smb1_transaction_request.pcap create mode 100644 testing/btest/scripts/base/protocols/smb/smb1-transaction-request.test diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-request/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-request/.stdout new file mode 100644 index 0000000000..b9d6e354ee --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-request/.stdout @@ -0,0 +1 @@ +smb1_transaction_request hdr: [command=37, status=0, flags=0, flags2=0, tid=31335, pid=1, uid=11132, mid=2], name: \\PIPE\lsarpc, sub_cmd: 2600, params: some_params, data: some_data 
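Review bot: In `sub_cmd : uint16 = (sizeof(setup) && word_count != 16) > 0 ? setup[0] : 0;` the `> 0` is applied to the result of the `&&`, which hides the one condition that protects the `setup[0]` read, namely that the array is non-empty. Stating it directly is easier to audit: `sub_cmd : uint16 = (setup_count > 0 && word_count != 16) ? setup[0] : 0;`. This assumes `sizeof(setup)` is non-zero exactly when `setup_count` is, which should be confirmed against binpac's semantics. The record and its `&let` block extend outside the hunk.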
diff --git a/testing/btest/Traces/smb/smb1_transaction_request.pcap b/testing/btest/Traces/smb/smb1_transaction_request.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e234ec4e76f2ce3c8b2e3b7db28c5d4429e42c05 GIT binary patch literal 1731 zcmb7DT}V?=9RJ_D8P=TnK{0}8V47e}9m7BhEYn&wyR?;I%XXcXqn5TAMrEvsP^^b2 zk)EQDL0zziK%)mkum|bIhk}UMz_g+Vi5gf2b^HI%ans!^!4CWn=bn$>{e7JCcKq3W z5sZ**stO?B$FaU6O*6BrpbE!Sum8UM79WZaQJ)QU0Hw68X2tx)vBw}_iIWLoG>IaK zR@fHjC@P{<;{p{w&#@TFX2d|07v~9qkc836M0DiQ7ThfO3KZpVGk|DR-w~fsnJIHV z0;1WZJS+V8%K7~4F+l*~sdTE2E~wh0QN>X#Rw#Uc#{kMzw`*sJMi%OpHgZn{$N{mz zW8LqvR@f@-%uez0B7L0^rLm7>#D}{YBW#G~kn$9zJ%`i35;4I&oTSpB+=@*zl=5X! zEQ(^8z+(VyDf+#J8a9*aIQ@J8gB`sv?w|z$DslQxA_9IzIeWAJjqpm%wnA-i)0%6_ zx?&IB2RC?d<6bs$gOhFu6TP;^oOxyr%xsWl=He)Q*Uj)85vg>UJ>i-C`mM=~qhMw( zyhGS}NOYJ+781F%anWWKe9&&PFRUaVMHYS+fh32+yARd5QD$S{OlwDX*y^xVq>YXE zb})JY3IM#`MrVV4pVukXZUpR@8Mph*5WziEy6i%+8J3+(lieV09+oUa6Hjm82%tVC zqu0PD7CQkhm5E>=8Un0OajUXbf?E!@$jErB%>f=#(Toquw}C(Ij2`$fhBHOse7_0| zCGH34#$QtD!U^zj=BqW~a1;zDl3@I|ld5xUsO`8aW-jSk&Ri0+>jXeMo~6>6+Z6l6 z%x%?}JB6F)$lR83_FG$uMkL+blNZv=&0?7{`3H)`%y0NybR=5HOkB-PoINGNL!>~Z zGjU+S#9WPu90g4r>tXBz#J-pf)4L@5TobHJUjY*w#5o_{TPRW061=#QQ>ycx4$GlV zKR~!6*mk^A4#`1!Iqa)d?vlxHrE5{R&hXOMXJ+_7y5Z46jL Date: Fri, 12 Jan 2018 10:58:11 -0800 Subject: [PATCH 290/631] Correct include-path in x509Common.h The file used a relative path which leads to problems if it is included by an external Plugin. This commit changes this to an absolute path, like everywhere else. --- src/file_analysis/analyzer/x509/X509Common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/file_analysis/analyzer/x509/X509Common.h b/src/file_analysis/analyzer/x509/X509Common.h index 1e1a9b94ee..7e9bdd9be4 100644 --- a/src/file_analysis/analyzer/x509/X509Common.h +++ b/src/file_analysis/analyzer/x509/X509Common.h 
@@ -6,7 +6,7 @@ #ifndef FILE_ANALYSIS_X509_COMMON #define FILE_ANALYSIS_X509_COMMON -#include "../File.h" +#include "file_analysis/File.h" #include "Analyzer.h" #include From 6f9524e0823d7fe7a1303183e59e358d716632a9 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Fri, 12 Jan 2018 13:25:21 -0800 Subject: [PATCH 291/631] Make tunnel_parents in conn.log optional. This makes conn.logs a bit prettier (and smaller) because all lines that do not use a tunnel will now have a "-" instead of the "(empty)" for tunnel_parents. --- scripts/base/protocols/conn/main.bro | 10 +- .../btest/Baseline/core.history-flip/conn.log | 2 +- .../btest/Baseline/core.mpls-in-vlan/conn.log | 6 +- .../core.pcap.dynamic-filter/conn.log | 32 +- .../core.pcap.read-trace-with-filter/conn.log | 2 +- testing/btest/Baseline/core.pppoe/conn.log | 14 +- .../Baseline/core.print-bpf-filters/conn.log | 2 +- testing/btest/Baseline/core.q-in-q/conn.log | 4 +- testing/btest/Baseline/core.radiotap/conn.log | 4 +- .../core.tcp.large-file-reassembly/conn.log | 6 +- .../Baseline/core.tcp.miss-end-data/conn.log | 2 +- .../Baseline/core.tcp.missing-syn/conn.log | 2 +- .../core.tcp.rxmit-history/conn-1.log | 6 +- .../core.tcp.rxmit-history/conn-2.log | 72 +- .../Baseline/core.tunnels.ayiya/conn.log | 4 +- .../conn.log | 4 +- .../core.tunnels.gtp.false_gtp/conn.log | 2 +- .../core.tunnels.gtp.inner_ipv6/conn.log | 2 +- .../core.tunnels.gtp.inner_teredo/conn.log | 12 +- .../conn.log | 4 +- .../core.tunnels.gtp.opt_header/conn.log | 2 +- .../core.tunnels.gtp.outer_ip_frag/conn.log | 2 +- .../Baseline/core.tunnels.teredo/conn.log | 34 +- .../conn.log | 6 +- .../btest/Baseline/core.vlan-mpls/conn.log | 6 +- .../doc.manual.using_bro_sandbox_01/conn.log | 68 +- .../doc.manual.using_bro_sandbox_02/conn.log | 12 +- .../btest-doc.sphinx.connection-record-01#1 | 4 +- .../btest-doc.sphinx.connection-record-02#1 | 4 +- .../btest-doc.sphinx.using_bro#1 | 16 +- testing/btest/Baseline/plugins.hooks/output | 28 +- .../btest/Baseline/plugins.pktsrc/conn.log | 2 +- testing/btest/Baseline/plugins.writer/output | 16 +- .../conn.log | 68 +- .../conn.log | 2 +- .../conn.log | 68 +- .../conn.log | 68 +- .../conn.log | 68 +- .../conn.log | 68 +- .../conn.log | 68 +- 
.../conn.select | 68 +- .../conn.log | 12 +- .../conn.log | 2 +- .../conn.log | 10 +- .../conn.log | 12 +- .../conn.log | 4 +- .../conn.log | 2 +- .../conn.log | 2 +- .../conn.log | 2 +- .../scripts.base.protocols.irc.basic/conn.log | 4 +- .../conn.log | 2 +- .../conn.log | 18 +- .../conn.log | 2 +- .../scripts.base.protocols.ssh.basic/conn.log | 50 +- .../conn.log | 2 +- .../conn1.log | 72 +- .../conn2.log | 8 +- .../conn3.log | 2670 ++++++++--------- .../conn.log | 4 +- .../signatures.eval-condition/conn.log | 10 +- 60 files changed, 1881 insertions(+), 1877 deletions(-) diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro index f0dab79d90..c806a017e0 100644 --- a/scripts/base/protocols/conn/main.bro +++ b/scripts/base/protocols/conn/main.bro @@ -116,7 +116,7 @@ export { ## If this connection was over a tunnel, indicate the ## *uid* values for any encapsulating parent connections ## used over the lifetime of this inner connection. - tunnel_parents: set[string] &log; + tunnel_parents: set[string] &log &optional; }; ## Event that can be handled to access the :bro:type:`Conn::Info` @@ -207,7 +207,11 @@ function set_conn(c: connection, eoc: bool) c$conn$uid=c$uid; c$conn$id=c$id; if ( c?$tunnel && |c$tunnel| > 0 ) + { + if ( ! c$conn?$tunnel_parents ) + c$conn$tunnel_parents = set(); add c$conn$tunnel_parents[c$tunnel[|c$tunnel|-1]$uid]; + } c$conn$proto=get_port_transport_proto(c$id$resp_p); if( |Site::local_nets| > 0 ) { @@ -253,7 +257,11 @@ event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5 { set_conn(c, F); if ( |e| > 0 ) + { + if ( ! c$conn?$tunnel_parents ) + c$conn$tunnel_parents = set(); add c$conn$tunnel_parents[e[|e|-1]$uid]; + } c$tunnel = e; } diff --git a/testing/btest/Baseline/core.history-flip/conn.log b/testing/btest/Baseline/core.history-flip/conn.log index 4c22a6484b..8e2d5627f1 100644 --- a/testing/btest/Baseline/core.history-flip/conn.log 
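Review bot: Making `tunnel_parents` `&optional` changes the contract of Conn::Info, and the field's doc comment should say so, e.g. `## Unset when the connection was never tunnelled.` Scripts that read `c$conn$tunnel_parents` without a `?$` test would now fail at run time on non-tunnelled connections, and log consumers that match the literal `(empty)` will see `-` instead, so both are worth calling out in the change notes. The initialisation `if ( ! c$conn?$tunnel_parents ) c$conn$tunnel_parents = set();` is also repeated verbatim in set_conn and tunnel_changed and could live in one small helper. Both functions start and end outside their hunks.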
+++ b/testing/btest/Baseline/core.history-flip/conn.log @@ -6,5 +6,5 @@ #open 2017-01-30-23-13-15 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_l2_addr resp_l2_addr #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string -1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 (empty) 00:d0:03:3b:f4:00 00:b0:c2:86:ec:00 +1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 - 00:d0:03:3b:f4:00 00:b0:c2:86:ec:00 #close 2017-01-30-23-13-15 diff --git a/testing/btest/Baseline/core.mpls-in-vlan/conn.log b/testing/btest/Baseline/core.mpls-in-vlan/conn.log index 8408056be2..5cbd2c5405 100644 --- a/testing/btest/Baseline/core.mpls-in-vlan/conn.log +++ b/testing/btest/Baseline/core.mpls-in-vlan/conn.log 
@@ -6,7 +6,7 @@ #open 2016-07-13-16-12-55 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1371685686.536606 CHhAvVGS1DHFjwGM9 65.65.65.65 19244 65.65.65.65 80 tcp - - - - OTH - - 0 D 1 257 0 0 (empty) -1371686961.479321 C4J4Th3PJpwUYZZ6gc 65.65.65.65 61193 65.65.65.65 80 tcp - - - - OTH - - 0 D 1 710 0 0 (empty) -1371686961.156859 ClEkJM2Vm5giqnMf4h 65.65.65.65 32828 65.65.65.65 80 tcp - - - - OTH - - 0 ^d 0 0 1 1500 (empty) +1371685686.536606 CHhAvVGS1DHFjwGM9 65.65.65.65 19244 65.65.65.65 80 tcp - - - - OTH - - 0 D 1 257 0 0 - +1371686961.479321 C4J4Th3PJpwUYZZ6gc 65.65.65.65 61193 65.65.65.65 80 tcp - - - - OTH - - 0 D 1 710 0 0 - +1371686961.156859 ClEkJM2Vm5giqnMf4h 65.65.65.65 32828 65.65.65.65 80 tcp - - - - OTH - - 0 ^d 0 0 1 1500 - #close 2016-07-13-16-12-55 diff --git a/testing/btest/Baseline/core.pcap.dynamic-filter/conn.log b/testing/btest/Baseline/core.pcap.dynamic-filter/conn.log index d410538d28..8518a0a68a 100644 --- a/testing/btest/Baseline/core.pcap.dynamic-filter/conn.log +++ b/testing/btest/Baseline/core.pcap.dynamic-filter/conn.log 
@@ -6,20 +6,20 @@ #open 2016-07-13-16-12-55 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 (empty) -1300475168.853899 C4J4Th3PJpwUYZZ6gc 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.854378 CtPZjS20MLrsMUOJi2 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475168.854837 CUM0KZ3MLUfNB0cl11 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.857956 CmES5u32sYpV7JYN 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.858306 CP5puj4I8PtEU4qzYg 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475168.858713 C37jN32gN3y3AZzyf6 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.891644 C3eiCBGOLw3VtHfOj 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.892037 CwjjYJ2WqgTbAqiHl6 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475168.892414 C0LAHyvtKSQHyJxIl 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.893988 CFLRIC3zaTU1loLGxh 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.894422 C9rXSW3KSpTYvPrlI1 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475168.894787 Ck51lg1bScffFj34Ri 141.142.220.118 48128 
141.142.2.2 53 udp dns 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.901749 C9mvWx3ezztgzcexV7 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) -1300475168.902195 CNnMIj2QSd84NKf7U3 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) -1300475168.652003 ClEkJM2Vm5giqnMf4h 141.142.220.118 35634 208.80.152.2 80 tcp - - - - OTH - - 0 D 1 515 0 0 (empty) +1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 - +1300475168.853899 C4J4Th3PJpwUYZZ6gc 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.854378 CtPZjS20MLrsMUOJi2 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - +1300475168.854837 CUM0KZ3MLUfNB0cl11 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.857956 CmES5u32sYpV7JYN 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.858306 CP5puj4I8PtEU4qzYg 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - +1300475168.858713 C37jN32gN3y3AZzyf6 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.891644 C3eiCBGOLw3VtHfOj 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.892037 CwjjYJ2WqgTbAqiHl6 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - +1300475168.892414 C0LAHyvtKSQHyJxIl 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.893988 CFLRIC3zaTU1loLGxh 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.894422 C9rXSW3KSpTYvPrlI1 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - +1300475168.894787 Ck51lg1bScffFj34Ri 141.142.220.118 48128 141.142.2.2 53 udp dns 
0.000423 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.901749 C9mvWx3ezztgzcexV7 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - +1300475168.902195 CNnMIj2QSd84NKf7U3 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - +1300475168.652003 ClEkJM2Vm5giqnMf4h 141.142.220.118 35634 208.80.152.2 80 tcp - - - - OTH - - 0 D 1 515 0 0 - #close 2016-07-13-16-12-55 diff --git a/testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log b/testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log index 1959602389..b9c04a357e 100644 --- a/testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log +++ b/testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log @@ -6,5 +6,5 @@ #open 2016-07-13-16-12-56 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475168.892936 CHhAvVGS1DHFjwGM9 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) +1300475168.892936 CHhAvVGS1DHFjwGM9 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - #close 2016-07-13-16-12-56 diff --git a/testing/btest/Baseline/core.pppoe/conn.log b/testing/btest/Baseline/core.pppoe/conn.log index e2f4a62533..cb6579e9e2 100644 --- a/testing/btest/Baseline/core.pppoe/conn.log +++ b/testing/btest/Baseline/core.pppoe/conn.log 
@@ -6,11 +6,11 @@ #open 2016-07-13-16-12-57 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1284385417.962560 CUM0KZ3MLUfNB0cl11 fe80::ce05:eff:fe88:0 546 ff02::1:2 547 udp - 0.078000 114 0 S0 - - 0 D 2 210 0 0 (empty) -1284385418.014560 CmES5u32sYpV7JYN fe80::c801:eff:fe88:8 547 fe80::ce05:eff:fe88:0 546 udp - 0.096000 192 0 S0 - - 0 D 2 288 0 0 (empty) -1284385411.035560 CHhAvVGS1DHFjwGM9 fe80::c801:eff:fe88:8 143 ff02::16 0 icmp - 0.835000 160 0 OTH - - 0 - 8 608 0 0 (empty) -1284385451.658560 CP5puj4I8PtEU4qzYg fc00:0:2:100::1:1 128 fc00::1 129 icmp - 0.156000 260 260 OTH - - 0 - 5 500 5 500 (empty) -1284385412.963560 C4J4Th3PJpwUYZZ6gc fe80::ce05:eff:fe88:0 133 ff02::2 134 icmp - - - - OTH - - 0 - 1 48 0 0 (empty) -1284385413.027560 CtPZjS20MLrsMUOJi2 fe80::c801:eff:fe88:8 134 fe80::ce05:eff:fe88:0 133 icmp - - - - OTH - - 0 - 1 64 0 0 (empty) -1284385411.091560 ClEkJM2Vm5giqnMf4h fe80::c801:eff:fe88:8 136 ff02::1 135 icmp - - - - OTH - - 0 - 1 64 0 0 (empty) +1284385417.962560 CUM0KZ3MLUfNB0cl11 fe80::ce05:eff:fe88:0 546 ff02::1:2 547 udp - 0.078000 114 0 S0 - - 0 D 2 210 0 0 - +1284385418.014560 CmES5u32sYpV7JYN fe80::c801:eff:fe88:8 547 fe80::ce05:eff:fe88:0 546 udp - 0.096000 192 0 S0 - - 0 D 2 288 0 0 - +1284385411.035560 CHhAvVGS1DHFjwGM9 fe80::c801:eff:fe88:8 143 ff02::16 0 icmp - 0.835000 160 0 OTH - - 0 - 8 608 0 0 - +1284385451.658560 CP5puj4I8PtEU4qzYg fc00:0:2:100::1:1 128 fc00::1 129 icmp - 0.156000 260 260 OTH - - 0 - 5 500 5 500 - +1284385412.963560 C4J4Th3PJpwUYZZ6gc fe80::ce05:eff:fe88:0 133 ff02::2 134 icmp - - - - OTH - - 0 - 1 48 0 0 - +1284385413.027560 CtPZjS20MLrsMUOJi2 fe80::c801:eff:fe88:8 134 fe80::ce05:eff:fe88:0 133 icmp - - - - 
OTH - - 0 - 1 64 0 0 - +1284385411.091560 ClEkJM2Vm5giqnMf4h fe80::c801:eff:fe88:8 136 ff02::1 135 icmp - - - - OTH - - 0 - 1 64 0 0 - #close 2016-07-13-16-12-57 diff --git a/testing/btest/Baseline/core.print-bpf-filters/conn.log b/testing/btest/Baseline/core.print-bpf-filters/conn.log index aa954a972e..e7f8f8714a 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/conn.log +++ b/testing/btest/Baseline/core.print-bpf-filters/conn.log @@ -6,5 +6,5 @@ #open 2016-07-13-16-12-58 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1278600802.069419 CHhAvVGS1DHFjwGM9 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 (empty) +1278600802.069419 CHhAvVGS1DHFjwGM9 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 - #close 2016-07-13-16-12-59 diff --git a/testing/btest/Baseline/core.q-in-q/conn.log b/testing/btest/Baseline/core.q-in-q/conn.log index 9ef7628b01..84cc55d13d 100644 --- a/testing/btest/Baseline/core.q-in-q/conn.log +++ b/testing/btest/Baseline/core.q-in-q/conn.log 
@@ -6,6 +6,6 @@ #open 2016-07-13-16-13-00 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1363900699.548138 CHhAvVGS1DHFjwGM9 172.19.51.37 47808 172.19.51.63 47808 udp - 0.000100 36 0 S0 - - 0 D 2 92 0 0 (empty) -1363900699.549647 ClEkJM2Vm5giqnMf4h 193.1.186.60 9875 224.2.127.254 9875 udp - 0.000139 552 0 S0 - - 0 D 2 608 0 0 (empty) +1363900699.548138 CHhAvVGS1DHFjwGM9 172.19.51.37 47808 172.19.51.63 47808 udp - 0.000100 36 0 S0 - - 0 D 2 92 0 0 - +1363900699.549647 ClEkJM2Vm5giqnMf4h 193.1.186.60 9875 224.2.127.254 9875 udp - 0.000139 552 0 S0 - - 0 D 2 608 0 0 - #close 2016-07-13-16-13-00 diff --git a/testing/btest/Baseline/core.radiotap/conn.log b/testing/btest/Baseline/core.radiotap/conn.log index a8bd4c7591..c88d32480e 100644 --- a/testing/btest/Baseline/core.radiotap/conn.log +++ b/testing/btest/Baseline/core.radiotap/conn.log 
@@ -6,6 +6,6 @@ #open 2016-07-13-16-13-00 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1439902891.705224 CHhAvVGS1DHFjwGM9 172.17.156.76 61738 208.67.220.220 53 udp dns 0.041654 35 128 SF - - 0 Dd 1 63 1 156 (empty) -1439903050.580632 ClEkJM2Vm5giqnMf4h fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 328 0 0 (empty) +1439902891.705224 CHhAvVGS1DHFjwGM9 172.17.156.76 61738 208.67.220.220 53 udp dns 0.041654 35 128 SF - - 0 Dd 1 63 1 156 - +1439903050.580632 ClEkJM2Vm5giqnMf4h fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 328 0 0 - #close 2016-07-13-16-13-00 diff --git a/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log index 73c860cb67..8da44df913 100644 --- a/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log +++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log 
@@ -6,7 +6,7 @@ #open 2016-07-13-16-13-01 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1395939406.175845 ClEkJM2Vm5giqnMf4h 192.168.56.1 59763 192.168.56.101 63988 tcp ftp-data 0.001676 0 270 SF - - 0 ShAdfFa 5 272 4 486 (empty) -1395939411.361078 C4J4Th3PJpwUYZZ6gc 192.168.56.1 59764 192.168.56.101 37150 tcp ftp-data 150.496065 0 5416666670 SF - - 4675708816 ShAdfFa 13 688 12 24454 (empty) -1395939399.984671 CHhAvVGS1DHFjwGM9 192.168.56.1 59762 192.168.56.101 21 tcp ftp 169.634297 104 1041 SF - - 0 ShAdDaFf 31 1728 18 1985 (empty) +1395939406.175845 ClEkJM2Vm5giqnMf4h 192.168.56.1 59763 192.168.56.101 63988 tcp ftp-data 0.001676 0 270 SF - - 0 ShAdfFa 5 272 4 486 - +1395939411.361078 C4J4Th3PJpwUYZZ6gc 192.168.56.1 59764 192.168.56.101 37150 tcp ftp-data 150.496065 0 5416666670 SF - - 4675708816 ShAdfFa 13 688 12 24454 - +1395939399.984671 CHhAvVGS1DHFjwGM9 192.168.56.1 59762 192.168.56.101 21 tcp ftp 169.634297 104 1041 SF - - 0 ShAdDaFf 31 1728 18 1985 - #close 2016-07-13-16-13-01 diff --git a/testing/btest/Baseline/core.tcp.miss-end-data/conn.log b/testing/btest/Baseline/core.tcp.miss-end-data/conn.log index 048065166c..b33aec3366 100644 --- a/testing/btest/Baseline/core.tcp.miss-end-data/conn.log +++ b/testing/btest/Baseline/core.tcp.miss-end-data/conn.log 
@@ -6,5 +6,5 @@ #open 2016-07-13-16-13-02 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1331764471.664131 CHhAvVGS1DHFjwGM9 192.168.122.230 60648 77.238.160.184 80 tcp http 10.048360 538 2902 SF - - 2902 ShADafF 5 750 4 172 (empty) +1331764471.664131 CHhAvVGS1DHFjwGM9 192.168.122.230 60648 77.238.160.184 80 tcp http 10.048360 538 2902 SF - - 2902 ShADafF 5 750 4 172 - #close 2016-07-13-16-13-02 diff --git a/testing/btest/Baseline/core.tcp.missing-syn/conn.log b/testing/btest/Baseline/core.tcp.missing-syn/conn.log index ca1f61216f..4832f83bfe 100644 --- a/testing/btest/Baseline/core.tcp.missing-syn/conn.log +++ b/testing/btest/Baseline/core.tcp.missing-syn/conn.log @@ -6,5 +6,5 @@ #open 2016-07-13-17-58-31 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 (empty) +1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 - #close 2016-07-13-17-58-31 diff --git a/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log b/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log index f8ffb3ad74..43daf101a3 100644 --- a/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log +++ b/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-13-02 +#open 2018-01-12-21-43-34 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1285862902.700271 CHhAvVGS1DHFjwGM9 10.0.88.85 50368 192.168.0.27 80 tcp - 60.991770 474 23783 RSTO - - 24257 ShADadtR 17 1250 22 28961 (empty) -#close 2016-07-13-16-13-03 +1285862902.700271 CHhAvVGS1DHFjwGM9 10.0.88.85 50368 192.168.0.27 80 tcp - 60.991770 474 23783 RSTO - - 24257 ShADadtR 17 1250 22 28961 - +#close 2018-01-12-21-43-34 diff --git a/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log b/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log index 73ec0e6fad..22d4ec3ab9 100644 --- a/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log +++ b/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log 
@@ -3,41 +3,41 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-13-03 +#open 2018-01-12-21-43-35 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 (empty) -1300475167.097012 ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 199 0 0 (empty) -1300475167.099816 C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 179 0 0 (empty) -1300475168.853899 CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.854378 CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475168.854837 C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.857956 C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.858306 CFLRIC3zaTU1loLGxh 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475168.858713 C9rXSW3KSpTYvPrlI1 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.891644 C9mvWx3ezztgzcexV7 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.892037 CNnMIj2QSd84NKf7U3 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475168.892414 C7fIlMZDuRiqjpYbb 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) 
-1300475168.893988 CpmdRlaUoJLN3uIRa 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.894422 C1Xkzz2MaGtLrc1Tla 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475168.894787 CqlVyW1YwZ15RhTBc4 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.901749 CBA8792iHmnhPLksKa 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) -1300475168.902195 CGLPPc35OzDQij1XX8 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) -1300475169.899438 Cipfzj1BEnhejw8cGf 141.142.220.44 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 85 0 0 (empty) -1300475170.862384 CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) -1300475171.675372 CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475171.677081 CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.116749 C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475173.117362 CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.153679 CaGCc13FffXe6RkQl9 141.142.220.238 56641 141.142.220.255 137 udp dns - - - S0 - - 0 D 1 78 0 0 (empty) -1300475169.780331 CFSwNi4CNGxcuffo49 141.142.220.235 6705 173.192.163.128 80 tcp - - - - OTH - - 0 ^h 0 0 1 48 (empty) -1300475168.892913 CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) -1300475168.724007 CUM0KZ3MLUfNB0cl11 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) -1300475168.855330 CwjjYJ2WqgTbAqiHl6 141.142.220.118 
49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) -1300475168.855305 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) -1300475168.652003 CtPZjS20MLrsMUOJi2 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) -1300475168.902635 CiyBAq1bBLNaTiTAc 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) -1300475168.859163 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) -1300475168.892936 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) -1300475168.895267 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) -#close 2016-07-13-16-13-03 +1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 - +1300475167.097012 ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 199 0 0 - +1300475167.099816 C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 179 0 0 - +1300475168.853899 CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.854378 CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - +1300475168.854837 C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.857956 C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.858306 CFLRIC3zaTU1loLGxh 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - +1300475168.858713 C9rXSW3KSpTYvPrlI1 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF 
- - 0 Dd 1 66 1 211 - +1300475168.891644 C9mvWx3ezztgzcexV7 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.892037 CNnMIj2QSd84NKf7U3 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - +1300475168.892414 C7fIlMZDuRiqjpYbb 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.893988 CpmdRlaUoJLN3uIRa 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.894422 C1Xkzz2MaGtLrc1Tla 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - +1300475168.894787 CqlVyW1YwZ15RhTBc4 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.901749 CBA8792iHmnhPLksKa 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - +1300475168.902195 CGLPPc35OzDQij1XX8 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - +1300475169.899438 Cipfzj1BEnhejw8cGf 141.142.220.44 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 85 0 0 - +1300475170.862384 CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 - - 0 D 7 546 0 0 - +1300475171.675372 CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 - - 0 D 2 162 0 0 - +1300475171.677081 CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.116749 C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 - - 0 D 2 162 0 0 - +1300475173.117362 CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.153679 CaGCc13FffXe6RkQl9 141.142.220.238 56641 141.142.220.255 137 udp dns - - - S0 - - 0 D 1 78 0 0 - +1300475169.780331 CFSwNi4CNGxcuffo49 141.142.220.235 6705 173.192.163.128 80 tcp - - - - OTH - - 0 ^h 0 0 1 48 - +1300475168.892913 
CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 - +1300475168.724007 CUM0KZ3MLUfNB0cl11 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 - +1300475168.855330 CwjjYJ2WqgTbAqiHl6 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 - +1300475168.855305 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 - +1300475168.652003 CtPZjS20MLrsMUOJi2 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 - +1300475168.902635 CiyBAq1bBLNaTiTAc 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 - +1300475168.859163 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 - +1300475168.892936 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - +1300475168.895267 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 - +#close 2018-01-12-21-43-35 diff --git a/testing/btest/Baseline/core.tunnels.ayiya/conn.log b/testing/btest/Baseline/core.tunnels.ayiya/conn.log index d50978e86d..662918b83a 100644 --- a/testing/btest/Baseline/core.tunnels.ayiya/conn.log +++ b/testing/btest/Baseline/core.tunnels.ayiya/conn.log 
@@ -7,8 +7,8 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1257655301.595604 C37jN32gN3y3AZzyf6 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 tcp http 2.101052 2981 4665 S1 - - 0 ShADad 10 3605 11 5329 C4J4Th3PJpwUYZZ6gc -1257655296.585034 C4J4Th3PJpwUYZZ6gc 192.168.3.101 53859 216.14.98.22 5072 udp ayiya 20.879001 5129 6109 SF - - 0 Dd 21 5717 13 6473 (empty) -1257655293.629048 CHhAvVGS1DHFjwGM9 192.168.3.101 53796 216.14.98.22 5072 udp ayiya - - - SHR - - 0 ^d 0 0 1 176 (empty) +1257655296.585034 C4J4Th3PJpwUYZZ6gc 192.168.3.101 53859 216.14.98.22 5072 udp ayiya 20.879001 5129 6109 SF - - 0 Dd 21 5717 13 6473 - +1257655293.629048 CHhAvVGS1DHFjwGM9 192.168.3.101 53796 216.14.98.22 5072 udp ayiya - - - SHR - - 0 ^d 0 0 1 176 - 1257655296.585333 CP5puj4I8PtEU4qzYg :: 135 ff02::1:ff00:2 136 icmp - - - - OTH - - 0 - 1 64 0 0 C4J4Th3PJpwUYZZ6gc 1257655296.585151 CUM0KZ3MLUfNB0cl11 fe80::216:cbff:fe9a:4cb9 131 ff02::2:f901:d225 130 icmp - 0.719947 32 0 OTH - - 0 - 2 144 0 0 C4J4Th3PJpwUYZZ6gc 1257655296.585034 CtPZjS20MLrsMUOJi2 fe80::216:cbff:fe9a:4cb9 131 ff02::1:ff9a:4cb9 130 icmp - 4.922880 32 0 OTH - - 0 - 2 144 0 0 C4J4Th3PJpwUYZZ6gc diff --git a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log index a6e8235233..ce137763d0 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log +++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log 
@@ -7,6 +7,6 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1333458850.321642 ClEkJM2Vm5giqnMf4h 10.131.17.170 51803 173.199.115.168 80 tcp http 0.257902 1138 63424 S3 - - 0 ShADadf 29 2310 49 65396 CHhAvVGS1DHFjwGM9,C4J4Th3PJpwUYZZ6gc -1333458850.321642 CHhAvVGS1DHFjwGM9 167.55.105.244 5906 207.233.125.40 2152 udp gtpv1 0.257902 2542 0 S0 - - 0 D 29 3354 0 0 (empty) -1333458850.325787 C4J4Th3PJpwUYZZ6gc 207.233.125.40 2152 167.55.105.244 2152 udp gtpv1 0.251127 65788 0 S0 - - 0 D 49 67160 0 0 (empty) +1333458850.321642 CHhAvVGS1DHFjwGM9 167.55.105.244 5906 207.233.125.40 2152 udp gtpv1 0.257902 2542 0 S0 - - 0 D 29 3354 0 0 - +1333458850.325787 C4J4Th3PJpwUYZZ6gc 207.233.125.40 2152 167.55.105.244 2152 udp gtpv1 0.251127 65788 0 S0 - - 0 D 49 67160 0 0 - #close 2016-07-13-16-13-06 diff --git a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log index 7917700127..fa2c080c7a 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log +++ b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log 
@@ -6,5 +6,5 @@ #open 2016-07-13-16-13-07 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1333458871.219794 CHhAvVGS1DHFjwGM9 10.131.24.6 2152 195.178.38.3 53 udp dns - - - S0 - - 0 D 1 64 0 0 (empty) +1333458871.219794 CHhAvVGS1DHFjwGM9 10.131.24.6 2152 195.178.38.3 53 udp dns - - - S0 - - 0 D 1 64 0 0 - #close 2016-07-13-16-13-07 diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log index 7fd6ec6835..9f8d866fbb 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log +++ b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log @@ -7,6 +7,6 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1333458851.770000 ClEkJM2Vm5giqnMf4h fe80::224c:4fff:fe43:414c 1234 ff02::1:3 5355 udp dns - - - S0 - - 0 D 1 80 0 0 CHhAvVGS1DHFjwGM9 -1333458851.770000 CHhAvVGS1DHFjwGM9 118.92.124.41 2152 118.92.124.72 2152 udp gtpv1 0.199236 152 0 S0 - - 0 D 2 208 0 0 (empty) +1333458851.770000 CHhAvVGS1DHFjwGM9 118.92.124.41 2152 118.92.124.72 2152 udp gtpv1 0.199236 152 0 S0 - - 0 D 2 208 0 0 - 1333458851.969236 C4J4Th3PJpwUYZZ6gc fe80::224c:4fff:fe43:414c 133 ff02::2 134 icmp - - - - OTH - - 0 - 1 56 0 0 CHhAvVGS1DHFjwGM9 #close 2016-07-13-16-13-08 
diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log
index 12fc4e0e0c..53ab0420a6 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log
@@ -10,17 +10,17 @@ 1333458850.035456 C0LAHyvtKSQHyJxIl 172.27.159.9 63912 94.245.121.253 3544 udp teredo - - - S0 - - 0 D 1 89 0 0 CwjjYJ2WqgTbAqiHl6 1333458850.029783 C37jN32gN3y3AZzyf6 172.24.16.67 52298 65.55.158.118 3544 udp teredo - - - S0 - - 0 D 1 88 0 0 CmES5u32sYpV7JYN 1333458850.040098 C7fIlMZDuRiqjpYbb 172.24.203.81 54447 65.55.158.118 3544 udp teredo 0.003698 120 0 S0 - - 0 D 2 176 0 0 CNnMIj2QSd84NKf7U3 -1333458850.037956 Ck51lg1bScffFj34Ri 190.104.181.57 2152 190.104.181.222 2152 udp gtpv1 - - - S0 - - 0 D 1 120 0 0 (empty) +1333458850.037956 Ck51lg1bScffFj34Ri 190.104.181.57 2152 190.104.181.222 2152 udp gtpv1 - - - S0 - - 0 D 1 120 0 0 - 1333458850.035460 C9rXSW3KSpTYvPrlI1 172.27.159.9 63912 94.245.121.254 3544 udp teredo - - - S0 - - 0 D 1 89 0 0 CwjjYJ2WqgTbAqiHl6 -1333458850.040098 CNnMIj2QSd84NKf7U3 174.94.190.229 2152 190.104.181.57 2152 udp gtpv1 0.003698 192 0 S0 - - 0 D 2 248 0 0 (empty) -1333458850.035456 CwjjYJ2WqgTbAqiHl6 190.104.181.210 2152 190.104.181.125 2152 udp gtpv1 0.000004 194 0 S0 - - 0 D 2 250 0 0 (empty) +1333458850.040098 CNnMIj2QSd84NKf7U3 174.94.190.229 2152 190.104.181.57 2152 udp gtpv1 0.003698 192 0 S0 - - 0 D 2 248 0 0 - +1333458850.035456 CwjjYJ2WqgTbAqiHl6 190.104.181.210 2152 190.104.181.125 2152 udp gtpv1 0.000004 194 0 S0 - - 0 D 2 250 0 0 - 1333458850.029781 CP5puj4I8PtEU4qzYg 172.24.16.67 52298 94.245.121.253 3544 udp teredo - - - S0 - - 0 D 1 88 0 0 CmES5u32sYpV7JYN 1333458850.032887 C3eiCBGOLw3VtHfOj 10.131.42.160 62069 94.245.121.253 3544 udp teredo - - - SHR - - 0 ^d 0 0 1 84 C4J4Th3PJpwUYZZ6gc 1333458850.037956 C9mvWx3ezztgzcexV7 10.131.112.102 51403 94.245.121.253 3544 udp teredo - - - SHR - - 0 ^d 0 0 1 84 Ck51lg1bScffFj34Ri -1333458850.014199 CHhAvVGS1DHFjwGM9 174.94.190.213 2152 190.104.181.57 2152 udp gtpv1 - - - S0 - - 0 D 1 124 0 0 (empty) -1333458850.016620 C4J4Th3PJpwUYZZ6gc 174.94.190.229 2152 190.104.181.62 2152 udp gtpv1 0.016267 88 92 SF - - 0 Dd 1 116 1 120 (empty) +1333458850.014199 
CHhAvVGS1DHFjwGM9 174.94.190.213 2152 190.104.181.57 2152 udp gtpv1 - - - S0 - - 0 D 1 124 0 0 - +1333458850.016620 C4J4Th3PJpwUYZZ6gc 174.94.190.229 2152 190.104.181.62 2152 udp gtpv1 0.016267 88 92 SF - - 0 Dd 1 116 1 120 - 1333458850.016620 CtPZjS20MLrsMUOJi2 172.24.16.121 61901 94.245.121.251 3544 udp teredo - - - S0 - - 0 D 1 80 0 0 C4J4Th3PJpwUYZZ6gc -1333458850.029781 CmES5u32sYpV7JYN 190.104.181.254 2152 190.104.181.62 2152 udp gtpv1 0.000002 192 0 S0 - - 0 D 2 248 0 0 (empty) +1333458850.029781 CmES5u32sYpV7JYN 190.104.181.254 2152 190.104.181.62 2152 udp gtpv1 0.000002 192 0 S0 - - 0 D 2 248 0 0 - 1333458850.016620 CUM0KZ3MLUfNB0cl11 2001:0:5ef5:79fb:38b8:1695:2b37:be8e 128 2002:2571:c817::2571:c817 129 icmp - - - - OTH - - 0 - 1 52 0 0 CtPZjS20MLrsMUOJi2 1333458850.035456 CFLRIC3zaTU1loLGxh fe80::ffff:ffff:fffe 133 ff02::2 134 icmp - 0.000004 0 0 OTH - - 0 - 2 96 0 0 C9rXSW3KSpTYvPrlI1,C0LAHyvtKSQHyJxIl #close 2016-07-13-16-13-08 diff --git a/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log b/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log index a25cc10a18..151b7a135b 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log +++ b/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log 
@@ -6,6 +6,6 @@ #open 2016-07-13-16-13-09 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1333458850.867091 ClEkJM2Vm5giqnMf4h 247.56.43.214 2152 237.56.101.238 2152 udp - 0.028676 12 14 SF - - 0 Dd 1 40 1 42 (empty) -1333458850.532814 CHhAvVGS1DHFjwGM9 247.56.43.90 2152 247.56.43.248 2152 udp - - - - S0 - - 0 D 1 52 0 0 (empty) +1333458850.867091 ClEkJM2Vm5giqnMf4h 247.56.43.214 2152 237.56.101.238 2152 udp - 0.028676 12 14 SF - - 0 Dd 1 40 1 42 - +1333458850.532814 CHhAvVGS1DHFjwGM9 247.56.43.90 2152 247.56.43.248 2152 udp - - - - S0 - - 0 D 1 52 0 0 - #close 2016-07-13-16-13-09 diff --git a/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log b/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log index ea885d6a5f..1a0e4515cb 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log +++ b/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log 
@@ -7,5 +7,5 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1333458852.011535 ClEkJM2Vm5giqnMf4h 10.222.10.10 44960 173.194.69.188 5228 tcp ssl 0.573499 704 1026 S1 - - 0 ShADad 17 1604 14 1762 CHhAvVGS1DHFjwGM9 -1333458852.011535 CHhAvVGS1DHFjwGM9 79.188.154.91 2152 243.149.173.198 2152 udp gtpv1 0.573499 1740 1930 SF - - 0 Dd 17 2216 14 2322 (empty) +1333458852.011535 CHhAvVGS1DHFjwGM9 79.188.154.91 2152 243.149.173.198 2152 udp gtpv1 0.573499 1740 1930 SF - - 0 Dd 17 2216 14 2322 - #close 2016-07-13-16-13-10 diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log index 1216a09d8a..4c598b386d 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log +++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log @@ -7,5 +7,5 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1333458850.364667 ClEkJM2Vm5giqnMf4h 10.131.47.185 1923 79.101.110.141 80 tcp http 0.069783 2100 56702 SF - - 0 ShADadfF 27 3204 41 52594 CHhAvVGS1DHFjwGM9 -1333458850.364667 CHhAvVGS1DHFjwGM9 239.114.155.111 2152 63.94.149.181 2152 udp gtpv1 0.069813 3420 52922 SF - - 0 Dd 27 4176 41 54070 (empty) +1333458850.364667 CHhAvVGS1DHFjwGM9 239.114.155.111 2152 63.94.149.181 2152 udp gtpv1 0.069813 3420 52922 SF - - 0 Dd 27 4176 41 54070 - #close 2016-07-13-16-13-10 
diff --git a/testing/btest/Baseline/core.tunnels.teredo/conn.log b/testing/btest/Baseline/core.tunnels.teredo/conn.log
index 12e7481b36..159ad78bb6 100644
--- a/testing/btest/Baseline/core.tunnels.teredo/conn.log
+++ b/testing/btest/Baseline/core.tunnels.teredo/conn.log
@@ -6,24 +6,24 @@ #open 2016-07-13-16-13-14 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1210953047.736921 ClEkJM2Vm5giqnMf4h 192.168.2.16 1576 75.126.130.163 80 tcp - 0.000357 0 0 SHR - - 0 ^fA 1 40 1 40 (empty) -1210953050.867067 C4J4Th3PJpwUYZZ6gc 192.168.2.16 1577 75.126.203.78 80 tcp - 0.000387 0 0 SHR - - 0 ^fA 1 40 1 40 (empty) -1210953057.833364 C37jN32gN3y3AZzyf6 192.168.2.16 1577 75.126.203.78 80 tcp - 0.079208 0 0 SH - - 0 Fa 1 40 1 40 (empty) -1210953058.007081 CwjjYJ2WqgTbAqiHl6 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) -1210953057.834454 C3eiCBGOLw3VtHfOj 192.168.2.16 1578 75.126.203.78 80 tcp http 0.407908 790 171 RSTO - - 0 ShADadR 6 1038 4 335 (empty) -1210953058.350065 C0LAHyvtKSQHyJxIl 192.168.2.16 1920 192.168.2.1 53 udp dns 0.223055 66 438 SF - - 0 Dd 2 122 2 494 (empty) -1210953058.577231 CFLRIC3zaTU1loLGxh 192.168.2.16 137 192.168.2.255 137 udp dns 1.499261 150 0 S0 - - 0 D 3 234 0 0 (empty) -1210953074.264819 CtxTCR2Yer0FR1tIBg 192.168.2.16 1920 192.168.2.1 53 udp dns 0.297723 123 598 SF - - 0 Dd 3 207 3 682 (empty) -1210953074.570439 CpmdRlaUoJLN3uIRa 192.168.2.16 1580 67.228.110.120 80 tcp http 0.466677 469 3916 SF - - 0 ShADadFf 7 757 6 4164 (empty) -1210953074.057124 CykQaM33ztNt0csB9a 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTRH - - 0 ^r 0 0 1 40 (empty) +1210953047.736921 ClEkJM2Vm5giqnMf4h 192.168.2.16 1576 75.126.130.163 80 tcp - 0.000357 0 0 SHR - - 0 ^fA 1 40 1 40 - +1210953050.867067 C4J4Th3PJpwUYZZ6gc 192.168.2.16 1577 75.126.203.78 80 tcp - 0.000387 0 0 SHR - - 0 ^fA 1 40 1 40 - +1210953057.833364 C37jN32gN3y3AZzyf6 192.168.2.16 1577 75.126.203.78 80 tcp - 0.079208 0 0 SH - - 0 
Fa 1 40 1 40 - +1210953058.007081 CwjjYJ2WqgTbAqiHl6 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - +1210953057.834454 C3eiCBGOLw3VtHfOj 192.168.2.16 1578 75.126.203.78 80 tcp http 0.407908 790 171 RSTO - - 0 ShADadR 6 1038 4 335 - +1210953058.350065 C0LAHyvtKSQHyJxIl 192.168.2.16 1920 192.168.2.1 53 udp dns 0.223055 66 438 SF - - 0 Dd 2 122 2 494 - +1210953058.577231 CFLRIC3zaTU1loLGxh 192.168.2.16 137 192.168.2.255 137 udp dns 1.499261 150 0 S0 - - 0 D 3 234 0 0 - +1210953074.264819 CtxTCR2Yer0FR1tIBg 192.168.2.16 1920 192.168.2.1 53 udp dns 0.297723 123 598 SF - - 0 Dd 3 207 3 682 - +1210953074.570439 CpmdRlaUoJLN3uIRa 192.168.2.16 1580 67.228.110.120 80 tcp http 0.466677 469 3916 SF - - 0 ShADadFf 7 757 6 4164 - +1210953074.057124 CykQaM33ztNt0csB9a 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTRH - - 0 ^r 0 0 1 40 - 1210953061.312379 CNnMIj2QSd84NKf7U3 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 tcp http 12.810848 1675 10467 S1 - - 0 ShADad 10 2279 12 11191 Ck51lg1bScffFj34Ri -1210953076.058333 C1Xkzz2MaGtLrc1Tla 192.168.2.16 1578 75.126.203.78 80 tcp - - - - RSTRH - - 0 ^r 0 0 1 40 (empty) -1210953074.055744 C7fIlMZDuRiqjpYbb 192.168.2.16 1577 75.126.203.78 80 tcp - - - - RSTRH - - 0 ^r 0 0 1 40 (empty) -1210953052.324629 CmES5u32sYpV7JYN 192.168.2.16 3797 65.55.158.81 3544 udp - - - - SHR - - 0 ^d 0 0 1 137 (empty) -1210953052.202579 CtPZjS20MLrsMUOJi2 192.168.2.16 3797 65.55.158.80 3544 udp teredo 8.928880 129 48 SF - - 0 Dd 2 185 1 76 (empty) -1210953058.933954 C9rXSW3KSpTYvPrlI1 0.0.0.0 68 255.255.255.255 67 udp dhcp - - - S0 - - 0 D 1 328 0 0 (empty) -1210953060.829233 Ck51lg1bScffFj34Ri 192.168.2.16 3797 83.170.1.38 32900 udp teredo 13.293994 2359 11243 SF - - 0 Dd 12 2695 13 11607 (empty) -1210953046.591933 CHhAvVGS1DHFjwGM9 192.168.2.16 138 192.168.2.255 138 udp - 28.448321 416 0 S0 - - 0 D 2 472 0 0 (empty) +1210953076.058333 C1Xkzz2MaGtLrc1Tla 192.168.2.16 1578 75.126.203.78 80 tcp - - - - RSTRH 
- - 0 ^r 0 0 1 40 - +1210953074.055744 C7fIlMZDuRiqjpYbb 192.168.2.16 1577 75.126.203.78 80 tcp - - - - RSTRH - - 0 ^r 0 0 1 40 - +1210953052.324629 CmES5u32sYpV7JYN 192.168.2.16 3797 65.55.158.81 3544 udp - - - - SHR - - 0 ^d 0 0 1 137 - +1210953052.202579 CtPZjS20MLrsMUOJi2 192.168.2.16 3797 65.55.158.80 3544 udp teredo 8.928880 129 48 SF - - 0 Dd 2 185 1 76 - +1210953058.933954 C9rXSW3KSpTYvPrlI1 0.0.0.0 68 255.255.255.255 67 udp dhcp - - - S0 - - 0 D 1 328 0 0 - +1210953060.829233 Ck51lg1bScffFj34Ri 192.168.2.16 3797 83.170.1.38 32900 udp teredo 13.293994 2359 11243 SF - - 0 Dd 12 2695 13 11607 - +1210953046.591933 CHhAvVGS1DHFjwGM9 192.168.2.16 138 192.168.2.255 138 udp - 28.448321 416 0 S0 - - 0 D 2 472 0 0 - 1210953052.324629 CP5puj4I8PtEU4qzYg fe80::8000:f227:bec8:61af 134 fe80::8000:ffff:ffff:fffd 133 icmp - - - - OTH - - 0 - 1 88 0 0 CmES5u32sYpV7JYN 1210953060.829303 C9mvWx3ezztgzcexV7 2001:0:4137:9e50:8000:f12a:b9c8:2815 128 2001:4860:0:2001::68 129 icmp - 0.463615 4 4 OTH - - 0 - 1 52 1 52 CtPZjS20MLrsMUOJi2,Ck51lg1bScffFj34Ri 1210953052.202579 CUM0KZ3MLUfNB0cl11 fe80::8000:ffff:ffff:fffd 133 ff02::2 134 icmp - - - - OTH - - 0 - 1 64 0 0 CtPZjS20MLrsMUOJi2 diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log index 6d4a0302b3..3b4f3da36e 100644 --- a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log +++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log 
@@ -7,9 +7,9 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1340127577.354166 CP5puj4I8PtEU4qzYg 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 tcp http 0.052829 1675 10467 S1 - - 0 ShADad 10 2279 12 11191 CUM0KZ3MLUfNB0cl11 -1340127577.339015 C4J4Th3PJpwUYZZ6gc 192.168.2.16 3797 65.55.158.81 3544 udp - - - - SHR - - 0 ^d 0 0 1 137 (empty) -1340127577.336558 CHhAvVGS1DHFjwGM9 192.168.2.16 3797 65.55.158.80 3544 udp teredo 0.010291 129 52 SF - - 0 Dd 2 185 1 80 (empty) -1340127577.341510 CUM0KZ3MLUfNB0cl11 192.168.2.16 3797 83.170.1.38 32900 udp teredo 0.065485 2367 11243 SF - - 0 Dd 12 2703 13 11607 (empty) +1340127577.339015 C4J4Th3PJpwUYZZ6gc 192.168.2.16 3797 65.55.158.81 3544 udp - - - - SHR - - 0 ^d 0 0 1 137 - +1340127577.336558 CHhAvVGS1DHFjwGM9 192.168.2.16 3797 65.55.158.80 3544 udp teredo 0.010291 129 52 SF - - 0 Dd 2 185 1 80 - +1340127577.341510 CUM0KZ3MLUfNB0cl11 192.168.2.16 3797 83.170.1.38 32900 udp teredo 0.065485 2367 11243 SF - - 0 Dd 12 2703 13 11607 - 1340127577.339015 CtPZjS20MLrsMUOJi2 fe80::8000:f227:bec8:61af 134 fe80::8000:ffff:ffff:fffd 133 icmp - - - - OTH - - 0 - 1 88 0 0 C4J4Th3PJpwUYZZ6gc 1340127577.343969 CmES5u32sYpV7JYN 2001:0:4137:9e50:8000:f12a:b9c8:2815 128 2001:4860:0:2001::68 129 icmp - 0.007778 4 4 OTH - - 0 - 1 52 1 52 CUM0KZ3MLUfNB0cl11,CHhAvVGS1DHFjwGM9 1340127577.336558 ClEkJM2Vm5giqnMf4h fe80::8000:ffff:ffff:fffd 133 ff02::2 134 icmp - - - - OTH - - 0 - 1 64 0 0 CHhAvVGS1DHFjwGM9 diff --git a/testing/btest/Baseline/core.vlan-mpls/conn.log b/testing/btest/Baseline/core.vlan-mpls/conn.log index 7b7b1e919d..5bcf4c6778 100644 --- a/testing/btest/Baseline/core.vlan-mpls/conn.log 
+++ b/testing/btest/Baseline/core.vlan-mpls/conn.log @@ -6,7 +6,7 @@ #open 2016-07-13-16-13-15 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -952109346.874907 CHhAvVGS1DHFjwGM9 10.1.2.1 11001 10.34.0.1 23 tcp - 2.102560 26 0 SH - - 0 SADF 11 470 0 0 (empty) -1128727435.450898 ClEkJM2Vm5giqnMf4h 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - - 0 ShADdFaf 12 730 10 9945 (empty) -1278600802.069419 C4J4Th3PJpwUYZZ6gc 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 (empty) +952109346.874907 CHhAvVGS1DHFjwGM9 10.1.2.1 11001 10.34.0.1 23 tcp - 2.102560 26 0 SH - - 0 SADF 11 470 0 0 - +1128727435.450898 ClEkJM2Vm5giqnMf4h 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - - 0 ShADdFaf 12 730 10 9945 - +1278600802.069419 C4J4Th3PJpwUYZZ6gc 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 - #close 2016-07-13-16-13-15 diff --git a/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/conn.log b/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/conn.log index 7fe6aa385c..6eb08725f5 100644 --- a/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/conn.log +++ b/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/conn.log 
@@ -6,38 +6,38 @@ #open 2013-05-05-20-51-24 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool count string count count count count table[string] -1300475167.096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 73 0 0 (empty) -1300475167.097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - 0 D 1 199 0 0 (empty) -1300475167.099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - 0 D 1 179 0 0 (empty) -1300475168.853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - 0 Dd 1 66 1 117 (empty) -1300475168.854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - 0 Dd 1 80 1 127 (empty) -1300475168.854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - 0 Dd 1 66 1 211 (empty) -1300475168.857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - 0 Dd 1 66 1 117 (empty) -1300475168.858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - 0 Dd 1 80 1 127 (empty) -1300475168.858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - 0 Dd 1 66 1 211 (empty) -1300475168.891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - 0 Dd 1 66 1 117 (empty) -1300475168.892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - 0 Dd 1 80 1 127 (empty) -1300475168.892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - 0 Dd 1 66 1 211 (empty) -1300475168.893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - 0 Dd 1 66 1 117 (empty) -1300475168.894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 
0.000317 52 99 SF - 0 Dd 1 80 1 127 (empty) -1300475168.894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - 0 Dd 1 66 1 211 (empty) -1300475168.901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - 0 Dd 1 64 1 159 (empty) -1300475168.902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - 0 Dd 1 64 1 226 (empty) -1300475169.899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 85 0 0 (empty) -1300475170.862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 - 0 D 7 546 0 0 (empty) -1300475171.675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 - 0 D 2 162 0 0 (empty) -1300475171.677081 v5rgkJBig5l 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 - 0 D 2 122 0 0 (empty) -1300475173.116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 - 0 D 2 162 0 0 (empty) -1300475173.117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 - 0 D 2 122 0 0 (empty) -1300475173.153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns - - - S0 - 0 D 1 78 0 0 (empty) -1300475168.859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - 0 ShADad 6 1450 4 950 (empty) -1300475168.652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - 0 DdA 2 567 1 402 (empty) -1300475168.895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - 0 ShADad 6 1498 4 950 (empty) -1300475168.902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 - 0 ShADad 4 750 3 576 (empty) -1300475168.892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - 0 ShADad 6 1468 4 950 (empty) -1300475168.855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 - 0 ShADad 6 
1491 4 949 (empty) -1300475168.892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 - 0 ShADad 6 1457 4 949 (empty) -1300475169.780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp - - - - OTH - 0 h 0 0 1 48 (empty) -1300475168.724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 - 0 ShADad 4 741 3 396 (empty) -1300475168.855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 - 0 ShADad 6 1445 4 950 (empty) +1300475167.096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 73 0 0 - +1300475167.097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - 0 D 1 199 0 0 - +1300475167.099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - 0 D 1 179 0 0 - +1300475168.853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - 0 Dd 1 66 1 117 - +1300475168.854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - 0 Dd 1 80 1 127 - +1300475168.854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - 0 Dd 1 66 1 211 - +1300475168.857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - 0 Dd 1 66 1 117 - +1300475168.858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - 0 Dd 1 80 1 127 - +1300475168.858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - 0 Dd 1 66 1 211 - +1300475168.891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - 0 Dd 1 66 1 117 - +1300475168.892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - 0 Dd 1 80 1 127 - +1300475168.892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - 0 Dd 1 66 1 211 - +1300475168.893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - 0 Dd 1 66 1 117 - +1300475168.894422 
EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - 0 Dd 1 80 1 127 - +1300475168.894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - 0 Dd 1 66 1 211 - +1300475168.901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - 0 Dd 1 64 1 159 - +1300475168.902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - 0 Dd 1 64 1 226 - +1300475169.899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 85 0 0 - +1300475170.862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 - 0 D 7 546 0 0 - +1300475171.675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 - 0 D 2 162 0 0 - +1300475171.677081 v5rgkJBig5l 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 - 0 D 2 122 0 0 - +1300475173.116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 - 0 D 2 162 0 0 - +1300475173.117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 - 0 D 2 122 0 0 - +1300475173.153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns - - - S0 - 0 D 1 78 0 0 - +1300475168.859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - 0 ShADad 6 1450 4 950 - +1300475168.652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - 0 DdA 2 567 1 402 - +1300475168.895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - 0 ShADad 6 1498 4 950 - +1300475168.902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 - 0 ShADad 4 750 3 576 - +1300475168.892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - 0 ShADad 6 1468 4 950 - +1300475168.855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 - 0 ShADad 6 1491 4 949 - +1300475168.892913 
P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 - 0 ShADad 6 1457 4 949 - +1300475169.780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp - - - - OTH - 0 h 0 0 1 48 - +1300475168.724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 - 0 ShADad 4 741 3 396 - +1300475168.855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 - 0 ShADad 6 1445 4 950 - #close 2013-05-05-20-51-24 diff --git a/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/conn.log b/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/conn.log index 1227e60ad3..cc68286986 100644 --- a/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/conn.log +++ b/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/conn.log 
@@ -6,10 +6,10 @@ #open 2013-05-07-14-38-27 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool count string count count count count table[string] -1320329757.771503 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 tcp http 15.161537 2899 1127 S2 - 0 ShADadF 20 3719 19 1891 (empty) -1320329757.771262 nQcgTWjvg4c 10.0.2.15 49285 192.150.187.43 80 tcp http 15.161772 889 377 S2 - 0 ShADadF 8 1229 8 701 (empty) -1320329757.761327 arKYeMETxOg 10.0.2.15 49283 192.150.187.43 80 tcp http 15.168898 459 189 S2 - 0 ShADadF 5 679 4 353 (empty) -1320329757.458867 UWkUyAuUGXf 10.0.2.15 49282 192.150.187.43 80 tcp http 15.471378 1824 751 S2 - 0 ShADadF 12 2324 13 1275 (empty) -1320329757.761638 k6kgXLOoSKl 10.0.2.15 49284 192.150.187.43 80 tcp http 15.168613 898 376 S2 - 0 ShADadF 8 1238 8 700 (empty) -1320329757.771755 TEfuqmmG4bh 10.0.2.15 49287 192.150.187.43 80 tcp http 15.161267 900 376 S2 - 0 ShADadF 8 1240 8 700 (empty) +1320329757.771503 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 tcp http 15.161537 2899 1127 S2 - 0 ShADadF 20 3719 19 1891 - +1320329757.771262 nQcgTWjvg4c 10.0.2.15 49285 192.150.187.43 80 tcp http 15.161772 889 377 S2 - 0 ShADadF 8 1229 8 701 - +1320329757.761327 arKYeMETxOg 10.0.2.15 49283 192.150.187.43 80 tcp http 15.168898 459 189 S2 - 0 ShADadF 5 679 4 353 - +1320329757.458867 UWkUyAuUGXf 10.0.2.15 49282 192.150.187.43 80 tcp http 15.471378 1824 751 S2 - 0 ShADadF 12 2324 13 1275 - +1320329757.761638 k6kgXLOoSKl 10.0.2.15 49284 192.150.187.43 80 tcp http 15.168613 898 376 S2 - 0 ShADadF 8 1238 8 700 - +1320329757.771755 TEfuqmmG4bh 10.0.2.15 49287 192.150.187.43 80 tcp http 15.161267 900 376 S2 - 0 ShADadF 8 1240 8 700 - #close 2013-05-07-14-38-27 
diff --git a/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1 b/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1 index 763f42387e..fcc4c8f846 100644 --- a/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1 +++ b/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1 @@ -7,7 +7,5 @@ # bro -b -r http/get.trace connection_record_01.bro [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={ - }, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={ - - }], extract_orig=F, extract_resp=F, thresholds=] + }, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=], extract_orig=F, extract_resp=F, thresholds=] 
diff --git a/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1 b/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
index 23cba743e3..db5b18beeb 100644
--- a/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
+++ b/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1
@@ -7,9 +7,7 @@ # bro -b -r http/get.trace connection_record_02.bro [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={ - }, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={ - - }], extract_orig=F, extract_resp=F, thresholds=, http=[ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={ + }, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=], extract_orig=F, extract_resp=F, thresholds=, http=[ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, version=1.1, 
user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={ }, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={ diff --git a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1 b/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1 index d0745a35ea..f64da50784 100644 --- a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1 +++ b/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1 
@@ -16,15 +16,15 @@ #empty_field (empty) #unset_field - #path conn - #open 2016-07-13-16-13-24 + #open 2018-01-12-21-43-52 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] - 1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 (empty) - 1300475167.097012 ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 199 0 0 (empty) - 1300475167.099816 C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 179 0 0 (empty) - 1300475168.853899 CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) - 1300475168.854378 CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) - 1300475168.854837 C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) - 1300475168.857956 C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) + 1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 - + 1300475167.097012 ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 199 0 0 - + 1300475167.099816 C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 179 0 0 - + 1300475168.853899 CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - + 1300475168.854378 CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - + 1300475168.854837 C37jN32gN3y3AZzyf6 
141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - + 1300475168.857956 C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - [...] diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 42b0b6ef26..1b967636a6 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -256,7 +256,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> 
@@ -386,7 +386,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -991,7 +991,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) 
@@ -1121,7 +1121,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) @@ -1725,7 +1725,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 
@@ -1855,7 +1855,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2198,7 +2198,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1510863910.246703, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() 
@@ -2654,8 +2654,8 @@ 1362692527.080972 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 1362692527.080972 MetaHookPost CallFunction(KRB::do_log, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692527.080972 MetaHookPost CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> -1362692527.080972 MetaHookPost CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> -1362692527.080972 MetaHookPost CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> 
+1362692527.080972 MetaHookPost CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) -> +1362692527.080972 MetaHookPost CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) -> 1362692527.080972 MetaHookPost CallFunction(bro_done, , ()) -> 1362692527.080972 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.080972 MetaHookPost CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 
@@ -2687,8 +2687,8 @@ 1362692527.080972 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692527.080972 MetaHookPre CallFunction(KRB::do_log, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -1362692527.080972 MetaHookPre CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -1362692527.080972 MetaHookPre CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) +1362692527.080972 
MetaHookPre CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) +1362692527.080972 MetaHookPre CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) 1362692527.080972 MetaHookPre CallFunction(bro_done, , ()) 1362692527.080972 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.080972 MetaHookPre CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 
@@ -2721,8 +2721,8 @@ 1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692527.080972 | HookCallFunction KRB::do_log([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookCallFunction KRB::fill_in_subjects([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) -1362692527.080972 | HookCallFunction Log::__write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]) -1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]) +1362692527.080972 | HookCallFunction Log::__write(Conn::LOG, 
[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=]) +1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=]) 1362692527.080972 | HookCallFunction bro_done() 1362692527.080972 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) 1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 
@@ -2740,7 +2740,7 @@ 1362692527.080972 | HookCallFunction to_lower(HTTP) 1362692527.080972 | HookDrainEvents 1362692527.080972 | HookLogInit conn 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])} -1362692527.080972 | HookLogWrite conn [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=] +1362692527.080972 | HookLogWrite conn [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=] 1362692527.080972 | HookQueueEvent ChecksumOffloading::check() 1362692527.080972 | HookQueueEvent bro_done() 1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) diff --git a/testing/btest/Baseline/plugins.pktsrc/conn.log b/testing/btest/Baseline/plugins.pktsrc/conn.log index 6beeb3c5ea..1f19f48ffa 100644 
--- a/testing/btest/Baseline/plugins.pktsrc/conn.log +++ b/testing/btest/Baseline/plugins.pktsrc/conn.log @@ -6,5 +6,5 @@ #open 2016-07-13-16-14-11 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1409193037.000000 CHhAvVGS1DHFjwGM9 1.2.0.2 2527 1.2.0.3 6649 tcp - - - - S0 - - 0 S 1 64 0 0 (empty) +1409193037.000000 CHhAvVGS1DHFjwGM9 1.2.0.2 2527 1.2.0.3 6649 tcp - - - - S0 - - 0 S 1 64 0 0 - #close 2016-07-13-16-14-11 diff --git a/testing/btest/Baseline/plugins.writer/output b/testing/btest/Baseline/plugins.writer/output index f17b55dad2..bbd11b8484 100644 --- a/testing/btest/Baseline/plugins.writer/output +++ b/testing/btest/Baseline/plugins.writer/output 
@@ -2,13 +2,13 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0) [Writer] Foo (Log::WRITER_FOO) === -[conn] 1340213005.165293|CHhAvVGS1DHFjwGM9|10.0.0.55|53994|60.190.189.214|8124|tcp|-|4.314406|0|0|S0|-|-|0|S|5|320|0|0| -[conn] 1340213010.582723|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|tcp|socks,http|13.839419|3860|2934|SF|-|-|0|ShADadfF|23|5080|20|3986| -[conn] 1340213048.780152|C4J4Th3PJpwUYZZ6gc|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0| -[conn] 1340213097.272764|CtPZjS20MLrsMUOJi2|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0| -[conn] 1340213162.160367|CUM0KZ3MLUfNB0cl11|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0| -[conn] 1340213226.561757|CmES5u32sYpV7JYN|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0| -[conn] 1340213290.981995|CP5puj4I8PtEU4qzYg|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0| +[conn] 1340213005.165293|CHhAvVGS1DHFjwGM9|10.0.0.55|53994|60.190.189.214|8124|tcp|-|4.314406|0|0|S0|-|-|0|S|5|320|0|0|- +[conn] 1340213010.582723|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|tcp|socks,http|13.839419|3860|2934|SF|-|-|0|ShADadfF|23|5080|20|3986|- +[conn] 1340213048.780152|C4J4Th3PJpwUYZZ6gc|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|- +[conn] 1340213097.272764|CtPZjS20MLrsMUOJi2|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|- +[conn] 1340213162.160367|CUM0KZ3MLUfNB0cl11|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|- +[conn] 1340213226.561757|CmES5u32sYpV7JYN|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|- +[conn] 1340213290.981995|CP5puj4I8PtEU4qzYg|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|- [files] 1340213020.732547|FBtZ7y1ppK8iIeY622|60.190.189.214|10.0.0.55|ClEkJM2Vm5giqnMf4h|HTTP|0||image/gif|-|0.000034|-|F|1368|1368|0|0|F|-|-|-|-|-|-|- [http] 
1340213019.013158|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|1|GET|www.osnews.com|/images/printer2.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- [http] 1340213019.013426|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|2|GET|www.osnews.com|/img2/shorturl.jpg|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- @@ -17,6 +17,6 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0) [http] 1340213020.732963|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|5|GET|www.osnews.com|/images/icons/17.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- [http] 1340213021.300269|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|6|GET|www.osnews.com|/images/left.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- [http] 1340213021.861584|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|7|GET|www.osnews.com|/images/icons/32.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- -[packet_filter] 1485327742.161604|bro|ip or not ip|T|T +[packet_filter] 1515793460.485950|bro|ip or not ip|T|T [socks] 1340213015.276495|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|5|-|-|succeeded|-|www.osnews.com|80|192.168.0.31|-|2688 [tunnel] 1340213015.276495|-|10.0.0.55|0|60.190.189.214|8124|Tunnel::SOCKS|Tunnel::DISCOVER 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-complex/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-complex/conn.log index 96922ff529..1919c5f9d1 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-complex/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-complex/conn.log 
@@ -6,38 +6,38 @@ #open 2016-08-10-20-36-59 #fields _write_ts _stream _innerLogged.a _innerLogged.c _innerLogged.d _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string count count set[count] string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475173.475401 conn 1 3 2,4,1,3 - 1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 
0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 
1 211 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 conn 1 3 
2,4,1,3 - 1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) +1300475173.475401 conn 1 3 2,4,1,3 - 1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 conn 1 3 2,4,1,3 - 
1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 - 
+1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - #close 2016-08-10-20-36-59 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-invalid/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-invalid/conn.log index 7a7408239d..05999fc9e2 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-invalid/conn.log 
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-invalid/conn.log @@ -6,5 +6,5 @@ #open 2016-08-10-20-26-22 #fields _write_ts _stream _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -- - - 1362692526.869344 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 tcp - 0.211484 136 5007 SF - - 0 ShADadFf 7 512 7 5379 (empty) +- - - 1362692526.869344 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 tcp - 0.211484 136 5007 SF - - 0 ShADadFf 7 512 7 5379 - #close 2016-08-10-20-26-22 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-optional/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-optional/conn.log index 64a99641df..867ba696d8 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-optional/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-optional/conn.log 
@@ -6,38 +6,38 @@ #open 2016-08-10-20-27-56 #fields _write_ts _system_name _undefined_string ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475173.475401 bro - 1300475173.475401 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) -1300475173.475401 bro - 1300475173.475401 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) -1300475173.475401 bro - 1300475173.475401 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) -1300475173.475401 bro - 1300475173.475401 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) -1300475173.475401 bro - 1300475173.475401 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) -1300475173.475401 bro - 1300475173.475401 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) -1300475173.475401 bro - 1300475173.475401 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) -1300475173.475401 bro - 1300475173.475401 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) -1300475173.475401 bro - 1300475173.475401 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 
734 S1 - - 0 ShADad 6 1498 4 950 (empty) -1300475173.475401 bro - 1300475173.475401 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 bro - 1300475173.475401 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) -1300475173.475401 bro - 1300475173.475401 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) -1300475173.475401 bro - 1300475173.475401 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 bro - 1300475173.475401 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 bro - 1300475173.475401 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 bro - 1300475173.475401 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 bro - 1300475173.475401 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 bro - 1300475173.475401 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 bro - 1300475173.475401 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty) -1300475173.475401 
bro - 1300475173.475401 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 bro - 1300475173.475401 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 bro - 1300475173.475401 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 bro - 1300475173.475401 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 bro - 1300475173.475401 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) +1300475173.475401 bro - 1300475173.475401 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 - +1300475173.475401 bro - 1300475173.475401 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 - +1300475173.475401 bro - 1300475173.475401 CHhAvVGS1DHFjwGM9 141.142.220.118 
48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 - +1300475173.475401 bro - 1300475173.475401 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 - +1300475173.475401 bro - 1300475173.475401 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 - +1300475173.475401 bro - 1300475173.475401 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 - +1300475173.475401 bro - 1300475173.475401 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 - +1300475173.475401 bro - 1300475173.475401 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 - +1300475173.475401 bro - 1300475173.475401 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - +1300475173.475401 bro - 1300475173.475401 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 - +1300475173.475401 bro - 1300475173.475401 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 bro - 1300475173.475401 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - +1300475173.475401 bro - 1300475173.475401 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - +1300475173.475401 bro - 1300475173.475401 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 bro - 1300475173.475401 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 - +1300475173.475401 bro - 1300475173.475401 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 
0 Dd 1 66 1 211 - +1300475173.475401 bro - 1300475173.475401 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 bro - 1300475173.475401 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 bro - 1300475173.475401 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 - +1300475173.475401 bro - 1300475173.475401 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 - +1300475173.475401 bro - 1300475173.475401 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 bro - 1300475173.475401 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 bro - 1300475173.475401 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 - +1300475173.475401 bro - 1300475173.475401 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.475401 bro - 1300475173.475401 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 - +1300475173.475401 bro - 1300475173.475401 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 bro - 1300475173.475401 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 - +1300475173.475401 bro - 1300475173.475401 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 - +1300475173.475401 bro - 1300475173.475401 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 bro - 1300475173.475401 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 
- - 0 D 2 122 0 0 - +1300475173.475401 bro - 1300475173.475401 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 - +1300475173.475401 bro - 1300475173.475401 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 bro - 1300475173.475401 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 bro - 1300475173.475401 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - #close 2016-08-10-20-27-56 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension/conn.log index dd98eac209..5d66623de7 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension/conn.log 
@@ -6,38 +6,38 @@ #open 2016-08-10-17-45-11 #fields _write_ts _stream _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475173.475401 conn bro 1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) -1300475173.475401 conn bro 1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) -1300475173.475401 conn bro 1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) -1300475173.475401 conn bro 1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) -1300475173.475401 conn bro 1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) -1300475173.475401 conn bro 1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) -1300475173.475401 conn bro 1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) -1300475173.475401 conn bro 1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) -1300475173.475401 conn bro 1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) -1300475173.475401 conn bro 1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 
tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) -1300475173.475401 conn bro 1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 conn bro 1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) -1300475173.475401 conn bro 1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) -1300475173.475401 conn bro 1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 conn bro 1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) -1300475173.475401 conn bro 1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 conn bro 1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 conn bro 1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 conn bro 1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) -1300475173.475401 conn bro 1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) -1300475173.475401 conn bro 1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 conn bro 1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 conn bro 1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 
udp - - - - S0 - - 0 D 1 199 0 0 (empty) -1300475173.475401 conn bro 1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.475401 conn bro 1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) -1300475173.475401 conn bro 1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 conn bro 1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475173.475401 conn bro 1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) -1300475173.475401 conn bro 1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 conn bro 1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.475401 conn bro 1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475173.475401 conn bro 1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 conn bro 1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 conn bro 1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) +1300475173.475401 conn bro 1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 - +1300475173.475401 conn bro 1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 
ShADad 6 1457 4 949 - +1300475173.475401 conn bro 1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 - +1300475173.475401 conn bro 1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 - +1300475173.475401 conn bro 1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 - +1300475173.475401 conn bro 1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 - +1300475173.475401 conn bro 1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 - +1300475173.475401 conn bro 1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 - +1300475173.475401 conn bro 1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - +1300475173.475401 conn bro 1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 - +1300475173.475401 conn bro 1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 conn bro 1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - +1300475173.475401 conn bro 1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - +1300475173.475401 conn bro 1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 conn bro 1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 
179 0 0 - +1300475173.475401 conn bro 1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 conn bro 1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 conn bro 1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 conn bro 1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 - +1300475173.475401 conn bro 1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 - +1300475173.475401 conn bro 1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 conn bro 1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 conn bro 1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 - +1300475173.475401 conn bro 1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.475401 conn bro 1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 - +1300475173.475401 conn bro 1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 conn bro 1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 - +1300475173.475401 conn bro 1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 - +1300475173.475401 conn bro 1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 
141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 conn bro 1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.475401 conn bro 1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 - +1300475173.475401 conn bro 1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 conn bro 1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 conn bro 1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - #close 2016-08-10-17-45-11 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map/conn.log index a97fff59b2..26ea9cd33c 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map/conn.log 
@@ -6,38 +6,38 @@ #open 2016-08-10-16-51-09 #fields ts uid src src_port dst dst_port proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) -1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) -1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) -1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) -1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) -1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) -1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) -1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) -1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) -1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) -1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) -1300475168.902195 
C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) -1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) -1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) -1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) -1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty) -1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) -1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) -1300475168.854378 
CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) +1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 - +1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 - +1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 - +1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 - +1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 - +1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 - +1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 - +1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 - +1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - +1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 
S1 - - 0 ShADad 6 1498 4 950 - +1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - +1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - +1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 - +1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 - +1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - +1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 - +1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 - +1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - +1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 - +1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 - +1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - +1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 
65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 - +1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 - +1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - +1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 - +1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - #close 2016-08-10-16-51-09 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep/conn.log index 2347e0b3ce..da75aa01ec 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep/conn.log 
@@ -6,38 +6,38 @@ #open 2016-08-10-16-53-04 #fields ts uid id_orig_h id_orig_p id_resp_h id_resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) -1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) -1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) -1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) -1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) -1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) -1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) -1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) -1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) -1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) -1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) 
-1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) -1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) -1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) -1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) -1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty) -1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) -1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) 
-1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) +1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 - +1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 - +1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 - +1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 - +1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 - +1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 - +1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 - +1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 - +1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - +1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 
0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 - +1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - +1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - +1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 - +1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 - +1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - +1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 - +1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 - +1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - +1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 - +1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 - +1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - +1300475171.675372 CFSwNi4CNGxcuffo49 
fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 - +1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 - +1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - +1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 - +1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - #close 2016-08-10-16-53-04 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep_and_field_name_map/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep_and_field_name_map/conn.log index e52c0ce6bd..36afb8856c 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep_and_field_name_map/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep_and_field_name_map/conn.log 
@@ -6,38 +6,38 @@ #open 2016-08-10-16-53-37 #fields ts uid src src_port dst dst_port proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) -1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) -1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) -1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) -1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) -1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) -1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) -1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) -1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) -1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) -1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) -1300475168.902195 
C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) -1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) -1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) -1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) -1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty) -1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) -1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) -1300475168.854378 
CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) +1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 - +1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 - +1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 - +1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 - +1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 - +1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 - +1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 - +1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 - +1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - +1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 
S1 - - 0 ShADad 6 1498 4 950 - +1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - +1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - +1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 - +1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 - +1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - +1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 - +1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 - +1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - +1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 - +1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 - +1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - +1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 
65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 - +1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 - +1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - +1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 - +1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - #close 2016-08-10-16-53-37 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select index 2d2aab7e90..f1c0099e40 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select 
@@ -1,34 +1,34 @@ -1300475167.09653|CHhAvVGS1DHFjwGM9|141.142.220.202|5353|224.0.0.251|5353|udp|dns||||S0|||0|D|1|73|0|0|(empty) -1300475167.09701|ClEkJM2Vm5giqnMf4h|fe80::217:f2ff:fed7:cf65|5353|ff02::fb|5353|udp|dns||||S0|||0|D|1|199|0|0|(empty) -1300475167.09982|C4J4Th3PJpwUYZZ6gc|141.142.220.50|5353|224.0.0.251|5353|udp|dns||||S0|||0|D|1|179|0|0|(empty) -1300475168.652|CtPZjS20MLrsMUOJi2|141.142.220.118|35634|208.80.152.2|80|tcp||0.0613288879394531|463|350|OTH|||0|DdA|2|567|1|402|(empty) -1300475168.72401|CUM0KZ3MLUfNB0cl11|141.142.220.118|48649|208.80.152.118|80|tcp|http|0.1199049949646|525|232|S1|||0|ShADad|4|741|3|396|(empty) -1300475168.8539|CmES5u32sYpV7JYN|141.142.220.118|43927|141.142.2.2|53|udp|dns|0.000435113906860352|38|89|SF|||0|Dd|1|66|1|117|(empty) -1300475168.85438|CP5puj4I8PtEU4qzYg|141.142.220.118|37676|141.142.2.2|53|udp|dns|0.000420093536376953|52|99|SF|||0|Dd|1|80|1|127|(empty) -1300475168.85484|C37jN32gN3y3AZzyf6|141.142.220.118|40526|141.142.2.2|53|udp|dns|0.000391960144042969|38|183|SF|||0|Dd|1|66|1|211|(empty) -1300475168.8553|C3eiCBGOLw3VtHfOj|141.142.220.118|49996|208.80.152.3|80|tcp|http|0.218501091003418|1171|733|S1|||0|ShADad|6|1491|4|949|(empty) -1300475168.85533|CwjjYJ2WqgTbAqiHl6|141.142.220.118|49997|208.80.152.3|80|tcp|http|0.219720125198364|1125|734|S1|||0|ShADad|6|1445|4|950|(empty) -1300475168.85796|C0LAHyvtKSQHyJxIl|141.142.220.118|32902|141.142.2.2|53|udp|dns|0.000317096710205078|38|89|SF|||0|Dd|1|66|1|117|(empty) -1300475168.85831|CFLRIC3zaTU1loLGxh|141.142.220.118|59816|141.142.2.2|53|udp|dns|0.000343084335327148|52|99|SF|||0|Dd|1|80|1|127|(empty) -1300475168.85871|C9rXSW3KSpTYvPrlI1|141.142.220.118|59714|141.142.2.2|53|udp|dns|0.000375032424926758|38|183|SF|||0|Dd|1|66|1|211|(empty) -1300475168.85916|Ck51lg1bScffFj34Ri|141.142.220.118|49998|208.80.152.3|80|tcp|http|0.215893030166626|1130|734|S1|||0|ShADad|6|1450|4|950|(empty) 
-1300475168.89164|C9mvWx3ezztgzcexV7|141.142.220.118|58206|141.142.2.2|53|udp|dns|0.000339031219482422|38|89|SF|||0|Dd|1|66|1|117|(empty) -1300475168.89204|CNnMIj2QSd84NKf7U3|141.142.220.118|38911|141.142.2.2|53|udp|dns|0.000334978103637695|52|99|SF|||0|Dd|1|80|1|127|(empty) -1300475168.89241|C7fIlMZDuRiqjpYbb|141.142.220.118|59746|141.142.2.2|53|udp|dns|0.000420808792114258|38|183|SF|||0|Dd|1|66|1|211|(empty) -1300475168.89291|CykQaM33ztNt0csB9a|141.142.220.118|49999|208.80.152.3|80|tcp|http|0.220960855484009|1137|733|S1|||0|ShADad|6|1457|4|949|(empty) -1300475168.89294|CtxTCR2Yer0FR1tIBg|141.142.220.118|50000|208.80.152.3|80|tcp|http|0.229603052139282|1148|734|S1|||0|ShADad|6|1468|4|950|(empty) -1300475168.89399|CpmdRlaUoJLN3uIRa|141.142.220.118|45000|141.142.2.2|53|udp|dns|0.000384092330932617|38|89|SF|||0|Dd|1|66|1|117|(empty) -1300475168.89442|C1Xkzz2MaGtLrc1Tla|141.142.220.118|48479|141.142.2.2|53|udp|dns|0.000316858291625977|52|99|SF|||0|Dd|1|80|1|127|(empty) -1300475168.89479|CqlVyW1YwZ15RhTBc4|141.142.220.118|48128|141.142.2.2|53|udp|dns|0.000422954559326172|38|183|SF|||0|Dd|1|66|1|211|(empty) -1300475168.89527|CLNN1k2QMum1aexUK7|141.142.220.118|50001|208.80.152.3|80|tcp|http|0.227283954620361|1178|734|S1|||0|ShADad|6|1498|4|950|(empty) -1300475168.90175|CBA8792iHmnhPLksKa|141.142.220.118|56056|141.142.2.2|53|udp|dns|0.000402212142944336|36|131|SF|||0|Dd|1|64|1|159|(empty) -1300475168.90219|CGLPPc35OzDQij1XX8|141.142.220.118|55092|141.142.2.2|53|udp|dns|0.000374078750610352|36|198|SF|||0|Dd|1|64|1|226|(empty) -1300475168.90264|CiyBAq1bBLNaTiTAc|141.142.220.118|35642|208.80.152.2|80|tcp|http|0.120040893554688|534|412|S1|||0|ShADad|4|750|3|576|(empty) -1300475169.78033|CFSwNi4CNGxcuffo49|141.142.220.235|6705|173.192.163.128|80|tcp|||||OTH|||0|^h|0|0|1|48|(empty) -1300475169.89944|Cipfzj1BEnhejw8cGf|141.142.220.44|5353|224.0.0.251|5353|udp|dns||||S0|||0|D|1|85|0|0|(empty) 
-1300475170.86238|CV5WJ42jPYbNW9JNWf|141.142.220.226|137|141.142.220.255|137|udp|dns|2.61301684379578|350|0|S0|||0|D|7|546|0|0|(empty) -1300475171.67537|CPhDKt12KQPUVbQz06|fe80::3074:17d5:2052:c324|65373|ff02::1:3|5355|udp|dns|0.100096225738525|66|0|S0|||0|D|2|162|0|0|(empty) -1300475171.67708|CAnFrb2Cvxr5T7quOc|141.142.220.226|55131|224.0.0.252|5355|udp|dns|0.100020885467529|66|0|S0|||0|D|2|122|0|0|(empty) -1300475173.11675|C8rquZ3DjgNW06JGLl|fe80::3074:17d5:2052:c324|54213|ff02::1:3|5355|udp|dns|0.0998010635375977|66|0|S0|||0|D|2|162|0|0|(empty) -1300475173.11736|CzrZOtXqhwwndQva3|141.142.220.226|55671|224.0.0.252|5355|udp|dns|0.0998489856719971|66|0|S0|||0|D|2|122|0|0|(empty) -1300475173.15368|CaGCc13FffXe6RkQl9|141.142.220.238|56641|141.142.220.255|137|udp|dns||||S0|||0|D|1|78|0|0|(empty) +1300475167.09653|CHhAvVGS1DHFjwGM9|141.142.220.202|5353|224.0.0.251|5353|udp|dns||||S0|||0|D|1|73|0|0| +1300475167.09701|ClEkJM2Vm5giqnMf4h|fe80::217:f2ff:fed7:cf65|5353|ff02::fb|5353|udp|dns||||S0|||0|D|1|199|0|0| +1300475167.09982|C4J4Th3PJpwUYZZ6gc|141.142.220.50|5353|224.0.0.251|5353|udp|dns||||S0|||0|D|1|179|0|0| +1300475168.652|CtPZjS20MLrsMUOJi2|141.142.220.118|35634|208.80.152.2|80|tcp||0.0613288879394531|463|350|OTH|||0|DdA|2|567|1|402| +1300475168.72401|CUM0KZ3MLUfNB0cl11|141.142.220.118|48649|208.80.152.118|80|tcp|http|0.1199049949646|525|232|S1|||0|ShADad|4|741|3|396| +1300475168.8539|CmES5u32sYpV7JYN|141.142.220.118|43927|141.142.2.2|53|udp|dns|0.000435113906860352|38|89|SF|||0|Dd|1|66|1|117| +1300475168.85438|CP5puj4I8PtEU4qzYg|141.142.220.118|37676|141.142.2.2|53|udp|dns|0.000420093536376953|52|99|SF|||0|Dd|1|80|1|127| +1300475168.85484|C37jN32gN3y3AZzyf6|141.142.220.118|40526|141.142.2.2|53|udp|dns|0.000391960144042969|38|183|SF|||0|Dd|1|66|1|211| +1300475168.8553|C3eiCBGOLw3VtHfOj|141.142.220.118|49996|208.80.152.3|80|tcp|http|0.218501091003418|1171|733|S1|||0|ShADad|6|1491|4|949| 
+1300475168.85533|CwjjYJ2WqgTbAqiHl6|141.142.220.118|49997|208.80.152.3|80|tcp|http|0.219720125198364|1125|734|S1|||0|ShADad|6|1445|4|950| +1300475168.85796|C0LAHyvtKSQHyJxIl|141.142.220.118|32902|141.142.2.2|53|udp|dns|0.000317096710205078|38|89|SF|||0|Dd|1|66|1|117| +1300475168.85831|CFLRIC3zaTU1loLGxh|141.142.220.118|59816|141.142.2.2|53|udp|dns|0.000343084335327148|52|99|SF|||0|Dd|1|80|1|127| +1300475168.85871|C9rXSW3KSpTYvPrlI1|141.142.220.118|59714|141.142.2.2|53|udp|dns|0.000375032424926758|38|183|SF|||0|Dd|1|66|1|211| +1300475168.85916|Ck51lg1bScffFj34Ri|141.142.220.118|49998|208.80.152.3|80|tcp|http|0.215893030166626|1130|734|S1|||0|ShADad|6|1450|4|950| +1300475168.89164|C9mvWx3ezztgzcexV7|141.142.220.118|58206|141.142.2.2|53|udp|dns|0.000339031219482422|38|89|SF|||0|Dd|1|66|1|117| +1300475168.89204|CNnMIj2QSd84NKf7U3|141.142.220.118|38911|141.142.2.2|53|udp|dns|0.000334978103637695|52|99|SF|||0|Dd|1|80|1|127| +1300475168.89241|C7fIlMZDuRiqjpYbb|141.142.220.118|59746|141.142.2.2|53|udp|dns|0.000420808792114258|38|183|SF|||0|Dd|1|66|1|211| +1300475168.89291|CykQaM33ztNt0csB9a|141.142.220.118|49999|208.80.152.3|80|tcp|http|0.220960855484009|1137|733|S1|||0|ShADad|6|1457|4|949| +1300475168.89294|CtxTCR2Yer0FR1tIBg|141.142.220.118|50000|208.80.152.3|80|tcp|http|0.229603052139282|1148|734|S1|||0|ShADad|6|1468|4|950| +1300475168.89399|CpmdRlaUoJLN3uIRa|141.142.220.118|45000|141.142.2.2|53|udp|dns|0.000384092330932617|38|89|SF|||0|Dd|1|66|1|117| +1300475168.89442|C1Xkzz2MaGtLrc1Tla|141.142.220.118|48479|141.142.2.2|53|udp|dns|0.000316858291625977|52|99|SF|||0|Dd|1|80|1|127| +1300475168.89479|CqlVyW1YwZ15RhTBc4|141.142.220.118|48128|141.142.2.2|53|udp|dns|0.000422954559326172|38|183|SF|||0|Dd|1|66|1|211| +1300475168.89527|CLNN1k2QMum1aexUK7|141.142.220.118|50001|208.80.152.3|80|tcp|http|0.227283954620361|1178|734|S1|||0|ShADad|6|1498|4|950| 
+1300475168.90175|CBA8792iHmnhPLksKa|141.142.220.118|56056|141.142.2.2|53|udp|dns|0.000402212142944336|36|131|SF|||0|Dd|1|64|1|159| +1300475168.90219|CGLPPc35OzDQij1XX8|141.142.220.118|55092|141.142.2.2|53|udp|dns|0.000374078750610352|36|198|SF|||0|Dd|1|64|1|226| +1300475168.90264|CiyBAq1bBLNaTiTAc|141.142.220.118|35642|208.80.152.2|80|tcp|http|0.120040893554688|534|412|S1|||0|ShADad|4|750|3|576| +1300475169.78033|CFSwNi4CNGxcuffo49|141.142.220.235|6705|173.192.163.128|80|tcp|||||OTH|||0|^h|0|0|1|48| +1300475169.89944|Cipfzj1BEnhejw8cGf|141.142.220.44|5353|224.0.0.251|5353|udp|dns||||S0|||0|D|1|85|0|0| +1300475170.86238|CV5WJ42jPYbNW9JNWf|141.142.220.226|137|141.142.220.255|137|udp|dns|2.61301684379578|350|0|S0|||0|D|7|546|0|0| +1300475171.67537|CPhDKt12KQPUVbQz06|fe80::3074:17d5:2052:c324|65373|ff02::1:3|5355|udp|dns|0.100096225738525|66|0|S0|||0|D|2|162|0|0| +1300475171.67708|CAnFrb2Cvxr5T7quOc|141.142.220.226|55131|224.0.0.252|5355|udp|dns|0.100020885467529|66|0|S0|||0|D|2|122|0|0| +1300475173.11675|C8rquZ3DjgNW06JGLl|fe80::3074:17d5:2052:c324|54213|ff02::1:3|5355|udp|dns|0.0998010635375977|66|0|S0|||0|D|2|162|0|0| +1300475173.11736|CzrZOtXqhwwndQva3|141.142.220.226|55671|224.0.0.252|5355|udp|dns|0.0998489856719971|66|0|S0|||0|D|2|122|0|0| +1300475173.15368|CaGCc13FffXe6RkQl9|141.142.220.238|56641|141.142.220.255|137|udp|dns||||S0|||0|D|1|78|0|0| diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log index fa77d35343..9a673f80e2 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log 
@@ -6,10 +6,10 @@ #open 2016-07-13-16-15-38 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1254722767.492060 CHhAvVGS1DHFjwGM9 10.10.1.4 56166 10.10.1.1 53 udp dns 0.034025 34 100 SF - - 0 Dd 1 62 1 128 (empty) -1254722776.690444 C4J4Th3PJpwUYZZ6gc 10.10.1.20 138 10.10.1.255 138 udp - - - - S0 - - 0 D 1 229 0 0 (empty) -1254722767.529046 ClEkJM2Vm5giqnMf4h 10.10.1.4 1470 74.53.140.153 25 tcp - 0.346950 0 0 S1 - - 0 Sh 1 48 1 48 (empty) -1437831776.764391 CtPZjS20MLrsMUOJi2 192.168.133.100 49285 66.196.121.26 5050 tcp - 0.343008 41 0 OTH - - 0 Da 1 93 1 52 (empty) -1437831787.856895 CUM0KZ3MLUfNB0cl11 192.168.133.100 49648 192.168.133.102 25 tcp - 0.048043 162 154 S1 - - 154 ShDA 3 192 1 60 (empty) -1437831798.533765 CmES5u32sYpV7JYN 192.168.133.100 49336 74.125.71.189 443 tcp - - - - OTH - - 0 A 1 52 0 0 (empty) +1254722767.492060 CHhAvVGS1DHFjwGM9 10.10.1.4 56166 10.10.1.1 53 udp dns 0.034025 34 100 SF - - 0 Dd 1 62 1 128 - +1254722776.690444 C4J4Th3PJpwUYZZ6gc 10.10.1.20 138 10.10.1.255 138 udp - - - - S0 - - 0 D 1 229 0 0 - +1254722767.529046 ClEkJM2Vm5giqnMf4h 10.10.1.4 1470 74.53.140.153 25 tcp - 0.346950 0 0 S1 - - 0 Sh 1 48 1 48 - +1437831776.764391 CtPZjS20MLrsMUOJi2 192.168.133.100 49285 66.196.121.26 5050 tcp - 0.343008 41 0 OTH - - 0 Da 1 93 1 52 - +1437831787.856895 CUM0KZ3MLUfNB0cl11 192.168.133.100 49648 192.168.133.102 25 tcp - 0.048043 162 154 S1 - - 154 ShDA 3 192 1 60 - +1437831798.533765 CmES5u32sYpV7JYN 192.168.133.100 49336 74.125.71.189 443 tcp - - - - OTH - - 0 A 1 52 0 0 - #close 2016-07-13-16-15-38 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log index 46d0dcc971..8990518008 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.cwd-navigation/conn.log @@ -6,5 +6,5 @@ #open 2016-07-13-16-16-15 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1464385864.999633 CHhAvVGS1DHFjwGM9 10.3.22.91 58218 10.167.25.101 21 tcp ftp 600.931043 41420 159830 S1 - - 233 ShAdDa 4139 206914 4178 326799 (empty) +1464385864.999633 CHhAvVGS1DHFjwGM9 10.3.22.91 58218 10.167.25.101 21 tcp ftp 600.931043 41420 159830 S1 - - 233 ShAdDa 4139 206914 4178 326799 - #close 2016-07-13-16-16-15 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log index 3aeefea5fa..163c932e2c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv4/conn.log 
@@ -6,9 +6,9 @@ #open 2016-07-13-16-16-17 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1329843175.736107 ClEkJM2Vm5giqnMf4h 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - - 0 ShAdfFa 4 216 4 562 (empty) -1329843179.871641 C4J4Th3PJpwUYZZ6gc 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - - 0 ShAdfFa 4 216 4 297 (empty) -1329843194.151526 CtPZjS20MLrsMUOJi2 199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - - 0 ShADaFf 5 614 3 164 (empty) -1329843197.783443 CUM0KZ3MLUfNB0cl11 199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - - 0 ShADaFf 5 349 3 164 (empty) -1329843161.968492 CHhAvVGS1DHFjwGM9 141.142.220.235 50003 199.233.217.249 21 tcp ftp 38.055625 180 3146 SF - - 0 ShAdDfFa 38 2164 25 4458 (empty) +1329843175.736107 ClEkJM2Vm5giqnMf4h 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - - 0 ShAdfFa 4 216 4 562 - +1329843179.871641 C4J4Th3PJpwUYZZ6gc 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - - 0 ShAdfFa 4 216 4 297 - +1329843194.151526 CtPZjS20MLrsMUOJi2 199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - - 0 ShADaFf 5 614 3 164 - +1329843197.783443 CUM0KZ3MLUfNB0cl11 199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - - 0 ShADaFf 5 349 3 164 - +1329843161.968492 CHhAvVGS1DHFjwGM9 141.142.220.235 50003 199.233.217.249 21 tcp ftp 38.055625 180 3146 SF - - 0 ShAdDfFa 38 2164 25 4458 - #close 2016-07-13-16-16-17 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log index 7433d79105..d51f953f4c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.ftp-ipv6/conn.log 
@@ -6,10 +6,10 @@ #open 2016-07-13-16-16-18 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1329327783.316897 ClEkJM2Vm5giqnMf4h 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49186 2001:470:4867:99::21 57086 tcp ftp-data 0.219721 0 342 SF - - 0 ShAdfFa 5 372 4 642 (empty) -1329327786.524332 C4J4Th3PJpwUYZZ6gc 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49187 2001:470:4867:99::21 57087 tcp ftp-data 0.217501 0 43 SF - - 0 ShAdfFa 5 372 4 343 (empty) -1329327787.289095 CtPZjS20MLrsMUOJi2 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49188 2001:470:4867:99::21 57088 tcp ftp-data 0.217941 0 77 SF - - 0 ShAdfFa 5 372 4 377 (empty) -1329327795.571921 CUM0KZ3MLUfNB0cl11 2001:470:4867:99::21 55785 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49189 tcp ftp-data 0.109813 77 0 SF - - 0 ShADFaf 5 449 4 300 (empty) -1329327777.822004 CHhAvVGS1DHFjwGM9 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 tcp ftp 26.658219 310 3448 SF - - 0 ShAdDfFa 57 4426 34 5908 (empty) -1329327800.017649 CmES5u32sYpV7JYN 2001:470:4867:99::21 55647 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49190 tcp ftp-data 0.109181 342 0 SF - - 0 ShADFaf 5 714 4 300 (empty) +1329327783.316897 ClEkJM2Vm5giqnMf4h 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49186 2001:470:4867:99::21 57086 tcp ftp-data 0.219721 0 342 SF - - 0 ShAdfFa 5 372 4 642 - +1329327786.524332 C4J4Th3PJpwUYZZ6gc 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49187 2001:470:4867:99::21 57087 tcp ftp-data 0.217501 0 43 SF - - 0 ShAdfFa 5 372 4 343 - +1329327787.289095 CtPZjS20MLrsMUOJi2 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49188 2001:470:4867:99::21 57088 tcp ftp-data 0.217941 0 77 SF - - 0 ShAdfFa 5 372 4 377 - +1329327795.571921 CUM0KZ3MLUfNB0cl11 2001:470:4867:99::21 55785 
2001:470:1f11:81f:c999:d94:aa7c:2e3e 49189 tcp ftp-data 0.109813 77 0 SF - - 0 ShADFaf 5 449 4 300 - +1329327777.822004 CHhAvVGS1DHFjwGM9 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49185 2001:470:4867:99::21 21 tcp ftp 26.658219 310 3448 SF - - 0 ShAdDfFa 57 4426 34 5908 - +1329327800.017649 CmES5u32sYpV7JYN 2001:470:4867:99::21 55647 2001:470:1f11:81f:c999:d94:aa7c:2e3e 49190 tcp ftp-data 0.109181 342 0 SF - - 0 ShADFaf 5 714 4 300 - #close 2016-07-13-16-16-18 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log index 10920126e4..5f470124a3 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log @@ -6,6 +6,6 @@ #open 2016-07-13-16-16-18 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1348168976.546371 ClEkJM2Vm5giqnMf4h 192.168.57.103 35391 192.168.57.101 55968 tcp ssl,gridftp-data 0.010760 2109 3196 S1 - - 0 ShADad 7 2481 6 3516 (empty) -1348168976.274919 CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 tcp ftp,gridftp,ssl 0.294743 4491 6659 SF - - 0 ShAdDaFf 22 5643 21 7759 (empty) +1348168976.546371 ClEkJM2Vm5giqnMf4h 192.168.57.103 35391 192.168.57.101 55968 tcp ssl,gridftp-data 0.010760 2109 3196 S1 - - 0 ShADad 7 2481 6 3516 - +1348168976.274919 CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 tcp ftp,gridftp,ssl 0.294743 4491 6659 SF - - 0 ShAdDaFf 22 5643 21 7759 - #close 2016-07-13-16-16-18 
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/conn.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/conn.log index fe20e19e6d..fcc76c8cd7 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect-with-header/conn.log @@ -6,5 +6,5 @@ #open 2016-07-13-16-16-21 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1443732977.727740 CHhAvVGS1DHFjwGM9 ::1 52522 ::1 80 tcp ssl,http 0.691241 3644 55499 S1 - - 0 ShAaDd 29 5744 29 57599 (empty) +1443732977.727740 CHhAvVGS1DHFjwGM9 ::1 52522 ::1 80 tcp ssl,http 0.691241 3644 55499 S1 - - 0 ShAaDd 29 5744 29 57599 - #close 2016-07-13-16-16-21 diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log index 92db604406..af890ad64a 100644 --- a/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.http.http-connect/conn.log 
@@ -6,5 +6,5 @@ #open 2016-07-13-16-16-21 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1078232251.833846 CHhAvVGS1DHFjwGM9 79.26.245.236 3378 254.228.86.79 8240 tcp smtp,http 6.722274 1685 223 SF - - 0 ShADadfF 14 2257 16 944 (empty) +1078232251.833846 CHhAvVGS1DHFjwGM9 79.26.245.236 3378 254.228.86.79 8240 tcp smtp,http 6.722274 1685 223 SF - - 0 ShADadfF 14 2257 16 944 - #close 2016-07-13-16-16-21 diff --git a/testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log index fa8ef4cf91..c313e0ea2d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.imap.starttls/conn.log @@ -6,5 +6,5 @@ #open 2016-07-13-16-16-27 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1437584567.812552 CHhAvVGS1DHFjwGM9 192.168.17.53 49640 212.227.17.186 143 tcp ssl,imap 2.827002 540 5653 SF - - 0 ShAdDafFr 18 1284 14 6225 (empty) +1437584567.812552 CHhAvVGS1DHFjwGM9 192.168.17.53 49640 212.227.17.186 143 tcp ssl,imap 2.827002 540 5653 SF - - 0 ShAdDafFr 18 1284 14 6225 - #close 2016-07-13-16-16-27 diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log b/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log index cf5b249b79..d7064790ae 100644 
--- a/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.irc.basic/conn.log @@ -6,6 +6,6 @@ #open 2016-07-13-16-16-28 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1311189318.898709 ClEkJM2Vm5giqnMf4h 192.168.1.77 57655 209.197.168.151 1024 tcp irc-dcc-data 2.256935 124 42208 SF - - 0 ShAdDaFf 28 1592 43 44452 (empty) -1311189164.064603 CHhAvVGS1DHFjwGM9 192.168.1.77 57640 66.198.80.67 6667 tcp irc 178.237017 453 25404 S3 - - 0 ShADdaf 63 3761 52 28194 (empty) +1311189318.898709 ClEkJM2Vm5giqnMf4h 192.168.1.77 57655 209.197.168.151 1024 tcp irc-dcc-data 2.256935 124 42208 SF - - 0 ShAdDaFf 28 1592 43 44452 - +1311189164.064603 CHhAvVGS1DHFjwGM9 192.168.1.77 57640 66.198.80.67 6667 tcp irc 178.237017 453 25404 S3 - - 0 ShADdaf 63 3761 52 28194 - #close 2016-07-13-16-16-28 diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.irc.starttls/conn.log index 59114a03b4..8d54d0c260 100644 --- a/testing/btest/Baseline/scripts.base.protocols.irc.starttls/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.irc.starttls/conn.log 
@@ -6,5 +6,5 @@ #open 2016-07-13-16-16-28 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1438145937.325196 CHhAvVGS1DHFjwGM9 203.143.168.47 55123 185.18.76.170 6667 tcp ssl,irc 4.923144 913 1903 SF - - 0 ShADadFRf 11 1469 9 2379 (empty) +1438145937.325196 CHhAvVGS1DHFjwGM9 203.143.168.47 55123 185.18.76.170 6667 tcp ssl,irc 4.923144 913 1903 SF - - 0 ShADadFRf 11 1469 9 2379 - #close 2016-07-13-16-16-28 diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn.log b/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn.log index 128c1e225f..dbdf6b2bef 100644 --- a/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.modbus.events/conn.log 
@@ -6,13 +6,13 @@ #open 2016-07-13-16-16-30 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1093521678.945447 CHhAvVGS1DHFjwGM9 10.0.0.57 2387 10.0.0.3 502 tcp - 0.000493 0 0 SF - - 0 FafA 2 80 2 80 (empty) -1093521953.490353 C4J4Th3PJpwUYZZ6gc 10.0.0.57 2579 10.0.0.8 502 tcp modbus 23.256631 24 0 SF - - 0 ShADaFf 6 272 5 208 (empty) -1093521681.696827 ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 tcp modbus 385.694948 112 138 S3 - - 0 ShADdf 20 920 12 626 (empty) -1093522326.102435 CtPZjS20MLrsMUOJi2 10.0.0.9 3082 10.0.0.3 502 tcp modbus 177.095534 72 69 SF - - 0 ShADdFaf 16 720 9 437 (empty) -1093522946.554059 CUM0KZ3MLUfNB0cl11 10.0.0.57 2585 10.0.0.8 502 tcp - 76.561880 926 0 SF - - 0 ShADafF 8 1254 7 288 (empty) -1093523065.562221 CmES5u32sYpV7JYN 10.0.0.8 502 10.0.0.57 4446 tcp - 155.114237 128 0 SF - - 0 ShADaFf 16 776 15 608 (empty) -1153491879.610371 CP5puj4I8PtEU4qzYg 192.168.66.235 2582 166.161.16.230 502 tcp - 2.905078 0 0 S0 - - 0 S 2 96 0 0 (empty) -1153491888.530306 C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 tcp modbus 85.560847 1692 1278 S1 - - 0 ShADad 167 8380 181 8522 (empty) -1342774499.588269 C3eiCBGOLw3VtHfOj 10.1.1.234 51411 10.10.5.85 502 tcp modbus 2100.811351 237936 4121200 S2 - - 0 ShADdaF 39659 2300216 20100 5166412 (empty) +1093521678.945447 CHhAvVGS1DHFjwGM9 10.0.0.57 2387 10.0.0.3 502 tcp - 0.000493 0 0 SF - - 0 FafA 2 80 2 80 - +1093521953.490353 C4J4Th3PJpwUYZZ6gc 10.0.0.57 2579 10.0.0.8 502 tcp modbus 23.256631 24 0 SF - - 0 ShADaFf 6 272 5 208 - +1093521681.696827 ClEkJM2Vm5giqnMf4h 10.0.0.57 2578 10.0.0.3 502 tcp modbus 385.694948 112 138 S3 - - 0 ShADdf 20 920 12 626 - +1093522326.102435 CtPZjS20MLrsMUOJi2 
10.0.0.9 3082 10.0.0.3 502 tcp modbus 177.095534 72 69 SF - - 0 ShADdFaf 16 720 9 437 - +1093522946.554059 CUM0KZ3MLUfNB0cl11 10.0.0.57 2585 10.0.0.8 502 tcp - 76.561880 926 0 SF - - 0 ShADafF 8 1254 7 288 - +1093523065.562221 CmES5u32sYpV7JYN 10.0.0.8 502 10.0.0.57 4446 tcp - 155.114237 128 0 SF - - 0 ShADaFf 16 776 15 608 - +1153491879.610371 CP5puj4I8PtEU4qzYg 192.168.66.235 2582 166.161.16.230 502 tcp - 2.905078 0 0 S0 - - 0 S 2 96 0 0 - +1153491888.530306 C37jN32gN3y3AZzyf6 192.168.66.235 2582 166.161.16.230 502 tcp modbus 85.560847 1692 1278 S1 - - 0 ShADad 167 8380 181 8522 - +1342774499.588269 C3eiCBGOLw3VtHfOj 10.1.1.234 51411 10.10.5.85 502 tcp modbus 2100.811351 237936 4121200 S2 - - 0 ShADdaF 39659 2300216 20100 5166412 - #close 2016-07-13-16-16-33 diff --git a/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/conn.log index e5cec1bccc..dee9141a7c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.pop3.starttls/conn.log @@ -6,5 +6,5 @@ #open 2016-07-13-16-16-46 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1400173552.423915 CHhAvVGS1DHFjwGM9 192.168.4.149 54775 192.168.4.149 110 tcp pop3,ssl 2.489002 851 2590 SF - - 0 ShAadDfFr 16 1695 17 3462 (empty) +1400173552.423915 CHhAvVGS1DHFjwGM9 192.168.4.149 54775 192.168.4.149 110 tcp pop3,ssl 2.489002 851 2590 SF - - 0 ShAadDfFr 16 1695 17 3462 - #close 2016-07-13-16-16-46 
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/conn.log b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/conn.log index 48becca872..679ab63a76 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/conn.log 
@@ -6,29 +6,29 @@ #open 2016-07-13-16-16-57 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1324071333.493287 CHhAvVGS1DHFjwGM9 192.168.1.79 51880 131.159.21.1 22 tcp ssh 6.159326 2669 2501 SF - - 0 ShAdDaFf 25 3981 20 3549 (empty) -1409516196.337184 ClEkJM2Vm5giqnMf4h 10.0.0.18 40184 128.2.6.88 41644 tcp ssh 2.079071 3813 3633 SF - - 0 ShADadFf 22 4965 26 5017 (empty) -1419870189.485611 C4J4Th3PJpwUYZZ6gc 192.168.2.1 57189 192.168.2.158 22 tcp ssh 6.641754 5253 3489 SF - - 0 ShADadFf 38 7241 29 5005 (empty) -1419870206.101883 CtPZjS20MLrsMUOJi2 192.168.2.1 57191 192.168.2.158 22 tcp ssh 3.862198 576 813 SF - - 0 ShAdDaFf 23 1784 16 1653 (empty) -1419996264.318569 CUM0KZ3MLUfNB0cl11 192.168.2.1 55179 192.168.2.158 2200 tcp ssh 2.557930 2757 1721 RSTR - - 0 ShADadFr 37 4693 29 3225 (empty) -1420588548.721272 CmES5u32sYpV7JYN 192.168.2.1 56594 192.168.2.158 22 tcp ssh 8.841749 480 537 SF - - 0 ShAdDaFf 17 1376 14 1273 (empty) -1420590124.879760 CP5puj4I8PtEU4qzYg 192.168.2.1 56821 192.168.2.158 22 tcp ssh 1.106250 820 1125 SF - - 0 ShAdDaFf 26 2184 20 2173 (empty) -1420590308.775525 C37jN32gN3y3AZzyf6 192.168.2.1 56837 192.168.2.158 22 tcp ssh 1.080767 692 997 SF - - 0 ShAdDaFf 25 2004 19 1993 (empty) -1420590322.673363 C3eiCBGOLw3VtHfOj 192.168.2.1 56845 192.168.2.158 22 tcp ssh 1.302395 660 965 SF - - 0 ShAdDaFf 26 2024 20 2013 (empty) -1420590636.473213 CwjjYJ2WqgTbAqiHl6 192.168.2.1 56875 192.168.2.158 22 tcp ssh 12.013506 588 549 SF - - 0 ShAdDaFf 19 1588 16 1389 (empty) -1420590659.422161 C0LAHyvtKSQHyJxIl 192.168.2.1 56878 192.168.2.158 22 tcp ssh 3.628964 684 825 SF - - 0 ShAdDaFf 25 1996 19 1821 (empty) -1420591379.650462 CFLRIC3zaTU1loLGxh 192.168.2.1 
56940 192.168.2.158 22 tcp ssh 0.104978 500 609 SF - - 0 ShAdDaFf 14 1240 10 1137 (empty) -1420599430.822385 C9rXSW3KSpTYvPrlI1 192.168.2.1 57831 192.168.2.158 22 tcp ssh 2.758790 576 813 SF - - 0 ShAdDaFf 23 1784 18 1757 (empty) -1420851448.309629 Ck51lg1bScffFj34Ri 192.168.2.1 59246 192.168.2.158 22 tcp ssh 3.076752 3049 4165 SF - - 0 ShADadFf 32 4725 23 5369 (empty) -1420860283.029061 C9mvWx3ezztgzcexV7 192.168.1.32 41164 128.2.10.238 22 tcp ssh 8.485357 6087 3015 SF - - 0 ShADadFf 32 7759 33 4763 (empty) -1420860616.400297 CNnMIj2QSd84NKf7U3 192.168.1.32 33910 128.2.13.133 22 tcp ssh 1.910959 6471 6037 SF - - 0 ShADadFf 33 8195 29 7565 (empty) -1420868281.639103 C7fIlMZDuRiqjpYbb 192.168.1.32 41268 128.2.10.238 22 tcp ssh 2.710778 5613 2487 SF - - 0 ShADadFf 24 6869 20 3535 (empty) -1420917487.220407 CpmdRlaUoJLN3uIRa 192.168.1.31 52294 192.168.1.32 22 tcp ssh 3.658968 3729 2229 SF - - 0 ShADadFf 36 5613 24 3497 (empty) -1420917487.213378 CykQaM33ztNt0csB9a 192.168.1.31 57621 192.168.1.255 57621 udp - - - - S0 - - 0 D 1 72 0 0 (empty) -1420917487.213468 CtxTCR2Yer0FR1tIBg 192.168.1.32 57621 192.168.1.31 57621 udp - - - - S0 - - 0 D 1 72 0 0 (empty) -1421006072.431795 CqlVyW1YwZ15RhTBc4 192.168.1.31 51476 192.168.1.32 8118 tcp - 0.000539 76 0 SF - - 0 DaFfA 6 388 5 284 (empty) -1421006072.001012 C1Xkzz2MaGtLrc1Tla 192.168.1.31 51489 192.168.1.32 22 tcp ssh 4.926958 4029 2497 SF - - 0 ShAdDaFf 42 6249 27 3937 (empty) -1421041176.944687 CLNN1k2QMum1aexUK7 192.168.1.32 58641 131.103.20.168 22 tcp ssh 0.587601 2885 2309 SF - - 0 ShADdaFf 16 3725 13 2993 (empty) -1421041299.738916 CBA8792iHmnhPLksKa 192.168.1.32 58646 131.103.20.168 22 tcp ssh 2.236727 4477 535101 SF - - 0 ShADadFf 179 13793 226 546861 (empty) -1421041526.312919 CGLPPc35OzDQij1XX8 192.168.1.32 58649 131.103.20.168 22 tcp ssh 2.066433 4477 534861 SF - - 0 ShADadFf 183 14001 236 547141 (empty) +1324071333.493287 CHhAvVGS1DHFjwGM9 192.168.1.79 51880 131.159.21.1 22 tcp ssh 6.159326 2669 2501 SF - - 0 
ShAdDaFf 25 3981 20 3549 - +1409516196.337184 ClEkJM2Vm5giqnMf4h 10.0.0.18 40184 128.2.6.88 41644 tcp ssh 2.079071 3813 3633 SF - - 0 ShADadFf 22 4965 26 5017 - +1419870189.485611 C4J4Th3PJpwUYZZ6gc 192.168.2.1 57189 192.168.2.158 22 tcp ssh 6.641754 5253 3489 SF - - 0 ShADadFf 38 7241 29 5005 - +1419870206.101883 CtPZjS20MLrsMUOJi2 192.168.2.1 57191 192.168.2.158 22 tcp ssh 3.862198 576 813 SF - - 0 ShAdDaFf 23 1784 16 1653 - +1419996264.318569 CUM0KZ3MLUfNB0cl11 192.168.2.1 55179 192.168.2.158 2200 tcp ssh 2.557930 2757 1721 RSTR - - 0 ShADadFr 37 4693 29 3225 - +1420588548.721272 CmES5u32sYpV7JYN 192.168.2.1 56594 192.168.2.158 22 tcp ssh 8.841749 480 537 SF - - 0 ShAdDaFf 17 1376 14 1273 - +1420590124.879760 CP5puj4I8PtEU4qzYg 192.168.2.1 56821 192.168.2.158 22 tcp ssh 1.106250 820 1125 SF - - 0 ShAdDaFf 26 2184 20 2173 - +1420590308.775525 C37jN32gN3y3AZzyf6 192.168.2.1 56837 192.168.2.158 22 tcp ssh 1.080767 692 997 SF - - 0 ShAdDaFf 25 2004 19 1993 - +1420590322.673363 C3eiCBGOLw3VtHfOj 192.168.2.1 56845 192.168.2.158 22 tcp ssh 1.302395 660 965 SF - - 0 ShAdDaFf 26 2024 20 2013 - +1420590636.473213 CwjjYJ2WqgTbAqiHl6 192.168.2.1 56875 192.168.2.158 22 tcp ssh 12.013506 588 549 SF - - 0 ShAdDaFf 19 1588 16 1389 - +1420590659.422161 C0LAHyvtKSQHyJxIl 192.168.2.1 56878 192.168.2.158 22 tcp ssh 3.628964 684 825 SF - - 0 ShAdDaFf 25 1996 19 1821 - +1420591379.650462 CFLRIC3zaTU1loLGxh 192.168.2.1 56940 192.168.2.158 22 tcp ssh 0.104978 500 609 SF - - 0 ShAdDaFf 14 1240 10 1137 - +1420599430.822385 C9rXSW3KSpTYvPrlI1 192.168.2.1 57831 192.168.2.158 22 tcp ssh 2.758790 576 813 SF - - 0 ShAdDaFf 23 1784 18 1757 - +1420851448.309629 Ck51lg1bScffFj34Ri 192.168.2.1 59246 192.168.2.158 22 tcp ssh 3.076752 3049 4165 SF - - 0 ShADadFf 32 4725 23 5369 - +1420860283.029061 C9mvWx3ezztgzcexV7 192.168.1.32 41164 128.2.10.238 22 tcp ssh 8.485357 6087 3015 SF - - 0 ShADadFf 32 7759 33 4763 - +1420860616.400297 CNnMIj2QSd84NKf7U3 192.168.1.32 33910 128.2.13.133 22 tcp ssh 
1.910959 6471 6037 SF - - 0 ShADadFf 33 8195 29 7565 - +1420868281.639103 C7fIlMZDuRiqjpYbb 192.168.1.32 41268 128.2.10.238 22 tcp ssh 2.710778 5613 2487 SF - - 0 ShADadFf 24 6869 20 3535 - +1420917487.220407 CpmdRlaUoJLN3uIRa 192.168.1.31 52294 192.168.1.32 22 tcp ssh 3.658968 3729 2229 SF - - 0 ShADadFf 36 5613 24 3497 - +1420917487.213378 CykQaM33ztNt0csB9a 192.168.1.31 57621 192.168.1.255 57621 udp - - - - S0 - - 0 D 1 72 0 0 - +1420917487.213468 CtxTCR2Yer0FR1tIBg 192.168.1.32 57621 192.168.1.31 57621 udp - - - - S0 - - 0 D 1 72 0 0 - +1421006072.431795 CqlVyW1YwZ15RhTBc4 192.168.1.31 51476 192.168.1.32 8118 tcp - 0.000539 76 0 SF - - 0 DaFfA 6 388 5 284 - +1421006072.001012 C1Xkzz2MaGtLrc1Tla 192.168.1.31 51489 192.168.1.32 22 tcp ssh 4.926958 4029 2497 SF - - 0 ShAdDaFf 42 6249 27 3937 - +1421041176.944687 CLNN1k2QMum1aexUK7 192.168.1.32 58641 131.103.20.168 22 tcp ssh 0.587601 2885 2309 SF - - 0 ShADdaFf 16 3725 13 2993 - +1421041299.738916 CBA8792iHmnhPLksKa 192.168.1.32 58646 131.103.20.168 22 tcp ssh 2.236727 4477 535101 SF - - 0 ShADadFf 179 13793 226 546861 - +1421041526.312919 CGLPPc35OzDQij1XX8 192.168.1.32 58649 131.103.20.168 22 tcp ssh 2.066433 4477 534861 SF - - 0 ShADadFf 183 14001 236 547141 - #close 2016-07-13-16-16-57 diff --git a/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log index 0d22b36e23..2d1899f02e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.starttls/conn.log 
@@ -6,5 +6,5 @@ #open 2016-07-13-16-17-08 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1437091701.732171 CHhAvVGS1DHFjwGM9 198.128.203.95 56048 146.255.57.229 5222 tcp ssl,xmpp 2.213218 676 4678 SF - - 0 ShADadfFr 19 1676 15 5442 (empty) +1437091701.732171 CHhAvVGS1DHFjwGM9 198.128.203.95 56048 146.255.57.229 5222 tcp ssl,xmpp 2.213218 676 4678 SF - - 0 ShADadfFr 19 1676 15 5442 - #close 2016-07-13-16-17-08 diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn1.log b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn1.log index fc07453119..3d415916f2 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn1.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn1.log 
@@ -3,41 +3,41 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-17-25 +#open 2018-01-12-21-44-59 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_l2_addr resp_l2_addr #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string -1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) 00:13:7f:be:8c:ff 00:e0:db:01:cf:4b -1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 
(empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) 00:17:f2:d7:cf:65 01:00:5e:00:00:fb -1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) 00:16:76:23:d9:e3 01:00:5e:00:00:fb -1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) f0:4d:a2:47:ba:25 ff:ff:ff:ff:ff:ff -1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff 
-1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty) 00:17:f2:d7:cf:65 33:33:00:00:00:fb -1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) f0:4d:a2:47:ba:25 01:00:5e:00:00:fc -1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) 00:23:32:b6:0c:46 ff:ff:ff:ff:ff:ff -1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) f0:4d:a2:47:ba:25 33:33:00:01:00:03 -1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) 00:30:48:bd:3e:c4 01:00:5e:00:00:fb -1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) f0:4d:a2:47:ba:25 01:00:5e:00:00:fc -1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) f0:4d:a2:47:ba:25 33:33:00:01:00:03 -1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 
58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -#close 2016-07-13-16-17-25 +1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 - 00:13:7f:be:8c:ff 00:e0:db:01:cf:4b +1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 
141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 - 00:17:f2:d7:cf:65 01:00:5e:00:00:fb +1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 - 00:16:76:23:d9:e3 01:00:5e:00:00:fb +1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 - f0:4d:a2:47:ba:25 ff:ff:ff:ff:ff:ff +1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 - 00:17:f2:d7:cf:65 33:33:00:00:00:fb +1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 - f0:4d:a2:47:ba:25 01:00:5e:00:00:fc +1300475173.153679 CGLPPc35OzDQij1XX8 
141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 - 00:23:32:b6:0c:46 ff:ff:ff:ff:ff:ff +1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 - f0:4d:a2:47:ba:25 33:33:00:01:00:03 +1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 - 00:30:48:bd:3e:c4 01:00:5e:00:00:fb +1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 - f0:4d:a2:47:ba:25 01:00:5e:00:00:fc +1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 - f0:4d:a2:47:ba:25 33:33:00:01:00:03 +1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +#close 2018-01-12-21-44-59 diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn2.log b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn2.log index c4746cbd4b..0cfe1b9e4e 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn2.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn2.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-17-25 +#open 2018-01-12-21-45-00 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_l2_addr resp_l2_addr #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string -1439902891.705224 CHhAvVGS1DHFjwGM9 172.17.156.76 61738 208.67.220.220 53 udp - 0.041654 35 128 SF - - 0 Dd 1 63 1 156 (empty) 90:72:40:97:b6:f5 44:2b:03:aa:ab:8d -1439903050.580632 ClEkJM2Vm5giqnMf4h fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 328 0 0 (empty) a4:67:06:f7:ec:54 33:33:00:00:00:fb -#close 2016-07-13-16-17-25 +1439902891.705224 CHhAvVGS1DHFjwGM9 172.17.156.76 61738 208.67.220.220 53 udp - 0.041654 35 128 SF - - 0 Dd 1 63 1 156 - 90:72:40:97:b6:f5 44:2b:03:aa:ab:8d +1439903050.580632 ClEkJM2Vm5giqnMf4h fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 328 0 0 - a4:67:06:f7:ec:54 33:33:00:00:00:fb +#close 2018-01-12-21-45-00 diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn3.log b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn3.log index cf205169c1..b738f14754 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn3.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn3.log 
@@ -3,1340 +3,1340 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-17-25 +#open 2018-01-12-21-45-00 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_l2_addr resp_l2_addr #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string -826191058.128321 CHhAvVGS1DHFjwGM9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191118.129144 ClEkJM2Vm5giqnMf4h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191178.297416 C4J4Th3PJpwUYZZ6gc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191238.140114 CtPZjS20MLrsMUOJi2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191298.137032 CUM0KZ3MLUfNB0cl11 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191358.243247 CmES5u32sYpV7JYN 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191418.144505 CP5puj4I8PtEU4qzYg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191478.189218 C37jN32gN3y3AZzyf6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191538.242710 C3eiCBGOLw3VtHfOj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191598.142982 CwjjYJ2WqgTbAqiHl6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191658.206258 C0LAHyvtKSQHyJxIl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191718.141676 CFLRIC3zaTU1loLGxh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191778.139555 
C9rXSW3KSpTYvPrlI1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191838.160870 Ck51lg1bScffFj34Ri 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191898.207550 C9mvWx3ezztgzcexV7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191958.161501 CNnMIj2QSd84NKf7U3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192018.156454 C7fIlMZDuRiqjpYbb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192078.143576 CykQaM33ztNt0csB9a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192138.157070 CtxTCR2Yer0FR1tIBg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192198.209621 CpmdRlaUoJLN3uIRa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192258.213369 C1Xkzz2MaGtLrc1Tla 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192318.168316 CqlVyW1YwZ15RhTBc4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192378.142768 CLNN1k2QMum1aexUK7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192438.145514 CBA8792iHmnhPLksKa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192498.211725 CGLPPc35OzDQij1XX8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192558.254519 CiyBAq1bBLNaTiTAc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192618.151880 CFSwNi4CNGxcuffo49 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192678.152689 Cipfzj1BEnhejw8cGf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192738.148612 CV5WJ42jPYbNW9JNWf 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192798.184559 CPhDKt12KQPUVbQz06 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192858.168774 CAnFrb2Cvxr5T7quOc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192918.151045 C8rquZ3DjgNW06JGLl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192978.149902 CzrZOtXqhwwndQva3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193038.200491 CaGCc13FffXe6RkQl9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193098.159328 CNdne23ox8SQTgPoy3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193158.151344 CeGt004UBsXLoZSeCg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193218.158016 CTrywc2ra7tcWn2af 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193278.162718 CzmEfj4RValNyLfT58 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193338.440718 CCk2V03QgWwIurU3f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193398.155563 Cgc67J2CpHIVN7HAw4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193458.258855 CgwPkWkJfuBIJsNi4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193518.163043 CImWJ03GsvPvA0P67i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193578.166776 CKJVAj1rNx0nolFFc4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193638.349114 CD7vfu1qu4YJKe1nGi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193698.277702 CWhRtK3eXodviHmbo7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 
0 (empty) - - -826193758.259000 CqVUM4vyqCacqFiud 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193818.167095 CudMuD3jKHCaCU5CE 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193878.266468 CRJ9x54IaE7bkVEpad 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193938.404902 CAvUKGaEgLlR4i6t2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193998.202719 Ck78JG32Y4I7AGp7Vb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194058.784259 Cgwg7Z1MHA1YkiZmm3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194118.356593 CDNchHwRoXhVzzHB2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194178.167100 CeP1sc28dOzbbYkbA 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194238.165957 COOKv01AQPAqfGMN9k 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194298.195067 C0JEpR1Ij6308CwEhh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194358.251498 CQcXCjONUKqMfnhXb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194418.279634 CVcd914ZFpaUisaVf2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194478.176984 C5pL731XEkARXOq253 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194538.254895 CB0Ovs3cNZgLQ93FSh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194598.272308 CM4z3Z2rdNfyHYQ0Df 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194658.273130 C1dGa34JRiYAKbMI0c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194718.258333 CtEfXf4f39NRDu1Dr4 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194778.255249 CdY2UF17xGQ6lUx7e8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194838.176031 CkD1144ZtRYffh5zjg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194898.187592 CbI5Qt4rlFnOHuL522 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194958.284053 CjGaD11BLkmCG5cEVf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195018.191134 CdGkzc4fIBRo0721v 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195078.186092 C1ejhC4SXsZ4pEdOd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195138.181047 CisPKv3PhjrFFhZbq7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195198.277505 CCgIHR2Vna1ZW9BPjd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195258.191452 CWqViP2k4EKfYWy7Y1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195318.276192 CBr8Cp4juBTcRQZAA4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195378.246741 CWMTYT1vZEQXErCXY7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195438.187041 C9Mb033HGlhETKxUbj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195498.328394 CGwfOa4GYyzNItzc9j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195558.260878 C4C8Lr4DOGUTRZPAW8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195618.192392 CfQutTEgs3g8sUrsa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195678.183445 CKvlqe4bTVu5HNGrb1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195738.336498 C04EG53Yaw6dgjGT3k 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195798.190914 CdzNo91LLZlfe0pmT8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195858.193703 Cb2Rv3Wek35VDwxDk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195918.289198 CsLUyBLEs5x3GKtgk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195978.194311 CF00uX66iWHtiV1q1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196038.286860 CkVqlMyWLZSpdNcPa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196098.237900 C6Frs83UqNszgcqN15 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196158.192843 CQCAYJ2zCov16vZwf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196218.198534 Cil9Tc1rwfQS9uqdsb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196278.201302 CgHhMv2Ww0Y4oQNtd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196338.294847 CFTS591Wnlb7gnrpP7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196398.194157 CoVJDI3K3qTiTnPoV9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196458.194955 ChHNpz2Xf9xMo2lnC4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196518.242601 Ch5tsG3OlOd7l83JFc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196578.363462 C3AXaL2up5k3PR4VW4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196638.194463 C2qZRm2yQg9RoQNkVg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196698.220656 
C6tA8aOk3QI9oIaHl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196758.207790 CggxJkLPcdPyKjfma 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196818.238833 CI5pddk2aeicnmmoj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196878.202555 CKpb612OxJundLAeRf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196938.212156 CcwXC81REVUrKprLz 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196998.239313 C5OBjqCVHlPAjKQXi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197058.200122 Cb7w0T1dHZUPXzdgRi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197118.310249 Cuhrwt2ypWdmhxNcjb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197178.309093 CJmTVn4YcEf19Wo137 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197238.207420 COvnS21VmREmS5Xzuf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197298.208237 CpKJJiDUPEBNMGSC 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197358.217839 C5II0Z3yZFhDzHSKrl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197418.275266 CQ7b0y4Vd4NVQ3nJRi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197478.334646 C68HZHafWQbOYWkYi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197538.212478 CX9xXW3s3cSCaIB9a2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197598.225962 CUTgljebkkh2Ydhzi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197658.309739 CsnMLaDyNeIqxq6i2 128.3.140.132 2035 194.140.136.34 80 
tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197718.241266 CuIjKg2hEOBmXsIvx4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197778.378715 C1alUz23K74AR4WZUc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197838.344394 C9ywcdnOP5TLfD97e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197898.249569 C7aJ8S1bYoBzPdxRDb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197958.398725 CTISqXQMVxGJCVG2i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198018.215078 CjsoT83JnYI2Be2f8j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198078.218834 CohWkh4QvZcB1WXOVe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198138.216728 CL7JR54e4lOc3aUAph 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198198.217548 CS9xQJ3Jly032E9jC2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198258.267159 CPOg0SZxpoHbNzpG5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198318.222088 CgYh1L1mwsOxSqVBu9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198378.269737 CPEPje2CwXXxGGPo27 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198438.216854 CIWOQa2vaf6TxyZ2Jg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198498.219601 CqyxRG6TRKYW41Zz5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198558.233108 C3HR3r12iwKiqXa9c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198618.222208 C823dt2fd3qQ26XyU 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826198678.234721 CalQkN3MoYim6AEEe4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198738.223849 CzZuKd2XEy2jlcWqT6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198798.377868 CVgpXQ1plHZSjZoGq9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198858.273279 CPnPwW1vseaFvOVKZc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198918.231128 Cr5ot64fYu8c0wBtik 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198978.225059 CceZRf3q969iOibom4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199038.226843 Cfv1oI1ypkphPOMD7g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199098.229611 CkgPZ03tcwpxYjnOSc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199158.229450 CeYlkM3WxZVUmujyB9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199218.227329 C8yjkq23bmUk9MkLf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199278.340384 CevQX3116xo72LIoK9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199338.231893 ChN5cQ1faCW2xBl8Ki 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199398.231727 CjTrQkID6Z2SNK3ha 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199818.339795 CA4o9G1CB2Af4WWhCf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199878.341563 Cf8FAq4I77xaBMSVT9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199938.340438 CPjxvb4XleEtywR72 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199998.238772 C7XVqL2qUJ1enNZYag 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200058.240561 CjqWgiHlaYFi9YImg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200118.239417 C1uJul2gbxeDRNFura 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200178.241203 CbIFhV2t1dFcA47mxb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200238.243969 CAy1xs4SqOffMYYoi6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200298.255520 C3sUxYJbMLLrlkY2l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200358.245608 Cz7T4t4CVp8k2htbIk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200418.241558 Cqn0E64YUKHGEJtXE9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200478.379987 CwkPvf43XtOGn09xUb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200538.687256 CQKymemsGWxk8qNhi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200598.867643 C4DpKm2ihMjo33xAK9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200658.261374 Cx1J5T2RlUHdnWX4P7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200718.287570 Cq5Tn24Flxl5ykcPB4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200778.408439 CBMc5Bq8xeq3TqHyl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200838.424863 CwalhH1EmkTCp6Z5oj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200898.441277 CoBPIr1bmfwOHYS8k7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200958.658763 CauDdy1kS45qWx7Jaf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 
40 0 0 (empty) - - -826201018.254540 CeivHI16nJNE1XoDn8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201078.268039 Cwks1t1XCX1VVKWlui 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201138.255207 COzc1t4726TvteJAq9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201198.275551 CySyNg2Q7X5Wig9qXc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201258.252935 CdHHGD21PDk8qHCNZi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201318.289854 CytmUVLD1AW7Bjdda 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201378.426313 CyAz9V2XDShWvc9X85 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201438.335369 C9mSwv1EoAGeQwdxia 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201498.320561 CSqd0W3t872JJDPQR7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201558.320384 CBdUFS64H8SD3CRc7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201618.267492 CXmENaHXj6AAZ6z67 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201678.371750 CHxNzE4i1HGC9aNQb8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201738.266200 CCOssQ1lVW9L4luov7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201798.263102 CH4Zqaz7LIoXnVdx6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201858.260975 CmYN6N1hsT2MgdKQo9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201918.266689 CkH9U915OzOOjvkSJi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201978.271412 
CCwJVWbbaSCkRe2K9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202038.344449 CRGnRy2aYiKuVFnIG 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202098.825455 C3JRhD4EKTLL9ETgB6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202158.956074 CTy7qulV8eG6LkeUd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202218.304913 CUN1fq1Nh9yg0qjEZk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202278.282291 Cy1IPuLzKTRb2fGF8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202338.312374 C2sbOw4qh4NrDdHRH2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202398.465444 CsTLYp3UVyKHvvF8jl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202458.270082 COJL3m2IFflzZ1Cvdk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202518.370443 CAR8U13yNQoRQJZLcd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202578.275607 CYXkGL3OwfyucBURVl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202638.285208 CfyyuF35s6IHIKaPy1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202698.272334 C6lrWz3udBitB6moKf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202758.277055 CJBk991FDSqc8wRBK1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202818.279800 CeoHSa1uBAQlDI3FEe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202878.415282 CnB5fj2ShUFnGngqf8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202938.279472 C850go2IsfiAcSGCfc 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202998.275417 CRM6Kv2JvySZyj1qrl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203058.292814 ChDijs42aziwiDYP4c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203118.283859 CiZMlr41UYw4zUSiH7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203178.277842 Car6PO34Q2yGqFhtw8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203238.279637 CwUICHbZAZuWABr9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203298.293148 CLvoof1o65FluhXQI6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203358.339838 C45NxP1qI6S5UMi6Ta 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203418.287944 C73cNq1ss4gZpfV8Jj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203478.446865 CWnddL27sIwroPwU4h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203538.287610 CwP7As3BK8V5lwj7D8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203598.284519 CaEkUY1AI0qcJSl8Cd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203658.453200 CBkOwg2KK7rXFXUTmd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203718.292998 C0u03i3hv4B4fSd7zg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203778.296740 CITjhO2n7PZKsy3Mw4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203838.288761 Ci0XPI2JfTjInNGHJ7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203898.288604 CvRIiA3mohju9nTku6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 
0 0 (empty) - - -826203958.306005 CUAWQS1YtxjDhtxxte 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204018.302916 Cgcc4N2eKsv3m3nA87 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204078.295923 CWT4zv7sNwj1cnBeb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204138.292825 CylDMs45x5z5lRx9se 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204198.293633 CT4t8k1zeBe7ZRUBg5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204258.303229 CQHUiY2AW9ZT2iB0x8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204318.297196 CZvB3g1drtq6h6KP8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204378.332142 CBeoy737B8VrP0iSS6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204438.374915 Cs4vHa2laJaNpjym2a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204498.296670 CYwHEGkAUO1v9YGk8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204558.295509 CzcPSa4HIZVpmSAZQ1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204618.307043 CmVWUQ1Zj8v9tk8Tn9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204678.296142 Cyyy781JVg92X5mDUc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204738.304744 CMU7t24bL4QMZtMO2l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204798.310410 Czv7tI2Aq1yfgdryG 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204858.301417 CR7XxA2W5vLwE5KTs 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204918.303191 CmDpIN2aFGjiOMOJWe 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204978.324493 C5p9eh4XiSATtqsZi5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205038.300903 CVLeLf3d954JlCj5Ch 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205098.305623 CUeKfb4nbjydJsNdId 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205158.322052 Cekrs3zkM6eSou1mg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205218.303340 CUVPVWOtpPH13Hfck 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205278.385157 CfhuF84Ji7AdXxsAA6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205338.307892 CgfSWCkLmMlaKMWUl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205398.364345 CRYwli4VJ5IlPTDWIl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205458.311479 CguHTc3ErOLWFoQyBa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205518.310351 CpDj0c1fnKaDIGyqma 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205578.312118 CF5tR03Af5y0DJD2he 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205638.310976 CbaJQC9l9K3ELB1u1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205698.312761 C9xsW63PP2wB8hiDUk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205758.334077 CzWoyC1HE4FO1zdT3a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205818.418825 CyVhox28QHRlYRbY9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205878.319114 C57jQA4eBlGbOkJ0xc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205938.317005 CimLTH3Vi2F5nxs6Bf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205998.320749 COlS4I3p8lZG3vxBag 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206058.316670 Ch4OGK13MCwxE2a1O9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206178.372932 CzTeK32euJBRHTY2z5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206238.321042 CA1qPq3zXlCZGMTF3d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206298.327724 ClzajT3YA0FYcHeIsi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206358.322675 CoW1ycpevZQjU9uK 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206418.433774 C4mAqd3q1os6WQrFGi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206478.335035 CoLfC03bP9cbW0s7Cb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206538.446151 CDZen84XixQL22chD7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206598.357171 CEUdRVRpBWnzWSuJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206658.324795 COUblG2yCsr6J0Z8k3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206718.330487 CtAsd2ykOOaUv0sel 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206778.331300 C8iXoIHQrMuYvFD7d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206838.371150 CEZ4zB1w0bcdFufPv5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206898.501767 CHwfwB4tWYNdiXgqj9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826206958.338610 CpXYCp3HhrY4ziK5w6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207018.353094 Cu3mx7WQp10fiKvVd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207078.357820 CJK73d2tv5bceelJs1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207138.439665 CiBJbd1e77zhCc8o92 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207198.330243 CrDDne3jAfXkyEZLZh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207258.399375 CrtbM81EwribjjBbs6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207318.339670 CinzyU2OZ3RzfO3iQb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207378.337548 CdMDAn1K65PDClegO2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207438.341279 CL72Eb6pZzrrF1MPc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207498.337215 CTH9yVeqRZ7hCysmc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207558.342907 C7dQb6wN8PS99nDpc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207618.357377 C7zVw01Vz6Gp5SUxgl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207678.467498 ChrOVe26x8jzyNa2uf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207738.447804 CNSAUE2BML8biNfBQ 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207798.341241 CNJ4Xn4VtXlynW3J3a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207858.349856 ChGNUG3biEoPUuqOa6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207918.418989 CXw2CyoyLEXO1cDi 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207978.339771 CjvpgV6kqW0852q3f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208038.347415 CxUw172WrEAdzXMRL7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208098.425324 CeRlLB2HA8cgJm1oe9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208158.352927 CkQkiC4YuLauG6WZEa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208218.344948 CfgLCv4QFww6gvQ87j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208278.344772 C8jLEg3BRmkSv2OTHd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208338.350459 CGCF331JLuHl54L5rd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208398.352240 CWBzQU3jlmCFJxIvW7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208458.448653 CuQnVY1S26nokuHtw9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208518.346965 CDLpxA3tPGVgwxSem 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208578.371204 CqWOXg3fwJ6pVRPP41 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208638.382748 CH9f4S31R76ubzMqXl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208698.354276 C7NKKJ363Po1sp1G76 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208758.393143 Coa3vE2Wqxw7XtPyaf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208818.351978 CPbwgd4HAWmMrjHmBl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208878.364498 Cg3va11ZQR3RERyK2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 
1 40 0 0 (empty) - - -826208938.434595 CX1G5j2XAjJVbgRRYg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208998.354384 C1BbhC2e0BR83RHPhe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209058.435227 CBMwL219aumFxhrnzd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209118.356985 Ce8sjQ1yXYbarn3Mv 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209178.536399 C78sjv46n0JEJJ9Ixa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209238.366407 C2z8sX3Zt54zcv7nHb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209298.357460 CrmZ753z4MFkzJPjfk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209358.367044 CmZgh34NMetxae8Pm8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209418.459570 CtsyPdY3mkmf7kLb4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209478.362786 Ct0FdeHeoqV11oqi3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209538.816451 CHpfPUBDLI48ElQX6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209598.447358 C6QeBz4zMAkwfJKzp8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209658.373018 CvZvjb1h22zExFA9Z5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209718.371878 CQnxI03CHdqwafO4o2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209778.369758 CV85Bg1jB95m3NCt2b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209838.378365 Cpa0UQ2794FcjpykQh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209898.371356 
C9U9nP2cjbHpr2TZZc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209958.412180 CIkXHw1k27sxdK1IL3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210018.593545 C6sQTZ3batj1lRDpFf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210078.395223 CrLzH72bC4Py0O0Pw9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210138.522899 CwByX11akVrJXiAL89 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210198.386118 CMrmZC4fwKKms3eVfe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210258.375204 CIMbgg4rrK1rYO007 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210318.372116 Cl92e44KbzduaHbhyg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210378.373906 C5yYvFfVOJPVQqJWb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210438.392281 CaIW4B1CNbhrY3Z9P5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210498.466302 CuFyuJ3RcaoYD2YSlb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210558.373412 CkeuvB3U6Z48hwsmd7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210618.381066 CmZ5913VmiwYcCMsV9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210678.444343 C4iWMr1o5OhwPrp8sc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210738.786745 CeVw7f1PrVOGyux7f8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210798.378604 Cv7Ojs44cHurW5mca 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210858.393065 CG1IZO2kmbIytfrjF 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210918.388978 CFo4ijFpPMOaVkxyc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210978.524464 C6aRsb3UekWRpglS77 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211038.380818 CFOKe2YkWP7etA8pi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211098.456790 C37mAJ2U5Kisle0Qgl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211158.595216 Cgjcpf4p7v2QzNmLSf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211218.386167 CH7oxC2LFgxSRkfdi8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211278.396726 CaQ3deHsj3TrWL6J 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211338.568337 CHfOyV1EmktPdJYs1c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211398.491118 CAP1W92itot6anqOh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211458.395342 C42zWs36ET4H6JkMAf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211518.504492 ChCctc1RXXIqfN02T2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211578.416483 CMIGG63blVyQrgtKZc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211638.390960 Cm5hUStLXU9qmc9oi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211698.525482 CST4021EoQxELJXa23 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211758.535067 CEUV1F4e4X7KZmIQjg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211818.464624 CMXu7r17v95iIWljHb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 
(empty) - - -826211880.427357 Cf2iT43rdptpnlRFaf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211938.496475 CKee4U3Z4oY4yRz57c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211998.412364 CyyAsI1bENRZJHsPxi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212058.558577 CFfE5G2444nCYFZKB2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212118.608187 C3qdoZ1n9Z9JKjUDzg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212178.505544 C8F0wsJvnG24pWYob 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212238.398986 CeHfJV2oKMDd0Y5Q7i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212298.417363 CnDV6B3aFu2Rig5pDc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212358.419147 CAYs6PGpPpvE5HD45 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212418.567316 CnYoeO12NNlpv8vJw5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212478.954585 C7qhx8MH4aXtRLCz5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212538.490773 CmqlEJhGZCyPSVeVg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212598.433975 C30S013blQYUkUFuKb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212658.488438 CfUaZj2hvTwscPvXpa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212718.422866 CI8nPFXkU5AYE84Ei 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212778.479312 CtnR3q3r0iCKvV7N7b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212838.407898 CKjWKd4Mq2FDzB7lNa 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212898.595122 CsmwQW1n5WCKtRZWOa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213138.524203 CisUSAKIZdFFX8lWh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213318.422154 CeyYdH2Qfmpzbjsr2h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213378.462951 C0i55oDRpoYXbScq 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213438.435434 Cog8rV2Ws6Hv7UCGta 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213498.448913 CW524A4Jvs7LV4nSi2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213558.431157 CZImj8vHpyMzhT9Xh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213618.429994 CZ7qJ91KzEqUNJwu96 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213678.421046 Cz0TOI3Oz84uu7WmSc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213738.417958 CpkFh021CJKOiZXyPg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213798.461704 Cggyq72pcsVl1twmKc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213858.459578 CkjjDD4mVrHaOHrTpb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213918.542352 Cl2Pp43hVt8yeVkbI9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213978.451395 CXahDdeDuBzEqAb1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214038.428786 CTecLV1manIXTrjAIe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214098.423739 CsLyVu1YU7im0wl04e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214158.438205 CLYYbS2z9Ou3vNkkZb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214218.450701 Cpj9DeO0yZuq6Ute 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214278.423204 Cc8BePGbhxSxkHHjf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214338.476713 CwYtAfMvzk9Fod7cb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214398.556580 CUfWl31hYnv6Wwvt1j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214458.448105 C89fm75JmUuUqVjL2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214518.471366 CR8db31SCvKcWQu7se 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214578.803035 CZ5SE92qMLKBRvXPTg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214638.471966 CextRf3AOZqeA1XkZk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214698.459073 CTPOjD2rPLS9mqWtI6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214758.622869 Cx2fdd4vASV4hGNamk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214818.450923 CxO4Hl2za3S1dI7BF1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214878.554209 CbTCX64fnBOz5Rnss5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214938.443726 C7fmrSMRs5eEbiXEj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214998.442581 Cfoam51KJQvseaC6O4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215058.447292 C1Cfql1xwhiHqaEiGk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215118.470537 
CcKAdX2Q0thi02ReMe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215178.443043 CR4uj7veM5o7mhLT2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215238.472167 CM36EW1l3dYeFyEps8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215298.434914 C6RIBPCLUqy7QrkG7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215358.444512 Czd0jk2Saz3xxLJsU3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215418.593672 C6IvVK1opBeZQ7AQ7a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215478.442217 CUDpIg3BIilKU95Loh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215538.446917 CYSUaV17LYTkbrEVpa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215598.440880 CnSEAH1VZnpGoxnDPb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215658.447537 CNJWdr1axp5uTe7O79 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215718.497136 Cd0PwY1sOnxvxlpOUd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215778.541854 C3plZ01VSnQwnkq1Ce 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215838.718352 CF0xAHahJVVCD5Fi4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215898.652795 CTPJGE4d84dfLkqXCb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215958.455473 CVuUh142e1YgH4Ofll 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216018.446512 CLMQOF35kFy3YN5Xx8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216078.459038 CuMT6LYNk1J990vRk 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216138.454975 C1Almd46wwAwBRkkE5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216198.451877 Cx2o7z1ve2pwRELwm2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216258.478050 C7ORHD2Ge1bznHOYxb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216318.508142 C1hBHK2Ako3EciFj8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216378.615328 CAKOnF2dhpD2lIpMW5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216438.513650 CsVB753IMy3ksnCXJc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216498.455902 CnPxgy4t7wZRlJlXic 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216558.506493 CUgy2o3FvSC7r4Z9ya 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216618.627343 Cxd0L53LzmLx1GQL3i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216678.455377 CdERFK2TuqeY6bOLIk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216738.463003 C7gYx43YuJLYHaolL 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216798.484306 CQ02Hh28fM99vbB7t8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216858.464603 CZ6vmo2iQaPNxh2Cp5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216918.457605 CkOZDv22AxQ2YWa9d9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216978.463284 C913kM1HJAW0Z0QCWc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217038.656359 CKgKAx20fbelsVSjj3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 
0 0 (empty) - - -826217098.472702 CRhBnt2F6fTBWyjylj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217158.458863 Css94F2wp6eqs3AG2g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217218.685135 C5Iwq42ShwCJuekrR8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217278.460500 CiThk046sKXUN21yT7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217338.809744 CIKTEw1hGfX8fLggpl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217398.468952 Cuqf1SXU2lRMru8ab 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217458.473659 CViQRu2F6CP81AHxN7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217518.644301 ClxNef4rXFifWlnVe5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217578.554358 Ce9ZL977eCsGAEVwh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217638.574699 CcsJ6S3KeIOnq32dUf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217698.468159 CNeOYwF6hHL1iYy7a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217758.628043 CtIalz3JApUL6lBk5c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217818.476557 CiGbMU1lOEKc8ZcnJ5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217878.468586 CZ7cfF1ZmnbEKFCL86 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217938.582596 CtwugB8dqTukJE53l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217998.477002 CzuDds1p0W3c1OxtQa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218058.883849 
C8icM720Rm3KFNSaO3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218118.482549 CBqI3A3aZ9wbTqAHKc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218178.482392 CDI2sycOSZMfUwDej 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218238.474417 CdPmeZ2wefP1W2pDaf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218298.507434 Ctqz3r2Q6Hhh45ynBb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218358.560950 CZ3VMr9TGKr4pDG49 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218418.478818 C9L1P41WGLblqJ5lX9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218478.483546 CjpsNzwm6pkRPysTl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218538.483389 CXKlOW2OXCLUH0tag2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218598.558389 CaX41W2rQe7myStGic 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218658.787580 CwL1AP20TmhyPubBzi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218718.583409 CGsgYT2M54ThS9dD1i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218778.619355 Ct7NPa2Gjw99Ds55Fa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218838.509870 CmYrUP1Jii5rRzA2N4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218898.485297 CfAQDb3ztIZ9Esdhnb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218958.502698 C6gNhw2NFYJKnnBJAb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219018.634278 CLrESm1lxkihbOfujc 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219078.491595 CGxlGu1ohd5JBhXb3l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219138.488486 CTCzwn49MMq762o5wl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219198.592761 CLvYvUL9THPcxwH09 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219258.492052 CordDM2ka874SoTG4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219318.490911 C6SzT4NIAosKk51Ne 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219378.959227 CzpRvg1ZARpYbvKZLd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219438.545233 CRJfqUBQrh1OECRKh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219498.525544 CUD9vt2xm6AFEFb9te 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219558.500988 CGTvIE10hTfMDqvRg8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219618.532072 C1USEM2mkGmssUQFnc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219678.555324 CuwWUn1WWhrDuebDLg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219738.527822 Cn0jH9tRvniY1wOdi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219798.597931 C3JTJw4PGH9c3y1zOk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219858.854441 CpvOTy47aAhFPLLhy2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219918.507732 CBZ93D1F4V32UnHVuc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219978.497853 CU5NwdnJySKzDO6Ia 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 
(empty) - - -826220038.515262 CxseO02jluUsidcJ62 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220098.578550 CUxHC03hhHZPPZPPd7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220158.735531 C4F8Mc19wr3znjj7ec 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220218.628969 CCa0k62q3tTbsgMjD6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220278.712744 CgPOxw4ZcDNtb4qUGb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220338.505674 Cr2WN61qD7lqnpZNrd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220398.664581 CmcxqC1uCPLsuEWiwh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220458.510190 CAYq3UzQvLCe76Zc3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220518.507097 CyO8GYetxJ83COadh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220578.526459 Cn4Im3oIZPuXCwbBl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220638.618046 CGvCUk133LGTDCu1j1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220698.513457 CpXlZE1JfmFmO9ezNe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220758.537687 CereAezpP5CfTQdme 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220818.575589 C8ldQR1zcqOsEUFCO8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220878.554922 CvZeCEJYay1Ly86ce 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220938.527428 CTUAHv3hD1FX8aHrlc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220998.547748 C4Badl1Yn0KV5EiZI4 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221058.528063 CZTcLz2NmHcn4ZD5cc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221118.541565 C6VgL03HYoBgYkYcwe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221178.570688 CBekaf1GPCZTu5hfEb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221238.529546 CorcCoU4w4ta7bXdb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221298.524518 CIBpBT20L8Wr5vMz6e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221358.579005 CiFKHS3FlSxbhZirR8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221418.523209 CyeHfv5JsaGfR6Q9h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221478.515248 CiCUSr4CVHoG6yVoce 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221538.650743 C4gVAPgEpkdEDZxR8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221598.545164 CpkdiS3JOJCsLKSJh5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221658.673828 CF9ZRQ3YWkwyOaZtZ3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221718.527284 CVtLls2idlUP7gvVfa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221778.630584 C0iDve2iVKhr0DZq4j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221838.526966 CEpMvc44Y9buZQW9R 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221898.545333 CSznMg1xj0hV5nntTd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221958.534428 CRMyfvgvdHPOGXlY5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222018.583071 CKVSkGTNGUHtVkSih 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222078.557534 CPSiwK2DMpE2jH6Vyh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222138.536850 Coz5244kxG3F2Uwsp1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222198.593281 C4ZIj1N89EJ4eXGG 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222258.593131 CQnl3dyMoPF8TrJKb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222318.816482 CBEXHD3r3x6EhHlQak 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222378.818261 C4qlRm371SZUAlFHTe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222438.632643 COUK6C40KLFuCC2Bnj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222498.589524 C5aYAD4Cn2Ubc3Lhgc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222558.568852 CHBOAd3sRJs4TZG5rk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222618.564786 C1KXFY1d00OW56NOug 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222678.624152 CaqiRv1kssCwKFiAEi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222738.578089 C2ImrtGJ5Was24kO5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222798.596391 CkIEMY2v5zXcCRAK06 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222858.573723 C9nK7T2OW1zdBcXRr 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222918.646725 CyNYn63xqRCtJ0Swci 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222978.538235 
CuxhD94HGUTuDMCPeh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223038.987043 CztBgE4sLwXhmXQ1V7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223098.542807 CtBp2AhjFqcG9qhq5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223158.613896 CIVadw3MmsEwKSXoRc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223218.551280 CsJlJw3gPwZPfiVGdf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223278.578458 CXe01x1FHRzA4kaake 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223338.920871 CY25m12Au0LbTQ7ajh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223398.710865 Cz9mVbJ3mLhtk3Vda 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223458.611153 CBGwJBRTFD8aLOKJc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223519.399189 CkSzRz17ol01kBjlNf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223578.634244 CZLdPO2kd9vZKOmwTh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223638.568696 CEmAHt4Xvq0HLd9W82 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223698.552911 C3838x22eO0vcv6Mgb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223758.619132 CpltvGXeH3DLAPPT4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223818.616998 C3Z4pJiqtIGHawj0g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223878.588534 ChL9vB4VvykErujpb4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223938.560053 Ca5orO1gBdPoGkIAGe 128.3.140.132 2035 194.140.136.34 
80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223998.553003 CcwdAP1q3qj9kGbD64 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224058.654340 CGoZfnZAUfEApqP12 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224118.580976 CULfbN3hEwMuuClQlj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224178.669638 C5CCVa2TESFWWp4h2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224238.648991 CbEhxC3seucNFjJzl7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224298.566850 CNkqdY1uFJUpLHcIfd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224358.578406 CJ5lKt1FBnPOLExVJi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224418.601677 C7tQLt4nj8nmymJNBb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224478.615185 CNndLX2qcoBO1T5h3i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224538.557437 Cl6URq30CgLqZmHbdl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224598.601200 CQrWXaeiNsamnLxJe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224658.584449 CUUubM1kNFUIoAtRDi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224718.714092 Cdm9Cl2oExwyIrTygf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224778.590942 CnKdXm4Tf4ML9ukOYh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227058.642220 C66i3N2Qa1eqAyN8N8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227118.588374 CoXkaI3nBcggoQSFO3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826227179.008863 CRJy7L2YDZXsYxDhC3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227238.597804 Cl2pecmmIw1GjkVJb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227298.642536 CHWRw82poLxopSRDzg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227358.735113 CnflkX1d2USQ4QeAK8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227418.698844 C16ibw2KpRbXYrd0Yl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227478.606937 CFiVSW1o9EVx5N4Jb6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227538.632140 CbGXIX2xTZKRuIZwCj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227598.843766 CCvExA2GM22zrnZkZi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227658.607429 CV5jTHZXiRRacOOud 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227778.631493 ClpAsC4U0tWM3Z6Gz1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227838.700623 CGToTMGh5q3VrJjni 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227898.735615 CfEaWC21ew1UaBmeLa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227958.728618 CoNHfb4cDZSJh2h1l2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228018.837749 CAu0Oo4x3iftOu5dF4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228078.611153 CoysEl2JglWGPKCEF8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228138.664679 CfPVQm1k7F6Fd9dXi8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228198.822629 CXEAGK24uAf1EMpLV4 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228258.998144 Cga10I1NjMZq5YSNWd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228378.685506 CABy0s1rpWlZ6X6tW5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228438.978170 CFIQPc4ShJClVxKPr4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228498.661770 CIYmfgVlNE7B6N4ec 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228558.651863 Ctu1Eu1GyUwEttbbRb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228618.701470 CUBLiE4H0lDoOyqIr3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228678.650545 CdoKkT2Ke5De7MWN6l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228738.665995 CkibYw4PuXuckQflIh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228798.694152 C9HQs14k8DJZQaqRmd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228858.666644 Ct2bcYZHIODrba6hg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228918.714285 CgUlJjlqbB9Kzozkj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228979.077767 CI6Avt2cWWdmpsQnb9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229038.727630 CUn1iH2S48i4Heqnzh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229098.860212 C7CXmL3ysk9qbtIpVl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229160.016217 C1Zh983vVGDE8rpT2b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229218.786701 CwhQVj4Sr6YxoNBRek 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 
1 40 0 0 (empty) - - -826229278.847042 CC1mwWtpL7QIsnIu 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229338.642872 CqQ3mZ3WK7Dpj8ebI1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229458.657132 Cuoe3c3Hv3XA5H3auc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229518.649148 CNm68aOVy0Yxl7tHg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229578.759279 CecHQz1SmJzVmrjLc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229638.661509 C7FoyE15oylgO2D0vh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229698.619359 CdjqSs1yLtNe7Xiylk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229758.681659 CaQnjV3UHc2hg5HvJ9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229818.639541 CPqeCK3u65w4FShPC2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229878.937049 CJIWFo1ifuQFC3myBb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229938.677242 CpIBX42j0JTDLqNky9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229998.670222 CrDPHt2myMadMHRtGj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230058.696392 ChUf2j8A2cckuCB9c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230118.687435 CodUX14FayPV287Dka 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230178.687273 CpYISz2x0t1IB0QTDf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230238.666614 C9aPOm1XvemsGRM5n2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230298.675238 
CwA7AO3h7M0tClfk14 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230358.663380 C5OuLn1RyWY1Cbhc24 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230418.669078 CTrEfQ2OTZ6XwuqzF6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230478.769466 CB7oN32GMSHJRH46Q9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230538.701949 Cts2Bw3UyYSC8eJbw5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230598.701785 COVKbVuLViTpKix0i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230658.684023 CtcBaG9xFLC4GY3f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230718.697517 CEukfh1EN6VBqvS5V5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230778.669049 CwK86z3GfLlLdBtjf7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230838.655236 CgKGYB4pW3vOfMBV 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230898.676545 CMn4xD3x1CpYubrX2f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230958.677362 CY9Su7UUQHd3QxCU7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231018.675249 ChWyT7DaScEmURW7i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231078.648723 CHCWma4mS3ppsLP48e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231138.705163 CLDNHl1Z4OK0sDBoif 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231198.675715 CM2JMA3ZfXFcSbIVb1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231258.652131 CLe3ci30E20BAchq3 128.3.140.132 2035 194.140.136.34 80 
tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231318.682228 CfgmfA4jTr8Y6eLJHg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231378.688895 CW4Csw229iMW5e0Rlk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231438.682849 CeoYqm4Iisj3ozpq92 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231498.666083 Cbr3ZX2RpOAHKjmCff 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231558.651282 COwrPBGIpzPLJeW68 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231618.668673 CNsMUUGQHroPHA8Ci 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231678.701684 C426X13okmzS5nezed 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231738.666386 Ctvhwu1lrpdV6DZdwb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231798.665239 C6b9XS2XeGtwYY87xk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231858.658224 CYCYdh13mKTqx1ydmg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231918.705874 CzzvQk2VG9RA5JUFa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231978.670582 C3qPT62UwGnCqVIHe3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232038.659686 CsBdJ51j1nLK3tl2F3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232098.654639 CGF4CK3UKYLwIPRwyl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232158.749160 CS9Igm4X2rCHxh8EI2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232218.694336 CZVWmQN2v8aUbBLrl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826232278.658067 CiWSbfVPxd3DU1Tkl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232338.689134 CN8vYE2x91ejKzzsD1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232398.689943 CWfGo22Wn4dNhEMG06 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232458.685863 CQwX581RWAcdloUaCl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232518.661313 CcHqZF4mAmTipPOItj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232578.668970 CDbHurHHYzQh16a75 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232638.677580 CeOJdl3twOYDJJ71De 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232698.834546 CB2C6x1g0GQKuoDeTj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232758.673342 CrynIf4rhiaSYubZmk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232818.695626 Cgpa8U1xzUsAFVfqac 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232878.693516 CLSa0ZadTj6WeeEu5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232938.676758 CnxPqm1SEHF2WwWUG4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232998.696103 CXhpq14dW9SZTBfHJ4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233058.672523 CCgTLd2teo52h0Wstf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233118.673347 CeFdYqfRlkaD4rak9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233178.684889 C9mchV3W5GidlSM84 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233238.710110 CMErzU3stNQPLKaMU9 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233298.683598 C0I0Rx1ymjsyaZC0jh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233358.812265 CiKVFD1jyEZMI1gXIb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233418.818938 Cdnacw1CFnnqrlU3O4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233478.726052 CPStWmXe4km0Cl0ol 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233538.712213 CJRkQA3jOwlmlfcqU1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233598.675928 CeEFRd4qMWwv0Jh8k7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233658.821184 CQ9bIuaEcQxsRROo5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233718.692187 C284OX195pTFFffz36 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233778.695922 CNGTy6cxx7ybLF9W9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233838.705511 C7q4oH2DTPedalIPWe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233898.768793 ChBuyc19gI9J1KGmY 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233958.691530 CqDFty3SRyrnf90hfi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234018.686472 Cggwuf3G2K5ZN4oakd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234078.765344 CM7VSScmo8RxJVRq4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234138.676343 CouMIolaAAuU3uBsl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234198.788417 CEAWkJ28DI9nEKRfOj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 
40 0 0 (empty) - - -826234258.724814 CLYTyf2HBOn3UVjHO1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234318.692441 CO6Ebe3kdaK8oiVzs 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234378.781109 CGTZtF4cqefNQf85xi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234438.715539 Ch03izqlxvJxYGLH2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234498.765130 C9I5rZ3zk42R1XANoc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234558.756185 CaU2kGXngY73q9ukb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234618.754067 CTm5e81lzI1LnBExS 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234678.682658 CxmPyngR6MzIa1Eh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234738.705925 CbFrYB4DZH8tDkL0Y 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234798.711622 CMXdX44qcXXU2h79Z3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234858.698771 CEFFYl4SiGIgQVBwlj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234918.694710 Ch7jT14FYeXA4zibfh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234978.883896 CJGat7FcGiecvRUsg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235038.712921 CNatvs4kRF4PKwSQa6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235098.696154 C2NBCp3jV77cmR5Zt8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235158.697939 C6WtsQczYdAqti8rf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235218.836370 CUhe5I3aTm7jZot2n3 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235338.920938 CNFZJ71R8kIIoPNIk5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235398.737276 CcUcWO2v7gHgNp7Q62 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235458.732217 Cb3KX21dAVvTruW5u5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235518.757406 Ck2Rvb2bOsJDxQIHh2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235578.831421 CDI95K1GQpHhlE1WO3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235638.732696 CkQ1G62jdm35jCXtlh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235698.778410 CPVwfY3kLDmu8VeKdi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235758.710891 CXOtEWMw2dl3XsTGj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235818.701921 C96Nem3M5LAE4wmxq8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235878.700775 Ch4s3N255T98eOAbg7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235939.808964 CRfKrw2WpPG0f6YNab 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235998.908367 CkvEuA3A1e1PDP6u9l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236058.833061 CJGA6LrfAhefNKwZg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236118.756764 CxAT1S1sipPu2RSOK5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236178.750737 CR9GIt1uVcCEzQmX0d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236238.758377 CG0N5A4T0LUzvnAdr9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236298.718200 CfXYNY2Gtu2mOvJMAb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236358.744379 CqUr0V2Ejojsue0UB2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236418.820342 CvrWt84lulkHNvYqk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236478.762593 CGb1NjWtOcccF7wwj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236538.720468 CilF4d1b6woayAE906 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236598.720300 C8j5rU2S8wOqxY7Xzf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236658.811881 CuUrLB3Xprhr47zsPg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236718.736563 CpIcgv424hVeESIlv2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236778.761764 CgVp8E3o8WDS25ZEah 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236838.741101 CaN1s3SLGBQ4aYcp4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236898.722394 CLIxGjgqmKhRAW0A6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236958.714419 CBcpca4v5bAbAgFPnk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237018.722085 Cx0S392Jm2GGs57Vqh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237078.810745 C0rM4y1xCN8gaJlx65 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237139.031717 CWTYeZLvhVCqQ0Oii 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237258.752607 CHdNJ23h8TGauylVzi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826237318.847110 CmlD1G1PBWF7V3AqC4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237378.904555 CxD8fj1FHwuZnvlIDj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237438.753128 CpXPjc2FWuGLYIHrq7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237498.727592 CXStoPw0l608HE7Wa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237558.949964 CppWZ13XXmGNWo1sa5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237618.841486 CsOsbJtpfytT4Zwmk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237978.730259 CAp5VrBkO3ZBZDw7d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238038.726230 CdArbn3VkPQ2LQ6IZk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238098.730892 CFQWWm3dCGqvIQuOIf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238158.744403 Cuf8Te1rhfkUe3Ps39 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238218.757871 CXQYhQ1U3eH1eCHbO1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238278.772353 CLd7E94pRH1IAYvYYe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238338.739988 CXSjf889bs6zGkd1l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238398.789594 CmudKn4wcczZ81CgS 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238458.816759 C7cysk1k80rr0XAVGc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238518.761940 CeAngf2WowKEx9bxt4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238578.781285 COlxFa21bPstCyqFbj 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238638.756717 CFLsus24dYUFU43gT4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238698.789742 COPxfr3aAGe1RkBpY5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239058.742858 CkChJz10kLSqA8jzMh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239118.817844 CZLWOymP9apVN0cS1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239178.749343 ClpiTi38HDCVH757G8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239238.770674 Cc6Ywj2npKqeQWf0Xj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239298.761685 CURyWM3JQc50i4uAy4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239358.746873 CPlAAd1glpWofm9c48 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239418.919459 Cs22AT1iDlXjpnEh23 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239478.847061 CX9APc3bZVpG3EOoJ9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239538.746371 Cu5n8i1eR1Uq7cpNp8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239598.748166 CQZgXn37WW1G2MlGkd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239658.781183 CfSvmp2TftQyAmW5Zi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239718.803472 CjVLso4czHP84pCpIe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239778.818943 C4SV4k38RC1OUl5bJg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239838.753386 CLODqD4BvYLZkLD46e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 
R 1 40 0 0 (empty) - - -826239898.798115 CYrTQs2MBgNd1gdB54 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239958.766735 CEePRr28Y2Y1Mk7fol 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240018.815379 Cp9nfP3Ll0DU202fD5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240078.990916 CB1p8vzDu27Xh8mjb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240138.857062 C1cf2A1IEXB6OWP7g8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240198.789568 CNH2dH2ojKinxj8Znl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240258.770860 CSw824rvuPrp6U7lb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240318.877996 CSLQtD1VcMg50oXYij 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240378.759724 CtS0rHoMhL7UNXlk9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240438.752743 CpNVijnE2lWwqFUTd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240498.795532 CjsNda3kT7BMmn79r5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240558.806102 CgYgjg4uU6EPRMKrHe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240618.805927 CGv6GGMohalagEtfh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240678.804787 CSW3Ia4wgHVN2LR2x6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240738.827089 CIocUB2QmNtAt98Raa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240798.758610 Cc4qTzr0Vrfu3VYJ8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240858.757472 
CbTdzs3jEHRNU2hFC6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240918.765106 CnxLUi2KiCwChGAqX8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240978.797143 CQWG8r2dfrbg8LUlua 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241218.771213 CngLM039cnn4Mvt3Df 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241278.766164 CPchod2Y4uAM4sSS9c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241338.777724 CFTJ5k1BeIJn84TMH3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241398.765852 CyZqmk3JlFJTzRoIM4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241458.768609 CvI2Po42hxTw7EWx0d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241518.769419 CUNPU92OvaTuTi9Mn6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241578.776090 CCljqz1dhNjSOwPtt2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241638.772991 CQxarQ3Old0ATLJU34 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241698.791353 Cw0Nu83mpEDdLy8MC6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241758.774582 ChnNNF3g5zHZRnTnB4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241818.771469 CuuVrm28b4g38DwYsc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241878.863055 CMXwF2rCJiIRPl6jd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241939.284125 Cvez3u2SD3arHlyAhb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241998.780750 Ca4smwv5Bm87TV2Tl 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242059.025161 CPm8hfqbQLr7uupN8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242118.790175 CpkkHm4vwb3YqzXCZf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242178.788064 CfjnpA16loSFIdknW6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242238.835729 Cps5Az3rXyb1nHevh1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242298.779917 CXmQLh4nwA2enaBMqg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242358.860709 Cw3UIy3L6yJtxXSNa2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242418.804890 CZKPJ624uO7F4s4uH8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242478.905255 CqPUf01ahHtGb1RWvf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242538.810416 C0KvlV3xhBAS0TjIDj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242598.786827 CyMvF62XUvVdRK9MI8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242658.838395 CGOfGiDKJQjG94tMd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242718.874347 CwA19D3CGPf5cw6el7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242778.838084 CTR9yW1pU9hdggZRuk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242838.787168 ChvW5E4jKCLmJGFNg5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242898.920704 CjJLKQ1Tjc2vp8BG8a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242958.863934 CsXjRw16FavgTXwrbf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 
0 0 (empty) - - -826243018.841315 CUCes41sQHFSrH1ZEe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243078.829442 CH3IYJ2c8Jen6r8iV8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243138.797073 ClE3yWP7k1x6qEyPl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243198.790087 CDMnmw29INxxeNQYE5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243318.790753 CNncBmG60jrMYE6l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243378.939943 C8eX4r3Cp2UPufTe1c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243438.803122 Cgt8oPuPHbri1sDsf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243498.837082 C0tU0J3qBSNPZvvCs2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243558.806671 C8KI9R1ifxBOWmcYbk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243618.902231 Chmysb4fi1r6OFHDDj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243678.799713 C0QO6i301914TaOGJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243738.801488 C1ORxn3XJz6yGFeo1g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243798.797409 C16xpV1tjLQ8icxRRe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243858.808938 CEMDMT1e4PPAuvjdM8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243918.824396 CIUQGp3FrmzWVrNbWi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243978.811537 CmQYii6kvBaNTuNVk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244038.808443 C75hcC2LEEqHPcTGQg 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244098.843419 CgOLAF3SB0Iuo1RoGb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244158.807117 CdThD72YLnxl0tAhx9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244218.805965 C7pyIc1SjyxmZqpP2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244278.871193 CG40jK2kO1NXwdRjlf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244338.832976 CFT5QX2NGkWvDoS73b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244398.829901 Culfcf32j5G4hy5STj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244458.854146 CbyYXp3OuxgvSs1rnd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244518.802259 CX4BSWvxCOPQSsoz8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244578.812840 CJU0ts38Nm9alT7qOa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244638.889787 CmNRTy2A3u7dm89xd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244698.804714 C0iw8dgSzn6Lt2l87 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244758.866022 CaRZ9m4zUs222cMaf6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244818.840494 CyNxcw4xw2VLy5xqM9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244878.841322 CdRhWT3WJiNJd6yI4d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244938.838230 CCZZib3Y9pjgYtJW2f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244998.816588 C2lPJTbmBFDRGZltf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245058.821315 CBNXBD24hjefp0LZkj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245118.812373 CbnyaU2sWQc9hrOFsg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245178.913723 CrSfRNn9Y6TpKSYwe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245238.866722 CfcTNZ3VzQGbNyOYm1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245298.921238 CnrF0h45yKF5cL7XQ4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245358.819586 Ccw4T01sNMI4v5qGs3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245418.830157 CxZjbb1da9hcaT6Bt4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245478.863177 C840ag3wJtif3z9DV 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245538.856182 CoXTPA2KVYz9zNYlib 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245598.824786 C92XxR3BCHdnrMocM5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245658.816823 Cvjzja4a0xIU8nOkg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245718.819596 Cadfsn2NN5nFfCVO97 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245778.876048 CT2pLJkKDfRbdDUWk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245838.875872 CgQAlXJSKaQ8YnvPg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245898.863029 CQLrXR3icdsWYVPKg2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245959.038160 CZxRwdVLWuciheCb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246018.825643 
C90m229PgBu1jrrF5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246438.824533 C4Evyd2E8m6d4Xhqsi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246558.835921 Ctt4oD26CzPAWcJQCl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246618.829895 CAVH4i4ZVYN0WDoo27 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246678.850235 CGiOCL3c4KjdZuXuff 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246738.830559 Chc8Fa457qFmtuEYY8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246798.832344 CKMhv2oB2z1eyRX6d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246858.832179 CSHS0H1H0rjxicgcAg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246918.902298 CJuvoE1YyLGhjELqf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246978.837724 CMdhHL152FlWWz9vr1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247038.885394 CJfYiM1E2zyHG1NoGk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247098.844228 CDvkJz2zlMjW4EqRb9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247158.856738 CUozuC4RUktVWsM4C1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247218.840973 C4LIRIHQPjU6UiSOh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247278.845693 CkW4Mh33uCHmIm9Hdf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247338.855270 CTjtV749YvoXcl8Nd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247398.872668 CFEIoY1dUsibWoByJ5 128.3.140.132 2035 194.140.136.34 
80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247458.842250 CgBkDF4bRECntkASrc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247518.845986 CWSdwH3KEQ3oqHyRAe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247578.851689 CRwYxf2x9mIXyPwkJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247638.844676 C6IE5b4s4Qoqk5pgni 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247698.862067 CxyBM33gWvfqTVKzb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247758.911671 CogwD74Lz7PMpUif8i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247818.879290 C93l5e4yKVetWUxmIb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247878.855719 CWKen9tbdg32AFm98 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247938.917065 CeCoMC2Dl66C9enIj2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247998.846648 CQnCV1iF8YjETdeQf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248058.850394 CYmjX01wozt3Bngyne 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248118.853168 CvDeSJECATHoiOMig 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248178.851054 CcfaGF3WOUkVaqaPs2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248238.858695 C4yqWO3VAbIxES2rH2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248298.850725 CugL4P2LP2PttPSKNj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248358.853490 CCWbyI1qxx4x5p9JCf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826248418.885526 Caiz9z3pIV3Vw8bLA2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248478.865847 CLlaSu3305zpdumq64 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248538.858860 CgUrgP2EUQhnVU0mhh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248598.863576 CFS3FG2WRxrhm1dYj9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248658.858523 Cu46pf3vovzIOnRuGj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248718.861298 Cg6txW3WQysgx9vIN 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248778.859179 CWV1P3151cMujgYXRk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248838.870699 C2cQQGuP8RfmlD1yg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248898.875419 C7HQwd40e8TI0qTbCf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248958.899648 CwddlB7WvzDnYFgOi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249018.864386 CEDuC91bJvWJYKl6d7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249078.867101 CbmmXy37yurxWpeoib 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249138.866899 CtooJF4JHtk2Dew0Vl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249198.876445 CbCZuG4MmggnzhJmL7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249258.863540 CLr3hj4nHaqHaIRjSf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249318.949260 C3LL3aI2IfjynCCu5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249378.880778 Cn15F21dn89NwMjUjh 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249438.919666 CniUKjRyvTYk6WBv9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249498.916588 CghlGU17ItoPIDGyn1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249558.883238 CJVKIq4FzEOY3CJmfl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249618.870405 CjGaO63WQ0GHxJJSk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249678.869265 CMI1IP3AFxaLd0eVOh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249738.875938 CwrX304jrMjLIeAM5c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249798.879699 C3Mkiu9LkW3gl5KFc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249858.873691 CAzVmk2t7tdRqXyzqk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249918.969767 CeI5mjbpx6OYSJkrd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249978.872403 CWMQeA3cuWTnRkxSKb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250038.871257 CBjDGy2vGTS1KryS56 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250098.889646 CuSlgI15ZcagsYuCRh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250158.872911 CiFQosvqoGjiz52G2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250218.873732 CuQyJQ1xb6qBH5mv0g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250278.874538 C8BMk54ff2CdTgLcB4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250338.887065 CRoARV3xDWYArG9vL1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 
40 0 0 (empty) - - -826250398.879104 CETFoW1N76CJjEjT9d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250458.879920 CTeOjNzx0LGGuuKX9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250518.888560 CO7Hw14t1CywZ0yUwk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250578.898170 Czne8F2sr7nAi9C5D5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250638.880507 CqqsZIhawJagd7XAa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250698.881338 CIdqf72xgABNn2nYD1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250758.997899 CcyrTu1f7iAFTnrVl5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250818.914243 CrozhMW1WU9fALA72 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250878.887750 CCvsjuhEYzjznKVi7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250938.889540 Cvx5Qs2kADc9pywrK7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250998.908891 C4wohC17dIkpiAbtv2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251058.901889 CM5Lx21gZyMpPtOOob 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251118.886125 CM4rP44To5Keaj6Xbj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251178.894743 CiLI3a139hB8I8ntOf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251238.889686 C4henr1eVw3EMMJQBa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251298.908089 CzhrlT2CAXztbzeFmk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251358.887436 
CifFNK2knaMKUFXnH1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251418.918515 CXMQFe5QDnd36lRki 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251478.896887 C8bErJ3q2mS9xxwSwc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251538.901595 CDkOR54icnCqIB0tN8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251598.893636 CJkGixVUU9nbF8rue 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251658.898345 Cb2zqa3PSKO9Zh9Ull 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251718.893305 CQZ5a64bHSy6ZYaGoe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251778.895096 C7yRPv4jexg8uI21ki 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251838.895901 CDTQan1SsGgBKte2ld 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251898.895715 CLv8H3vjbMwHcVIJ5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251958.894582 Cq817s1MTFzkHnmih 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252018.924681 CO4vvcBZfWsIRgFBl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252078.901098 C5cF4Q1gr9Sq1DIJw9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252138.910683 C2XXQN3HVBDKRX09Ui 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252198.907574 CM6mii17UPgzVUOOSb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252258.903484 C1miNmjS2Lo1RG2l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252318.967273 CStGtB4Si077kSmnP4 128.3.140.132 2035 194.140.136.34 
80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252378.912848 CNJBsF4nhSDAXQ9An1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252438.926355 CVDp5B1mDeUv2LkX22 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252498.905693 CD7fKL2uNfgd9JUnv3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252558.902612 CCK6ws41WuM7BfinG3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252618.908308 CC0oNM20B5fEE2iDJd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252678.907164 Cot7Du210ANamYj5Uf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252739.201367 C8eIdf2rXg9IZJGZa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252798.934171 Cz1Rx629LLmmyzvfF3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252858.911565 Cl9UtTOVQpbj8EQbe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252918.920173 C1vTL64Gr0Nv7uAH23 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252979.015256 Cd4UghVP1yZSaJmh6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253038.913020 CegO0K37XS9XyGQ0p3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253098.913839 CyMu0h12iZg1usDPM6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253158.920496 CeiKu03BGkM33M6hde 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253218.912474 CuXCbU2pPFsSsDgG3e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253278.914220 C5R4aj3pNdq8ur7KJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826253338.912114 CL8AQ43cVT3zg9mXVe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253398.914923 C4CPZlyAhV7lzddu3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253458.918705 CBbEFo2iNwrO3EmNn4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253518.917565 CU6agx2rD4wFNvYzF3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253578.920324 CNf7VA2g9xKfDq3oic 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253638.927971 CWba3C3KcZdjT76YV6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253698.918042 CVukb93tlV2MQNu2R9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253758.960352 C2kJEa2bWgLLSUMV6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253818.920563 Cc0EBI3i4Sg2p5V1B4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253878.977586 CbHKU34s9H2DTlSin7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253938.921223 C79vGi3WgsbTVBMGYd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253998.924959 CjpfZMPPll5f3aMO 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254058.922838 Cy1NOD4AzXLyEkvF96 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254118.925608 CgDsU32KkitFRq5lKl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254178.921518 CcMyDA4phiU99YuPj9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254238.924237 CWYF7J1GZoiMLC6p09 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254298.945549 CwzvDa1UBD9o0gY6l 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254358.930755 CTJexFQEEX6Q6Y147 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254418.931575 CuURcXPy9Yf3fffp3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254478.927493 C73nFd1kHhSg9H0we 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254538.930243 CbJW752k4xO0AGgb86 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254598.927136 CEQVKVBDKRxjES593 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254659.050546 CBWXZk44HPgXMc89P2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254718.934655 C8cd7s4s2BP6B2fJNi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254778.945240 ClH5jbDR1LYIRXd71 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254838.951909 CaICTV1ibR59BsqEjl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254898.945901 C8SJ9k39WeDEkTYoO3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254958.937938 CtUWcL3TWvF8KhVem5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255018.934852 CyloG21FfI5ZrMVFn2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255078.932744 C88UNG2NmUgRCRsNue 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255138.978058 CLVT864ykyCrW11LY4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255199.037442 C3IHPG3oSm29zc3p3f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255258.943011 Cw2LWlnnRKp1pyz1c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 
40 0 0 (empty) - - -826255318.937976 CoZu1c1NzNQYFKmJKb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255378.936804 CEpktv1QzqZ01hu1Ll 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255438.942466 COLt8K3RVsghUlwwlj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255498.945244 CPNrE51wE94CGcz2y2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255558.943115 CrHjBv4IxQageHT2hf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255618.940043 CakBqG2eh8LpGPpMie 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255678.939884 C8OTyM3QLLANhzAhS1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255738.946546 ChJeRQ1Fk8dImYddYe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255798.959638 CZKmJe3BZnVOLOScJg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255858.942307 Ck0ZIns7FRqEDteY6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255918.943103 CEAAeHq9NVabX7dsl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255978.952270 CRSG7beuuCV4Awie 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256038.947620 CMGTqYUKMiEPlDu1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256098.952922 C7N6YdogWVuNPxt5c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256158.947284 CHmJal1SqsPRLYVucf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256218.950572 CGV5WX3XamXfeCPIQ4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256278.950427 
Csdqbs4Gl2KXcYu4c3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256338.948722 CrSLew3moViFbz1qm6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256398.955968 CRWY5P1O5XpXWdV5w8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256458.950944 C6t8vm2lI5YLsixcL 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256518.950800 CSkk3F4465nT62JjM6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256578.962348 CySinR2Ukr7K255cYk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256638.958265 CSmiWy2ijhhZYx51aj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256698.966875 C5VCTW1d4Y04IFrmyd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256758.955000 CJHfOa2essjP0bgKz2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256818.981197 CgqUvZ1nEsLTpeM14h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256878.965414 CNHO3k4NgRtiR9LGg4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256938.961351 CvTDqyv0AzFZYhvYa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256998.962186 Cwl5An2Zl1KmfDmeuh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257058.977647 CrPiC82XSrQHnWbSX8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257118.972604 CEqAJrLp6vnKEWMSe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257178.964625 CU1iZ02xS6oIywBvre 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257238.978134 C0xJcY2DtdXEexKa73 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257298.961371 CqqMfq1eRUAlRBVTil 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257358.961204 ChPlIQn7hT4ielqD4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257418.988368 CPzlHT1W7t9ae9GYod 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257478.964774 C8L93h4WLd8rzjnDk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257538.963626 CUxHYs1Khzuo2rNPrc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257598.966389 CeAk8k1y2fNlUN41L9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257659.124337 CNrfn43LSwXw9bRMT2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257719.025602 CzgGhXxDgtHrQx1Cb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257778.972750 CPCuNh4yfaVBf03vwe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257838.988161 CujTOp1hfr9YtLUL77 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257898.970378 CMfhB12Y3M2xmf2lUh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257958.970224 CMSugk33CuYdOCnrj2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258018.973008 CQU75q2w6MKlL7TOw9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258078.979685 C0jKCV1vJ5dNrFbKyj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258138.973686 CGklVD3bA0Y144Jsd8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258198.980376 C6HGJp3SJ9z8NWIWue 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 
0 0 (empty) - - -826258258.974347 ClFEx44Cxokti2M5a3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258318.979060 CeUHgQ10eSfaPljB8i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258379.042341 CtHB5M1FZqEMBsDqmc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258438.981621 C3gaJq28J9Z0bJwkt4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258498.980480 CGaqMT2Bkznty4vuRj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258558.978357 C9Kktu3h8egsI8bXul 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258618.979172 C4bhw0253RfFe8QQgb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258678.982917 CkzPML2sTaC8EpDQq1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258738.984715 CTFVYg3F6kPgvvigZ3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258798.979677 C7alhG18cdswwf49B9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258858.986344 CnwiJo3C6bzuaTB2Ng 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258918.981304 CQZvsX2MZK2MLgB8W 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258978.987979 C6JDfkEbDcWUF325l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259038.984881 CRo99W2oC6tPJyIqmb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259098.983739 Cf8KoB2oIsPLUEaLTl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259158.983560 CjsgRCNRaU0bXmXO6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259218.984345 
C98t3N3vGfFxouiY5e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259278.997890 CeJaoEsgZUUehqGXf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259338.990890 CyWDN9mnZGMJ1saLe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259398.988756 CvZPT62WfToKxceyEf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259458.988584 C9pfbjOVDc6OP6iY9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259518.995258 CkO2bn2PlAVTlrXvra 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259578.992149 CgaS9u2aLx3wKaTlml 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259638.991957 C30LxW2Th1gjujVr22 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259698.999553 CcEJR83FsF84gpOd99 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259759.002304 CxSX2XRSWdjDgyNz6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259818.992412 CWwkUh4P2SNipqOgL1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259878.995197 C2ZaFAfQnfzGByPC7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259939.010645 CxQLCs4niKD8U6Pz9i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259998.993883 CxCf8J2esw472Ielw 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260058.994683 CuaG7w1ufkC6A9gtFh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260119.000360 CPba6z3CUAMjAVWIk5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260178.997278 CfYXN8RcLJE1ncGsf 128.3.140.132 2035 194.140.136.34 
80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260238.999066 CtwsWy2janmDrrsrmi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260298.997944 CCBUYR130FjWz8Bg6d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260359.003590 CSlCZo3oIlpqVFvL9i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260419.002447 CuLqt91wSykza0MUr 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260479.004239 Cr6BDA1u5j3a1jfbMf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260539.002119 CznkyN5OS360c7fzg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260599.000967 Cjlzzx3hDTXYwCCZfi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260659.002741 CBlqmd40gboMM18XRj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260719.004517 C4AeuTNzLiWRGK4Te 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260779.009235 Cg39xa3V4NdPUzWJP9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260839.006152 CdN9Ip3sqmcRtT6c06 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260899.006966 CvrdKi3MZkWWOHzZba 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260959.010702 CsA0Ka1rED2oJVwNh9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261019.008568 CoOuCA3ocam2A7NYCe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261079.025985 C8ECoi1gSfd8MF51Vi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261139.007288 CaRKSZ2vQuFygUO8mk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826261199.011013 CbH8HE1wAvU9RKMdOi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261259.012811 CaWQM53kzXuppddTD5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261319.014622 CTGxwZ17I9IK4IPe7d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261379.010557 CZgDR43jpwQ9wjb3d4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261439.011374 CsA5eg2ZCIorZpTdT2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261499.012190 CGIniW2GzJdP6AIbJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261559.017896 CHDTTo3cs7h0VcRLyd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261619.030434 CLPttK3P6NNlayture 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261679.015624 C8XeSi2ysHv635JUMb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261739.021299 CpApEnPgUSa06tsxb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261799.057228 Cln6984XP6WQL2a6jh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261859.016050 CqEAVT1aXMorGMNSvb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261919.024671 Cg2HHq2uL1cpzLEWOj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261979.153343 CUrs2G36GBmRYMAeUe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262039.022404 CYJ0oW3tQfJQCAst1d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262099.020289 CN8aXr1Q63uhBnt3gi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262159.032811 CwFpNj16f144BTWjI3 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262219.027774 CKUInZ3I9NXuVRJ0Gh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262279.032466 ClDE4n16xMQPvjODEf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262339.024512 CML1AY3hOt5zvH1TT8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262399.022397 COlSNEF18pudbNONd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262459.037847 CYE02G18YwMa6n39k9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262519.025947 CALuC816KX0SuRA93k 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262579.053102 CLgXhW3nduerCXCJZh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262639.027550 CUuqeQ1jV5e1C0hRW1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262699.027365 Ci8Hhb32NQGkzEhQxb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262759.030118 CiP0kcArU4JsR0Bg9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262819.029939 CxrLmv46qzXI9L3Wad 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262879.030732 C0CuYWAzapH9Y1N9h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262939.031549 CDXH4xJCnyb5tOLii 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262999.030389 CykG4n3Dxwvrk8ST9e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263059.037025 CYbdBD1xNg67gOWIHe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263119.033946 CPEstI3RgL6nRsJ8W5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263179.033778 CGoDMnzCLhEMKVLrc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263239.035560 CVPyZY3yBTgzZRquV3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263299.035377 CQghfc2KfUgjWFzIp 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263359.038144 CHmtZi4dWdmwAF1le4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263419.042855 Cr9A2y47TA7mm1zpt4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263479.037751 CnK96q4UmUem8G4KUi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263539.036572 CVKsXw3ESdgONGrYyk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263599.037390 C8Cz1kEKMFmaBpwFk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263659.120188 C1Oihq3c0CnGxnsyb7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263719.051695 C8e6AA3EEmfxrlaA76 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263779.062263 Cn8XC64o03t3dm0UYe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263839.039643 C1gS9LiwgpfSE6c1b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263899.054120 CaQlwk3hIHyw5CbUT3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263959.041272 CANA543bVGTX8nPqc4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264019.043036 CDqrws3sJtHbatTcof 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264079.045815 CH9Ezw4lGM8yAvG9k9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826264139.057337 Clj6pF1D7hB5fnMBg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264199.045453 C3TNnl1P9wFMmMTNll 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264259.045283 CoeZek83RtKuXfxN5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264319.054863 Ci3UVZ1k3npfds09I3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264379.061528 CuMnFP3678h2jQ7ulh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264439.057460 CenkCO2hmdyEL8FPKg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264499.047530 CY2fO53hF8GwkyHa12 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264559.049322 CGJT3l1VgeuACrsEr4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264619.060880 CPt6WNG3WWvYoglu4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264679.071437 CTNsnW3LZuKQ7ybUmj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264739.055629 CtPqGp3ivrqkDfCHW9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264799.057424 CDkrrE4xRnuwaOYzB1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264859.057263 C9tgDs41wRFwrwMHDb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264919.058088 C9VusU2DYszWdN5lv2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264979.062782 CovX3L36kxML9jD8Ql 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826265039.054836 CK3H7F2i2EFuRQmHr8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826265099.056628 CcAWbc4k7xJ4cwzFcj 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267019.094978 CDsfJ83mBfShtP3ra3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267079.081091 CtA8cD3dbZbDyD3ggb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267139.076009 CIMc7c3MIoZBJIrN8l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267199.081708 CxfzyB3K82Ybv72ug7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267319.084284 C4BrGE1jIIuMPtZJjk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267379.081202 ChTknA2H7Dsub8YRxc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267439.082032 CFMigc3cSgZsWMpKff 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267499.082824 CLt9861h4kL32m3j7f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267559.080678 CZz5Al2VYRjHdflA8h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267619.117602 CI8Whj2h6r6LcSfVub 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267679.082308 Cj7NVNNrbAqyXqUw5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267739.085073 Cy6tdt3KfDywtI7Ob2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267799.084918 CrAxoy2GoejEATJvDh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267859.091594 CwaLTn4LXluo7UvqTf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267919.092401 CZqwGT2kwjPGescsFe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267979.095153 CFKxJC2R9cBSw9fpjf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 
R 1 40 0 0 (empty) - - -826268039.092073 Cpso3f36rgNdVupv79 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268099.101672 CppBrMUywKphAbms5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268159.091753 CkGInR1qK0eOnMHvkc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268219.127714 CyGCzw47PTvCscGFQh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268279.089493 CKRgKA35Bl8MptEZ98 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268339.241580 CidM6JqQOb2FHVtUi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268399.095944 Ci9Qqo4Mqhkhd7qFZb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268459.097696 CHY8RiUHiFhKhES27 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268519.100469 CjBnuMqmiaV3z7i7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268579.100299 CAZ39E4TQkxd0lBVNg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268639.100120 CLuA6a3JjPP1pqXDgl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268699.104832 Cx3A5Z1dvTDKH5xurg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268759.094878 Ct5q9b3OYGNtBKVNSb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268819.097657 C9WYFL3vuvOx7uhvxg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268879.097488 CPMkCm4JEbNgyx5Ewd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268939.103179 Cva7PE4j6kICfsMksa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268999.132280 
CPfswM1AJyRPS775mf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269059.100881 CVLcgX1RZ13gUgyf5h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269119.099763 C42eDo2F7NJVIz04oa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269179.100583 CU2ANA1Yt4ObqJFRY9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269239.111149 CX3IPy3pUxul2z02q6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269299.439902 CcoTmD3IHZnRv6mtOi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269359.264070 CGT6YF1SsJIs9T9lnf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269419.120439 Cqlwx01oD12uO94Ib8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269479.103684 CDLOMy2vjf76gI0rEb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269539.222577 C1YUOM3kd8rSJQYu4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269599.267269 Cu3NBQsaY2BAcBVN7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269659.148995 CUSG2v16HRuh7yK0S8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269719.104862 CJ0hRn2MsrZOv31smh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269779.127139 CqGMy32Z8uKHOnELh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269839.115267 CDWB1b1haIEHVS9sb3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269899.113179 CRAZht1smUfIWWMRsl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269959.112020 CBWnVl4AhC2yViYHq6 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270019.108940 C7viQw259LpLw1bef1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270079.151713 CWeakb4xAgF95QleOe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270139.112488 Cay5bn2vtLHX9KwOje 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270199.132810 C5LNRFqO8x4l43CF4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270259.112162 CIhkRr4eHA71oq6BC 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270319.135418 CTggH82xFpM171oygh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270379.141103 CNtx0XvYoJ8ljgsj6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270439.127287 CqKkoXjDIKqwN4xp8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270499.117371 CN5oXL1vK53j2UehWc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270559.123058 CyVWZ63RmCoT7Jda67 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270619.126776 C4wshM3dMV4pJySvXi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270679.121718 CDROSq1z8LAIXNUmhk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270739.130345 CcXZsf1GB9mlwwT7F6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270799.119478 ChGADDsCZhKs9BcFe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270859.127121 C5pIAZq3OcXUdJVx 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270919.123056 CVxCZu2vfyEgzJTSZ4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 
(empty) - - -826270979.122865 ChhFkQ36rFvb52Ye61 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271039.124649 CR6t1A3SZnlSLUonm7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271099.126441 CHYPfS2TDpyiCxWKY 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271159.258051 CpjaKw2UzL2pMQIdsa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271219.127113 CPiEgIQRKv8QZLRWf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271279.124989 CsMqt73dlmRROjwIUe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271339.312208 Ca9ZmG4i82iE2d0YR3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271399.140270 CxR52Y3GzT5T7QPGrj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271459.141075 C0m7qm2cK3rhFZySFb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271519.250200 Cq4vle2OoD0gt9mBd6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271579.409125 CiEIqD3A03Z25mZpP1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271639.133701 CcxfVg2FUarIYu7CT7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271699.173537 CkftvZ2kq3sDL3Kco8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271759.143099 C9nivj101nFcyZv5A5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271819.143934 CtefJ6ox2Y36z8fU2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271879.135946 CJjRzu40yZQmdLa7af 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271939.145541 CdEhA81a9gr5DFlDK8 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271999.175638 CpN0AM1QmlCca61py9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272059.134518 CEdPh92zmv83S2Nkl7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272119.147027 CN4lI43Zc9ELnQbdL9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272179.165321 C3cZ3nRZ7QcfNlcA1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272239.165094 Cfd5UC4SjyBeRgJLE5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272299.148322 C22vJE3gkYDqoRi69f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272359.146201 Cyv1Q53irT6Dh7AgHc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272419.156786 C3UJgq2A2RTuKRgt23 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272479.147862 CchdFNQuAo3IiP823 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272539.253121 CY3Z1SRmzjBaIwPZb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272599.142672 CzZawy1pgVAgYUyYKi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272659.190310 C3sEsF3VPXkvtnrzU4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272719.281883 CiRblW13ZKi1thxWQb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272779.149966 Cu35wahBF5Imcilk8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272839.205443 Cm12m71K09UdwP4REb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272899.287243 CFwye24v2TzbFWF6h2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272959.229489 CDWNQu2lmBr3AjHR5l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273019.146353 Chn0u74Z84C8gRRMk9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273079.280873 CvBNEh2BX7uj2WBB4k 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273139.194825 C2wkTtkbOqgitNpie 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273199.225903 CqelPd3lByl65cwW0i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273259.252096 CXXaK91JJmd6qlH3g2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273319.162128 CeyA8eddGDVUGHUud 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273379.159026 CDavIt2ice9TjDxiA3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273439.171553 CkmozifGdEBYaNd2a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273499.155754 CRFhntGpfiLw8Pv0i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273559.177995 C1dZ433UvCCjRtEjzl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273619.166103 Cw2cfZCugd0Q63rI6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273679.164928 CK4u8R36tgECdnBZ04 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273739.212569 C6sJ4j3d8WLg8YnFO7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273799.387098 CofNlYPxkrXg6WnY1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273859.390835 CSMq1t4LlwsA7FZxzc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273919.382854 
CJXpd22FaR9f85tITj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273979.901520 CnKf1OWDIpFR3yip4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274039.467417 CjIFm71sV0Kam01oac 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274099.227156 CcdNPj2qOnTcLkcNej 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274159.250414 CdMKxC2TJXnB2ycVhf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274220.639673 CKByou4dCuNE1OUoPe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274279.311579 CAUTzU3lsdTflOr7Nj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274339.187456 C7Ur701fO8ULRsKar 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274399.171677 CeBTMV30QJxZRtURgj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274459.276903 Cczxwh2v1MVpMCkWf3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274519.208411 CMgjaQencP0Pv3kqj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274579.166270 CAcVss2KDF0ton5JIh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274639.178783 CBHupf4ZYdpKEW6qc1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274699.193243 CVm1PF3PnRHFuJuSKk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274759.247733 CA9q8t4O0VUp7uhQWl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274819.455453 CcpP2rwrG9PfcdDki 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274879.173217 CZAGCb3Fu0tfU51eD2 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274939.183773 C3b81P1uqoaf5M4IXi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274999.291933 CFjfL12CkVQIBjKvb5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275059.171716 CIuGzw4zzngxgGtPed 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275119.176430 Cf2Jq43a5S93qH7Cx7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275179.189919 CTMTvD2czD52f1cpS5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275239.245368 ChIy11cKIY7wF59lb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275299.176864 CS6FIu9dD05jdClR8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275359.180574 CnNZty15Hqn2xhgJGg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275419.174541 Cn8vaY3NVNZcimP1K2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275479.181199 CxBtUd3YCJxBhKCNV6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275539.177143 CpBKFj1oWgquf8Jq5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275599.302874 CQSFxVDVIk4IIuHV4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275659.277325 CZUtzG1SNOonX286De 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275719.190276 CbDLnv3P4wxNruySI8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275779.245738 Ce2gy92a3Zdxn8U5Q 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275839.184073 CAmLMR3rs3nnp7BC7e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 
0 (empty) - - -826275899.188765 C9ni9syojCRMsSjzd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275959.183704 C0B0K22KRamKeoqSz6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276019.182550 CY5kdp51F3oeCijJ9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276079.189208 CJKWcFBAgZzVVtF03 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276139.187077 CY2VN44UarHiJwjbg6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276199.201536 CQxEWi1F3d6K4qjmb5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276259.191597 ChX0Vn4uasaGJIe7Fg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276319.218739 CxO0Uf4uUDyFU7u9l4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276379.186349 CzY97244I3S03VcMdf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276439.283767 Cl1tlc2gLRTcw4Bcw7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276499.197714 CjhFfB1x1TpkFpuwN 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276559.229740 CrGRrI1ZI7AGukEkUd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276619.195407 CHkdVF40CArtrW2IMb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276679.191323 Ch7MMq0yqytJoNWpk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276739.195159 C8INLO2H6kVl0oKAEc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276799.217455 Cax5UJ3dNqfI1V9N38 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276859.244611 CavCYn4sbKc30BxpQ7 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276919.195650 Crf81W1wnKqCkmdQQk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276979.196463 CvGWHB3BSp1gpHFFKi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826277039.286081 C0Q2If35e26kj6oqL4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826277099.213676 CviTe74vjHLLx7AISe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826277159.197878 Cf0ZeH1gKEDckEkJV1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826277219.225014 C1hQrk1L844cx5tTNd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826277279.235554 CBP3Hu4RKc79x58Y2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826277339.221727 CUbAnm2k9C1iEtTmgd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826277399.202051 CkWokd3nscpygp5lIc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -#close 2016-07-13-16-17-25 +826191058.128321 CHhAvVGS1DHFjwGM9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191118.129144 ClEkJM2Vm5giqnMf4h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191178.297416 C4J4Th3PJpwUYZZ6gc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191238.140114 CtPZjS20MLrsMUOJi2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191298.137032 CUM0KZ3MLUfNB0cl11 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191358.243247 CmES5u32sYpV7JYN 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191418.144505 CP5puj4I8PtEU4qzYg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 
0 R 1 40 0 0 - - - +826191478.189218 C37jN32gN3y3AZzyf6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191538.242710 C3eiCBGOLw3VtHfOj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191598.142982 CwjjYJ2WqgTbAqiHl6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191658.206258 C0LAHyvtKSQHyJxIl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191718.141676 CFLRIC3zaTU1loLGxh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191778.139555 C9rXSW3KSpTYvPrlI1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191838.160870 Ck51lg1bScffFj34Ri 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191898.207550 C9mvWx3ezztgzcexV7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191958.161501 CNnMIj2QSd84NKf7U3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192018.156454 C7fIlMZDuRiqjpYbb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192078.143576 CykQaM33ztNt0csB9a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192138.157070 CtxTCR2Yer0FR1tIBg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192198.209621 CpmdRlaUoJLN3uIRa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192258.213369 C1Xkzz2MaGtLrc1Tla 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192318.168316 CqlVyW1YwZ15RhTBc4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192378.142768 CLNN1k2QMum1aexUK7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192438.145514 CBA8792iHmnhPLksKa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826192498.211725 CGLPPc35OzDQij1XX8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192558.254519 CiyBAq1bBLNaTiTAc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192618.151880 CFSwNi4CNGxcuffo49 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192678.152689 Cipfzj1BEnhejw8cGf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192738.148612 CV5WJ42jPYbNW9JNWf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192798.184559 CPhDKt12KQPUVbQz06 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192858.168774 CAnFrb2Cvxr5T7quOc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192918.151045 C8rquZ3DjgNW06JGLl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192978.149902 CzrZOtXqhwwndQva3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193038.200491 CaGCc13FffXe6RkQl9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193098.159328 CNdne23ox8SQTgPoy3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193158.151344 CeGt004UBsXLoZSeCg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193218.158016 CTrywc2ra7tcWn2af 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193278.162718 CzmEfj4RValNyLfT58 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193338.440718 CCk2V03QgWwIurU3f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193398.155563 Cgc67J2CpHIVN7HAw4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193458.258855 CgwPkWkJfuBIJsNi4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193518.163043 
CImWJ03GsvPvA0P67i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193578.166776 CKJVAj1rNx0nolFFc4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193638.349114 CD7vfu1qu4YJKe1nGi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193698.277702 CWhRtK3eXodviHmbo7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193758.259000 CqVUM4vyqCacqFiud 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193818.167095 CudMuD3jKHCaCU5CE 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193878.266468 CRJ9x54IaE7bkVEpad 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193938.404902 CAvUKGaEgLlR4i6t2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193998.202719 Ck78JG32Y4I7AGp7Vb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194058.784259 Cgwg7Z1MHA1YkiZmm3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194118.356593 CDNchHwRoXhVzzHB2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194178.167100 CeP1sc28dOzbbYkbA 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194238.165957 COOKv01AQPAqfGMN9k 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194298.195067 C0JEpR1Ij6308CwEhh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194358.251498 CQcXCjONUKqMfnhXb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194418.279634 CVcd914ZFpaUisaVf2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194478.176984 C5pL731XEkARXOq253 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194538.254895 CB0Ovs3cNZgLQ93FSh 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194598.272308 CM4z3Z2rdNfyHYQ0Df 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194658.273130 C1dGa34JRiYAKbMI0c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194718.258333 CtEfXf4f39NRDu1Dr4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194778.255249 CdY2UF17xGQ6lUx7e8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194838.176031 CkD1144ZtRYffh5zjg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194898.187592 CbI5Qt4rlFnOHuL522 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194958.284053 CjGaD11BLkmCG5cEVf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195018.191134 CdGkzc4fIBRo0721v 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195078.186092 C1ejhC4SXsZ4pEdOd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195138.181047 CisPKv3PhjrFFhZbq7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195198.277505 CCgIHR2Vna1ZW9BPjd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195258.191452 CWqViP2k4EKfYWy7Y1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195318.276192 CBr8Cp4juBTcRQZAA4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195378.246741 CWMTYT1vZEQXErCXY7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195438.187041 C9Mb033HGlhETKxUbj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195498.328394 CGwfOa4GYyzNItzc9j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195558.260878 C4C8Lr4DOGUTRZPAW8 128.3.140.132 2035 194.140.136.34 80 tcp - 
- - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195618.192392 CfQutTEgs3g8sUrsa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195678.183445 CKvlqe4bTVu5HNGrb1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195738.336498 C04EG53Yaw6dgjGT3k 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195798.190914 CdzNo91LLZlfe0pmT8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195858.193703 Cb2Rv3Wek35VDwxDk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195918.289198 CsLUyBLEs5x3GKtgk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195978.194311 CF00uX66iWHtiV1q1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196038.286860 CkVqlMyWLZSpdNcPa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196098.237900 C6Frs83UqNszgcqN15 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196158.192843 CQCAYJ2zCov16vZwf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196218.198534 Cil9Tc1rwfQS9uqdsb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196278.201302 CgHhMv2Ww0Y4oQNtd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196338.294847 CFTS591Wnlb7gnrpP7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196398.194157 CoVJDI3K3qTiTnPoV9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196458.194955 ChHNpz2Xf9xMo2lnC4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196518.242601 Ch5tsG3OlOd7l83JFc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196578.363462 C3AXaL2up5k3PR4VW4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - 
- +826196638.194463 C2qZRm2yQg9RoQNkVg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196698.220656 C6tA8aOk3QI9oIaHl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196758.207790 CggxJkLPcdPyKjfma 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196818.238833 CI5pddk2aeicnmmoj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196878.202555 CKpb612OxJundLAeRf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196938.212156 CcwXC81REVUrKprLz 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196998.239313 C5OBjqCVHlPAjKQXi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197058.200122 Cb7w0T1dHZUPXzdgRi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197118.310249 Cuhrwt2ypWdmhxNcjb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197178.309093 CJmTVn4YcEf19Wo137 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197238.207420 COvnS21VmREmS5Xzuf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197298.208237 CpKJJiDUPEBNMGSC 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197358.217839 C5II0Z3yZFhDzHSKrl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197418.275266 CQ7b0y4Vd4NVQ3nJRi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197478.334646 C68HZHafWQbOYWkYi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197538.212478 CX9xXW3s3cSCaIB9a2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197598.225962 CUTgljebkkh2Ydhzi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197658.309739 
CsnMLaDyNeIqxq6i2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197718.241266 CuIjKg2hEOBmXsIvx4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197778.378715 C1alUz23K74AR4WZUc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197838.344394 C9ywcdnOP5TLfD97e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197898.249569 C7aJ8S1bYoBzPdxRDb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197958.398725 CTISqXQMVxGJCVG2i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198018.215078 CjsoT83JnYI2Be2f8j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198078.218834 CohWkh4QvZcB1WXOVe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198138.216728 CL7JR54e4lOc3aUAph 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198198.217548 CS9xQJ3Jly032E9jC2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198258.267159 CPOg0SZxpoHbNzpG5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198318.222088 CgYh1L1mwsOxSqVBu9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198378.269737 CPEPje2CwXXxGGPo27 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198438.216854 CIWOQa2vaf6TxyZ2Jg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198498.219601 CqyxRG6TRKYW41Zz5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198558.233108 C3HR3r12iwKiqXa9c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198618.222208 C823dt2fd3qQ26XyU 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198678.234721 CalQkN3MoYim6AEEe4 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198738.223849 CzZuKd2XEy2jlcWqT6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198798.377868 CVgpXQ1plHZSjZoGq9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198858.273279 CPnPwW1vseaFvOVKZc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198918.231128 Cr5ot64fYu8c0wBtik 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198978.225059 CceZRf3q969iOibom4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199038.226843 Cfv1oI1ypkphPOMD7g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199098.229611 CkgPZ03tcwpxYjnOSc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199158.229450 CeYlkM3WxZVUmujyB9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199218.227329 C8yjkq23bmUk9MkLf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199278.340384 CevQX3116xo72LIoK9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199338.231893 ChN5cQ1faCW2xBl8Ki 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199398.231727 CjTrQkID6Z2SNK3ha 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199818.339795 CA4o9G1CB2Af4WWhCf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199878.341563 Cf8FAq4I77xaBMSVT9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199938.340438 CPjxvb4XleEtywR72 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199998.238772 C7XVqL2qUJ1enNZYag 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200058.240561 CjqWgiHlaYFi9YImg 128.3.140.132 2035 194.140.136.34 80 tcp - - 
- - RSTOS0 - - 0 R 1 40 0 0 - - - +826200118.239417 C1uJul2gbxeDRNFura 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200178.241203 CbIFhV2t1dFcA47mxb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200238.243969 CAy1xs4SqOffMYYoi6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200298.255520 C3sUxYJbMLLrlkY2l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200358.245608 Cz7T4t4CVp8k2htbIk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200418.241558 Cqn0E64YUKHGEJtXE9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200478.379987 CwkPvf43XtOGn09xUb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200538.687256 CQKymemsGWxk8qNhi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200598.867643 C4DpKm2ihMjo33xAK9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200658.261374 Cx1J5T2RlUHdnWX4P7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200718.287570 Cq5Tn24Flxl5ykcPB4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200778.408439 CBMc5Bq8xeq3TqHyl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200838.424863 CwalhH1EmkTCp6Z5oj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200898.441277 CoBPIr1bmfwOHYS8k7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200958.658763 CauDdy1kS45qWx7Jaf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201018.254540 CeivHI16nJNE1XoDn8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201078.268039 Cwks1t1XCX1VVKWlui 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - 
- - +826201138.255207 COzc1t4726TvteJAq9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201198.275551 CySyNg2Q7X5Wig9qXc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201258.252935 CdHHGD21PDk8qHCNZi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201318.289854 CytmUVLD1AW7Bjdda 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201378.426313 CyAz9V2XDShWvc9X85 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201438.335369 C9mSwv1EoAGeQwdxia 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201498.320561 CSqd0W3t872JJDPQR7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201558.320384 CBdUFS64H8SD3CRc7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201618.267492 CXmENaHXj6AAZ6z67 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201678.371750 CHxNzE4i1HGC9aNQb8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201738.266200 CCOssQ1lVW9L4luov7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201798.263102 CH4Zqaz7LIoXnVdx6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201858.260975 CmYN6N1hsT2MgdKQo9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201918.266689 CkH9U915OzOOjvkSJi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201978.271412 CCwJVWbbaSCkRe2K9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202038.344449 CRGnRy2aYiKuVFnIG 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202098.825455 C3JRhD4EKTLL9ETgB6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202158.956074 
CTy7qulV8eG6LkeUd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202218.304913 CUN1fq1Nh9yg0qjEZk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202278.282291 Cy1IPuLzKTRb2fGF8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202338.312374 C2sbOw4qh4NrDdHRH2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202398.465444 CsTLYp3UVyKHvvF8jl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202458.270082 COJL3m2IFflzZ1Cvdk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202518.370443 CAR8U13yNQoRQJZLcd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202578.275607 CYXkGL3OwfyucBURVl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202638.285208 CfyyuF35s6IHIKaPy1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202698.272334 C6lrWz3udBitB6moKf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202758.277055 CJBk991FDSqc8wRBK1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202818.279800 CeoHSa1uBAQlDI3FEe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202878.415282 CnB5fj2ShUFnGngqf8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202938.279472 C850go2IsfiAcSGCfc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202998.275417 CRM6Kv2JvySZyj1qrl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203058.292814 ChDijs42aziwiDYP4c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203118.283859 CiZMlr41UYw4zUSiH7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203178.277842 Car6PO34Q2yGqFhtw8 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203238.279637 CwUICHbZAZuWABr9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203298.293148 CLvoof1o65FluhXQI6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203358.339838 C45NxP1qI6S5UMi6Ta 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203418.287944 C73cNq1ss4gZpfV8Jj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203478.446865 CWnddL27sIwroPwU4h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203538.287610 CwP7As3BK8V5lwj7D8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203598.284519 CaEkUY1AI0qcJSl8Cd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203658.453200 CBkOwg2KK7rXFXUTmd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203718.292998 C0u03i3hv4B4fSd7zg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203778.296740 CITjhO2n7PZKsy3Mw4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203838.288761 Ci0XPI2JfTjInNGHJ7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203898.288604 CvRIiA3mohju9nTku6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203958.306005 CUAWQS1YtxjDhtxxte 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204018.302916 Cgcc4N2eKsv3m3nA87 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204078.295923 CWT4zv7sNwj1cnBeb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204138.292825 CylDMs45x5z5lRx9se 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204198.293633 CT4t8k1zeBe7ZRUBg5 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204258.303229 CQHUiY2AW9ZT2iB0x8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204318.297196 CZvB3g1drtq6h6KP8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204378.332142 CBeoy737B8VrP0iSS6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204438.374915 Cs4vHa2laJaNpjym2a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204498.296670 CYwHEGkAUO1v9YGk8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204558.295509 CzcPSa4HIZVpmSAZQ1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204618.307043 CmVWUQ1Zj8v9tk8Tn9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204678.296142 Cyyy781JVg92X5mDUc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204738.304744 CMU7t24bL4QMZtMO2l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204798.310410 Czv7tI2Aq1yfgdryG 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204858.301417 CR7XxA2W5vLwE5KTs 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204918.303191 CmDpIN2aFGjiOMOJWe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204978.324493 C5p9eh4XiSATtqsZi5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205038.300903 CVLeLf3d954JlCj5Ch 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205098.305623 CUeKfb4nbjydJsNdId 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205158.322052 Cekrs3zkM6eSou1mg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205218.303340 CUVPVWOtpPH13Hfck 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 - - - +826205278.385157 CfhuF84Ji7AdXxsAA6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205338.307892 CgfSWCkLmMlaKMWUl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205398.364345 CRYwli4VJ5IlPTDWIl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205458.311479 CguHTc3ErOLWFoQyBa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205518.310351 CpDj0c1fnKaDIGyqma 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205578.312118 CF5tR03Af5y0DJD2he 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205638.310976 CbaJQC9l9K3ELB1u1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205698.312761 C9xsW63PP2wB8hiDUk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205758.334077 CzWoyC1HE4FO1zdT3a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205818.418825 CyVhox28QHRlYRbY9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205878.319114 C57jQA4eBlGbOkJ0xc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205938.317005 CimLTH3Vi2F5nxs6Bf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205998.320749 COlS4I3p8lZG3vxBag 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206058.316670 Ch4OGK13MCwxE2a1O9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206178.372932 CzTeK32euJBRHTY2z5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206238.321042 CA1qPq3zXlCZGMTF3d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206298.327724 ClzajT3YA0FYcHeIsi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826206358.322675 CoW1ycpevZQjU9uK 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206418.433774 C4mAqd3q1os6WQrFGi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206478.335035 CoLfC03bP9cbW0s7Cb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206538.446151 CDZen84XixQL22chD7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206598.357171 CEUdRVRpBWnzWSuJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206658.324795 COUblG2yCsr6J0Z8k3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206718.330487 CtAsd2ykOOaUv0sel 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206778.331300 C8iXoIHQrMuYvFD7d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206838.371150 CEZ4zB1w0bcdFufPv5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206898.501767 CHwfwB4tWYNdiXgqj9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206958.338610 CpXYCp3HhrY4ziK5w6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207018.353094 Cu3mx7WQp10fiKvVd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207078.357820 CJK73d2tv5bceelJs1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207138.439665 CiBJbd1e77zhCc8o92 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207198.330243 CrDDne3jAfXkyEZLZh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207258.399375 CrtbM81EwribjjBbs6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207318.339670 CinzyU2OZ3RzfO3iQb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207378.337548 
CdMDAn1K65PDClegO2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207438.341279 CL72Eb6pZzrrF1MPc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207498.337215 CTH9yVeqRZ7hCysmc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207558.342907 C7dQb6wN8PS99nDpc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207618.357377 C7zVw01Vz6Gp5SUxgl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207678.467498 ChrOVe26x8jzyNa2uf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207738.447804 CNSAUE2BML8biNfBQ 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207798.341241 CNJ4Xn4VtXlynW3J3a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207858.349856 ChGNUG3biEoPUuqOa6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207918.418989 CXw2CyoyLEXO1cDi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207978.339771 CjvpgV6kqW0852q3f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208038.347415 CxUw172WrEAdzXMRL7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208098.425324 CeRlLB2HA8cgJm1oe9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208158.352927 CkQkiC4YuLauG6WZEa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208218.344948 CfgLCv4QFww6gvQ87j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208278.344772 C8jLEg3BRmkSv2OTHd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208338.350459 CGCF331JLuHl54L5rd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208398.352240 CWBzQU3jlmCFJxIvW7 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208458.448653 CuQnVY1S26nokuHtw9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208518.346965 CDLpxA3tPGVgwxSem 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208578.371204 CqWOXg3fwJ6pVRPP41 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208638.382748 CH9f4S31R76ubzMqXl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208698.354276 C7NKKJ363Po1sp1G76 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208758.393143 Coa3vE2Wqxw7XtPyaf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208818.351978 CPbwgd4HAWmMrjHmBl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208878.364498 Cg3va11ZQR3RERyK2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208938.434595 CX1G5j2XAjJVbgRRYg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208998.354384 C1BbhC2e0BR83RHPhe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209058.435227 CBMwL219aumFxhrnzd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209118.356985 Ce8sjQ1yXYbarn3Mv 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209178.536399 C78sjv46n0JEJJ9Ixa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209238.366407 C2z8sX3Zt54zcv7nHb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209298.357460 CrmZ753z4MFkzJPjfk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209358.367044 CmZgh34NMetxae8Pm8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209418.459570 CtsyPdY3mkmf7kLb4 128.3.140.132 2035 194.140.136.34 80 tcp - - 
- - RSTOS0 - - 0 R 1 40 0 0 - - - +826209478.362786 Ct0FdeHeoqV11oqi3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209538.816451 CHpfPUBDLI48ElQX6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209598.447358 C6QeBz4zMAkwfJKzp8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209658.373018 CvZvjb1h22zExFA9Z5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209718.371878 CQnxI03CHdqwafO4o2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209778.369758 CV85Bg1jB95m3NCt2b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209838.378365 Cpa0UQ2794FcjpykQh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209898.371356 C9U9nP2cjbHpr2TZZc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209958.412180 CIkXHw1k27sxdK1IL3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210018.593545 C6sQTZ3batj1lRDpFf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210078.395223 CrLzH72bC4Py0O0Pw9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210138.522899 CwByX11akVrJXiAL89 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210198.386118 CMrmZC4fwKKms3eVfe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210258.375204 CIMbgg4rrK1rYO007 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210318.372116 Cl92e44KbzduaHbhyg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210378.373906 C5yYvFfVOJPVQqJWb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210438.392281 CaIW4B1CNbhrY3Z9P5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - 
- +826210498.466302 CuFyuJ3RcaoYD2YSlb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210558.373412 CkeuvB3U6Z48hwsmd7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210618.381066 CmZ5913VmiwYcCMsV9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210678.444343 C4iWMr1o5OhwPrp8sc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210738.786745 CeVw7f1PrVOGyux7f8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210798.378604 Cv7Ojs44cHurW5mca 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210858.393065 CG1IZO2kmbIytfrjF 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210918.388978 CFo4ijFpPMOaVkxyc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210978.524464 C6aRsb3UekWRpglS77 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211038.380818 CFOKe2YkWP7etA8pi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211098.456790 C37mAJ2U5Kisle0Qgl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211158.595216 Cgjcpf4p7v2QzNmLSf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211218.386167 CH7oxC2LFgxSRkfdi8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211278.396726 CaQ3deHsj3TrWL6J 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211338.568337 CHfOyV1EmktPdJYs1c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211398.491118 CAP1W92itot6anqOh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211458.395342 C42zWs36ET4H6JkMAf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211518.504492 
ChCctc1RXXIqfN02T2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211578.416483 CMIGG63blVyQrgtKZc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211638.390960 Cm5hUStLXU9qmc9oi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211698.525482 CST4021EoQxELJXa23 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211758.535067 CEUV1F4e4X7KZmIQjg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211818.464624 CMXu7r17v95iIWljHb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211880.427357 Cf2iT43rdptpnlRFaf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211938.496475 CKee4U3Z4oY4yRz57c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211998.412364 CyyAsI1bENRZJHsPxi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212058.558577 CFfE5G2444nCYFZKB2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212118.608187 C3qdoZ1n9Z9JKjUDzg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212178.505544 C8F0wsJvnG24pWYob 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212238.398986 CeHfJV2oKMDd0Y5Q7i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212298.417363 CnDV6B3aFu2Rig5pDc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212358.419147 CAYs6PGpPpvE5HD45 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212418.567316 CnYoeO12NNlpv8vJw5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212478.954585 C7qhx8MH4aXtRLCz5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212538.490773 CmqlEJhGZCyPSVeVg 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212598.433975 C30S013blQYUkUFuKb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212658.488438 CfUaZj2hvTwscPvXpa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212718.422866 CI8nPFXkU5AYE84Ei 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212778.479312 CtnR3q3r0iCKvV7N7b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212838.407898 CKjWKd4Mq2FDzB7lNa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212898.595122 CsmwQW1n5WCKtRZWOa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213138.524203 CisUSAKIZdFFX8lWh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213318.422154 CeyYdH2Qfmpzbjsr2h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213378.462951 C0i55oDRpoYXbScq 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213438.435434 Cog8rV2Ws6Hv7UCGta 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213498.448913 CW524A4Jvs7LV4nSi2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213558.431157 CZImj8vHpyMzhT9Xh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213618.429994 CZ7qJ91KzEqUNJwu96 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213678.421046 Cz0TOI3Oz84uu7WmSc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213738.417958 CpkFh021CJKOiZXyPg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213798.461704 Cggyq72pcsVl1twmKc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213858.459578 CkjjDD4mVrHaOHrTpb 128.3.140.132 2035 194.140.136.34 80 tcp - - - 
- RSTOS0 - - 0 R 1 40 0 0 - - - +826213918.542352 Cl2Pp43hVt8yeVkbI9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213978.451395 CXahDdeDuBzEqAb1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214038.428786 CTecLV1manIXTrjAIe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214098.423739 CsLyVu1YU7im0wl04e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214158.438205 CLYYbS2z9Ou3vNkkZb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214218.450701 Cpj9DeO0yZuq6Ute 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214278.423204 Cc8BePGbhxSxkHHjf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214338.476713 CwYtAfMvzk9Fod7cb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214398.556580 CUfWl31hYnv6Wwvt1j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214458.448105 C89fm75JmUuUqVjL2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214518.471366 CR8db31SCvKcWQu7se 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214578.803035 CZ5SE92qMLKBRvXPTg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214638.471966 CextRf3AOZqeA1XkZk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214698.459073 CTPOjD2rPLS9mqWtI6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214758.622869 Cx2fdd4vASV4hGNamk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214818.450923 CxO4Hl2za3S1dI7BF1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214878.554209 CbTCX64fnBOz5Rnss5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826214938.443726 C7fmrSMRs5eEbiXEj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214998.442581 Cfoam51KJQvseaC6O4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215058.447292 C1Cfql1xwhiHqaEiGk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215118.470537 CcKAdX2Q0thi02ReMe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215178.443043 CR4uj7veM5o7mhLT2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215238.472167 CM36EW1l3dYeFyEps8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215298.434914 C6RIBPCLUqy7QrkG7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215358.444512 Czd0jk2Saz3xxLJsU3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215418.593672 C6IvVK1opBeZQ7AQ7a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215478.442217 CUDpIg3BIilKU95Loh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215538.446917 CYSUaV17LYTkbrEVpa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215598.440880 CnSEAH1VZnpGoxnDPb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215658.447537 CNJWdr1axp5uTe7O79 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215718.497136 Cd0PwY1sOnxvxlpOUd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215778.541854 C3plZ01VSnQwnkq1Ce 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215838.718352 CF0xAHahJVVCD5Fi4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215898.652795 CTPJGE4d84dfLkqXCb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215958.455473 
CVuUh142e1YgH4Ofll 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216018.446512 CLMQOF35kFy3YN5Xx8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216078.459038 CuMT6LYNk1J990vRk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216138.454975 C1Almd46wwAwBRkkE5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216198.451877 Cx2o7z1ve2pwRELwm2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216258.478050 C7ORHD2Ge1bznHOYxb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216318.508142 C1hBHK2Ako3EciFj8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216378.615328 CAKOnF2dhpD2lIpMW5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216438.513650 CsVB753IMy3ksnCXJc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216498.455902 CnPxgy4t7wZRlJlXic 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216558.506493 CUgy2o3FvSC7r4Z9ya 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216618.627343 Cxd0L53LzmLx1GQL3i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216678.455377 CdERFK2TuqeY6bOLIk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216738.463003 C7gYx43YuJLYHaolL 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216798.484306 CQ02Hh28fM99vbB7t8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216858.464603 CZ6vmo2iQaPNxh2Cp5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216918.457605 CkOZDv22AxQ2YWa9d9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216978.463284 C913kM1HJAW0Z0QCWc 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217038.656359 CKgKAx20fbelsVSjj3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217098.472702 CRhBnt2F6fTBWyjylj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217158.458863 Css94F2wp6eqs3AG2g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217218.685135 C5Iwq42ShwCJuekrR8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217278.460500 CiThk046sKXUN21yT7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217338.809744 CIKTEw1hGfX8fLggpl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217398.468952 Cuqf1SXU2lRMru8ab 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217458.473659 CViQRu2F6CP81AHxN7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217518.644301 ClxNef4rXFifWlnVe5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217578.554358 Ce9ZL977eCsGAEVwh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217638.574699 CcsJ6S3KeIOnq32dUf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217698.468159 CNeOYwF6hHL1iYy7a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217758.628043 CtIalz3JApUL6lBk5c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217818.476557 CiGbMU1lOEKc8ZcnJ5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217878.468586 CZ7cfF1ZmnbEKFCL86 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217938.582596 CtwugB8dqTukJE53l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217998.477002 CzuDds1p0W3c1OxtQa 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218058.883849 C8icM720Rm3KFNSaO3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218118.482549 CBqI3A3aZ9wbTqAHKc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218178.482392 CDI2sycOSZMfUwDej 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218238.474417 CdPmeZ2wefP1W2pDaf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218298.507434 Ctqz3r2Q6Hhh45ynBb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218358.560950 CZ3VMr9TGKr4pDG49 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218418.478818 C9L1P41WGLblqJ5lX9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218478.483546 CjpsNzwm6pkRPysTl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218538.483389 CXKlOW2OXCLUH0tag2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218598.558389 CaX41W2rQe7myStGic 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218658.787580 CwL1AP20TmhyPubBzi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218718.583409 CGsgYT2M54ThS9dD1i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218778.619355 Ct7NPa2Gjw99Ds55Fa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218838.509870 CmYrUP1Jii5rRzA2N4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218898.485297 CfAQDb3ztIZ9Esdhnb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218958.502698 C6gNhw2NFYJKnnBJAb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219018.634278 CLrESm1lxkihbOfujc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 - - - +826219078.491595 CGxlGu1ohd5JBhXb3l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219138.488486 CTCzwn49MMq762o5wl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219198.592761 CLvYvUL9THPcxwH09 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219258.492052 CordDM2ka874SoTG4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219318.490911 C6SzT4NIAosKk51Ne 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219378.959227 CzpRvg1ZARpYbvKZLd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219438.545233 CRJfqUBQrh1OECRKh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219498.525544 CUD9vt2xm6AFEFb9te 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219558.500988 CGTvIE10hTfMDqvRg8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219618.532072 C1USEM2mkGmssUQFnc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219678.555324 CuwWUn1WWhrDuebDLg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219738.527822 Cn0jH9tRvniY1wOdi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219798.597931 C3JTJw4PGH9c3y1zOk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219858.854441 CpvOTy47aAhFPLLhy2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219918.507732 CBZ93D1F4V32UnHVuc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219978.497853 CU5NwdnJySKzDO6Ia 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220038.515262 CxseO02jluUsidcJ62 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826220098.578550 CUxHC03hhHZPPZPPd7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220158.735531 C4F8Mc19wr3znjj7ec 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220218.628969 CCa0k62q3tTbsgMjD6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220278.712744 CgPOxw4ZcDNtb4qUGb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220338.505674 Cr2WN61qD7lqnpZNrd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220398.664581 CmcxqC1uCPLsuEWiwh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220458.510190 CAYq3UzQvLCe76Zc3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220518.507097 CyO8GYetxJ83COadh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220578.526459 Cn4Im3oIZPuXCwbBl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220638.618046 CGvCUk133LGTDCu1j1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220698.513457 CpXlZE1JfmFmO9ezNe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220758.537687 CereAezpP5CfTQdme 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220818.575589 C8ldQR1zcqOsEUFCO8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220878.554922 CvZeCEJYay1Ly86ce 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220938.527428 CTUAHv3hD1FX8aHrlc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220998.547748 C4Badl1Yn0KV5EiZI4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221058.528063 CZTcLz2NmHcn4ZD5cc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221118.541565 
C6VgL03HYoBgYkYcwe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221178.570688 CBekaf1GPCZTu5hfEb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221238.529546 CorcCoU4w4ta7bXdb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221298.524518 CIBpBT20L8Wr5vMz6e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221358.579005 CiFKHS3FlSxbhZirR8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221418.523209 CyeHfv5JsaGfR6Q9h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221478.515248 CiCUSr4CVHoG6yVoce 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221538.650743 C4gVAPgEpkdEDZxR8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221598.545164 CpkdiS3JOJCsLKSJh5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221658.673828 CF9ZRQ3YWkwyOaZtZ3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221718.527284 CVtLls2idlUP7gvVfa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221778.630584 C0iDve2iVKhr0DZq4j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221838.526966 CEpMvc44Y9buZQW9R 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221898.545333 CSznMg1xj0hV5nntTd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221958.534428 CRMyfvgvdHPOGXlY5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222018.583071 CKVSkGTNGUHtVkSih 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222078.557534 CPSiwK2DMpE2jH6Vyh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222138.536850 Coz5244kxG3F2Uwsp1 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222198.593281 C4ZIj1N89EJ4eXGG 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222258.593131 CQnl3dyMoPF8TrJKb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222318.816482 CBEXHD3r3x6EhHlQak 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222378.818261 C4qlRm371SZUAlFHTe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222438.632643 COUK6C40KLFuCC2Bnj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222498.589524 C5aYAD4Cn2Ubc3Lhgc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222558.568852 CHBOAd3sRJs4TZG5rk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222618.564786 C1KXFY1d00OW56NOug 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222678.624152 CaqiRv1kssCwKFiAEi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222738.578089 C2ImrtGJ5Was24kO5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222798.596391 CkIEMY2v5zXcCRAK06 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222858.573723 C9nK7T2OW1zdBcXRr 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222918.646725 CyNYn63xqRCtJ0Swci 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222978.538235 CuxhD94HGUTuDMCPeh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223038.987043 CztBgE4sLwXhmXQ1V7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223098.542807 CtBp2AhjFqcG9qhq5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223158.613896 CIVadw3MmsEwKSXoRc 128.3.140.132 2035 194.140.136.34 80 tcp - - - 
- RSTOS0 - - 0 R 1 40 0 0 - - - +826223218.551280 CsJlJw3gPwZPfiVGdf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223278.578458 CXe01x1FHRzA4kaake 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223338.920871 CY25m12Au0LbTQ7ajh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223398.710865 Cz9mVbJ3mLhtk3Vda 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223458.611153 CBGwJBRTFD8aLOKJc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223519.399189 CkSzRz17ol01kBjlNf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223578.634244 CZLdPO2kd9vZKOmwTh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223638.568696 CEmAHt4Xvq0HLd9W82 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223698.552911 C3838x22eO0vcv6Mgb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223758.619132 CpltvGXeH3DLAPPT4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223818.616998 C3Z4pJiqtIGHawj0g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223878.588534 ChL9vB4VvykErujpb4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223938.560053 Ca5orO1gBdPoGkIAGe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223998.553003 CcwdAP1q3qj9kGbD64 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224058.654340 CGoZfnZAUfEApqP12 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224118.580976 CULfbN3hEwMuuClQlj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224178.669638 C5CCVa2TESFWWp4h2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826224238.648991 CbEhxC3seucNFjJzl7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224298.566850 CNkqdY1uFJUpLHcIfd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224358.578406 CJ5lKt1FBnPOLExVJi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224418.601677 C7tQLt4nj8nmymJNBb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224478.615185 CNndLX2qcoBO1T5h3i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224538.557437 Cl6URq30CgLqZmHbdl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224598.601200 CQrWXaeiNsamnLxJe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224658.584449 CUUubM1kNFUIoAtRDi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224718.714092 Cdm9Cl2oExwyIrTygf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224778.590942 CnKdXm4Tf4ML9ukOYh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227058.642220 C66i3N2Qa1eqAyN8N8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227118.588374 CoXkaI3nBcggoQSFO3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227179.008863 CRJy7L2YDZXsYxDhC3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227238.597804 Cl2pecmmIw1GjkVJb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227298.642536 CHWRw82poLxopSRDzg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227358.735113 CnflkX1d2USQ4QeAK8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227418.698844 C16ibw2KpRbXYrd0Yl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227478.606937 
CFiVSW1o9EVx5N4Jb6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227538.632140 CbGXIX2xTZKRuIZwCj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227598.843766 CCvExA2GM22zrnZkZi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227658.607429 CV5jTHZXiRRacOOud 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227778.631493 ClpAsC4U0tWM3Z6Gz1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227838.700623 CGToTMGh5q3VrJjni 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227898.735615 CfEaWC21ew1UaBmeLa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227958.728618 CoNHfb4cDZSJh2h1l2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228018.837749 CAu0Oo4x3iftOu5dF4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228078.611153 CoysEl2JglWGPKCEF8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228138.664679 CfPVQm1k7F6Fd9dXi8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228198.822629 CXEAGK24uAf1EMpLV4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228258.998144 Cga10I1NjMZq5YSNWd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228378.685506 CABy0s1rpWlZ6X6tW5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228438.978170 CFIQPc4ShJClVxKPr4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228498.661770 CIYmfgVlNE7B6N4ec 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228558.651863 Ctu1Eu1GyUwEttbbRb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228618.701470 CUBLiE4H0lDoOyqIr3 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228678.650545 CdoKkT2Ke5De7MWN6l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228738.665995 CkibYw4PuXuckQflIh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228798.694152 C9HQs14k8DJZQaqRmd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228858.666644 Ct2bcYZHIODrba6hg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228918.714285 CgUlJjlqbB9Kzozkj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228979.077767 CI6Avt2cWWdmpsQnb9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229038.727630 CUn1iH2S48i4Heqnzh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229098.860212 C7CXmL3ysk9qbtIpVl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229160.016217 C1Zh983vVGDE8rpT2b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229218.786701 CwhQVj4Sr6YxoNBRek 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229278.847042 CC1mwWtpL7QIsnIu 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229338.642872 CqQ3mZ3WK7Dpj8ebI1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229458.657132 Cuoe3c3Hv3XA5H3auc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229518.649148 CNm68aOVy0Yxl7tHg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229578.759279 CecHQz1SmJzVmrjLc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229638.661509 C7FoyE15oylgO2D0vh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229698.619359 CdjqSs1yLtNe7Xiylk 128.3.140.132 2035 194.140.136.34 
80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229758.681659 CaQnjV3UHc2hg5HvJ9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229818.639541 CPqeCK3u65w4FShPC2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229878.937049 CJIWFo1ifuQFC3myBb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229938.677242 CpIBX42j0JTDLqNky9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229998.670222 CrDPHt2myMadMHRtGj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230058.696392 ChUf2j8A2cckuCB9c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230118.687435 CodUX14FayPV287Dka 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230178.687273 CpYISz2x0t1IB0QTDf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230238.666614 C9aPOm1XvemsGRM5n2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230298.675238 CwA7AO3h7M0tClfk14 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230358.663380 C5OuLn1RyWY1Cbhc24 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230418.669078 CTrEfQ2OTZ6XwuqzF6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230478.769466 CB7oN32GMSHJRH46Q9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230538.701949 Cts2Bw3UyYSC8eJbw5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230598.701785 COVKbVuLViTpKix0i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230658.684023 CtcBaG9xFLC4GY3f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230718.697517 CEukfh1EN6VBqvS5V5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 
40 0 0 - - - +826230778.669049 CwK86z3GfLlLdBtjf7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230838.655236 CgKGYB4pW3vOfMBV 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230898.676545 CMn4xD3x1CpYubrX2f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230958.677362 CY9Su7UUQHd3QxCU7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231018.675249 ChWyT7DaScEmURW7i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231078.648723 CHCWma4mS3ppsLP48e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231138.705163 CLDNHl1Z4OK0sDBoif 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231198.675715 CM2JMA3ZfXFcSbIVb1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231258.652131 CLe3ci30E20BAchq3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231318.682228 CfgmfA4jTr8Y6eLJHg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231378.688895 CW4Csw229iMW5e0Rlk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231438.682849 CeoYqm4Iisj3ozpq92 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231498.666083 Cbr3ZX2RpOAHKjmCff 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231558.651282 COwrPBGIpzPLJeW68 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231618.668673 CNsMUUGQHroPHA8Ci 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231678.701684 C426X13okmzS5nezed 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231738.666386 Ctvhwu1lrpdV6DZdwb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231798.665239 
C6b9XS2XeGtwYY87xk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231858.658224 CYCYdh13mKTqx1ydmg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231918.705874 CzzvQk2VG9RA5JUFa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231978.670582 C3qPT62UwGnCqVIHe3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232038.659686 CsBdJ51j1nLK3tl2F3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232098.654639 CGF4CK3UKYLwIPRwyl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232158.749160 CS9Igm4X2rCHxh8EI2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232218.694336 CZVWmQN2v8aUbBLrl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232278.658067 CiWSbfVPxd3DU1Tkl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232338.689134 CN8vYE2x91ejKzzsD1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232398.689943 CWfGo22Wn4dNhEMG06 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232458.685863 CQwX581RWAcdloUaCl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232518.661313 CcHqZF4mAmTipPOItj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232578.668970 CDbHurHHYzQh16a75 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232638.677580 CeOJdl3twOYDJJ71De 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232698.834546 CB2C6x1g0GQKuoDeTj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232758.673342 CrynIf4rhiaSYubZmk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232818.695626 Cgpa8U1xzUsAFVfqac 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232878.693516 CLSa0ZadTj6WeeEu5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232938.676758 CnxPqm1SEHF2WwWUG4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232998.696103 CXhpq14dW9SZTBfHJ4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233058.672523 CCgTLd2teo52h0Wstf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233118.673347 CeFdYqfRlkaD4rak9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233178.684889 C9mchV3W5GidlSM84 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233238.710110 CMErzU3stNQPLKaMU9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233298.683598 C0I0Rx1ymjsyaZC0jh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233358.812265 CiKVFD1jyEZMI1gXIb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233418.818938 Cdnacw1CFnnqrlU3O4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233478.726052 CPStWmXe4km0Cl0ol 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233538.712213 CJRkQA3jOwlmlfcqU1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233598.675928 CeEFRd4qMWwv0Jh8k7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233658.821184 CQ9bIuaEcQxsRROo5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233718.692187 C284OX195pTFFffz36 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233778.695922 CNGTy6cxx7ybLF9W9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233838.705511 C7q4oH2DTPedalIPWe 128.3.140.132 2035 194.140.136.34 
80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233898.768793 ChBuyc19gI9J1KGmY 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233958.691530 CqDFty3SRyrnf90hfi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234018.686472 Cggwuf3G2K5ZN4oakd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234078.765344 CM7VSScmo8RxJVRq4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234138.676343 CouMIolaAAuU3uBsl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234198.788417 CEAWkJ28DI9nEKRfOj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234258.724814 CLYTyf2HBOn3UVjHO1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234318.692441 CO6Ebe3kdaK8oiVzs 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234378.781109 CGTZtF4cqefNQf85xi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234438.715539 Ch03izqlxvJxYGLH2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234498.765130 C9I5rZ3zk42R1XANoc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234558.756185 CaU2kGXngY73q9ukb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234618.754067 CTm5e81lzI1LnBExS 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234678.682658 CxmPyngR6MzIa1Eh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234738.705925 CbFrYB4DZH8tDkL0Y 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234798.711622 CMXdX44qcXXU2h79Z3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234858.698771 CEFFYl4SiGIgQVBwlj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 
0 - - - +826234918.694710 Ch7jT14FYeXA4zibfh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234978.883896 CJGat7FcGiecvRUsg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235038.712921 CNatvs4kRF4PKwSQa6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235098.696154 C2NBCp3jV77cmR5Zt8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235158.697939 C6WtsQczYdAqti8rf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235218.836370 CUhe5I3aTm7jZot2n3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235338.920938 CNFZJ71R8kIIoPNIk5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235398.737276 CcUcWO2v7gHgNp7Q62 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235458.732217 Cb3KX21dAVvTruW5u5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235518.757406 Ck2Rvb2bOsJDxQIHh2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235578.831421 CDI95K1GQpHhlE1WO3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235638.732696 CkQ1G62jdm35jCXtlh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235698.778410 CPVwfY3kLDmu8VeKdi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235758.710891 CXOtEWMw2dl3XsTGj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235818.701921 C96Nem3M5LAE4wmxq8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235878.700775 Ch4s3N255T98eOAbg7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235939.808964 CRfKrw2WpPG0f6YNab 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235998.908367 
CkvEuA3A1e1PDP6u9l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236058.833061 CJGA6LrfAhefNKwZg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236118.756764 CxAT1S1sipPu2RSOK5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236178.750737 CR9GIt1uVcCEzQmX0d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236238.758377 CG0N5A4T0LUzvnAdr9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236298.718200 CfXYNY2Gtu2mOvJMAb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236358.744379 CqUr0V2Ejojsue0UB2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236418.820342 CvrWt84lulkHNvYqk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236478.762593 CGb1NjWtOcccF7wwj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236538.720468 CilF4d1b6woayAE906 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236598.720300 C8j5rU2S8wOqxY7Xzf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236658.811881 CuUrLB3Xprhr47zsPg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236718.736563 CpIcgv424hVeESIlv2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236778.761764 CgVp8E3o8WDS25ZEah 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236838.741101 CaN1s3SLGBQ4aYcp4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236898.722394 CLIxGjgqmKhRAW0A6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236958.714419 CBcpca4v5bAbAgFPnk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237018.722085 Cx0S392Jm2GGs57Vqh 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237078.810745 C0rM4y1xCN8gaJlx65 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237139.031717 CWTYeZLvhVCqQ0Oii 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237258.752607 CHdNJ23h8TGauylVzi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237318.847110 CmlD1G1PBWF7V3AqC4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237378.904555 CxD8fj1FHwuZnvlIDj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237438.753128 CpXPjc2FWuGLYIHrq7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237498.727592 CXStoPw0l608HE7Wa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237558.949964 CppWZ13XXmGNWo1sa5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237618.841486 CsOsbJtpfytT4Zwmk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237978.730259 CAp5VrBkO3ZBZDw7d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238038.726230 CdArbn3VkPQ2LQ6IZk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238098.730892 CFQWWm3dCGqvIQuOIf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238158.744403 Cuf8Te1rhfkUe3Ps39 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238218.757871 CXQYhQ1U3eH1eCHbO1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238278.772353 CLd7E94pRH1IAYvYYe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238338.739988 CXSjf889bs6zGkd1l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238398.789594 CmudKn4wcczZ81CgS 128.3.140.132 2035 194.140.136.34 80 tcp - - - 
- RSTOS0 - - 0 R 1 40 0 0 - - - +826238458.816759 C7cysk1k80rr0XAVGc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238518.761940 CeAngf2WowKEx9bxt4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238578.781285 COlxFa21bPstCyqFbj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238638.756717 CFLsus24dYUFU43gT4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238698.789742 COPxfr3aAGe1RkBpY5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239058.742858 CkChJz10kLSqA8jzMh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239118.817844 CZLWOymP9apVN0cS1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239178.749343 ClpiTi38HDCVH757G8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239238.770674 Cc6Ywj2npKqeQWf0Xj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239298.761685 CURyWM3JQc50i4uAy4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239358.746873 CPlAAd1glpWofm9c48 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239418.919459 Cs22AT1iDlXjpnEh23 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239478.847061 CX9APc3bZVpG3EOoJ9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239538.746371 Cu5n8i1eR1Uq7cpNp8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239598.748166 CQZgXn37WW1G2MlGkd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239658.781183 CfSvmp2TftQyAmW5Zi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239718.803472 CjVLso4czHP84pCpIe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - 
- - +826239778.818943 C4SV4k38RC1OUl5bJg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239838.753386 CLODqD4BvYLZkLD46e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239898.798115 CYrTQs2MBgNd1gdB54 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239958.766735 CEePRr28Y2Y1Mk7fol 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240018.815379 Cp9nfP3Ll0DU202fD5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240078.990916 CB1p8vzDu27Xh8mjb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240138.857062 C1cf2A1IEXB6OWP7g8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240198.789568 CNH2dH2ojKinxj8Znl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240258.770860 CSw824rvuPrp6U7lb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240318.877996 CSLQtD1VcMg50oXYij 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240378.759724 CtS0rHoMhL7UNXlk9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240438.752743 CpNVijnE2lWwqFUTd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240498.795532 CjsNda3kT7BMmn79r5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240558.806102 CgYgjg4uU6EPRMKrHe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240618.805927 CGv6GGMohalagEtfh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240678.804787 CSW3Ia4wgHVN2LR2x6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240738.827089 CIocUB2QmNtAt98Raa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240798.758610 
Cc4qTzr0Vrfu3VYJ8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240858.757472 CbTdzs3jEHRNU2hFC6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240918.765106 CnxLUi2KiCwChGAqX8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240978.797143 CQWG8r2dfrbg8LUlua 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241218.771213 CngLM039cnn4Mvt3Df 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241278.766164 CPchod2Y4uAM4sSS9c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241338.777724 CFTJ5k1BeIJn84TMH3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241398.765852 CyZqmk3JlFJTzRoIM4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241458.768609 CvI2Po42hxTw7EWx0d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241518.769419 CUNPU92OvaTuTi9Mn6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241578.776090 CCljqz1dhNjSOwPtt2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241638.772991 CQxarQ3Old0ATLJU34 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241698.791353 Cw0Nu83mpEDdLy8MC6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241758.774582 ChnNNF3g5zHZRnTnB4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241818.771469 CuuVrm28b4g38DwYsc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241878.863055 CMXwF2rCJiIRPl6jd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241939.284125 Cvez3u2SD3arHlyAhb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241998.780750 Ca4smwv5Bm87TV2Tl 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242059.025161 CPm8hfqbQLr7uupN8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242118.790175 CpkkHm4vwb3YqzXCZf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242178.788064 CfjnpA16loSFIdknW6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242238.835729 Cps5Az3rXyb1nHevh1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242298.779917 CXmQLh4nwA2enaBMqg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242358.860709 Cw3UIy3L6yJtxXSNa2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242418.804890 CZKPJ624uO7F4s4uH8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242478.905255 CqPUf01ahHtGb1RWvf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242538.810416 C0KvlV3xhBAS0TjIDj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242598.786827 CyMvF62XUvVdRK9MI8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242658.838395 CGOfGiDKJQjG94tMd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242718.874347 CwA19D3CGPf5cw6el7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242778.838084 CTR9yW1pU9hdggZRuk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242838.787168 ChvW5E4jKCLmJGFNg5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242898.920704 CjJLKQ1Tjc2vp8BG8a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242958.863934 CsXjRw16FavgTXwrbf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243018.841315 CUCes41sQHFSrH1ZEe 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243078.829442 CH3IYJ2c8Jen6r8iV8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243138.797073 ClE3yWP7k1x6qEyPl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243198.790087 CDMnmw29INxxeNQYE5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243318.790753 CNncBmG60jrMYE6l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243378.939943 C8eX4r3Cp2UPufTe1c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243438.803122 Cgt8oPuPHbri1sDsf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243498.837082 C0tU0J3qBSNPZvvCs2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243558.806671 C8KI9R1ifxBOWmcYbk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243618.902231 Chmysb4fi1r6OFHDDj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243678.799713 C0QO6i301914TaOGJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243738.801488 C1ORxn3XJz6yGFeo1g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243798.797409 C16xpV1tjLQ8icxRRe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243858.808938 CEMDMT1e4PPAuvjdM8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243918.824396 CIUQGp3FrmzWVrNbWi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243978.811537 CmQYii6kvBaNTuNVk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244038.808443 C75hcC2LEEqHPcTGQg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244098.843419 CgOLAF3SB0Iuo1RoGb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 - - - +826244158.807117 CdThD72YLnxl0tAhx9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244218.805965 C7pyIc1SjyxmZqpP2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244278.871193 CG40jK2kO1NXwdRjlf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244338.832976 CFT5QX2NGkWvDoS73b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244398.829901 Culfcf32j5G4hy5STj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244458.854146 CbyYXp3OuxgvSs1rnd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244518.802259 CX4BSWvxCOPQSsoz8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244578.812840 CJU0ts38Nm9alT7qOa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244638.889787 CmNRTy2A3u7dm89xd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244698.804714 C0iw8dgSzn6Lt2l87 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244758.866022 CaRZ9m4zUs222cMaf6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244818.840494 CyNxcw4xw2VLy5xqM9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244878.841322 CdRhWT3WJiNJd6yI4d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244938.838230 CCZZib3Y9pjgYtJW2f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244998.816588 C2lPJTbmBFDRGZltf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245058.821315 CBNXBD24hjefp0LZkj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245118.812373 CbnyaU2sWQc9hrOFsg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826245178.913723 CrSfRNn9Y6TpKSYwe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245238.866722 CfcTNZ3VzQGbNyOYm1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245298.921238 CnrF0h45yKF5cL7XQ4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245358.819586 Ccw4T01sNMI4v5qGs3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245418.830157 CxZjbb1da9hcaT6Bt4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245478.863177 C840ag3wJtif3z9DV 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245538.856182 CoXTPA2KVYz9zNYlib 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245598.824786 C92XxR3BCHdnrMocM5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245658.816823 Cvjzja4a0xIU8nOkg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245718.819596 Cadfsn2NN5nFfCVO97 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245778.876048 CT2pLJkKDfRbdDUWk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245838.875872 CgQAlXJSKaQ8YnvPg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245898.863029 CQLrXR3icdsWYVPKg2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245959.038160 CZxRwdVLWuciheCb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246018.825643 C90m229PgBu1jrrF5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246438.824533 C4Evyd2E8m6d4Xhqsi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246558.835921 Ctt4oD26CzPAWcJQCl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246618.829895 
CAVH4i4ZVYN0WDoo27 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246678.850235 CGiOCL3c4KjdZuXuff 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246738.830559 Chc8Fa457qFmtuEYY8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246798.832344 CKMhv2oB2z1eyRX6d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246858.832179 CSHS0H1H0rjxicgcAg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246918.902298 CJuvoE1YyLGhjELqf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246978.837724 CMdhHL152FlWWz9vr1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247038.885394 CJfYiM1E2zyHG1NoGk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247098.844228 CDvkJz2zlMjW4EqRb9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247158.856738 CUozuC4RUktVWsM4C1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247218.840973 C4LIRIHQPjU6UiSOh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247278.845693 CkW4Mh33uCHmIm9Hdf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247338.855270 CTjtV749YvoXcl8Nd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247398.872668 CFEIoY1dUsibWoByJ5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247458.842250 CgBkDF4bRECntkASrc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247518.845986 CWSdwH3KEQ3oqHyRAe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247578.851689 CRwYxf2x9mIXyPwkJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247638.844676 C6IE5b4s4Qoqk5pgni 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247698.862067 CxyBM33gWvfqTVKzb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247758.911671 CogwD74Lz7PMpUif8i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247818.879290 C93l5e4yKVetWUxmIb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247878.855719 CWKen9tbdg32AFm98 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247938.917065 CeCoMC2Dl66C9enIj2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247998.846648 CQnCV1iF8YjETdeQf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248058.850394 CYmjX01wozt3Bngyne 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248118.853168 CvDeSJECATHoiOMig 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248178.851054 CcfaGF3WOUkVaqaPs2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248238.858695 C4yqWO3VAbIxES2rH2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248298.850725 CugL4P2LP2PttPSKNj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248358.853490 CCWbyI1qxx4x5p9JCf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248418.885526 Caiz9z3pIV3Vw8bLA2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248478.865847 CLlaSu3305zpdumq64 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248538.858860 CgUrgP2EUQhnVU0mhh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248598.863576 CFS3FG2WRxrhm1dYj9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248658.858523 Cu46pf3vovzIOnRuGj 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248718.861298 Cg6txW3WQysgx9vIN 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248778.859179 CWV1P3151cMujgYXRk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248838.870699 C2cQQGuP8RfmlD1yg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248898.875419 C7HQwd40e8TI0qTbCf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248958.899648 CwddlB7WvzDnYFgOi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249018.864386 CEDuC91bJvWJYKl6d7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249078.867101 CbmmXy37yurxWpeoib 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249138.866899 CtooJF4JHtk2Dew0Vl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249198.876445 CbCZuG4MmggnzhJmL7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249258.863540 CLr3hj4nHaqHaIRjSf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249318.949260 C3LL3aI2IfjynCCu5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249378.880778 Cn15F21dn89NwMjUjh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249438.919666 CniUKjRyvTYk6WBv9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249498.916588 CghlGU17ItoPIDGyn1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249558.883238 CJVKIq4FzEOY3CJmfl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249618.870405 CjGaO63WQ0GHxJJSk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249678.869265 CMI1IP3AFxaLd0eVOh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 - - - +826249738.875938 CwrX304jrMjLIeAM5c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249798.879699 C3Mkiu9LkW3gl5KFc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249858.873691 CAzVmk2t7tdRqXyzqk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249918.969767 CeI5mjbpx6OYSJkrd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249978.872403 CWMQeA3cuWTnRkxSKb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250038.871257 CBjDGy2vGTS1KryS56 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250098.889646 CuSlgI15ZcagsYuCRh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250158.872911 CiFQosvqoGjiz52G2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250218.873732 CuQyJQ1xb6qBH5mv0g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250278.874538 C8BMk54ff2CdTgLcB4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250338.887065 CRoARV3xDWYArG9vL1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250398.879104 CETFoW1N76CJjEjT9d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250458.879920 CTeOjNzx0LGGuuKX9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250518.888560 CO7Hw14t1CywZ0yUwk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250578.898170 Czne8F2sr7nAi9C5D5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250638.880507 CqqsZIhawJagd7XAa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250698.881338 CIdqf72xgABNn2nYD1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826250758.997899 CcyrTu1f7iAFTnrVl5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250818.914243 CrozhMW1WU9fALA72 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250878.887750 CCvsjuhEYzjznKVi7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250938.889540 Cvx5Qs2kADc9pywrK7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250998.908891 C4wohC17dIkpiAbtv2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251058.901889 CM5Lx21gZyMpPtOOob 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251118.886125 CM4rP44To5Keaj6Xbj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251178.894743 CiLI3a139hB8I8ntOf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251238.889686 C4henr1eVw3EMMJQBa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251298.908089 CzhrlT2CAXztbzeFmk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251358.887436 CifFNK2knaMKUFXnH1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251418.918515 CXMQFe5QDnd36lRki 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251478.896887 C8bErJ3q2mS9xxwSwc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251538.901595 CDkOR54icnCqIB0tN8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251598.893636 CJkGixVUU9nbF8rue 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251658.898345 Cb2zqa3PSKO9Zh9Ull 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251718.893305 CQZ5a64bHSy6ZYaGoe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251778.895096 
C7yRPv4jexg8uI21ki 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251838.895901 CDTQan1SsGgBKte2ld 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251898.895715 CLv8H3vjbMwHcVIJ5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251958.894582 Cq817s1MTFzkHnmih 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252018.924681 CO4vvcBZfWsIRgFBl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252078.901098 C5cF4Q1gr9Sq1DIJw9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252138.910683 C2XXQN3HVBDKRX09Ui 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252198.907574 CM6mii17UPgzVUOOSb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252258.903484 C1miNmjS2Lo1RG2l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252318.967273 CStGtB4Si077kSmnP4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252378.912848 CNJBsF4nhSDAXQ9An1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252438.926355 CVDp5B1mDeUv2LkX22 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252498.905693 CD7fKL2uNfgd9JUnv3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252558.902612 CCK6ws41WuM7BfinG3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252618.908308 CC0oNM20B5fEE2iDJd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252678.907164 Cot7Du210ANamYj5Uf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252739.201367 C8eIdf2rXg9IZJGZa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252798.934171 Cz1Rx629LLmmyzvfF3 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252858.911565 Cl9UtTOVQpbj8EQbe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252918.920173 C1vTL64Gr0Nv7uAH23 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252979.015256 Cd4UghVP1yZSaJmh6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253038.913020 CegO0K37XS9XyGQ0p3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253098.913839 CyMu0h12iZg1usDPM6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253158.920496 CeiKu03BGkM33M6hde 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253218.912474 CuXCbU2pPFsSsDgG3e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253278.914220 C5R4aj3pNdq8ur7KJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253338.912114 CL8AQ43cVT3zg9mXVe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253398.914923 C4CPZlyAhV7lzddu3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253458.918705 CBbEFo2iNwrO3EmNn4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253518.917565 CU6agx2rD4wFNvYzF3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253578.920324 CNf7VA2g9xKfDq3oic 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253638.927971 CWba3C3KcZdjT76YV6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253698.918042 CVukb93tlV2MQNu2R9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253758.960352 C2kJEa2bWgLLSUMV6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253818.920563 Cc0EBI3i4Sg2p5V1B4 128.3.140.132 2035 194.140.136.34 80 tcp - - 
- - RSTOS0 - - 0 R 1 40 0 0 - - - +826253878.977586 CbHKU34s9H2DTlSin7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253938.921223 C79vGi3WgsbTVBMGYd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253998.924959 CjpfZMPPll5f3aMO 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254058.922838 Cy1NOD4AzXLyEkvF96 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254118.925608 CgDsU32KkitFRq5lKl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254178.921518 CcMyDA4phiU99YuPj9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254238.924237 CWYF7J1GZoiMLC6p09 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254298.945549 CwzvDa1UBD9o0gY6l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254358.930755 CTJexFQEEX6Q6Y147 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254418.931575 CuURcXPy9Yf3fffp3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254478.927493 C73nFd1kHhSg9H0we 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254538.930243 CbJW752k4xO0AGgb86 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254598.927136 CEQVKVBDKRxjES593 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254659.050546 CBWXZk44HPgXMc89P2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254718.934655 C8cd7s4s2BP6B2fJNi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254778.945240 ClH5jbDR1LYIRXd71 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254838.951909 CaICTV1ibR59BsqEjl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826254898.945901 C8SJ9k39WeDEkTYoO3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254958.937938 CtUWcL3TWvF8KhVem5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255018.934852 CyloG21FfI5ZrMVFn2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255078.932744 C88UNG2NmUgRCRsNue 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255138.978058 CLVT864ykyCrW11LY4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255199.037442 C3IHPG3oSm29zc3p3f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255258.943011 Cw2LWlnnRKp1pyz1c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255318.937976 CoZu1c1NzNQYFKmJKb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255378.936804 CEpktv1QzqZ01hu1Ll 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255438.942466 COLt8K3RVsghUlwwlj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255498.945244 CPNrE51wE94CGcz2y2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255558.943115 CrHjBv4IxQageHT2hf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255618.940043 CakBqG2eh8LpGPpMie 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255678.939884 C8OTyM3QLLANhzAhS1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255738.946546 ChJeRQ1Fk8dImYddYe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255798.959638 CZKmJe3BZnVOLOScJg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255858.942307 Ck0ZIns7FRqEDteY6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255918.943103 
CEAAeHq9NVabX7dsl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255978.952270 CRSG7beuuCV4Awie 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256038.947620 CMGTqYUKMiEPlDu1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256098.952922 C7N6YdogWVuNPxt5c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256158.947284 CHmJal1SqsPRLYVucf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256218.950572 CGV5WX3XamXfeCPIQ4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256278.950427 Csdqbs4Gl2KXcYu4c3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256338.948722 CrSLew3moViFbz1qm6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256398.955968 CRWY5P1O5XpXWdV5w8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256458.950944 C6t8vm2lI5YLsixcL 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256518.950800 CSkk3F4465nT62JjM6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256578.962348 CySinR2Ukr7K255cYk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256638.958265 CSmiWy2ijhhZYx51aj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256698.966875 C5VCTW1d4Y04IFrmyd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256758.955000 CJHfOa2essjP0bgKz2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256818.981197 CgqUvZ1nEsLTpeM14h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256878.965414 CNHO3k4NgRtiR9LGg4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256938.961351 CvTDqyv0AzFZYhvYa 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256998.962186 Cwl5An2Zl1KmfDmeuh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257058.977647 CrPiC82XSrQHnWbSX8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257118.972604 CEqAJrLp6vnKEWMSe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257178.964625 CU1iZ02xS6oIywBvre 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257238.978134 C0xJcY2DtdXEexKa73 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257298.961371 CqqMfq1eRUAlRBVTil 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257358.961204 ChPlIQn7hT4ielqD4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257418.988368 CPzlHT1W7t9ae9GYod 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257478.964774 C8L93h4WLd8rzjnDk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257538.963626 CUxHYs1Khzuo2rNPrc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257598.966389 CeAk8k1y2fNlUN41L9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257659.124337 CNrfn43LSwXw9bRMT2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257719.025602 CzgGhXxDgtHrQx1Cb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257778.972750 CPCuNh4yfaVBf03vwe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257838.988161 CujTOp1hfr9YtLUL77 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257898.970378 CMfhB12Y3M2xmf2lUh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257958.970224 CMSugk33CuYdOCnrj2 128.3.140.132 2035 194.140.136.34 80 tcp - - 
- - RSTOS0 - - 0 R 1 40 0 0 - - - +826258018.973008 CQU75q2w6MKlL7TOw9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258078.979685 C0jKCV1vJ5dNrFbKyj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258138.973686 CGklVD3bA0Y144Jsd8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258198.980376 C6HGJp3SJ9z8NWIWue 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258258.974347 ClFEx44Cxokti2M5a3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258318.979060 CeUHgQ10eSfaPljB8i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258379.042341 CtHB5M1FZqEMBsDqmc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258438.981621 C3gaJq28J9Z0bJwkt4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258498.980480 CGaqMT2Bkznty4vuRj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258558.978357 C9Kktu3h8egsI8bXul 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258618.979172 C4bhw0253RfFe8QQgb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258678.982917 CkzPML2sTaC8EpDQq1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258738.984715 CTFVYg3F6kPgvvigZ3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258798.979677 C7alhG18cdswwf49B9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258858.986344 CnwiJo3C6bzuaTB2Ng 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258918.981304 CQZvsX2MZK2MLgB8W 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258978.987979 C6JDfkEbDcWUF325l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - 
- - +826259038.984881 CRo99W2oC6tPJyIqmb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259098.983739 Cf8KoB2oIsPLUEaLTl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259158.983560 CjsgRCNRaU0bXmXO6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259218.984345 C98t3N3vGfFxouiY5e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259278.997890 CeJaoEsgZUUehqGXf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259338.990890 CyWDN9mnZGMJ1saLe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259398.988756 CvZPT62WfToKxceyEf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259458.988584 C9pfbjOVDc6OP6iY9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259518.995258 CkO2bn2PlAVTlrXvra 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259578.992149 CgaS9u2aLx3wKaTlml 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259638.991957 C30LxW2Th1gjujVr22 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259698.999553 CcEJR83FsF84gpOd99 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259759.002304 CxSX2XRSWdjDgyNz6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259818.992412 CWwkUh4P2SNipqOgL1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259878.995197 C2ZaFAfQnfzGByPC7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259939.010645 CxQLCs4niKD8U6Pz9i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259998.993883 CxCf8J2esw472Ielw 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260058.994683 
CuaG7w1ufkC6A9gtFh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260119.000360 CPba6z3CUAMjAVWIk5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260178.997278 CfYXN8RcLJE1ncGsf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260238.999066 CtwsWy2janmDrrsrmi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260298.997944 CCBUYR130FjWz8Bg6d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260359.003590 CSlCZo3oIlpqVFvL9i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260419.002447 CuLqt91wSykza0MUr 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260479.004239 Cr6BDA1u5j3a1jfbMf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260539.002119 CznkyN5OS360c7fzg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260599.000967 Cjlzzx3hDTXYwCCZfi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260659.002741 CBlqmd40gboMM18XRj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260719.004517 C4AeuTNzLiWRGK4Te 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260779.009235 Cg39xa3V4NdPUzWJP9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260839.006152 CdN9Ip3sqmcRtT6c06 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260899.006966 CvrdKi3MZkWWOHzZba 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260959.010702 CsA0Ka1rED2oJVwNh9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261019.008568 CoOuCA3ocam2A7NYCe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261079.025985 C8ECoi1gSfd8MF51Vi 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261139.007288 CaRKSZ2vQuFygUO8mk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261199.011013 CbH8HE1wAvU9RKMdOi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261259.012811 CaWQM53kzXuppddTD5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261319.014622 CTGxwZ17I9IK4IPe7d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261379.010557 CZgDR43jpwQ9wjb3d4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261439.011374 CsA5eg2ZCIorZpTdT2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261499.012190 CGIniW2GzJdP6AIbJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261559.017896 CHDTTo3cs7h0VcRLyd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261619.030434 CLPttK3P6NNlayture 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261679.015624 C8XeSi2ysHv635JUMb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261739.021299 CpApEnPgUSa06tsxb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261799.057228 Cln6984XP6WQL2a6jh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261859.016050 CqEAVT1aXMorGMNSvb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261919.024671 Cg2HHq2uL1cpzLEWOj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261979.153343 CUrs2G36GBmRYMAeUe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262039.022404 CYJ0oW3tQfJQCAst1d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262099.020289 CN8aXr1Q63uhBnt3gi 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262159.032811 CwFpNj16f144BTWjI3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262219.027774 CKUInZ3I9NXuVRJ0Gh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262279.032466 ClDE4n16xMQPvjODEf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262339.024512 CML1AY3hOt5zvH1TT8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262399.022397 COlSNEF18pudbNONd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262459.037847 CYE02G18YwMa6n39k9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262519.025947 CALuC816KX0SuRA93k 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262579.053102 CLgXhW3nduerCXCJZh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262639.027550 CUuqeQ1jV5e1C0hRW1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262699.027365 Ci8Hhb32NQGkzEhQxb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262759.030118 CiP0kcArU4JsR0Bg9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262819.029939 CxrLmv46qzXI9L3Wad 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262879.030732 C0CuYWAzapH9Y1N9h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262939.031549 CDXH4xJCnyb5tOLii 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262999.030389 CykG4n3Dxwvrk8ST9e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263059.037025 CYbdBD1xNg67gOWIHe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263119.033946 CPEstI3RgL6nRsJ8W5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 - - - +826263179.033778 CGoDMnzCLhEMKVLrc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263239.035560 CVPyZY3yBTgzZRquV3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263299.035377 CQghfc2KfUgjWFzIp 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263359.038144 CHmtZi4dWdmwAF1le4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263419.042855 Cr9A2y47TA7mm1zpt4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263479.037751 CnK96q4UmUem8G4KUi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263539.036572 CVKsXw3ESdgONGrYyk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263599.037390 C8Cz1kEKMFmaBpwFk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263659.120188 C1Oihq3c0CnGxnsyb7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263719.051695 C8e6AA3EEmfxrlaA76 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263779.062263 Cn8XC64o03t3dm0UYe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263839.039643 C1gS9LiwgpfSE6c1b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263899.054120 CaQlwk3hIHyw5CbUT3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263959.041272 CANA543bVGTX8nPqc4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264019.043036 CDqrws3sJtHbatTcof 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264079.045815 CH9Ezw4lGM8yAvG9k9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264139.057337 Clj6pF1D7hB5fnMBg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826264199.045453 C3TNnl1P9wFMmMTNll 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264259.045283 CoeZek83RtKuXfxN5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264319.054863 Ci3UVZ1k3npfds09I3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264379.061528 CuMnFP3678h2jQ7ulh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264439.057460 CenkCO2hmdyEL8FPKg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264499.047530 CY2fO53hF8GwkyHa12 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264559.049322 CGJT3l1VgeuACrsEr4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264619.060880 CPt6WNG3WWvYoglu4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264679.071437 CTNsnW3LZuKQ7ybUmj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264739.055629 CtPqGp3ivrqkDfCHW9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264799.057424 CDkrrE4xRnuwaOYzB1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264859.057263 C9tgDs41wRFwrwMHDb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264919.058088 C9VusU2DYszWdN5lv2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264979.062782 CovX3L36kxML9jD8Ql 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826265039.054836 CK3H7F2i2EFuRQmHr8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826265099.056628 CcAWbc4k7xJ4cwzFcj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267019.094978 CDsfJ83mBfShtP3ra3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267079.081091 
CtA8cD3dbZbDyD3ggb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267139.076009 CIMc7c3MIoZBJIrN8l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267199.081708 CxfzyB3K82Ybv72ug7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267319.084284 C4BrGE1jIIuMPtZJjk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267379.081202 ChTknA2H7Dsub8YRxc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267439.082032 CFMigc3cSgZsWMpKff 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267499.082824 CLt9861h4kL32m3j7f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267559.080678 CZz5Al2VYRjHdflA8h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267619.117602 CI8Whj2h6r6LcSfVub 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267679.082308 Cj7NVNNrbAqyXqUw5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267739.085073 Cy6tdt3KfDywtI7Ob2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267799.084918 CrAxoy2GoejEATJvDh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267859.091594 CwaLTn4LXluo7UvqTf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267919.092401 CZqwGT2kwjPGescsFe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267979.095153 CFKxJC2R9cBSw9fpjf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268039.092073 Cpso3f36rgNdVupv79 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268099.101672 CppBrMUywKphAbms5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268159.091753 CkGInR1qK0eOnMHvkc 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268219.127714 CyGCzw47PTvCscGFQh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268279.089493 CKRgKA35Bl8MptEZ98 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268339.241580 CidM6JqQOb2FHVtUi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268399.095944 Ci9Qqo4Mqhkhd7qFZb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268459.097696 CHY8RiUHiFhKhES27 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268519.100469 CjBnuMqmiaV3z7i7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268579.100299 CAZ39E4TQkxd0lBVNg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268639.100120 CLuA6a3JjPP1pqXDgl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268699.104832 Cx3A5Z1dvTDKH5xurg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268759.094878 Ct5q9b3OYGNtBKVNSb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268819.097657 C9WYFL3vuvOx7uhvxg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268879.097488 CPMkCm4JEbNgyx5Ewd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268939.103179 Cva7PE4j6kICfsMksa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268999.132280 CPfswM1AJyRPS775mf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269059.100881 CVLcgX1RZ13gUgyf5h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269119.099763 C42eDo2F7NJVIz04oa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269179.100583 CU2ANA1Yt4ObqJFRY9 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269239.111149 CX3IPy3pUxul2z02q6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269299.439902 CcoTmD3IHZnRv6mtOi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269359.264070 CGT6YF1SsJIs9T9lnf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269419.120439 Cqlwx01oD12uO94Ib8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269479.103684 CDLOMy2vjf76gI0rEb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269539.222577 C1YUOM3kd8rSJQYu4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269599.267269 Cu3NBQsaY2BAcBVN7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269659.148995 CUSG2v16HRuh7yK0S8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269719.104862 CJ0hRn2MsrZOv31smh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269779.127139 CqGMy32Z8uKHOnELh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269839.115267 CDWB1b1haIEHVS9sb3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269899.113179 CRAZht1smUfIWWMRsl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269959.112020 CBWnVl4AhC2yViYHq6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270019.108940 C7viQw259LpLw1bef1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270079.151713 CWeakb4xAgF95QleOe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270139.112488 Cay5bn2vtLHX9KwOje 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270199.132810 C5LNRFqO8x4l43CF4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 - - - +826270259.112162 CIhkRr4eHA71oq6BC 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270319.135418 CTggH82xFpM171oygh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270379.141103 CNtx0XvYoJ8ljgsj6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270439.127287 CqKkoXjDIKqwN4xp8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270499.117371 CN5oXL1vK53j2UehWc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270559.123058 CyVWZ63RmCoT7Jda67 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270619.126776 C4wshM3dMV4pJySvXi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270679.121718 CDROSq1z8LAIXNUmhk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270739.130345 CcXZsf1GB9mlwwT7F6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270799.119478 ChGADDsCZhKs9BcFe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270859.127121 C5pIAZq3OcXUdJVx 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270919.123056 CVxCZu2vfyEgzJTSZ4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270979.122865 ChhFkQ36rFvb52Ye61 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271039.124649 CR6t1A3SZnlSLUonm7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271099.126441 CHYPfS2TDpyiCxWKY 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271159.258051 CpjaKw2UzL2pMQIdsa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271219.127113 CPiEgIQRKv8QZLRWf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826271279.124989 CsMqt73dlmRROjwIUe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271339.312208 Ca9ZmG4i82iE2d0YR3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271399.140270 CxR52Y3GzT5T7QPGrj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271459.141075 C0m7qm2cK3rhFZySFb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271519.250200 Cq4vle2OoD0gt9mBd6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271579.409125 CiEIqD3A03Z25mZpP1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271639.133701 CcxfVg2FUarIYu7CT7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271699.173537 CkftvZ2kq3sDL3Kco8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271759.143099 C9nivj101nFcyZv5A5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271819.143934 CtefJ6ox2Y36z8fU2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271879.135946 CJjRzu40yZQmdLa7af 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271939.145541 CdEhA81a9gr5DFlDK8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271999.175638 CpN0AM1QmlCca61py9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272059.134518 CEdPh92zmv83S2Nkl7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272119.147027 CN4lI43Zc9ELnQbdL9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272179.165321 C3cZ3nRZ7QcfNlcA1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272239.165094 Cfd5UC4SjyBeRgJLE5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272299.148322 
C22vJE3gkYDqoRi69f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272359.146201 Cyv1Q53irT6Dh7AgHc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272419.156786 C3UJgq2A2RTuKRgt23 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272479.147862 CchdFNQuAo3IiP823 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272539.253121 CY3Z1SRmzjBaIwPZb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272599.142672 CzZawy1pgVAgYUyYKi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272659.190310 C3sEsF3VPXkvtnrzU4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272719.281883 CiRblW13ZKi1thxWQb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272779.149966 Cu35wahBF5Imcilk8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272839.205443 Cm12m71K09UdwP4REb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272899.287243 CFwye24v2TzbFWF6h2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272959.229489 CDWNQu2lmBr3AjHR5l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273019.146353 Chn0u74Z84C8gRRMk9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273079.280873 CvBNEh2BX7uj2WBB4k 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273139.194825 C2wkTtkbOqgitNpie 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273199.225903 CqelPd3lByl65cwW0i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273259.252096 CXXaK91JJmd6qlH3g2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273319.162128 CeyA8eddGDVUGHUud 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273379.159026 CDavIt2ice9TjDxiA3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273439.171553 CkmozifGdEBYaNd2a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273499.155754 CRFhntGpfiLw8Pv0i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273559.177995 C1dZ433UvCCjRtEjzl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273619.166103 Cw2cfZCugd0Q63rI6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273679.164928 CK4u8R36tgECdnBZ04 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273739.212569 C6sJ4j3d8WLg8YnFO7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273799.387098 CofNlYPxkrXg6WnY1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273859.390835 CSMq1t4LlwsA7FZxzc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273919.382854 CJXpd22FaR9f85tITj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273979.901520 CnKf1OWDIpFR3yip4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274039.467417 CjIFm71sV0Kam01oac 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274099.227156 CcdNPj2qOnTcLkcNej 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274159.250414 CdMKxC2TJXnB2ycVhf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274220.639673 CKByou4dCuNE1OUoPe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274279.311579 CAUTzU3lsdTflOr7Nj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274339.187456 C7Ur701fO8ULRsKar 128.3.140.132 2035 194.140.136.34 80 tcp - - - 
- RSTOS0 - - 0 R 1 40 0 0 - - - +826274399.171677 CeBTMV30QJxZRtURgj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274459.276903 Cczxwh2v1MVpMCkWf3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274519.208411 CMgjaQencP0Pv3kqj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274579.166270 CAcVss2KDF0ton5JIh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274639.178783 CBHupf4ZYdpKEW6qc1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274699.193243 CVm1PF3PnRHFuJuSKk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274759.247733 CA9q8t4O0VUp7uhQWl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274819.455453 CcpP2rwrG9PfcdDki 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274879.173217 CZAGCb3Fu0tfU51eD2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274939.183773 C3b81P1uqoaf5M4IXi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274999.291933 CFjfL12CkVQIBjKvb5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275059.171716 CIuGzw4zzngxgGtPed 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275119.176430 Cf2Jq43a5S93qH7Cx7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275179.189919 CTMTvD2czD52f1cpS5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275239.245368 ChIy11cKIY7wF59lb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275299.176864 CS6FIu9dD05jdClR8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275359.180574 CnNZty15Hqn2xhgJGg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826275419.174541 Cn8vaY3NVNZcimP1K2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275479.181199 CxBtUd3YCJxBhKCNV6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275539.177143 CpBKFj1oWgquf8Jq5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275599.302874 CQSFxVDVIk4IIuHV4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275659.277325 CZUtzG1SNOonX286De 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275719.190276 CbDLnv3P4wxNruySI8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275779.245738 Ce2gy92a3Zdxn8U5Q 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275839.184073 CAmLMR3rs3nnp7BC7e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275899.188765 C9ni9syojCRMsSjzd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275959.183704 C0B0K22KRamKeoqSz6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276019.182550 CY5kdp51F3oeCijJ9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276079.189208 CJKWcFBAgZzVVtF03 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276139.187077 CY2VN44UarHiJwjbg6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276199.201536 CQxEWi1F3d6K4qjmb5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276259.191597 ChX0Vn4uasaGJIe7Fg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276319.218739 CxO0Uf4uUDyFU7u9l4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276379.186349 CzY97244I3S03VcMdf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276439.283767 
Cl1tlc2gLRTcw4Bcw7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276499.197714 CjhFfB1x1TpkFpuwN 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276559.229740 CrGRrI1ZI7AGukEkUd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276619.195407 CHkdVF40CArtrW2IMb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276679.191323 Ch7MMq0yqytJoNWpk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276739.195159 C8INLO2H6kVl0oKAEc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276799.217455 Cax5UJ3dNqfI1V9N38 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276859.244611 CavCYn4sbKc30BxpQ7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276919.195650 Crf81W1wnKqCkmdQQk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276979.196463 CvGWHB3BSp1gpHFFKi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826277039.286081 C0Q2If35e26kj6oqL4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826277099.213676 CviTe74vjHLLx7AISe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826277159.197878 Cf0ZeH1gKEDckEkJV1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826277219.225014 C1hQrk1L844cx5tTNd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826277279.235554 CBP3Hu4RKc79x58Y2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826277339.221727 CUbAnm2k9C1iEtTmgd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826277399.202051 CkWokd3nscpygp5lIc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +#close 2018-01-12-21-45-00 
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.vlan-logging/conn.log b/testing/btest/Baseline/scripts.policy.protocols.conn.vlan-logging/conn.log index 44f440c310..ae6d54784f 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.vlan-logging/conn.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.vlan-logging/conn.log @@ -6,6 +6,6 @@ #open 2016-07-13-16-17-26 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents vlan inner_vlan #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] int int -1363900699.548138 CHhAvVGS1DHFjwGM9 172.19.51.37 47808 172.19.51.63 47808 udp - 0.000100 36 0 S0 - - 0 D 2 92 0 0 (empty) 13 10 -1363900699.549647 ClEkJM2Vm5giqnMf4h 193.1.186.60 9875 224.2.127.254 9875 udp - 0.000139 552 0 S0 - - 0 D 2 608 0 0 (empty) 13 10 +1363900699.548138 CHhAvVGS1DHFjwGM9 172.19.51.37 47808 172.19.51.63 47808 udp - 0.000100 36 0 S0 - - 0 D 2 92 0 0 - 13 10 +1363900699.549647 ClEkJM2Vm5giqnMf4h 193.1.186.60 9875 224.2.127.254 9875 udp - 0.000139 552 0 S0 - - 0 D 2 608 0 0 - 13 10 #close 2016-07-13-16-17-26 diff --git a/testing/btest/Baseline/signatures.eval-condition/conn.log b/testing/btest/Baseline/signatures.eval-condition/conn.log index 3350f2d588..ff4e18c846 100644 --- a/testing/btest/Baseline/signatures.eval-condition/conn.log +++ b/testing/btest/Baseline/signatures.eval-condition/conn.log 
@@ -6,9 +6,9 @@ #open 2016-07-13-16-17-38 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1329843175.736107 ClEkJM2Vm5giqnMf4h 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - - 0 ShAdfFa 4 216 4 562 (empty) -1329843179.871641 C4J4Th3PJpwUYZZ6gc 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - - 0 ShAdfFa 4 216 4 297 (empty) -1329843194.151526 CtPZjS20MLrsMUOJi2 199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - - 0 ShADaFf 5 614 3 164 (empty) -1329843197.783443 CUM0KZ3MLUfNB0cl11 199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - - 0 ShADaFf 5 349 3 164 (empty) -1329843161.968492 CHhAvVGS1DHFjwGM9 141.142.220.235 50003 199.233.217.249 21 tcp ftp,blah 38.055625 180 3146 SF - - 0 ShAdDfFa 38 2164 25 4458 (empty) +1329843175.736107 ClEkJM2Vm5giqnMf4h 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - - 0 ShAdfFa 4 216 4 562 - +1329843179.871641 C4J4Th3PJpwUYZZ6gc 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - - 0 ShAdfFa 4 216 4 297 - +1329843194.151526 CtPZjS20MLrsMUOJi2 199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - - 0 ShADaFf 5 614 3 164 - +1329843197.783443 CUM0KZ3MLUfNB0cl11 199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - - 0 ShADaFf 5 349 3 164 - +1329843161.968492 CHhAvVGS1DHFjwGM9 141.142.220.235 50003 199.233.217.249 21 tcp ftp,blah 38.055625 180 3146 SF - - 0 ShAdDfFa 38 2164 25 4458 - #close 2016-07-13-16-17-38 From 4bd066ef4f67dc61e00772b831ef6df3738d70c1 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 16 Jan 2018 13:01:19 -0600 Subject: [PATCH 292/631] Updating submodule(s). [nomail] --- aux/bro-aux | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/bro-aux b/aux/bro-aux index e9e91eac74..79c4bef8de 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit e9e91eac74bf1a240e40bc62ad4f4dc3d88bc126 +Subproject commit 79c4bef8de1555be42a1a08d91476d06b62a53fc From a4a9bf4199eb8af38ff4c51cd19bfd311516801f Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 17 Jan 2018 09:29:41 -0800 Subject: [PATCH 293/631] Logging: implement get_filter_names and small fixes. get_filter_names(id: ID) : set[string] returns the names of the current list of filters for a specified log stream. Furthermore this commit makes a number of logging functions more robust by checking existence of values before trying to modify them. This commit also really implements (and tests) the enable_stream function. --- scripts/base/frameworks/logging/main.bro | 80 ++++++++-- testing/btest/Baseline/plugins.hooks/output | 143 +++++++++++++++++- .../ssh.log | 10 ++ .../.stdout | 7 + .../base/frameworks/logging/adapt-filter.bro | 2 +- .../frameworks/logging/disable-stream.bro | 3 +- .../base/frameworks/logging/enable-stream.bro | 33 ++++ .../base/frameworks/logging/remove.bro | 5 +- 8 files changed, 263 insertions(+), 20 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.enable-stream/ssh.log create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.remove/.stdout create mode 100644 testing/btest/scripts/base/frameworks/logging/enable-stream.bro diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro index 998a0e0f6c..234cd950df 100644 --- a/scripts/base/frameworks/logging/main.bro +++ b/scripts/base/frameworks/logging/main.bro 
@@ -300,7 +300,7 @@ export { ## the correct type. ## ## .. bro:see:: Log::remove_filter Log::add_default_filter - ## Log::remove_default_filter + ## Log::remove_default_filter Log::get_filter Log::get_filter_names global add_filter: function(id: ID, filter: Filter) : bool; ## Removes a filter from an existing logging stream. @@ -315,9 +315,21 @@ export { ## if no filter associated with *name* was found. ## ## .. bro:see:: Log::remove_filter Log::add_default_filter - ## Log::remove_default_filter + ## Log::remove_default_filter Log::get_filter Log::get_filter_names global remove_filter: function(id: ID, name: string) : bool; + ## Gets the names of all filters associated with an existing + ## logging stream. + ## + ## id: The ID of a logging stream from which to obtain the list + ## of filter names. + ## + ## Returns: The set of filter names associated with the stream. + ## + ## ..bro:see:: Log::remove_filter Log::add_default_filter + ## Log::remove_default_filter Log::get_filter + global get_filter_names: function(id: ID) : set[string]; + ## Gets a filter associated with an existing logging stream. ## ## id: The ID associated with a logging stream from which to @@ -331,7 +343,7 @@ export { ## :bro:id:`Log::no_filter` sentinel value. ## ## .. bro:see:: Log::add_filter Log::remove_filter Log::add_default_filter - ## Log::remove_default_filter + ## Log::remove_default_filter Log::get_filter_names global get_filter: function(id: ID, name: string) : Filter; ## Writes a new log line/entry to a logging stream. @@ -432,6 +444,8 @@ export { global all_streams: table[ID] of Stream = table(); +global stream_filters: table[ID] of set[string] = table(); + # We keep a script-level copy of all filters so that we can manipulate them. global filters: table[ID, string] of Filter; 
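Review bot: The doc comment added for `get_filter_names` writes its cross-reference as `## ..bro:see:: Log::remove_filter Log::add_default_filter`, without the space after `..` that the neighbouring comments use, so the doc generator will probably not treat it as a directive. It should read `## .. bro:see:: Log::add_filter Log::remove_filter Log::add_default_filter`. The comment also does not say whether the returned set is a copy. The implementation in the last hunk of this file returns `stream_filters[id]` itself, so if sets are handed back by reference, a caller that edits the result would change the framework's own filter bookkeeping; either document the result as read-only or return `copy(stream_filters[id])`. The export block starts and ends outside these hunks.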
@@ -523,18 +537,49 @@ function create_stream(id: ID, stream: Stream) : bool function remove_stream(id: ID) : bool { - delete active_streams[id]; - delete all_streams[id]; + if ( id in active_streams ) + delete active_streams[id]; + if ( id in all_streams ) + delete all_streams[id]; + + if ( id in stream_filters ) + { + for ( i in stream_filters[id] ) + { + if ( [id, i] in filters ) + delete filters[id, i]; + } + delete stream_filters[id]; + } return __remove_stream(id); } function disable_stream(id: ID) : bool { - delete active_streams[id]; + if ( id in active_streams ) + delete active_streams[id]; return __disable_stream(id); } +function enable_stream(id: ID) : bool + { + if ( ! __enable_stream(id) ) + return F; + + if ( id in all_streams ) + active_streams[id] = all_streams[id]; + } + +# convenience function to add a filter name to stream_filters +function add_stream_filters(id: ID, name: string) + { + if ( id in stream_filters ) + add stream_filters[id][name]; + else + stream_filters[id] = set(name); + } + function add_filter(id: ID, filter: Filter) : bool { local stream = all_streams[id]; @@ -545,13 +590,22 @@ function add_filter(id: ID, filter: Filter) : bool if ( ! filter?$path && ! filter?$path_func ) filter$path_func = default_path_func; - filters[id, filter$name] = filter; - return __add_filter(id, filter); + local res = __add_filter(id, filter); + if ( res ) + { + add_stream_filters(id, filter$name); + filters[id, filter$name] = filter; + } + return res; } function remove_filter(id: ID, name: string) : bool { - delete filters[id, name]; + if ( id in stream_filters && name in stream_filters[id] ) + delete stream_filters[id][name]; + if ( [id, name] in filters ) + delete filters[id, name]; + return __remove_filter(id, name); } 
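Review bot: `enable_stream` is declared `: bool` but only returns a value on the failure path; after the `active_streams[id] = all_streams[id];` assignment the function falls off the end without one. Add `return T;` as the last statement so callers that test the result get a defined answer. The new enable-stream.bro test calls `Log::enable_stream(SSH::LOG)` without inspecting the result, so it would not catch this; asserting on the return value there would pin the behaviour down. A stream that silently stays disabled means records are not written, so a reliable success indicator matters to anyone scripting log control.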
@@ -563,6 +617,14 @@ function get_filter(id: ID, name: string) : Filter return no_filter; } +function get_filter_names(id: ID) : set[string] + { + if ( id in stream_filters ) + return stream_filters[id]; + else + return set(); + } + function write(id: ID, columns: any) : bool { return __write(id, columns); diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 1b967636a6..f6a5c4ad37 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -256,7 +256,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> 
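Review bot: `get_filter_names` hands back `stream_filters[id]` itself, and as far as I can tell sets are passed by reference, so the caller receives the framework's internal bookkeeping set rather than a snapshot. A loop such as `for ( n in Log::get_filter_names(id) ) Log::remove_filter(id, n);` would then delete from the set it is iterating over, and any caller could add or remove names without touching the actual filters. Returning `copy(stream_filters[id])` keeps the internal state private. If sharing the set is intended, the doc comment on the declaration should say that the result must not be modified.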
@@ -343,6 +343,49 @@ 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Cluster::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Communication::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Conn::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (DCE_RPC::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (DHCP::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (DNP3::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (DNS::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (DPD::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (FTP::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Files::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (HTTP::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (IRC::LOG, default)) -> 
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Intel::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (KRB::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Modbus::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (NTLM::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (NetControl::CATCH_RELEASE, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (NetControl::DROP, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (NetControl::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (NetControl::SHUNT, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Notice::ALARM_LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Notice::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (OpenFlow::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (PE::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (PacketFilter::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (RADIUS::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (RDP::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (RFB::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Reporter::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SIP::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SMTP::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SNMP::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SOCKS::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SSH::LOG, default)) -> 
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SSL::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Signatures::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Software::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Syslog::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Tunnel::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Unified2::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Weird::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (X509::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (mysql::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Communication::LOG, [columns=, ev=, path=communication])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) -> 
@@ -386,7 +429,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -991,7 +1034,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) 
@@ -1078,6 +1121,49 @@ 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Cluster::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Communication::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Conn::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (DCE_RPC::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (DHCP::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (DNP3::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (DNS::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (DPD::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (FTP::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Files::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (HTTP::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (IRC::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, 
, (Intel::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (KRB::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Modbus::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (NTLM::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (NetControl::CATCH_RELEASE, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (NetControl::DROP, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (NetControl::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (NetControl::SHUNT, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Notice::ALARM_LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Notice::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (OpenFlow::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (PE::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (PacketFilter::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (RADIUS::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (RDP::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (RFB::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Reporter::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SIP::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SMTP::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SNMP::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SOCKS::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SSH::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SSL::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , 
(Signatures::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Software::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Syslog::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Tunnel::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Unified2::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Weird::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (X509::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (mysql::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Communication::LOG, [columns=, ev=, path=communication])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) @@ -1121,7 +1207,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1725,7 +1811,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 
@@ -1812,6 +1898,49 @@ 0.000000 | HookCallFunction Log::add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_stream_filters(Cluster::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Communication::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Conn::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(DCE_RPC::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(DHCP::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(DNP3::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(DNS::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(DPD::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(FTP::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Files::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(HTTP::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(IRC::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Intel::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(KRB::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Modbus::LOG, default) 
+0.000000 | HookCallFunction Log::add_stream_filters(NTLM::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(NetControl::CATCH_RELEASE, default) +0.000000 | HookCallFunction Log::add_stream_filters(NetControl::DROP, default) +0.000000 | HookCallFunction Log::add_stream_filters(NetControl::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(NetControl::SHUNT, default) +0.000000 | HookCallFunction Log::add_stream_filters(Notice::ALARM_LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Notice::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(OpenFlow::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(PE::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(PacketFilter::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(RADIUS::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(RDP::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(RFB::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Reporter::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(SIP::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(SMTP::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(SNMP::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(SOCKS::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(SSH::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(SSL::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Signatures::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Software::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Syslog::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Tunnel::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Unified2::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Weird::LOG, default) +0.000000 | 
HookCallFunction Log::add_stream_filters(X509::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(mysql::LOG, default) 0.000000 | HookCallFunction Log::create_stream(Cluster::LOG, [columns=, ev=, path=cluster]) 0.000000 | HookCallFunction Log::create_stream(Communication::LOG, [columns=, ev=, path=communication]) 0.000000 | HookCallFunction Log::create_stream(Conn::LOG, [columns=, ev=Conn::log_conn, path=conn]) @@ -1855,7 +1984,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2198,7 +2327,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1515793448.944163, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.enable-stream/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.enable-stream/ssh.log new file mode 100644 index 0000000000..6ae0bfd050 --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.enable-stream/ssh.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssh +#open 2018-01-09-22-31-37 +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1515537097.372589 1.2.3.4 1234 2.3.4.5 80 failure MX +#close 2018-01-09-22-31-37 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remove/.stdout b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/.stdout new file mode 100644 index 0000000000..10e5d0099a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/.stdout @@ -0,0 +1,7 @@ +{ +default, +f1 +} +{ + +} diff --git a/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro b/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro index 53cfdd1655..2db881deea 100644 --- a/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro +++ b/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro @@ -27,7 +27,7 @@ event bro_init() filter$path= "ssh-new-default"; Log::add_filter(SSH::LOG, filter); - local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; + local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); } diff --git a/testing/btest/scripts/base/frameworks/logging/disable-stream.bro b/testing/btest/scripts/base/frameworks/logging/disable-stream.bro index 6799f7ca2f..c2f64da8e6 100644 --- a/testing/btest/scripts/base/frameworks/logging/disable-stream.bro +++ b/testing/btest/scripts/base/frameworks/logging/disable-stream.bro 
@@ -21,13 +21,12 @@ event bro_init() Log::disable_stream(SSH::LOG); - local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; + local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); - } diff --git a/testing/btest/scripts/base/frameworks/logging/enable-stream.bro b/testing/btest/scripts/base/frameworks/logging/enable-stream.bro new file mode 100644 index 0000000000..0f525eced1 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/logging/enable-stream.bro @@ -0,0 +1,33 @@ +# +# @TEST-EXEC: bro -b %INPUT +# @TEST-EXEC: btest-diff ssh.log + +module SSH; + +export { + redef enum Log::ID += { LOG }; + + type Log: record { + t: time; + id: conn_id; # Will be rolled out into individual columns. + status: string &optional; + country: string &default="unknown"; + } &log; +} + +event bro_init() +{ + Log::create_stream(SSH::LOG, [$columns=Log]); + + Log::disable_stream(SSH::LOG); + + local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; + + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); + Log::enable_stream(SSH::LOG); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); +} + 
diff --git a/testing/btest/scripts/base/frameworks/logging/remove.bro b/testing/btest/scripts/base/frameworks/logging/remove.bro index bb7c302942..3b80d24e9f 100644 --- a/testing/btest/scripts/base/frameworks/logging/remove.bro +++ b/testing/btest/scripts/base/frameworks/logging/remove.bro @@ -2,6 +2,7 @@ # @TEST-EXEC: bro -b -B logging %INPUT # @TEST-EXEC: btest-diff ssh.log # @TEST-EXEC: btest-diff ssh.failure.log +# @TEST-EXEC: btest-diff .stdout module SSH; @@ -24,11 +25,12 @@ event bro_init() Log::create_stream(SSH::LOG, [$columns=Log]); Log::add_filter(SSH::LOG, [$name="f1", $path="ssh.failure", $pred=function(rec: Log): bool { return rec$status == "failure"; }]); - local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; + local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; # Log something. Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + print Log::get_filter_names(SSH::LOG); Log::remove_filter(SSH::LOG, "f1"); Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="BR"]); @@ -37,5 +39,6 @@ event bro_init() Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); Log::remove_filter(SSH::LOG, "doesn-not-exist"); + print Log::get_filter_names(SSH::LOG); } From 3495b2fa9d84e8105a79e24e4e9a2f9181318f1a Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Thu, 18 Jan 2018 11:14:39 -0600 Subject: [PATCH 294/631] Fix problems with SumStats non-cluster.bro script * Add proper namespace scoping to a 'SumStats::process_epoch_result' scheduled event. * Fix iterator invalidation within 'SumStats::process_epoch_result' * Give 'SumStats::process_epoch_result' a copy of the result table so that the SumStats framework can clear the original and move on to the next epoch immediately. * The previous baseline of the basic sumstats unit test did look wrong to me and probably was actually indicative of the iterator invalidation problem. Thanks to Jim Mellander for reporting the issues. --- .../base/frameworks/sumstats/non-cluster.bro | 35 +++++++++---------- .../standalone..stdout | 1 + 2 files changed, 17 insertions(+), 19 deletions(-) diff --git a/scripts/base/frameworks/sumstats/non-cluster.bro b/scripts/base/frameworks/sumstats/non-cluster.bro index 9fdd012404..57785a03b2 100644 --- a/scripts/base/frameworks/sumstats/non-cluster.bro +++ b/scripts/base/frameworks/sumstats/non-cluster.bro 
@@ -6,28 +6,25 @@ event SumStats::process_epoch_result(ss: SumStat, now: time, data: ResultTable) { # TODO: is this the right processing group size? local i = 50; + local keys_to_delete: vector of SumStats::Key = vector(); + for ( key in data ) { ss$epoch_result(now, key, data[key]); - delete data[key]; + keys_to_delete[|keys_to_delete|] = key; - if ( |data| == 0 ) - { - if ( ss?$epoch_finished ) - ss$epoch_finished(now); - - # Now that no data is left we can finish. - return; - } - - i = i-1; - if ( i == 0 ) - { - # TODO: is this the right interval? - schedule 0.01 secs { process_epoch_result(ss, now, data) }; + if ( --i == 0 ) break; - } } + + for ( idx in keys_to_delete ) + delete data[keys_to_delete[idx]]; + + if ( |data| > 0 ) + # TODO: is this the right interval? + schedule 0.01 secs { SumStats::process_epoch_result(ss, now, data) }; + else if ( ss?$epoch_finished ) + ss$epoch_finished(now); } event SumStats::finish_epoch(ss: SumStat) @@ -46,9 +43,9 @@ event SumStats::finish_epoch(ss: SumStat) if ( ss?$epoch_finished ) ss$epoch_finished(now); } - else + else if ( |data| > 0 ) { - event SumStats::process_epoch_result(ss, now, data); + event SumStats::process_epoch_result(ss, now, copy(data)); } } @@ -89,4 +86,4 @@ function request_key(ss_name: string, key: Key): Result else return table(); } - } \ No newline at end of file + } diff --git a/testing/btest/Baseline/scripts.base.frameworks.sumstats.basic/standalone..stdout b/testing/btest/Baseline/scripts.base.frameworks.sumstats.basic/standalone..stdout index 6820df8d93..b345cbf850 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.sumstats.basic/standalone..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.sumstats.basic/standalone..stdout 
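Review bot: With the new `else if ( |data| > 0 )` guard in `SumStats::finish_epoch`, an epoch whose result table is empty never reaches `process_epoch_result`, so `ss$epoch_finished` is not invoked for it on this path, even though the rewritten `process_epoch_result` would have called it through its `else if ( ss?$epoch_finished )` branch. If scripts rely on `epoch_finished` firing once per epoch, handle the empty case here as well, for example by following the guarded branch with `else if ( ss?$epoch_finished ) ss$epoch_finished(now);`. `finish_epoch` starts outside the hunk, so the enclosing conditions are inferred from the context lines. A one-line comment next to `copy(data)` explaining that the copy lets the framework reset the original table would also help, since it costs a full table copy per epoch.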
@@ -1,2 +1,3 @@ Host: 1.2.3.4 - num:5 - sum:221.0 - var:1144.2 - avg:44.2 - max:94.0 - min:5.0 - std_dev:33.8 - unique:4 - hllunique:4 Host: 6.5.4.3 - num:1 - sum:2.0 - var:0.0 - avg:2.0 - max:2.0 - min:2.0 - std_dev:0.0 - unique:1 - hllunique:1 +Host: 7.2.1.5 - num:1 - sum:1.0 - var:0.0 - avg:1.0 - max:1.0 - min:1.0 - std_dev:0.0 - unique:1 - hllunique:1 From 41285abea5ed20fd48978d833b4d0a0a22b61b5f Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 18 Jan 2018 14:02:03 -0800 Subject: [PATCH 295/631] Make nearly all bool operators explicit. These are a bit dangerous because the casting can happen in quite unexpected circumstances and lead to undesirable comparison results. --- src/EventHandler.h | 2 +- src/UID.h | 2 +- src/analyzer/Tag.h | 2 +- src/analyzer/protocol/sip/sip-analyzer.pac | 2 +- src/file_analysis/Manager.cc | 2 +- src/file_analysis/Tag.h | 2 +- src/plugin/Plugin.h | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/EventHandler.h b/src/EventHandler.h index 2acd2569a6..6006f2e48e 100644 --- a/src/EventHandler.h +++ b/src/EventHandler.h @@ -102,7 +102,7 @@ public: EventHandler* Ptr() { return handler; } - operator bool() const { return handler && *handler; } + explicit operator bool() const { return handler && *handler; } EventHandler* operator->() { return handler; } const EventHandler* operator->() const { return handler; } diff --git a/src/UID.h b/src/UID.h index 2cda02811f..3a32b843f0 100644 --- a/src/UID.h +++ b/src/UID.h @@ -61,7 +61,7 @@ public: * and not yet initialized w/ Set(). * TODO: this would be better as an "explicit" conversion operator (C++11) */ - operator bool() const + explicit operator bool() const { return initialized; } /** diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index 9ba04b2ef8..35dc3b2ac5 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h 
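Review bot: The comment above the conversion operator in UID.h still ends with `TODO: this would be better as an "explicit" conversion operator (C++11)`, which is exactly what this change does, so that TODO line should be removed. The same applies to the "safe bool" remarks in the comments of analyzer/Tag.h and file_analysis/Tag.h in the following hunks. Those could be reduced to one sentence saying the operator is explicit to prevent unintended conversions in comparisons. The comment blocks start outside the hunks, so only their tails are visible here.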
@@ -46,7 +46,7 @@ public: * "safe bool" idiom (not necessary if "explicit" is available), * otherwise this may allow nonsense/undesired comparison operations. */ - operator bool() const { return *this != Tag(); } + explicit operator bool() const { return *this != Tag(); } /** * Assignment operator. diff --git a/src/analyzer/protocol/sip/sip-analyzer.pac b/src/analyzer/protocol/sip/sip-analyzer.pac index 829904aa3a..3174e6a977 100644 --- a/src/analyzer/protocol/sip/sip-analyzer.pac +++ b/src/analyzer/protocol/sip/sip-analyzer.pac @@ -8,7 +8,7 @@ refine flow SIP_Flow += { %init{ content_length = 0; - build_headers = (sip_all_headers != 0); + build_headers = bool(sip_all_headers); %} function get_content_length(): int diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index 41528e2ceb..177f5446dd 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -448,7 +448,7 @@ bool Manager::IsDisabled(analyzer::Tag tag) if ( ! disabled ) disabled = internal_const_val("Files::disable")->AsTableVal(); - Val* index = new Val(tag, TYPE_COUNT); + Val* index = new Val(bool(tag), TYPE_COUNT); Val* yield = disabled->Lookup(index); Unref(index); diff --git a/src/file_analysis/Tag.h b/src/file_analysis/Tag.h index c28183a07f..afa1a22ec0 100644 --- a/src/file_analysis/Tag.h +++ b/src/file_analysis/Tag.h @@ -46,7 +46,7 @@ public: * otherwise this may allow nonsense/undesired comparison operations. * */ - operator bool() const { return *this != Tag(); } + explicit operator bool() const { return *this != Tag(); } /** * Assignment operator. diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 2cec7cf453..9c5416230b 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -78,7 +78,7 @@ struct VersionNumber { /** * Returns true if the version is set to a non-negative value. */ - operator bool() const { return major >= 0 && minor >= 0; } + explicit operator bool() const { return major >= 0 && minor >= 0; } }; /** 
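Review bot: In `Manager::IsDisabled`, the key built by `new Val(bool(tag), TYPE_COUNT)` is the tag's validity (0 or 1), not a value that identifies the analyzer, so every valid tag looks up the same entry of `Files::disable`. The explicit cast presumably preserves what the implicit conversion did before this commit, but if the table is meant to be keyed per analyzer, the disable setting is never evaluated for the tag that was actually passed in. Until that is settled, a comment on the line would make the behaviour visible, for example `// NOTE: bool(tag) is 0 or 1, not the analyzer's id; confirm the intended index for Files::disable`. The function body starts and ends outside the hunk.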
From 314e992284eaf2b506869b7a16533399f7b7dd9d Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Thu, 18 Jan 2018 11:54:08 +0100 Subject: [PATCH 296/631] add test for smb1_com_transaction_secondary_request event changes --- .../.stdout | 1 + .../smb/smb1_transaction_secondary_request.pcap | Bin 0 -> 1740 bytes .../smb/smb1-transaction-secondary-request.test | 12 ++++++++++++ 3 files changed, 13 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-secondary-request/.stdout create mode 100644 testing/btest/Traces/smb/smb1_transaction_secondary_request.pcap create mode 100644 testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-secondary-request/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-secondary-request/.stdout new file mode 100644 index 0000000000..10cad0c702 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-secondary-request/.stdout @@ -0,0 +1 @@ +smb1_transaction_secondary_request hdr: [command=38, status=0, flags=0, flags2=0, tid=45374, pid=1, uid=57674, mid=2], args: [total_param_count=11, total_data_count=9, param_count=11, param_offset=52, param_displacement=9, data_count=9, data_offset=66, data_displacement=11], params: some_params, data: some_data 
diff --git a/testing/btest/Traces/smb/smb1_transaction_secondary_request.pcap b/testing/btest/Traces/smb/smb1_transaction_secondary_request.pcap new file mode 100644 index 0000000000000000000000000000000000000000..4236b140d5d5504d03137fa20b3c01cbb25e8a05 GIT binary patch literal 1740 zcmbVMUr1AN6#nkrjLkVy8#IDwU`;VubB#$tVVaeiGTcJaMO$hpWy)5~h`=5kKGuWu z(1Sz;HP}OiL=TH71BpUGBZBY`^cp<`l7X#re!p$GU3{<$=Wy=t&$sV<-?>|O`|Q37 zJu*)!1t|3LU?|x2Zp;7=)g15ty!x@2SWIv>pb4ntWA)qCZoGaBg+h%bm1G9RtJ)B= zNR+RHQb!vc^1j3pDAj~PC@)7CfsvGCEIFH4zD9?YU|BqV$PcLc)Mw^1_vJtMD1;XE zme}xVN%EQBZ^Qt>b7;EiPIq;ZxiF`6R}#f)!|GkS1{_HF+8V-KSvhTdSUnXeg4*u4 zoocf=9W^c?=Mw#JMox_om6lQ#;?c!CA)q5uE`#Y#3w`lW!*MOx^O@`i%5w7mXv6z%tPa}BrWmFbkh2DP^6 zndLxb`}diLvg zo@Ww;JaaNN;3hX6;mXQQZhU0Z<`jbHH@VU~nUA7?-pk<)MIt9oH~9#wbKr9CP&8t5 zJDfSSp1vKjUO^cU2y`~LyIKRy-p0M4B*ggUF=3R>aA>>>TXqQV_T){#G98}sS`#yG zK2QZ5&$cnH6AS;6f|eB(I;Npucb1#SQ3GFS@O+3E*E-zra~C{IyGqPkH)m=#u~Nn6 zER0BVcAhbV2aH2w&VV#$tuD_Ti9+T~92EQyb5~bInV)1=LR{`^GjVTqo6%2qIW*#S zSu8?aPp-HtRdjfj#hsMmI=N4)ihu7sHKj8VlHEplimN7Iz6b15r5qH&_!;S@w#nX+A! WxhX^0z?4mJQ#PW3D*D6Sgw$VP-|jj9 literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test new file mode 100644 index 0000000000..03bddf7bf5 --- /dev/null +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test @@ -0,0 +1,12 @@ +#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction_secondary_request.pcap %INPUT +#@TEST-EXEC: btest-diff .stdout + +@load base/protocols/smb +@load policy/protocols/smb + +# Check that smb1_transaction_secondary requests are parsed correctly + +event smb1_transaction_secondary_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans_Sec_Args, parameters: string, data: string) +{ + print fmt("smb1_transaction_secondary_request hdr: %s, args: %s, params: %s, data: %s", hdr, args, parameters, data); +} 
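Review bot: This test pins only a well-formed message: in the recorded baseline the `param_offset`/`param_count` and `data_offset`/`data_count` values are consistent with each other, so nothing exercises how `parameters` and `data` are produced when those fields disagree with the real message length. These fields come from untrusted traffic, so a second trace with inconsistent counts or offsets, with its own baseline, would cover the path that matters most for a parser. If that is left for later, a comment in the test would record the gap, for example `# Only a well-formed request is covered; inconsistent offsets/counts are not tested here.` The same single-trace pattern is used by smb1-transaction2-secondary-request.test and smb1-transaction-response.test later in this series.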
From 4807b7d8479ecaf7a4366af7f6dc112070a908c3 Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Thu, 18 Jan 2018 15:20:47 +0100 Subject: [PATCH 297/631] add test for smb1_com_transaction2_request event changes --- .../.stdout | 1 + .../Traces/smb/smb1_transaction2_request.pcap | Bin 0 -> 1568 bytes .../protocols/smb/smb1-transaction2-request.test | 12 ++++++++++++ 3 files changed, 13 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-request/.stdout create mode 100644 testing/btest/Traces/smb/smb1_transaction2_request.pcap create mode 100644 testing/btest/scripts/base/protocols/smb/smb1-transaction2-request.test diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-request/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-request/.stdout new file mode 100644 index 0000000000..a31a286d1f --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-request/.stdout @@ -0,0 +1 @@ +smb1_transaction2_request hdr: [command=50, status=0, flags=0, flags2=0, tid=47242, pid=1, uid=2017, mid=2], args: [total_param_count=13, total_data_count=0, max_param_count=0, max_data_count=0, max_setup_count=0, flags=0, trans_timeout=0, param_count=13, param_offset=69, data_count=0, data_offset=0, setup_count=1], sub_cmd: 5 
diff --git a/testing/btest/Traces/smb/smb1_transaction2_request.pcap b/testing/btest/Traces/smb/smb1_transaction2_request.pcap new file mode 100644 index 0000000000000000000000000000000000000000..564579597ee6b17ce0967c2b74641841c3a011d5 GIT binary patch literal 1568 zcmbVMUr19?9RAMT%r$2->CbwQE?BUjmX4ty7*?!WrEF~>=pLpd=tBigQ;2Gip+yh% z*h>}$>0pF{ln;hcphZu)2qLBEJs%25A=mGB&hBu#`CtcrhjY(8=eysZb8h)x!$e4Tv|*mrntAk54d?*!gBUtXyxBL#r6{83N(9^D@ssEMVUpS0b?L(8zPRr5ROOAW zbayCvfpQ=kZ4NYf&qM>kaV0|{EgWy-EQv{hzzAV0f-dRjagbfxB&Khp>} zk&`h*q2x7zZ^arcOhcd|$F0Uwjd0t=_BLW%>+vDND)>Sj`nYZL;Y?CEgB;GolnN)H zJJCm<djMQJSbJtT-LRbxfPX8bkZI!lesM+yEM0< zz}!Jvyv*hf@*fBAa$G8}DjQqG)>12$w Date: Thu, 18 Jan 2018 17:46:51 +0100 Subject: [PATCH 298/631] add test for smb1_com_transaction2_secondary_request event changes --- .../.stdout | 1 + .../smb/smb1_transaction2_secondary_request.pcap | Bin 0 -> 1789 bytes .../smb/smb1-transaction2-secondary-request.test | 12 ++++++++++++ 3 files changed, 13 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-secondary-request/.stdout create mode 100644 testing/btest/Traces/smb/smb1_transaction2_secondary_request.pcap create mode 100644 testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-secondary-request/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-secondary-request/.stdout new file mode 100644 index 0000000000..7be34af9ea --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction2-secondary-request/.stdout @@ -0,0 +1 @@ +smb1_transaction2_secondary_request hdr: [command=51, status=0, flags=0, flags2=0, tid=29550, pid=1, uid=25541, mid=2], args: [total_param_count=11, total_data_count=9, param_count=11, param_offset=54, param_displacement=9, data_count=9, data_offset=68, data_displacement=11, FID=65535], params: some_params, data: some_data 
diff --git a/testing/btest/Traces/smb/smb1_transaction2_secondary_request.pcap b/testing/btest/Traces/smb/smb1_transaction2_secondary_request.pcap new file mode 100644 index 0000000000000000000000000000000000000000..923b9e0bbc191ea370128dd25277070fd54d6e43 GIT binary patch literal 1789 zcmbVMT}V@57=F*$R<1St>1H?4ffh)_oO2imhF1QpoSoW2uthtyg$8PPH2cTASO#7s z-gp<*O$~O@kA#5|s3bukC3Kb9O<-LJg)$>Mz3=z!tnHk{?>Xl?&v~Ec`Q9x| zKN%Cj3VLW7fPfdVH__JUodT%Dn)3Cpsg=dlVv5!Rr~@daZ8clguf2Q-0;ZT=5GHjL zS(ISM21mJ$C{_4?lE2Tf7|K4xK$MBggg{8bWO`x9ZT*Owg=k4K`S~<}Xw}|RKZRfa zqaOj$mgFJ{29|k0POlx>5uVb->QshRqk$DiaY^uC3||8%(?Y?6-Bh_~$qiCZ1lSH@ zb69E$N?uR7kIA_UKdj4X5~4IAkPsClXRZ)Sh~}4zlF77#w?FT*!#%u7X+jxJhzzCp zuPCl$avGh(h-cd$wA8RW*@d@X3}Er07S>vNAi$~xVB>o~G)_%CzIykaFryVnP%+>h zJuox+G>qpV1Yz8GgjFF3&>mC2dlBvoqu$a@zvTvmi%Vu64k3M5HvKJmQ|E ze;7RDDCpS-JVO{ah_p(Ti%8}MC+*ZA3T+Nw=7~NOHoV>qvZAUDC+k8;v!%T=*43v< zevdb=w&Lud^#YUtL?SJLX5Z0BKtALKT$mWo>KxFIdnirbbtf#$yRv-mYysRnF1u25 zt0Ala>a#Qk(UiOpVD_8{7HUI)o!Q?KmI?gKC@qUjV!o-3G>aFDbcXP(koDnkT z)&MuBCFX=a{3NBxoOW)`dX>Q(j)LaAdci1E6RTcU8W+xriA%gT6Sw!g6WZ`yN|U&) z2`dw~-XQJ>ZeAmC?+>%jda`Zw=Zo8^=80=#oI>2v2EZcqPMdZ$3kziRpw4 w8~8K^iD3nGX$YO6-2rxRpdohr9mY!2@E=<3>WH7YsB|kGH2>@>rt~Pk0Ytv_Z~y=R literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test new file mode 100644 index 0000000000..48c7f8c197 --- /dev/null +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test 
@@ -0,0 +1,12 @@ +#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction2_secondary_request.pcap %INPUT +#@TEST-EXEC: btest-diff .stdout + +@load base/protocols/smb +@load policy/protocols/smb + +# Check that smb1_transaction2_secondary requests are parsed correctly + +event smb1_transaction2_secondary_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Sec_Args, parameters: string, data: string) +{ + print fmt("smb1_transaction2_secondary_request hdr: %s, args: %s, params: %s, data: %s", hdr, args, parameters, data); +} From 015eec8c71a0dc422a2e981d0d90a2d94b1600d1 Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Fri, 19 Jan 2018 17:06:37 +0100 Subject: [PATCH 299/631] add test for smb1_com_transaction_response event changes --- .../.stdout | 1 + .../Traces/smb/smb1_transaction_response.pcap | Bin 0 -> 1748 bytes .../protocols/smb/smb1-transaction-response.test | 12 ++++++++++++ 3 files changed, 13 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-response/.stdout create mode 100644 testing/btest/Traces/smb/smb1_transaction_response.pcap create mode 100644 testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-response/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-response/.stdout new file mode 100644 index 0000000000..f4d00733bf --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb1-transaction-response/.stdout @@ -0,0 +1 @@ +smb1_transaction_response hdr: [command=37, status=0, flags=128, flags2=0, tid=41669, pid=1, uid=17768, mid=2], params: some_params, data: some_data 
diff --git a/testing/btest/Traces/smb/smb1_transaction_response.pcap b/testing/btest/Traces/smb/smb1_transaction_response.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c28689b76cc478bb2051fdf4d40efdbc31d4ea94 GIT binary patch literal 1748 zcmbVNT}TvB6h1RM{tT;TKJ81}L?#lp>auJgMQgQfTe%JGhF}Xh{(zg=%8sQJ(V_$v z^kC$pLd;VEocoy%r*+>#YXaVZe^jN1TejcC*16t!GbZ7igo2v7oIB&M8d zQtCYQUMA-}emEzmO^9lLAqg>b#UeyEqWRSFOlCB|>Azi*;64sg*ic6NMGU3npD3nD8T-1P&Hi-oef4Y&E~|Vj%2^C_&jxa zZ3*uVS}#BaKs??Yj(AVT!|IVrz>0}cTVDieTti{=F6A#~-tDz`w}6XhRM+&o|g_bD*?KKA~=YK06R=>eos9_wVpN&8SnS_AVyixg^I}X*3Fq&Ty$-EUBj0azmcktzq_7EoBTKo`BDjhcwyQ|_1O6VcL`}+R);B8) VWhWfKDH&fF_PQcfe0Vn@_XoA~=Dh#_ literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test new file mode 100644 index 0000000000..ef00ed3772 --- /dev/null +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test @@ -0,0 +1,12 @@ +#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction_response.pcap %INPUT +#@TEST-EXEC: btest-diff .stdout + +@load base/protocols/smb +@load policy/protocols/smb + +# Check that smb1_transaction_response requests are parsed correctly + +event smb1_transaction_response(c: connection, hdr: SMB1::Header, parameters: string, data: string) +{ + print fmt("smb1_transaction_response hdr: %s, params: %s, data: %s", hdr, parameters, data); +} From f25a1453ee5859969df8f966017cdbf220afd459 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 19 Jan 2018 11:39:34 -0600 Subject: [PATCH 300/631] Remove TODO comments about using explicit bool operators --- CHANGES | 4 ++++ VERSION | 2 +- src/UID.h | 1 - src/analyzer/Tag.h | 3 --- src/file_analysis/Tag.h | 4 ---- 5 files changed, 5 insertions(+), 9 deletions(-) diff --git a/CHANGES b/CHANGES index e2dc9bc540..f78d03bf5f 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,8 @@ +2.5-392 | 2018-01-19 11:39:34 -0600 + + * Make nearly all bool conversion operators explicit. (Corelight) + 2.5-390 | 2018-01-17 16:09:55 -0600 * Logging: implement get_filter_names and small fixes. diff --git a/VERSION b/VERSION index 9921a5c610..4967f412ea 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-390 +2.5-392 diff --git a/src/UID.h b/src/UID.h index 3a32b843f0..367b67d56d 100644 --- a/src/UID.h +++ b/src/UID.h @@ -59,7 +59,6 @@ public: /** * @return false if the UID instance was created via the default ctor * and not yet initialized w/ Set(). - * TODO: this would be better as an "explicit" conversion operator (C++11) */ explicit operator bool() const { return initialized; } diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index 35dc3b2ac5..ad701a877f 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h @@ -42,9 +42,6 @@ public: /** * Returns false if the tag represents an error value rather than a * legal analyzer type. - * TODO: make this conversion operator "explicit" (C++11) or use a - * "safe bool" idiom (not necessary if "explicit" is available), - * otherwise this may allow nonsense/undesired comparison operations. */ explicit operator bool() const { return *this != Tag(); } diff --git a/src/file_analysis/Tag.h b/src/file_analysis/Tag.h index afa1a22ec0..33be048108 100644 --- a/src/file_analysis/Tag.h +++ b/src/file_analysis/Tag.h @@ -41,10 +41,6 @@ public: /** * Returns false if the tag represents an error value rather than a * legal analyzer type. - * TODO: make this conversion operator "explicit" (C++11) or use a - * "safe bool" idiom (not necessary if "explicit" is available), - * otherwise this may allow nonsense/undesired comparison operations. - * */ explicit operator bool() const { return *this != Tag(); } From 419e69f9e4ab675580d1f6471bb54217e53b0f83 Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Fri, 19 Jan 2018 15:17:32 -0800 Subject: [PATCH 301/631] Updating submodule(s). [nomail] --- aux/broctl | 2 +- aux/btest | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/broctl b/aux/broctl index a075a80639..5a12aac3e8 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit a075a80639b7d543b55cc31191965eb1364e3623 +Subproject commit 5a12aac3e83a9883c390c5e4cded99cc1108ac5d diff --git a/aux/btest b/aux/btest index b3a5742b6b..28196a00da 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit b3a5742b6b04acdd851dba4e08723a568c4aa755 +Subproject commit 28196a00da17847fbf4e6fd642b35d0daf653008 From fd91f58192eeb612d60fff832d6abef69633c264 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 26 Jan 2018 11:32:03 -0600 Subject: [PATCH 302/631] Updating submodule(s). [nomail] --- aux/bro-aux | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/bro-aux b/aux/bro-aux index 79c4bef8de..c88ccbeb59 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 79c4bef8de1555be42a1a08d91476d06b62a53fc +Subproject commit c88ccbeb5902554f231443552b9648cff8b3fa70 From 44175e099287de8ef829fee46f4e548dc93816b0 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 26 Jan 2018 15:46:05 -0600 Subject: [PATCH 303/631] BIT-1894: fix bad integer casts in BIFs: sort, rand, order, to_int --- CHANGES | 5 +++ VERSION | 2 +- src/bro.bif | 59 ++++++++++++++++++-------- testing/btest/Baseline/bifs.order/out | 2 + testing/btest/Baseline/bifs.sort/out | 2 + testing/btest/Baseline/bifs.to_int/out | 1 + testing/btest/bifs/order.bro | 6 +++ testing/btest/bifs/sort.bro | 5 +++ testing/btest/bifs/to_int.bro | 1 + 9 files changed, 64 insertions(+), 19 deletions(-) diff --git a/CHANGES b/CHANGES index f78d03bf5f..88f5eff206 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,9 @@ +2.5-395 | 2018-01-26 15:46:05 -0600 + + * BIT-1894: fix bad integer casts in BIFs: sort, rand, order, to_int + (Corelight) + 2.5-392 | 2018-01-19 11:39:34 -0600 * Make nearly all bool conversion operators explicit. (Corelight) diff --git a/VERSION b/VERSION index 4967f412ea..c55bb4d45c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-392 +2.5-395 diff --git a/src/bro.bif b/src/bro.bif index b6922f9fab..1c500d7e75 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -796,8 +796,7 @@ function sha256_hash_finish%(handle: opaque of sha256%): string ## provided by the OS. function rand%(max: count%): count %{ - int result; - result = bro_uint_t(double(max) * double(bro_random()) / (RAND_MAX + 1.0)); + auto result = bro_uint_t(double(max) * double(bro_random()) / (RAND_MAX + 1.0)); return new Val(result, TYPE_COUNT); %} 
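Review bot: The doc comment above `rand` does not mention that the result is scaled from a single `bro_random()` draw through `double`, which limits which values can come back for large `max`. Assuming `bro_random()` returns at most `RAND_MAX`, there are only `RAND_MAX + 1` distinct outcomes, so for larger `max` most values below it can never be produced, and above 2^53 the `double(max)` conversion also rounds. Now that the result is no longer truncated to `int`, scripts may start passing large bounds, so a line such as `## .. note:: For *max* above RAND_MAX + 1 not every value below *max* can be returned.` would help. The function body ends outside the hunk.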
@@ -1211,33 +1210,48 @@ bool sort_function(Val* a, Val* b) int int_result = result->CoerceToInt(); Unref(result); - sort_func_args.remove_nth(1); - sort_func_args.remove_nth(0); - return int_result < 0; } -bool indirect_sort_function(int a, int b) +bool indirect_sort_function(size_t a, size_t b) { return sort_function(index_map[a], index_map[b]); } -bool int_sort_function (Val* a, Val* b) +bool signed_sort_function (Val* a, Val* b) { if ( ! a ) return 0; if ( ! b ) return 1; - int ia = a->CoerceToInt(); - int ib = b->CoerceToInt(); + auto ia = a->CoerceToInt(); + auto ib = b->CoerceToInt(); return ia < ib; } -bool indirect_int_sort_function(int a, int b) +bool unsigned_sort_function (Val* a, Val* b) { - return int_sort_function(index_map[a], index_map[b]); + if ( ! a ) + return 0; + if ( ! b ) + return 1; + + auto ia = a->CoerceToUnsigned(); + auto ib = b->CoerceToUnsigned(); + + return ia < ib; + } + +bool indirect_signed_sort_function(size_t a, size_t b) + { + return signed_sort_function(index_map[a], index_map[b]); + } + +bool indirect_unsigned_sort_function(size_t a, size_t b) + { + return unsigned_sort_function(index_map[a], index_map[b]); } %%} @@ -1302,7 +1316,12 @@ function sort%(v: any, ...%) : any sort(vv.begin(), vv.end(), sort_function); } else - sort(vv.begin(), vv.end(), int_sort_function); + { + if ( elt_type->InternalType() == TYPE_INTERNAL_UNSIGNED ) + sort(vv.begin(), vv.end(), unsigned_sort_function); + else + sort(vv.begin(), vv.end(), signed_sort_function); + } return v; %} @@ -1351,13 +1370,13 @@ function order%(v: any, ...%) : index_vec builtin_error("comparison function required for order() with non-integral types"); vector& vv = *v->AsVector(); - int n = vv.size(); + auto n = vv.size(); // Set up initial mapping of indices directly to corresponding // elements. - vector ind_vv(n); + vector ind_vv(n); index_map = new Val*[n]; - int i; + size_t i; for ( i = 0; i < n; ++i ) { ind_vv[i] = i; 
@@ -1379,7 +1398,12 @@ function order%(v: any, ...%) : index_vec sort(ind_vv.begin(), ind_vv.end(), indirect_sort_function); } else - sort(ind_vv.begin(), ind_vv.end(), indirect_int_sort_function); + { + if ( elt_type->InternalType() == TYPE_INTERNAL_UNSIGNED ) + sort(ind_vv.begin(), ind_vv.end(), indirect_unsigned_sort_function); + else + sort(ind_vv.begin(), ind_vv.end(), indirect_signed_sort_function); + } delete [] index_map; index_map = 0; @@ -2131,8 +2155,7 @@ function to_int%(str: string%): int const char* s = str->CheckString(); char* end_s; - long l = strtol(s, &end_s, 10); - int i = int(l); + bro_int_t i = strtoll(s, &end_s, 10); #if 0 // Not clear we should complain. For example, is " 205 " diff --git a/testing/btest/Baseline/bifs.order/out b/testing/btest/Baseline/bifs.order/out index e77fbd310c..fd9ecd62c2 100644 --- a/testing/btest/Baseline/bifs.order/out +++ b/testing/btest/Baseline/bifs.order/out @@ -6,3 +6,5 @@ [1, 2, 0] [3.03, 3.01, 3.02, 3.015] [1, 3, 2, 0] +[2304, 1156, 13, 42, 4294967296] +[2, 3, 1, 0, 4] diff --git a/testing/btest/Baseline/bifs.sort/out b/testing/btest/Baseline/bifs.sort/out index fed75265b9..f46ccaff68 100644 --- a/testing/btest/Baseline/bifs.sort/out +++ b/testing/btest/Baseline/bifs.sort/out @@ -14,3 +14,5 @@ [10.0.0.157, 192.168.0.3, 192.168.123.200] [3.01, 3.015, 3.02, 3.03] [3.01, 3.015, 3.02, 3.03] +[2304, 1156, 11, 42, 4294967296] +[11, 42, 1156, 2304, 4294967296] diff --git a/testing/btest/Baseline/bifs.to_int/out b/testing/btest/Baseline/bifs.to_int/out index cde0c82987..e50334896d 100644 --- a/testing/btest/Baseline/bifs.to_int/out +++ b/testing/btest/Baseline/bifs.to_int/out @@ -1,3 +1,4 @@ 1 -1 +4294967296 0 diff --git a/testing/btest/bifs/order.bro b/testing/btest/bifs/order.bro index 9e59caa827..cb4b050686 100644 --- a/testing/btest/bifs/order.bro +++ b/testing/btest/bifs/order.bro 
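Review bot: The `strtoll` call added in `to_int` has no range check, so a digit string outside the 64-bit range comes back as the saturated limit value with no indication to the script. Strings handed to `to_int` may originate from parsed traffic, so the overflow should be reported: put `errno = 0;` ahead of the `strtoll` call and follow it with `if ( errno == ERANGE ) builtin_error("to_int: value out of range");`. The `#if 0` block that follows shows trailing garbage is deliberately not reported, so this would be the only diagnostic on the conversion. The body of `to_int` continues outside the hunk, and whether `<cerrno>` is already included in this file is not visible here.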
@@ -46,4 +46,10 @@ event bro_init() local d2 = order(c2, myfunc2); print c2; print d2; + + # Tests with large numbers + + local l1 = vector(2304, 1156, 13, 42, 4294967296); + print l1; + print order(l1); } diff --git a/testing/btest/bifs/sort.bro b/testing/btest/bifs/sort.bro index 7b4ac9ba63..2ddb44b8be 100644 --- a/testing/btest/bifs/sort.bro +++ b/testing/btest/bifs/sort.bro @@ -67,4 +67,9 @@ event bro_init() local d2 = sort(c2, myfunc2); print c2; print d2; + + # Testing large numbers + local l1 = vector(2304, 1156, 11, 42, 4294967296); + print l1; + print sort(l1); } diff --git a/testing/btest/bifs/to_int.bro b/testing/btest/bifs/to_int.bro index 0562209cd0..e65a555cc4 100644 --- a/testing/btest/bifs/to_int.bro +++ b/testing/btest/bifs/to_int.bro @@ -6,5 +6,6 @@ event bro_init() { print to_int("1"); print to_int("-1"); + print to_int("4294967296"); print to_int("not an int"); } From b0be6c90fe46e4d2d9cfafea9fe774ae9647077f Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 18 Jan 2018 12:32:56 -0800 Subject: [PATCH 304/631] Fix segmentation fault when parsing sets containing invalid elements. Currently the destructor would try to free unallocated memory. This could e.g. be triggered by the input framework reading a set with an invalid element. --- src/threading/formatters/Ascii.cc | 3 + .../.stderrwithoutfirstline | 8 +++ .../out | 14 ++++ .../base/frameworks/input/invalidset.bro | 65 +++++++++++++++++++ 4 files changed, 90 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.invalidset/.stderrwithoutfirstline create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.invalidset/out create mode 100644 testing/btest/scripts/base/frameworks/input/invalidset.bro diff --git a/src/threading/formatters/Ascii.cc b/src/threading/formatters/Ascii.cc index 80edd42a61..1398a89d9b 100644 --- a/src/threading/formatters/Ascii.cc +++ b/src/threading/formatters/Ascii.cc 
@@ -400,6 +400,9 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag for ( unsigned int i = 0; i < pos; i++ ) delete lvals[i]; + // and set the length of the set to 0, otherwhise the destructor will crash. + val->val.vector_val.size = 0; + goto parse_error; } diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.invalidset/.stderrwithoutfirstline b/testing/btest/Baseline/scripts.base.frameworks.input.invalidset/.stderrwithoutfirstline new file mode 100644 index 0000000000..69855535cf --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.invalidset/.stderrwithoutfirstline @@ -0,0 +1,8 @@ +warning: ../input.log/Input::READER_ASCII: Invalid value for subnet: 127.0.0.1 +warning: ../input.log/Input::READER_ASCII: Error while reading set or vector +warning: ../input.log/Input::READER_ASCII: Could not convert line 'name 127.0.0.1' to Val. Ignoring line. +warning: ../input.log/Input::READER_ASCII: Invalid value for subnet: 127.0.0.1 +warning: ../input.log/Input::READER_ASCII: Error while reading set or vector +warning: ../input.log/Input::READER_ASCII: Could not convert line 'name 127.0.0.1' to Val. Ignoring line. +received termination signal +>>> diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.invalidset/out b/testing/btest/Baseline/scripts.base.frameworks.input.invalidset/out new file mode 100644 index 0000000000..80359cc005 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.invalidset/out 
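Review bot: The added comment speaks of the set's length, but the assignment writes `val->val.vector_val.size`. The warning in the new baseline ("Error while reading set or vector") suggests this exit serves both types, so the reset presumably relies on the set and vector members of the value union sharing one layout. A comment stating that would keep the fix from being silently undone if the members ever diverge, for example `// set_val and vector_val share layout, so this zeroes the length for sets too; otherwise the destructor frees elements already deleted above`, which also fixes the "otherwhise" typo. The loop deletes the parsed elements only; whether the `lvals` array itself is released on this path is not visible in the hunk. `ParseValue` starts and ends outside it.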
@@ -0,0 +1,14 @@ +TableErrorEvent, Invalid value for subnet: 127.0.0.1, Reporter::WARNING +TableErrorEvent, Error while reading set or vector, Reporter::WARNING +TableErrorEvent, Could not convert line 'name\x09127.0.0.1' to Val. Ignoring line., Reporter::WARNING +Event, [s={ + +}] +EventErrorEvent, Invalid value for subnet: 127.0.0.1, Reporter::WARNING +EventErrorEvent, Error while reading set or vector, Reporter::WARNING +EventErrorEvent, Could not convert line 'name\x09127.0.0.1' to Val. Ignoring line., Reporter::WARNING +{ +[name] = [s={ + +}] +} diff --git a/testing/btest/scripts/base/frameworks/input/invalidset.bro b/testing/btest/scripts/base/frameworks/input/invalidset.bro new file mode 100644 index 0000000000..932060424e --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/invalidset.bro 
@@ -0,0 +1,65 @@ +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait 10 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff out +# @TEST-EXEC: sed 1d .stderr > .stderrwithoutfirstline +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderrwithoutfirstline + +@TEST-START-FILE input.log +#separator \x09 +#fields i s +name - +name 127.0.0.1 +@TEST-END-FILE + +redef exit_only_after_terminate = T; +redef InputAscii::fail_on_invalid_lines = T; + +global outfile: file; + +module A; + +type Idx: record { + i: string; +}; + +type Val: record { + s: set[subnet]; +}; + +global endcount: count = 0; + +global servers: table[string] of Val = table(); + +event handle_our_errors(desc: Input::TableDescription, msg: string, level: Reporter::Level) + { + print outfile, "TableErrorEvent", msg, level; + } + +event handle_our_errors_event(desc: Input::EventDescription, msg: string, level: Reporter::Level) + { + print outfile, "EventErrorEvent", msg, level; + } + +event line(description: Input::EventDescription, tpe: Input::Event, v: Val) + { + print outfile, "Event", v; + } + +event bro_init() + { + outfile = open("../out"); + # first read in the old stuff into the table... + Input::add_table([$source="../input.log", $name="ssh", $error_ev=handle_our_errors, $idx=Idx, $val=Val, $destination=servers]); + Input::add_event([$source="../input.log", $name="sshevent", $error_ev=handle_our_errors_event, $fields=Val, $want_record=T, $ev=line]); + } + +event Input::end_of_data(name: string, source:string) + { + ++endcount; + + if ( endcount == 2 ) + { + print outfile, servers; + terminate(); + } + } From 01005e99af7d7a42eb8941d81d33ddeecddadaf2 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Thu, 18 Jan 2018 15:17:02 -0800 Subject: [PATCH 305/631] Fix small bug in config reader. The configure reader had a small bug that caused the tracking of changed variables to be incorrect after the second update. This resulted in change-events for unchanged variables. --- src/input/readers/config/Config.cc | 2 +- .../bro.config.log | 39 ++++++++++--------- .../base/frameworks/config/updates.bro | 35 ++++++++++++++++- 3 files changed, 55 insertions(+), 21 deletions(-) diff --git a/src/input/readers/config/Config.cc b/src/input/readers/config/Config.cc index d3f0d9e0a5..7b0a418b67 100644 --- a/src/input/readers/config/Config.cc +++ b/src/input/readers/config/Config.cc @@ -234,6 +234,7 @@ bool Config::DoUpdate() // we only send the event if the underlying value has changed. Let's check that. // (Yes, this means we keep all configuration options in memory twice - once here in // the reader and once in memory in Bro; that is difficult to change. + unseen_options.erase(key); auto search = option_values.find(key); if ( search != option_values.end() && search->second == value ) { @@ -242,7 +243,6 @@ bool Config::DoUpdate() } option_values[key] = value; - unseen_options.erase(key); { Value** fields = new Value*[2]; diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.updates/bro.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.updates/bro.config.log index 2e4f75b903..1365648515 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.config.updates/bro.config.log +++ b/testing/btest/Baseline/scripts.base.frameworks.config.updates/bro.config.log 
@@ -3,24 +3,25 @@ #empty_field (empty) #unset_field - #path config -#open 2017-10-11-21-00-06 +#open 2018-01-18-23-16-41 #fields ts id old_value new_value location #types time string string string string -1507755606.563360 testbool T F ../configfile -1507755606.563360 testcount 0 1 ../configfile -1507755606.563360 testcount 1 2 ../configfile -1507755606.563360 testint 0 -1 ../configfile -1507755606.563360 testenum SSH::LOG Conn::LOG ../configfile -1507755606.563360 testport 42/tcp 45/unknown ../configfile -1507755606.563360 testaddr 127.0.0.1 127.0.0.1 ../configfile -1507755606.563360 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile -1507755606.563360 testinterval 1.0 sec 60.0 ../configfile -1507755606.563360 testtime 0.0 1507321987.0 ../configfile -1507755606.563360 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile -1507755606.563360 test_vector (empty) 1,2,3,4,5,6 ../configfile -1507755609.793956 testcount 2 1 ../configfile -1507755609.793956 testcount 1 2 ../configfile -1507755609.793956 testaddr 2607:f8b0:4005:801::200e 127.0.0.1 ../configfile -1507755609.793956 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile -1507755609.793956 test_vector 1,2,3,4,5,6 1,2,3,4,5,9 ../configfile -#close 2017-10-11-21-00-09 +1516317401.889929 testbool T F ../configfile +1516317401.889929 testcount 0 1 ../configfile +1516317401.889929 testcount 1 2 ../configfile +1516317401.889929 testint 0 -1 ../configfile +1516317401.889929 testenum SSH::LOG Conn::LOG ../configfile +1516317401.889929 testport 42/tcp 45/unknown ../configfile +1516317401.889929 testaddr 127.0.0.1 127.0.0.1 ../configfile +1516317401.889929 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile +1516317401.889929 testinterval 1.0 sec 60.0 ../configfile +1516317401.889929 testtime 0.0 1507321987.0 ../configfile +1516317401.889929 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile +1516317401.889929 test_vector (empty) 1,2,3,4,5,6 ../configfile +1516317405.093522 testcount 2 1 
../configfile +1516317405.093522 testcount 1 2 ../configfile +1516317405.093522 testaddr 2607:f8b0:4005:801::200e 127.0.0.1 ../configfile +1516317405.093522 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile +1516317405.093522 test_vector 1,2,3,4,5,6 1,2,3,4,5,9 ../configfile +1516317409.199572 test_vector 1,2,3,4,5,9 1,2,3,4,5,9 ../configfile +#close 2018-01-18-23-16-49 diff --git a/testing/btest/scripts/base/frameworks/config/updates.bro b/testing/btest/scripts/base/frameworks/config/updates.bro index 7e42162190..088157b079 100644 --- a/testing/btest/scripts/base/frameworks/config/updates.bro +++ b/testing/btest/scripts/base/frameworks/config/updates.bro @@ -2,6 +2,12 @@ # @TEST-EXEC: sleep 2 # @TEST-EXEC: mv configfile2 configfile # @TEST-EXEC: touch configfile +# @TEST-EXEC: sleep 2 +# @TEST-EXEC: mv configfile3 configfile +# @TEST-EXEC: touch configfile +# @TEST-EXEC: sleep 2 +# @TEST-EXEC: mv configfile4 configfile +# @TEST-EXEC: touch configfile # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff bro/config.log @@ -44,6 +50,33 @@ test_set a,b,c,d,erdbeerschnitzel test_vector 1,2,3,4,5,9 @TEST-END-FILE +@TEST-START-FILE configfile3 +testbool F +testcount 2 +testcount 2 +testcount 2 +testint -1 +testenum Conn::LOG +testport 45 +testinterval 60 +testtime 1507321987 +test_set a,b,c,d,erdbeerschnitzel +@TEST-END-FILE + +@TEST-START-FILE configfile4 +testbool F +testcount 2 +testcount 2 +testcount 2 +testint -1 +testenum Conn::LOG +testport 45 +testinterval 60 +testtime 1507321987 +test_set a,b,c,d,erdbeerschnitzel +test_vector 1,2,3,4,5,9 +@TEST-END-FILE + @load base/protocols/ssh @load base/protocols/conn @@ -71,6 +104,6 @@ event Input::end_of_data(name: string, source:string) eolcount += 1; - if ( eolcount == 2 ) + if ( eolcount == 4 ) terminate(); } From 196994a48d869429e1a84e1b9d9593be3c4efae8 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Mon, 29 Jan 2018 10:21:25 -0800 Subject: [PATCH 306/631] Allow the empty field separator to be empty; use in config framework. This small change allows the empty field separator to be empty. This means that we can represent an empty list by a empty input string, which was not possible before. Before, an empty empty field separator meant that there is no empty field - to get back to this behavior one now has to set the empty field separator to a string that is guaranteed to not be part of the input data. Note that we did not use "empty" empty field separators anywhere and I am not aware of this being used by anyone - the new behavior seems like it is much more useful in practice. This also changes the config framework to interpret empty lists as... empty, instead of interpreting them as lists that have one zero-length element; this seems like the saner default. --- scripts/base/frameworks/input/readers/config.bro | 4 +++- src/threading/formatters/Ascii.cc | 3 +++ testing/btest/scripts/base/frameworks/config/basic.bro | 2 +- testing/btest/scripts/base/frameworks/config/read_config.bro | 1 + 4 files changed, 8 insertions(+), 2 deletions(-) diff --git a/scripts/base/frameworks/input/readers/config.bro b/scripts/base/frameworks/input/readers/config.bro index f97323d4a5..166228e81f 100644 --- a/scripts/base/frameworks/input/readers/config.bro +++ b/scripts/base/frameworks/input/readers/config.bro @@ -8,7 +8,9 @@ export { const set_separator = Input::set_separator &redef; ## String to use for empty fields. - const empty_field = Input::empty_field &redef; + ## By default this is the empty string, meaning that an empty input field + ## will result in an empty set. + const empty_field = "" &redef; ## Fail on file read problems. If set to true, the config ## input reader will fail when encountering any problems diff --git a/src/threading/formatters/Ascii.cc b/src/threading/formatters/Ascii.cc index 1398a89d9b..e96290e793 100644 
--- a/src/threading/formatters/Ascii.cc +++ b/src/threading/formatters/Ascii.cc @@ -329,6 +329,9 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag if ( separators.empty_field.size() > 0 && s.compare(separators.empty_field) == 0 ) length = 0; + if ( separators.empty_field.empty() && s.empty() ) + length = 0; + threading::Value** lvals = new threading::Value* [length]; if ( type == TYPE_TABLE ) diff --git a/testing/btest/scripts/base/frameworks/config/basic.bro b/testing/btest/scripts/base/frameworks/config/basic.bro index 19a1ecc64a..3b72f6572d 100644 --- a/testing/btest/scripts/base/frameworks/config/basic.bro +++ b/testing/btest/scripts/base/frameworks/config/basic.bro @@ -22,7 +22,7 @@ testinterval 60 testtime 1507321987 test_set a,b,c,d,erdbeerschnitzel test_vector 1,2,3,4,5,6 -test_set (empty) +test_set test_set - @TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/config/read_config.bro b/testing/btest/scripts/base/frameworks/config/read_config.bro index 847bab6f8a..753186beab 100644 --- a/testing/btest/scripts/base/frameworks/config/read_config.bro +++ b/testing/btest/scripts/base/frameworks/config/read_config.bro @@ -6,6 +6,7 @@ @load base/protocols/conn redef exit_only_after_terminate = T; +redef InputConfig::empty_field = "(empty)"; @TEST-START-FILE configfile testbool F From eb32a44da5187bb09ac6e4e11b8cadd579758030 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 29 Jan 2018 14:43:39 -0800 Subject: [PATCH 307/631] Use port_mgr->Get() in the input framework config changes. --- src/input/Manager.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/input/Manager.cc b/src/input/Manager.cc index 2bac2c1862..eb2b1af88d 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc 
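Review bot: The added `separators.empty_field.empty() && s.empty()` test and the existing `separators.empty_field.size() > 0 && s.compare(separators.empty_field) == 0` test in Ascii::ParseValue together mean exactly "s equals the empty-field marker". The two `if`s can therefore be one: `if ( s == separators.empty_field ) length = 0;`. That removes a pair of conditions that would otherwise have to be kept in sync. The set/vector branch starts and ends outside the hunk, so how `length` is computed before this point is not visible here.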
@@ -2437,7 +2437,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, bool& have_error) co } case TYPE_PORT: - return new PortVal(val->val.port_val.port, val->val.port_val.proto); + return port_mgr->Get(val->val.port_val.port, val->val.port_val.proto); case TYPE_ADDR: { From c2af3daa9fa21ccc7335fa81729c305acf6e3b39 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 31 Jan 2018 21:09:12 -0600 Subject: [PATCH 308/631] BIT-1854: fix the 'tcp_excessive_data_without_further_acks' option This previously checked against the amount of out-of-sequence data being buffered by the reassembler. It now checks against the total size of all blocks being buffered in the reassembler, which, by nature of still being buffered there, means it's not been acked yet. --- src/Reassem.cc | 33 +++++++++++--------- src/Reassem.h | 14 +++++++-- src/analyzer/protocol/tcp/TCP_Reassembler.cc | 2 +- 3 files changed, 31 insertions(+), 18 deletions(-) diff --git a/src/Reassem.cc b/src/Reassem.cc index 14d894be4f..614805ae24 100644 --- a/src/Reassem.cc +++ b/src/Reassem.cc @@ -10,10 +10,11 @@ static const bool DEBUG_reassem = false; -DataBlock::DataBlock(const u_char* data, uint64 size, uint64 arg_seq, - DataBlock* arg_prev, DataBlock* arg_next, - ReassemblerType reassem_type) +DataBlock::DataBlock(DataBlockListInfo* list_info, const u_char* data, + uint64 size, uint64 arg_seq, DataBlock* arg_prev, + DataBlock* arg_next, ReassemblerType reassem_type) { + info = list_info; seq = arg_seq; upper = seq + size; block = new u_char[size]; 
@@ -31,18 +32,19 @@ DataBlock::DataBlock(const u_char* data, uint64 size, uint64 arg_seq, rtype = reassem_type; Reassembler::sizes[rtype] += pad_size(size) + padded_sizeof(DataBlock); Reassembler::total_size += pad_size(size) + padded_sizeof(DataBlock); + info->totalSize += size; } uint64 Reassembler::total_size = 0; uint64 Reassembler::sizes[REASSEM_NUM]; Reassembler::Reassembler(uint64 init_seq, ReassemblerType reassem_type) + : block_list_info(), + blocks(), last_block(), old_blocks(), last_old_block(), + last_reassem_seq(init_seq), trim_seq(init_seq), + max_old_blocks(0), total_old_blocks(0), + rtype(reassem_type) { - blocks = last_block = 0; - old_blocks = last_old_block = 0; - total_old_blocks = max_old_blocks = 0; - trim_seq = last_reassem_seq = init_seq; - rtype = reassem_type; } Reassembler::~Reassembler() @@ -116,7 +118,7 @@ void Reassembler::NewBlock(double t, uint64 seq, uint64 len, const u_char* data) if ( ! blocks ) blocks = last_block = start_block = - new DataBlock(data, len, seq, 0, 0, rtype); + new DataBlock(&block_list_info, data, len, seq, 0, 0, rtype); else start_block = AddAndCheck(blocks, seq, upper_seq, data); @@ -280,8 +282,8 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, uint64 seq, uint64 upper, // Special check for the common case of appending to the end. if ( last_block && seq == last_block->upper ) { - last_block = new DataBlock(data, upper - seq, seq, - last_block, 0, rtype); + last_block = new DataBlock(&block_list_info, data, upper - seq, + seq, last_block, 0, rtype); return last_block; } @@ -294,7 +296,8 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, uint64 seq, uint64 upper, { // b is the last block, and it comes completely before // the new block. - last_block = new DataBlock(data, upper - seq, seq, b, 0, rtype); + last_block = new DataBlock(&block_list_info, data, upper - seq, + seq, b, 0, rtype); return last_block; } 
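Review bot: `info->totalSize += size;` in the DataBlock constructor is undone by `info->totalSize -= Size();` in the destructor (Reassem.h hunk), so the counter is correct only under two conditions that the code does not state. A block's `seq`/`upper` must never change after construction, and every block must be destroyed before the `DataBlockListInfo` it points to. The raw `info` pointer is also dereferenced without a check in both places. At minimum the member should be documented, e.g. `DataBlockListInfo* info; // non-owning, never null; must outlive this block`. Because the subtraction happens only on destruction, blocks that are kept alive on the `old_blocks` list would presumably still be counted as buffered. That is worth confirming against TrimToSeq, which is outside these hunks, since the counter now drives the excessive-data check.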
@@ -303,7 +306,8 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, uint64 seq, uint64 upper, if ( upper <= b->seq ) { // The new block comes completely before b. - new_b = new DataBlock(data, upper - seq, seq, b->prev, b, rtype); + new_b = new DataBlock(&block_list_info, data, upper - seq, seq, + b->prev, b, rtype); if ( b == blocks ) blocks = new_b; return new_b; @@ -314,7 +318,8 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, uint64 seq, uint64 upper, { // The new block has a prefix that comes before b. uint64 prefix_len = b->seq - seq; - new_b = new DataBlock(data, prefix_len, seq, b->prev, b, rtype); + new_b = new DataBlock(&block_list_info, data, prefix_len, seq, + b->prev, b, rtype); if ( b == blocks ) blocks = new_b; diff --git a/src/Reassem.h b/src/Reassem.h index 1672a4f9dd..993969c08a 100644 --- a/src/Reassem.h +++ b/src/Reassem.h @@ -18,11 +18,16 @@ enum ReassemblerType { REASSEM_NUM, }; +struct DataBlockListInfo { + uint64 totalSize; +}; + class DataBlock { public: - DataBlock(const u_char* data, uint64 size, uint64 seq, - DataBlock* prev, DataBlock* next, - ReassemblerType reassem_type = REASSEM_UNKNOWN); + DataBlock(DataBlockListInfo* list_info, const u_char* data, + uint64 size, uint64 seq, + DataBlock* prev, DataBlock* next, + ReassemblerType reassem_type = REASSEM_UNKNOWN); ~DataBlock(); @@ -33,6 +38,7 @@ public: uint64 seq, upper; u_char* block; ReassemblerType rtype; + DataBlockListInfo* info; }; class Reassembler : public BroObj { @@ -86,6 +92,7 @@ protected: void CheckOverlap(DataBlock *head, DataBlock *tail, uint64 seq, uint64 len, const u_char* data); + DataBlockListInfo block_list_info; DataBlock* blocks; DataBlock* last_block; @@ -105,6 +112,7 @@ protected: inline DataBlock::~DataBlock() { + info->totalSize -= Size(); Reassembler::total_size -= pad_size(upper - seq) + padded_sizeof(DataBlock); Reassembler::sizes[rtype] -= pad_size(upper - seq) + padded_sizeof(DataBlock); delete [] block; 
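Review bot: `struct DataBlockListInfo { uint64 totalSize; };` in Reassem.h leaves the counter without an initializer of its own. It is zero only because the Reassembler constructor happens to value-initialize it with `block_list_info()`. Any other place that creates a `DataBlockListInfo` would start from an indeterminate value and feed it into the size comparison. A default member initializer makes the struct safe on its own: `uint64 totalSize = 0;`.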
diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc index bcbe20d499..f19ace2c39 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc @@ -501,7 +501,7 @@ int TCP_Reassembler::DataSent(double t, uint64 seq, int len, } if ( tcp_excessive_data_without_further_acks && - NumUndeliveredBytes() > static_cast(tcp_excessive_data_without_further_acks) ) + block_list_info.totalSize > static_cast(tcp_excessive_data_without_further_acks) ) { tcp_analyzer->Weird("excessive_data_without_further_acks"); ClearBlocks(); From 343dbf4100c96b283acd0e14b2c84a796a749801 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 31 Jan 2018 21:10:20 -0600 Subject: [PATCH 309/631] BIT-1854: improve reassembly overlap checking It now skips looping over buffered blocks in the common case where the new block is at the end and so can't possibly overlap anything. --- src/Reassem.cc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/Reassem.cc b/src/Reassem.cc index 614805ae24..432c0f6e5e 100644 --- a/src/Reassem.cc +++ b/src/Reassem.cc @@ -59,6 +59,10 @@ void Reassembler::CheckOverlap(DataBlock *head, DataBlock *tail, if ( ! head || ! tail ) return; + if ( seq == tail->upper ) + // Special case check for common case of appending to the end. + return; + uint64 upper = (seq + len); for ( DataBlock* b = head; b; b = b->next ) From 5de87ce660825883e7dc45707eba8d28d0863323 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 1 Feb 2018 14:44:20 -0600 Subject: [PATCH 310/631] Remove bro-plugins submodule from .gitmodules file --- .gitmodules | 3 --- 1 file changed, 3 deletions(-) diff --git a/.gitmodules b/.gitmodules index efd027e86b..738888bf85 100644 --- a/.gitmodules +++ b/.gitmodules 
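Review bot: The new comparison in TCP_Reassembler::DataSent bounds `block_list_info.totalSize`, which counts payload bytes only (`info->totalSize += size;`). The memory each block actually costs is `pad_size(size) + padded_sizeof(DataBlock)`, as the neighbouring `Reassembler::total_size` bookkeeping shows. `tcp_excessive_data_without_further_acks` therefore limits buffered data, not buffered memory, and with many small blocks the real footprint can be well above the configured value. Either the option's documentation should say that it is a payload limit, or the check should use a padded per-list total. DataSent's body continues outside the hunk.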
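Review bot: The early `return` added to Reassembler::CheckOverlap for `seq == tail->upper` is safe only if `tail` is the block with the highest `upper` in a list sorted by sequence number. The comment should state that invariant, because a caller passing some other `tail` would silently skip the overlap check. Suggested wording: `// New data starts exactly where the last (highest) block ends; in a sorted list nothing can overlap it.` The loop that the shortcut bypasses continues outside the hunk.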
@@ -19,9 +19,6 @@ [submodule "src/3rdparty"] path = src/3rdparty url = git://git.bro.org/bro-3rdparty -[submodule "aux/plugins"] - path = aux/plugins - url = git://git.bro.org/bro-plugins [submodule "aux/broker"] path = aux/broker url = git://git.bro.org/broker From c2f35920fd1a045c893713557b2838fd38471c4d Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Fri, 2 Feb 2018 10:14:15 -0500 Subject: [PATCH 311/631] First step of DHCP analyzer rearchitecture. Old event prototypes have changed and the events are broken right now and may be removed in favor of the new generic "dhcp_message" event. DHCP option parsing is abstracted from the main code base of the protocol parser and are all now located in their own file. Documentation, tests, and final code cleanup are still pending. --- scripts/base/init-bare.bro | 48 +- scripts/base/protocols/dhcp/consts.bro | 26 +- scripts/base/protocols/dhcp/main.bro | 113 ++--- src/NetVar.cc | 6 - src/NetVar.h | 3 - src/analyzer/protocol/dhcp/CMakeLists.txt | 2 +- src/analyzer/protocol/dhcp/DHCP.cc | 11 +- src/analyzer/protocol/dhcp/DHCP.h | 8 +- src/analyzer/protocol/dhcp/dhcp-analyzer.pac | 493 +++++++------------ src/analyzer/protocol/dhcp/dhcp-options.pac | 327 ++++++++++++ src/analyzer/protocol/dhcp/dhcp-protocol.pac | 145 +++--- src/analyzer/protocol/dhcp/dhcp.pac | 10 + src/analyzer/protocol/dhcp/events.bif | 19 +- src/analyzer/protocol/dhcp/types.bif | 15 +- 14 files changed, 728 insertions(+), 498 deletions(-) create mode 100644 src/analyzer/protocol/dhcp/dhcp-options.pac diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index a7047d4cfc..9ea7a4ce00 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -3064,11 +3064,12 @@ export { ## A list of router addresses offered by a DHCP server. ## ## .. bro:see:: dhcp_ack dhcp_offer - type DHCP::dhcp_router_list: table[count] of addr; + type DHCP::RouterList: table[count] of addr; + ## A DHCP message. ## .. bro:see:: dhcp_ack dhcp_decline dhcp_discover dhcp_inform dhcp_nak ## dhcp_offer dhcp_release dhcp_request - type DHCP::dhcp_msg: record { + type DHCP::Msg: record { op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY m_type: count; ##< The type of DHCP message. xid: count; ##< Transaction ID of a DHCP session. 
@@ -3076,22 +3077,55 @@ export { ciaddr: addr; ##< Original IP address of the client. yiaddr: addr; ##< IP address assigned to the client. }; - ## DHCP Paremeter Reuqest list (Option 55) + + ## DHCP Parameter Request list (Option 55) ## .. bro:see:: dhcp_request dhcp_discover - type DHCP::dhcp_params_list: table[count] of count; + type DHCP::ParamsList: table[count] of count; + ## DHCP Relay Agent Information Option (Option 82) ## .. bro:see:: dhcp_ack - type DHCP::dhcp_sub_opt: record { + type DHCP::SubOpt: record { code: count; value: string; }; + ## DHCP Client Identifier (Option 61) ## .. bro:see:: dhcp_request dhcp_discover - type DHCP::dhcp_client_id: record { + type DHCP::ClientID: record { hwtype: count; hwaddr: string; }; - type DHCP::dhcp_sub_opt_list: table[count] of DHCP::dhcp_sub_opt; + + type DHCP::SubOptList: table[count] of DHCP::SubOpt; + + type DHCP::Options: record { + subnet_mask: addr &optional; + + host_name: string &optional; + + req_addr: addr &optional; + + router_list: DHCP::RouterList &optional; + + lease: interval &optional; + + serv_addr: addr &optional; + + ## DHCP Parameter Request list (Option 55) + param_list: DHCP::ParamsList &optional; + + ren_time: interval &optional; + + reb_time: interval &optional; + + ## DHCP Client Identifier (Option 61) + client_id: DHCP::ClientID &optional; + + ## DHCP Relay Agent Information Option (Option 82) + sub_opt: DHCP::SubOptList &optional; + }; + + } module GLOBAL; diff --git a/scripts/base/protocols/dhcp/consts.bro b/scripts/base/protocols/dhcp/consts.bro index 5afdfc9415..1ca47ac36f 100644 --- a/scripts/base/protocols/dhcp/consts.bro +++ b/scripts/base/protocols/dhcp/consts.bro 
@@ -7,14 +7,24 @@ export { ## Types of DHCP messages. See :rfc:`1533`. const message_types = { - [1] = "DHCP_DISCOVER", - [2] = "DHCP_OFFER", - [3] = "DHCP_REQUEST", - [4] = "DHCP_DECLINE", - [5] = "DHCP_ACK", - [6] = "DHCP_NAK", - [7] = "DHCP_RELEASE", - [8] = "DHCP_INFORM", + [1] = "DHCP_DISCOVER", + [2] = "DHCP_OFFER", + [3] = "DHCP_REQUEST", + [4] = "DHCP_DECLINE", + [5] = "DHCP_ACK", + [6] = "DHCP_NAK", + [7] = "DHCP_RELEASE", + [8] = "DHCP_INFORM", + [9] = "DHCP_FORCERENEW", + [10] = "DHCP_LEASEQUERY", + [11] = "DHCP_LEASEUNASSIGNED", + [12] = "DHCP_DHCPLEASEUNKNOWN", + [13] = "DHCP_LEASEACTIVE", + [14] = "DHCP_BULKLEASEQUERY", + [15] = "DHCP_LEASEQUERYDONE", + [16] = "DHCP_ACTIVELEASEQUERY", + [17] = "DHCP_LEASEQUERYSTATUS", + [18] = "DHCP_TLS", } &default = function(n: count): string { return fmt("unknown-message-type-%d", n); }; } diff --git a/scripts/base/protocols/dhcp/main.bro b/scripts/base/protocols/dhcp/main.bro index 92b61697fe..0b45d69a4b 100644 --- a/scripts/base/protocols/dhcp/main.bro +++ b/scripts/base/protocols/dhcp/main.bro 
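Review bot: The new entry `[12] = "DHCP_DHCPLEASEUNKNOWN"` in `message_types` repeats the `DHCP` prefix, while every other entry uses the `DHCP_<NAME>` form (`DHCP_LEASEUNASSIGNED`, `DHCP_LEASEACTIVE`). It should read `[12] = "DHCP_LEASEUNKNOWN",`, otherwise log consumers that match on the name have one odd value to special-case. The table's doc comment still points only at :rfc:`1533`, which as far as I know does not define types 9–18, so it should also reference the RFCs that add them.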
@@ -59,91 +59,60 @@ redef record connection += { const ports = { 67/udp, 68/udp }; redef likely_server_ports += { 67/udp }; -global info: Info; - event bro_init() &priority=5 { Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp"]); Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports); } -event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string, reb_time: count, ren_time: count, sub_opt: dhcp_sub_opt_list) &priority=5 +event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=-5 { - #local info: Info; - info$ts = network_time(); - info$id = c$id; - info$uid = c$uid; - info$lease_time = lease; - info$trans_id = msg$xid; - info$msg_type = message_types[msg$m_type]; + if ( msg$m_type == 5 ) # DHCP_ACK + { + local info = Info($ts = network_time(), + $id = c$id, + $uid = c$uid, + $trans_id = msg$xid); - info$server_id = serv_addr; - info$host_name = host_name; + if ( msg$h_addr != "" ) + info$mac = msg$h_addr; - if ( msg$h_addr != "" ) - info$mac = msg$h_addr; + if ( reverse_ip(msg$yiaddr) != 0.0.0.0 ) + info$assigned_ip = reverse_ip(msg$yiaddr); + else + info$assigned_ip = c$id$orig_h; - if ( reverse_ip(msg$yiaddr) != 0.0.0.0 ) - info$assigned_ip = reverse_ip(msg$yiaddr); - else - info$assigned_ip = c$id$orig_h; + if ( options?$lease ) + info$lease_time = options$lease; - for (param in sub_opt) - { - #if ( sub_opt[param]$code == 1 ) - #{ - #print fmt("Relay Agent Information:"); - #print fmt( "sub option: code=%d circuit id=%s",sub_opt[param]$code,sub_opt[param]$value ); - #} - if ( sub_opt[param]$code == 2 ) - info$agent_remote_id = bytestring_to_hexstr(sub_opt[param]$value); + if ( options?$sub_opt ) + { + for ( param in options$sub_opt ) + { + local sub_opt = options$sub_opt[param]; - if ( sub_opt[param]$code == 6 ) - info$subscriber_id = (sub_opt[param]$value); + #if ( sub_opt$code == 1 ) + # { + # print fmt("Relay Agent 
Information:"); + # print fmt( "sub option: code=%d circuit id=%s",sub_opt$code,sub_opt$value ); + # } + + if ( sub_opt$code == 2 ) + info$agent_remote_id = bytestring_to_hexstr(sub_opt$value); + + if ( sub_opt$code == 6 ) + info$subscriber_id = (sub_opt$value); + } + } + + c$dhcp = info; + } } - c$dhcp = info; - } - -event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string, reb_time: count, ren_time: count, sub_opt: dhcp_sub_opt_list) &priority=-5 +event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=-5 { - Log::write(DHCP::LOG, c$dhcp); + if ( msg$m_type == 5 ) # DHCP_ACK + { + Log::write(DHCP::LOG, c$dhcp); + } } - -event dhcp_request(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string, c_id: dhcp_client_id, req_params: table[count] of count) &priority=5 - { - info$ts = network_time(); - info$id = c$id; - info$uid = c$uid; - info$trans_id = msg$xid; - info$msg_type = message_types[msg$m_type]; - info$server_id = serv_addr; - info$host_name = host_name; - info$client_id = c_id$hwaddr; - - c$dhcp = info; - } - -event dhcp_request(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string, c_id: dhcp_client_id, req_params: table[count] of count) &priority=-5 - { - Log::write(DHCP::LOG, c$dhcp); - } - -event dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr, host_name: string, c_id: dhcp_client_id, req_params: table[count] of count) &priority=5 - { - info$ts = network_time(); - info$id = c$id; - info$uid = c$uid; - info$trans_id = msg$xid; - info$msg_type = message_types[msg$m_type]; - info$host_name = host_name; - info$client_id = c_id$hwaddr; - - c$dhcp = info; - } - -event dhcp_discover(c: connection, msg: dhcp_msg, req_addr: addr, host_name: string, c_id: dhcp_client_id, req_params: table[count] of count) &priority=-5 - { - Log::write(DHCP::LOG, c$dhcp); - } - 
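Review bot: Both new `dhcp_message` handlers are declared `&priority=-5`, so the handler that builds `info` and assigns `c$dhcp` is no longer guaranteed to run before the one that calls `Log::write(DHCP::LOG, c$dhcp)`. The `dhcp_ack` handlers they replace used `&priority=5` for the fill step and `-5` for the write. The first handler should end in `&priority=5`. The logging handler should also check that the field is set, `if ( msg$m_type == 5 && c?$dhcp )`, assuming `dhcp` is an optional field on `connection` (the record extension is outside the hunk). Separately, the new handler no longer sets `msg_type`, `server_id` or `host_name`, so those log columns are left unset unless that is part of the rework the description says is still pending.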
diff --git a/src/NetVar.cc b/src/NetVar.cc index 3f0967dbc4..93533b9627 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -110,9 +110,6 @@ RecordType* geo_location; RecordType* entropy_test_result; -TableType* dhcp_router_list; -RecordType* dhcp_msg; - RecordType* dns_msg; RecordType* dns_answer; RecordType* dns_soa; @@ -426,9 +423,6 @@ void init_net_var() entropy_test_result = internal_type("entropy_test_result")->AsRecordType(); - dhcp_router_list = internal_type("DHCP::dhcp_router_list")->AsTableType(); - dhcp_msg = internal_type("DHCP::dhcp_msg")->AsRecordType(); - dns_msg = internal_type("dns_msg")->AsRecordType(); dns_answer = internal_type("dns_answer")->AsRecordType(); dns_soa = internal_type("dns_soa")->AsRecordType(); diff --git a/src/NetVar.h b/src/NetVar.h index 2b8ebd69c2..023be18867 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -113,9 +113,6 @@ extern RecordType* geo_location; extern RecordType* entropy_test_result; -extern TableType* dhcp_router_list; -extern RecordType* dhcp_msg; - extern RecordType* dns_msg; extern RecordType* dns_answer; extern RecordType* dns_soa; diff --git a/src/analyzer/protocol/dhcp/CMakeLists.txt b/src/analyzer/protocol/dhcp/CMakeLists.txt index ece07e3a7e..6077adfeb6 100644 --- a/src/analyzer/protocol/dhcp/CMakeLists.txt +++ b/src/analyzer/protocol/dhcp/CMakeLists.txt @@ -7,5 +7,5 @@ bro_plugin_begin(Bro DHCP) bro_plugin_cc(DHCP.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_bif(types.bif) -bro_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac) +bro_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac dhcp-options.pac) bro_plugin_end() diff --git a/src/analyzer/protocol/dhcp/DHCP.cc b/src/analyzer/protocol/dhcp/DHCP.cc index 4ab77c09a4..11ecb91107 100644 --- a/src/analyzer/protocol/dhcp/DHCP.cc +++ b/src/analyzer/protocol/dhcp/DHCP.cc 
@@ -25,5 +25,14 @@ void DHCP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); - interp->NewData(orig, data, data + len); + + try + { + interp->NewData(orig, data, data + len); + } + catch ( const binpac::Exception& e ) + { + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); + } + } diff --git a/src/analyzer/protocol/dhcp/DHCP.h b/src/analyzer/protocol/dhcp/DHCP.h index f8f0449878..7d0f88724d 100644 --- a/src/analyzer/protocol/dhcp/DHCP.h +++ b/src/analyzer/protocol/dhcp/DHCP.h @@ -10,11 +10,11 @@ namespace analyzer { namespace dhcp { class DHCP_Analyzer : public analyzer::Analyzer { public: DHCP_Analyzer(Connection* conn); - virtual ~DHCP_Analyzer(); + ~DHCP_Analyzer() override; - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new DHCP_Analyzer(conn); } diff --git a/src/analyzer/protocol/dhcp/dhcp-analyzer.pac b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac index f9b195088e..6c43cb07e8 100644 --- a/src/analyzer/protocol/dhcp/dhcp-analyzer.pac +++ b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac 
@@ -1,284 +1,140 @@ -connection DHCP_Conn(bro_analyzer: BroAnalyzer) { - upflow = DHCP_Flow(true); - downflow = DHCP_Flow(false); -}; - -flow DHCP_Flow(is_orig: bool) { - datagram = DHCP_Message withcontext(connection, this); +refine flow DHCP_Flow += { %member{ - BroVal dhcp_msg_val_; - uint8 sum_len; + RecordVal *dhcp_msg_val; + RecordVal *options; %} %init{ - dhcp_msg_val_ = 0; - sum_len = 0; + dhcp_msg_val = 0; + options = 0; %} %cleanup{ - Unref(dhcp_msg_val_); - dhcp_msg_val_ = 0; - sum_len = 0; + Unref(dhcp_msg_val); + dhcp_msg_val = 0; + + Unref(options); + options = 0; %} - function get_dhcp_sumlen(len: uint8): uint8 + function parse_request(options: Option[], type: uint8): bool %{ - sum_len = len + sum_len; - return sum_len; - %} - - function get_dhcp_msgtype(options: DHCP_Option[]): uint8 - %{ - vector::const_iterator ptr; - uint8 type = 0; - - // Leave the for loop if the message type is found. - bool parsed = false; - - for ( ptr = options->begin(); - ptr != options->end() && ! (*ptr)->last(); ++ptr ) - { - // We use a switch for future expandability. - switch ( (*ptr)->code() ) { - case MSG_TYPE_OPTION: - type = (*ptr)->info()->msg_type(); - parsed = true; - break; - } - - if ( parsed ) - break; - } - - if ( type == 0 ) - connection()->bro_analyzer()->ProtocolViolation("no DHCP message type option"); - - return type; - %} - - function parse_request(options: DHCP_Option[], type: uint8): bool - %{ - vector::const_iterator ptr; - - // Requested IP address to the server. - ::uint32 req_addr = 0, serv_addr = 0; - StringVal* host_name = new StringVal(""); - - TableVal* params_list = 0; - RecordVal* client_id = new RecordVal(BifType::Record::DHCP::dhcp_client_id); - client_id->Assign(0,0); - client_id->Assign(1,new StringVal("")); - - for ( ptr = options->begin(); ptr != options->end() && ! 
(*ptr)->last(); ++ptr ) - { - switch ( (*ptr)->code() ) - { - case REQ_IP_OPTION: - req_addr = htonl((*ptr)->info()->req_addr()); - break; - - case SERV_ID_OPTION: - serv_addr = htonl((*ptr)->info()->serv_addr()); - break; - - case HOST_NAME_OPTION: - host_name = new StringVal((*ptr)->info()->host_name().length(), - (const char*) (*ptr)->info()->host_name().begin()); - break; - case CLIENT_ID_OPTION: - client_id->Assign(0, new Val((*ptr)->info()->client_id()->hwtype(), TYPE_COUNT)); - client_id->Assign(1, new StringVal(fmt_mac((*ptr)->info()->client_id()->hwaddr().begin(), (*ptr)->info()->client_id()->hwaddr().length()))); - break; - case PAR_REQ_LIST: - params_list = new TableVal(BifType::Table::DHCP::dhcp_params_list); - int num_parms = (*ptr)->info()->par_req_list()->size(); - for (int i=0; i < num_parms; ++i) - { - vector* plist = (*ptr)->info()->par_req_list(); - uint8 param = (*plist)[i]; - Val* index = new Val(i+1, TYPE_COUNT); - params_list->Assign(index, new Val(param, TYPE_COUNT)); - Unref(index); - } - break; - } - } - - switch ( type ) - { - case DHCPDISCOVER: - BifEvent::generate_dhcp_discover(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dhcp_msg_val_->Ref(), new AddrVal(req_addr), - host_name, client_id, params_list); - break; - - case DHCPREQUEST: - BifEvent::generate_dhcp_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dhcp_msg_val_->Ref(), new AddrVal(req_addr), - new AddrVal(serv_addr), host_name, client_id, params_list); - break; - - case DHCPDECLINE: - BifEvent::generate_dhcp_decline(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dhcp_msg_val_->Ref(), host_name); - break; - - case DHCPRELEASE: - BifEvent::generate_dhcp_release(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dhcp_msg_val_->Ref(), host_name); - break; - - case DHCPINFORM: - BifEvent::generate_dhcp_inform(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - 
dhcp_msg_val_->Ref(), host_name, params_list); - break; - - default: - Unref(host_name); - break; - } +// // Requested IP address to the server. +// ::uint32 req_addr = 0, serv_addr = 0; +// StringVal* host_name = new StringVal(""); +// +// TableVal* params_list = 0; +// RecordVal* client_id = new RecordVal(BifType::Record::DHCP::ClientID); +// client_id->Assign(0,0); +// client_id->Assign(1,new StringVal("")); +// +// switch ( type ) +// { +// case DHCPDISCOVER: +// BifEvent::generate_dhcp_discover(connection()->bro_analyzer(), +// connection()->bro_analyzer()->Conn(), +// dhcp_msg_val->Ref(), new AddrVal(req_addr), +// host_name, client_id, params_list); +// break; +// +// case DHCPREQUEST: +// BifEvent::generate_dhcp_request(connection()->bro_analyzer(), +// connection()->bro_analyzer()->Conn(), +// dhcp_msg_val->Ref(), new AddrVal(req_addr), +// new AddrVal(serv_addr), host_name, client_id, params_list); +// break; +// +// case DHCPDECLINE: +// BifEvent::generate_dhcp_decline(connection()->bro_analyzer(), +// connection()->bro_analyzer()->Conn(), +// dhcp_msg_val->Ref(), host_name); +// break; +// +// case DHCPRELEASE: +// BifEvent::generate_dhcp_release(connection()->bro_analyzer(), +// connection()->bro_analyzer()->Conn(), +// dhcp_msg_val->Ref(), host_name); +// break; +// +// case DHCPINFORM: +// BifEvent::generate_dhcp_inform(connection()->bro_analyzer(), +// connection()->bro_analyzer()->Conn(), +// dhcp_msg_val->Ref(), host_name, params_list); +// break; +// +// default: +// Unref(host_name); +// break; +// } return true; %} - function parse_reply(options: DHCP_Option[], type: uint8): bool + function parse_reply(options: Option[], type: uint8): bool %{ - vector::const_iterator ptr; - vector::const_iterator ptrsubopt; +// // RFC 1533 allows a list of router addresses. 
+// TableVal* router_list = 0; +// +// ::uint32 subnet_mask = 0, serv_addr = 0; +// +// uint32 lease = 0; +// StringVal* host_name = 0; +// +// uint32 reb_time = 0; +// uint32 ren_time = 0; +// StringVal* agent_cir = 0; +// StringVal* agent_rem = 0; +// StringVal* agent_sub_opt = 0; +// TableVal* relay_agent_sub_opt = new TableVal(BifType::Table::DHCP::SubOptList); +// +// if ( host_name == nullptr ) +// host_name = new StringVal(""); +// +// switch ( type ) +// { +// case DHCPOFFER: +// if ( ! router_list ) +// router_list = new TableVal(BifType::Table::DHCP::RouterList); +// +// BifEvent::generate_dhcp_offer(connection()->bro_analyzer(), +// connection()->bro_analyzer()->Conn(), +// dhcp_msg_val->Ref(), new AddrVal(subnet_mask), +// router_list, lease, new AddrVal(serv_addr), host_name); +// break; +// +// case DHCPACK: +// if ( ! router_list ) +// router_list = new TableVal(BifType::Table::DHCP::RouterList); +// +// BifEvent::generate_dhcp_ack(connection()->bro_analyzer(), +// connection()->bro_analyzer()->Conn(), +// dhcp_msg_val->Ref(), new AddrVal(subnet_mask), +// router_list, lease, new AddrVal(serv_addr), host_name, reb_time, ren_time, relay_agent_sub_opt); +// break; +// +// case DHCPNAK: +// //Unref(router_list); +// BifEvent::generate_dhcp_nak(connection()->bro_analyzer(), +// connection()->bro_analyzer()->Conn(), +// dhcp_msg_val->Ref(), host_name); +// break; +// +// default: +// //Unref(router_list); +// //Unref(host_name); +// break; +// } +// + return true; + %} - // RFC 1533 allows a list of router addresses. - TableVal* router_list = 0; - - ::uint32 subnet_mask = 0, serv_addr = 0; - - uint32 lease = 0; - StringVal* host_name = 0; - - uint32 reb_time = 0; - uint32 ren_time = 0; - StringVal* agent_cir = 0; - StringVal* agent_rem = 0; - StringVal* agent_sub_opt = 0; - TableVal* relay_agent_sub_opt = new TableVal(BifType::Table::DHCP::dhcp_sub_opt_list); - - for ( ptr = options->begin(); - ptr != options->end() && ! 
(*ptr)->last(); ++ptr ) - { - switch ( (*ptr)->code() ) - { - case SUBNET_OPTION: - subnet_mask = htonl((*ptr)->info()->mask()); - break; - - case ROUTER_OPTION: - // Let's hope there aren't multiple - // such options. - //Unref(router_list); - router_list = new TableVal(dhcp_router_list); - - { - int num_routers = (*ptr)->info()->router_list()->size(); - - for ( int i = 0; i < num_routers; ++i ) - { - vector* rlist = (*ptr)->info()->router_list(); - - uint32 raddr = (*rlist)[i]; - ::uint32 tmp_addr; - tmp_addr = htonl(raddr); - - // index starting from 1 - Val* index = new Val(i + 1, TYPE_COUNT); - router_list->Assign(index, new AddrVal(tmp_addr)); - Unref(index); - } - } - break; - - case LEASE_OPTION: - lease = (*ptr)->info()->lease(); - break; - - case SERV_ID_OPTION: - serv_addr = htonl((*ptr)->info()->serv_addr()); - break; - - case HOST_NAME_OPTION: - host_name = new StringVal((*ptr)->info()->host_name().length(), - (const char*) (*ptr)->info()->host_name().begin()); - break; - - case REB_TIME_OPTION: - reb_time = (*ptr)->info()->reb_time(); - break; - - case REN_TIME_OPTION: - ren_time = (*ptr)->info()->ren_time(); - break; - - case RELAY_AGENT_INF: - RecordVal* r = new RecordVal(BifType::Record::DHCP::dhcp_sub_opt); - uint i = 0; - for( ptrsubopt = (*ptr)->info()->relay_agent_inf()->begin(); ptrsubopt != (*ptr)->info()->relay_agent_inf()->end(); ++ptrsubopt) - { - r = new RecordVal(BifType::Record::DHCP::dhcp_sub_opt); - Val* index = new Val(i + 1, TYPE_COUNT); - r->Assign(0, new Val((*ptrsubopt)->code(), TYPE_COUNT)); - r->Assign(1, bytestring_to_val((*ptrsubopt)->value())); - relay_agent_sub_opt->Assign(index, r); - Unref(index); - ++i; - } - break; - } - } - - if ( host_name == 0 ) - host_name = new StringVal(""); - - switch ( type ) - { - case DHCPOFFER: - if ( ! 
router_list ) - router_list = new TableVal(dhcp_router_list); - - BifEvent::generate_dhcp_offer(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dhcp_msg_val_->Ref(), new AddrVal(subnet_mask), - router_list, lease, new AddrVal(serv_addr), host_name); - break; - - case DHCPACK: - if ( ! router_list ) - router_list = new TableVal(dhcp_router_list); - - BifEvent::generate_dhcp_ack(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dhcp_msg_val_->Ref(), new AddrVal(subnet_mask), - router_list, lease, new AddrVal(serv_addr), host_name, reb_time, ren_time, relay_agent_sub_opt); - break; - - case DHCPNAK: - //Unref(router_list); - BifEvent::generate_dhcp_nak(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dhcp_msg_val_->Ref(), host_name); - break; - - default: - //Unref(router_list); - //Unref(host_name); - break; - } + function create_options(): bool + %{ + if ( options == nullptr ) + options = new RecordVal(BifType::Record::DHCP::Options); return true; - %} function process_dhcp_message(msg: DHCP_Message): bool 
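Review bot: `parse_request` and `parse_reply` now consist of a commented-out body followed by `return true`, so none of `dhcp_discover`, `dhcp_offer`, `dhcp_request`, `dhcp_decline`, `dhcp_ack`, `dhcp_nak`, `dhcp_release` or `dhcp_inform` is generated any more, while events.bif in this same patch still declares them. Scripts and detections that handle those events will keep loading without error and simply stop firing. Either remove the two functions together with the dead events, or replace the commented code with a short statement of intent such as `// Superseded by dhcp_message; the per-type events are no longer raised.` The `process_dhcp_message` definition that closes this hunk continues outside it.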
@@ -292,55 +148,81 @@ flow DHCP_Flow(is_orig: bool) { return false; } - Unref(dhcp_msg_val_); + Unref(dhcp_msg_val); std::string mac_str = fmt_mac(${msg.chaddr}.data(), ${msg.chaddr}.length()); - RecordVal* r = new RecordVal(dhcp_msg); - r->Assign(0, new Val(${msg.op}, TYPE_COUNT)); - r->Assign(1, new Val(${msg.type}, TYPE_COUNT)); - r->Assign(2, new Val(${msg.xid}, TYPE_COUNT)); - r->Assign(3, new StringVal(mac_str)); - r->Assign(4, new AddrVal(${msg.ciaddr})); - r->Assign(5, new AddrVal(${msg.yiaddr})); + dhcp_msg_val = new RecordVal(BifType::Record::DHCP::Msg); + dhcp_msg_val->Assign(0, new Val(${msg.op}, TYPE_COUNT)); + dhcp_msg_val->Assign(1, new Val(${msg.type}, TYPE_COUNT)); + dhcp_msg_val->Assign(2, new Val(${msg.xid}, TYPE_COUNT)); + dhcp_msg_val->Assign(3, new StringVal(mac_str)); + dhcp_msg_val->Assign(4, new AddrVal(${msg.ciaddr})); + dhcp_msg_val->Assign(5, new AddrVal(${msg.yiaddr})); - dhcp_msg_val_ = r; + if ( dhcp_message ) + BifEvent::generate_dhcp_message(connection()->bro_analyzer(), + connection()->bro_analyzer()->Conn(), + ${msg.is_orig}, + dhcp_msg_val->Ref(), + options->Ref()); - switch ( ${msg.op} ) - { - case BOOTREQUEST: // presumably from client to server - if ( ${msg.type} == DHCPDISCOVER || - ${msg.type} == DHCPREQUEST || - ${msg.type} == DHCPDECLINE || - ${msg.type} == DHCPRELEASE || - ${msg.type} == DHCPINFORM ) - parse_request(${msg.options}, ${msg.type}); - else - connection()->bro_analyzer()->ProtocolViolation(fmt("unknown DHCP message type option for BOOTREQUEST (%d)", - ${msg.type})); - break; + Unref(dhcp_msg_val); + dhcp_msg_val = 0; + Unref(options); + options = 0; - case BOOTREPLY: // presumably from server to client - if ( ${msg.type} == DHCPOFFER || - ${msg.type} == DHCPACK || - ${msg.type} == DHCPNAK || - ${msg.type} == DHCPLEASEUNASSIGNED || - ${msg.type} == DHCPLEASEUNKNOWN || - ${msg.type} == DHCPLEASEACTIVE ) - parse_reply(${msg.options}, ${msg.type}); - else - 
connection()->bro_analyzer()->ProtocolViolation(fmt("unknown DHCP message type option for BOOTREPLY (%d)", - ${msg.type})); - - break; - - default: - connection()->bro_analyzer()->ProtocolViolation(fmt("unknown DHCP message op code (%d). Known codes: 1=BOOTREQUEST, 2=BOOTREPLY", - ${msg.op})); - break; - } + //switch ( ${msg.op} ) + // { + // case BOOTREQUEST: // presumably from client to server + // if ( ${msg.type} == DHCPDISCOVER || + // ${msg.type} == DHCPREQUEST || + // ${msg.type} == DHCPDECLINE || + // ${msg.type} == DHCPRELEASE || + // ${msg.type} == DHCPINFORM ) + // { + // parse_request(${msg.options}, ${msg.type}); + // } + // else + // { + // connection()->bro_analyzer()->ProtocolViolation(fmt("unknown DHCP message type option for BOOTREQUEST (%d)", + // ${msg.type})); + // } + // break; + // + // case BOOTREPLY: // presumably from server to client + // if ( ${msg.type} == DHCPOFFER || + // ${msg.type} == DHCPACK || + // ${msg.type} == DHCPNAK || + // ${msg.type} == DHCPLEASEUNASSIGNED || + // ${msg.type} == DHCPLEASEUNKNOWN || + // ${msg.type} == DHCPLEASEACTIVE ) + // { + // parse_reply(${msg.options}, ${msg.type}); + // } + // else + // { + // connection()->bro_analyzer()->ProtocolViolation(fmt("unknown DHCP message type option for BOOTREPLY (%d)", + // ${msg.type})); + // } + // + // break; + // + // default: + // // Removing this because I've seen some packets with weird values + // // but they still parse fine. + // //connection()->bro_analyzer()->ProtocolViolation(fmt("unknown DHCP message op code (%d). Known codes: 1=BOOTREQUEST, 2=BOOTREPLY", + // // ${msg.op})); + // break; + // } + // A single message reaching this point is enough to confirm the protocol + // because it's not uncommon to see a single DHCP message + // on a "connection". + // The binpac analyzer would have thrown an error before this point + // if there was a problem too (and subsequently called ProtocolViolation). 
connection()->bro_analyzer()->ProtocolConfirmation(); + return true; %} }; @@ -348,3 +230,8 @@ flow DHCP_Flow(is_orig: bool) { refine typeattr DHCP_Message += &let { proc_dhcp_message = $context.flow.process_dhcp_message(this); }; + +refine typeattr Option += &let { + proc_create_options = $context.flow.create_options(); +}; + diff --git a/src/analyzer/protocol/dhcp/dhcp-options.pac b/src/analyzer/protocol/dhcp/dhcp-options.pac new file mode 100644 index 0000000000..d39484ba96 --- /dev/null +++ b/src/analyzer/protocol/dhcp/dhcp-options.pac 
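Review bot: `ProtocolConfirmation()` at the end of `process_dhcp_message` is now reached for every message that parses, including one for which `get_dhcp_msgtype` has just raised `ProtocolViolation("no DHCP message type option")`, because the op and type checks in the `switch` are commented out. Confirming and violating on the same datagram makes the analyzer's verdict ambiguous and lets any BOOTP-shaped payload confirm as DHCP. Guarding the call keeps the two signals exclusive, for example `if ( ${msg.type} != 0 ) connection()->bro_analyzer()->ProtocolConfirmation();`. The start of `process_dhcp_message` is outside this hunk, so the condition behind its early `return false` could not be checked.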
@@ -0,0 +1,327 @@ + +############################## +# SUBNET OPTION +############################## +let SUBNET_OPTION = 1; + +# Parse the option +refine casetype OptionValue += { + SUBNET_OPTION -> mask : uint32; +}; + +refine flow DHCP_Flow += { + function process_subnet_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(0, new AddrVal(htonl(${v.mask}))); + return true; + %} +}; + +refine typeattr Option += &let { + proc_subnet_option = $context.flow.process_subnet_option(info) &if(code==SUBNET_OPTION); +}; + + +############################## +# HOST NAME OPTION +############################## +let HOST_NAME_OPTION = 12; + +# Parse the option +refine casetype OptionValue += { + HOST_NAME_OPTION -> host_name : bytestring &length=length; +}; + +refine flow DHCP_Flow += { + function process_host_name_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(1, new StringVal(${v.host_name}.length(), (const char*) ${v.host_name}.begin())); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_host_name_option = $context.flow.process_host_name_option(info) &if(code==HOST_NAME_OPTION); +}; + + +############################## +# REQ IP OPTION +############################## +let REQ_IP_OPTION = 50; + +# Parse the option +refine casetype OptionValue += { + REQ_IP_OPTION -> req_addr : uint32; +}; + +refine flow DHCP_Flow += { + function process_req_ip_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(2, new AddrVal(htonl(${v.req_addr}))); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_req_ip_option = $context.flow.process_req_ip_option(info) &if(code==REQ_IP_OPTION); +}; + +############################## +# ROUTER OPTION +############################## +let ROUTER_OPTION = 3; + +# Parse the option +refine casetype OptionValue += { + ROUTER_OPTION -> router_list : uint32[length/4]; +}; + +refine flow DHCP_Flow += { + function process_router_option(v: OptionValue): bool + %{ + TableVal* 
router_list = new TableVal(BifType::Table::DHCP::RouterList); + int num_routers = ${v.router_list}->size(); + vector* rlist = ${v.router_list}; + + for ( int i = 0; i < num_routers; ++i ) + { + uint32 raddr = (*rlist)[i]; + ::uint32 tmp_addr; + tmp_addr = htonl(raddr); + // index starting from 1 + Val* index = new Val(i + 1, TYPE_COUNT); + router_list->Assign(index, new AddrVal(tmp_addr)); + Unref(index); + } + + ${context.flow}->options->Assign(3, router_list); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_router_option = $context.flow.process_router_option(info) &if(code==ROUTER_OPTION); +}; + + +############################## +# LEASE_OPTION OPTION +############################## +let LEASE_OPTION = 51; + +# Parse the option +refine casetype OptionValue += { + LEASE_OPTION -> lease : uint32; +}; + +refine flow DHCP_Flow += { + function process_lease_option(v: OptionValue): bool + %{ + double lease = static_cast(${v.lease}); + ${context.flow}->options->Assign(4, new Val(lease, TYPE_INTERVAL)); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_lease_option = $context.flow.process_lease_option(info) &if(code==LEASE_OPTION); +}; + +############################## +# SERV_ID_OPTION OPTION +############################## +let SERV_ID_OPTION = 54; + +# Parse the option +refine casetype OptionValue += { + SERV_ID_OPTION -> serv_addr : uint32; +}; + +refine flow DHCP_Flow += { + function process_serv_id_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(5, new AddrVal(htonl(${v.serv_addr}))); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_serv_id_option = $context.flow.process_serv_id_option(info) &if(code==SERV_ID_OPTION); +}; + + +############################## +# PAR_REQ_LIST OPTION +############################## +let PAR_REQ_LIST_OPTION = 55; + +# Parse the option +refine casetype OptionValue += { + PAR_REQ_LIST_OPTION -> par_req_list : uint8[length]; +}; + +refine flow DHCP_Flow += { + 
function process_par_req_list_option(v: OptionValue): bool + %{ + TableVal* params_list = new TableVal(BifType::Table::DHCP::ParamsList); + int num_parms = ${v.par_req_list}->size(); + vector* plist = ${v.par_req_list}; + + for (int i=0; i < num_parms; ++i) + { + uint8 param = (*plist)[i]; + Val* index = new Val(i+1, TYPE_COUNT); + params_list->Assign(index, new Val(param, TYPE_COUNT)); + Unref(index); + } + + ${context.flow}->options->Assign(6, params_list); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_par_req_list_option = $context.flow.process_par_req_list_option(info) &if(code==PAR_REQ_LIST_OPTION); +}; + + +############################## +# REN_TIME_OPTION OPTION +############################## +let REN_TIME_OPTION = 58; + +# Parse the option +refine casetype OptionValue += { + REN_TIME_OPTION -> ren_time : uint32; +}; + +refine flow DHCP_Flow += { + function process_ren_time_option(v: OptionValue): bool + %{ + double ren_time = static_cast(${v.ren_time}); + ${context.flow}->options->Assign(7, new Val(ren_time, TYPE_INTERVAL)); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_ren_time_option = $context.flow.process_ren_time_option(info) &if(code==REN_TIME_OPTION); +}; + + +############################## +# REB_TIME_OPTION OPTION +############################## +let REB_TIME_OPTION = 59; + +# Parse the option +refine casetype OptionValue += { + REB_TIME_OPTION -> reb_time : uint32; +}; + +refine flow DHCP_Flow += { + function process_reb_time_option(v: OptionValue): bool + %{ + double reb_time = static_cast(${v.reb_time}); + ${context.flow}->options->Assign(8, new Val(reb_time, TYPE_INTERVAL)); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_reb_time_option = $context.flow.process_reb_time_option(info) &if(code==REB_TIME_OPTION); +}; + + +############################## +# CLIENT_ID_OPTION OPTION +############################## +let CLIENT_ID_OPTION = 61; + +type Client_Identifier(length: uint8) = 
record { + hwtype : uint8; + hwaddr : bytestring &length = length - 1; +}; + +# Parse the option +refine casetype OptionValue += { + CLIENT_ID_OPTION -> client_id : Client_Identifier(length); +}; + +refine flow DHCP_Flow += { + function process_client_id_option(v: OptionValue): bool + %{ + RecordVal* client_id = new RecordVal(BifType::Record::DHCP::ClientID); + client_id->Assign(0, new Val(${v.client_id.hwtype}, TYPE_COUNT)); + client_id->Assign(1, new StringVal(fmt_mac(${v.client_id.hwaddr}.begin(), ${v.client_id.hwaddr}.length()))); + + ${context.flow}->options->Assign(9, client_id); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_client_id_option = $context.flow.process_client_id_option(info) &if(code==CLIENT_ID_OPTION); +}; + + + +############################## +# RELAY_AGENT_INF OPTION +############################## +let RELAY_AGENT_INF_OPTION = 82; + +type Relay_Agent_SubOption(tot_len: uint8) = record { + code : uint8; + length : uint8; + value : bytestring &length = length; +} &let { + sum_len: uint8 = $context.flow.get_dhcp_sumlen(length + 2); + last: bool = (sum_len == tot_len); +}; + +# Parse the option +refine casetype OptionValue += { + RELAY_AGENT_INF_OPTION -> relay_agent_inf : Relay_Agent_SubOption(length)[] &until($element.last); +}; + +refine flow DHCP_Flow += { + function process_relay_agent_inf_option(v: OptionValue): bool + %{ + TableVal* relay_agent_sub_opt = new TableVal(BifType::Table::DHCP::SubOptList); + RecordVal* r = new RecordVal(BifType::Record::DHCP::SubOpt); + uint i = 1; + for ( auto ptrsubopt = ${v.relay_agent_inf}->begin(); + ptrsubopt != ${v.relay_agent_inf}->end(); ++ptrsubopt ) + { + r = new RecordVal(BifType::Record::DHCP::SubOpt); + r->Assign(0, new Val((*ptrsubopt)->code(), TYPE_COUNT)); + r->Assign(1, bytestring_to_val((*ptrsubopt)->value())); + + Val* index = new Val(i, TYPE_COUNT); + relay_agent_sub_opt->Assign(index, r); + Unref(index); + ++i; + } + + ${context.flow}->options->Assign(10, 
relay_agent_sub_opt); + return true; + %} +}; + +refine typeattr Option += &let { + proc_relay_agent_info_option = $context.flow.process_relay_agent_inf_option(info) &if(code==RELAY_AGENT_INF_OPTION); +}; + + + diff --git a/src/analyzer/protocol/dhcp/dhcp-protocol.pac b/src/analyzer/protocol/dhcp/dhcp-protocol.pac index ebc1fd946a..43dade5989 100644 --- a/src/analyzer/protocol/dhcp/dhcp-protocol.pac +++ b/src/analyzer/protocol/dhcp/dhcp-protocol.pac @@ -6,24 +6,7 @@ enum OP_type { BOOTREPLY = 2 }; -# Refer to RFC 1533 for option types. -# The option types are by no means complete. -# Anyone can add a new option type in RFC 1533 to be parsed here. -enum OPTION_type { - SUBNET_OPTION = 1, - ROUTER_OPTION = 3, - HOST_NAME_OPTION = 12, - REQ_IP_OPTION = 50, - LEASE_OPTION = 51, - MSG_TYPE_OPTION = 53, - SERV_ID_OPTION = 54, # Server address, actually :) - PAR_REQ_LIST = 55, # Parameters Request List - NEW - REN_TIME_OPTION = 58, # Renewal time - NEW - REB_TIME_OPTION = 59, # Rebinding time - NEW - CLIENT_ID_OPTION = 61, # Client Identifier - NEW - RELAY_AGENT_INF = 82, # Relay Agent Information - NEW - END_OPTION = 255 -}; +let MSG_TYPE_OPTION = 53; enum DHCP_message_type { DHCPDISCOVER = 1, 
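Review bot: In `process_relay_agent_inf_option` (dhcp-options.pac), the `RecordVal* r = new RecordVal(BifType::Record::DHCP::SubOpt);` placed before the loop is overwritten by the allocation in the first iteration and is never stored or released, so every message carrying option 82 leaks one record. The sender decides how often that happens, which makes it a slow memory-growth path on the sensor. Drop the declaration before the loop and declare the pointer where it is assigned, `RecordVal* r = new RecordVal(BifType::Record::DHCP::SubOpt);` as the first statement of the loop body. `Client_Identifier` also computes `length - 1` with no check for a zero `length`; whether binpac rejects the resulting negative length should be confirmed.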
@@ -41,74 +24,82 @@ enum DHCP_message_type { DHCPLEASEACTIVE = 13 # RFC 4388 }; -type Relay_Agent_SubOption(tot_len: uint8) = record { - code : uint8; - length : uint8; - value : bytestring &length = length; -} &let { - sum_len: uint8 = $context.flow.get_dhcp_sumlen(length + 2); - last: bool = (sum_len == tot_len); +type OptionValue(code: uint8, length: uint8) = case code of { + # This is extended in dhcp-options.pac + MSG_TYPE_OPTION -> msg_type : uint8; + default -> other : bytestring &length = length; }; -type Client_Identifier(length: uint8) = record { - hwtype : uint8; - hwaddr : bytestring &length = length -1; -}; - -enum DHCP_hardware_type -{ - ETHERNET = 1, - EXPERIMENTAL_ETHERNET = 2 -}; - -type Option_Info(code: uint8) = record { - length : uint8; - value : case code of { - SUBNET_OPTION -> mask : uint32; - ROUTER_OPTION -> router_list : uint32[length/4]; - REQ_IP_OPTION -> req_addr : uint32; - LEASE_OPTION -> lease : uint32; - MSG_TYPE_OPTION -> msg_type : uint8; - SERV_ID_OPTION -> serv_addr : uint32; - HOST_NAME_OPTION -> host_name : bytestring &length = length; - PAR_REQ_LIST -> par_req_list : uint8[length]; - REB_TIME_OPTION -> reb_time : uint32; - REN_TIME_OPTION -> ren_time : uint32; - CLIENT_ID_OPTION -> client_id : Client_Identifier(length); - RELAY_AGENT_INF -> relay_agent_inf : Relay_Agent_SubOption(length)[] &until($element.last); - default -> other : bytestring &length = length; - }; -}; - -type DHCP_Option = record { - code : uint8; - data : case code of { - 0, 255 -> none : empty; - default -> info : Option_Info(code); +type Option = record { + code : uint8; + length : uint8; + data : case code of { + 0, 255 -> none : empty; + default -> info : OptionValue(code, length); }; } &let { - last: bool = (code == END_OPTION); # Mark the end of a list of options + last = (code == 255); # Mark the end of a list of options }; -type DHCP_Message = record { - op : uint8; - htype : uint8; - hlen : uint8; - hops : uint8; - xid : uint32; - secs : uint16; 
- flags : uint16; - ciaddr : uint32; - yiaddr : uint32; - siaddr : uint32; - giaddr : uint32; +type DHCP_Message(is_orig: bool) = record { + op : uint8; + htype : uint8; + hlen : uint8; + hops : uint8; + xid : uint32; + secs : uint16; + flags : uint16; + ciaddr : uint32; + yiaddr : uint32; + siaddr : uint32; + giaddr : uint32; chaddr : bytestring &length = 16; - sname : bytestring &length = 64; - file : bytestring &length = 128; + sname : bytestring &length = 64; + file : bytestring &length = 128; # Cookie belongs to options in RFC 2131, but we separate # them here for easy parsing. cookie : uint32; - options : DHCP_Option[] &until($element.last); + options : Option[] &until($element.last); } &let { - type : uint8 = $context.flow.get_dhcp_msgtype(options); + type = $context.flow.get_dhcp_msgtype(options); } &byteorder = bigendian; + +refine flow DHCP_Flow += { + %member{ + uint8 sum_len; + %} + + %init{ + sum_len = 0; + %} + + %cleanup{ + sum_len = 0; + %} + + function get_dhcp_sumlen(len: uint8): uint8 + %{ + sum_len = len + sum_len; + return sum_len; + %} + + function get_dhcp_msgtype(options: Option[]): uint8 + %{ + uint8 type = 0; + for ( auto ptr = options->begin(); + ptr != options->end() && ! (*ptr)->last(); ++ptr ) + { + if ( (*ptr)->code() == MSG_TYPE_OPTION ) + { + type = (*ptr)->info()->msg_type(); + break; + } + } + + if ( type == 0 ) + connection()->bro_analyzer()->ProtocolViolation("no DHCP message type option"); + + return type; + %} +}; + diff --git a/src/analyzer/protocol/dhcp/dhcp.pac b/src/analyzer/protocol/dhcp/dhcp.pac index 18439cf341..ac88726b3c 100644 --- a/src/analyzer/protocol/dhcp/dhcp.pac +++ b/src/analyzer/protocol/dhcp/dhcp.pac 
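Review bot: `OptionValue` receives `length`, but only the `default` branch here (and the bytestring and array branches added in dhcp-options.pac) uses it, so a fixed-width case such as `MSG_TYPE_OPTION -> msg_type : uint8` or `SUBNET_OPTION -> mask : uint32` consumes its fixed size whatever the sender wrote in the length byte, and the bytes that follow are parsed as new option headers. A sender can use that mismatch to make the sensor record options a real DHCP endpoint would skip, or miss ones it would honour. The parsed value should be bounded to `length` bytes, or the fixed-width cases should raise a violation when `length` differs from the expected size. Separately, `sum_len` in `get_dhcp_sumlen` is zeroed only in `%init` and `%cleanup`, so a second relay-agent option on the same flow starts from the previous total and `last` may never match `tot_len`.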
@@ -11,5 +11,15 @@ analyzer DHCP withcontext {
 flow: DHCP_Flow;
 };
+connection DHCP_Conn(bro_analyzer: BroAnalyzer) {
+ upflow = DHCP_Flow(true);
+ downflow = DHCP_Flow(false);
+};
+
+flow DHCP_Flow(is_orig: bool) {
+ datagram = DHCP_Message(is_orig) withcontext(connection, this);
+};
+
 %include dhcp-protocol.pac
 %include dhcp-analyzer.pac
+%include dhcp-options.pac
diff --git a/src/analyzer/protocol/dhcp/events.bif b/src/analyzer/protocol/dhcp/events.bif
index 057db36aff..663ba3c319 100644
--- a/src/analyzer/protocol/dhcp/events.bif
+++ b/src/analyzer/protocol/dhcp/events.bif
@@ -1,3 +1,6 @@
+
+event dhcp_message%(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options%);
+
 ## Generated for DHCP messages of type *DHCPDISCOVER* (client broadcast to locate
 ## available servers).
 ##
@@ -20,7 +23,7 @@
 ## protocol). It treats broadcast addresses just like any other and
 ## associates packets into transport-level flows in the same way as usual.
 ##
-event dhcp_discover%(c: connection, msg: DHCP::dhcp_msg, req_addr: addr, host_name: string, client_id: DHCP::dhcp_client_id, req_params: DHCP::dhcp_params_list%);
+event dhcp_discover%(c: connection, msg: DHCP::Msg, req_addr: addr, host_name: string, client_id: DHCP::ClientID, req_params: DHCP::ParamsList%);
 ## Generated for DHCP messages of type *DHCPOFFER* (server to client in response
 ## to DHCPDISCOVER with offer of configuration parameters).
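Review bot: `dhcp_message`, added at the top of events.bif, is the only event in the file without a `##` documentation block, and from what this patch shows it is now the one event the analyzer actually raises. It needs a block in the style of its neighbours: a summary line such as `## Generated for all DHCP messages.`, followed by `## c:`, `## is_orig:`, `## msg:` and `## options:` entries. The `options` entry should say that the record holds only the options present in that message, since handlers have to test each field before using it.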
@@ -47,7 +50,7 @@ event dhcp_discover%(c: connection, msg: DHCP::dhcp_msg, req_addr: addr, host_na
 ## protocol). It treats broadcast addresses just like any other and
 ## associates packets into transport-level flows in the same way as usual.
 ##
-event dhcp_offer%(c: connection, msg: DHCP::dhcp_msg, mask: addr, router: DHCP::dhcp_router_list, lease: interval, serv_addr: addr, host_name: string%);
+event dhcp_offer%(c: connection, msg: DHCP::Msg, mask: addr, router: DHCP::RouterList, lease: interval, serv_addr: addr, host_name: string%);
 ## Generated for DHCP messages of type *DHCPREQUEST* (Client message to servers either
 ## (a) requesting offered parameters from one server and implicitly declining offers
@@ -75,7 +78,7 @@ event dhcp_offer%(c: connection, msg: DHCP::dhcp_msg, mask: addr, router: DHCP::
 ## protocol). It treats broadcast addresses just like any other and
 ## associates packets into transport-level flows in the same way as usual.
 ##
-event dhcp_request%(c: connection, msg: DHCP::dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string, client_id: DHCP::dhcp_client_id, req_params: DHCP::dhcp_params_list%);
+event dhcp_request%(c: connection, msg: DHCP::Msg, req_addr: addr, serv_addr: addr, host_name: string, client_id: DHCP::ClientID, req_params: DHCP::ParamsList%);
 ## Generated for DHCP messages of type *DHCPDECLINE* (Client to server indicating
 ## network address is already in use).
@@ -93,7 +96,7 @@ event dhcp_request%(c: connection, msg: DHCP::dhcp_msg, req_addr: addr, serv_add
 ## protocol). It treats broadcast addresses just like any other and
 ## associates packets into transport-level flows in the same way as usual.
 ##
-event dhcp_decline%(c: connection, msg: DHCP::dhcp_msg, host_name: string%);
+event dhcp_decline%(c: connection, msg: DHCP::Msg, host_name: string%);
 ## Generated for DHCP messages of type *DHCPACK* (Server to client with configuration
 ## parameters, including committed network address).
@@ -127,7 +130,7 @@ event dhcp_decline%(c: connection, msg: DHCP::dhcp_msg, host_name: string%);
 ## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_nak
 ## dhcp_release dhcp_inform
 ##
-event dhcp_ack%(c: connection, msg: DHCP::dhcp_msg, mask: addr, router: DHCP::dhcp_router_list, lease: interval, serv_addr: addr, host_name: string, reb_time: count, ren_time: count, sub_opt: DHCP::dhcp_sub_opt_list%);
+event dhcp_ack%(c: connection, msg: DHCP::Msg, mask: addr, router: DHCP::RouterList, lease: interval, serv_addr: addr, host_name: string%);
 ## Generated for DHCP messages of type *DHCPNAK* (Server to client indicating client's
 ## notion of network address is incorrect (e.g., client has moved to new subnet) or
@@ -146,7 +149,7 @@ event dhcp_ack%(c: connection, msg: DHCP::dhcp_msg, mask: addr, router: DHCP::dh
 ## protocol). It treats broadcast addresses just like any other and
 ## associates packets into transport-level flows in the same way as usual.
 ##
-event dhcp_nak%(c: connection, msg: DHCP::dhcp_msg, host_name: string%);
+event dhcp_nak%(c: connection, msg: DHCP::Msg, host_name: string%);
 ## Generated for DHCP messages of type *DHCPRELEASE* (Client to server relinquishing
 ## network address and cancelling remaining lease).
@@ -160,7 +163,7 @@ event dhcp_nak%(c: connection, msg: DHCP::dhcp_msg, host_name: string%);
 ## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak
 ## dhcp_inform
 ##
-event dhcp_release%(c: connection, msg: DHCP::dhcp_msg, host_name: string%);
+event dhcp_release%(c: connection, msg: DHCP::Msg, host_name: string%);
 ## Generated for DHCP messages of type *DHCPINFORM* (Client to server, asking only for
 ## local configuration parameters; client already has externally configured network
@@ -181,5 +184,5 @@ event dhcp_release%(c: connection, msg: DHCP::dhcp_msg, host_name: string%); ## protocol). It treats broadcast addresses just like any other and ## associates packets into transport-level flows in the same way as usual. ## -event dhcp_inform%(c: connection, msg: DHCP::dhcp_msg, host_name: string, req_params: DHCP::dhcp_params_list%); +event dhcp_inform%(c: connection, msg: DHCP::Msg, host_name: string%); diff --git a/src/analyzer/protocol/dhcp/types.bif b/src/analyzer/protocol/dhcp/types.bif index 8f501fc7fd..bf55018b00 100644 --- a/src/analyzer/protocol/dhcp/types.bif +++ b/src/analyzer/protocol/dhcp/types.bif @@ -1,10 +1,9 @@ module DHCP; -type dhcp_msg: record; -type dhcp_router_list: table; -type dhcp_params_list: table; -type dhcp_sub_opt_list: table; -type dhcp_sub_opt: record; -type dhcp_client_id: record; - -module GLOBAL; +type Msg: record; +type RouterList: table; +type ParamsList: table; +type SubOptList: table; +type SubOpt: record; +type ClientID: record; +type Options: record; From 97160b15daf34c2a1a40f95ab682ebb2cbaf237c Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 2 Feb 2018 15:29:03 -0600 Subject: [PATCH 312/631] Add a .travis.yml file --- .travis.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000000..c1383a886d --- /dev/null +++ b/.travis.yml 
@@ -0,0 +1,30 @@ +language: cpp +compiler: + - clang + - gcc + +addons: + apt: + sources: + - ubuntu-toolchain-r-test + packages: + - bison + - cmake + - flex + - libpcap-dev + - libssl-dev + - python-dev + - swig + - zlib1g-dev + +install: ./configure && make -j 4 + +script: + - make -C testing/btest btest-verbose + - make -C testing/external init && make -C testing/external + +after_failure: + # Output each diag.log that contains failed test results. + - for i in testing/btest/diag.log testing/external/bro-testing/diag.log; do + grep -qs '... failed$' $i && cat $i ; + done From 445e5bfc186c5dbedd0f4c0ca864f13b736a610c Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 5 Feb 2018 10:43:59 -0600 Subject: [PATCH 313/631] Fix (unlikely) memory leak in nb_dns.c --- CHANGES | 6 ++++++ VERSION | 2 +- src/nb_dns.c | 1 + 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 0cfd91b52b..5decf23fc5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +2.5-402 | 2018-02-05 10:43:59 -0600 + + * Fix (unlikely) memory leak in nb_dns.c (Corelight) + + * Remove bro-plugins submodule from .gitmodules file (Daniel Thayer) + 2.5-399 | 2018-01-30 14:31:45 -0800 * Adapt the X509 analyzer to partially support OpenSSL 1.1. diff --git a/VERSION b/VERSION index d701ed64b5..29dcd1f939 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-399 +2.5-402 diff --git a/src/nb_dns.c b/src/nb_dns.c index be6ca66059..a1f0d018dd 100644 --- a/src/nb_dns.c +++ b/src/nb_dns.c @@ -166,6 +166,7 @@ nb_dns_init(char *errstr) } snprintf(errstr, NB_DNS_ERRSIZE, "no valid nameservers in resolver config"); + free(nd); return (NULL); } From 7bdbcfc568149298fcae63626ebb13a16fa5e425 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 5 Feb 2018 15:18:41 -0600 Subject: [PATCH 314/631] Fix warnings when building sphinx docs --- CHANGES | 4 ++++ VERSION | 2 +- src/analyzer/protocol/rpc/events.bif | 24 ++++++++++++------------ 3 files changed, 17 insertions(+), 13 deletions(-) 
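Review bot: The `sources` list under `addons.apt` enables `ubuntu-toolchain-r-test`, yet none of the entries under `packages` appears to come from that archive, so every CI build trusts an extra third-party package source for no visible reason. Either drop the source or document why it is there with a comment above it, such as `# required for <package name>`. The `install` and `script` steps are otherwise self-explanatory.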
diff --git a/CHANGES b/CHANGES index dfb832654a..f7d6321fbe 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-410 | 2018-02-05 15:18:41 -0600 + + * Fix warnings when building sphinx docs (Corelight) + 2.5-409 | 2018-02-05 14:12:21 -0600 * Bug fix: nfs3_writeargs didn't properly return filehandle. (Devin Trejo) diff --git a/VERSION b/VERSION index 007f1a4806..4c07f9de0b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-409 +2.5-410 diff --git a/src/analyzer/protocol/rpc/events.bif b/src/analyzer/protocol/rpc/events.bif index f08b36e995..b811a60cda 100644 --- a/src/analyzer/protocol/rpc/events.bif +++ b/src/analyzer/protocol/rpc/events.bif @@ -859,8 +859,8 @@ event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count ## ## info: Reports the status of the dialogue, along with some meta information. ## -## .. bro:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt -## mount_proc_umntall mount_proc_export mount_proc_not_implemented +## .. bro:see:: mount_proc_mnt mount_proc_umnt +## mount_proc_umnt_all mount_proc_not_implemented ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -882,8 +882,8 @@ event mount_proc_null%(c: connection, info: MOUNT3::info_t%); ## rep: The response returned in the reply. The values may not be valid if the ## request was unsuccessful. ## -## .. bro:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt -## mount_proc_umntall mount_proc_export mount_proc_not_implemented +## .. bro:see:: mount_proc_mnt mount_proc_umnt +## mount_proc_umnt_all mount_proc_not_implemented ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
@@ -902,8 +902,8 @@ event mount_proc_mnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntar ## ## req: The arguments passed in the request. ## -## .. bro:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt -## mount_proc_umntall mount_proc_export mount_proc_not_implemented +## .. bro:see:: mount_proc_mnt mount_proc_umnt +## mount_proc_umnt_all mount_proc_not_implemented ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -922,8 +922,8 @@ event mount_proc_umnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmnta ## ## req: The arguments passed in the request. ## -## .. bro:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt -## mount_proc_umntall mount_proc_export mount_proc_not_implemented +## .. bro:see:: mount_proc_mnt mount_proc_umnt +## mount_proc_umnt_all mount_proc_not_implemented ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -940,8 +940,8 @@ event mount_proc_umnt_all%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dir ## ## proc: The procedure called that Bro does not implement. ## -## .. bro:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt -## mount_proc_umntall mount_proc_export mount_proc_not_implemented +## .. bro:see:: mount_proc_mnt mount_proc_umnt +## mount_proc_umnt_all mount_proc_not_implemented ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
@@ -956,8 +956,8 @@ event mount_proc_not_implemented%(c: connection, info: MOUNT3::info_t, proc: MOU ## ## info: Reports the status included in the reply. ## -## .. bro:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt -## mount_proc_umntall mount_proc_export mount_proc_not_implemented +## .. bro:see:: mount_proc_mnt mount_proc_umnt +## mount_proc_umnt_all mount_proc_not_implemented ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet From f735ad382bddea252a18c3bcba0de9bc0c826896 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 5 Feb 2018 15:08:12 -0800 Subject: [PATCH 315/631] Updating submodule(s). Closes BIT-1902. --- aux/bro-aux | 2 +- aux/broctl | 2 +- aux/btest | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/aux/bro-aux b/aux/bro-aux index c88ccbeb59..dc077fb554 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit c88ccbeb5902554f231443552b9648cff8b3fa70 +Subproject commit dc077fb5545016f7d38f630941369ce17949939a diff --git a/aux/broctl b/aux/broctl index 5a12aac3e8..3e27199f2c 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 5a12aac3e83a9883c390c5e4cded99cc1108ac5d +Subproject commit 3e27199f2cb2b0a2ab3fbeacc86f8a3e48f19613 diff --git a/aux/btest b/aux/btest index 28196a00da..fcecde7c07 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 28196a00da17847fbf4e6fd642b35d0daf653008 +Subproject commit fcecde7c072839c6e48c043e85987f52914e6646 From ae51f72de007a2ae55a34ed40ed0e0a4f5a58029 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 6 Feb 2018 08:54:54 -0800 Subject: [PATCH 316/631] Updating NEWS. --- NEWS | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/NEWS b/NEWS index 8296903ba9..27adf879fd 100644 --- a/NEWS +++ b/NEWS 
@@ -91,6 +91,10 @@ Changed Functionality and "data" strings - smb1_transaction2_request now has an additional "args" record argument +- SSL event argument changes: + - event ssl_server_signature now has an additional argument + "signature_and_hashalgorithm". + Removed Functionality --------------------- From c0aab7cf15a8c145020952bf245400355449f9be Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 6 Feb 2018 16:56:00 -0800 Subject: [PATCH 317/631] Fix compile. One final change hadn't made it in. --- CHANGES | 2 +- VERSION | 2 +- src/Reassem.cc | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 20abb912a7..cace20cdec 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,5 @@ -2.5-435 | 2018-02-06 08:40:38 -0800 +2.5-437 | 2018-02-06 16:56:00 -0800 * BIT-1854: Improve reassembly overlap checking. (Corelight) diff --git a/VERSION b/VERSION index 3dcd487379..cbfc766b8d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-435 +2.5-437 diff --git a/src/Reassem.cc b/src/Reassem.cc index 6e41781fd4..a52bff01c6 100644 --- a/src/Reassem.cc +++ b/src/Reassem.cc @@ -42,7 +42,7 @@ uint64 Reassembler::sizes[REASSEM_NUM]; Reassembler::Reassembler(uint64 init_seq, ReassemblerType reassem_type) : blocks(), last_block(), old_blocks(), last_old_block(), last_reassem_seq(init_seq), trim_seq(init_seq), - max_old_blocks(0), total_old_blocks(0), size(0), + max_old_blocks(0), total_old_blocks(0), size_of_all_blocks(0), rtype(reassem_type) { } From 0e83bd3193c1a55c3c7bd06fe75ee140903404dc Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 7 Feb 2018 14:20:59 -0800 Subject: [PATCH 318/631] Fixing unstable test. --- CHANGES | 2 +- VERSION | 2 +- .../bro.config.log | 32 +++++++++---------- .../base/frameworks/config/several-files.bro | 1 + 4 files changed, 19 insertions(+), 18 deletions(-) diff --git a/CHANGES b/CHANGES index c05cc7a314..4d13582a7a 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,5 +1,5 @@ -2.5-444 | 2018-02-06 17:11:26 -0800 +2.5-445 | 2018-02-07 14:20:59 -0800 * Add new configuration framework for dynamically changing script options at runtime. See NEWS for more. (Corelight) diff --git a/VERSION b/VERSION index c85ef94d0c..bbd27fc84a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-444 +2.5-445 diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.several-files/bro.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.several-files/bro.config.log index d8e388f60b..90127d6c1d 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.config.several-files/bro.config.log +++ b/testing/btest/Baseline/scripts.base.frameworks.config.several-files/bro.config.log 
@@ -1,19 +1,19 @@ +#close 2018-02-07-22-20-13 +#empty_field (empty) +#fields ts id old_value new_value location +#open 2018-02-07-22-20-13 +#path config #separator \x09 #set_separator , -#empty_field (empty) -#unset_field - -#path config -#open 2017-10-11-21-01-26 -#fields ts id old_value new_value location #types time string string string string -1507755686.516466 testbool T F ../configfile1 -1507755686.516466 testcount 0 2 ../configfile1 -1507755686.516466 testint 0 -1 ../configfile1 -1507755686.516466 testenum SSH::LOG Conn::LOG ../configfile1 -1507755686.516466 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile1 -1507755686.516466 test_vector (empty) 1,2,3,4,5,6 ../configfile1 -1507755686.516466 testport 42/tcp 45/unknown ../configfile2 -1507755686.516466 testaddr 127.0.0.1 127.0.0.1 ../configfile2 -1507755686.516466 testinterval 1.0 sec 60.0 ../configfile2 -1507755686.516466 testtime 0.0 1507321987.0 ../configfile2 -#close 2017-10-11-21-01-26 +#unset_field - +1518042012.989543 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile1 +1518042012.989543 test_vector (empty) 1,2,3,4,5,6 ../configfile1 +1518042012.989543 testaddr 127.0.0.1 127.0.0.1 ../configfile2 +1518042012.989543 testbool T F ../configfile1 +1518042012.989543 testcount 0 2 ../configfile1 +1518042012.989543 testenum SSH::LOG Conn::LOG ../configfile1 +1518042012.989543 testint 0 -1 ../configfile1 +1518042012.989543 testinterval 1.0 sec 60.0 ../configfile2 +1518042012.989543 testport 42/tcp 45/unknown ../configfile2 +1518042012.989543 testtime 0.0 1507321987.0 ../configfile2 diff --git a/testing/btest/scripts/base/frameworks/config/several-files.bro b/testing/btest/scripts/base/frameworks/config/several-files.bro index d6b84cdaaa..a6742f115d 100644 --- a/testing/btest/scripts/base/frameworks/config/several-files.bro +++ b/testing/btest/scripts/base/frameworks/config/several-files.bro 
@@ -1,5 +1,6 @@ # @TEST-EXEC: btest-bg-run bro bro -b %INPUT # @TEST-EXEC: btest-bg-wait 10 +# @TEST-EXEC: sort bro/config.log >bro/config.log.tmp && mv bro/config.log.tmp bro/config.log # @TEST-EXEC: btest-diff bro/config.log @load base/frameworks/config From cbe585dd874fcccdea97e94835198c449b39031f Mon Sep 17 00:00:00 2001 From: Xiaogrill Date: Sun, 11 Feb 2018 09:02:57 -0800 Subject: [PATCH 319/631] Treat LibreSSL as an older OpenSSL --- src/file_analysis/analyzer/x509/X509.h | 4 ++-- src/file_analysis/analyzer/x509/functions.bif | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index 1e7cd05a62..8cf74fc4c6 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -8,13 +8,13 @@ #include "Val.h" #include "X509Common.h" -#if (OPENSSL_VERSION_NUMBER < 0x10002000L) +#if (OPENSSL_VERSION_NUMBER < 0x10002000L || LIBRESSL_VERSION_NUMBER) #define X509_get_signature_nid(x) OBJ_obj2nid((x)->sig_alg->algorithm) #endif -#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) +#if (OPENSSL_VERSION_NUMBER < 0x1010000fL || LIBRESSL_VERSION_NUMBER) #define X509_OBJECT_new() (X509_OBJECT*)malloc(sizeof(X509_OBJECT)) #define X509_OBJECT_free(a) free(a) diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 6fdb695ce8..18f56758f5 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif @@ -668,7 +668,7 @@ function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signa uint32 cert_length; if ( precert ) { -#if (OPENSSL_VERSION_NUMBER < 0x10002000L) +#if (OPENSSL_VERSION_NUMBER < 0x10002000L || LIBRESSL_VERSION_NUMBER) x->cert_info->enc.modified = 1; cert_length = i2d_X509_CINF(x->cert_info, &cert_out); #else From 6766f52cddb46d05ec9e0ce311394f4f6db4a7e2 Mon Sep 17 00:00:00 2001 
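Review bot: Both guards in the X509.h hunk test `LIBRESSL_VERSION_NUMBER` by value, so on an OpenSSL build the undefined macro is silently read as 0 and triggers `-Wundef` where that warning is enabled. Spelling it `#if (OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER))` states the intent, and the same applies to the `0x1010000fL` guard and to the guard inside `sct_verify` in functions.bif. The condition also puts every LibreSSL release on the legacy path, so a release that ships its own `X509_get_signature_nid` or `X509_OBJECT_new` would presumably clash with these macros. A one-line comment naming the LibreSSL versions this was checked against would tell the next maintainer when to revisit it.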
From: Jon Siwek Date: Mon, 12 Feb 2018 11:00:44 -0600 Subject: [PATCH 320/631] Add limit to number of auth flavors parsed out of MNT replies --- CHANGES | 6 ++++++ VERSION | 2 +- src/analyzer/protocol/rpc/MOUNT.cc | 22 +++++++++++++++++----- 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 4d13582a7a..7b4ea99681 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +2.5-447 | 2018-02-12 11:00:44 -0600 + + * Add limit to number of auth flavors parsed out of MNT replies (Corelight) + + * Treat LibreSSL as an older OpenSSL (Xiaogrill) + 2.5-445 | 2018-02-07 14:20:59 -0800 * Add new configuration framework for dynamically changing script diff --git a/VERSION b/VERSION index bbd27fc84a..3be07dbdfb 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-445 +2.5-447 diff --git a/src/analyzer/protocol/rpc/MOUNT.cc b/src/analyzer/protocol/rpc/MOUNT.cc index 9ec35ef4ab..dd2fcdc959 100644 --- a/src/analyzer/protocol/rpc/MOUNT.cc +++ b/src/analyzer/protocol/rpc/MOUNT.cc 
@@ -260,15 +260,27 @@ RecordVal* MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n, { rep->Assign(0, mount3_fh(buf,n)); - int auth_flavors_count = extract_XDR_uint32(buf, n); + auto auth_flavors_count_in_reply = extract_XDR_uint32(buf, n); + auto auth_flavors_count = auth_flavors_count_in_reply; + const auto max_auth_flavors = 32u; + + if ( auth_flavors_count_in_reply > max_auth_flavors ) + { + Weird("excessive_MNT_auth_flavors"); + auth_flavors_count = max_auth_flavors; + } + VectorType* enum_vector = new VectorType(base_type(TYPE_ENUM)); VectorVal* auth_flavors = new VectorVal(enum_vector); Unref(enum_vector); - for (int i = 0; i < auth_flavors_count; i++) - { - auth_flavors->Assign(auth_flavors->Size(), mount3_auth_flavor(buf, n)); // authentication - } + for ( auto i = 0u; i < auth_flavors_count; ++i ) + auth_flavors->Assign(auth_flavors->Size(), + mount3_auth_flavor(buf, n)); + + if ( auth_flavors_count_in_reply > max_auth_flavors ) + // Prevent further "excess RPC" weirds + n = 0; rep->Assign(1, auth_flavors); } From 85b5c6ffbd8697ff3182b97a30e048dc4c24f949 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 12 Feb 2018 11:09:00 -0600 Subject: [PATCH 321/631] Fix pessimizing-move compiler warning. Returning via move() should never be needed and may result in a compiler warning: "moving a local object in a return statement prevents copy elision". --- CHANGES | 4 ++++ VERSION | 2 +- src/ID.cc | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 7b4ea99681..d28e76872a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-448 | 2018-02-12 11:09:00 -0600 + + * Fix pessimizing-move compiler warning. (Corelight) + 2.5-447 | 2018-02-12 11:00:44 -0600 * Add limit to number of auth flavors parsed out of MNT replies (Corelight) diff --git a/VERSION b/VERSION index 3be07dbdfb..388b4fad5e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-447 +2.5-448 diff --git a/src/ID.cc b/src/ID.cc index eb9644ece0..4216422225 100644 
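Review bot: The capped loop in `mount3_mnt_reply` still runs `auth_flavors_count` times whether or not the reply holds that many entries, because nothing in it looks at `buf` or `n`. If the XDR helpers signal a short read by nulling `buf` and returning a default value (their bodies are not in this hunk), a reply that declares up to 32 flavors but carries fewer would add flavors to the vector that were never on the wire. Stopping on exhaustion avoids that: `for ( auto i = 0u; buf && i < auth_flavors_count; ++i )`. The bound `32u` would also be easier to audit as a named constant with a comment saying where the number comes from. The function starts outside the hunk.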
--- a/src/ID.cc +++ b/src/ID.cc @@ -789,5 +789,5 @@ vector ID::GetOptionHandlers() const vector v; for ( auto& element : option_handlers ) v.push_back(element.second); - return std::move(v); + return v; } From 873049ce128f173e3c92232aa8f78cdd4bf96397 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Mon, 12 Feb 2018 15:05:38 -0600 Subject: [PATCH 322/631] Fix the config framework several-files.bro test The test script needs to wait until the Input::end_of_data event has been raised for each of the config input files. --- .../base/frameworks/config/several-files.bro | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/testing/btest/scripts/base/frameworks/config/several-files.bro b/testing/btest/scripts/base/frameworks/config/several-files.bro index a6742f115d..57d15c0075 100644 --- a/testing/btest/scripts/base/frameworks/config/several-files.bro +++ b/testing/btest/scripts/base/frameworks/config/several-files.bro @@ -42,10 +42,17 @@ export { option test_vector: vector of count = {}; } -event Input::end_of_data(name: string, source:string) +global ct = 0; + +event Input::end_of_data(name: string, source: string) { - if ( sub_bytes(name, 1, 7) != "config-" ) + if ( sub_bytes(name, 1, 7) != "config-" ) return; - terminate(); + ++ct; + + # Exit after this event has been raised for each config file. + if ( ct == 2 ) + terminate(); + } From 1aa95780210865c559a63ab07c771a7ea59fcd14 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 14 Feb 2018 08:49:27 -0800 Subject: [PATCH 323/631] Update submodule [nomail] --- aux/binpac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/binpac b/aux/binpac index e6d13e5dfc..790250e6b3 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit e6d13e5dfc9f727f7c59c0496b529bdb2a1d9b62 +Subproject commit 790250e6b35bfc35d6335ec0f3622b8a0aab3861 From 94b422c88dbc8d84eb4ba244cf6cabfe2f5cdcb6 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Wed, 14 Feb 2018 10:01:17 -0800 Subject: [PATCH 324/631] Updating CHANGES and VERSION. --- CHANGES | 5 +++++ VERSION | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index d28e76872a..6f66237d43 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,9 @@ +2.5-449 | 2018-02-14 08:49:27 -0800 + + * Patch in Binpac submodule that fixes an integer overflow + (Philippe Antoine/Catena cyber). + 2.5-448 | 2018-02-12 11:09:00 -0600 * Fix pessimizing-move compiler warning. (Corelight) diff --git a/VERSION b/VERSION index 388b4fad5e..602858273f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-448 +2.5-449 From d0c29e81e1294f15522d57f6ee253e9a0b410458 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 14 Feb 2018 17:01:04 -0600 Subject: [PATCH 325/631] Fix a warning when building documentation --- src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif b/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif index d22c456ee9..7d02628de9 100644 --- a/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif +++ b/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif @@ -6,7 +6,7 @@ ## c: The connection. ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` -## version 1 message. +## version 1 message. ## ## args: arguments of the message (SMB_Parameters.Words) ## From 45cc4d0e2f53cf27fc7bd14659b8473d57b9c488 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 14 Feb 2018 18:43:34 -0600 Subject: [PATCH 326/631] Fix another warning when building the documentation --- doc/scripting/index.rst | 2 -- 1 file changed, 2 deletions(-) diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst index 6808afe021..2d14ab1323 100644 --- a/doc/scripting/index.rst +++ b/doc/scripting/index.rst 
@@ -1009,8 +1009,6 @@ which is a factor of 5 to an alternate file, while writing the remaining logs to factor.log. .. btest-include:: ${DOC_ROOT}/scripting/framework_logging_factorial_03.bro - :lines: 38-62 - :linenos: To dynamically alter the file in which a stream writes its logs, a filter can specify a function that returns a string to be used as the From 9bc42385f3ea95e8af66b4a53bb5909c2f213611 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 16 Feb 2018 09:02:21 -0800 Subject: [PATCH 327/631] Update submodule [nomail] --- src/3rdparty | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/3rdparty b/src/3rdparty index 1dc8599df2..207d60381c 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 1dc8599df24112504aac5e1256b478eec5054848 +Subproject commit 207d60381c194b400ffdfb97c78aa577661bd177 From 981c8893523c21597a3cd0d600a20f2e6b6eb87f Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 16 Feb 2018 10:44:29 -0800 Subject: [PATCH 328/631] Update list of Certificate Transparency logs. --- scripts/base/protocols/ssl/ct-list.bro | 44 +++++++++++++++++++------- 1 file changed, 32 insertions(+), 12 deletions(-) diff --git a/scripts/base/protocols/ssl/ct-list.bro b/scripts/base/protocols/ssl/ct-list.bro index d48f58877c..1a06c67825 100644 --- a/scripts/base/protocols/ssl/ct-list.bro +++ b/scripts/base/protocols/ssl/ct-list.bro 
@@ -1,12 +1,17 @@ # # Do not edit this file. This file is automatically generated by gen-ct-list.pl -# File generated at Thu Jul 27 16:59:25 2017 +# File generated at Fri Feb 16 10:41:42 2018 # File generated from https://www.gstatic.com/ct/log_list/all_logs_list.json # @load base/protocols/ssl module SSL; redef ct_logs += { +["\xfa\xd4\xc9\x7c\xc4\x9e\xe2\xf8\xac\x85\xc5\xea\x5c\xea\x09\xd0\x22\x0d\xbb\xf4\xe4\x9c\x6b\x50\x66\x2f\xf8\x68\xf8\x6b\x8c\x28"] = CTInfo($description="Google 'Argon2017' log", $operator="Google", $url="ct.googleapis.com/logs/argon2017/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x54\x6d\x7c\x89\xdd\xea\x9d\xf0\xba\x5f\xf4\x6d\x60\x7a\x37\x4f\x02\x25\xbf\x1c\xf6\x6f\x85\xae\xaf\x15\xdf\x69\x6e\xed\xdb\xa9\x9a\x29\x97\xf2\x99\x76\x1e\xe6\x33\x46\x1e\x27\xf4\xbe\x70\xdd\x59\xd7\xba\xcf\xfe\xd0\x72\x8e\xb0\x57\x0f\x9d\x37\x89\x62\xa3"), +["\xa4\x50\x12\x69\x05\x5a\x15\x54\x5e\x62\x11\xab\x37\xbc\x10\x3f\x62\xae\x55\x76\xa4\x5e\x4b\x17\x14\x45\x3e\x1b\x22\x10\x6a\x25"] = CTInfo($description="Google 'Argon2018' log", $operator="Google", $url="ct.googleapis.com/logs/argon2018/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd2\x00\x55\x05\xad\xd5\x47\xb4\x19\xbb\xcd\x95\xfb\x29\xd7\x58\x3d\x78\x24\xcd\xce\x46\x9d\xfb\x32\xd4\x71\x4e\x60\x02\x25\x5e\x59\x3e\xd7\xd4\x03\xb8\x6d\x43\x68\x68\x7e\xe8\xa0\x65\x0b\x3e\x6e\x71\x59\x92\x37\xbe\xa9\xe8\xf1\xa3\x2b\xe4\xd9\x0d\x55\x68"), +["\x63\xf2\xdb\xcd\xe8\x3b\xcc\x2c\xcf\x0b\x72\x84\x27\x57\x6b\x33\xa4\x8d\x61\x77\x8f\xbd\x75\xa6\x38\xb1\xc7\x68\x54\x4b\xd8\x8d"] = CTInfo($description="Google 'Argon2019' log", $operator="Google", $url="ct.googleapis.com/logs/argon2019/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x23\x73\x10\x9b\xe1\xf3\x5e\xf6\x98\x6b\x69\x95\x96\x10\x78\xce\x49\xdb\xb4\x04\xfc\x71\x2c\x5a\x92\x60\x68\x25\xc0\x4a\x1a\xa1\xb0\x61\x2d\x1b\x87\x14\xa9\xba\xf0\x01\x33\x59\x1d\x05\x30\xe9\x42\x15\xe7\x55\xd7\x2a\xf8\xb4\xa2\xba\x45\xc9\x46\x91\x87\x56"), +["\xb2\x1e\x05\xcc\x8b\xa2\xcd\x8a\x20\x4e\x87\x66\xf9\x2b\xb9\x8a\x25\x20\x67\x6b\xda\xfa\x70\xe7\xb2\x49\x53\x2d\xef\x8b\x90\x5e"] = CTInfo($description="Google 'Argon2020' log", $operator="Google", $url="ct.googleapis.com/logs/argon2020/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xe9\x3c\x76\xa7\x5c\x8a\x63\x8d\x35\xe4\xdc\x88\x62\xf7\x6b\x93\x7e\x9e\xb3\x4b\x80\x73\x5c\xc0\xe0\xf4\x3e\x4c\x64\x58\xfb\x76\x63\x51\x32\x18\x63\xd5\xb2\xbb\xed\xea\xff\x5e\x3b\x24\x6e\x2f\x35\x52\x8b\xb4\x35\x9a\xad\x9c\x15\xa8\x69\x20\xea\x50\x18\xcc"), +["\xf6\x5c\x94\x2f\xd1\x77\x30\x22\x14\x54\x18\x08\x30\x94\x56\x8e\xe3\x4d\x13\x19\x33\xbf\xdf\x0c\x2f\x20\x0b\xcc\x4e\xf1\x64\xe3"] = CTInfo($description="Google 'Argon2021' log", $operator="Google", $url="ct.googleapis.com/logs/argon2021/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x4d\xe0\x66\x64\xea\xf3\x64\xaa\x38\xc5\x89\x2d\xc7\xd8\x08\xd9\xc8\x44\x71\xed\xdc\xc3\xfb\x5b\xaf\x9c\x64\xa1\x09\x66\x84\x1d\x7c\x68\xa7\xec\xc4\x3f\x8c\x9c\x82\xe0\x18\xd9\x74\x14\xe9\xb4\x79\x81\xa2\x94\x55\x62\xf3\x9c\x0b\x44\x83\xa1\x2b\xc9\x71\x2b"), ["\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"] = CTInfo($description="Google 'Aviator' log", $operator="Google", $url="ct.googleapis.com/aviator/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xf4\xcc\x69\xb2\xe4\x0e\x90\xa3\x8a\xea\x5a\x70\x09\x4f\xef\x13\x62\xd0\x8d\x49\x60\xff\x1b\x40\x50\x07\x0c\x6d\x71\x86\xda\x25\x49\x8d\x65\xe1\x08\x0d\x47\x34\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85\x3b\x0d\xf7\x1f\x3f\xe9"), ["\x29\x3c\x51\x96\x54\xc8\x39\x65\xba\xaa\x50\xfc\x58\x07\xd4\xb7\x6f\xbf\x58\x7a\x29\x72\xdc\xa4\xc3\x0c\xf4\xe5\x45\x47\xf4\x78"] = CTInfo($description="Google 'Icarus' log", $operator="Google", $url="ct.googleapis.com/icarus/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x4e\xd2\xbc\xbf\xb3\x08\x0a\xf7\xb9\xea\xa4\xc7\x1c\x38\x61\x04\xeb\x95\xe0\x89\x54\x68\x44\xb1\x66\xbc\x82\x7e\x4f\x50\x6c\x6f\x5c\xa3\xf0\xaa\x3e\xf4\xec\x80\xf0\xdb\x0a\x9a\x7a\xa0\x5b\x72\x00\x7c\x25\x0e\x19\xef\xaf\xb2\x62\x8d\x74\x43\xf4\x26\xf6\x14"), ["\xa4\xb9\x09\x90\xb4\x18\x58\x14\x87\xbb\x13\xa2\xcc\x67\x70\x0a\x3c\x35\x98\x04\xf9\x1b\xdf\xb8\xe3\x77\xcd\x0e\xc8\x0d\xdc\x10"] = CTInfo($description="Google 'Pilot' log", $operator="Google", $url="ct.googleapis.com/pilot/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7d\xa8\x4b\x12\x29\x80\xa3\x3d\xad\xd3\x5a\x77\xb8\xcc\xe2\x88\xb3\xa5\xfd\xf1\xd3\x0c\xcd\x18\x0c\xe8\x41\x46\xe8\x81\x01\x1b\x15\xe1\x4b\xf1\x1b\x62\xdd\x36\x0a\x08\x18\xba\xed\x0b\x35\x84\xd0\x9e\x40\x3c\x2d\x9e\x9b\x82\x65\xbd\x1f\x04\x10\x41\x4c\xa0"), 
@@ -15,28 +20,43 @@ redef ct_logs += { ["\xa8\x99\xd8\x78\x0c\x92\x90\xaa\xf4\x62\xf3\x18\x80\xcc\xfb\xd5\x24\x51\xe9\x70\xd0\xfb\xf5\x91\xef\x75\xb0\xd9\x9b\x64\x56\x81"] = CTInfo($description="Google 'Submariner' log", $operator="Google", $url="ct.googleapis.com/submariner/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x39\xf8\x9f\x20\x62\xd4\x57\x55\x68\xa2\xef\x49\x2d\xf0\x39\x2d\x9a\xde\x44\xb4\x94\x30\xe0\x9e\x7a\x27\x3c\xab\x70\xf0\xd1\xfa\x51\x90\x63\x16\x57\x41\xad\xab\x6d\x1f\x80\x74\x30\x79\x02\x5e\x2d\x59\x84\x07\x24\x23\xf6\x9f\x35\xb8\x85\xb8\x42\x45\xa4\x4f"), ["\x1d\x02\x4b\x8e\xb1\x49\x8b\x34\x4d\xfd\x87\xea\x3e\xfc\x09\x96\xf7\x50\x6f\x23\x5d\x1d\x49\x70\x61\xa4\x77\x3c\x43\x9c\x25\xfb"] = CTInfo($description="Google 'Daedalus' log", $operator="Google", $url="ct.googleapis.com/daedalus/", $maximum_merge_delay=604800, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x6e\x0c\x1c\xba\xee\x2b\x6a\x41\x85\x60\x1d\x7b\x7e\xab\x08\x2c\xfc\x0c\x0a\xa5\x08\xb3\x3e\xd5\x70\x24\xd1\x6d\x1d\x2d\xb6\xb7\xf3\x8b\x36\xdc\x23\x4d\x95\x63\x12\xbb\xe4\x86\x8d\xcc\xe9\xd1\xee\xa1\x40\xa2\xdf\x0b\xa3\x06\x0a\x30\xca\x8d\xac\xa4\x29\x56"), ["\xb0\xcc\x83\xe5\xa5\xf9\x7d\x6b\xaf\x7c\x09\xcc\x28\x49\x04\x87\x2a\xc7\xe8\x8b\x13\x2c\x63\x50\xb7\xc6\xfd\x26\xe1\x6c\x6c\x77"] = CTInfo($description="Google 'Testtube' log", $operator="Google", $url="ct.googleapis.com/testtube/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xc3\xc8\xbc\x4b\xba\xa2\x18\x4b\x3d\x35\x7b\xf4\x64\x91\x61\xea\xeb\x8e\x99\x1d\x90\xed\xd3\xe9\xaf\x39\x3d\x5c\xd3\x46\x91\x45\xe3\xce\xac\x76\x48\x3b\xd1\x7e\x2c\x0a\x63\x00\x65\x8d\xf5\xae\x8e\x8c\xc7\x11\x25\x4f\x43\x2c\x9d\x19\xa1\xe1\x91\xa4\xb3\xfe"), 
+["\x1f\xbc\x36\xe0\x02\xed\xe9\x7f\x40\x19\x9e\x86\xb3\x57\x3b\x8a\x42\x17\xd8\x01\x87\x74\x6a\xd0\xda\x03\xa0\x60\x54\xd2\x0d\xf4"] = CTInfo($description="Cloudflare 'Nimbus2017' Log", $operator="Cloudflare", $url="ct.cloudflare.com/logs/nimbus2017/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\x9c\xa9\x07\x8d\x22\x41\xee\x93\xa0\x52\x41\xda\xf4\x80\xf0\x25\xbc\xeb\xfa\xf3\x3c\xd2\x7e\x91\xd8\x3f\x2c\xda\x51\xbd\xc8\xee\x2a\x72\xe3\xff\x18\x56\xe4\x3a\x22\x0f\x22\x3c\xc6\xd5\x30\xb3\x9b\x68\x2e\xab\x56\xc2\x41\x5f\xd6\x64\x57\x14\xb1\x5a\xaf"), +["\xdb\x74\xaf\xee\xcb\x29\xec\xb1\xfe\xca\x3e\x71\x6d\x2c\xe5\xb9\xaa\xbb\x36\xf7\x84\x71\x83\xc7\x5d\x9d\x4f\x37\xb6\x1f\xbf\x64"] = CTInfo($description="Cloudflare 'Nimbus2018' Log", $operator="Cloudflare", $url="ct.cloudflare.com/logs/nimbus2018/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x02\xc5\x69\x5a\xfa\xc7\xdc\xa7\xb4\x55\x16\x8c\x83\xd6\x50\xa1\x08\xdb\xe6\x0f\xf1\x87\x5c\xf7\x0c\x36\xba\x22\xec\x58\xe4\x3c\x8f\xb2\x4e\x9b\xae\x5b\xeb\x50\xd5\xd9\xce\x82\x20\xd0\x37\x2f\x16\x20\x27\xda\x47\x7a\xc6\x6b\xb8\x39\xb9\x39\x5c\x0f\xe7\x46"), +["\x74\x7e\xda\x83\x31\xad\x33\x10\x91\x21\x9c\xce\x25\x4f\x42\x70\xc2\xbf\xfd\x5e\x42\x20\x08\xc6\x37\x35\x79\xe6\x10\x7b\xcc\x56"] = CTInfo($description="Cloudflare 'Nimbus2019' Log", $operator="Cloudflare", $url="ct.cloudflare.com/logs/nimbus2019/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x91\x91\xf3\xd6\xfe\x6b\xf1\xaf\x4b\x99\x74\x8c\x7a\x06\x19\x02\x0e\x14\x5b\xe5\x20\xe7\xa1\xad\x35\xf2\x53\x0c\xd1\x59\xba\xe6\xc4\x25\x88\x16\x7f\x81\x5c\x0b\x90\xfe\x66\x46\x30\xb6\xd5\xd3\x0d\x2a\x38\x3a\x46\xa7\x1b\xd6\xf7\x00\x8e\x2c\xc0\x84\x36\xf2"), 
+["\x5e\xa7\x73\xf9\xdf\x56\xc0\xe7\xb5\x36\x48\x7d\xd0\x49\xe0\x32\x7a\x91\x9a\x0c\x84\xa1\x12\x12\x84\x18\x75\x96\x81\x71\x45\x58"] = CTInfo($description="Cloudflare 'Nimbus2020' Log", $operator="Cloudflare", $url="ct.cloudflare.com/logs/nimbus2020/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd3\x51\x00\x87\x1e\x28\xd3\x33\xd0\xad\x74\xdc\x62\x38\x02\xb7\x83\x15\x16\xc4\xf4\x3f\x08\xf3\x6f\x54\x70\xac\xcd\x25\x85\x60\xe5\xc4\x06\x0f\x3f\xaf\xe0\xc8\xc0\x97\x36\x43\xa7\xff\xb2\x85\xb2\x32\xfb\xaf\x09\x3b\xf2\xd1\xcc\xa5\x8f\x2b\x5e\x7f\x00\x62"), +["\x44\x94\x65\x2e\xb0\xee\xce\xaf\xc4\x40\x07\xd8\xa8\xfe\x28\xc0\xda\xe6\x82\xbe\xd8\xcb\x31\xb5\x3f\xd3\x33\x96\xb5\xb6\x81\xa8"] = CTInfo($description="Cloudflare 'Nimbus2021' Log", $operator="Cloudflare", $url="ct.cloudflare.com/logs/nimbus2021/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xc6\x9a\x27\xee\x2a\x6c\xa9\xe8\x48\x79\x4d\x5b\x9a\x9a\x20\xf5\x31\x68\xe0\xf9\x3c\xfb\xda\x0d\xf0\xe6\x07\x97\x54\x36\x24\x65\x57\x9e\x45\x45\x9e\xeb\xaf\x3e\x04\xa8\xd8\x4a\x7e\xea\xf2\xdf\x7c\xd2\xdc\x98\x46\xf1\x3a\xe7\x33\xd3\x7b\x05\x89\xe9\x9a\xb6"), ["\x56\x14\x06\x9a\x2f\xd7\xc2\xec\xd3\xf5\xe1\xbd\x44\xb2\x3e\xc7\x46\x76\xb9\xbc\x99\x11\x5c\xc0\xef\x94\x98\x55\xd6\x89\xd0\xdd"] = CTInfo($description="DigiCert Log Server", $operator="DigiCert", $url="ct1.digicert-ct.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x02\x46\xc5\xbe\x1b\xbb\x82\x40\x16\xe8\xc1\xd2\xac\x19\x69\x13\x59\xf8\xf8\x70\x85\x46\x40\xb9\x38\xb0\x23\x82\xa8\x64\x4c\x7f\xbf\xbb\x34\x9f\x4a\x5f\x28\x8a\xcf\x19\xc4\x00\xf6\x36\x06\x93\x65\xed\x4c\xf5\xa9\x21\x62\x5a\xd8\x91\xeb\x38\x24\x40\xac\xe8"), 
["\x87\x75\xbf\xe7\x59\x7c\xf8\x8c\x43\x99\x5f\xbd\xf3\x6e\xff\x56\x8d\x47\x56\x36\xff\x4a\xb5\x60\xc1\xb4\xea\xff\x5e\xa0\x83\x0f"] = CTInfo($description="DigiCert Log Server 2", $operator="DigiCert", $url="ct2.digicert-ct.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x5d\x39\x2f\x66\xb8\x4c\x7f\xc1\x2e\x03\xa1\x34\xa3\xe8\x8a\x86\x02\xae\x4a\x11\xc6\xf7\x26\x6a\x37\x9b\xf0\x38\xf8\x5d\x09\x8d\x63\xe8\x31\x6b\x86\x66\xcf\x79\xb3\x25\x3c\x1e\xdf\x78\xb4\xa8\xc5\x69\xfa\xb7\xf0\x82\x79\x62\x43\xf6\xcc\xfe\x81\x66\x84"), -["\xdd\xeb\x1d\x2b\x7a\x0d\x4f\xa6\x20\x8b\x81\xad\x81\x68\x70\x7e\x2e\x8e\x9d\x01\xd5\x5c\x88\x8d\x3d\x11\xc4\xcd\xb6\xec\xbe\xcc"] = CTInfo($description="Symantec log", $operator="Symantec", $url="ct.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\xea\xac\x1c\x46\x0c\x1b\x55\xdc\x0d\xfc\xb5\x94\x27\x46\x57\x42\x70\x3a\x69\x18\xe2\xbf\x3b\xc4\xdb\xab\xa0\xf4\xb6\x6c\xc0\x53\x3f\x4d\x42\x10\x33\xf0\x58\x97\x8f\x6b\xbe\x72\xf4\x2a\xec\x1c\x42\xaa\x03\x2f\x1a\x7e\x28\x35\x76\x99\x08\x3d\x21\x14\x86"), -["\xbc\x78\xe1\xdf\xc5\xf6\x3c\x68\x46\x49\x33\x4d\xa1\x0f\xa1\x5f\x09\x79\x69\x20\x09\xc0\x81\xb4\xf3\xf6\x91\x7f\x3e\xd9\xb8\xa5"] = CTInfo($description="Symantec 'Vega' log", $operator="Symantec", $url="vega.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xea\x95\x9e\x02\xff\xee\xf1\x33\x6d\x4b\x87\xbc\xcd\xfd\x19\x17\x62\xff\x94\xd3\xd0\x59\x07\x3f\x02\x2d\x1c\x90\xfe\xc8\x47\x30\x3b\xf1\xdd\x0d\xb8\x11\x0c\x5d\x1d\x86\xdd\xab\xd3\x2b\x46\x66\xfb\x6e\x65\xb7\x3b\xfd\x59\x68\xac\xdf\xa6\xf8\xce\xd2\x18\x4d"), 
-["\xa7\xce\x4a\x4e\x62\x07\xe0\xad\xde\xe5\xfd\xaa\x4b\x1f\x86\x76\x87\x67\xb5\xd0\x02\xa5\x5d\x47\x31\x0e\x7e\x67\x0a\x95\xea\xb2"] = CTInfo($description="Symantec Deneb", $operator="Symantec", $url="deneb.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\x82\x1e\xa3\xcd\x3a\x80\x84\x1e\x97\xb8\xb7\x07\x19\xae\x76\x1a\x0e\xf8\x55\x76\x9d\x12\x33\x4e\x91\x88\xe4\xd0\x48\x50\x5c\xc1\x9f\x6a\x72\xd6\x01\xf5\x14\xd6\xd0\x38\x6e\xe1\x32\xbc\x67\x0d\x37\xe8\xba\x22\x10\xd1\x72\x86\x79\x28\x96\xf9\x17\x1e\x98"), -["\x15\x97\x04\x88\xd7\xb9\x97\xa0\x5b\xeb\x52\x51\x2a\xde\xe8\xd2\xe8\xb4\xa3\x16\x52\x64\x12\x1a\x9f\xab\xfb\xd5\xf8\x5a\xd9\x3f"] = CTInfo($description="Symantec 'Sirius' log", $operator="Symantec", $url="sirius.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa3\x02\x64\x84\x22\xbb\x25\xec\x0d\xe3\xbc\xc2\xc9\x89\x7d\xdd\x45\xd0\xee\xe6\x15\x85\x8f\xd9\xe7\x17\x1b\x13\x80\xea\xed\xb2\x85\x37\xad\x6a\xc5\xd8\x25\x9d\xfa\xf4\xb4\xf3\x6e\x16\x28\x25\x37\xea\xa3\x37\x64\xb2\xc7\x0b\xfd\x51\xe5\xc1\x05\xf4\x0e\xb5"), +["\xc1\x16\x4a\xe0\xa7\x72\xd2\xd4\x39\x2d\xc8\x0a\xc1\x07\x70\xd4\xf0\xc4\x9b\xde\x99\x1a\x48\x40\xc1\xfa\x07\x51\x64\xf6\x33\x60"] = CTInfo($description="DigiCert Yeti2018 Log", $operator="DigiCert", $url="yeti2018.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x49\x89\x4a\x14\x32\xcb\x16\x60\x3d\x25\x27\x1a\x89\xa3\x67\xaa\x55\x3c\xa1\x60\xf2\xb7\x12\x18\x31\xfb\x30\x1f\x2f\x44\xb2\x0d\x1a\x89\x7f\x96\x9c\xff\xf2\x8f\x83\xb4\x56\x21\x07\xb4\xbc\x1b\x98\xe4\x1e\x49\x60\x46\x90\x8b\xbd\x60\xaf\x42\x2d\xe7\xab\xfa"), 
+["\xe2\x69\x4b\xae\x26\xe8\xe9\x40\x09\xe8\x86\x1b\xb6\x3b\x83\xd4\x3e\xe7\xfe\x74\x88\xfb\xa4\x8f\x28\x93\x01\x9d\xdd\xf1\xdb\xfe"] = CTInfo($description="DigiCert Yeti2019 Log", $operator="DigiCert", $url="yeti2019.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x91\x97\x7f\xa3\x0f\x17\xf8\x54\x95\x58\x05\x52\x7f\xcc\x73\x90\x5a\x21\x70\xfa\x61\xff\x1e\xa9\x4b\x52\x47\x87\xb8\x35\xc2\x70\x99\xe7\x2f\xfc\x1e\x4e\xa3\xcc\x9c\x6c\xea\xdd\xd8\x30\x05\xb3\xd8\x23\xdd\xe1\x59\x02\x77\x1c\x0a\x7b\x11\xa1\x70\x5c\x43\xf4"), +["\xf0\x95\xa4\x59\xf2\x00\xd1\x82\x40\x10\x2d\x2f\x93\x88\x8e\xad\x4b\xfe\x1d\x47\xe3\x99\xe1\xd0\x34\xa6\xb0\xa8\xaa\x8e\xb2\x73"] = CTInfo($description="DigiCert Yeti2020 Log", $operator="DigiCert", $url="yeti2020.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x51\x10\x06\xf9\x9a\x34\x69\xcd\xe7\xdf\xb8\x9f\x64\xa5\x21\x04\x51\x15\xea\x37\xdc\x0b\x31\x88\x47\x3d\xed\xb2\xaf\x02\x6b\xd0\x4f\xff\x95\xd4\x1f\x2e\x99\x8a\xab\x0f\x68\x01\x1b\x54\xcd\x2e\x23\x74\xe6\xf5\x4d\xb8\x45\x50\x47\x47\xd2\x71\x0c\x49\x4f\x9a"), +["\x5c\xdc\x43\x92\xfe\xe6\xab\x45\x44\xb1\x5e\x9a\xd4\x56\xe6\x10\x37\xfb\xd5\xfa\x47\xdc\xa1\x73\x94\xb2\x5e\xe6\xf6\xc7\x0e\xca"] = CTInfo($description="DigiCert Yeti2021 Log", $operator="DigiCert", $url="yeti2021.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xe8\x9e\x04\x6d\xca\x48\x02\x5d\x7e\x02\x44\x91\xb1\xb8\x68\x63\x9a\x11\x4e\x3d\xd5\xa0\x57\xda\x7f\x50\xe5\x42\x47\xe2\xed\x16\xde\xfc\x77\x23\x7d\x5b\x6b\xc0\xdf\x23\x68\x2f\xad\x40\x31\xa3\x17\xe7\x6a\xbc\xa8\x56\x24\x04\x3a\x43\xa7\xaf\xea\xaf\x4c\x7b"), 
+["\x22\x45\x45\x07\x59\x55\x24\x56\x96\x3f\xa1\x2f\xf1\xf7\x6d\x86\xe0\x23\x26\x63\xad\xc0\x4b\x7f\x5d\xc6\x83\x5c\x6e\xe2\x0f\x02"] = CTInfo($description="DigiCert Yeti2022 Log", $operator="DigiCert", $url="yeti2022.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x9f\xf8\xd8\x1d\xde\xfb\x5b\x51\xb5\xfb\x5d\xf5\xb5\xde\x66\x11\xb0\x9d\x5f\xfd\x6f\xfc\xa8\x98\x5b\x98\x4f\x2d\xc3\x91\x3a\xfb\xfe\xc4\x0f\x0d\xc3\x60\x43\x8c\x1e\xf2\xf9\x11\xb2\xba\xd0\xf6\xbc\xa5\xd2\xb6\x9f\xf9\x5c\x87\xa2\x7d\xfc\xd4\x7d\xd6\x13\x26"), +["\x6f\xf1\x41\xb5\x64\x7e\x42\x22\xf7\xef\x05\x2c\xef\xae\x7c\x21\xfd\x60\x8e\x27\xd2\xaf\x5a\x6e\x9f\x4b\x8a\x37\xd6\x63\x3e\xe5"] = CTInfo($description="DigiCert Nessie2018 Log", $operator="DigiCert", $url="nessie2018.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x56\xaa\x4b\x6b\x65\xbe\x47\x3d\x57\x0d\x93\xc1\x23\x22\x89\x3b\xe2\x8a\x14\xe6\x19\x4e\x3f\x4c\xa4\x95\xa7\x65\xe1\x54\xab\x37\x39\x6a\x2b\xce\x89\x61\x15\x86\xcf\x06\xcb\x60\x25\x1f\x78\xab\x58\xf1\x63\x21\x93\xd9\x32\xcd\xc3\xbf\xb3\x3e\xd0\xb6\xcf\xc9"), +["\xfe\x44\x61\x08\xb1\xd0\x1a\xb7\x8a\x62\xcc\xfe\xab\x6a\xb2\xb2\xba\xbf\xf3\xab\xda\xd8\x0a\x4d\x8b\x30\xdf\x2d\x00\x08\x83\x0c"] = CTInfo($description="DigiCert Nessie2019 Log", $operator="DigiCert", $url="nessie2019.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x5f\xed\x27\xb9\xd0\x8a\x22\x67\x7b\x40\x2b\x5e\x96\x13\x2b\x0d\x6d\x0e\x5e\x78\xb9\x44\x4d\x74\xb6\x28\x82\x95\x97\xac\x9a\xbc\x14\x93\x68\x87\x2c\x2a\x13\x1c\x75\x55\xfb\x28\x39\x0f\x89\xff\xaf\x10\x91\x57\x24\x61\x8a\x43\xe9\x54\x33\x8b\x30\xbc\x49\x68"), 
+["\xc6\x52\xa0\xec\x48\xce\xb3\xfc\xab\x17\x09\x92\xc4\x3a\x87\x41\x33\x09\xe8\x00\x65\xa2\x62\x52\x40\x1b\xa3\x36\x2a\x17\xc5\x65"] = CTInfo($description="DigiCert Nessie2020 Log", $operator="DigiCert", $url="nessie2020.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xe2\x11\xc8\xc8\xc5\x48\xad\x1f\x68\x4a\x18\x1b\x40\xc6\x04\x93\xc5\x97\xd6\x59\xa4\x7c\x52\x81\xe3\x8f\x06\x9f\xdd\xca\x6e\xc6\x67\x9f\x09\x63\x0c\x76\x3a\x31\x0a\x84\x9d\x67\xca\x1a\x03\x0e\xab\x48\x21\xdd\x02\xb8\xf1\xce\x59\x07\x75\x0a\x48\x81\x59\xe2"), +["\xee\xc0\x95\xee\x8d\x72\x64\x0f\x92\xe3\xc3\xb9\x1b\xc7\x12\xa3\x69\x6a\x09\x7b\x4b\x6a\x1a\x14\x38\xe6\x47\xb2\xcb\xed\xc5\xf9"] = CTInfo($description="DigiCert Nessie2021 Log", $operator="DigiCert", $url="nessie2021.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf6\x8e\xc0\x8b\x0a\xdb\x18\x12\x17\xe8\xb9\xdc\xe3\xb2\x3a\x39\xf2\xcc\x75\x99\xd1\xcc\xaa\x0f\xe6\xed\x3b\xda\x70\x62\xea\xfa\x48\x38\x4a\x28\x92\xd4\xe2\xd6\x03\x70\x95\x13\xf3\x18\x2d\xb2\x48\x67\xee\x73\x5c\x4b\x0d\xe6\x80\xff\x04\x85\x1a\x0a\x58\x16"), +["\x51\xa3\xb0\xf5\xfd\x01\x79\x9c\x56\x6d\xb8\x37\x78\x8f\x0c\xa4\x7a\xcc\x1b\x27\xcb\xf7\x9e\x88\x42\x9a\x0d\xfe\xd4\x8b\x05\xe5"] = CTInfo($description="DigiCert Nessie2022 Log", $operator="DigiCert", $url="nessie2022.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x27\x24\xdd\x68\x03\x28\xcb\xfe\x63\xbe\x0e\x11\x47\x4d\x7d\x17\x68\xa1\x11\x5d\x4c\x71\xc9\x41\x28\xc7\xb6\xa2\x4b\x97\xec\xc0\xaf\xfc\x2f\x3b\xbf\xe9\xf1\xb1\xfc\xf5\x01\xff\xa9\xfb\x49\x40\x0c\x63\x24\x98\xd7\x79\x2e\xa6\x55\xab\x16\xc6\xbe\x51\xd8\x71"), 
+["\xdd\xeb\x1d\x2b\x7a\x0d\x4f\xa6\x20\x8b\x81\xad\x81\x68\x70\x7e\x2e\x8e\x9d\x01\xd5\x5c\x88\x8d\x3d\x11\xc4\xcd\xb6\xec\xbe\xcc"] = CTInfo($description="Symantec log", $operator="DigiCert", $url="ct.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\xea\xac\x1c\x46\x0c\x1b\x55\xdc\x0d\xfc\xb5\x94\x27\x46\x57\x42\x70\x3a\x69\x18\xe2\xbf\x3b\xc4\xdb\xab\xa0\xf4\xb6\x6c\xc0\x53\x3f\x4d\x42\x10\x33\xf0\x58\x97\x8f\x6b\xbe\x72\xf4\x2a\xec\x1c\x42\xaa\x03\x2f\x1a\x7e\x28\x35\x76\x99\x08\x3d\x21\x14\x86"), +["\xbc\x78\xe1\xdf\xc5\xf6\x3c\x68\x46\x49\x33\x4d\xa1\x0f\xa1\x5f\x09\x79\x69\x20\x09\xc0\x81\xb4\xf3\xf6\x91\x7f\x3e\xd9\xb8\xa5"] = CTInfo($description="Symantec 'Vega' log", $operator="DigiCert", $url="vega.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xea\x95\x9e\x02\xff\xee\xf1\x33\x6d\x4b\x87\xbc\xcd\xfd\x19\x17\x62\xff\x94\xd3\xd0\x59\x07\x3f\x02\x2d\x1c\x90\xfe\xc8\x47\x30\x3b\xf1\xdd\x0d\xb8\x11\x0c\x5d\x1d\x86\xdd\xab\xd3\x2b\x46\x66\xfb\x6e\x65\xb7\x3b\xfd\x59\x68\xac\xdf\xa6\xf8\xce\xd2\x18\x4d"), +["\xa7\xce\x4a\x4e\x62\x07\xe0\xad\xde\xe5\xfd\xaa\x4b\x1f\x86\x76\x87\x67\xb5\xd0\x02\xa5\x5d\x47\x31\x0e\x7e\x67\x0a\x95\xea\xb2"] = CTInfo($description="Symantec Deneb", $operator="DigiCert", $url="deneb.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\x82\x1e\xa3\xcd\x3a\x80\x84\x1e\x97\xb8\xb7\x07\x19\xae\x76\x1a\x0e\xf8\x55\x76\x9d\x12\x33\x4e\x91\x88\xe4\xd0\x48\x50\x5c\xc1\x9f\x6a\x72\xd6\x01\xf5\x14\xd6\xd0\x38\x6e\xe1\x32\xbc\x67\x0d\x37\xe8\xba\x22\x10\xd1\x72\x86\x79\x28\x96\xf9\x17\x1e\x98"), 
+["\x15\x97\x04\x88\xd7\xb9\x97\xa0\x5b\xeb\x52\x51\x2a\xde\xe8\xd2\xe8\xb4\xa3\x16\x52\x64\x12\x1a\x9f\xab\xfb\xd5\xf8\x5a\xd9\x3f"] = CTInfo($description="Symantec 'Sirius' log", $operator="DigiCert", $url="sirius.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa3\x02\x64\x84\x22\xbb\x25\xec\x0d\xe3\xbc\xc2\xc9\x89\x7d\xdd\x45\xd0\xee\xe6\x15\x85\x8f\xd9\xe7\x17\x1b\x13\x80\xea\xed\xb2\x85\x37\xad\x6a\xc5\xd8\x25\x9d\xfa\xf4\xb4\xf3\x6e\x16\x28\x25\x37\xea\xa3\x37\x64\xb2\xc7\x0b\xfd\x51\xe5\xc1\x05\xf4\x0e\xb5"), ["\xcd\xb5\x17\x9b\x7f\xc1\xc0\x46\xfe\xea\x31\x13\x6a\x3f\x8f\x00\x2e\x61\x82\xfa\xf8\x89\x6f\xec\xc8\xb2\xf5\xb5\xab\x60\x49\x00"] = CTInfo($description="Certly.IO log", $operator="Certly", $url="log.certly.io/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x0b\x23\xcb\x85\x62\x98\x61\x48\x04\x73\xeb\x54\x5d\xf3\xd0\x07\x8c\x2d\x19\x2d\x8c\x36\xf5\xeb\x8f\x01\x42\x0a\x7c\x98\x26\x27\xc1\xb5\xdd\x92\x93\xb0\xae\xf8\x9b\x3d\x0c\xd8\x4c\x4e\x1d\xf9\x15\xfb\x47\x68\x7b\xba\x66\xb7\x25\x9c\xd0\x4a\xc2\x66\xdb\x48"), ["\x74\x61\xb4\xa0\x9c\xfb\x3d\x41\xd7\x51\x59\x57\x5b\x2e\x76\x49\xa4\x45\xa8\xd2\x77\x09\xb0\xcc\x56\x4a\x64\x82\xb7\xeb\x41\xa3"] = CTInfo($description="Izenpe log", $operator="Izenpe", $url="ct.izenpe.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x27\x64\x39\x0c\x2d\xdc\x50\x18\xf8\x21\x00\xa2\x0e\xed\x2c\xea\x3e\x75\xba\x9f\x93\x64\x09\x00\x11\xc4\x11\x17\xab\x5c\xcf\x0f\x74\xac\xb5\x97\x90\x93\x00\x5b\xb8\xeb\xf7\x27\x3d\xd9\xb2\x0a\x81\x5f\x2f\x0d\x75\x38\x94\x37\x99\x1e\xf6\x07\x76\xe0\xee\xbe"), 
["\x89\x41\x44\x9c\x70\x74\x2e\x06\xb9\xfc\x9c\xe7\xb1\x16\xba\x00\x24\xaa\x36\xd5\x9a\xf4\x4f\x02\x04\x40\x4f\x00\xf7\xea\x85\x66"] = CTInfo($description="Izenpe 'Argi' log", $operator="Izenpe", $url="ct.izenpe.eus/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xc8\x0e\x23\x3e\x9e\x02\x3c\x9a\xb8\x07\x4a\x2a\x05\xff\x4a\x4b\x88\xd4\x8a\x4d\x39\xce\xf7\xc5\xf2\xb6\x37\xe9\xa3\xed\xe4\xf5\x45\x09\x0e\x67\x14\xfd\x53\x24\xd5\x3a\x94\xf2\xea\xb5\x13\xd9\x1d\x8b\x5c\xa7\xc3\xf3\x6b\xd8\x3f\x2d\x3b\x65\x72\x58\xd6"), -["\x9e\x4f\xf7\x3d\xc3\xce\x22\x0b\x69\x21\x7c\x89\x9e\x46\x80\x76\xab\xf8\xd7\x86\x36\xd5\xcc\xfc\x85\xa3\x1a\x75\x62\x8b\xa8\x8b"] = CTInfo($description="WoSign CT log #1", $operator="Wosign", $url="ct.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xec\x2f\x2b\x75\x4f\x37\xbc\xa3\x43\xba\x8b\x65\x66\x3c\x7d\x6a\xe5\x0c\x2a\xa6\xc2\xe5\x26\xfe\x0c\x7d\x4e\x7c\xf0\x3a\xbc\xe2\xd3\x22\xdc\x01\xd0\x1f\x6e\x43\x9c\x5c\x6e\x83\xad\x9c\x15\xf6\xc4\x8d\x60\xb5\x1d\xbb\xa3\x62\x69\x7e\xeb\xa7\xaa\x01\x9b"), -["\x41\xb2\xdc\x2e\x89\xe6\x3c\xe4\xaf\x1b\xa7\xbb\x29\xbf\x68\xc6\xde\xe6\xf9\xf1\xcc\x04\x7e\x30\xdf\xfa\xe3\xb3\xba\x25\x92\x63"] = CTInfo($description="WoSign log", $operator="Wosign", $url="ctlog.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x11\x88\x7b\x2d\x66\xcb\xae\x8f\x4d\x30\x66\x27\x19\x25\x22\x93\x21\x46\xb4\x2f\x01\xd3\xc6\xf9\x2b\xd5\xc8\xba\x73\x9b\x06\xa2\xf0\x8a\x02\x9c\xd0\x6b\x46\x18\x30\x85\xba\xe9\x24\x8b\x0e\xd1\x5b\x70\x28\x0c\x7e\xf1\x3a\x45\x7f\x5a\xf3\x82\x42\x60\x31"), -["\x63\xd0\x00\x60\x26\xdd\xe1\x0b\xb0\x60\x1f\x45\x24\x46\x96\x5e\xe2\xb6\xea\x2c\xd4\xfb\xc9\x5a\xc8\x66\xa5\x50\xaf\x90\x75\xb7"] = 
CTInfo($description="WoSign log 2", $operator="Wosign", $url="ctlog2.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa5\x8c\xe8\x35\x2e\x8e\xe5\x6a\x75\xad\x5c\x4b\x31\x61\x29\x9d\x30\x57\x8e\x02\x13\x5f\xe9\xca\xbb\x52\xa8\x43\x05\x60\xbf\x0d\x73\x57\x77\xb2\x05\xd8\x67\xf6\xf0\x33\xc9\xf9\x44\xde\xb6\x53\x73\xaa\x0c\x55\xc2\x83\x0a\x4b\xce\x5e\x1a\xc7\x17\x1d\xb3\xcd"), +["\x9e\x4f\xf7\x3d\xc3\xce\x22\x0b\x69\x21\x7c\x89\x9e\x46\x80\x76\xab\xf8\xd7\x86\x36\xd5\xcc\xfc\x85\xa3\x1a\x75\x62\x8b\xa8\x8b"] = CTInfo($description="WoSign CT log #1", $operator="WoSign", $url="ct.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xec\x2f\x2b\x75\x4f\x37\xbc\xa3\x43\xba\x8b\x65\x66\x3c\x7d\x6a\xe5\x0c\x2a\xa6\xc2\xe5\x26\xfe\x0c\x7d\x4e\x7c\xf0\x3a\xbc\xe2\xd3\x22\xdc\x01\xd0\x1f\x6e\x43\x9c\x5c\x6e\x83\xad\x9c\x15\xf6\xc4\x8d\x60\xb5\x1d\xbb\xa3\x62\x69\x7e\xeb\xa7\xaa\x01\x9b"), +["\x41\xb2\xdc\x2e\x89\xe6\x3c\xe4\xaf\x1b\xa7\xbb\x29\xbf\x68\xc6\xde\xe6\xf9\xf1\xcc\x04\x7e\x30\xdf\xfa\xe3\xb3\xba\x25\x92\x63"] = CTInfo($description="WoSign log", $operator="WoSign", $url="ctlog.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x11\x88\x7b\x2d\x66\xcb\xae\x8f\x4d\x30\x66\x27\x19\x25\x22\x93\x21\x46\xb4\x2f\x01\xd3\xc6\xf9\x2b\xd5\xc8\xba\x73\x9b\x06\xa2\xf0\x8a\x02\x9c\xd0\x6b\x46\x18\x30\x85\xba\xe9\x24\x8b\x0e\xd1\x5b\x70\x28\x0c\x7e\xf1\x3a\x45\x7f\x5a\xf3\x82\x42\x60\x31"), +["\x63\xd0\x00\x60\x26\xdd\xe1\x0b\xb0\x60\x1f\x45\x24\x46\x96\x5e\xe2\xb6\xea\x2c\xd4\xfb\xc9\x5a\xc8\x66\xa5\x50\xaf\x90\x75\xb7"] = CTInfo($description="WoSign log 2", $operator="WoSign", $url="ctlog2.wosign.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa5\x8c\xe8\x35\x2e\x8e\xe5\x6a\x75\xad\x5c\x4b\x31\x61\x29\x9d\x30\x57\x8e\x02\x13\x5f\xe9\xca\xbb\x52\xa8\x43\x05\x60\xbf\x0d\x73\x57\x77\xb2\x05\xd8\x67\xf6\xf0\x33\xc9\xf9\x44\xde\xb6\x53\x73\xaa\x0c\x55\xc2\x83\x0a\x4b\xce\x5e\x1a\xc7\x17\x1d\xb3\xcd"), ["\xc9\xcf\x89\x0a\x21\x10\x9c\x66\x6c\xc1\x7a\x3e\xd0\x65\xc9\x30\xd0\xe0\x13\x5a\x9f\xeb\xa8\x5a\xf1\x42\x10\xb8\x07\x24\x21\xaa"] = CTInfo($description="GDCA CT log #1", $operator="Wang Shengnan", $url="ct.gdca.com.cn/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xad\x0f\x30\xad\x9e\x79\xa4\x38\x89\x26\x54\x86\xab\x41\x72\x90\x6f\xfb\xca\x17\xa6\xac\xee\xc6\x9f\x7d\x02\x05\xec\x41\xa8\xc7\x41\x9d\x32\x49\xad\xb0\x39\xbd\x3a\x87\x3e\x7c\xee\x68\x6c\x60\xd1\x47\x2a\x93\xae\xe1\x40\xf4\x0b\xc8\x35\x3c\x1d\x0f\x65\xd3"), ["\x92\x4a\x30\xf9\x09\x33\x6f\xf4\x35\xd6\x99\x3a\x10\xac\x75\xa2\xc6\x41\x72\x8e\x7f\xc2\xd6\x59\xae\x61\x88\xff\xad\x40\xce\x01"] = CTInfo($description="GDCA CT log #2", $operator="GDCA", $url="ctlog.gdca.com.cn/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x5b\x4a\xc7\x01\xb7\x74\x54\xba\x40\x9c\x43\x75\x94\x3f\xac\xef\xb3\x71\x56\xb8\xd3\xe2\x7b\xae\xa1\xb1\x3e\x53\xaa\x97\x33\xa1\x82\xbb\x5f\x5d\x1c\x0b\xfa\x85\x0d\xbc\xf7\xe5\xa0\xe0\x22\xf0\xa0\x89\xd9\x0a\x7f\x5f\x26\x94\xd3\x24\xe3\x99\x2e\xe4\x15\x8d"), -["\xdb\x76\xfd\xad\xac\x65\xe7\xd0\x95\x08\x88\x6e\x21\x59\xbd\x8b\x90\x35\x2f\x5f\xea\xd3\xe3\xdc\x5e\x22\xeb\x35\x0a\xcc\x7b\x98"] = CTInfo($description="Comodo 'Dodo' CT log", $operator="Comodo", $url="dodo.ct.comodo.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x2c\xf5\xc2\x31\xf5\x63\x43\x6a\x16\x4a\x0a\xde\xc2\xee\x1f\x21\x6e\x12\x7e\x1d\xe5\x72\x8f\x74\x0b\x02\x99\xd3\xad\x69\xbc\x02\x35\x79\xf9\x61\xe9\xcf\x00\x08\x4f\x74\xa4\xa3\x34\x9a\xe0\x43\x1c\x23\x7e\x8f\x41\xd5\xee\xc7\x1c\xa3\x82\x8a\x40\xfa\xaa\xe0"), +["\xdb\x76\xfd\xad\xac\x65\xe7\xd0\x95\x08\x88\x6e\x21\x59\xbd\x8b\x90\x35\x2f\x5f\xea\xd3\xe3\xdc\x5e\x22\xeb\x35\x0a\xcc\x7b\x98"] = CTInfo($description="Comodo 'Dodo' CT log", $operator="Comodo CA Limited", $url="dodo.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x2c\xf5\xc2\x31\xf5\x63\x43\x6a\x16\x4a\x0a\xde\xc2\xee\x1f\x21\x6e\x12\x7e\x1d\xe5\x72\x8f\x74\x0b\x02\x99\xd3\xad\x69\xbc\x02\x35\x79\xf9\x61\xe9\xcf\x00\x08\x4f\x74\xa4\xa3\x34\x9a\xe0\x43\x1c\x23\x7e\x8f\x41\xd5\xee\xc7\x1c\xa3\x82\x8a\x40\xfa\xaa\xe0"), ["\xac\x3b\x9a\xed\x7f\xa9\x67\x47\x57\x15\x9e\x6d\x7d\x57\x56\x72\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa1\x31\x3b\x75\x78\x2d"] = CTInfo($description="Venafi log", $operator="Venafi", $url="ctlog.api.venafi.com/", $maximum_merge_delay=86400, 
$key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xa2\x5a\x48\x1f\x17\x52\x95\x35\xcb\xa3\x5b\x3a\x1f\x53\x82\x76\x94\xa3\xff\x80\xf2\x1c\x37\x3c\xc0\xb1\xbd\xc1\x59\x8b\xab\x2d\x65\x93\xd7\xf3\xe0\x04\xd5\x9a\x6f\xbf\xd6\x23\x76\x36\x4f\x23\x99\xcb\x54\x28\xad\x8c\x15\x4b\x65\x59\x76\x41\x4a\x9c\xa6\xf7\xb3\x3b\x7e\xb1\xa5\x49\xa4\x17\x51\x6c\x80\xdc\x2a\x90\x50\x4b\x88\x24\xe9\xa5\x12\x32\x93\x04\x48\x90\x02\xfa\x5f\x0e\x30\x87\x8e\x55\x76\x05\xee\x2a\x4c\xce\xa3\x6a\x69\x09\x6e\x25\xad\x82\x76\x0f\x84\x92\xfa\x38\xd6\x86\x4e\x24\x8f\x9b\xb0\x72\xcb\x9e\xe2\x6b\x3f\xe1\x6d\xc9\x25\x75\x23\x88\xa1\x18\x58\x06\x23\x33\x78\xda\x00\xd0\x38\x91\x67\xd2\xa6\x7d\x27\x97\x67\x5a\xc1\xf3\x2f\x17\xe6\xea\xd2\x5b\xe8\x81\xcd\xfd\x92\x68\xe7\xf3\x06\xf0\xe9\x72\x84\xee\x01\xa5\xb1\xd8\x33\xda\xce\x83\xa5\xdb\xc7\xcf\xd6\x16\x7e\x90\x75\x18\xbf\x16\xdc\x32\x3b\x6d\x8d\xab\x82\x17\x1f\x89\x20\x8d\x1d\x9a\xe6\x4d\x23\x08\xdf\x78\x6f\xc6\x05\xbf\x5f\xae\x94\x97\xdb\x5f\x64\xd4\xee\x16\x8b\xa3\x84\x6c\x71\x2b\xf1\xab\x7f\x5d\x0d\x32\xee\x04\xe2\x90\xec\x41\x9f\xfb\x39\xc1\x02\x03\x01\x00\x01"), ["\x03\x01\x9d\xf3\xfd\x85\xa6\x9a\x8e\xbd\x1f\xac\xc6\xda\x9b\xa7\x3e\x46\x97\x74\xfe\x77\xf5\x79\xfc\x5a\x08\xb8\x32\x8c\x1d\x6b"] = CTInfo($description="Venafi Gen2 CT log", $operator="Venafi", $url="ctlog-gen2.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x8e\x27\x27\x7a\xb6\x55\x09\x74\xeb\x6c\x4b\x94\x84\x65\xbc\xe4\x15\xf1\xea\x5a\xd8\x7c\x0e\x37\xce\xba\x3f\x6c\x09\xda\xe7\x29\x96\xd3\x45\x50\x6f\xde\x1e\xb4\x1c\xd2\x83\x88\xff\x29\x2f\xce\xa9\xff\xdf\x34\xde\x75\x0f\xc0\xcc\x18\x0d\x94\x2e\xfc\x37\x01"), ["\xa5\x77\xac\x9c\xed\x75\x48\xdd\x8f\x02\x5b\x67\xa2\x41\x08\x9d\xf8\x6e\x0f\x47\x6e\xc2\x03\xc2\xec\xbe\xdb\x18\x5f\x28\x26\x38"] = CTInfo($description="CNNIC CT log", 
$operator="CNNIC", $url="ctserver.cnnic.cn/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xbf\xb5\x08\x61\x9a\x29\x32\x04\xd3\x25\x63\xe9\xd8\x85\xe1\x86\xe0\x1f\xd6\x5e\x9a\xf7\x33\x3b\x80\x1b\xe7\xb6\x3e\x5f\x2d\xa1\x66\xf6\x95\x4a\x84\xa6\x21\x56\x79\xe8\xf7\x85\xee\x5d\xe3\x7c\x12\xc0\xe0\x89\x22\x09\x22\x3e\xba\x16\x95\x06\xbd\xa8\xb9\xb1\xa9\xb2\x7a\xd6\x61\x2e\x87\x11\xb9\x78\x40\x89\x75\xdb\x0c\xdc\x90\xe0\xa4\x79\xd6\xd5\x5e\x6e\xd1\x2a\xdb\x34\xf4\x99\x3f\x65\x89\x3b\x46\xc2\x29\x2c\x15\x07\x1c\xc9\x4b\x1a\x54\xf8\x6c\x1e\xaf\x60\x27\x62\x0a\x65\xd5\x9a\xb9\x50\x36\x16\x6e\x71\xf6\x1f\x01\xf7\x12\xa7\xfc\xbf\xf6\x21\xa3\x29\x90\x86\x2d\x77\xde\xbb\x4c\xd4\xcf\xfd\xd2\xcf\x82\x2c\x4d\xd4\xf2\xc2\x2d\xac\xa9\xbe\xea\xc3\x19\x25\x43\xb2\xe5\x9a\x6c\x0d\xc5\x1c\xa5\x8b\xf7\x3f\x30\xaf\xb9\x01\x91\xb7\x69\x12\x12\xe5\x83\x61\xfe\x34\x00\xbe\xf6\x71\x8a\xc7\xeb\x50\x92\xe8\x59\xfe\x15\x91\xeb\x96\x97\xf8\x23\x54\x3f\x2d\x8e\x07\xdf\xee\xda\xb3\x4f\xc8\x3c\x9d\x6f\xdf\x3c\x2c\x43\x57\xa1\x47\x0c\x91\x04\xf4\x75\x4d\xda\x89\x81\xa4\x14\x06\x34\xb9\x98\xc3\xda\xf1\xfd\xed\x33\x36\xd3\x16\x2d\x35\x02\x03\x01\x00\x01"), -["\x34\xbb\x6a\xd6\xc3\xdf\x9c\x03\xee\xa8\xa4\x99\xff\x78\x91\x48\x6c\x9d\x5e\x5c\xac\x92\xd0\x1f\x7b\xfd\x1b\xce\x19\xdb\x48\xef"] = CTInfo($description="StartCom log", $operator="StartSSL", $url="ct.startssl.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x48\xf3\x59\xf3\xf6\x05\x18\xd3\xdb\xb2\xed\x46\x7e\xcf\xc8\x11\xb5\x57\xb1\xa8\xd6\x4c\xe6\x9f\xb7\x4a\x1a\x14\x86\x43\xa9\x48\xb0\xcb\x5a\x3f\x3c\x4a\xca\xdf\xc4\x82\x14\x55\x9a\xf8\xf7\x8e\x40\x55\xdc\xf4\xd2\xaf\xea\x75\x74\xfb\x4e\x7f\x60\x86\x2e\x51"), 
+["\x34\xbb\x6a\xd6\xc3\xdf\x9c\x03\xee\xa8\xa4\x99\xff\x78\x91\x48\x6c\x9d\x5e\x5c\xac\x92\xd0\x1f\x7b\xfd\x1b\xce\x19\xdb\x48\xef"] = CTInfo($description="StartCom log", $operator="StartCom", $url="ct.startssl.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x48\xf3\x59\xf3\xf6\x05\x18\xd3\xdb\xb2\xed\x46\x7e\xcf\xc8\x11\xb5\x57\xb1\xa8\xd6\x4c\xe6\x9f\xb7\x4a\x1a\x14\x86\x43\xa9\x48\xb0\xcb\x5a\x3f\x3c\x4a\xca\xdf\xc4\x82\x14\x55\x9a\xf8\xf7\x8e\x40\x55\xdc\xf4\xd2\xaf\xea\x75\x74\xfb\x4e\x7f\x60\x86\x2e\x51"), ["\xe0\x12\x76\x29\xe9\x04\x96\x56\x4e\x3d\x01\x47\x98\x44\x98\xaa\x48\xf8\xad\xb1\x66\x00\xeb\x79\x02\xa1\xef\x99\x09\x90\x62\x73"] = CTInfo($description="PuChuangSiDa CT log", $operator="Beijing PuChuangSiDa Technology Ltd.", $url="www.certificatetransparency.cn/ct/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xac\xcf\x2f\x4b\x70\xac\xf1\x0d\x96\xbf\xe8\x0a\xfe\x44\x9d\xd4\x8c\x17\x9d\xc3\x9a\x10\x11\x84\x13\xed\x8c\xf9\x37\x6d\x83\xe4\x00\x6f\xb1\x4b\xc0\xa6\x89\xc7\x61\x8f\x9a\x34\xbb\x56\x52\xca\x03\x56\x50\xef\x24\x7f\x4b\x49\xe9\x35\x81\xdd\xf0\xe7\x17\xf5\x72\xd2\x23\xc5\xe3\x13\x7f\xd7\x8e\x78\x35\x8f\x49\xde\x98\x04\x8a\x63\xaf\xad\xa2\x39\x70\x95\x84\x68\x4b\x91\x33\xfe\x4c\xe1\x32\x17\xc2\xf2\x61\xb8\x3a\x8d\x39\x7f\xd5\x95\x82\x3e\x56\x19\x50\x45\x6f\xcb\x08\x33\x0d\xd5\x19\x42\x08\x1a\x48\x42\x10\xf1\x68\xc3\xc3\x41\x13\xcb\x0d\x1e\xdb\x02\xb7\x24\x7a\x51\x96\x6e\xbc\x08\xea\x69\xaf\x6d\xef\x92\x98\x8e\x55\xf3\x65\xe5\xe8\x9c\xbe\x1a\x47\x60\x30\x7d\x7a\x80\xad\x56\x83\x7a\x93\xc3\xae\x93\x2b\x6a\x28\x8a\xa6\x5f\x63\x19\x0c\xbe\x7c\x7b\x21\x63\x41\x38\xb7\xf7\xe8\x76\x73\x6b\x85\xcc\xbc\x72\x2b\xc1\x52\xd0\x5b\x5d\x31\x4e\x9d\x2a\xf3\x4d\x9b\x64\x14\x99\x26\xc6\x71\xf8\x7b\xf8\x44\xd5\xe3\x23\x20\xf3\x0a\xd7\x8b\x51\x3e\x
72\x80\xd2\x78\x78\x35\x2d\x4a\xe7\x40\x99\x11\x95\x34\xd4\x2f\x7f\xf9\x5f\x35\x37\x02\x03\x01\x00\x01"), -["\x55\x81\xd4\xc2\x16\x90\x36\x01\x4a\xea\x0b\x9b\x57\x3c\x53\xf0\xc0\xe4\x38\x78\x70\x25\x08\x17\x2f\xa3\xaa\x1d\x07\x13\xd3\x0c"] = CTInfo($description="Comodo 'Sabre' CT log", $operator="Comodo", $url="sabre.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf2\x6f\xd2\x89\x0f\x3f\xc5\xf8\x87\x1e\xab\x65\xb3\xd9\xbb\x17\x23\x8c\x06\x0e\x09\x55\x96\x3d\x0a\x08\xa2\xc5\x71\xb3\xd1\xa9\x2f\x28\x3e\x83\x10\xbf\x12\xd0\x44\x66\x15\xef\x54\xe1\x98\x80\xd0\xce\x24\x6d\x3e\x67\x9a\xe9\x37\x23\xce\x52\x93\x86\xda\x80"), -["\x6f\x53\x76\xac\x31\xf0\x31\x19\xd8\x99\x00\xa4\x51\x15\xff\x77\x15\x1c\x11\xd9\x02\xc1\x00\x29\x06\x8d\xb2\x08\x9a\x37\xd9\x13"] = CTInfo($description="Comodo 'Mammoth' CT log", $operator="Comodo", $url="mammoth.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xef\xe4\x7d\x74\x2e\x15\x15\xb6\xe9\xbb\x23\x8b\xfb\x2c\xb5\xe1\xc7\x80\x98\x47\xfb\x40\x69\x68\xfc\x49\xad\x61\x4e\x83\x47\x3c\x1a\xb7\x8d\xdf\xff\x7b\x30\xb4\xba\xff\x2f\xcb\xa0\x14\xe3\xad\xd5\x85\x3f\x44\x59\x8c\x8c\x60\x8b\xd7\xb8\xb1\xbf\xae\x8c\x67"), +["\x55\x81\xd4\xc2\x16\x90\x36\x01\x4a\xea\x0b\x9b\x57\x3c\x53\xf0\xc0\xe4\x38\x78\x70\x25\x08\x17\x2f\xa3\xaa\x1d\x07\x13\xd3\x0c"] = CTInfo($description="Comodo 'Sabre' CT log", $operator="Comodo CA Limited", $url="sabre.ct.comodo.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf2\x6f\xd2\x89\x0f\x3f\xc5\xf8\x87\x1e\xab\x65\xb3\xd9\xbb\x17\x23\x8c\x06\x0e\x09\x55\x96\x3d\x0a\x08\xa2\xc5\x71\xb3\xd1\xa9\x2f\x28\x3e\x83\x10\xbf\x12\xd0\x44\x66\x15\xef\x54\xe1\x98\x80\xd0\xce\x24\x6d\x3e\x67\x9a\xe9\x37\x23\xce\x52\x93\x86\xda\x80"), +["\x6f\x53\x76\xac\x31\xf0\x31\x19\xd8\x99\x00\xa4\x51\x15\xff\x77\x15\x1c\x11\xd9\x02\xc1\x00\x29\x06\x8d\xb2\x08\x9a\x37\xd9\x13"] = CTInfo($description="Comodo 'Mammoth' CT log", $operator="Comodo CA Limited", $url="mammoth.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xef\xe4\x7d\x74\x2e\x15\x15\xb6\xe9\xbb\x23\x8b\xfb\x2c\xb5\xe1\xc7\x80\x98\x47\xfb\x40\x69\x68\xfc\x49\xad\x61\x4e\x83\x47\x3c\x1a\xb7\x8d\xdf\xff\x7b\x30\xb4\xba\xff\x2f\xcb\xa0\x14\xe3\xad\xd5\x85\x3f\x44\x59\x8c\x8c\x60\x8b\xd7\xb8\xb1\xbf\xae\x8c\x67"), ["\x53\x7b\x69\xa3\x56\x43\x35\xa9\xc0\x49\x04\xe3\x95\x93\xb2\xc2\x98\xeb\x8d\x7a\x6e\x83\x02\x36\x35\xc6\x27\x24\x8c\xd6\xb4\x40"] = CTInfo($description="Nordu 'flimsy' log", $operator="NORDUnet", $url="flimsy.ct.nordu.net:8080/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xe2\xa5\xaa\xe9\xa7\xe1\x05\x48\xb4\x39\xd7\x16\x51\x88\x72\x24\xb3\x57\x4e\x41\xaa\x43\xd3\xcc\x4b\x99\x6a\xa0\x28\x24\x57\x68\x75\x66\xfa\x4d\x8c\x11\xf6\xbb\xc5\x1b\x81\xc3\x90\xc2\xa0\xe8\xeb\xac\xfa\x05\x64\x09\x1a\x89\x68\xcd\x96\x26\x34\x71\x36\x91"), ["\xaa\xe7\x0b\x7f\x3c\xb8\xd5\x66\xc8\x6c\x2f\x16\x97\x9c\x9f\x44\x5f\x69\xab\x0e\xb4\x53\x55\x89\xb2\xf7\x7a\x03\x01\x04\xf3\xcd"] = CTInfo($description="Nordu 'plausible' log", $operator="NORDUnet", $url="plausible.ct.nordu.net/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf5\x45\x7d\xfa\x33\xb6\x30\x24\xf3\x91\xa6\xe8\x74\xed\x85\xec\xb3\x34\xdc\xc5\x01\x73\xc3\x2b\x74\x0b\x64\x71\x6e\xaf\xe8\x60\x3d\xb5\xa4\xd3\xc3\xd4\x09\xaa\x87\xe6\xd0\x16\xdd\x02\xc6\xed\x24\xbf\xee\x9f\x21\x1f\xd3\x32\x24\x46\x05\xe3\x8f\x36\x98\xa9"), ["\xcf\x55\xe2\x89\x23\x49\x7c\x34\x0d\x52\x06\xd0\x53\x53\xae\xb2\x58\x34\xb5\x2f\x1f\x8d\xc9\x52\x68\x09\xf2\x12\xef\xdd\x7c\xa6"] = CTInfo($description="SHECA CT log 1", $operator="SHECA", $url="ctlog.sheca.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x11\xa9\x60\x2b\xb4\x71\x45\x66\xe0\x2e\xde\xd5\x87\x3b\xd5\xfe\xf0\x92\x37\xf4\x68\xc6\x92\xdd\x3f\x1a\xe2\xbc\x0c\x22\xd6\x99\x63\x29\x6e\x32\x28\x14\xc0\x76\x2c\x80\xa8\x22\x51\x91\xd6\xeb\xa6\xd8\xf1\xec\xf0\x07\x7e\xb0\xfc\x76\x70\x76\x72\x7c\x91\xe9"), From 8ea7de9380e2045e393b3bc22f6be0fa252a94ba Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 16 Feb 2018 10:52:13 -0800 Subject: [PATCH 329/631] Update Mozilla CA list to state of NSS 3.35. --- .../base/protocols/ssl/mozilla-ca-list.bro | 58 ++++++------------- 1 file changed, 17 insertions(+), 41 deletions(-) diff --git a/scripts/base/protocols/ssl/mozilla-ca-list.bro b/scripts/base/protocols/ssl/mozilla-ca-list.bro index b637c1b2bf..0e8f16d8b8 100644 --- a/scripts/base/protocols/ssl/mozilla-ca-list.bro +++ b/scripts/base/protocols/ssl/mozilla-ca-list.bro @@ -1,6 +1,6 @@ # Don't edit! This file is automatically generated. -# Generated at: 2016-08-10 09:18:06 -0700 -# Generated from: NSS 3.26 +# Generated at: 2018-02-16 10:50:53 -0800 +# Generated from: NSS 3.35 # # The original source file comes with this licensing statement: # 
@@ -16,41 +16,27 @@ redef root_certs += { ["CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU=(c) 1999 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x04\x1A\x30\x82\x03\x02\x02\x11\x00\x9B\x7E\x06\x49\xA3\x3E\x62\xB9\xD5\xEE\x90\x48\x71\x29\xEF\x57\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x39\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x1E\x17\x0D\x39\x39\x31\x30\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x36\x30\x37\x31\x36\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x39\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69
\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xCB\xBA\x9C\x52\xFC\x78\x1F\x1A\x1E\x6F\x1B\x37\x73\xBD\xF8\xC9\x6B\x94\x12\x30\x4F\xF0\x36\x47\xF5\xD0\x91\x0A\xF5\x17\xC8\xA5\x61\xC1\x16\x40\x4D\xFB\x8A\x61\x90\xE5\x76\x20\xC1\x11\x06\x7D\xAB\x2C\x6E\xA6\xF5\x11\x41\x8E\xFA\x2D\xAD\x2A\x61\x59\xA4\x67\x26\x4C\xD0\xE8\xBC\x52\x5B\x70\x20\x04\x58\xD1\x7A\xC9\xA4\x69\xBC\x83\x17\x64\xAD\x05\x8B\xBC\xD0\x58\xCE\x8D\x8C\xF5\xEB\xF0\x42\x49\x0B\x9D\x97\x27\x67\x32\x6E\xE1\xAE\x93\x15\x1C\x70\xBC\x20\x4D\x2F\x18\xDE\x92\x88\xE8\x6C\x85\x57\x11\x1A\xE9\x7E\xE3\x26\x11\x54\xA2\x45\x96\x55\x83\xCA\x30\x89\xE8\xDC\xD8\xA3\xED\x2A\x80\x3F\x7F\x79\x65\x57\x3E\x15\x20\x66\x08\x2F\x95\x93\xBF\xAA\x47\x2F\xA8\x46\x97\xF0\x12\xE2\xFE\xC2\x0A\x2B\x51\xE6\x76\xE6\xB7\x46\xB7\xE2\x0D\xA6\xCC\xA8\xC3\x4C\x59\x55\x89\xE6\xE8\x53\x5C\x1C\xEA\x9D\xF0\x62\x16\x0B\xA7\xC9\x5F\x0C\xF0\xDE\xC2\x76\xCE\xAF\xF7\x6A\xF2\xFA\x41\xA6\xA2\x33\x14\xC9\xE5\x7A\x63\xD3\x9E\x62\x37\xD5\x85\x65\x9E\x0E\xE6\x53\x24\x74\x1B\x5E\x1D\x12\x53\x5B\xC7\x2C\xE7\x83\x49\x3B\x15\xAE\x8A\x68\xB9\x57\x97\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x11\x14\x96\xC1\xAB\x92\x08\xF7\x3F\x2F\xC9\xB2\xFE\xE4\x5A\x9F\x64\xDE\xDB\x21\x4F\x86\x99\x34\x76\x36\x57\xDD\xD0\x15\x2F\xC5\xAD\x7F\x15\x1F\x37\x62\x73\x3E\xD4\xE7\x5F\xCE\x17\x03\xDB\x35\xFA\x2B\xDB\xAE\x60\x09\x5F\x1E\x5F\x8F\x6E\xBB\x0B\x3D\xEA\x5A\x13\x1E\x0C\x60\x6F\xB5\xC0\xB5\x23\x22\x2E\x07\x0B\xCB\xA9\x74\xCB\x47\xBB\x1D\xC1\xD7\xA5\x6B\xCC\x2F\xD2\x42\xFD\x49\xDD\xA7\x89\xCF\x53\xBA\xDA\x00\x5A\x28\xBF\x82\xDF\xF8\xBA\x13\x1D\x50\x86\x82\xFD\x8E\x30\x8F\x29\x46\xB0\x1E\x3D\x35\xDA\x38\x62\x16\x18\x4A\xAD\xE6\xB6\x51\x6C\xDE\xAF\x62\xEB\x01\xD0\x1E\x24\xFE\x7A\x8F\x12\x1A
\x12\x68\xB8\xFB\x66\x99\x14\x14\x45\x5C\xAE\xE7\xAE\x69\x17\x81\x2B\x5A\x37\xC9\x5E\x2A\xF4\xC6\xE2\xA1\x5C\x54\x9B\xA6\x54\x00\xCF\xF0\xF1\xC1\xC7\x98\x30\x1A\x3B\x36\x16\xDB\xA3\x6E\xEA\xFD\xAD\xB2\xC2\xDA\xEF\x02\x47\x13\x8A\xC0\xF1\xB3\x31\xAD\x4F\x1C\xE1\x4F\x9C\xAF\x0F\x0C\x9D\xF7\x78\x0D\xD8\xF4\x35\x56\x80\xDA\xB7\x6D\x17\x8F\x9D\x1E\x81\x64\xE1\xFE\xC5\x45\xBA\xAD\x6B\xB9\x0A\x7A\x4E\x4F\x4B\x84\xEE\x4B\xF1\x7D\xDD\x11", ["CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net"] = "\x30\x82\x04\x2A\x30\x82\x03\x12\xA0\x03\x02\x01\x02\x02\x04\x38\x63\xDE\xF8\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xB4\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x40\x30\x3E\x06\x03\x55\x04\x0B\x14\x37\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x5F\x32\x30\x34\x38\x20\x69\x6E\x63\x6F\x72\x70\x2E\x20\x62\x79\x20\x72\x65\x66\x2E\x20\x28\x6C\x69\x6D\x69\x74\x73\x20\x6C\x69\x61\x62\x2E\x29\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x28\x63\x29\x20\x31\x39\x39\x39\x20\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x33\x30\x31\x06\x03\x55\x04\x03\x13\x2A\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x28\x32\x30\x34\x38\x29\x30\x1E\x17\x0D\x39\x39\x31\x32\x32\x34\x31\x37\x35\x30\x35\x31\x5A\x17\x0D\x32\x39\x30\x37\x32\x34\x31\x34\x31\x35\x31\x32\x5A\x30\x81\xB4\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x40\x30\x3E\x06\x03\x55\x04\x0B\x14\x37\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x5F\x32\x30\x34\x38\x20\x69\x6E\x63\x6F\x72\x70\x2E\x20\x62\x79\x20\x72\x65\x66\x2E\x20\x28\x6C\x69\x6D\x69\x74\x73\x20\x6C\x69\x61\x62\x2E\x29\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x2
8\x63\x29\x20\x31\x39\x39\x39\x20\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x33\x30\x31\x06\x03\x55\x04\x03\x13\x2A\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x28\x32\x30\x34\x38\x29\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAD\x4D\x4B\xA9\x12\x86\xB2\xEA\xA3\x20\x07\x15\x16\x64\x2A\x2B\x4B\xD1\xBF\x0B\x4A\x4D\x8E\xED\x80\x76\xA5\x67\xB7\x78\x40\xC0\x73\x42\xC8\x68\xC0\xDB\x53\x2B\xDD\x5E\xB8\x76\x98\x35\x93\x8B\x1A\x9D\x7C\x13\x3A\x0E\x1F\x5B\xB7\x1E\xCF\xE5\x24\x14\x1E\xB1\x81\xA9\x8D\x7D\xB8\xCC\x6B\x4B\x03\xF1\x02\x0C\xDC\xAB\xA5\x40\x24\x00\x7F\x74\x94\xA1\x9D\x08\x29\xB3\x88\x0B\xF5\x87\x77\x9D\x55\xCD\xE4\xC3\x7E\xD7\x6A\x64\xAB\x85\x14\x86\x95\x5B\x97\x32\x50\x6F\x3D\xC8\xBA\x66\x0C\xE3\xFC\xBD\xB8\x49\xC1\x76\x89\x49\x19\xFD\xC0\xA8\xBD\x89\xA3\x67\x2F\xC6\x9F\xBC\x71\x19\x60\xB8\x2D\xE9\x2C\xC9\x90\x76\x66\x7B\x94\xE2\xAF\x78\xD6\x65\x53\x5D\x3C\xD6\x9C\xB2\xCF\x29\x03\xF9\x2F\xA4\x50\xB2\xD4\x48\xCE\x05\x32\x55\x8A\xFD\xB2\x64\x4C\x0E\xE4\x98\x07\x75\xDB\x7F\xDF\xB9\x08\x55\x60\x85\x30\x29\xF9\x7B\x48\xA4\x69\x86\xE3\x35\x3F\x1E\x86\x5D\x7A\x7A\x15\xBD\xEF\x00\x8E\x15\x22\x54\x17\x00\x90\x26\x93\xBC\x0E\x49\x68\x91\xBF\xF8\x47\xD3\x9D\x95\x42\xC1\x0E\x4D\xDF\x6F\x26\xCF\xC3\x18\x21\x62\x66\x43\x70\xD6\xD5\xC0\x07\xE1\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x55\xE4\x81\xD1\x11\x80\xBE\xD8\x89\xB9\x08\xA3\x31\xF9\xA1\x24\x09\x16\xB9\x70\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3B\x9B\x8F\x56\x9B\x30\xE7\x53\x99\x7C\x7A\x79\xA7\x4D\x97\xD7\x19\x95\x90\xFB\x06\x1F\xCA\x33\x7C\x46\x63\x8F\x96\x66\x24\xFA\x40\x1B\x21\x27\xCA\xE
6\x72\x73\xF2\x4F\xFE\x31\x99\xFD\xC8\x0C\x4C\x68\x53\xC6\x80\x82\x13\x98\xFA\xB6\xAD\xDA\x5D\x3D\xF1\xCE\x6E\xF6\x15\x11\x94\x82\x0C\xEE\x3F\x95\xAF\x11\xAB\x0F\xD7\x2F\xDE\x1F\x03\x8F\x57\x2C\x1E\xC9\xBB\x9A\x1A\x44\x95\xEB\x18\x4F\xA6\x1F\xCD\x7D\x57\x10\x2F\x9B\x04\x09\x5A\x84\xB5\x6E\xD8\x1D\x3A\xE1\xD6\x9E\xD1\x6C\x79\x5E\x79\x1C\x14\xC5\xE3\xD0\x4C\x93\x3B\x65\x3C\xED\xDF\x3D\xBE\xA6\xE5\x95\x1A\xC3\xB5\x19\xC3\xBD\x5E\x5B\xBB\xFF\x23\xEF\x68\x19\xCB\x12\x93\x27\x5C\x03\x2D\x6F\x30\xD0\x1E\xB6\x1A\xAC\xDE\x5A\xF7\xD1\xAA\xA8\x27\xA6\xFE\x79\x81\xC4\x79\x99\x33\x57\xBA\x12\xB0\xA9\xE0\x42\x6C\x93\xCA\x56\xDE\xFE\x6D\x84\x0B\x08\x8B\x7E\x8D\xEA\xD7\x98\x21\xC6\xF3\xE7\x3C\x79\x2F\x5E\x9C\xD1\x4C\x15\x8D\xE1\xEC\x22\x37\xCC\x9A\x43\x0B\x97\xDC\x80\x90\x8D\xB3\x67\x9B\x6F\x48\x08\x15\x56\xCF\xBF\xF1\x2B\x7C\x5E\x9A\x76\xE9\x59\x90\xC5\x7C\x83\x35\x11\x65\x51", ["CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE"] = "\x30\x82\x03\x77\x30\x82\x02\x5F\xA0\x03\x02\x01\x02\x02\x04\x02\x00\x00\xB9\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x45\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x42\x61\x6C\x74\x69\x6D\x6F\x72\x65\x31\x13\x30\x11\x06\x03\x55\x04\x0B\x13\x0A\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x42\x61\x6C\x74\x69\x6D\x6F\x72\x65\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x30\x30\x35\x31\x32\x31\x38\x34\x36\x30\x30\x5A\x17\x0D\x32\x35\x30\x35\x31\x32\x32\x33\x35\x39\x30\x30\x5A\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x45\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x42\x61\x6C\x74\x69\x6D\x6F\x72\x65\x31\x13\x30\x11\x06\x03\x55\x04\x0B\x13\x0A\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x42\x61\x6C\x74\x69\x6D\x6F\x72\x65\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\
x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA3\x04\xBB\x22\xAB\x98\x3D\x57\xE8\x26\x72\x9A\xB5\x79\xD4\x29\xE2\xE1\xE8\x95\x80\xB1\xB0\xE3\x5B\x8E\x2B\x29\x9A\x64\xDF\xA1\x5D\xED\xB0\x09\x05\x6D\xDB\x28\x2E\xCE\x62\xA2\x62\xFE\xB4\x88\xDA\x12\xEB\x38\xEB\x21\x9D\xC0\x41\x2B\x01\x52\x7B\x88\x77\xD3\x1C\x8F\xC7\xBA\xB9\x88\xB5\x6A\x09\xE7\x73\xE8\x11\x40\xA7\xD1\xCC\xCA\x62\x8D\x2D\xE5\x8F\x0B\xA6\x50\xD2\xA8\x50\xC3\x28\xEA\xF5\xAB\x25\x87\x8A\x9A\x96\x1C\xA9\x67\xB8\x3F\x0C\xD5\xF7\xF9\x52\x13\x2F\xC2\x1B\xD5\x70\x70\xF0\x8F\xC0\x12\xCA\x06\xCB\x9A\xE1\xD9\xCA\x33\x7A\x77\xD6\xF8\xEC\xB9\xF1\x68\x44\x42\x48\x13\xD2\xC0\xC2\xA4\xAE\x5E\x60\xFE\xB6\xA6\x05\xFC\xB4\xDD\x07\x59\x02\xD4\x59\x18\x98\x63\xF5\xA5\x63\xE0\x90\x0C\x7D\x5D\xB2\x06\x7A\xF3\x85\xEA\xEB\xD4\x03\xAE\x5E\x84\x3E\x5F\xFF\x15\xED\x69\xBC\xF9\x39\x36\x72\x75\xCF\x77\x52\x4D\xF3\xC9\x90\x2C\xB9\x3D\xE5\xC9\x23\x53\x3F\x1F\x24\x98\x21\x5C\x07\x99\x29\xBD\xC6\x3A\xEC\xE7\x6E\x86\x3A\x6B\x97\x74\x63\x33\xBD\x68\x18\x31\xF0\x78\x8D\x76\xBF\xFC\x9E\x8E\x5D\x2A\x86\xA7\x4D\x90\xDC\x27\x1A\x39\x02\x03\x01\x00\x01\xA3\x45\x30\x43\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE5\x9D\x59\x30\x82\x47\x58\xCC\xAC\xFA\x08\x54\x36\x86\x7B\x3A\xB5\x04\x4D\xF0\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x03\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x85\x0C\x5D\x8E\xE4\x6F\x51\x68\x42\x05\xA0\xDD\xBB\x4F\x27\x25\x84\x03\xBD\xF7\x64\xFD\x2D\xD7\x30\xE3\xA4\x10\x17\xEB\xDA\x29\x29\xB6\x79\x3F\x76\xF6\x19\x13\x23\xB8\x10\x0A\xF9\x58\xA4\xD4\x61\x70\xBD\x04\x61\x6A\x12\x8A\x17\xD5\x0A\xBD\xC5\xBC\x30\x7C\xD6\xE9\x0C\x25\x8D\x86\x40\x4F\xEC\xCC\xA3\x7E\x38\xC6\x37\x11\x4F\xED\xDD\x68\x31\x8E\x4C\xD2\xB3\x01\x74\xEE\xBE\x75\x5E\x07\x48\x1A\x7F\x70\xFF\x16\x5C\x84\xC0\x79\x85\xB8\x05\xFD\x7F\xBE\x65\x11\xA3\x0F\xC0\x02\xB4\xF8\x52\x37\x39\x04\xD5\xA9\x31\x7A\x18\
xBF\xA0\x2A\xF4\x12\x99\xF7\xA3\x45\x82\xE3\x3C\x5E\xF5\x9D\x9E\xB5\xC8\x9E\x7C\x2E\xC8\xA4\x9E\x4E\x08\x14\x4B\x6D\xFD\x70\x6D\x6B\x1A\x63\xBD\x64\xE6\x1F\xB7\xCE\xF0\xF2\x9F\x2E\xBB\x1B\xB7\xF2\x50\x88\x73\x92\xC2\xE2\xE3\x16\x8D\x9A\x32\x02\xAB\x8E\x18\xDD\xE9\x10\x11\xEE\x7E\x35\xAB\x90\xAF\x3E\x30\x94\x7A\xD0\x33\x3D\xA7\x65\x0F\xF5\xFC\x8E\x9E\x62\xCF\x47\x44\x2C\x01\x5D\xBB\x1D\xB5\x32\xD2\x47\xD2\x38\x2E\xD0\xFE\x81\xDC\x32\x6A\x1E\xB5\xEE\x3C\xD5\xFC\xE7\x81\x1D\x19\xC3\x24\x42\xEA\x63\x39\xA9", - ["CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE"] = "\x30\x82\x04\x18\x30\x82\x03\x00\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x41\x64\x64\x54\x72\x75\x73\x74\x20\x43\x6C\x61\x73\x73\x20\x31\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x30\x30\x35\x33\x30\x31\x30\x33\x38\x33\x31\x5A\x17\x0D\x32\x30\x30\x35\x33\x30\x31\x30\x33\x38\x33\x31\x5A\x30\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x41\x64\x64\x54\x72\x75\x73\x74\x20\x43\x6C\x61\x73\x73\x20\x31\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x96\x96\xD4\x21\x49\x60\xE2\x6B\xE8\x41\x07\x0C\xDE\xC4\xE0\xDC\x13\x23\xCD\xC1\x35\xC7\xFB\xD6\x4E\x11\x0A\x67\x5E\xF5\x06\x5B\x6B\xA5\x08\x3B\x5B\x29\x16\x3A\xE7\x87\xB2\x34\x06\xC5\xBC\x05\xA5\x03\x
7C\x82\xCB\x29\x10\xAE\xE1\x88\x81\xBD\xD6\x9E\xD3\xFE\x2D\x56\xC1\x15\xCE\xE3\x26\x9D\x15\x2E\x10\xFB\x06\x8F\x30\x04\xDE\xA7\xB4\x63\xB4\xFF\xB1\x9C\xAE\x3C\xAF\x77\xB6\x56\xC5\xB5\xAB\xA2\xE9\x69\x3A\x3D\x0E\x33\x79\x32\x3F\x70\x82\x92\x99\x61\x6D\x8D\x30\x08\x8F\x71\x3F\xA6\x48\x57\x19\xF8\x25\xDC\x4B\x66\x5C\xA5\x74\x8F\x98\xAE\xC8\xF9\xC0\x06\x22\xE7\xAC\x73\xDF\xA5\x2E\xFB\x52\xDC\xB1\x15\x65\x20\xFA\x35\x66\x69\xDE\xDF\x2C\xF1\x6E\xBC\x30\xDB\x2C\x24\x12\xDB\xEB\x35\x35\x68\x90\xCB\x00\xB0\x97\x21\x3D\x74\x21\x23\x65\x34\x2B\xBB\x78\x59\xA3\xD6\xE1\x76\x39\x9A\xA4\x49\x8E\x8C\x74\xAF\x6E\xA4\x9A\xA3\xD9\x9B\xD2\x38\x5C\x9B\xA2\x18\xCC\x75\x23\x84\xBE\xEB\xE2\x4D\x33\x71\x8E\x1A\xF0\xC2\xF8\xC7\x1D\xA2\xAD\x03\x97\x2C\xF8\xCF\x25\xC6\xF6\xB8\x24\x31\xB1\x63\x5D\x92\x7F\x63\xF0\x25\xC9\x53\x2E\x1F\xBF\x4D\x02\x03\x01\x00\x01\xA3\x81\xD2\x30\x81\xCF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x95\xB1\xB4\xF0\x94\xB6\xBD\xC7\xDA\xD1\x11\x09\x21\xBE\xC1\xAF\x49\xFD\x10\x7B\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x8F\x06\x03\x55\x1D\x23\x04\x81\x87\x30\x81\x84\x80\x14\x95\xB1\xB4\xF0\x94\xB6\xBD\xC7\xDA\xD1\x11\x09\x21\xBE\xC1\xAF\x49\xFD\x10\x7B\xA1\x69\xA4\x67\x30\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x41\x64\x64\x54\x72\x75\x73\x74\x20\x43\x6C\x61\x73\x73\x20\x31\x20\x43\x41\x20\x52\x6F\x6F\x74\x82\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x2C\x6D\x64\x1B\x1F\xCD\x0D\xDD\xB9\x01\xFA\x96\x63\x34\x32\x48\x47\x99\xAE\x97\xED\xFD\x72\x16\xA6\x73\x47\x5A\xF4\xEB\xDD\xE9\xF5\xD6\xFB\x45\xCC\x29\x89\x44\x5D\xBF\x46\x39\x3D\xE8\xEE\xBC\x4D\x54\x86\x1E\x1D\x6C\xE3\x17\x
27\x43\xE1\x89\x56\x2B\xA9\x6F\x72\x4E\x49\x33\xE3\x72\x7C\x2A\x23\x9A\xBC\x3E\xFF\x28\x2A\xED\xA3\xFF\x1C\x23\xBA\x43\x57\x09\x67\x4D\x4B\x62\x06\x2D\xF8\xFF\x6C\x9D\x60\x1E\xD8\x1C\x4B\x7D\xB5\x31\x2F\xD9\xD0\x7C\x5D\xF8\xDE\x6B\x83\x18\x78\x37\x57\x2F\xE8\x33\x07\x67\xDF\x1E\xC7\x6B\x2A\x95\x76\xAE\x8F\x57\xA3\xF0\xF4\x52\xB4\xA9\x53\x08\xCF\xE0\x4F\xD3\x7A\x53\x8B\xFD\xBB\x1C\x56\x36\xF2\xFE\xB2\xB6\xE5\x76\xBB\xD5\x22\x65\xA7\x3F\xFE\xD1\x66\xAD\x0B\xBC\x6B\x99\x86\xEF\x3F\x7D\xF3\x18\x32\xCA\x7B\xC6\xE3\xAB\x64\x46\x95\xF8\x26\x69\xD9\x55\x83\x7B\x2C\x96\x07\xFF\x59\x2C\x44\xA3\xC6\xE5\xE9\xA9\xDC\xA1\x63\x80\x5A\x21\x5E\x21\xCF\x53\x54\xF0\xBA\x6F\x89\xDB\xA8\xAA\x95\xCF\x8B\xE3\x71\xCC\x1E\x1B\x20\x44\x08\xC0\x7A\xB6\x40\xFD\xC4\xE4\x35\xE1\x1D\x16\x1C\xD0\xBC\x2B\x8E\xD6\x71\xD9", ["CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE"] = "\x30\x82\x04\x36\x30\x82\x03\x1E\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x6F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x26\x30\x24\x06\x03\x55\x04\x0B\x13\x1D\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x30\x30\x35\x33\x30\x31\x30\x34\x38\x33\x38\x5A\x17\x0D\x32\x30\x30\x35\x33\x30\x31\x30\x34\x38\x33\x38\x5A\x30\x6F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x26\x30\x24\x06\x03\x55\x04\x0B\x13\x1D\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x7
2\x6E\x61\x6C\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB7\xF7\x1A\x33\xE6\xF2\x00\x04\x2D\x39\xE0\x4E\x5B\xED\x1F\xBC\x6C\x0F\xCD\xB5\xFA\x23\xB6\xCE\xDE\x9B\x11\x33\x97\xA4\x29\x4C\x7D\x93\x9F\xBD\x4A\xBC\x93\xED\x03\x1A\xE3\x8F\xCF\xE5\x6D\x50\x5A\xD6\x97\x29\x94\x5A\x80\xB0\x49\x7A\xDB\x2E\x95\xFD\xB8\xCA\xBF\x37\x38\x2D\x1E\x3E\x91\x41\xAD\x70\x56\xC7\xF0\x4F\x3F\xE8\x32\x9E\x74\xCA\xC8\x90\x54\xE9\xC6\x5F\x0F\x78\x9D\x9A\x40\x3C\x0E\xAC\x61\xAA\x5E\x14\x8F\x9E\x87\xA1\x6A\x50\xDC\xD7\x9A\x4E\xAF\x05\xB3\xA6\x71\x94\x9C\x71\xB3\x50\x60\x0A\xC7\x13\x9D\x38\x07\x86\x02\xA8\xE9\xA8\x69\x26\x18\x90\xAB\x4C\xB0\x4F\x23\xAB\x3A\x4F\x84\xD8\xDF\xCE\x9F\xE1\x69\x6F\xBB\xD7\x42\xD7\x6B\x44\xE4\xC7\xAD\xEE\x6D\x41\x5F\x72\x5A\x71\x08\x37\xB3\x79\x65\xA4\x59\xA0\x94\x37\xF7\x00\x2F\x0D\xC2\x92\x72\xDA\xD0\x38\x72\xDB\x14\xA8\x45\xC4\x5D\x2A\x7D\xB7\xB4\xD6\xC4\xEE\xAC\xCD\x13\x44\xB7\xC9\x2B\xDD\x43\x00\x25\xFA\x61\xB9\x69\x6A\x58\x23\x11\xB7\xA7\x33\x8F\x56\x75\x59\xF5\xCD\x29\xD7\x46\xB7\x0A\x2B\x65\xB6\xD3\x42\x6F\x15\xB2\xB8\x7B\xFB\xEF\xE9\x5D\x53\xD5\x34\x5A\x27\x02\x03\x01\x00\x01\xA3\x81\xDC\x30\x81\xD9\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xAD\xBD\x98\x7A\x34\xB4\x26\xF7\xFA\xC4\x26\x54\xEF\x03\xBD\xE0\x24\xCB\x54\x1A\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x99\x06\x03\x55\x1D\x23\x04\x81\x91\x30\x81\x8E\x80\x14\xAD\xBD\x98\x7A\x34\xB4\x26\xF7\xFA\xC4\x26\x54\xEF\x03\xBD\xE0\x24\xCB\x54\x1A\xA1\x73\xA4\x71\x30\x6F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x26\x30\x24\x06\x03\x55\x04\x0B\x13\x1D\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x1
9\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x43\x41\x20\x52\x6F\x6F\x74\x82\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xB0\x9B\xE0\x85\x25\xC2\xD6\x23\xE2\x0F\x96\x06\x92\x9D\x41\x98\x9C\xD9\x84\x79\x81\xD9\x1E\x5B\x14\x07\x23\x36\x65\x8F\xB0\xD8\x77\xBB\xAC\x41\x6C\x47\x60\x83\x51\xB0\xF9\x32\x3D\xE7\xFC\xF6\x26\x13\xC7\x80\x16\xA5\xBF\x5A\xFC\x87\xCF\x78\x79\x89\x21\x9A\xE2\x4C\x07\x0A\x86\x35\xBC\xF2\xDE\x51\xC4\xD2\x96\xB7\xDC\x7E\x4E\xEE\x70\xFD\x1C\x39\xEB\x0C\x02\x51\x14\x2D\x8E\xBD\x16\xE0\xC1\xDF\x46\x75\xE7\x24\xAD\xEC\xF4\x42\xB4\x85\x93\x70\x10\x67\xBA\x9D\x06\x35\x4A\x18\xD3\x2B\x7A\xCC\x51\x42\xA1\x7A\x63\xD1\xE6\xBB\xA1\xC5\x2B\xC2\x36\xBE\x13\x0D\xE6\xBD\x63\x7E\x79\x7B\xA7\x09\x0D\x40\xAB\x6A\xDD\x8F\x8A\xC3\xF6\xF6\x8C\x1A\x42\x05\x51\xD4\x45\xF5\x9F\xA7\x62\x21\x68\x15\x20\x43\x3C\x99\xE7\x7C\xBD\x24\xD8\xA9\x91\x17\x73\x88\x3F\x56\x1B\x31\x38\x18\xB4\x71\x0F\x9A\xCD\xC8\x0E\x9E\x8E\x2E\x1B\xE1\x8C\x98\x83\xCB\x1F\x31\xF1\x44\x4C\xC6\x04\x73\x49\x76\x60\x0F\xC7\xF8\xBD\x17\x80\x6B\x2E\xE9\xCC\x4C\x0E\x5A\x9A\x79\x0F\x20\x0A\x2E\xD5\x9E\x63\x26\x1E\x55\x92\x94\xD8\x82\x17\x5A\x7B\xD0\xBC\xC7\x8F\x4E\x86\x04", - ["CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE"] = 
"\x30\x82\x04\x15\x30\x82\x02\xFD\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x41\x64\x64\x54\x72\x75\x73\x74\x20\x50\x75\x62\x6C\x69\x63\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x30\x30\x35\x33\x30\x31\x30\x34\x31\x35\x30\x5A\x17\x0D\x32\x30\x30\x35\x33\x30\x31\x30\x34\x31\x35\x30\x5A\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x41\x64\x64\x54\x72\x75\x73\x74\x20\x50\x75\x62\x6C\x69\x63\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE9\x1A\x30\x8F\x83\x88\x14\xC1\x20\xD8\x3C\x9B\x8F\x1B\x7E\x03\x74\xBB\xDA\x69\xD3\x46\xA5\xF8\x8E\xC2\x0C\x11\x90\x51\xA5\x2F\x66\x54\x40\x55\xEA\xDB\x1F\x4A\x56\xEE\x9F\x23\x6E\xF4\x39\xCB\xA1\xB9\x6F\xF2\x7E\xF9\x5D\x87\x26\x61\x9E\x1C\xF8\xE2\xEC\xA6\x81\xF8\x21\xC5\x24\xCC\x11\x0C\x3F\xDB\x26\x72\x7A\xC7\x01\x97\x07\x17\xF9\xD7\x18\x2C\x30\x7D\x0E\x7A\x1E\x62\x1E\xC6\x4B\xC0\xFD\x7D\x62\x77\xD3\x44\x1E\x27\xF6\x3F\x4B\x44\xB3\xB7\x38\xD9\x39\x1F\x60\xD5\x51\x92\x73\x03\xB4\x00\x69\xE3\xF3\x14\x4E\xEE\xD1\xDC\x09\xCF\x77\x34\x46\x50\xB0\xF8\x11\xF2\xFE\x38\x79\xF7\x07\x39\xFE\x51\x92\x97\x0B\x5B\x08\x5F\x34\x86\x01\xAD\x88\x97\xEB\x66\xCD\x5E\xD1\xFF\xDC\x7D\xF2\x84\xDA\xBA\x77\xAD\xDC\x80\x08\xC7\xA7\x87\xD6\x55\x9F\x97\x6A\xE8\xC8\x11\x64\xBA\xE7\x19\x29\x3F\x11\xB3\x78\x90\x84\x2
0\x52\x5B\x11\xEF\x78\xD0\x83\xF6\xD5\x48\x90\xD0\x30\x1C\xCF\x80\xF9\x60\xFE\x79\xE4\x88\xF2\xDD\x00\xEB\x94\x45\xEB\x65\x94\x69\x40\xBA\xC0\xD5\xB4\xB8\xBA\x7D\x04\x11\xA8\xEB\x31\x05\x96\x94\x4E\x58\x21\x8E\x9F\xD0\x60\xFD\x02\x03\x01\x00\x01\xA3\x81\xD1\x30\x81\xCE\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x81\x3E\x37\xD8\x92\xB0\x1F\x77\x9F\x5C\xB4\xAB\x73\xAA\xE7\xF6\x34\x60\x2F\xFA\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x8E\x06\x03\x55\x1D\x23\x04\x81\x86\x30\x81\x83\x80\x14\x81\x3E\x37\xD8\x92\xB0\x1F\x77\x9F\x5C\xB4\xAB\x73\xAA\xE7\xF6\x34\x60\x2F\xFA\xA1\x68\xA4\x66\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x41\x64\x64\x54\x72\x75\x73\x74\x20\x50\x75\x62\x6C\x69\x63\x20\x43\x41\x20\x52\x6F\x6F\x74\x82\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x03\xF7\x15\x4A\xF8\x24\xDA\x23\x56\x16\x93\x76\xDD\x36\x28\xB9\xAE\x1B\xB8\xC3\xF1\x64\xBA\x20\x18\x78\x95\x29\x27\x57\x05\xBC\x7C\x2A\xF4\xB9\x51\x55\xDA\x87\x02\xDE\x0F\x16\x17\x31\xF8\xAA\x79\x2E\x09\x13\xBB\xAF\xB2\x20\x19\x12\xE5\x93\xF9\x4B\xF9\x83\xE8\x44\xD5\xB2\x41\x25\xBF\x88\x75\x6F\xFF\x10\xFC\x4A\x54\xD0\x5F\xF0\xFA\xEF\x36\x73\x7D\x1B\x36\x45\xC6\x21\x6D\xB4\x15\xB8\x4E\xCF\x9C\x5C\xA5\x3D\x5A\x00\x8E\x06\xE3\x3C\x6B\x32\x7B\xF2\x9F\xF0\xB6\xFD\xDF\xF0\x28\x18\x48\xF0\xC6\xBC\xD0\xBF\x34\x80\x96\xC2\x4A\xB1\x6D\x8E\xC7\x90\x45\xDE\x2F\x67\xAC\x45\x04\xA3\x7A\xDC\x55\x92\xC9\x47\x66\xD8\x1A\x8C\xC7\xED\x9C\x4E\x9A\xE0\x12\xBB\xB5\x6A\x4C\x84\xE1\xE1\x22\x0D\x87\x00\x64\xFE\x8C\x7D\x62\x39\x65\xA6\xEF\x42\xB6\x80\x25\x12\x61\x01\xA8\x24\x13\x70\x00\x11\x26\x5F\xFA\x35\x50\xC5\x48\xCC\x06\x47\xE8\x27\xD
8\x70\x8D\x5F\x64\xE6\xA1\x44\x26\x5E\x22\xEC\x92\xCD\xFF\x42\x9A\x44\x21\x6D\x5C\xC5\xE3\x22\x1D\x5F\x47\x12\xE7\xCE\x5F\x5D\xFA\xD8\xAA\xB1\x33\x2D\xD9\x76\xF2\x4E\x3A\x33\x0C\x2B\xB3\x2D\x90\x06", - ["CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE"] = "\x30\x82\x04\x1E\x30\x82\x03\x06\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x41\x64\x64\x54\x72\x75\x73\x74\x20\x51\x75\x61\x6C\x69\x66\x69\x65\x64\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x30\x30\x35\x33\x30\x31\x30\x34\x34\x35\x30\x5A\x17\x0D\x32\x30\x30\x35\x33\x30\x31\x30\x34\x34\x35\x30\x5A\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x41\x64\x64\x54\x72\x75\x73\x74\x20\x51\x75\x61\x6C\x69\x66\x69\x65\x64\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE4\x1E\x9A\xFE\xDC\x09\x5A\x87\xA4\x9F\x47\xBE\x11\x5F\xAF\x84\x34\xDB\x62\x3C\x79\x78\xB7\xE9\x30\xB5\xEC\x0C\x1C\x2A\xC4\x16\xFF\xE0\xEC\x71\xEB\x8A\xF5\x11\x6E\xED\x4F\x0D\x91\xD2\x12\x18\x2D\x49\x15\x01\xC2\xA4\x22\x13\xC7\x11\x64\xFF\x22\x12\x9A\xB9\x8E\x5C\x2F\x08\xCF\x71\x6A\xB3\x67\x01\x59\xF1\x5D\x46\xF3\xB0\x78\xA5\xF6\x0E\x42\x7A\xE3\x7F\x1B\xCC\xD0\xF0\xB7\x28\xFD\x2A\xEA\x9E\xB3\xB0\xB9\x04\xAA\xFD\xF6\xC7\xB4\xB1\xB8\x2A\xA0\xFB\x58\xF1\x19\xA0\x6F\x70\x25\x7E\x3E\x69\x4A\x
7F\x0F\x22\xD8\xEF\xAD\x08\x11\x9A\x29\x99\xE1\xAA\x44\x45\x9A\x12\x5E\x3E\x9D\x6D\x52\xFC\xE7\xA0\x3D\x68\x2F\xF0\x4B\x70\x7C\x13\x38\xAD\xBC\x15\x25\xF1\xD6\xCE\xAB\xA2\xC0\x31\xD6\x2F\x9F\xE0\xFF\x14\x59\xFC\x84\x93\xD9\x87\x7C\x4C\x54\x13\xEB\x9F\xD1\x2D\x11\xF8\x18\x3A\x3A\xDE\x25\xD9\xF7\xD3\x40\xED\xA4\x06\x12\xC4\x3B\xE1\x91\xC1\x56\x35\xF0\x14\xDC\x65\x36\x09\x6E\xAB\xA4\x07\xC7\x35\xD1\xC2\x03\x33\x36\x5B\x75\x26\x6D\x42\xF1\x12\x6B\x43\x6F\x4B\x71\x94\xFA\x34\x1D\xED\x13\x6E\xCA\x80\x7F\x98\x2F\x6C\xB9\x65\xD8\xE9\x02\x03\x01\x00\x01\xA3\x81\xD4\x30\x81\xD1\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x39\x95\x8B\x62\x8B\x5C\xC9\xD4\x80\xBA\x58\x0F\x97\x3F\x15\x08\x43\xCC\x98\xA7\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x91\x06\x03\x55\x1D\x23\x04\x81\x89\x30\x81\x86\x80\x14\x39\x95\x8B\x62\x8B\x5C\xC9\xD4\x80\xBA\x58\x0F\x97\x3F\x15\x08\x43\xCC\x98\xA7\xA1\x6B\xA4\x69\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x41\x64\x64\x54\x72\x75\x73\x74\x20\x51\x75\x61\x6C\x69\x66\x69\x65\x64\x20\x43\x41\x20\x52\x6F\x6F\x74\x82\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x19\xAB\x75\xEA\xF8\x8B\x65\x61\x95\x13\xBA\x69\x04\xEF\x86\xCA\x13\xA0\xC7\xAA\x4F\x64\x1B\x3F\x18\xF6\xA8\x2D\x2C\x55\x8F\x05\xB7\x30\xEA\x42\x6A\x1D\xC0\x25\x51\x2D\xA7\xBF\x0C\xB3\xED\xEF\x08\x7F\x6C\x3C\x46\x1A\xEA\x18\x43\xDF\x76\xCC\xF9\x66\x86\x9C\x2C\x68\xF5\xE9\x17\xF8\x31\xB3\x18\xC4\xD6\x48\x7D\x23\x4C\x68\xC1\x7E\xBB\x01\x14\x6F\xC5\xD9\x6E\xDE\xBB\x04\x42\x6A\xF8\xF6\x5C\x7D\xE5\xDA\xFA\x87\xEB\x0D\x35\x52\x67\xD0\x9E\x97\x76\x05\x93\x3F\x95\xC7\x01\xE6\x69\x55\x38\x7F\x10\x61\x99\xC9\xE3\x
5F\xA6\xCA\x3E\x82\x63\x48\xAA\xE2\x08\x48\x3E\xAA\xF2\xB2\x85\x62\xA6\xB4\xA7\xD9\xBD\x37\x9C\x68\xB5\x2D\x56\x7D\xB0\xB7\x3F\xA0\xB1\x07\xD6\xE9\x4F\xDC\xDE\x45\x71\x30\x32\x7F\x1B\x2E\x09\xF9\xBF\x52\xA1\xEE\xC2\x80\x3E\x06\x5C\x2E\x55\x40\xC1\x1B\xF5\x70\x45\xB0\xDC\x5D\xFA\xF6\x72\x5A\x77\xD2\x63\xCD\xCF\x58\x89\x00\x42\x63\x3F\x79\x39\xD0\x44\xB0\x82\x6E\x41\x19\xE8\xDD\xE0\xC1\x88\x5A\xD1\x1E\x71\x93\x1F\x24\x30\x74\xE5\x1E\xA8\xDE\x3C\x27\x37\x7F\x83\xAE\x9E\x77\xCF\xF0\x30\xB1\xFF\x4B\x99\xE8\xC6\xA1", ["CN=Entrust Root Certification Authority,OU=(c) 2006 Entrust\, Inc.,OU=www.entrust.net/CPS is incorporated by reference,O=Entrust\, Inc.,C=US"] = "\x30\x82\x04\x91\x30\x82\x03\x79\xA0\x03\x02\x01\x02\x02\x04\x45\x6B\x50\x54\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xB0\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x20\x69\x73\x20\x69\x6E\x63\x6F\x72\x70\x6F\x72\x61\x74\x65\x64\x20\x62\x79\x20\x72\x65\x66\x65\x72\x65\x6E\x63\x65\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x28\x63\x29\x20\x32\x30\x30\x36\x20\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x45\x6E\x74\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x31\x31\x32\x37\x32\x30\x32\x33\x34\x32\x5A\x17\x0D\x32\x36\x31\x31\x32\x37\x32\x30\x35\x33\x34\x32\x5A\x30\x81\xB0\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x20\x69\x73\x20\x69\x6E\x63\x6F\x72\x70\x6F\x72\x61\x74\x65\x64\x20\x62\x7
9\x20\x72\x65\x66\x65\x72\x65\x6E\x63\x65\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x28\x63\x29\x20\x32\x30\x30\x36\x20\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x45\x6E\x74\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB6\x95\xB6\x43\x42\xFA\xC6\x6D\x2A\x6F\x48\xDF\x94\x4C\x39\x57\x05\xEE\xC3\x79\x11\x41\x68\x36\xED\xEC\xFE\x9A\x01\x8F\xA1\x38\x28\xFC\xF7\x10\x46\x66\x2E\x4D\x1E\x1A\xB1\x1A\x4E\xC6\xD1\xC0\x95\x88\xB0\xC9\xFF\x31\x8B\x33\x03\xDB\xB7\x83\x7B\x3E\x20\x84\x5E\xED\xB2\x56\x28\xA7\xF8\xE0\xB9\x40\x71\x37\xC5\xCB\x47\x0E\x97\x2A\x68\xC0\x22\x95\x62\x15\xDB\x47\xD9\xF5\xD0\x2B\xFF\x82\x4B\xC9\xAD\x3E\xDE\x4C\xDB\x90\x80\x50\x3F\x09\x8A\x84\x00\xEC\x30\x0A\x3D\x18\xCD\xFB\xFD\x2A\x59\x9A\x23\x95\x17\x2C\x45\x9E\x1F\x6E\x43\x79\x6D\x0C\x5C\x98\xFE\x48\xA7\xC5\x23\x47\x5C\x5E\xFD\x6E\xE7\x1E\xB4\xF6\x68\x45\xD1\x86\x83\x5B\xA2\x8A\x8D\xB1\xE3\x29\x80\xFE\x25\x71\x88\xAD\xBE\xBC\x8F\xAC\x52\x96\x4B\xAA\x51\x8D\xE4\x13\x31\x19\xE8\x4E\x4D\x9F\xDB\xAC\xB3\x6A\xD5\xBC\x39\x54\x71\xCA\x7A\x7A\x7F\x90\xDD\x7D\x1D\x80\xD9\x81\xBB\x59\x26\xC2\x11\xFE\xE6\x93\xE2\xF7\x80\xE4\x65\xFB\x34\x37\x0E\x29\x80\x70\x4D\xAF\x38\x86\x2E\x9E\x7F\x57\xAF\x9E\x17\xAE\xEB\x1C\xCB\x28\x21\x5F\xB6\x1C\xD8\xE7\xA2\x04\x22\xF9\xD3\xDA\xD8\xCB\x02\x03\x01\x00\x01\xA3\x81\xB0\x30\x81\xAD\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x2B\x06\x03\x55\x1D\x10\x04\x24\x30\x22\x80\x0F\x32\x30\x30\x36\x31\x31\x32\x37\x32\x30\x32\x33\x34\x32\x5A\x81\x0F\x32\x30\x32\x36\x31\x31\x32\x37\x32\x30\x35\x33\x34\x32\x5A\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x68\x90\xE4\x67\xA4\xA6\x53\x80\xC7\x86\x66\xA4\xF1\xF7\x4B\x43\xFB\x84\xB
D\x6D\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x68\x90\xE4\x67\xA4\xA6\x53\x80\xC7\x86\x66\xA4\xF1\xF7\x4B\x43\xFB\x84\xBD\x6D\x30\x1D\x06\x09\x2A\x86\x48\x86\xF6\x7D\x07\x41\x00\x04\x10\x30\x0E\x1B\x08\x56\x37\x2E\x31\x3A\x34\x2E\x30\x03\x02\x04\x90\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x93\xD4\x30\xB0\xD7\x03\x20\x2A\xD0\xF9\x63\xE8\x91\x0C\x05\x20\xA9\x5F\x19\xCA\x7B\x72\x4E\xD4\xB1\xDB\xD0\x96\xFB\x54\x5A\x19\x2C\x0C\x08\xF7\xB2\xBC\x85\xA8\x9D\x7F\x6D\x3B\x52\xB3\x2A\xDB\xE7\xD4\x84\x8C\x63\xF6\x0F\xCB\x26\x01\x91\x50\x6C\xF4\x5F\x14\xE2\x93\x74\xC0\x13\x9E\x30\x3A\x50\xE3\xB4\x60\xC5\x1C\xF0\x22\x44\x8D\x71\x47\xAC\xC8\x1A\xC9\xE9\x9B\x9A\x00\x60\x13\xFF\x70\x7E\x5F\x11\x4D\x49\x1B\xB3\x15\x52\x7B\xC9\x54\xDA\xBF\x9D\x95\xAF\x6B\x9A\xD8\x9E\xE9\xF1\xE4\x43\x8D\xE2\x11\x44\x3A\xBF\xAF\xBD\x83\x42\x73\x52\x8B\xAA\xBB\xA7\x29\xCF\xF5\x64\x1C\x0A\x4D\xD1\xBC\xAA\xAC\x9F\x2A\xD0\xFF\x7F\x7F\xDA\x7D\xEA\xB1\xED\x30\x25\xC1\x84\xDA\x34\xD2\x5B\x78\x83\x56\xEC\x9C\x36\xC3\x26\xE2\x11\xF6\x67\x49\x1D\x92\xAB\x8C\xFB\xEB\xFF\x7A\xEE\x85\x4A\xA7\x50\x80\xF0\xA7\x5C\x4A\x94\x2E\x5F\x05\x99\x3C\x52\x41\xE0\xCD\xB4\x63\xCF\x01\x43\xBA\x9C\x83\xDC\x8F\x60\x3B\xF3\x5A\xB4\xB4\x7B\xAE\xDA\x0B\x90\x38\x75\xEF\x81\x1D\x66\xD2\xF7\x57\x70\x36\xB3\xBF\xFC\x28\xAF\x71\x25\x85\x5B\x13\xFE\x1E\x7F\x5A\xB4\x3C", - ["OU=RSA Security 2048 V3,O=RSA Security Inc"] = 
"\x30\x82\x03\x61\x30\x82\x02\x49\xA0\x03\x02\x01\x02\x02\x10\x0A\x01\x01\x01\x00\x00\x02\x7C\x00\x00\x00\x0A\x00\x00\x00\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3A\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x52\x53\x41\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x49\x6E\x63\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x52\x53\x41\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x32\x30\x34\x38\x20\x56\x33\x30\x1E\x17\x0D\x30\x31\x30\x32\x32\x32\x32\x30\x33\x39\x32\x33\x5A\x17\x0D\x32\x36\x30\x32\x32\x32\x32\x30\x33\x39\x32\x33\x5A\x30\x3A\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x52\x53\x41\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x49\x6E\x63\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x52\x53\x41\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x32\x30\x34\x38\x20\x56\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB7\x8F\x55\x71\xD2\x80\xDD\x7B\x69\x79\xA7\xF0\x18\x50\x32\x3C\x62\x67\xF6\x0A\x95\x07\xDD\xE6\x1B\xF3\x9E\xD9\xD2\x41\x54\x6B\xAD\x9F\x7C\xBE\x19\xCD\xFB\x46\xAB\x41\x68\x1E\x18\xEA\x55\xC8\x2F\x91\x78\x89\x28\xFB\x27\x29\x60\xFF\xDF\x8F\x8C\x3B\xC9\x49\x9B\xB5\xA4\x94\xCE\x01\xEA\x3E\xB5\x63\x7B\x7F\x26\xFD\x19\xDD\xC0\x21\xBD\x84\xD1\x2D\x4F\x46\xC3\x4E\xDC\xD8\x37\x39\x3B\x28\xAF\xCB\x9D\x1A\xEA\x2B\xAF\x21\xA5\xC1\x23\x22\xB8\xB8\x1B\x5A\x13\x87\x57\x83\xD1\xF0\x20\xE7\xE8\x4F\x23\x42\xB0\x00\xA5\x7D\x89\xE9\xE9\x61\x73\x94\x98\x71\x26\xBC\x2D\x6A\xE0\xF7\x4D\xF0\xF1\xB6\x2A\x38\x31\x81\x0D\x29\xE1\x00\xC1\x51\x0F\x4C\x52\xF8\x04\x5A\xAA\x7D\x72\xD3\xB8\x87\x2A\xBB\x63\x10\x03\x2A\xB3\xA1\x4F\x0D\x5A\x5E\x46\xB7\x3D\x0E\xF5\x74\xEC\x99\x9F\xF9\x3D\x24\x81\x88\xA6\xDD\x60\x54\xE8\x95\x36\x3D\xC6\x09\x93\x9A\xA3\x12\x80\x00\x55\x99\x19\x47\xBD\xD0\xA5\x7C\xC3\xBA\xFB\x1F\xF7\xF5\x0F\xF8\xAC\xB9\xB5\xF4\x37\x98\x13\x18\xDE\x85\x5B\xB7\x0C\x82\x3B\x87\x6F\x95\x39\x58\x30\xDA\x6E\x01\x68\x17\x22\xCC\xC0\x0B\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0F\x06\x0
3\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x07\xC3\x51\x30\xA4\xAA\xE9\x45\xAE\x35\x24\xFA\xFF\x24\x2C\x33\xD0\xB1\x9D\x8C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x07\xC3\x51\x30\xA4\xAA\xE9\x45\xAE\x35\x24\xFA\xFF\x24\x2C\x33\xD0\xB1\x9D\x8C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x5F\x3E\x86\x76\x6E\xB8\x35\x3C\x4E\x36\x1C\x1E\x79\x98\xBF\xFD\xD5\x12\x11\x79\x52\x0E\xEE\x31\x89\xBC\xDD\x7F\xF9\xD1\xC6\x15\x21\xE8\x8A\x01\x54\x0D\x3A\xFB\x54\xB9\xD6\x63\xD4\xB1\xAA\x96\x4D\xA2\x42\x4D\xD4\x53\x1F\x8B\x10\xDE\x7F\x65\xBE\x60\x13\x27\x71\x88\xA4\x73\xE3\x84\x63\xD1\xA4\x55\xE1\x50\x93\xE6\x1B\x0E\x79\xD0\x67\xBC\x46\xC8\xBF\x3F\x17\x0D\x95\xE6\xC6\x90\x69\xDE\xE7\xB4\x2F\xDE\x95\x7D\xD0\x12\x3F\x3D\x3E\x7F\x4D\x3F\x14\x68\xF5\x11\x50\xD5\xC1\xF4\x90\xA5\x08\x1D\x31\x60\xFF\x60\x8C\x23\x54\x0A\xAF\xFE\xA1\x6E\xC5\xD1\x7A\x2A\x68\x78\xCF\x1E\x82\x0A\x20\xB4\x1F\xAD\xE5\x85\xB2\x6A\x68\x75\x4E\xAD\x25\x37\x94\x85\xBE\xBD\xA1\xD4\xEA\xB7\x0C\x4B\x3C\x9D\xE8\x12\x00\xF0\x5F\xAC\x0D\xE1\xAC\x70\x63\x73\xF7\x7F\x79\x9F\x32\x25\x42\x74\x05\x80\x28\xBF\xBD\xC1\x24\x96\x58\x15\xB1\x17\x21\xE9\x89\x4B\xDB\x07\x88\x67\xF4\x15\xAD\x70\x3E\x2F\x4D\x85\x3B\xC2\xB7\xDB\xFE\x98\x68\x23\x89\xE1\x74\x0F\xDE\xF4\xC5\x84\x63\x29\x1B\xCC\xCB\x07\xC9\x00\xA4\xA9\xD7\xC2\x22\x4F\x67\xD7\x77\xEC\x20\x05\x61\xDE", ["CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US"] = 
"\x30\x82\x03\x54\x30\x82\x02\x3C\xA0\x03\x02\x01\x02\x02\x03\x02\x34\x56\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x42\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x30\x1E\x17\x0D\x30\x32\x30\x35\x32\x31\x30\x34\x30\x30\x30\x30\x5A\x17\x0D\x32\x32\x30\x35\x32\x31\x30\x34\x30\x30\x30\x30\x5A\x30\x42\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDA\xCC\x18\x63\x30\xFD\xF4\x17\x23\x1A\x56\x7E\x5B\xDF\x3C\x6C\x38\xE4\x71\xB7\x78\x91\xD4\xBC\xA1\xD8\x4C\xF8\xA8\x43\xB6\x03\xE9\x4D\x21\x07\x08\x88\xDA\x58\x2F\x66\x39\x29\xBD\x05\x78\x8B\x9D\x38\xE8\x05\xB7\x6A\x7E\x71\xA4\xE6\xC4\x60\xA6\xB0\xEF\x80\xE4\x89\x28\x0F\x9E\x25\xD6\xED\x83\xF3\xAD\xA6\x91\xC7\x98\xC9\x42\x18\x35\x14\x9D\xAD\x98\x46\x92\x2E\x4F\xCA\xF1\x87\x43\xC1\x16\x95\x57\x2D\x50\xEF\x89\x2D\x80\x7A\x57\xAD\xF2\xEE\x5F\x6B\xD2\x00\x8D\xB9\x14\xF8\x14\x15\x35\xD9\xC0\x46\xA3\x7B\x72\xC8\x91\xBF\xC9\x55\x2B\xCD\xD0\x97\x3E\x9C\x26\x64\xCC\xDF\xCE\x83\x19\x71\xCA\x4E\xE6\xD4\xD5\x7B\xA9\x19\xCD\x55\xDE\xC8\xEC\xD2\x5E\x38\x53\xE5\x5C\x4F\x8C\x2D\xFE\x50\x23\x36\xFC\x66\xE6\xCB\x8E\xA4\x39\x19\x00\xB7\x95\x02\x39\x91\x0B\x0E\xFE\x38\x2E\xD1\x1D\x05\x9A\xF6\x4D\x3E\x6F\x0F\x07\x1D\xAF\x2C\x1E\x8F\x60\x39\xE2\xFA\x36\x53\x13\x39\xD4\x5E\x26\x2B\xDB\x3D\xA8\x14\xBD\x32\xEB\x18\x03\x28\x52\x04\x71\xE5\xAB\x33\x3D\xE1\x38\xBB\x07\x36\x84\x62\x9C\x79\xEA\x16\x30\xF4\x5F\xC0\x2B\xE8\x71\x6B\xE4\xF9\x02\x03\x01\x00\x01\xA3\x53\x30\x51\x3
0\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC0\x7A\x98\x68\x8D\x89\xFB\xAB\x05\x64\x0C\x11\x7D\xAA\x7D\x65\xB8\xCA\xCC\x4E\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xC0\x7A\x98\x68\x8D\x89\xFB\xAB\x05\x64\x0C\x11\x7D\xAA\x7D\x65\xB8\xCA\xCC\x4E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x35\xE3\x29\x6A\xE5\x2F\x5D\x54\x8E\x29\x50\x94\x9F\x99\x1A\x14\xE4\x8F\x78\x2A\x62\x94\xA2\x27\x67\x9E\xD0\xCF\x1A\x5E\x47\xE9\xC1\xB2\xA4\xCF\xDD\x41\x1A\x05\x4E\x9B\x4B\xEE\x4A\x6F\x55\x52\xB3\x24\xA1\x37\x0A\xEB\x64\x76\x2A\x2E\x2C\xF3\xFD\x3B\x75\x90\xBF\xFA\x71\xD8\xC7\x3D\x37\xD2\xB5\x05\x95\x62\xB9\xA6\xDE\x89\x3D\x36\x7B\x38\x77\x48\x97\xAC\xA6\x20\x8F\x2E\xA6\xC9\x0C\xC2\xB2\x99\x45\x00\xC7\xCE\x11\x51\x22\x22\xE0\xA5\xEA\xB6\x15\x48\x09\x64\xEA\x5E\x4F\x74\xF7\x05\x3E\xC7\x8A\x52\x0C\xDB\x15\xB4\xBD\x6D\x9B\xE5\xC6\xB1\x54\x68\xA9\xE3\x69\x90\xB6\x9A\xA5\x0F\xB8\xB9\x3F\x20\x7D\xAE\x4A\xB5\xB8\x9C\xE4\x1D\xB6\xAB\xE6\x94\xA5\xC1\xC7\x83\xAD\xDB\xF5\x27\x87\x0E\x04\x6C\xD5\xFF\xDD\xA0\x5D\xED\x87\x52\xB7\x2B\x15\x02\xAE\x39\xA6\x6A\x74\xE9\xDA\xC4\xE7\xBC\x4D\x34\x1E\xA9\x5C\x4D\x33\x5F\x92\x09\x2F\x88\x66\x5D\x77\x97\xC7\x1D\x76\x13\xA9\xD5\xE5\xF1\x16\x09\x11\x35\xD5\xAC\xDB\x24\x71\x70\x2C\x98\x56\x0B\xD9\x17\xB4\xD1\xE3\x51\x2B\x5E\x75\xE8\xD5\xD0\xDC\x4F\x34\xED\xC2\x05\x66\x80\xA1\xCB\xE6\x33", - ["CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US"] = 
"\x30\x82\x03\x66\x30\x82\x02\x4E\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x44\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x13\x14\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x30\x34\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x17\x0D\x31\x39\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x30\x44\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x13\x14\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x20\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xEF\x3C\x4D\x40\x3D\x10\xDF\x3B\x53\x00\xE1\x67\xFE\x94\x60\x15\x3E\x85\x88\xF1\x89\x0D\x90\xC8\x28\x23\x99\x05\xE8\x2B\x20\x9D\xC6\xF3\x60\x46\xD8\xC1\xB2\xD5\x8C\x31\xD9\xDC\x20\x79\x24\x81\xBF\x35\x32\xFC\x63\x69\xDB\xB1\x2A\x6B\xEE\x21\x58\xF2\x08\xE9\x78\xCB\x6F\xCB\xFC\x16\x52\xC8\x91\xC4\xFF\x3D\x73\xDE\xB1\x3E\xA7\xC2\x7D\x66\xC1\xF5\x7E\x52\x24\x1A\xE2\xD5\x67\x91\xD0\x82\x10\xD7\x78\x4B\x4F\x2B\x42\x39\xBD\x64\x2D\x40\xA0\xB0\x10\xD3\x38\x48\x46\x88\xA1\x0C\xBB\x3A\x33\x2A\x62\x98\xFB\x00\x9D\x13\x59\x7F\x6F\x3B\x72\xAA\xEE\xA6\x0F\x86\xF9\x05\x61\xEA\x67\x7F\x0C\x37\x96\x8B\xE6\x69\x16\x47\x11\xC2\x27\x59\x03\xB3\xA6\x60\xC2\x21\x40\x56\xFA\xA0\xC7\x7D\x3A\x13\xE3\xEC\x57\xC7\xB3\xD6\xAE\x9D\x89\x80\xF7\x01\xE7\x2C\xF6\x96\x2B\x13\x0D\x79\x2C\xD9\xC0\xE4\x86\x7B\x4B\x8C\x0C\x72\x82\x8A\xFB\x17\xCD\x00\x6C\x3A\x13\x3C\xB0\x84\x87\x4B\x16\x7A\x29\xB2\x4F\xDB\x1D\xD4\x0B\xF3\x66\x37\xBD\xD8\xF6\x57\xBB\x5E\x24\x7A\xB8\x3C\x8B\xB9\xFA\x92\x1A\x1A\x84\x9E\xD8\x74\x8F\xAA\x1B\x7F\x5E\xF4\xFE\x45\x22\x21\x02\x03\x01\x00\x01\xA3\x63\x3
0\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x71\x38\x36\xF2\x02\x31\x53\x47\x2B\x6E\xBA\x65\x46\xA9\x10\x15\x58\x20\x05\x09\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x71\x38\x36\xF2\x02\x31\x53\x47\x2B\x6E\xBA\x65\x46\xA9\x10\x15\x58\x20\x05\x09\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x03\xF7\xB5\x2B\xAB\x5D\x10\xFC\x7B\xB2\xB2\x5E\xAC\x9B\x0E\x7E\x53\x78\x59\x3E\x42\x04\xFE\x75\xA3\xAD\xAC\x81\x4E\xD7\x02\x8B\x5E\xC4\x2D\xC8\x52\x76\xC7\x2C\x1F\xFC\x81\x32\x98\xD1\x4B\xC6\x92\x93\x33\x35\x31\x2F\xFC\xD8\x1D\x44\xDD\xE0\x81\x7F\x9D\xE9\x8B\xE1\x64\x91\x62\x0B\x39\x08\x8C\xAC\x74\x9D\x59\xD9\x7A\x59\x52\x97\x11\xB9\x16\x7B\x6F\x45\xD3\x96\xD9\x31\x7D\x02\x36\x0F\x9C\x3B\x6E\xCF\x2C\x0D\x03\x46\x45\xEB\xA0\xF4\x7F\x48\x44\xC6\x08\x40\xCC\xDE\x1B\x70\xB5\x29\xAD\xBA\x8B\x3B\x34\x65\x75\x1B\x71\x21\x1D\x2C\x14\x0A\xB0\x96\x95\xB8\xD6\xEA\xF2\x65\xFB\x29\xBA\x4F\xEA\x91\x93\x74\x69\xB6\xF2\xFF\xE1\x1A\xD0\x0C\xD1\x76\x85\xCB\x8A\x25\xBD\x97\x5E\x2C\x6F\x15\x99\x26\xE7\xB6\x29\xFF\x22\xEC\xC9\x02\xC7\x56\x00\xCD\x49\xB9\xB3\x6C\x7B\x53\x04\x1A\xE2\xA8\xC9\xAA\x12\x05\x23\xC2\xCE\xE7\xBB\x04\x02\xCC\xC0\x47\xA2\xE4\xC4\x29\x2F\x5B\x45\x57\x89\x51\xEE\x3C\xEB\x52\x08\xFF\x07\x35\x1E\x9F\x35\x6A\x47\x4A\x56\x98\xD1\x5A\x85\x1F\x8C\xF5\x22\xBF\xAB\xCE\x83\xF3\xE2\x22\x29\xAE\x7D\x83\x40\xA8\xBA\x6C", ["CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US"] = 
"\x30\x82\x05\x68\x30\x82\x03\x50\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1E\x30\x1C\x06\x03\x55\x04\x03\x13\x15\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x30\x1E\x17\x0D\x30\x34\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1E\x30\x1C\x06\x03\x55\x04\x03\x13\x15\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xA6\x15\x55\xA0\xA3\xC6\xE0\x1F\x8C\x9D\x21\x50\xD7\xC1\xBE\x2B\x5B\xB5\xA4\x9E\xA1\xD9\x72\x58\xBD\x00\x1B\x4C\xBF\x61\xC9\x14\x1D\x45\x82\xAB\xC6\x1D\x80\xD6\x3D\xEB\x10\x9C\x3A\xAF\x6D\x24\xF8\xBC\x71\x01\x9E\x06\xF5\x7C\x5F\x1E\xC1\x0E\x55\xCA\x83\x9A\x59\x30\xAE\x19\xCB\x30\x48\x95\xED\x22\x37\x8D\xF4\x4A\x9A\x72\x66\x3E\xAD\x95\xC0\xE0\x16\x00\xE0\x10\x1F\x2B\x31\x0E\xD7\x94\x54\xD3\x42\x33\xA0\x34\x1D\x1E\x45\x76\xDD\x4F\xCA\x18\x37\xEC\x85\x15\x7A\x19\x08\xFC\xD5\xC7\x9C\xF0\xF2\xA9\x2E\x10\xA9\x92\xE6\x3D\x58\x3D\xA9\x16\x68\x3C\x2F\x75\x21\x18\x7F\x28\x77\xA5\xE1\x61\x17\xB7\xA6\xE9\xF8\x1E\x99\xDB\x73\x6E\xF4\x0A\xA2\x21\x6C\xEE\xDA\xAA\x85\x92\x66\xAF\xF6\x7A\x6B\x82\xDA\xBA\x22\x08\x35\x0F\xCF\x42\xF1\x35\xFA\x6A\xEE\x7E\x2B\x25\xCC\x3A\x11\xE4\x6D\xAF\x73\xB2\x76\x1D\xAD\xD0\xB2\x78\x67\x1A\xA4\x39\x1C\x51\x0B\x67\x56\x83\xFD\x38\x5D\x0D\xCE\xDD\xF0\xBB\x2B\x96\x1F\xDE\x7B\x32\x52\xFD\x1D\xBB\xB5\x06\xA1\xB2\x21\x5E\xA5\xD6\x95\x68\x7F\xF0\x99\x9E\xDC\x45\x08\x3E\xE7\xD2\x09\x0D\x35\x94\xDD\x80\x4E\x53\x97\xD7\xB5\x0
9\x44\x20\x64\x16\x17\x03\x02\x4C\x53\x0D\x68\xDE\xD5\xAA\x72\x4D\x93\x6D\x82\x0E\xDB\x9C\xBD\xCF\xB4\xF3\x5C\x5D\x54\x7A\x69\x09\x96\xD6\xDB\x11\xC1\x8D\x75\xA8\xB4\xCF\x39\xC8\xCE\x3C\xBC\x24\x7C\xE6\x62\xCA\xE1\xBD\x7D\xA7\xBD\x57\x65\x0B\xE4\xFE\x25\xED\xB6\x69\x10\xDC\x28\x1A\x46\xBD\x01\x1D\xD0\x97\xB5\xE1\x98\x3B\xC0\x37\x64\xD6\x3D\x94\xEE\x0B\xE1\xF5\x28\xAE\x0B\x56\xBF\x71\x8B\x23\x29\x41\x8E\x86\xC5\x4B\x52\x7B\xD8\x71\xAB\x1F\x8A\x15\xA6\x3B\x83\x5A\xD7\x58\x01\x51\xC6\x4C\x41\xD9\x7F\xD8\x41\x67\x72\xA2\x28\xDF\x60\x83\xA9\x9E\xC8\x7B\xFC\x53\x73\x72\x59\xF5\x93\x7A\x17\x76\x0E\xCE\xF7\xE5\x5C\xD9\x0B\x55\x34\xA2\xAA\x5B\xB5\x6A\x54\xE7\x13\xCA\x57\xEC\x97\x6D\xF4\x5E\x06\x2F\x45\x8B\x58\xD4\x23\x16\x92\xE4\x16\x6E\x28\x63\x59\x30\xDF\x50\x01\x9C\x63\x89\x1A\x9F\xDB\x17\x94\x82\x70\x37\xC3\x24\x9E\x9A\x47\xD6\x5A\xCA\x4E\xA8\x69\x89\x72\x1F\x91\x6C\xDB\x7E\x9E\x1B\xAD\xC7\x1F\x73\xDD\x2C\x4F\x19\x65\xFD\x7F\x93\x40\x10\x2E\xD2\xF0\xED\x3C\x9E\x2E\x28\x3E\x69\x26\x33\xC5\x7B\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xDA\xBB\x2E\xAA\xB0\x0C\xB8\x88\x26\x51\x74\x5C\x6D\x03\xD3\xC0\xD8\x8F\x7A\xD6\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xDA\xBB\x2E\xAA\xB0\x0C\xB8\x88\x26\x51\x74\x5C\x6D\x03\xD3\xC0\xD8\x8F\x7A\xD6\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x31\x78\xE6\xC7\xB5\xDF\xB8\x94\x40\xC9\x71\xC4\xA8\x35\xEC\x46\x1D\xC2\x85\xF3\x28\x58\x86\xB0\x0B\xFC\x8E\xB2\x39\x8F\x44\x55\xAB\x64\x84\x5C\x69\xA9\xD0\x9A\x38\x3C\xFA\xE5\x1F\x35\xE5\x44\xE3\x80\x79\x94\x68\xA4\xBB\xC4\x9F\x3D\xE1\x34\xCD\x30\x46\x8B\x54\x2B\x95\xA5\xEF\xF7\x3F\x99\x84\xFD\x35\xE6\xCF\x31\xC6\xDC\x6A\xBF\xA7\xD7\x23\x08\xE1\x98\x5E\xC3\x5A\x08\x76\xA9\xA6\xAF\x77\x2F\xB7\x60\xBD\x44\x46\x6A\xEF\x97\xFF\x73\x95\xC1\x8E\xE8\x93\xFB\xFD\x31\xB7\xEC\x57\x11\x11\x45\x9B\x3
0\xF1\x1A\x88\x39\xC1\x4F\x3C\xA7\x00\xD5\xC7\xFC\xAB\x6D\x80\x22\x70\xA5\x0C\xE0\x5D\x04\x29\x02\xFB\xCB\xA0\x91\xD1\x7C\xD6\xC3\x7E\x50\xD5\x9D\x58\xBE\x41\x38\xEB\xB9\x75\x3C\x15\xD9\x9B\xC9\x4A\x83\x59\xC0\xDA\x53\xFD\x33\xBB\x36\x18\x9B\x85\x0F\x15\xDD\xEE\x2D\xAC\x76\x93\xB9\xD9\x01\x8D\x48\x10\xA8\xFB\xF5\x38\x86\xF1\xDB\x0A\xC6\xBD\x84\xA3\x23\x41\xDE\xD6\x77\x6F\x85\xD4\x85\x1C\x50\xE0\xAE\x51\x8A\xBA\x8D\x3E\x76\xE2\xB9\xCA\x27\xF2\x5F\x9F\xEF\x6E\x59\x0D\x06\xD8\x2B\x17\xA4\xD2\x7C\x6B\xBB\x5F\x14\x1A\x48\x8F\x1A\x4C\xE7\xB3\x47\x1C\x8E\x4C\x45\x2B\x20\xEE\x48\xDF\xE7\xDD\x09\x8E\x18\xA8\xDA\x40\x8D\x92\x26\x11\x53\x61\x73\x5D\xEB\xBD\xE7\xC4\x4D\x29\x37\x61\xEB\xAC\x39\x2D\x67\x2E\x16\xD6\xF5\x00\x83\x85\xA1\xCC\x7F\x76\xC4\x7D\xE4\xB7\x4B\x66\xEF\x03\x45\x60\x69\xB6\x0C\x52\x96\x92\x84\x5E\xA6\xA3\xB5\xA4\x3E\x2B\xD9\xCC\xD8\x1B\x47\xAA\xF2\x44\xDA\x4F\xF9\x03\xE8\xF0\x14\xCB\x3F\xF3\x83\xDE\xD0\xC1\x54\xE3\xB7\xE8\x0A\x37\x4D\x8B\x20\x59\x03\x30\x19\xA1\x2C\xC8\xBD\x11\x1F\xDF\xAE\xC9\x4A\xC5\xF3\x27\x66\x66\x86\xAC\x68\x91\xFF\xD9\xE6\x53\x1C\x0F\x8B\x5C\x69\x65\x0A\x26\xC8\x1E\x34\xC3\x5D\x51\x7B\xD7\xA9\x9C\x06\xA1\x36\xDD\xD5\x89\x94\xBC\xD9\xE4\x2D\x0C\x5E\x09\x6C\x08\x97\x7C\xA3\x3D\x7C\x93\xFF\x3F\xA1\x14\xA7\xCF\xB5\x5D\xEB\xDB\xDB\x1C\xC4\x76\xDF\x88\xB9\xBD\x45\x05\x95\x1B\xAE\xFC\x46\x6A\x4C\xAF\x48\xE3\xCE\xAE\x0F\xD2\x7E\xEB\xE6\x6C\x9C\x4F\x81\x6A\x7A\x64\xAC\xBB\x3E\xD5\xE7\xCB\x76\x2E\xC5\xA7\x48\xC1\x5C\x90\x0F\xCB\xC8\x3F\xFA\xE6\x32\xE1\x8D\x1B\x6F\xA4\xE6\x8E\xD8\xF9\x29\x48\x8A\xCE\x73\xFE\x2C", ["CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US"] = 
"\x30\x82\x05\x6C\x30\x82\x03\x54\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x30\x34\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xB3\x54\x52\xC1\xC9\x3E\xF2\xD9\xDC\xB1\x53\x1A\x59\x29\xE7\xB1\xC3\x45\x28\xE5\xD7\xD1\xED\xC5\xC5\x4B\xA1\xAA\x74\x7B\x57\xAF\x4A\x26\xFC\xD8\xF5\x5E\xA7\x6E\x19\xDB\x74\x0C\x4F\x35\x5B\x32\x0B\x01\xE3\xDB\xEB\x7A\x77\x35\xEA\xAA\x5A\xE0\xD6\xE8\xA1\x57\x94\xF0\x90\xA3\x74\x56\x94\x44\x30\x03\x1E\x5C\x4E\x2B\x85\x26\x74\x82\x7A\x0C\x76\xA0\x6F\x4D\xCE\x41\x2D\xA0\x15\x06\x14\x5F\xB7\x42\xCD\x7B\x8F\x58\x61\x34\xDC\x2A\x08\xF9\x2E\xC3\x01\xA6\x22\x44\x1C\x4C\x07\x82\xE6\x5B\xCE\xD0\x4A\x7C\x04\xD3\x19\x73\x27\xF0\xAA\x98\x7F\x2E\xAF\x4E\xEB\x87\x1E\x24\x77\x6A\x5D\xB6\xE8\x5B\x45\xBA\xDC\xC3\xA1\x05\x6F\x56\x8E\x8F\x10\x26\xA5\x49\xC3\x2E\xD7\x41\x87\x22\xE0\x4F\x86\xCA\x60\xB5\xEA\xA1\x63\xC0\x01\x97\x10\x79\xBD\x00\x3C\x12\x6D\x2B\x15\xB1\xAC\x4B\xB1\xEE\x18\xB9\x4E\x96\xDC\xDC\x76\xFF\x3B\xBE\xCF\x5F\x03\xC0\xFC\x3B\xE8\xBE\x46\x1B\xFF\xDA\x40\xC2\x52\xF7\xFE\xE3\x3A\xF7\x6A\x77\x35\xD0\xDA\x8D\xEB\x5E\x18\x6A\x31\xC7\x1E\xBA\x3C\x1B\x28\xD6\x6B\x54\xC6\xAA\x5B\xD7\xA2\x2C\x1B\x19\xCC\xA2\x02\xF6\x9B\x59\xBD\x3
7\x6B\x86\xB5\x6D\x82\xBA\xD8\xEA\xC9\x56\xBC\xA9\x36\x58\xFD\x3E\x19\xF3\xED\x0C\x26\xA9\x93\x38\xF8\x4F\xC1\x5D\x22\x06\xD0\x97\xEA\xE1\xAD\xC6\x55\xE0\x81\x2B\x28\x83\x3A\xFA\xF4\x7B\x21\x51\x00\xBE\x52\x38\xCE\xCD\x66\x79\xA8\xF4\x81\x56\xE2\xD0\x83\x09\x47\x51\x5B\x50\x6A\xCF\xDB\x48\x1A\x5D\x3E\xF7\xCB\xF6\x65\xF7\x6C\xF1\x95\xF8\x02\x3B\x32\x56\x82\x39\x7A\x5B\xBD\x2F\x89\x1B\xBF\xA1\xB4\xE8\xFF\x7F\x8D\x8C\xDF\x03\xF1\x60\x4E\x58\x11\x4C\xEB\xA3\x3F\x10\x2B\x83\x9A\x01\x73\xD9\x94\x6D\x84\x00\x27\x66\xAC\xF0\x70\x40\x09\x42\x92\xAD\x4F\x93\x0D\x61\x09\x51\x24\xD8\x92\xD5\x0B\x94\x61\xB2\x87\xB2\xED\xFF\x9A\x35\xFF\x85\x54\xCA\xED\x44\x43\xAC\x1B\x3C\x16\x6B\x48\x4A\x0A\x1C\x40\x88\x1F\x92\xC2\x0B\x00\x05\xFF\xF2\xC8\x02\x4A\xA4\xAA\xA9\xCC\x99\x96\x9C\x2F\x58\xE0\x7D\xE1\xBE\xBB\x07\xDC\x5F\x04\x72\x5C\x31\x34\xC3\xEC\x5F\x2D\xE0\x3D\x64\x90\x22\xE6\xD1\xEC\xB8\x2E\xDD\x59\xAE\xD9\xA1\x37\xBF\x54\x35\xDC\x73\x32\x4F\x8C\x04\x1E\x33\xB2\xC9\x46\xF1\xD8\x5C\xC8\x55\x50\xC9\x68\xBD\xA8\xBA\x36\x09\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x76\xF3\x55\xE1\xFA\xA4\x36\xFB\xF0\x9F\x5C\x62\x71\xED\x3C\xF4\x47\x38\x10\x2B\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x76\xF3\x55\xE1\xFA\xA4\x36\xFB\xF0\x9F\x5C\x62\x71\xED\x3C\xF4\x47\x38\x10\x2B\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x66\xC1\xC6\x23\xF3\xD9\xE0\x2E\x6E\x5F\xE8\xCF\xAE\xB0\xB0\x25\x4D\x2B\xF8\x3B\x58\x9B\x40\x24\x37\x5A\xCB\xAB\x16\x49\xFF\xB3\x75\x79\x33\xA1\x2F\x6D\x70\x17\x34\x91\xFE\x67\x7E\x8F\xEC\x9B\xE5\x5E\x82\xA9\x55\x1F\x2F\xDC\xD4\x51\x07\x12\xFE\xAC\x16\x3E\x2C\x35\xC6\x63\xFC\xDC\x10\xEB\x0D\xA3\xAA\xD0\x7C\xCC\xD1\xD0\x2F\x51\x2E\xC4\x14\x5A\xDE\xE8\x19\xE1\x3E\xC6\xCC\xA4\x29\xE7\x2E\x84\xAA\x06\x30\x78\x76\x54\x73\x28\x98\x59\x38\xE0\x00\x0D\x62\xD3\x42\x7D\x21\x9F\xAE\x3
D\x3A\x8C\xD5\xFA\x77\x0D\x18\x2B\x16\x0E\x5F\x36\xE1\xFC\x2A\xB5\x30\x24\xCF\xE0\x63\x0C\x7B\x58\x1A\xFE\x99\xBA\x42\x12\xB1\x91\xF4\x7C\x68\xE2\xC8\xE8\xAF\x2C\xEA\xC9\x7E\xAE\xBB\x2A\x3D\x0D\x15\xDC\x34\x95\xB6\x18\x74\xA8\x6A\x0F\xC7\xB4\xF4\x13\xC4\xE4\x5B\xED\x0A\xD2\xA4\x97\x4C\x2A\xED\x2F\x6C\x12\x89\x3D\xF1\x27\x70\xAA\x6A\x03\x52\x21\x9F\x40\xA8\x67\x50\xF2\xF3\x5A\x1F\xDF\xDF\x23\xF6\xDC\x78\x4E\xE6\x98\x4F\x55\x3A\x53\xE3\xEF\xF2\xF4\x9F\xC7\x7C\xD8\x58\xAF\x29\x22\x97\xB8\xE0\xBD\x91\x2E\xB0\x76\xEC\x57\x11\xCF\xEF\x29\x44\xF3\xE9\x85\x7A\x60\x63\xE4\x5D\x33\x89\x17\xD9\x31\xAA\xDA\xD6\xF3\x18\x35\x72\xCF\x87\x2B\x2F\x63\x23\x84\x5D\x84\x8C\x3F\x57\xA0\x88\xFC\x99\x91\x28\x26\x69\x99\xD4\x8F\x97\x44\xBE\x8E\xD5\x48\xB1\xA4\x28\x29\xF1\x15\xB4\xE1\xE5\x9E\xDD\xF8\x8F\xA6\x6F\x26\xD7\x09\x3C\x3A\x1C\x11\x0E\xA6\x6C\x37\xF7\xAD\x44\x87\x2C\x28\xC7\xD8\x74\x82\xB3\xD0\x6F\x4A\x57\xBB\x35\x29\x27\xA0\x8B\xE8\x21\xA7\x87\x64\x36\x5D\xCC\xD8\x16\xAC\xC7\xB2\x27\x40\x92\x55\x38\x28\x8D\x51\x6E\xDD\x14\x67\x53\x6C\x71\x5C\x26\x84\x4D\x75\x5A\xB6\x7E\x60\x56\xA9\x4D\xAD\xFB\x9B\x1E\x97\xF3\x0D\xD9\xD2\x97\x54\x77\xDA\x3D\x12\xB7\xE0\x1E\xEF\x08\x06\xAC\xF9\x85\x87\xE9\xA2\xDC\xAF\x7E\x18\x12\x83\xFD\x56\x17\x41\x2E\xD5\x29\x82\x7D\x99\xF4\x31\xF6\x71\xA9\xCF\x2C\x01\x27\xA5\x05\xB9\xAA\xB2\x48\x4E\x2A\xEF\x9F\x93\x52\x51\x95\x3C\x52\x73\x8E\x56\x4C\x17\x40\xC0\x09\x28\xE4\x8B\x6A\x48\x53\xDB\xEC\xCD\x55\x55\xF1\xC6\xF8\xE9\xA2\x2C\x4C\xA6\xD1\x26\x5F\x7E\xAF\x5A\x4C\xDA\x1F\xA6\xF2\x1C\x2C\x7E\xAE\x02\x16\xD2\x56\xD0\x2F\x57\x53\x47\xE8\x92", ["CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US"] = 
"\x30\x82\x03\xA2\x30\x82\x02\x8A\xA0\x03\x02\x01\x02\x02\x10\x13\x86\x35\x4D\x1D\x3F\x06\xF2\xC1\xF9\x65\x05\xD5\x90\x1C\x62\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x6B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0D\x30\x0B\x06\x03\x55\x04\x0A\x13\x04\x56\x49\x53\x41\x31\x2F\x30\x2D\x06\x03\x55\x04\x0B\x13\x26\x56\x69\x73\x61\x20\x49\x6E\x74\x65\x72\x6E\x61\x74\x69\x6F\x6E\x61\x6C\x20\x53\x65\x72\x76\x69\x63\x65\x20\x41\x73\x73\x6F\x63\x69\x61\x74\x69\x6F\x6E\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x56\x69\x73\x61\x20\x65\x43\x6F\x6D\x6D\x65\x72\x63\x65\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x32\x30\x36\x32\x36\x30\x32\x31\x38\x33\x36\x5A\x17\x0D\x32\x32\x30\x36\x32\x34\x30\x30\x31\x36\x31\x32\x5A\x30\x6B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0D\x30\x0B\x06\x03\x55\x04\x0A\x13\x04\x56\x49\x53\x41\x31\x2F\x30\x2D\x06\x03\x55\x04\x0B\x13\x26\x56\x69\x73\x61\x20\x49\x6E\x74\x65\x72\x6E\x61\x74\x69\x6F\x6E\x61\x6C\x20\x53\x65\x72\x76\x69\x63\x65\x20\x41\x73\x73\x6F\x63\x69\x61\x74\x69\x6F\x6E\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x56\x69\x73\x61\x20\x65\x43\x6F\x6D\x6D\x65\x72\x63\x65\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAF\x57\xDE\x56\x1E\x6E\xA1\xDA\x60\xB1\x94\x27\xCB\x17\xDB\x07\x3F\x80\x85\x4F\xC8\x9C\xB6\xD0\xF4\x6F\x4F\xCF\x99\xD8\xE1\xDB\xC2\x48\x5C\x3A\xAC\x39\x33\xC7\x1F\x6A\x8B\x26\x3D\x2B\x35\xF5\x48\xB1\x91\xC1\x02\x4E\x04\x96\x91\x7B\xB0\x33\xF0\xB1\x14\x4E\x11\x6F\xB5\x40\xAF\x1B\x45\xA5\x4A\xEF\x7E\xB6\xAC\xF2\xA0\x1F\x58\x3F\x12\x46\x60\x3C\x8D\xA1\xE0\x7D\xCF\x57\x3E\x33\x1E\xFB\x47\xF1\xAA\x15\x97\x07\x55\x66\xA5\xB5\x2D\x2E\xD8\x80\x59\xB2\xA7\x0D\xB7\x46\xEC\x21\x63\xFF\x35\xAB\xA5\x02\xCF\x2A\xF4\x4C\xFE\x7B\xF5\x94\x5D\x84\x4D\xA8\xF2\x60\x8F\xDB\x0E\x25\x3C\x9F\x73\x71\xCF\x94\xDF\x4A\xEA\xDB\xDF\x72\x38\x8C\xF3\x96\xBD\xF1\x17\xBC\xD2\xBA\x3B\x45\x5A\xC6\xA7\xF6\xC
6\x17\x8B\x01\x9D\xFC\x19\xA8\x2A\x83\x16\xB8\x3A\x48\xFE\x4E\x3E\xA0\xAB\x06\x19\xE9\x53\xF3\x80\x13\x07\xED\x2D\xBF\x3F\x0A\x3C\x55\x20\x39\x2C\x2C\x00\x69\x74\x95\x4A\xBC\x20\xB2\xA9\x79\xE5\x18\x89\x91\xA8\xDC\x1C\x4D\xEF\xBB\x7E\x37\x0B\x5D\xFE\x39\xA5\x88\x52\x8C\x00\x6C\xEC\x18\x7C\x41\xBD\xF6\x8B\x75\x77\xBA\x60\x9D\x84\xE7\xFE\x2D\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x15\x38\x83\x0F\x3F\x2C\x3F\x70\x33\x1E\xCD\x46\xFE\x07\x8C\x20\xE0\xD7\xC3\xB7\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x5F\xF1\x41\x7D\x7C\x5C\x08\xB9\x2B\xE0\xD5\x92\x47\xFA\x67\x5C\xA5\x13\xC3\x03\x21\x9B\x2B\x4C\x89\x46\xCF\x59\x4D\xC9\xFE\xA5\x40\xB6\x63\xCD\xDD\x71\x28\x95\x67\x11\xCC\x24\xAC\xD3\x44\x6C\x71\xAE\x01\x20\x6B\x03\xA2\x8F\x18\xB7\x29\x3A\x7D\xE5\x16\x60\x53\x78\x3C\xC0\xAF\x15\x83\xF7\x8F\x52\x33\x24\xBD\x64\x93\x97\xEE\x8B\xF7\xDB\x18\xA8\x6D\x71\xB3\xF7\x2C\x17\xD0\x74\x25\x69\xF7\xFE\x6B\x3C\x94\xBE\x4D\x4B\x41\x8C\x4E\xE2\x73\xD0\xE3\x90\x22\x73\x43\xCD\xF3\xEF\xEA\x73\xCE\x45\x8A\xB0\xA6\x49\xFF\x4C\x7D\x9D\x71\x88\xC4\x76\x1D\x90\x5B\x1D\xEE\xFD\xCC\xF7\xEE\xFD\x60\xA5\xB1\x7A\x16\x71\xD1\x16\xD0\x7C\x12\x3C\x6C\x69\x97\xDB\xAE\x5F\x39\x9A\x70\x2F\x05\x3C\x19\x46\x04\x99\x20\x36\xD0\x60\x6E\x61\x06\xBB\x16\x42\x8C\x70\xF7\x30\xFB\xE0\xDB\x66\xA3\x00\x01\xBD\xE6\x2C\xDA\x91\x5F\xA0\x46\x8B\x4D\x6A\x9C\x3D\x3D\xDD\x05\x46\xFE\x76\xBF\xA0\x0A\x3C\xE4\x00\xE6\x27\xB7\xFF\x84\x2D\xDE\xBA\x22\x27\x96\x10\x71\xEB\x22\xED\xDF\xDF\x33\x9C\xCF\xE3\xAD\xAE\x8E\xD4\x8E\xE6\x4F\x51\xAF\x16\x92\xE0\x5C\xF6\x07\x0F", - ["CN=Certum CA,O=Unizeto Sp. 
z o.o.,C=PL"] = "\x30\x82\x03\x0C\x30\x82\x01\xF4\xA0\x03\x02\x01\x02\x02\x03\x01\x00\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x1B\x30\x19\x06\x03\x55\x04\x0A\x13\x12\x55\x6E\x69\x7A\x65\x74\x6F\x20\x53\x70\x2E\x20\x7A\x20\x6F\x2E\x6F\x2E\x31\x12\x30\x10\x06\x03\x55\x04\x03\x13\x09\x43\x65\x72\x74\x75\x6D\x20\x43\x41\x30\x1E\x17\x0D\x30\x32\x30\x36\x31\x31\x31\x30\x34\x36\x33\x39\x5A\x17\x0D\x32\x37\x30\x36\x31\x31\x31\x30\x34\x36\x33\x39\x5A\x30\x3E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x1B\x30\x19\x06\x03\x55\x04\x0A\x13\x12\x55\x6E\x69\x7A\x65\x74\x6F\x20\x53\x70\x2E\x20\x7A\x20\x6F\x2E\x6F\x2E\x31\x12\x30\x10\x06\x03\x55\x04\x03\x13\x09\x43\x65\x72\x74\x75\x6D\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xCE\xB1\xC1\x2E\xD3\x4F\x7C\xCD\x25\xCE\x18\x3E\x4F\xC4\x8C\x6F\x80\x6A\x73\xC8\x5B\x51\xF8\x9B\xD2\xDC\xBB\x00\x5C\xB1\xA0\xFC\x75\x03\xEE\x81\xF0\x88\xEE\x23\x52\xE9\xE6\x15\x33\x8D\xAC\x2D\x09\xC5\x76\xF9\x2B\x39\x80\x89\xE4\x97\x4B\x90\xA5\xA8\x78\xF8\x73\x43\x7B\xA4\x61\xB0\xD8\x58\xCC\xE1\x6C\x66\x7E\x9C\xF3\x09\x5E\x55\x63\x84\xD5\xA8\xEF\xF3\xB1\x2E\x30\x68\xB3\xC4\x3C\xD8\xAC\x6E\x8D\x99\x5A\x90\x4E\x34\xDC\x36\x9A\x8F\x81\x88\x50\xB7\x6D\x96\x42\x09\xF3\xD7\x95\x83\x0D\x41\x4B\xB0\x6A\x6B\xF8\xFC\x0F\x7E\x62\x9F\x67\xC4\xED\x26\x5F\x10\x26\x0F\x08\x4F\xF0\xA4\x57\x28\xCE\x8F\xB8\xED\x45\xF6\x6E\xEE\x25\x5D\xAA\x6E\x39\xBE\xE4\x93\x2F\xD9\x47\xA0\x72\xEB\xFA\xA6\x5B\xAF\xCA\x53\x3F\xE2\x0E\xC6\x96\x56\x11\x6E\xF7\xE9\x66\xA9\x26\xD8\x7F\x95\x53\xED\x0A\x85\x88\xBA\x4F\x29\xA5\x42\x8C\x5E\xB6\xFC\x85\x20\x00\xAA\x68\x0B\xA1\x1A\x85\x01\x9C\xC4\x46\x63\x82\x88\xB6\x22\xB1\xEE\xFE\xAA\x46\x59\x7E\xCF\x35\x2C\xD5\xB6\xDA\x5D\xF7\x48\x33\x14\x54\xB6\xEB\xD9\x6F\xCE\xCD\x88\xD6\xAB\x1B\xDA\x96\x3B\x1D\x59\x02\x03\x01\x00\x01\xA3\x13\x30\x11\x30\x0F\x06\x03\x5
5\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xB8\x8D\xCE\xEF\xE7\x14\xBA\xCF\xEE\xB0\x44\x92\x6C\xB4\x39\x3E\xA2\x84\x6E\xAD\xB8\x21\x77\xD2\xD4\x77\x82\x87\xE6\x20\x41\x81\xEE\xE2\xF8\x11\xB7\x63\xD1\x17\x37\xBE\x19\x76\x24\x1C\x04\x1A\x4C\xEB\x3D\xAA\x67\x6F\x2D\xD4\xCD\xFE\x65\x31\x70\xC5\x1B\xA6\x02\x0A\xBA\x60\x7B\x6D\x58\xC2\x9A\x49\xFE\x63\x32\x0B\x6B\xE3\x3A\xC0\xAC\xAB\x3B\xB0\xE8\xD3\x09\x51\x8C\x10\x83\xC6\x34\xE0\xC5\x2B\xE0\x1A\xB6\x60\x14\x27\x6C\x32\x77\x8C\xBC\xB2\x72\x98\xCF\xCD\xCC\x3F\xB9\xC8\x24\x42\x14\xD6\x57\xFC\xE6\x26\x43\xA9\x1D\xE5\x80\x90\xCE\x03\x54\x28\x3E\xF7\x3F\xD3\xF8\x4D\xED\x6A\x0A\x3A\x93\x13\x9B\x3B\x14\x23\x13\x63\x9C\x3F\xD1\x87\x27\x79\xE5\x4C\x51\xE3\x01\xAD\x85\x5D\x1A\x3B\xB1\xD5\x73\x10\xA4\xD3\xF2\xBC\x6E\x64\xF5\x5A\x56\x90\xA8\xC7\x0E\x4C\x74\x0F\x2E\x71\x3B\xF7\xC8\x47\xF4\x69\x6F\x15\xF2\x11\x5E\x83\x1E\x9C\x7C\x52\xAE\xFD\x02\xDA\x12\xA8\x59\x67\x18\xDB\xBC\x70\xDD\x9B\xB1\x69\xED\x80\xCE\x89\x40\x48\x6A\x0E\x35\xCA\x29\x66\x15\x21\x94\x2C\xE8\x60\x2A\x9B\x85\x4A\x40\xF3\x6B\x8A\x24\xEC\x06\x16\x2C\x73", ["CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB"] = 
"\x30\x82\x04\x32\x30\x82\x03\x1A\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x0C\x18\x41\x41\x41\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x1E\x17\x0D\x30\x34\x30\x31\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x7B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x0C\x18\x41\x41\x41\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBE\x40\x9D\xF4\x6E\xE1\xEA\x76\x87\x1C\x4D\x45\x44\x8E\xBE\x46\xC8\x83\x06\x9D\xC1\x2A\xFE\x18\x1F\x8E\xE4\x02\xFA\xF3\xAB\x5D\x50\x8A\x16\x31\x0B\x9A\x06\xD0\xC5\x70\x22\xCD\x49\x2D\x54\x63\xCC\xB6\x6E\x68\x46\x0B\x53\xEA\xCB\x4C\x24\xC0\xBC\x72\x4E\xEA\xF1\x15\xAE\xF4\x54\x9A\x12\x0A\xC3\x7A\xB2\x33\x60\xE2\xDA\x89\x55\xF3\x22\x58\xF3\xDE\xDC\xCF\xEF\x83\x86\xA2\x8C\x94\x4F\x9F\x68\xF2\x98\x90\x46\x84\x27\xC7\x76\xBF\xE3\xCC\x35\x2C\x8B\x5E\x07\x64\x65\x82\xC0\x48\xB0\xA8\x91\xF9\x61\x9F\x76\x20\x50\xA8\x91\xC7\x66\xB5\xEB\x78\x62\x03\x56\xF0\x8A\x1A\x13\xEA\x31\xA3\x1E\xA0\x99\xFD\x38\xF6\xF6\x27\x32\x5
8\x6F\x07\xF5\x6B\xB8\xFB\x14\x2B\xAF\xB7\xAA\xCC\xD6\x63\x5F\x73\x8C\xDA\x05\x99\xA8\x38\xA8\xCB\x17\x78\x36\x51\xAC\xE9\x9E\xF4\x78\x3A\x8D\xCF\x0F\xD9\x42\xE2\x98\x0C\xAB\x2F\x9F\x0E\x01\xDE\xEF\x9F\x99\x49\xF1\x2D\xDF\xAC\x74\x4D\x1B\x98\xB5\x47\xC5\xE5\x29\xD1\xF9\x90\x18\xC7\x62\x9C\xBE\x83\xC7\x26\x7B\x3E\x8A\x25\xC7\xC0\xDD\x9D\xE6\x35\x68\x10\x20\x9D\x8F\xD8\xDE\xD2\xC3\x84\x9C\x0D\x5E\xE8\x2F\xC9\x02\x03\x01\x00\x01\xA3\x81\xC0\x30\x81\xBD\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA0\x11\x0A\x23\x3E\x96\xF1\x07\xEC\xE2\xAF\x29\xEF\x82\xA5\x7F\xD0\x30\xA4\xB4\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x7B\x06\x03\x55\x1D\x1F\x04\x74\x30\x72\x30\x38\xA0\x36\xA0\x34\x86\x32\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x63\x61\x2E\x63\x6F\x6D\x2F\x41\x41\x41\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x36\xA0\x34\xA0\x32\x86\x30\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x2E\x6E\x65\x74\x2F\x41\x41\x41\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x08\x56\xFC\x02\xF0\x9B\xE8\xFF\xA4\xFA\xD6\x7B\xC6\x44\x80\xCE\x4F\xC4\xC5\xF6\x00\x58\xCC\xA6\xB6\xBC\x14\x49\x68\x04\x76\xE8\xE6\xEE\x5D\xEC\x02\x0F\x60\xD6\x8D\x50\x18\x4F\x26\x4E\x01\xE3\xE6\xB0\xA5\xEE\xBF\xBC\x74\x54\x41\xBF\xFD\xFC\x12\xB8\xC7\x4F\x5A\xF4\x89\x60\x05\x7F\x60\xB7\x05\x4A\xF3\xF6\xF1\xC2\xBF\xC4\xB9\x74\x86\xB6\x2D\x7D\x6B\xCC\xD2\xF3\x46\xDD\x2F\xC6\xE0\x6A\xC3\xC3\x34\x03\x2C\x7D\x96\xDD\x5A\xC2\x0E\xA7\x0A\x99\xC1\x05\x8B\xAB\x0C\x2F\xF3\x5C\x3A\xCF\x6C\x37\x55\x09\x87\xDE\x53\x40\x6C\x58\xEF\xFC\xB6\xAB\x65\x6E\x04\xF6\x1B\xDC\x3C\xE0\x5A\x15\xC6\x9E\xD9\xF1\x59\x48\x30\x21\x65\x03\x6C\xEC\xE9\x21\x73\xEC\x9B\x03\xA1\xE0\x37\xAD\xA0\x15\x18\x8F\xFA\xBA\x02\xCE\xA7\x2C\xA9\x1
0\x13\x2C\xD4\xE5\x08\x26\xAB\x22\x97\x60\xF8\x90\x5E\x74\xD4\xA2\x9A\x53\xBD\xF2\xA9\x68\xE0\xA2\x6E\xC2\xD7\x6C\xB1\xA3\x0F\x9E\xBF\xEB\x68\xE7\x56\xF2\xAE\xF2\xE3\x2B\x38\x3A\x09\x81\xB5\x6B\x85\xD7\xBE\x2D\xED\x3F\x1A\xB7\xB2\x63\xE2\xF5\x62\x2C\x82\xD4\x6A\x00\x41\x50\xF1\x39\x83\x9F\x95\xE9\x36\x96\x98\x6E", - ["CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB"] = "\x30\x82\x04\x3F\x30\x82\x03\x27\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x24\x30\x22\x06\x03\x55\x04\x03\x0C\x1B\x53\x65\x63\x75\x72\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x1E\x17\x0D\x30\x34\x30\x31\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x7E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x24\x30\x22\x06\x03\x55\x04\x03\x0C\x1B\x53\x65\x63\x75\x72\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC0\x71\x33\x82\x8A\xD0\x70\xEB\x73\x87\x82\x40\xD5\x1D\xE4\xCB\xC9\x0E\x42\x90\xF9\xDE\x34\xB9\xA1\xBA\x11\xF4\x25\x85\xF3\xCC\x72\x6D\xF2\x7B\x97\x6B\xB3\x07\xF1\x77\x24\x91\x5
F\x25\x8F\xF6\x74\x3D\xE4\x80\xC2\xF8\x3C\x0D\xF3\xBF\x40\xEA\xF7\xC8\x52\xD1\x72\x6F\xEF\xC8\xAB\x41\xB8\x6E\x2E\x17\x2A\x95\x69\x0C\xCD\xD2\x1E\x94\x7B\x2D\x94\x1D\xAA\x75\xD7\xB3\x98\xCB\xAC\xBC\x64\x53\x40\xBC\x8F\xAC\xAC\x36\xCB\x5C\xAD\xBB\xDD\xE0\x94\x17\xEC\xD1\x5C\xD0\xBF\xEF\xA5\x95\xC9\x90\xC5\xB0\xAC\xFB\x1B\x43\xDF\x7A\x08\x5D\xB7\xB8\xF2\x40\x1B\x2B\x27\x9E\x50\xCE\x5E\x65\x82\x88\x8C\x5E\xD3\x4E\x0C\x7A\xEA\x08\x91\xB6\x36\xAA\x2B\x42\xFB\xEA\xC2\xA3\x39\xE5\xDB\x26\x38\xAD\x8B\x0A\xEE\x19\x63\xC7\x1C\x24\xDF\x03\x78\xDA\xE6\xEA\xC1\x47\x1A\x0B\x0B\x46\x09\xDD\x02\xFC\xDE\xCB\x87\x5F\xD7\x30\x63\x68\xA1\xAE\xDC\x32\xA1\xBA\xBE\xFE\x44\xAB\x68\xB6\xA5\x17\x15\xFD\xBD\xD5\xA7\xA7\x9A\xE4\x44\x33\xE9\x88\x8E\xFC\xED\x51\xEB\x93\x71\x4E\xAD\x01\xE7\x44\x8E\xAB\x2D\xCB\xA8\xFE\x01\x49\x48\xF0\xC0\xDD\xC7\x68\xD8\x92\xFE\x3D\x02\x03\x01\x00\x01\xA3\x81\xC7\x30\x81\xC4\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x3C\xD8\x93\x88\xC2\xC0\x82\x09\xCC\x01\x99\x06\x93\x20\xE9\x9E\x70\x09\x63\x4F\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x81\x06\x03\x55\x1D\x1F\x04\x7A\x30\x78\x30\x3B\xA0\x39\xA0\x37\x86\x35\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x63\x61\x2E\x63\x6F\x6D\x2F\x53\x65\x63\x75\x72\x65\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x39\xA0\x37\xA0\x35\x86\x33\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x2E\x6E\x65\x74\x2F\x53\x65\x63\x75\x72\x65\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x87\x01\x6D\x23\x1D\x7E\x5B\x17\x7D\xC1\x61\x32\xCF\x8F\xE7\xF3\x8A\x94\x59\x66\xE0\x9E\x28\xA8\x5E\xD3\xB7\xF4\x34\xE6\xAA\x39\xB2\x97\x16\xC5\x82\x6F\x32\xA4\xE9\x8C\xE7\xAF\xFD\xEF\xC2\xE8\xB9\x4B\xAA\xA3\xF4\xE6\xDA\x8D\x65\x21\xFB\xBA\x80\xE
B\x26\x28\x85\x1A\xFE\x39\x8C\xDE\x5B\x04\x04\xB4\x54\xF9\xA3\x67\x9E\x41\xFA\x09\x52\xCC\x05\x48\xA8\xC9\x3F\x21\x04\x1E\xCE\x48\x6B\xFC\x85\xE8\xC2\x7B\xAF\x7F\xB7\xCC\xF8\x5F\x3A\xFD\x35\xC6\x0D\xEF\x97\xDC\x4C\xAB\x11\xE1\x6B\xCB\x31\xD1\x6C\xFB\x48\x80\xAB\xDC\x9C\x37\xB8\x21\x14\x4B\x0D\x71\x3D\xEC\x83\x33\x6E\xD1\x6E\x32\x16\xEC\x98\xC7\x16\x8B\x59\xA6\x34\xAB\x05\x57\x2D\x93\xF7\xAA\x13\xCB\xD2\x13\xE2\xB7\x2E\x3B\xCD\x6B\x50\x17\x09\x68\x3E\xB5\x26\x57\xEE\xB6\xE0\xB6\xDD\xB9\x29\x80\x79\x7D\x8F\xA3\xF0\xA4\x28\xA4\x15\xC4\x85\xF4\x27\xD4\x6B\xBF\xE5\x5C\xE4\x65\x02\x76\x54\xB4\xE3\x37\x66\x24\xD3\x19\x61\xC8\x52\x10\xE5\x8B\x37\x9A\xB9\xA9\xF9\x1D\xBF\xEA\x99\x92\x61\x96\xFF\x01\xCD\xA1\x5F\x0D\xBC\x71\xBC\x0E\xAC\x0B\x1D\x47\x45\x1D\xC1\xEC\x7C\xEC\xFD\x29", - ["CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB"] = "\x30\x82\x04\x43\x30\x82\x03\x2B\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x25\x30\x23\x06\x03\x55\x04\x03\x0C\x1C\x54\x72\x75\x73\x74\x65\x64\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x1E\x17\x0D\x30\x34\x30\x31\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x
65\x64\x31\x25\x30\x23\x06\x03\x55\x04\x03\x0C\x1C\x54\x72\x75\x73\x74\x65\x64\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDF\x71\x6F\x36\x58\x53\x5A\xF2\x36\x54\x57\x80\xC4\x74\x08\x20\xED\x18\x7F\x2A\x1D\xE6\x35\x9A\x1E\x25\xAC\x9C\xE5\x96\x7E\x72\x52\xA0\x15\x42\xDB\x59\xDD\x64\x7A\x1A\xD0\xB8\x7B\xDD\x39\x15\xBC\x55\x48\xC4\xED\x3A\x00\xEA\x31\x11\xBA\xF2\x71\x74\x1A\x67\xB8\xCF\x33\xCC\xA8\x31\xAF\xA3\xE3\xD7\x7F\xBF\x33\x2D\x4C\x6A\x3C\xEC\x8B\xC3\x92\xD2\x53\x77\x24\x74\x9C\x07\x6E\x70\xFC\xBD\x0B\x5B\x76\xBA\x5F\xF2\xFF\xD7\x37\x4B\x4A\x60\x78\xF7\xF0\xFA\xCA\x70\xB4\xEA\x59\xAA\xA3\xCE\x48\x2F\xA9\xC3\xB2\x0B\x7E\x17\x72\x16\x0C\xA6\x07\x0C\x1B\x38\xCF\xC9\x62\xB7\x3F\xA0\x93\xA5\x87\x41\xF2\xB7\x70\x40\x77\xD8\xBE\x14\x7C\xE3\xA8\xC0\x7A\x8E\xE9\x63\x6A\xD1\x0F\x9A\xC6\xD2\xF4\x8B\x3A\x14\x04\x56\xD4\xED\xB8\xCC\x6E\xF5\xFB\xE2\x2C\x58\xBD\x7F\x4F\x6B\x2B\xF7\x60\x24\x58\x24\xCE\x26\xEF\x34\x91\x3A\xD5\xE3\x81\xD0\xB2\xF0\x04\x02\xD7\x5B\xB7\x3E\x92\xAC\x6B\x12\x8A\xF9\xE4\x05\xB0\x3B\x91\x49\x5C\xB2\xEB\x53\xEA\xF8\x9F\x47\x86\xEE\xBF\x95\xC0\xC0\x06\x9F\xD2\x5B\x5E\x11\x1B\xF4\xC7\x04\x35\x29\xD2\x55\x5C\xE4\xED\xEB\x02\x03\x01\x00\x01\xA3\x81\xC9\x30\x81\xC6\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC5\x7B\x58\xBD\xED\xDA\x25\x69\xD2\xF7\x59\x16\xA8\xB3\x32\xC0\x7B\x27\x5B\xF4\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x83\x06\x03\x55\x1D\x1F\x04\x7C\x30\x7A\x30\x3C\xA0\x3A\xA0\x38\x86\x36\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x63\x61\x2E\x63\x6F\x6D\x2F\x54\x72\x75\x73\x74\x65\x64\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x3A\xA0\x38\xA0\x36\x86\x34\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x
6D\x6F\x64\x6F\x2E\x6E\x65\x74\x2F\x54\x72\x75\x73\x74\x65\x64\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xC8\x93\x81\x3B\x89\xB4\xAF\xB8\x84\x12\x4C\x8D\xD2\xF0\xDB\x70\xBA\x57\x86\x15\x34\x10\xB9\x2F\x7F\x1E\xB0\xA8\x89\x60\xA1\x8A\xC2\x77\x0C\x50\x4A\x9B\x00\x8B\xD8\x8B\xF4\x41\xE2\xD0\x83\x8A\x4A\x1C\x14\x06\xB0\xA3\x68\x05\x70\x31\x30\xA7\x53\x9B\x0E\xE9\x4A\xA0\x58\x69\x67\x0E\xAE\x9D\xF6\xA5\x2C\x41\xBF\x3C\x06\x6B\xE4\x59\xCC\x6D\x10\xF1\x96\x6F\x1F\xDF\xF4\x04\x02\xA4\x9F\x45\x3E\xC8\xD8\xFA\x36\x46\x44\x50\x3F\x82\x97\x91\x1F\x28\xDB\x18\x11\x8C\x2A\xE4\x65\x83\x57\x12\x12\x8C\x17\x3F\x94\x36\xFE\x5D\xB0\xC0\x04\x77\x13\xB8\xF4\x15\xD5\x3F\x38\xCC\x94\x3A\x55\xD0\xAC\x98\xF5\xBA\x00\x5F\xE0\x86\x19\x81\x78\x2F\x28\xC0\x7E\xD3\xCC\x42\x0A\xF5\xAE\x50\xA0\xD1\x3E\xC6\xA1\x71\xEC\x3F\xA0\x20\x8C\x66\x3A\x89\xB4\x8E\xD4\xD8\xB1\x4D\x25\x47\xEE\x2F\x88\xC8\xB5\xE1\x05\x45\xC0\xBE\x14\x71\xDE\x7A\xFD\x8E\x7B\x7D\x4D\x08\x96\xA5\x12\x73\xF0\x2D\xCA\x37\x27\x74\x12\x27\x4C\xCB\xB6\x97\xE9\xD9\xAE\x08\x6D\x5A\x39\x40\xDD\x05\x47\x75\x6A\x5A\x21\xB3\xA3\x18\xCF\x4E\xF7\x2E\x57\xB7\x98\x70\x5E\xC8\xC4\x78\xB0\x62", ["CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM"] = 
"\x30\x82\x05\xD0\x30\x82\x04\xB8\xA0\x03\x02\x01\x02\x02\x04\x3A\xB6\x50\x8B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x31\x30\x33\x31\x39\x31\x38\x33\x33\x33\x33\x5A\x17\x0D\x32\x31\x30\x33\x31\x37\x31\x38\x33\x33\x33\x33\x5A\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBF\x61\xB5\x95\x53\xBA\x57\xFC\xFA\xF2\x67\x0B\x3A\x1A\xDF\x11\x80\x64\x95\xB4\xD1\xBC\xCD\x7A\xCF\xF6\x29\x96\x2E\x24\x54\x40\x24\x38\xF7\x1A\x85\xDC\x58\x4C\xCB\xA4\x27\x42\x97\xD0\x9F\x83\x8A\xC3\xE4\x06\x03\x5B\x00\xA5\x51\x1E\x70\x04\x74\xE2\xC1\xD4\x3A\xAB\xD7\xAD\x3B\x07\x18\x05\x8E\xFD\x83\xAC\xEA\x66\xD9\x18\x1B\x68\x8A\xF5\x57\x1A\x98\xBA\xF5\xED\x76\x3D\x7C\xD9\xDE\x94\x6A\x3B\x4B\x17\xC1\xD5\x8F\xBD\x65\x38\x3A\x95\xD0\x3D\x55\x36\x4E\xDF\x79\x57\x31\x2A\x1E\xD8\x59\x65\x49\x58\x20\x98\x7E\xAB\x5F\x7E\x9F\xE9\xD6\x4D\xEC\x83\x74\xA9\xC7\x6C\xD8\xEE\x2
9\x4A\x85\x2A\x06\x14\xF9\x54\xE6\xD3\xDA\x65\x07\x8B\x63\x37\x12\xD7\xD0\xEC\xC3\x7B\x20\x41\x44\xA3\xED\xCB\xA0\x17\xE1\x71\x65\xCE\x1D\x66\x31\xF7\x76\x01\x19\xC8\x7D\x03\x58\xB6\x95\x49\x1D\xA6\x12\x26\xE8\xC6\x0C\x76\xE0\xE3\x66\xCB\xEA\x5D\xA6\x26\xEE\xE5\xCC\x5F\xBD\x67\xA7\x01\x27\x0E\xA2\xCA\x54\xC5\xB1\x7A\x95\x1D\x71\x1E\x4A\x29\x8A\x03\xDC\x6A\x45\xC1\xA4\x19\x5E\x6F\x36\xCD\xC3\xA2\xB0\xB7\xFE\x5C\x38\xE2\x52\xBC\xF8\x44\x43\xE6\x90\xBB\x02\x03\x01\x00\x01\xA3\x82\x02\x52\x30\x82\x02\x4E\x30\x3D\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01\x04\x31\x30\x2F\x30\x2D\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01\x86\x21\x68\x74\x74\x70\x73\x3A\x2F\x2F\x6F\x63\x73\x70\x2E\x71\x75\x6F\x76\x61\x64\x69\x73\x6F\x66\x66\x73\x68\x6F\x72\x65\x2E\x63\x6F\x6D\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x82\x01\x1A\x06\x03\x55\x1D\x20\x04\x82\x01\x11\x30\x82\x01\x0D\x30\x82\x01\x09\x06\x09\x2B\x06\x01\x04\x01\xBE\x58\x00\x01\x30\x81\xFB\x30\x81\xD4\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x81\xC7\x1A\x81\xC4\x52\x65\x6C\x69\x61\x6E\x63\x65\x20\x6F\x6E\x20\x74\x68\x65\x20\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x62\x79\x20\x61\x6E\x79\x20\x70\x61\x72\x74\x79\x20\x61\x73\x73\x75\x6D\x65\x73\x20\x61\x63\x63\x65\x70\x74\x61\x6E\x63\x65\x20\x6F\x66\x20\x74\x68\x65\x20\x74\x68\x65\x6E\x20\x61\x70\x70\x6C\x69\x63\x61\x62\x6C\x65\x20\x73\x74\x61\x6E\x64\x61\x72\x64\x20\x74\x65\x72\x6D\x73\x20\x61\x6E\x64\x20\x63\x6F\x6E\x64\x69\x74\x69\x6F\x6E\x73\x20\x6F\x66\x20\x75\x73\x65\x2C\x20\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x70\x72\x61\x63\x74\x69\x63\x65\x73\x2C\x20\x61\x6E\x64\x20\x74\x68\x65\x20\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x50\x6F\x6C\x69\x63\x79\x2E\x30\x22\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x16\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x71\x75\x6F\x76\x61\x64\x69\x73\x2E\x62\x6D\x30\x1D\x06\x03\x55\x1D\x0E\x0
4\x16\x04\x14\x8B\x4B\x6D\xED\xD3\x29\xB9\x06\x19\xEC\x39\x39\xA9\xF0\x97\x84\x6A\xCB\xEF\xDF\x30\x81\xAE\x06\x03\x55\x1D\x23\x04\x81\xA6\x30\x81\xA3\x80\x14\x8B\x4B\x6D\xED\xD3\x29\xB9\x06\x19\xEC\x39\x39\xA9\xF0\x97\x84\x6A\xCB\xEF\xDF\xA1\x81\x84\xA4\x81\x81\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x82\x04\x3A\xB6\x50\x8B\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x8A\xD4\x14\xB5\xFE\xF4\x9A\x92\xA7\x19\xD4\xA4\x7E\x72\x18\x8F\xD9\x68\x7C\x52\x24\xDD\x67\x6F\x39\x7A\xC4\xAA\x5E\x3D\xE2\x58\xB0\x4D\x70\x98\x84\x61\xE8\x1B\xE3\x69\x18\x0E\xCE\xFB\x47\x50\xA0\x4E\xFF\xF0\x24\x1F\xBD\xB2\xCE\xF5\x27\xFC\xEC\x2F\x53\xAA\x73\x7B\x03\x3D\x74\x6E\xE6\x16\x9E\xEB\xA5\x2E\xC4\xBF\x56\x27\x50\x2B\x62\xBA\xBE\x4B\x1C\x3C\x55\x5C\x41\x1D\x24\xBE\x82\x20\x47\x5D\xD5\x44\x7E\x7A\x16\x68\xDF\x7D\x4D\x51\x70\x78\x57\x1D\x33\x1E\xFD\x02\x99\x9C\x0C\xCD\x0A\x05\x4F\xC7\xBB\x8E\xA4\x75\xFA\x4A\x6D\xB1\x80\x8E\x09\x56\xB9\x9C\x1A\x60\xFE\x5D\xC1\xD7\x7A\xDC\x11\x78\xD0\xD6\x5D\xC1\xB7\xD5\xAD\x32\x99\x03\x3A\x8A\xCC\x54\x25\x39\x31\x81\x7B\x13\x22\x51\xBA\x46\x6C\xA1\xBB\x9E\xFA\x04\x6C\x49\x26\x74\x8F\xD2\x73\xEB\xCC\x30\xA2\xE6\xEA\x59\x22\x87\xF8\x97\xF5\x0E\xFD\xEA\xCC\x92\xA4\x16\xC4\x52\x18\xEA\x21\xCE\xB1\xF1\xE6\x84\x81\xE5\xBA\xA9\x86\x28\xF2\x43\x5A\x5D\x12\x9D\xAC\x1E\xD9\xA8\xE5\x0A\x6A\xA7\x7F\xA0\x87\x29\xCF\xF2\x89\x4D\xD4\xEC\xC5\xE2\xE6\x7A\xD0\x36\x23\x8A\x4A\x74\x36\xF9", ["CN=QuoVadis Root CA 
2,O=QuoVadis Limited,C=BM"] = "\x30\x82\x05\xB7\x30\x82\x03\x9F\xA0\x03\x02\x01\x02\x02\x02\x05\x09\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x30\x36\x31\x31\x32\x34\x31\x38\x32\x37\x30\x30\x5A\x17\x0D\x33\x31\x31\x31\x32\x34\x31\x38\x32\x33\x33\x33\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x9A\x18\xCA\x4B\x94\x0D\x00\x2D\xAF\x03\x29\x8A\xF0\x0F\x81\xC8\xAE\x4C\x19\x85\x1D\x08\x9F\xAB\x29\x44\x85\xF3\x2F\x81\xAD\x32\x1E\x90\x46\xBF\xA3\x86\x26\x1A\x1E\xFE\x7E\x1C\x18\x3A\x5C\x9C\x60\x17\x2A\x3A\x74\x83\x33\x30\x7D\x61\x54\x11\xCB\xED\xAB\xE0\xE6\xD2\xA2\x7E\xF5\x6B\x6F\x18\xB7\x0A\x0B\x2D\xFD\xE9\x3E\xEF\x0A\xC6\xB3\x10\xE9\xDC\xC2\x46\x17\xF8\x5D\xFD\xA4\xDA\xFF\x9E\x49\x5A\x9C\xE6\x33\xE6\x24\x96\xF7\x3F\xBA\x5B\x2B\x1C\x7A\x35\xC2\xD6\x67\xFE\xAB\x66\x50\x8B\x6D\x28\x60\x2B\xEF\xD7\x60\xC3\xC7\x93\xBC\x8D\x36\x91\xF3\x7F\xF8\xDB\x11\x13\xC4\x9C\x77\x76\xC1\xAE\xB7\x02\x6A\x81\x7A\xA9\x45\x83\xE2\x05\xE6\xB9\x56\xC1\x94\x37\x8F\x48\x71\x63\x22\xEC\x17\x65\x07\x95\x8A\x4B\xDF\x8F\xC6\x5A\x0A\xE5\xB0\xE3\x5F\x5E\x6B\x11\xAB\x0C\xF9\x85\xEB\x44\xE9\xF8\x04\x73\xF2\xE9\xFE\x5C\x98\x8C\xF5\x73\xAF\x6B\xB4\x7E\xCD\xD4\x5C\x02\x2B\x4C\x39\xE1\xB2\x95\x95\x2D\x42\x87\xD7\xD5\xB3\x90\x43\xB7\x6C\x13\xF1\xDE\xDD\xF6\xC4\xF8\x89\x3F\xD1\x75\xF5\x92\xC3\x91\xD5\x8A\x88\xD0\x90\xEC\xDC\x6D\xDE\
x89\xC2\x65\x71\x96\x8B\x0D\x03\xFD\x9C\xBF\x5B\x16\xAC\x92\xDB\xEA\xFE\x79\x7C\xAD\xEB\xAF\xF7\x16\xCB\xDB\xCD\x25\x2B\xE5\x1F\xFB\x9A\x9F\xE2\x51\xCC\x3A\x53\x0C\x48\xE6\x0E\xBD\xC9\xB4\x76\x06\x52\xE6\x11\x13\x85\x72\x63\x03\x04\xE0\x04\x36\x2B\x20\x19\x02\xE8\x74\xA7\x1F\xB6\xC9\x56\x66\xF0\x75\x25\xDC\x67\xC1\x0E\x61\x60\x88\xB3\x3E\xD1\xA8\xFC\xA3\xDA\x1D\xB0\xD1\xB1\x23\x54\xDF\x44\x76\x6D\xED\x41\xD8\xC1\xB2\x22\xB6\x53\x1C\xDF\x35\x1D\xDC\xA1\x77\x2A\x31\xE4\x2D\xF5\xE5\xE5\xDB\xC8\xE0\xFF\xE5\x80\xD7\x0B\x63\xA0\xFF\x33\xA1\x0F\xBA\x2C\x15\x15\xEA\x97\xB3\xD2\xA2\xB5\xBE\xF2\x8C\x96\x1E\x1A\x8F\x1D\x6C\xA4\x61\x37\xB9\x86\x73\x33\xD7\x97\x96\x9E\x23\x7D\x82\xA4\x4C\x81\xE2\xA1\xD1\xBA\x67\x5F\x95\x07\xA3\x27\x11\xEE\x16\x10\x7B\xBC\x45\x4A\x4C\xB2\x04\xD2\xAB\xEF\xD5\xFD\x0C\x51\xCE\x50\x6A\x08\x31\xF9\x91\xDA\x0C\x8F\x64\x5C\x03\xC3\x3A\x8B\x20\x3F\x6E\x8D\x67\x3D\x3A\xD6\xFE\x7D\x5B\x88\xC9\x5E\xFB\xCC\x61\xDC\x8B\x33\x77\xD3\x44\x32\x35\x09\x62\x04\x92\x16\x10\xD8\x9E\x27\x47\xFB\x3B\x21\xE3\xF8\xEB\x1D\x5B\x02\x03\x01\x00\x01\xA3\x81\xB0\x30\x81\xAD\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x1A\x84\x62\xBC\x48\x4C\x33\x25\x04\xD4\xEE\xD0\xF6\x03\xC4\x19\x46\xD1\x94\x6B\x30\x6E\x06\x03\x55\x1D\x23\x04\x67\x30\x65\x80\x14\x1A\x84\x62\xBC\x48\x4C\x33\x25\x04\xD4\xEE\xD0\xF6\x03\xC4\x19\x46\xD1\x94\x6B\xA1\x49\xA4\x47\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x82\x02\x05\x09\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x3E\x0A\x16\x4D\x9F\x06\x5B\xA8\xAE\x71\x5D\x2F\x05\x2F\x67\xE6\x13\x45\x83\xC4\x36\xF6\xF3\xC0\x26\x0C\x0D\xB5\x47\x64\x5D\xF8\xB4\x72\xC9\x46\xA5\
x03\x18\x27\x55\x89\x78\x7D\x76\xEA\x96\x34\x80\x17\x20\xDC\xE7\x83\xF8\x8D\xFC\x07\xB8\xDA\x5F\x4D\x2E\x67\xB2\x84\xFD\xD9\x44\xFC\x77\x50\x81\xE6\x7C\xB4\xC9\x0D\x0B\x72\x53\xF8\x76\x07\x07\x41\x47\x96\x0C\xFB\xE0\x82\x26\x93\x55\x8C\xFE\x22\x1F\x60\x65\x7C\x5F\xE7\x26\xB3\xF7\x32\x90\x98\x50\xD4\x37\x71\x55\xF6\x92\x21\x78\xF7\x95\x79\xFA\xF8\x2D\x26\x87\x66\x56\x30\x77\xA6\x37\x78\x33\x52\x10\x58\xAE\x3F\x61\x8E\xF2\x6A\xB1\xEF\x18\x7E\x4A\x59\x63\xCA\x8D\xA2\x56\xD5\xA7\x2F\xBC\x56\x1F\xCF\x39\xC1\xE2\xFB\x0A\xA8\x15\x2C\x7D\x4D\x7A\x63\xC6\x6C\x97\x44\x3C\xD2\x6F\xC3\x4A\x17\x0A\xF8\x90\xD2\x57\xA2\x19\x51\xA5\x2D\x97\x41\xDA\x07\x4F\xA9\x50\xDA\x90\x8D\x94\x46\xE1\x3E\xF0\x94\xFD\x10\x00\x38\xF5\x3B\xE8\x40\xE1\xB4\x6E\x56\x1A\x20\xCC\x6F\x58\x8D\xED\x2E\x45\x8F\xD6\xE9\x93\x3F\xE7\xB1\x2C\xDF\x3A\xD6\x22\x8C\xDC\x84\xBB\x22\x6F\xD0\xF8\xE4\xC6\x39\xE9\x04\x88\x3C\xC3\xBA\xEB\x55\x7A\x6D\x80\x99\x24\xF5\x6C\x01\xFB\xF8\x97\xB0\x94\x5B\xEB\xFD\xD2\x6F\xF1\x77\x68\x0D\x35\x64\x23\xAC\xB8\x55\xA1\x03\xD1\x4D\x42\x19\xDC\xF8\x75\x59\x56\xA3\xF9\xA8\x49\x79\xF8\xAF\x0E\xB9\x11\xA0\x7C\xB7\x6A\xED\x34\xD0\xB6\x26\x62\x38\x1A\x87\x0C\xF8\xE8\xFD\x2E\xD3\x90\x7F\x07\x91\x2A\x1D\xD6\x7E\x5C\x85\x83\x99\xB0\x38\x08\x3F\xE9\x5E\xF9\x35\x07\xE4\xC9\x62\x6E\x57\x7F\xA7\x50\x95\xF7\xBA\xC8\x9B\xE6\x8E\xA2\x01\xC5\xD6\x66\xBF\x79\x61\xF3\x3C\x1C\xE1\xB9\x82\x5C\x5D\xA0\xC3\xE9\xD8\x48\xBD\x19\xA2\x11\x14\x19\x6E\xB2\x86\x1B\x68\x3E\x48\x37\x1A\x88\xB7\x5D\x96\x5E\x9C\xC7\xEF\x27\x62\x08\xE2\x91\x19\x5C\xD2\xF1\x21\xDD\xBA\x17\x42\x82\x97\x71\x81\x53\x31\xA9\x9F\xF6\x7D\x62\xBF\x72\xE1\xA3\x93\x1D\xCC\x8A\x26\x5A\x09\x38\xD0\xCE\xD7\x0D\x80\x16\xB4\x78\xA5\x3A\x87\x4C\x8D\x8A\xA5\xD5\x46\x97\xF2\x2C\x10\xB9\xBC\x54\x22\xC0\x01\x50\x69\x43\x9E\xF4\xB2\xEF\x6D\xF8\xEC\xDA\xF1\xE3\xB1\xEF\xDF\x91\x8F\x54\x2A\x0B\x25\xC1\x26\x19\xC4\x52\x10\x05\x65\xD5\x82\x10\xEA\xC2\x31\xCD\x2E", ["CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM"] = 
"\x30\x82\x06\x9D\x30\x82\x04\x85\xA0\x03\x02\x01\x02\x02\x02\x05\xC6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x33\x30\x1E\x17\x0D\x30\x36\x31\x31\x32\x34\x31\x39\x31\x31\x32\x33\x5A\x17\x0D\x33\x31\x31\x31\x32\x34\x31\x39\x30\x36\x34\x34\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x33\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xCC\x57\x42\x16\x54\x9C\xE6\x98\xD3\xD3\x4D\xEE\xFE\xED\xC7\x9F\x43\x39\x4A\x65\xB3\xE8\x16\x88\x34\xDB\x0D\x59\x91\x74\xCF\x92\xB8\x04\x40\xAD\x02\x4B\x31\xAB\xBC\x8D\x91\x68\xD8\x20\x0E\x1A\x01\xE2\x1A\x7B\x4E\x17\x5D\xE2\x8A\xB7\x3F\x99\x1A\xCD\xEB\x61\xAB\xC2\x65\xA6\x1F\xB7\xB7\xBD\xB7\x8F\xFC\xFD\x70\x8F\x0B\xA0\x67\xBE\x01\xA2\x59\xCF\x71\xE6\x0F\x29\x76\xFF\xB1\x56\x79\x45\x2B\x1F\x9E\x7A\x54\xE8\xA3\x29\x35\x68\xA4\x01\x4F\x0F\xA4\x2E\x37\xEF\x1B\xBF\xE3\x8F\x10\xA8\x72\xAB\x58\x57\xE7\x54\x86\xC8\xC9\xF3\x5B\xDA\x2C\xDA\x5D\x8E\x6E\x3C\xA3\x3E\xDA\xFB\x82\xE5\xDD\xF2\x5C\xB2\x05\x33\x6F\x8A\x36\xCE\xD0\x13\x4E\xFF\xBF\x4A\x0C\x34\x4C\xA6\xC3\x21\xBD\x50\x04\x55\xEB\xB1\xBB\x9D\xFB\x45\x1E\x64\x15\xDE\x55\x01\x8C\x02\x76\xB5\xCB\xA1\x3F\x42\x69\xBC\x2F\xBD\x68\x43\x16\x56\x89\x2A\x37\x61\x91\xFD\xA6\xAE\x4E\xC0\xCB\x14\x65\x94\x37\x4B\x92\x06\xEF\x04\xD0\xC8\x9C\x88\xDB\x0B\x7B\x81\xAF\xB1\x3D\x2A\xC4\x65\x3A\x78\xB6\xEE\xDC\x80\xB1\xD2\xD3\x99\x9C\x3A\xEE\x6B\x5A\x6B\xB3\x8D\xB7\xD5\xCE\x9C\xC2\xBE\xA5\x4B\x2F\x16\xB
1\x9E\x68\x3B\x06\x6F\xAE\x7D\x9F\xF8\xDE\xEC\xCC\x29\xA7\x98\xA3\x25\x43\x2F\xEF\xF1\x5F\x26\xE1\x88\x4D\xF8\x5E\x6E\xD7\xD9\x14\x6E\x19\x33\x69\xA7\x3B\x84\x89\x93\xC4\x53\x55\x13\xA1\x51\x78\x40\xF8\xB8\xC9\xA2\xEE\x7B\xBA\x52\x42\x83\x9E\x14\xED\x05\x52\x5A\x59\x56\xA7\x97\xFC\x9D\x3F\x0A\x29\xD8\xDC\x4F\x91\x0E\x13\xBC\xDE\x95\xA4\xDF\x8B\x99\xBE\xAC\x9B\x33\x88\xEF\xB5\x81\xAF\x1B\xC6\x22\x53\xC8\xF6\xC7\xEE\x97\x14\xB0\xC5\x7C\x78\x52\xC8\xF0\xCE\x6E\x77\x60\x84\xA6\xE9\x2A\x76\x20\xED\x58\x01\x17\x30\x93\xE9\x1A\x8B\xE0\x73\x63\xD9\x6A\x92\x94\x49\x4E\xB4\xAD\x4A\x85\xC4\xA3\x22\x30\xFC\x09\xED\x68\x22\x73\xA6\x88\x0C\x55\x21\x58\xC5\xE1\x3A\x9F\x2A\xDD\xCA\xE1\x90\xE0\xD9\x73\xAB\x6C\x80\xB8\xE8\x0B\x64\x93\xA0\x9C\x8C\x19\xFF\xB3\xD2\x0C\xEC\x91\x26\x87\x8A\xB3\xA2\xE1\x70\x8F\x2C\x0A\xE5\xCD\x6D\x68\x51\xEB\xDA\x3F\x05\x7F\x8B\x32\xE6\x13\x5C\x6B\xFE\x5F\x40\xE2\x22\xC8\xB4\xB4\x64\x4F\xD6\xBA\x7D\x48\x3E\xA8\x69\x0C\xD7\xBB\x86\x71\xC9\x73\xB8\x3F\x3B\x9D\x25\x4B\xDA\xFF\x40\xEB\x02\x03\x01\x00\x01\xA3\x82\x01\x95\x30\x82\x01\x91\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\xE1\x06\x03\x55\x1D\x20\x04\x81\xD9\x30\x81\xD6\x30\x81\xD3\x06\x09\x2B\x06\x01\x04\x01\xBE\x58\x00\x03\x30\x81\xC5\x30\x81\x93\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x81\x86\x1A\x81\x83\x41\x6E\x79\x20\x75\x73\x65\x20\x6F\x66\x20\x74\x68\x69\x73\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x63\x6F\x6E\x73\x74\x69\x74\x75\x74\x65\x73\x20\x61\x63\x63\x65\x70\x74\x61\x6E\x63\x65\x20\x6F\x66\x20\x74\x68\x65\x20\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x33\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x50\x6F\x6C\x69\x63\x79\x20\x2F\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x50\x72\x61\x63\x74\x69\x63\x65\x20\x53\x74\x61\x74\x65\x6D\x65\x6E\x74\x2E\x30\x2D\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x21\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x71\x75\x6F\x76\x61\x64\x69\x73\x67\x6C\x6F\x62\x6
1\x6C\x2E\x63\x6F\x6D\x2F\x63\x70\x73\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xF2\xC0\x13\xE0\x82\x43\x3E\xFB\xEE\x2F\x67\x32\x96\x35\x5C\xDB\xB8\xCB\x02\xD0\x30\x6E\x06\x03\x55\x1D\x23\x04\x67\x30\x65\x80\x14\xF2\xC0\x13\xE0\x82\x43\x3E\xFB\xEE\x2F\x67\x32\x96\x35\x5C\xDB\xB8\xCB\x02\xD0\xA1\x49\xA4\x47\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x33\x82\x02\x05\xC6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x4F\xAD\xA0\x2C\x4C\xFA\xC0\xF2\x6F\xF7\x66\x55\xAB\x23\x34\xEE\xE7\x29\xDA\xC3\x5B\xB6\xB0\x83\xD9\xD0\xD0\xE2\x21\xFB\xF3\x60\xA7\x3B\x5D\x60\x53\x27\xA2\x9B\xF6\x08\x22\x2A\xE7\xBF\xA0\x72\xE5\x9C\x24\x6A\x31\xB1\x90\x7A\x27\xDB\x84\x11\x89\x27\xA6\x77\x5A\x38\xD7\xBF\xAC\x86\xFC\xEE\x5D\x83\xBC\x06\xC6\xD1\x77\x6B\x0F\x6D\x24\x2F\x4B\x7A\x6C\xA7\x07\x96\xCA\xE3\x84\x9F\xAD\x88\x8B\x1D\xAB\x16\x8D\x5B\x66\x17\xD9\x16\xF4\x8B\x80\xD2\xDD\xF8\xB2\x76\xC3\xFC\x38\x13\xAA\x0C\xDE\x42\x69\x2B\x6E\xF3\x3C\xEB\x80\x27\xDB\xF5\xA6\x44\x0D\x9F\x5A\x55\x59\x0B\xD5\x0D\x52\x48\xC5\xAE\x9F\xF2\x2F\x80\xC5\xEA\x32\x50\x35\x12\x97\x2E\xC1\xE1\xFF\xF1\x23\x88\x51\x38\x9F\xF2\x66\x56\x76\xE7\x0F\x51\x97\xA5\x52\x0C\x4D\x49\x51\x95\x36\x3D\xBF\xA2\x4B\x0C\x10\x1D\x86\x99\x4C\xAA\xF3\x72\x11\x93\xE4\xEA\xF6\x9B\xDA\xA8\x5D\xA7\x4D\xB7\x9E\x02\xAE\x73\x00\xC8\xDA\x23\x03\xE8\xF9\xEA\x19\x74\x62\x00\x94\xCB\x22\x20\xBE\x94\xA7\x59\xB5\x82\x6A\xBE\x99\x79\x7A\xA9\xF2\x4A\x24\x52\xF7\x74\xFD\xBA\x4E\xE6\xA8\x1D\x02\x6E\xB1\x0D\x80\x44\xC1\xAE\xD3\x23\x37\x5F\xBB\x85\x7C\x2B\x92\x2E\xE8\x7E\xA5\x8B\xDD\x99\xE1\xBF\x27\x6F\x2D\x5D\xAA\x7B\x87\xFE\x0A\xDD\x4B\xFC\x8E\xF5\x26\xE4\x6E\x70\x42\x6E\x33\xEC\x31\x9E\x7B\x93\xC1\xE4\xC9\x69\x1A\x3D\xC0\x6B\x4E\x22\x6
D\xEE\xAB\x58\x4D\xC6\xD0\x41\xC1\x2B\xEA\x4F\x12\x87\x5E\xEB\x45\xD8\x6C\xF5\x98\x02\xD3\xA0\xD8\x55\x8A\x06\x99\x19\xA2\xA0\x77\xD1\x30\x9E\xAC\xCC\x75\xEE\x83\xF5\xB0\x62\x39\xCF\x6C\x57\xE2\x4C\xD2\x91\x0B\x0E\x75\x28\x1B\x9A\xBF\xFD\x1A\x43\xF1\xCA\x77\xFB\x3B\x8F\x61\xB8\x69\x28\x16\x42\x04\x5E\x70\x2A\x1C\x21\xD8\x8F\xE1\xBD\x23\x5B\x2D\x74\x40\x92\xD9\x63\x19\x0D\x73\xDD\x69\xBC\x62\x47\xBC\xE0\x74\x2B\xB2\xEB\x7D\xBE\x41\x1B\xB5\xC0\x46\xC5\xA1\x22\xCB\x5F\x4E\xC1\x28\x92\xDE\x18\xBA\xD5\x2A\x28\xBB\x11\x8B\x17\x93\x98\x99\x60\x94\x5C\x23\xCF\x5A\x27\x97\x5E\x0B\x05\x06\x93\x37\x1E\x3B\x69\x36\xEB\xA9\x9E\x61\x1D\x8F\x32\xDA\x8E\x0C\xD6\x74\x3E\x7B\x09\x24\xDA\x01\x77\x47\xC4\x3B\xCD\x34\x8C\x99\xF5\xCA\xE1\x25\x61\x33\xB2\x59\x1B\xE2\x6E\xD7\x37\x57\xB6\x0D\xA9\x12\xDA", ["OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP"] = "\x30\x82\x03\x5A\x30\x82\x02\x42\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x50\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x43\x41\x31\x30\x1E\x17\x0D\x30\x33\x30\x39\x33\x30\x30\x34\x32\x30\x34\x39\x5A\x17\x0D\x32\x33\x30\x39\x33\x30\x30\x34\x32\x30\x34\x39\x5A\x30\x50\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x43\x41\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB3\xB3\xFE\x7F\xD3\x6D\xB1\xEF\x16\x7C\x57\xA5\x0C\x6D\x76\x8A\x2F\x4B\xBF\x64\xFB\x4C\xEE\x8A\xF0\xF3
\x29\x7C\xF5\xFF\xEE\x2A\xE0\xE9\xE9\xBA\x5B\x64\x22\x9A\x9A\x6F\x2C\x3A\x26\x69\x51\x05\x99\x26\xDC\xD5\x1C\x6A\x71\xC6\x9A\x7D\x1E\x9D\xDD\x7C\x6C\xC6\x8C\x67\x67\x4A\x3E\xF8\x71\xB0\x19\x27\xA9\x09\x0C\xA6\x95\xBF\x4B\x8C\x0C\xFA\x55\x98\x3B\xD8\xE8\x22\xA1\x4B\x71\x38\x79\xAC\x97\x92\x69\xB3\x89\x7E\xEA\x21\x68\x06\x98\x14\x96\x87\xD2\x61\x36\xBC\x6D\x27\x56\x9E\x57\xEE\xC0\xC0\x56\xFD\x32\xCF\xA4\xD9\x8E\xC2\x23\xD7\x8D\xA8\xF3\xD8\x25\xAC\x97\xE4\x70\x38\xF4\xB6\x3A\xB4\x9D\x3B\x97\x26\x43\xA3\xA1\xBC\x49\x59\x72\x4C\x23\x30\x87\x01\x58\xF6\x4E\xBE\x1C\x68\x56\x66\xAF\xCD\x41\x5D\xC8\xB3\x4D\x2A\x55\x46\xAB\x1F\xDA\x1E\xE2\x40\x3D\xDB\xCD\x7D\xB9\x92\x80\x9C\x37\xDD\x0C\x96\x64\x9D\xDC\x22\xF7\x64\x8B\xDF\x61\xDE\x15\x94\x52\x15\xA0\x7D\x52\xC9\x4B\xA8\x21\xC9\xC6\xB1\xED\xCB\xC3\x95\x60\xD1\x0F\xF0\xAB\x70\xF8\xDF\xCB\x4D\x7E\xEC\xD6\xFA\xAB\xD9\xBD\x7F\x54\xF2\xA5\xE9\x79\xFA\xD9\xD6\x76\x24\x28\x73\x02\x03\x01\x00\x01\xA3\x3F\x30\x3D\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA0\x73\x49\x99\x68\xDC\x85\x5B\x65\xE3\x9B\x28\x2F\x57\x9F\xBD\x33\xBC\x07\x48\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x68\x40\xA9\xA8\xBB\xE4\x4F\x5D\x79\xB3\x05\xB5\x17\xB3\x60\x13\xEB\xC6\x92\x5D\xE0\xD1\xD3\x6A\xFE\xFB\xBE\x9B\x6D\xBF\xC7\x05\x6D\x59\x20\xC4\x1C\xF0\xB7\xDA\x84\x58\x02\x63\xFA\x48\x16\xEF\x4F\xA5\x0B\xF7\x4A\x98\xF2\x3F\x9E\x1B\xAD\x47\x6B\x63\xCE\x08\x47\xEB\x52\x3F\x78\x9C\xAF\x4D\xAE\xF8\xD5\x4F\xCF\x9A\x98\x2A\x10\x41\x39\x52\xC4\xDD\xD9\x9B\x0E\xEF\x93\x01\xAE\xB2\x2E\xCA\x68\x42\x24\x42\x6C\xB0\xB3\x3A\x3E\xCD\xE9\xDA\x48\xC4\x15\xCB\xE9\xF9\x07\x0F\x92\x50\x49\x8A\xDD\x31\x97\x5F\xC9\xE9\x37\xAA\x3B\x59\x65\x97\x94\x32\xC9\xB3\x9F\x3E\x3A\x62\x58\xC5\x49\xAD\x62\x0E\x71\xA5\x32\xAA\x2F\xC6\x89\x76\x43\x40\x13\x13\x67\x3D\xA2\x54\x25\x10\xCB\xF1\x3A\xF2\xD9\xFA\xDB\x49\x56\xBB\xA6\xFE\xA7\x41\x35\xC3
\xE0\x88\x61\xC9\x88\xC7\xDF\x36\x10\x22\x98\x59\xEA\xB0\x4A\xFB\x56\x16\x73\x6E\xAC\x4D\xF7\x22\xA1\x4F\xAD\x1D\x7A\x2D\x45\x27\xE5\x30\xC1\x5E\xF2\xDA\x13\xCB\x25\x42\x51\x95\x47\x03\x8C\x6C\x21\xCC\x74\x42\xED\x53\xFF\x33\x8B\x8F\x0F\x57\x01\x16\x2F\xCF\xA6\xEE\xC9\x70\x22\x14\xBD\xFD\xBE\x6C\x0B\x03", ["CN=Sonera Class2 CA,O=Sonera,C=FI"] = "\x30\x82\x03\x20\x30\x82\x02\x08\xA0\x03\x02\x01\x02\x02\x01\x1D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x49\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x53\x6F\x6E\x65\x72\x61\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x53\x6F\x6E\x65\x72\x61\x20\x43\x6C\x61\x73\x73\x32\x20\x43\x41\x30\x1E\x17\x0D\x30\x31\x30\x34\x30\x36\x30\x37\x32\x39\x34\x30\x5A\x17\x0D\x32\x31\x30\x34\x30\x36\x30\x37\x32\x39\x34\x30\x5A\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x49\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x53\x6F\x6E\x65\x72\x61\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x53\x6F\x6E\x65\x72\x61\x20\x43\x6C\x61\x73\x73\x32\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x90\x17\x4A\x35\x9D\xCA\xF0\x0D\x96\xC7\x44\xFA\x16\x37\xFC\x48\xBD\xBD\x7F\x80\x2D\x35\x3B\xE1\x6F\xA8\x67\xA9\xBF\x03\x1C\x4D\x8C\x6F\x32\x47\xD5\x41\x68\xA4\x13\x04\xC1\x35\x0C\x9A\x84\x43\xFC\x5C\x1D\xFF\x89\xB3\xE8\x17\x18\xCD\x91\x5F\xFB\x89\xE3\xEA\xBF\x4E\x5D\x7C\x1B\x26\xD3\x75\x79\xED\xE6\x84\xE3\x57\xE5\xAD\x29\xC4\xF4\x3A\x28\xE7\xA5\x7B\x84\x36\x69\xB3\xFD\x5E\x76\xBD\xA3\x2D\x99\xD3\x90\x4E\x23\x28\x7D\x18\x63\xF1\x54\x3B\x26\x9D\x76\x5B\x97\x42\xB2\xFF\xAE\xF0\x4E\xEC\xDD\x39\x95\x4E\x83\x06\x7F\xE7\x49\x40\xC8\xC5\x01\xB2\x54\x5A\x66\x1D\x3D\xFC\xF9\xE9\x3C\x0A\x9E\x81\xB8\x70\xF0\x01\x8B\xE4\x23\x54\x7C\xC8\xAE\xF8\x90\x1E\x00\x96\x72\xD4\x54\xCF\x61\x23\xBC\xEA\xFB\x9D\x02\x95\xD1\xB6\xB9\x71\x3A\x69\x08\x3F\x0F\xB4\xE1\x42\xC7\x88\xF5\x3F\x98\xA8\xA7\xBA\x1C\xE0\x71
\x71\xEF\x58\x57\x81\x50\x7A\x5C\x6B\x74\x46\x0E\x83\x03\x98\xC3\x8E\xA8\x6E\xF2\x76\x32\x6E\x27\x83\xC2\x73\xF3\xDC\x18\xE8\xB4\x93\xEA\x75\x44\x6B\x04\x60\x20\x71\x57\x87\x9D\xF3\xBE\xA0\x90\x23\x3D\x8A\x24\xE1\xDA\x21\xDB\xC3\x02\x03\x01\x00\x01\xA3\x33\x30\x31\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x11\x06\x03\x55\x1D\x0E\x04\x0A\x04\x08\x4A\xA0\xAA\x58\x84\xD3\x5E\x3C\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x5A\xCE\x87\xF9\x16\x72\x15\x57\x4B\x1D\xD9\x9B\xE7\xA2\x26\x30\xEC\x93\x67\xDF\xD6\x2D\xD2\x34\xAF\xF7\x38\xA5\xCE\xAB\x16\xB9\xAB\x2F\x7C\x35\xCB\xAC\xD0\x0F\xB4\x4C\x2B\xFC\x80\xEF\x6B\x8C\x91\x5F\x36\x76\xF7\xDB\xB3\x1B\x19\xEA\xF4\xB2\x11\xFD\x61\x71\x44\xBF\x28\xB3\x3A\x1D\xBF\xB3\x43\xE8\x9F\xBF\xDC\x31\x08\x71\xB0\x9D\x8D\xD6\x34\x47\x32\x90\xC6\x65\x24\xF7\xA0\x4A\x7C\x04\x73\x8F\x39\x6F\x17\x8C\x72\xB5\xBD\x4B\xC8\x7A\xF8\x7B\x83\xC3\x28\x4E\x9C\x09\xEA\x67\x3F\xB2\x67\x04\x1B\xC3\x14\xDA\xF8\xE7\x49\x24\x91\xD0\x1D\x6A\xFA\x61\x39\xEF\x6B\xE7\x21\x75\x06\x07\xD8\x12\xB4\x21\x20\x70\x42\x71\x81\xDA\x3C\x9A\x36\xBE\xA6\x5B\x0D\x6A\x6C\x9A\x1F\x91\x7B\xF9\xF9\xEF\x42\xBA\x4E\x4E\x9E\xCC\x0C\x8D\x94\xDC\xD9\x45\x9C\x5E\xEC\x42\x50\x63\xAE\xF4\x5D\xC4\xB1\x12\xDC\xCA\x3B\xA8\x2E\x9D\x14\x5A\x05\x75\xB7\xEC\xD7\x63\xE2\xBA\x35\xB6\x04\x08\x91\xE8\xDA\x9D\x9C\xF6\x66\xB5\x18\xAC\x0A\xA6\x54\x26\x34\x33\xD2\x1B\xC1\xD4\x7F\x1A\x3A\x8E\x0B\xAA\x32\x6E\xDB\xFC\x4F\x25\x9F\xD9\x32\xC7\x96\x5A\x70\xAC\xDF\x4C", - ["CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US"] = 
"\x30\x82\x04\x74\x30\x82\x03\x5C\xA0\x03\x02\x01\x02\x02\x10\x44\xBE\x0C\x8B\x50\x00\x24\xB4\x11\xD3\x36\x2A\xFE\x65\x0A\xFD\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x97\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0B\x30\x09\x06\x03\x55\x04\x08\x13\x02\x55\x54\x31\x17\x30\x15\x06\x03\x55\x04\x07\x13\x0E\x53\x61\x6C\x74\x20\x4C\x61\x6B\x65\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x21\x30\x1F\x06\x03\x55\x04\x0B\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x75\x73\x65\x72\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x55\x54\x4E\x2D\x55\x53\x45\x52\x46\x69\x72\x73\x74\x2D\x48\x61\x72\x64\x77\x61\x72\x65\x30\x1E\x17\x0D\x39\x39\x30\x37\x30\x39\x31\x38\x31\x30\x34\x32\x5A\x17\x0D\x31\x39\x30\x37\x30\x39\x31\x38\x31\x39\x32\x32\x5A\x30\x81\x97\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0B\x30\x09\x06\x03\x55\x04\x08\x13\x02\x55\x54\x31\x17\x30\x15\x06\x03\x55\x04\x07\x13\x0E\x53\x61\x6C\x74\x20\x4C\x61\x6B\x65\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x21\x30\x1F\x06\x03\x55\x04\x0B\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x75\x73\x65\x72\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x55\x54\x4E\x2D\x55\x53\x45\x52\x46\x69\x72\x73\x74\x2D\x48\x61\x72\x64\x77\x61\x72\x65\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB1\xF7\xC3\x38\x3F\xB4\xA8\x7F\xCF\x39\x82\x51\x67\xD0\x6D\x9F\xD2\xFF\x58\xF3\xE7\x9F\x2B\xEC\x0D\x89\x54\x99\xB9\x38\x99\x16\xF7\xE0\x21\x79\x48\xC2\xBB\x61\x74\x12\x96\x1D\x3C\x6A\x72\xD5\x3C\x10\x67\x3A\x39\xED\x2B\x13\xCD\x66\xEB\x95\x09\x33\xA4\x6C\x97\xB1\xE8\xC6\xEC\xC1\x75\x79\x9C\x46\x5E\x8D\xAB\xD0\x6A\xFD\xB
9\x2A\x55\x17\x10\x54\xB3\x19\xF0\x9A\xF6\xF1\xB1\x5D\xB6\xA7\x6D\xFB\xE0\x71\x17\x6B\xA2\x88\xFB\x00\xDF\xFE\x1A\x31\x77\x0C\x9A\x01\x7A\xB1\x32\xE3\x2B\x01\x07\x38\x6E\xC3\xA5\x5E\x23\xBC\x45\x9B\x7B\x50\xC1\xC9\x30\x8F\xDB\xE5\x2B\x7A\xD3\x5B\xFB\x33\x40\x1E\xA0\xD5\x98\x17\xBC\x8B\x87\xC3\x89\xD3\x5D\xA0\x8E\xB2\xAA\xAA\xF6\x8E\x69\x88\x06\xC5\xFA\x89\x21\xF3\x08\x9D\x69\x2E\x09\x33\x9B\x29\x0D\x46\x0F\x8C\xCC\x49\x34\xB0\x69\x51\xBD\xF9\x06\xCD\x68\xAD\x66\x4C\xBC\x3E\xAC\x61\xBD\x0A\x88\x0E\xC8\xDF\x3D\xEE\x7C\x04\x4C\x9D\x0A\x5E\x6B\x91\xD6\xEE\xC7\xED\x28\x8D\xAB\x4D\x87\x89\x73\xD0\x6E\xA4\xD0\x1E\x16\x8B\x14\xE1\x76\x44\x03\x7F\x63\xAC\xE4\xCD\x49\x9C\xC5\x92\xF4\xAB\x32\xA1\x48\x5B\x02\x03\x01\x00\x01\xA3\x81\xB9\x30\x81\xB6\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\xC6\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA1\x72\x5F\x26\x1B\x28\x98\x43\x95\x5D\x07\x37\xD5\x85\x96\x9D\x4B\xD2\xC3\x45\x30\x44\x06\x03\x55\x1D\x1F\x04\x3D\x30\x3B\x30\x39\xA0\x37\xA0\x35\x86\x33\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x75\x73\x65\x72\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x2F\x55\x54\x4E\x2D\x55\x53\x45\x52\x46\x69\x72\x73\x74\x2D\x48\x61\x72\x64\x77\x61\x72\x65\x2E\x63\x72\x6C\x30\x31\x06\x03\x55\x1D\x25\x04\x2A\x30\x28\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x01\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x05\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x06\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x07\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x47\x19\x0F\xDE\x74\xC6\x99\x97\xAF\xFC\xAD\x28\x5E\x75\x8E\xEB\x2D\x67\xEE\x4E\x7B\x2B\xD7\x0C\xFF\xF6\xDE\xCB\x55\xA2\x0A\xE1\x4C\x54\x65\x93\x60\x6B\x9F\x12\x9C\xAD\x5E\x83\x2C\xEB\x5A\xAE\xC0\xE4\x2D\xF4\x00\x63\x1D\xB8\xC0\x6C\xF2\xCF\x49\xBB\x4D\x93\x6F\x06\xA6\x0A\x22\xB2\x49\x62\x08\x4E\xFF\xC8\xC8\x14\xB2\x88\x16\x5D\xE7\x01\xE4\x12\x95\xE5\x45\x34\xB3\x8B\x69\xBD\xCF\xB4\x85\x8F\x75\x51\x9E\x7D\x3A\x38\x3A\x14\x48\x12\xC6\xFB\xA7\x3
B\x1A\x8D\x0D\x82\x40\x07\xE8\x04\x08\x90\xA1\x89\xCB\x19\x50\xDF\xCA\x1C\x01\xBC\x1D\x04\x19\x7B\x10\x76\x97\x3B\xEE\x90\x90\xCA\xC4\x0E\x1F\x16\x6E\x75\xEF\x33\xF8\xD3\x6F\x5B\x1E\x96\xE3\xE0\x74\x77\x74\x7B\x8A\xA2\x6E\x2D\xDD\x76\xD6\x39\x30\x82\xF0\xAB\x9C\x52\xF2\x2A\xC7\xAF\x49\x5E\x7E\xC7\x68\xE5\x82\x81\xC8\x6A\x27\xF9\x27\x88\x2A\xD5\x58\x50\x95\x1F\xF0\x3B\x1C\x57\xBB\x7D\x14\x39\x62\x2B\x9A\xC9\x94\x92\x2A\xA3\x22\x0C\xFF\x89\x26\x7D\x5F\x23\x2B\x47\xD7\x15\x1D\xA9\x6A\x9E\x51\x0D\x2A\x51\x9E\x81\xF9\xD4\x3B\x5E\x70\x12\x7F\x10\x32\x9C\x1E\xBB\x9D\xF8\x66\xA8", - ["CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU"] = "\x30\x82\x04\xBD\x30\x82\x03\xA5\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x41\x20\x43\x49\x46\x20\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x13\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x68\x61\x6D\x62\x65\x72\x73\x20\x6F\x66\x20\x43\x6F\x6D\x6D\x65\x72\x63\x65\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x33\x30\x39\x33\x30\x31\x36\x31\x33\x34\x33\x5A\x17\x0D\x33\x37\x30\x39\x33\x30\x31\x36\x31\x33\x34\x34\x5A\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x41\x20\x43\x49\x46\x20\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x13\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x68\x61\x6D\x62\x65\x72\x73\x20\x6F\x66\x20\x43\x6F\x6D\x6D\x65\x72\x63\x65\x20\x52\x6F\x6F\x74\x30\x82\x01\x20\x30\x0D\x06\x
09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0D\x00\x30\x82\x01\x08\x02\x82\x01\x01\x00\xB7\x36\x55\xE5\xA5\x5D\x18\x30\xE0\xDA\x89\x54\x91\xFC\xC8\xC7\x52\xF8\x2F\x50\xD9\xEF\xB1\x75\x73\x65\x47\x7D\x1B\x5B\xBA\x75\xC5\xFC\xA1\x88\x24\xFA\x2F\xED\xCA\x08\x4A\x39\x54\xC4\x51\x7A\xB5\xDA\x60\xEA\x38\x3C\x81\xB2\xCB\xF1\xBB\xD9\x91\x23\x3F\x48\x01\x70\x75\xA9\x05\x2A\xAD\x1F\x71\xF3\xC9\x54\x3D\x1D\x06\x6A\x40\x3E\xB3\x0C\x85\xEE\x5C\x1B\x79\xC2\x62\xC4\xB8\x36\x8E\x35\x5D\x01\x0C\x23\x04\x47\x35\xAA\x9B\x60\x4E\xA0\x66\x3D\xCB\x26\x0A\x9C\x40\xA1\xF4\x5D\x98\xBF\x71\xAB\xA5\x00\x68\x2A\xED\x83\x7A\x0F\xA2\x14\xB5\xD4\x22\xB3\x80\xB0\x3C\x0C\x5A\x51\x69\x2D\x58\x18\x8F\xED\x99\x9E\xF1\xAE\xE2\x95\xE6\xF6\x47\xA8\xD6\x0C\x0F\xB0\x58\x58\xDB\xC3\x66\x37\x9E\x9B\x91\x54\x33\x37\xD2\x94\x1C\x6A\x48\xC9\xC9\xF2\xA5\xDA\xA5\x0C\x23\xF7\x23\x0E\x9C\x32\x55\x5E\x71\x9C\x84\x05\x51\x9A\x2D\xFD\xE6\x4E\x2A\x34\x5A\xDE\xCA\x40\x37\x67\x0C\x54\x21\x55\x77\xDA\x0A\x0C\xCC\x97\xAE\x80\xDC\x94\x36\x4A\xF4\x3E\xCE\x36\x13\x1E\x53\xE4\xAC\x4E\x3A\x05\xEC\xDB\xAE\x72\x9C\x38\x8B\xD0\x39\x3B\x89\x0A\x3E\x77\xFE\x75\x02\x01\x03\xA3\x82\x01\x44\x30\x82\x01\x40\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x0C\x30\x3C\x06\x03\x55\x1D\x1F\x04\x35\x30\x33\x30\x31\xA0\x2F\xA0\x2D\x86\x2B\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x2F\x63\x68\x61\x6D\x62\x65\x72\x73\x72\x6F\x6F\x74\x2E\x63\x72\x6C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE3\x94\xF5\xB1\x4D\xE9\xDB\xA1\x29\x5B\x57\x8B\x4D\x76\x06\x76\xE1\xD1\xA2\x8A\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x27\x06\x03\x55\x1D\x11\x04\x20\x30\x1E\x81\x1C\x63\x68\x61\x6D\x62\x65\x72\x73\x72\x6F\x6F\x74\x40\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x30\x27\x06\x03\x55\x1D\x12\x04\x20\x30\x1E\x81\x1C\x63\x68\x61\x6D\x62\x
65\x72\x73\x72\x6F\x6F\x74\x40\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x30\x58\x06\x03\x55\x1D\x20\x04\x51\x30\x4F\x30\x4D\x06\x0B\x2B\x06\x01\x04\x01\x81\x87\x2E\x0A\x03\x01\x30\x3E\x30\x3C\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x30\x68\x74\x74\x70\x3A\x2F\x2F\x63\x70\x73\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x2F\x63\x70\x73\x2F\x63\x68\x61\x6D\x62\x65\x72\x73\x72\x6F\x6F\x74\x2E\x68\x74\x6D\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x0C\x41\x97\xC2\x1A\x86\xC0\x22\x7C\x9F\xFB\x90\xF3\x1A\xD1\x03\xB1\xEF\x13\xF9\x21\x5F\x04\x9C\xDA\xC9\xA5\x8D\x27\x6C\x96\x87\x91\xBE\x41\x90\x01\x72\x93\xE7\x1E\x7D\x5F\xF6\x89\xC6\x5D\xA7\x40\x09\x3D\xAC\x49\x45\x45\xDC\x2E\x8D\x30\x68\xB2\x09\xBA\xFB\xC3\x2F\xCC\xBA\x0B\xDF\x3F\x77\x7B\x46\x7D\x3A\x12\x24\x8E\x96\x8F\x3C\x05\x0A\x6F\xD2\x94\x28\x1D\x6D\x0C\xC0\x2E\x88\x22\xD5\xD8\xCF\x1D\x13\xC7\xF0\x48\xD7\xD7\x05\xA7\xCF\xC7\x47\x9E\x3B\x3C\x34\xC8\x80\x4F\xD4\x14\xBB\xFC\x0D\x50\xF7\xFA\xB3\xEC\x42\x5F\xA9\xDD\x6D\xC8\xF4\x75\xCF\x7B\xC1\x72\x26\xB1\x01\x1C\x5C\x2C\xFD\x7A\x4E\xB4\x01\xC5\x05\x57\xB9\xE7\x3C\xAA\x05\xD9\x88\xE9\x07\x46\x41\xCE\xEF\x41\x81\xAE\x58\xDF\x83\xA2\xAE\xCA\xD7\x77\x1F\xE7\x00\x3C\x9D\x6F\x8E\xE4\x32\x09\x1D\x4D\x78\x34\x78\x34\x3C\x94\x9B\x26\xED\x4F\x71\xC6\x19\x7A\xBD\x20\x22\x48\x5A\xFE\x4B\x7D\x03\xB7\xE7\x58\xBE\xC6\x32\x4E\x74\x1E\x68\xDD\xA8\x68\x5B\xB3\x3E\xEE\x62\x7D\xD9\x80\xE8\x0A\x75\x7A\xB7\xEE\xB4\x65\x9A\x21\x90\xE0\xAA\xD0\x98\xBC\x38\xB5\x73\x3C\x8B\xF8\xDC", - ["CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU"] = 
"\x30\x82\x04\xC5\x30\x82\x03\xAD\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x41\x20\x43\x49\x46\x20\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x13\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x47\x6C\x6F\x62\x61\x6C\x20\x43\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x33\x30\x39\x33\x30\x31\x36\x31\x34\x31\x38\x5A\x17\x0D\x33\x37\x30\x39\x33\x30\x31\x36\x31\x34\x31\x38\x5A\x30\x7D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x41\x20\x43\x49\x46\x20\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x13\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x47\x6C\x6F\x62\x61\x6C\x20\x43\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x20\x52\x6F\x6F\x74\x30\x82\x01\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0D\x00\x30\x82\x01\x08\x02\x82\x01\x01\x00\xA2\x70\xA2\xD0\x9F\x42\xAE\x5B\x17\xC7\xD8\x7D\xCF\x14\x83\xFC\x4F\xC9\xA1\xB7\x13\xAF\x8A\xD7\x9E\x3E\x04\x0A\x92\x8B\x60\x56\xFA\xB4\x32\x2F\x88\x4D\xA1\x60\x08\xF4\xB7\x09\x4E\xA0\x49\x2F\x49\xD6\xD3\xDF\x9D\x97\x5A\x9F\x94\x04\x70\xEC\x3F\x59\xD9\xB7\xCC\x66\x8B\x98\x52\x28\x09\x02\xDF\xC5\x2F\x84\x8D\x7A\x97\x77\xBF\xEC\x40\x9D\x25\x72\xAB\xB5\x3F\x32\x98\xFB\xB7\xB7\xFC\x72\x84\xE5\x35\x87\xF9\x55\xFA\xA3\x1F\x0E\x6F\x2E\x28\xDD\x69\xA0\xD9\x42\x10\xC6\xF8\xB5\x44\xC2\xD0\x43\x7F\xDB\xBC\xE4\xA2\x3C\x6A\x55\x78\x0A\x77\xA9\xD8\xEA\x19\x32\xB7\x2F\xFE\x5C\x3F\x1B\xEE\xB1\x98\xEC\xCA\xA
D\x7A\x69\x45\xE3\x96\x0F\x55\xF6\xE6\xED\x75\xEA\x65\xE8\x32\x56\x93\x46\x89\xA8\x25\x8A\x65\x06\xEE\x6B\xBF\x79\x07\xD0\xF1\xB7\xAF\xED\x2C\x4D\x92\xBB\xC0\xA8\x5F\xA7\x67\x7D\x04\xF2\x15\x08\x70\xAC\x92\xD6\x7D\x04\xD2\x33\xFB\x4C\xB6\x0B\x0B\xFB\x1A\xC9\xC4\x8D\x03\xA9\x7E\x5C\xF2\x50\xAB\x12\xA5\xA1\xCF\x48\x50\xA5\xEF\xD2\xC8\x1A\x13\xFA\xB0\x7F\xB1\x82\x1C\x77\x6A\x0F\x5F\xDC\x0B\x95\x8F\xEF\x43\x7E\xE6\x45\x09\x25\x02\x01\x03\xA3\x82\x01\x50\x30\x82\x01\x4C\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x0C\x30\x3F\x06\x03\x55\x1D\x1F\x04\x38\x30\x36\x30\x34\xA0\x32\xA0\x30\x86\x2E\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x2F\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x72\x6F\x6F\x74\x2E\x63\x72\x6C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x43\x9C\x36\x9F\xB0\x9E\x30\x4D\xC6\xCE\x5F\xAD\x10\xAB\xE5\x03\xA5\xFA\xA9\x14\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x2A\x06\x03\x55\x1D\x11\x04\x23\x30\x21\x81\x1F\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x72\x6F\x6F\x74\x40\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x30\x2A\x06\x03\x55\x1D\x12\x04\x23\x30\x21\x81\x1F\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x72\x6F\x6F\x74\x40\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x30\x5B\x06\x03\x55\x1D\x20\x04\x54\x30\x52\x30\x50\x06\x0B\x2B\x06\x01\x04\x01\x81\x87\x2E\x0A\x01\x01\x30\x41\x30\x3F\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x33\x68\x74\x74\x70\x3A\x2F\x2F\x63\x70\x73\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x2F\x63\x70\x73\x2F\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x72\x6F\x6F\x74\x2E\x68\x74\x6D\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3C\x3B\x70\x91\xF9\x04\x54\x27\x91\xE1\xED\xED\xFE\x68\x7F\x61\x5D\xE5\x41\x65\x4F\x32\xF1\x18\x05\x94\x6A\x1C\xDE\x1F\x7
0\xDB\x3E\x7B\x32\x02\x34\xB5\x0C\x6C\xA1\x8A\x7C\xA5\xF4\x8F\xFF\xD4\xD8\xAD\x17\xD5\x2D\x04\xD1\x3F\x58\x80\xE2\x81\x59\x88\xBE\xC0\xE3\x46\x93\x24\xFE\x90\xBD\x26\xA2\x30\x2D\xE8\x97\x26\x57\x35\x89\x74\x96\x18\xF6\x15\xE2\xAF\x24\x19\x56\x02\x02\xB2\xBA\x0F\x14\xEA\xC6\x8A\x66\xC1\x86\x45\x55\x8B\xBE\x92\xBE\x9C\xA4\x04\xC7\x49\x3C\x9E\xE8\x29\x7A\x89\xD7\xFE\xAF\xFF\x68\xF5\xA5\x17\x90\xBD\xAC\x99\xCC\xA5\x86\x57\x09\x67\x46\xDB\xD6\x16\xC2\x46\xF1\xE4\xA9\x50\xF5\x8F\xD1\x92\x15\xD3\x5F\x3E\xC6\x00\x49\x3A\x6E\x58\xB2\xD1\xD1\x27\x0D\x25\xC8\x32\xF8\x20\x11\xCD\x7D\x32\x33\x48\x94\x54\x4C\xDD\xDC\x79\xC4\x30\x9F\xEB\x8E\xB8\x55\xB5\xD7\x88\x5C\xC5\x6A\x24\x3D\xB2\xD3\x05\x03\x51\xC6\x07\xEF\xCC\x14\x72\x74\x3D\x6E\x72\xCE\x18\x28\x8C\x4A\xA0\x77\xE5\x09\x2B\x45\x44\x47\xAC\xB7\x67\x7F\x01\x8A\x05\x5A\x93\xBE\xA1\xC1\xFF\xF8\xE7\x0E\x67\xA4\x47\x49\x76\x5D\x75\x90\x1A\xF5\x26\x8F\xF0", ["CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US"] = 
"\x30\x82\x04\x30\x30\x82\x03\x18\xA0\x03\x02\x01\x02\x02\x10\x50\x94\x6C\xEC\x18\xEA\xD5\x9C\x4D\xD5\x97\xEF\x75\x8F\xA0\xAD\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1E\x30\x1C\x06\x03\x55\x04\x0B\x13\x15\x77\x77\x77\x2E\x78\x72\x61\x6D\x70\x73\x65\x63\x75\x72\x69\x74\x79\x2E\x63\x6F\x6D\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x58\x52\x61\x6D\x70\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x49\x6E\x63\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x58\x52\x61\x6D\x70\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x34\x31\x31\x30\x31\x31\x37\x31\x34\x30\x34\x5A\x17\x0D\x33\x35\x30\x31\x30\x31\x30\x35\x33\x37\x31\x39\x5A\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1E\x30\x1C\x06\x03\x55\x04\x0B\x13\x15\x77\x77\x77\x2E\x78\x72\x61\x6D\x70\x73\x65\x63\x75\x72\x69\x74\x79\x2E\x63\x6F\x6D\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x58\x52\x61\x6D\x70\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x49\x6E\x63\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x58\x52\x61\x6D\x70\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x98\x24\x1E\xBD\x15\xB4\xBA\xDF\xC7\x8C\xA5\x27\xB6\x38\x0B\x69\xF3\xB6\x4E\xA8\x2C\x2E\x21\x1D\x5C\x44\xDF\x21\x5D\x7E\x23\x74\xFE\x5E\x7E\xB4\x4A\xB7\xA6\xAD\x1F\xAE\xE0\x06\x16\xE2\x9B\x5B\xD9\x67\x74\x6B\x5D\x80\x8F\x29\x9D\x86\x1B\xD9\x9C\x0D\x98\x6D\x76\x10\x28\x58\xE4\x65\xB0\x7F\x4A\x98\x79\x9F\xE0\xC3\x31\x7E\x80\x2B\xB5\x8C\xC0\x40\x3B\x11\x86\xD0\xCB\xA2\x86\x36\x60\xA4\xD5\x30\x82\x6D\xD9\x6E\xD0\x0F\x12\x04\x33\x97\x5F\x4F\x61\x5A\xF0\xE4\xF9\x91\xAB\xE7\x1D\x3B\xBC\xE8\xC
F\xF4\x6B\x2D\x34\x7C\xE2\x48\x61\x1C\x8E\xF3\x61\x44\xCC\x6F\xA0\x4A\xA9\x94\xB0\x4D\xDA\xE7\xA9\x34\x7A\x72\x38\xA8\x41\xCC\x3C\x94\x11\x7D\xEB\xC8\xA6\x8C\xB7\x86\xCB\xCA\x33\x3B\xD9\x3D\x37\x8B\xFB\x7A\x3E\x86\x2C\xE7\x73\xD7\x0A\x57\xAC\x64\x9B\x19\xEB\xF4\x0F\x04\x08\x8A\xAC\x03\x17\x19\x64\xF4\x5A\x25\x22\x8D\x34\x2C\xB2\xF6\x68\x1D\x12\x6D\xD3\x8A\x1E\x14\xDA\xC4\x8F\xA6\xE2\x23\x85\xD5\x7A\x0D\xBD\x6A\xE0\xE9\xEC\xEC\x17\xBB\x42\x1B\x67\xAA\x25\xED\x45\x83\x21\xFC\xC1\xC9\x7C\xD5\x62\x3E\xFA\xF2\xC5\x2D\xD3\xFD\xD4\x65\x02\x03\x01\x00\x01\xA3\x81\x9F\x30\x81\x9C\x30\x13\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x14\x02\x04\x06\x1E\x04\x00\x43\x00\x41\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC6\x4F\xA2\x3D\x06\x63\x84\x09\x9C\xCE\x62\xE4\x04\xAC\x8D\x5C\xB5\xE9\xB6\x1B\x30\x36\x06\x03\x55\x1D\x1F\x04\x2F\x30\x2D\x30\x2B\xA0\x29\xA0\x27\x86\x25\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x78\x72\x61\x6D\x70\x73\x65\x63\x75\x72\x69\x74\x79\x2E\x63\x6F\x6D\x2F\x58\x47\x43\x41\x2E\x63\x72\x6C\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x91\x15\x39\x03\x01\x1B\x67\xFB\x4A\x1C\xF9\x0A\x60\x5B\xA1\xDA\x4D\x97\x62\xF9\x24\x53\x27\xD7\x82\x64\x4E\x90\x2E\xC3\x49\x1B\x2B\x9A\xDC\xFC\xA8\x78\x67\x35\xF1\x1D\xF0\x11\xBD\xB7\x48\xE3\x10\xF6\x0D\xDF\x3F\xD2\xC9\xB6\xAA\x55\xA4\x48\xBA\x02\xDB\xDE\x59\x2E\x15\x5B\x3B\x9D\x16\x7D\x47\xD7\x37\xEA\x5F\x4D\x76\x12\x36\xBB\x1F\xD7\xA1\x81\x04\x46\x20\xA3\x2C\x6D\xA9\x9E\x01\x7E\x3F\x29\xCE\x00\x93\xDF\xFD\xC9\x92\x73\x89\x89\x64\x9E\xE7\x2B\xE4\x1C\x91\x2C\xD2\xB9\xCE\x7D\xCE\x6F\x31\x99\xD3\xE6\xBE\xD2\x1E\x90\xF0\x09\x14\x79\x5C\x23\xAB\x4D\xD2\xDA\x21\x1F\x4D\x99\x79\x9D\xE1\xCF\x27\x9F\x10\x9B\x1C\x88\x0D\xB0\x8A\x64\x41\x31\xB8\x0E\x6C\x90\x24\xA4\x9B\x5C\x71\x8F\xBA\xBB\x7E\x1C\x1B\xDB\x6A\x80\x0F\x2
1\xBC\xE9\xDB\xA6\xB7\x40\xF4\xB2\x8B\xA9\xB1\xE4\xEF\x9A\x1A\xD0\x3D\x69\x99\xEE\xA8\x28\xA3\xE1\x3C\xB3\xF0\xB2\x11\x9C\xCF\x7C\x40\xE6\xDD\xE7\x43\x7D\xA2\xD8\x3A\xB5\xA9\x8D\xF2\x34\x99\xC4\xD4\x10\xE1\x06\xFD\x09\x84\x10\x3B\xEE\xC4\x4C\xF4\xEC\x27\x7C\x42\xC2\x74\x7C\x82\x8A\x09\xC9\xB4\x03\x25\xBC", ["OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US"] = "\x30\x82\x04\x00\x30\x82\x02\xE8\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x54\x68\x65\x20\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x47\x72\x6F\x75\x70\x2C\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x0B\x13\x28\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x34\x30\x36\x32\x39\x31\x37\x30\x36\x32\x30\x5A\x17\x0D\x33\x34\x30\x36\x32\x39\x31\x37\x30\x36\x32\x30\x5A\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x54\x68\x65\x20\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x47\x72\x6F\x75\x70\x2C\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x0B\x13\x28\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0D\x00\x30\x82\x01\x08\x02\x82\x01\x01\x00\xDE\x9D\xD7\xEA\x57\x18\x49\xA1\x5B\xEB\xD7\x5F\x48\x86\xEA\xBE\xDD\xFF\xE4\xEF\x67\x1C\xF4\x65\x68\xB3\x57\x71\xA0\x5E\x77\xBB\xED\x9B\x49\xE9\x70\x80\x3D\x56\x18\x63\x08\x6F\xDA\xF2\xCC\xD0\x3F\x7F\x02\x54\x22\x54\x10\xD8\xB2\x81\xD4\xC0\x75\x3D\x4B\x7F\xC7\x77\xC3\x3E\x78\xAB\x1A\x03\xB5\x20\x6B\x2F\x6A\x2B\xB1\xC5\x88\x7E\xC4\xBB\x1E\xB0\xC1\xD8\x45\x27\x6F\xAA\x37\x58\xF7\x87\x26\xD7\xD8\x2D\xF6\xA9\x17\xB7
\x1F\x72\x36\x4E\xA6\x17\x3F\x65\x98\x92\xDB\x2A\x6E\x5D\xA2\xFE\x88\xE0\x0B\xDE\x7F\xE5\x8D\x15\xE1\xEB\xCB\x3A\xD5\xE2\x12\xA2\x13\x2D\xD8\x8E\xAF\x5F\x12\x3D\xA0\x08\x05\x08\xB6\x5C\xA5\x65\x38\x04\x45\x99\x1E\xA3\x60\x60\x74\xC5\x41\xA5\x72\x62\x1B\x62\xC5\x1F\x6F\x5F\x1A\x42\xBE\x02\x51\x65\xA8\xAE\x23\x18\x6A\xFC\x78\x03\xA9\x4D\x7F\x80\xC3\xFA\xAB\x5A\xFC\xA1\x40\xA4\xCA\x19\x16\xFE\xB2\xC8\xEF\x5E\x73\x0D\xEE\x77\xBD\x9A\xF6\x79\x98\xBC\xB1\x07\x67\xA2\x15\x0D\xDD\xA0\x58\xC6\x44\x7B\x0A\x3E\x62\x28\x5F\xBA\x41\x07\x53\x58\xCF\x11\x7E\x38\x74\xC5\xF8\xFF\xB5\x69\x90\x8F\x84\x74\xEA\x97\x1B\xAF\x02\x01\x03\xA3\x81\xC0\x30\x81\xBD\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xD2\xC4\xB0\xD2\x91\xD4\x4C\x11\x71\xB3\x61\xCB\x3D\xA1\xFE\xDD\xA8\x6A\xD4\xE3\x30\x81\x8D\x06\x03\x55\x1D\x23\x04\x81\x85\x30\x81\x82\x80\x14\xD2\xC4\xB0\xD2\x91\xD4\x4C\x11\x71\xB3\x61\xCB\x3D\xA1\xFE\xDD\xA8\x6A\xD4\xE3\xA1\x67\xA4\x65\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x54\x68\x65\x20\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x47\x72\x6F\x75\x70\x2C\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x0B\x13\x28\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x82\x01\x00\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x32\x4B\xF3\xB2\xCA\x3E\x91\xFC\x12\xC6\xA1\x07\x8C\x8E\x77\xA0\x33\x06\x14\x5C\x90\x1E\x18\xF7\x08\xA6\x3D\x0A\x19\xF9\x87\x80\x11\x6E\x69\xE4\x96\x17\x30\xFF\x34\x91\x63\x72\x38\xEE\xCC\x1C\x01\xA3\x1D\x94\x28\xA4\x31\xF6\x7A\xC4\x54\xD7\xF6\xE5\x31\x58\x03\xA2\xCC\xCE\x62\xDB\x94\x45\x73\xB5\xBF\x45\xC9\x24\xB5\xD5\x82\x02\xAD\x23\x79\x69\x8D\xB8\xB6\x4D\xCE\xCF\x4C\xCA\x33\x23\xE8\x1C\x88\xAA\x9D\x8B\x41\x6E\x16\xC9\x20\xE5\x89\x9E\xCD\x3B\xDA\x70\xF7\x7E\x99\x26\x20\x14\x54\x25\xAB\x6E\x73\x85\xE6\x9B\x21\x9D
\x0A\x6C\x82\x0E\xA8\xF8\xC2\x0C\xFA\x10\x1E\x6C\x96\xEF\x87\x0D\xC4\x0F\x61\x8B\xAD\xEE\x83\x2B\x95\xF8\x8E\x92\x84\x72\x39\xEB\x20\xEA\x83\xED\x83\xCD\x97\x6E\x08\xBC\xEB\x4E\x26\xB6\x73\x2B\xE4\xD3\xF6\x4C\xFE\x26\x71\xE2\x61\x11\x74\x4A\xFF\x57\x1A\x87\x0F\x75\x48\x2E\xCF\x51\x69\x17\xA0\x02\x12\x61\x95\xD5\xD1\x40\xB2\x10\x4C\xEE\xC4\xAC\x10\x43\xA6\xA5\x9E\x0A\xD5\x95\x62\x9A\x0D\xCF\x88\x82\xC5\x32\x0C\xE4\x2B\x9F\x45\xE6\x0D\x9F\x28\x9C\xB1\xB9\x2A\x5A\x57\xAD\x37\x0F\xAF\x1D\x7F\xDB\xBD\x9F", ["OU=Starfield Class 2 Certification Authority,O=Starfield Technologies\, Inc.,C=US"] = "\x30\x82\x04\x0F\x30\x82\x02\xF7\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x32\x30\x30\x06\x03\x55\x04\x0B\x13\x29\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x34\x30\x36\x32\x39\x31\x37\x33\x39\x31\x36\x5A\x17\x0D\x33\x34\x30\x36\x32\x39\x31\x37\x33\x39\x31\x36\x5A\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x32\x30\x30\x06\x03\x55\x04\x0B\x13\x29\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0D\x00\x30\x82\x01\x08\x02\x82\x01\x01\x00\xB7\x32\xC8\xFE\xE9\x71\xA6\x04\x85\xAD\x0C\x11\x64\xDF\xCE\x4D\xEF\xC8\x03\x18\x87\x3F\xA1\xAB\xFB\x3C\xA6\x9F\xF0\xC3\xA1\xDA\xD4\xD8\x6E\x2B\x53\x90\xFB\x24\xA4\x3E\x84
\xF0\x9E\xE8\x5F\xEC\xE5\x27\x44\xF5\x28\xA6\x3F\x7B\xDE\xE0\x2A\xF0\xC8\xAF\x53\x2F\x9E\xCA\x05\x01\x93\x1E\x8F\x66\x1C\x39\xA7\x4D\xFA\x5A\xB6\x73\x04\x25\x66\xEB\x77\x7F\xE7\x59\xC6\x4A\x99\x25\x14\x54\xEB\x26\xC7\xF3\x7F\x19\xD5\x30\x70\x8F\xAF\xB0\x46\x2A\xFF\xAD\xEB\x29\xED\xD7\x9F\xAA\x04\x87\xA3\xD4\xF9\x89\xA5\x34\x5F\xDB\x43\x91\x82\x36\xD9\x66\x3C\xB1\xB8\xB9\x82\xFD\x9C\x3A\x3E\x10\xC8\x3B\xEF\x06\x65\x66\x7A\x9B\x19\x18\x3D\xFF\x71\x51\x3C\x30\x2E\x5F\xBE\x3D\x77\x73\xB2\x5D\x06\x6C\xC3\x23\x56\x9A\x2B\x85\x26\x92\x1C\xA7\x02\xB3\xE4\x3F\x0D\xAF\x08\x79\x82\xB8\x36\x3D\xEA\x9C\xD3\x35\xB3\xBC\x69\xCA\xF5\xCC\x9D\xE8\xFD\x64\x8D\x17\x80\x33\x6E\x5E\x4A\x5D\x99\xC9\x1E\x87\xB4\x9D\x1A\xC0\xD5\x6E\x13\x35\x23\x5E\xDF\x9B\x5F\x3D\xEF\xD6\xF7\x76\xC2\xEA\x3E\xBB\x78\x0D\x1C\x42\x67\x6B\x04\xD8\xF8\xD6\xDA\x6F\x8B\xF2\x44\xA0\x01\xAB\x02\x01\x03\xA3\x81\xC5\x30\x81\xC2\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xBF\x5F\xB7\xD1\xCE\xDD\x1F\x86\xF4\x5B\x55\xAC\xDC\xD7\x10\xC2\x0E\xA9\x88\xE7\x30\x81\x92\x06\x03\x55\x1D\x23\x04\x81\x8A\x30\x81\x87\x80\x14\xBF\x5F\xB7\xD1\xCE\xDD\x1F\x86\xF4\x5B\x55\xAC\xDC\xD7\x10\xC2\x0E\xA9\x88\xE7\xA1\x6C\xA4\x6A\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x32\x30\x30\x06\x03\x55\x04\x0B\x13\x29\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x82\x01\x00\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x05\x9D\x3F\x88\x9D\xD1\xC9\x1A\x55\xA1\xAC\x69\xF3\xF3\x59\xDA\x9B\x01\x87\x1A\x4F\x57\xA9\xA1\x79\x09\x2A\xDB\xF7\x2F\xB2\x1E\xCC\xC7\x5E\x6A\xD8\x83\x87\xA1\x97\xEF\x49\x35\x3E\x77\x06\x41\x58\x62\xBF\x8E\x58\xB8\x0A\x67\x3F\xEC\xB3\xDD\x21\x66\x1F\xC9
\x54\xFA\x72\xCC\x3D\x4C\x40\xD8\x81\xAF\x77\x9E\x83\x7A\xBB\xA2\xC7\xF5\x34\x17\x8E\xD9\x11\x40\xF4\xFC\x2C\x2A\x4D\x15\x7F\xA7\x62\x5D\x2E\x25\xD3\x00\x0B\x20\x1A\x1D\x68\xF9\x17\xB8\xF4\xBD\x8B\xED\x28\x59\xDD\x4D\x16\x8B\x17\x83\xC8\xB2\x65\xC7\x2D\x7A\xA5\xAA\xBC\x53\x86\x6D\xDD\x57\xA4\xCA\xF8\x20\x41\x0B\x68\xF0\xF4\xFB\x74\xBE\x56\x5D\x7A\x79\xF5\xF9\x1D\x85\xE3\x2D\x95\xBE\xF5\x71\x90\x43\xCC\x8D\x1F\x9A\x00\x0A\x87\x29\xE9\x55\x22\x58\x00\x23\xEA\xE3\x12\x43\x29\x5B\x47\x08\xDD\x8C\x41\x6A\x65\x06\xA8\xE5\x21\xAA\x41\xB4\x95\x21\x95\xB9\x7D\xD1\x34\xAB\x13\xD6\xAD\xBC\xDC\xE2\x3D\x39\xCD\xBD\x3E\x75\x70\xA1\x18\x59\x03\xC9\x22\xB4\x8F\x9C\xD5\x5E\x2A\xD7\xA5\xB6\xD4\x0A\x6D\xF8\xB7\x40\x11\x46\x9A\x1F\x79\x0E\x62\xBF\x0F\x97\xEC\xE0\x2F\x1F\x17\x94", - ["CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL"] = "\x30\x82\x07\xC9\x30\x82\x05\xB1\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x4C\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x4C\x74\x64\x2E\x31\x2B\x30\x29\x06\x03\x55\x04\x0B\x13\x22\x53\x65\x63\x75\x72\x65\x20\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x69\x67\x6E\x69\x6E\x67\x31\x29\x30\x27\x06\x03\x55\x04\x03\x13\x20\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x30\x39\x31\x37\x31\x39\x34\x36\x33\x36\x5A\x17\x0D\x33\x36\x30\x39\x31\x37\x31\x39\x34\x36\x33\x36\x5A\x30\x7D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x4C\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x4C\x74\x64\x2E\x31\x2B\x30\x29\x06\x03\x55\x04\x0B\x13\x22\x53\x65\x63\x75\x72\x65\x20\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x69\x67\x6E\x69\x6E\x67\x31\x29\x30\x27\x06\x03\x55\
x04\x03\x13\x20\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC1\x88\xDB\x09\xBC\x6C\x46\x7C\x78\x9F\x95\x7B\xB5\x33\x90\xF2\x72\x62\xD6\xC1\x36\x20\x22\x24\x5E\xCE\xE9\x77\xF2\x43\x0A\xA2\x06\x64\xA4\xCC\x8E\x36\xF8\x38\xE6\x23\xF0\x6E\x6D\xB1\x3C\xDD\x72\xA3\x85\x1C\xA1\xD3\x3D\xB4\x33\x2B\xD3\x2F\xAF\xFE\xEA\xB0\x41\x59\x67\xB6\xC4\x06\x7D\x0A\x9E\x74\x85\xD6\x79\x4C\x80\x37\x7A\xDF\x39\x05\x52\x59\xF7\xF4\x1B\x46\x43\xA4\xD2\x85\x85\xD2\xC3\x71\xF3\x75\x62\x34\xBA\x2C\x8A\x7F\x1E\x8F\xEE\xED\x34\xD0\x11\xC7\x96\xCD\x52\x3D\xBA\x33\xD6\xDD\x4D\xDE\x0B\x3B\x4A\x4B\x9F\xC2\x26\x2F\xFA\xB5\x16\x1C\x72\x35\x77\xCA\x3C\x5D\xE6\xCA\xE1\x26\x8B\x1A\x36\x76\x5C\x01\xDB\x74\x14\x25\xFE\xED\xB5\xA0\x88\x0F\xDD\x78\xCA\x2D\x1F\x07\x97\x30\x01\x2D\x72\x79\xFA\x46\xD6\x13\x2A\xA8\xB9\xA6\xAB\x83\x49\x1D\xE5\xF2\xEF\xDD\xE4\x01\x8E\x18\x0A\x8F\x63\x53\x16\x85\x62\xA9\x0E\x19\x3A\xCC\xB5\x66\xA6\xC2\x6B\x74\x07\xE4\x2B\xE1\x76\x3E\xB4\x6D\xD8\xF6\x44\xE1\x73\x62\x1F\x3B\xC4\xBE\xA0\x53\x56\x25\x6C\x51\x09\xF7\xAA\xAB\xCA\xBF\x76\xFD\x6D\x9B\xF3\x9D\xDB\xBF\x3D\x66\xBC\x0C\x56\xAA\xAF\x98\x48\x95\x3A\x4B\xDF\xA7\x58\x50\xD9\x38\x75\xA9\x5B\xEA\x43\x0C\x02\xFF\x99\xEB\xE8\x6C\x4D\x70\x5B\x29\x65\x9C\xDD\xAA\x5D\xCC\xAF\x01\x31\xEC\x0C\xEB\xD2\x8D\xE8\xEA\x9C\x7B\xE6\x6E\xF7\x27\x66\x0C\x1A\x48\xD7\x6E\x42\xE3\x3F\xDE\x21\x3E\x7B\xE1\x0D\x70\xFB\x63\xAA\xA8\x6C\x1A\x54\xB4\x5C\x25\x7A\xC9\xA2\xC9\x8B\x16\xA6\xBB\x2C\x7E\x17\x5E\x05\x4D\x58\x6E\x12\x1D\x01\xEE\x12\x10\x0D\xC6\x32\x7F\x18\xFF\xFC\xF4\xFA\xCD\x6E\x91\xE8\x36\x49\xBE\x1A\x48\x69\x8B\xC2\x96\x4D\x1A\x12\xB2\x69\x17\xC1\x0A\x90\xD6\xFA\x79\x22\x48\xBF\xBA\x7B\x69\xF8\x70\xC7\xFA\x7A\x37\xD8\xD8\x0D\xD2\x76\x4F\x57\xFF\x90\xB7\xE3\x91\xD2\xDD\xEF\xC2\x60\xB7\x67\x3A\xDD\xFE\xAA\x9C\xF0\xD4\x8B\x7F\x72\x22\xCE\
xC6\x9F\x97\xB6\xF8\xAF\x8A\xA0\x10\xA8\xD9\xFB\x18\xC6\xB6\xB5\x5C\x52\x3C\x89\xB6\x19\x2A\x73\x01\x0A\x0F\x03\xB3\x12\x60\xF2\x7A\x2F\x81\xDB\xA3\x6E\xFF\x26\x30\x97\xF5\x8B\xDD\x89\x57\xB6\xAD\x3D\xB3\xAF\x2B\xC5\xB7\x76\x02\xF0\xA5\xD6\x2B\x9A\x86\x14\x2A\x72\xF6\xE3\x33\x8C\x5D\x09\x4B\x13\xDF\xBB\x8C\x74\x13\x52\x4B\x02\x03\x01\x00\x01\xA3\x82\x02\x52\x30\x82\x02\x4E\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\xAE\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x4E\x0B\xEF\x1A\xA4\x40\x5B\xA5\x17\x69\x87\x30\xCA\x34\x68\x43\xD0\x41\xAE\xF2\x30\x64\x06\x03\x55\x1D\x1F\x04\x5D\x30\x5B\x30\x2C\xA0\x2A\xA0\x28\x86\x26\x68\x74\x74\x70\x3A\x2F\x2F\x63\x65\x72\x74\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x73\x66\x73\x63\x61\x2D\x63\x72\x6C\x2E\x63\x72\x6C\x30\x2B\xA0\x29\xA0\x27\x86\x25\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x73\x66\x73\x63\x61\x2D\x63\x72\x6C\x2E\x63\x72\x6C\x30\x82\x01\x5D\x06\x03\x55\x1D\x20\x04\x82\x01\x54\x30\x82\x01\x50\x30\x82\x01\x4C\x06\x0B\x2B\x06\x01\x04\x01\x81\xB5\x37\x01\x01\x01\x30\x82\x01\x3B\x30\x2F\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x23\x68\x74\x74\x70\x3A\x2F\x2F\x63\x65\x72\x74\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x70\x6F\x6C\x69\x63\x79\x2E\x70\x64\x66\x30\x35\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x29\x68\x74\x74\x70\x3A\x2F\x2F\x63\x65\x72\x74\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x69\x6E\x74\x65\x72\x6D\x65\x64\x69\x61\x74\x65\x2E\x70\x64\x66\x30\x81\xD0\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x81\xC3\x30\x27\x16\x20\x53\x74\x61\x72\x74\x20\x43\x6F\x6D\x6D\x65\x72\x63\x69\x61\x6C\x20\x28\x53\x74\x61\x72\x74\x43\x6F\x6D\x29\x20\x4C\x74\x64\x2E\x30\x03\x02\x01\x01\x1A\x81\x97\x4C\x69\x6D\x69\x74\x65\x64\x20\x4C\x69\x61\x62\x69\x6C\x69\x74\x79\x2C\x20\x72\x65\x61\x64\x20\x74\x68\x65\x20\x73\x65\x63\x74\x69\x6F\x6E\x20\x2A\x4C\x65\x67\x61\x6C\x20\x4C\
x69\x6D\x69\x74\x61\x74\x69\x6F\x6E\x73\x2A\x20\x6F\x66\x20\x74\x68\x65\x20\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x50\x6F\x6C\x69\x63\x79\x20\x61\x76\x61\x69\x6C\x61\x62\x6C\x65\x20\x61\x74\x20\x68\x74\x74\x70\x3A\x2F\x2F\x63\x65\x72\x74\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x70\x6F\x6C\x69\x63\x79\x2E\x70\x64\x66\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x38\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x0D\x04\x2B\x16\x29\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x46\x72\x65\x65\x20\x53\x53\x4C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x16\x6C\x99\xF4\x66\x0C\x34\xF5\xD0\x85\x5E\x7D\x0A\xEC\xDA\x10\x4E\x38\x1C\x5E\xDF\xA6\x25\x05\x4B\x91\x32\xC1\xE8\x3B\xF1\x3D\xDD\x44\x09\x5B\x07\x49\x8A\x29\xCB\x66\x02\xB7\xB1\x9A\xF7\x25\x98\x09\x3C\x8E\x1B\xE1\xDD\x36\x87\x2B\x4B\xBB\x68\xD3\x39\x66\x3D\xA0\x26\xC7\xF2\x39\x91\x1D\x51\xAB\x82\x7B\x7E\xD5\xCE\x5A\xE4\xE2\x03\x57\x70\x69\x97\x08\xF9\x5E\x58\xA6\x0A\xDF\x8C\x06\x9A\x45\x16\x16\x38\x0A\x5E\x57\xF6\x62\xC7\x7A\x02\x05\xE6\xBC\x1E\xB5\xF2\x9E\xF4\xA9\x29\x83\xF8\xB2\x14\xE3\x6E\x28\x87\x44\xC3\x90\x1A\xDE\x38\xA9\x3C\xAC\x43\x4D\x64\x45\xCE\xDD\x28\xA9\x5C\xF2\x73\x7B\x04\xF8\x17\xE8\xAB\xB1\xF3\x2E\x5C\x64\x6E\x73\x31\x3A\x12\xB8\xBC\xB3\x11\xE4\x7D\x8F\x81\x51\x9A\x3B\x8D\x89\xF4\x4D\x93\x66\x7B\x3C\x03\xED\xD3\x9A\x1D\x9A\xF3\x65\x50\xF5\xA0\xD0\x75\x9F\x2F\xAF\xF0\xEA\x82\x43\x98\xF8\x69\x9C\x89\x79\xC4\x43\x8E\x46\x72\xE3\x64\x36\x12\xAF\xF7\x25\x1E\x38\x89\x90\x77\x7E\xC3\x6B\x6A\xB9\xC3\xCB\x44\x4B\xAC\x78\x90\x8B\xE7\xC7\x2C\x1E\x4B\x11\x44\xC8\x34\x52\x27\xCD\x0A\x5D\x9F\x85\xC1\x89\xD5\x1A\x78\xF2\x95\x10\x53\x32\xDD\x80\x84\x66\x75\xD9\xB5\x68\x28\xFB\x61\x2E\xBE\x84\xA8\x38\xC0\x99\x12\x86\xA5\x1E\x67\x64\xAD\x06\x2E\x2F\xA9\x70\x85\xC7\
x96\x0F\x7C\x89\x65\xF5\x8E\x43\x54\x0E\xAB\xDD\xA5\x80\x39\x94\x60\xC0\x34\xC9\x96\x70\x2C\xA3\x12\xF5\x1F\x48\x7B\xBD\x1C\x7E\x6B\xB7\x9D\x90\xF4\x22\x3B\xAE\xF8\xFC\x2A\xCA\xFA\x82\x52\xA0\xEF\xAF\x4B\x55\x93\xEB\xC1\xB5\xF0\x22\x8B\xAC\x34\x4E\x26\x22\x04\xA1\x87\x2C\x75\x4A\xB7\xE5\x7D\x13\xD7\xB8\x0C\x64\xC0\x36\xD2\xC9\x2F\x86\x12\x8C\x23\x09\xC1\x1B\x82\x3B\x73\x49\xA3\x6A\x57\x87\x94\xE5\xD6\x78\xC5\x99\x43\x63\xE3\x4D\xE0\x77\x2D\xE1\x65\x99\x72\x69\x04\x1A\x47\x09\xE6\x0F\x01\x56\x24\xFB\x1F\xBF\x0E\x79\xA9\x58\x2E\xB9\xC4\x09\x01\x7E\x95\xBA\x6D\x00\x06\x3E\xB2\xEA\x4A\x10\x39\xD8\xD0\x2B\xF5\xBF\xEC\x75\xBF\x97\x02\xC5\x09\x1B\x08\xDC\x55\x37\xE2\x81\xFB\x37\x84\x43\x62\x20\xCA\xE7\x56\x4B\x65\xEA\xFE\x6C\xC1\x24\x93\x24\xA1\x34\xEB\x05\xFF\x9A\x22\xAE\x9B\x7D\x3F\xF1\x65\x51\x0A\xA6\x30\x6A\xB3\xF4\x88\x1C\x80\x0D\xFC\x72\x8A\xE8\x83\x5E", ["O=Government Root Certification Authority,C=TW"] = "\x30\x82\x05\x72\x30\x82\x03\x5A\xA0\x03\x02\x01\x02\x02\x10\x1F\x9D\x59\x5A\xD7\x2F\xC2\x06\x44\xA5\x80\x08\x69\xE3\x5E\xF6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x30\x30\x2E\x06\x03\x55\x04\x0A\x0C\x27\x47\x6F\x76\x65\x72\x6E\x6D\x65\x6E\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x32\x31\x32\x30\x35\x31\x33\x32\x33\x33\x33\x5A\x17\x0D\x33\x32\x31\x32\x30\x35\x31\x33\x32\x33\x33\x33\x5A\x30\x3F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x30\x30\x2E\x06\x03\x55\x04\x0A\x0C\x27\x47\x6F\x76\x65\x72\x6E\x6D\x65\x6E\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x9A\x25\xB8\xEC\xCC\xA2\x75\xA8\x7B\xF7\xCE\x5B\x59\x8A\xC9\xD1\x86\x12\x08\x54\xEC\x9C\xF2\xE7\x46\xF6\x88\xF3\x7C
\xE9\xA5\xDF\x4C\x47\x36\xA4\x1B\x01\x1C\x7F\x1E\x57\x8A\x8D\xC3\xC5\xD1\x21\xE3\xDA\x24\x3F\x48\x2B\xFB\x9F\x2E\xA1\x94\xE7\x2C\x1C\x93\xD1\xBF\x1B\x01\x87\x53\x99\xCE\xA7\xF5\x0A\x21\x76\x77\xFF\xA9\xB7\xC6\x73\x94\x4F\x46\xF7\x10\x49\x37\xFA\xA8\x59\x49\x5D\x6A\x81\x07\x56\xF2\x8A\xF9\x06\xD0\xF7\x70\x22\x4D\xB4\xB7\x41\xB9\x32\xB8\xB1\xF0\xB1\xC3\x9C\x3F\x70\xFD\x53\xDD\x81\xAA\xD8\x63\x78\xF6\xD8\x53\x6E\xA1\xAC\x6A\x84\x24\x72\x54\x86\xC6\xD2\xB2\xCA\x1C\x0E\x79\x81\xD6\xB5\x70\x62\x08\x01\x2E\x4E\x4F\x0E\xD5\x11\xAF\xA9\xAF\xE5\x9A\xBF\xDC\xCC\x87\x6D\x26\xE4\xC9\x57\xA2\xFB\x96\xF9\xCC\xE1\x3F\x53\x8C\x6C\x4C\x7E\x9B\x53\x08\x0B\x6C\x17\xFB\x67\xC8\xC2\xAD\xB1\xCD\x80\xB4\x97\xDC\x76\x01\x16\x15\xE9\x6A\xD7\xA4\xE1\x78\x47\xCE\x86\xD5\xFB\x31\xF3\xFA\x31\xBE\x34\xAA\x28\xFB\x70\x4C\x1D\x49\xC7\xAF\x2C\x9D\x6D\x66\xA6\xB6\x8D\x64\x7E\xB5\x20\x6A\x9D\x3B\x81\xB6\x8F\x40\x00\x67\x4B\x89\x86\xB8\xCC\x65\xFE\x15\x53\xE9\x04\xC1\xD6\x5F\x1D\x44\xD7\x0A\x2F\x27\x9A\x46\x7D\xA1\x0D\x75\xAD\x54\x86\x15\xDC\x49\x3B\xF1\x96\xCE\x0F\x9B\xA0\xEC\xA3\x7A\x5D\xBE\xD5\x2A\x75\x42\xE5\x7B\xDE\xA5\xB6\xAA\xAF\x28\xAC\xAC\x90\xAC\x38\xB7\xD5\x68\x35\x26\x7A\xDC\xF7\x3B\xF3\xFD\x45\x9B\xD1\xBB\x43\x78\x6E\x6F\xF1\x42\x54\x6A\x98\xF0\x0D\xAD\x97\xE9\x52\x5E\xE9\xD5\x6A\x72\xDE\x6A\xF7\x1B\x60\x14\xF4\xA5\xE4\xB6\x71\x67\xAA\x1F\xEA\xE2\x4D\xC1\x42\x40\xFE\x67\x46\x17\x38\x2F\x47\x3F\x71\x9C\xAE\xE5\x21\xCA\x61\x2D\x6D\x07\xA8\x84\x7C\x2D\xEE\x51\x25\xF1\x63\x90\x9E\xFD\xE1\x57\x88\x6B\xEF\x8A\x23\x6D\xB1\xE6\xBD\x3F\xAD\xD1\x3D\x96\x0B\x85\x8D\xCD\x6B\x27\xBB\xB7\x05\x9B\xEC\xBB\x91\xA9\x0A\x07\x12\x02\x97\x4E\x20\x90\xF0\xFF\x0D\x1E\xE2\x41\x3B\xD3\x40\x3A\xE7\x8D\x5D\xDA\x66\xE4\x02\xB0\x07\x52\x98\x5C\x0E\x8E\x33\x9C\xC2\xA6\x95\xFB\x55\x19\x6E\x4C\x8E\xAE\x4B\x0F\xBD\xC1\x38\x4D\x5E\x8F\x84\x1D\x66\xCD\xC5\x60\x96\xB4\x52\x5A\x05\x89\x8E\x95\x7A\x98\xC1\x91\x3C\x95\x23\xB2\x0E\xF4\x79\xB4\xC9\x7C\xC1\x4A\x21\x02\x03\x01\x00\x01\xA3\x6A\x30\x68\x30\x1D\x06\x03\x55\x1D\x0E\x04
\x16\x04\x14\xCC\xCC\xEF\xCC\x29\x60\xA4\x3B\xB1\x92\xB6\x3C\xFA\x32\x62\x8F\xAC\x25\x15\x3B\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x39\x06\x04\x67\x2A\x07\x00\x04\x31\x30\x2F\x30\x2D\x02\x01\x00\x30\x09\x06\x05\x2B\x0E\x03\x02\x1A\x05\x00\x30\x07\x06\x05\x67\x2A\x03\x00\x00\x04\x14\x03\x9B\xF0\x22\x13\xFF\x95\x28\x36\xD3\xDC\x9E\xC0\x32\xFB\x31\x3A\x8A\x51\x65\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x40\x80\x4A\xFA\x26\xC9\xCE\x5E\x30\xDD\x4F\x86\x74\x76\x58\xF5\xAE\xB3\x83\x33\x78\xA4\x7A\x74\x17\x19\x4E\xE9\x52\xB5\xB9\xE0\x0A\x74\x62\xAA\x68\xCA\x78\xA0\x4C\x9A\x8E\x2C\x23\x2E\xD5\x6A\x12\x24\xBF\xD4\x68\xD3\x8A\xD0\xD8\x9C\x9F\xB4\x1F\x0C\xDE\x38\x7E\x57\x38\xFC\x8D\xE2\x4F\x5E\x0C\x9F\xAB\x3B\xD2\xFF\x75\x97\xCB\xA4\xE3\x67\x08\xFF\xE5\xC0\x16\xB5\x48\x01\x7D\xE9\xF9\x0A\xFF\x1B\xE5\x6A\x69\xBF\x78\x21\xA8\xC2\xA7\x23\xA9\x86\xAB\x76\x56\xE8\x0E\x0C\xF6\x13\xDD\x2A\x66\x8A\x64\x49\x3D\x1A\x18\x87\x90\x04\x9F\x42\x52\xB7\x4F\xCB\xFE\x47\x41\x76\x35\xEF\xFF\x00\x76\x36\x45\x32\x9B\xC6\x46\x85\x5D\xE2\x24\xB0\x1E\xE3\x48\x96\x98\x57\x47\x94\x55\x7A\x0F\x41\xB1\x44\x24\xF3\xC1\xFE\x1A\x6B\xBF\x88\xFD\xC1\xA6\xDA\x93\x60\x5E\x81\x4A\x99\x20\x9C\x48\x66\x19\xB5\x00\x79\x54\x0F\xB8\x2C\x2F\x4B\xBC\xA9\x5D\x5B\x60\x7F\x8C\x87\xA5\xE0\x52\x63\x2A\xBE\xD8\x3B\x85\x40\x15\xFE\x1E\xB6\x65\x3F\xC5\x4B\xDA\x7E\xB5\x7A\x35\x29\xA3\x2E\x7A\x98\x60\x22\xA3\xF4\x7D\x27\x4E\x2D\xEA\xB4\x74\x3C\xE9\x0F\xA4\x33\x0F\x10\x11\xBC\x13\x01\xD6\xE5\x0E\xD3\xBF\xB5\x12\xA2\xE1\x45\x23\xC0\xCC\x08\x6E\x61\xB7\x89\xAB\x83\xE3\x24\x1E\xE6\x5D\x07\xE7\x1F\x20\x3E\xCF\x67\xC8\xE7\xAC\x30\x6D\x27\x4B\x68\x6E\x4B\x2A\x5C\x02\x08\x34\xDB\xF8\x76\xE4\x67\xA3\x26\x9C\x3F\xA2\x32\xC2\x4A\xC5\x81\x18\x31\x10\x56\xAA\x84\xEF\x2D\x0A\xFF\xB8\x1F\x77\xD2\xBF\xA5\x58\xA0\x62\xE4\xD7\x4B\x91\x75\x8D\x89\x80\x98\x7E\x6D\xCB\x53\x4E\x5E\xAF\xF6\xB2\x97\x85\x97\xB9\xDA\x55\x06\xB9\x24\xEE\xD7\xC6\x38\x1E\x63\x1B\x12\x3B\x95\xE1\x58\xAC\xF2\xDF\x84
\xD5\x5F\x99\x2F\x0D\x55\x5B\xE6\x38\xDB\x2E\x3F\x72\xE9\x48\x85\xCB\xBB\x29\x13\x8F\x1E\x38\x55\xB9\xF3\xB2\xC4\x30\x99\x23\x4E\x5D\xF2\x48\xA1\x12\x0C\xDC\x12\x90\x09\x90\x54\x91\x03\x3C\x47\xE5\xD5\xC9\x65\xE0\xB7\x4B\x7D\xEC\x47\xD3\xB3\x0B\x3E\xAD\x9E\xD0\x74\x00\x0E\xEB\xBD\x51\xAD\xC0\xDE\x2C\xC0\xC3\x6A\xFE\xEF\xDC\x0B\xA7\xFA\x46\xDF\x60\xDB\x9C\xA6\x59\x50\x75\x23\x69\x73\x93\xB2\xF9\xFC\x02\xD3\x47\xE6\x71\xCE\x10\x02\xEE\x27\x8C\x84\xFF\xAC\x45\x0D\x13\x5C\x83\x32\xE0\x25\xA5\x86\x2C\x7C\xF4\x12", - ["CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch"] = "\x30\x82\x05\xD9\x30\x82\x03\xC1\xA0\x03\x02\x01\x02\x02\x10\x5C\x0B\x85\x5C\x0B\xE7\x59\x41\xDF\x57\xCC\x3F\x7F\x9D\xA8\x36\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x1E\x17\x0D\x30\x35\x30\x38\x31\x38\x31\x32\x30\x36\x32\x30\x5A\x17\x0D\x32\x35\x30\x38\x31\x38\x32\x32\x30\x36\x32\x30\x5A\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD0\xB9\xB0\xA8\x0C\xD9\xBB\x3F\x21\xF8\x1B\xD5\x33\x93\x80\x16\x65\x20\x75\xB2\x3D\x9B\x60\x6D\x46\xC8\x8C\x31\x6F\x17\xC3\xFA\x9A\x6C\x56\xED\x
3C\xC5\x91\x57\xC3\xCD\xAB\x96\x49\x90\x2A\x19\x4B\x1E\xA3\x6D\x57\xDD\xF1\x2B\x62\x28\x75\x45\x5E\xAA\xD6\x5B\xFA\x0B\x25\xD8\xA1\x16\xF9\x1C\xC4\x2E\xE6\x95\x2A\x67\xCC\xD0\x29\x6E\x3C\x85\x34\x38\x61\x49\xB1\x00\x9F\xD6\x3A\x71\x5F\x4D\x6D\xCE\x5F\xB9\xA9\xE4\x89\x7F\x6A\x52\xFA\xCA\x9B\xF2\xDC\xA9\xF9\x9D\x99\x47\x3F\x4E\x29\x5F\xB4\xA6\x8D\x5D\x7B\x0B\x99\x11\x03\x03\xFE\xE7\xDB\xDB\xA3\xFF\x1D\xA5\xCD\x90\x1E\x01\x1F\x35\xB0\x7F\x00\xDB\x90\x6F\xC6\x7E\x7B\xD1\xEE\x7A\x7A\xA7\xAA\x0C\x57\x6F\xA4\x6D\xC5\x13\x3B\xB0\xA5\xD9\xED\x32\x1C\xB4\x5E\x67\x8B\x54\xDC\x73\x87\xE5\xD3\x17\x7C\x66\x50\x72\x5D\xD4\x1A\x58\xC1\xD9\xCF\xD8\x89\x02\x6F\xA7\x49\xB4\x36\x5D\xD0\xA4\xDE\x07\x2C\xB6\x75\xB7\x28\x91\xD6\x97\xBE\x28\xF5\x98\x1E\xEA\x5B\x26\xC9\xBD\xB0\x97\x73\xDA\xAE\x91\x26\xEB\x68\xC1\xF9\x39\x15\xD6\x67\x4B\x0A\x6D\x4F\xCB\xCF\xB0\xE4\x42\x71\x8C\x53\x79\xE7\xEE\xE1\xDB\x1D\xA0\x6E\x1D\x8C\x1A\x77\x35\x5C\x16\x1E\x2B\x53\x1F\x34\x8B\xD1\x6C\xFC\xF2\x67\x07\x7A\xF5\xAD\xED\xD6\x9A\xAB\xA1\xB1\x4B\xE1\xCC\x37\x5F\xFD\x7F\xCD\x4D\xAE\xB8\x1F\x9C\x43\xF9\x2A\x58\x55\x43\x45\xBC\x96\xCD\x70\x0E\xFC\xC9\xE3\x66\xBA\x4E\x8D\x3B\x81\xCB\x15\x64\x7B\xB9\x94\xE8\x5D\x33\x52\x85\x71\x2E\x4F\x8E\xA2\x06\x11\x51\xC9\xE3\xCB\xA1\x6E\x31\x08\x64\x0C\xC2\xD2\x3C\xF5\x36\xE8\xD7\xD0\x0E\x78\x23\x20\x91\xC9\x24\x2A\x65\x29\x5B\x22\xF7\x21\xCE\x83\x5E\xA4\xF3\xDE\x4B\xD3\x68\x8F\x46\x75\x5C\x83\x09\x6E\x29\x6B\xC4\x70\x8C\xF5\x9D\xD7\x20\x2F\xFF\x46\xD2\x2B\x38\xC2\x2F\x75\x1C\x3D\x7E\xDA\xA5\xEF\x1E\x60\x85\x69\x42\xD3\xCC\xF8\x63\xFE\x1E\x43\x39\x85\xA6\xB6\x63\x41\x10\xB3\x73\x1E\xBC\xD3\xFA\xCA\x7D\x16\x47\xE2\xA7\xD5\xD0\xA3\x8A\x0A\x08\x96\x62\x56\x6E\x34\xDB\xD9\x02\xB9\x30\x75\xE3\x04\xD2\xE7\x8F\xC2\xB0\x11\x40\x0A\xAC\xD5\x71\x02\x62\x8B\x31\xBE\xDD\xC6\x23\x58\x31\x42\x43\x2D\x74\xF9\xC6\x9E\xA6\x8A\x0F\xE9\xFE\xBF\x83\xE6\x43\x57\x24\xBA\xEF\x46\x34\xAA\xD7\x12\x01\x38\xED\x02\x03\x01\x00\x01\xA3\x81\x86\x30\x81\x83\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x
02\x01\x86\x30\x1D\x06\x03\x55\x1D\x21\x04\x16\x30\x14\x30\x12\x06\x07\x60\x85\x74\x01\x53\x00\x01\x06\x07\x60\x85\x74\x01\x53\x00\x01\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x07\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x03\x25\x2F\xDE\x6F\x82\x01\x3A\x5C\x2C\xDC\x2B\xA1\x69\xB5\x67\xD4\x8C\xD3\xFD\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x03\x25\x2F\xDE\x6F\x82\x01\x3A\x5C\x2C\xDC\x2B\xA1\x69\xB5\x67\xD4\x8C\xD3\xFD\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x35\x10\xCB\xEC\xA6\x04\x0D\x0D\x0F\xCD\xC0\xDB\xAB\xA8\xF2\x88\x97\x0C\xDF\x93\x2F\x4D\x7C\x40\x56\x31\x7A\xEB\xA4\x0F\x60\xCD\x7A\xF3\xBE\xC3\x27\x8E\x03\x3E\xA4\xDD\x12\xEF\x7E\x1E\x74\x06\x3C\x3F\x31\xF2\x1C\x7B\x91\x31\x21\xB4\xF0\xD0\x6C\x97\xD4\xE9\x97\xB2\x24\x56\x1E\x56\xC3\x35\xBD\x88\x05\x0F\x5B\x10\x1A\x64\xE1\xC7\x82\x30\xF9\x32\xAD\x9E\x50\x2C\xE7\x78\x05\xD0\x31\xB1\x5A\x98\x8A\x75\x4E\x90\x5C\x6A\x14\x2A\xE0\x52\x47\x82\x60\xE6\x1E\xDA\x81\xB1\xFB\x14\x0B\x5A\xF1\x9F\xD2\x95\xBA\x3E\xD0\x1B\xD6\x15\x1D\xA3\xBE\x86\xD5\xDB\x0F\xC0\x49\x64\xBB\x2E\x50\x19\x4B\xD2\x24\xF8\xDD\x1E\x07\x56\xD0\x38\xA0\x95\x70\x20\x76\x8C\xD7\xDD\x1E\xDE\x9F\x71\xC4\x23\xEF\x83\x13\x5C\xA3\x24\x15\x4D\x29\x40\x3C\x6A\xC4\xA9\xD8\xB7\xA6\x44\xA5\x0D\xF4\xE0\x9D\x77\x1E\x40\x70\x26\xFC\xDA\xD9\x36\xE4\x79\xE4\xB5\x3F\xBC\x9B\x65\xBE\xBB\x11\x96\xCF\xDB\xC6\x28\x39\x3A\x08\xCE\x47\x5B\x53\x5A\xC5\x99\xFE\x5D\xA9\xDD\xEF\x4C\xD4\xC6\xA5\xAD\x02\xE6\x8C\x07\x12\x1E\x6F\x03\xD1\x6F\xA0\xA3\xF3\x29\xBD\x12\xC7\x50\xA2\xB0\x7F\x88\xA9\x99\x77\x9A\xB1\xC0\xA5\x39\x2E\x5C\x7C\x69\xE2\x2C\xB0\xEA\x37\x6A\xA4\xE1\x5A\xE1\xF5\x50\xE5\x83\xEF\xA5\xBB\x2A\x88\xE7\x8C\xDB\xFD\x6D\x5E\x97\x19\xA8\x7E\x66\x75\x6B\x71\xEA\xBF\xB1\xC7\x6F\xA0\xF4\x8E\xA4\xEC\x34\x51\x5B\x8C\x26\x03\x70\xA1\x77\xD5\x01\x12\x57\x00\x35\xDB\x23\xDE\x0E\x8A\x28\x99\xFD\xB1\x10\x6F\x4B\xFF\x38\x2D\x60\x4E\x2C\x9C\xEB\x67\xB5\xAD\x49\xEE\x4B\x1F\xAC\xAF\xFB\x0D\x90\x5A\x66\x
60\x70\x5D\xAA\xCD\x78\xD4\x24\xEE\xC8\x41\xA0\x93\x01\x92\x9C\x6A\x9E\xFC\xB9\x24\xC5\xB3\x15\x82\x7E\xBE\xAE\x95\x2B\xEB\xB1\xC0\xDA\xE3\x01\x60\x0B\x5E\x69\xAC\x84\x56\x61\xBE\x71\x17\xFE\x1D\x13\x0F\xFE\xC6\x87\x45\xE9\xFE\x32\xA0\x1A\x0D\x13\xA4\x94\x55\x71\xA5\x16\x8B\xBA\xCA\x89\xB0\xB2\xC7\xFC\x8F\xD8\x54\xB5\x93\x62\x9D\xCE\xCF\x59\xFB\x3D\x18\xCE\x2A\xCB\x35\x15\x82\x5D\xFF\x54\x22\x5B\x71\x52\xFB\xB7\xC9\xFE\x60\x9B\x00\x41\x64\xF0\xAA\x2A\xEC\xB6\x42\x43\xCE\x89\x66\x81\xC8\x8B\x9F\x39\x54\x03\x25\xD3\x16\x35\x8E\x84\xD0\x5F\xFA\x30\x1A\xF5\x9A\x6C\xF4\x0E\x53\xF9\x3A\x5B\xD1\x1C", ["CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US"] = "\x30\x82\x03\xB7\x30\x82\x02\x9F\xA0\x03\x02\x01\x02\x02\x10\x0C\xE7\xE0\xE5\x17\xD8\x46\xFE\x8F\xE5\x60\xFC\x1B\xF0\x30\x39\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x44\x69\x67\x69\x43\x65\x72\x74\x20\x41\x73\x73\x75\x72\x65\x64\x20\x49\x44\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x30\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x44\x69\x67\x69\x43\x65\x72\x74\x20\x41\x73\x73\x75\x72\x65\x64\x20\x49\x44\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAD\x0E\x15\xCE\xE4\x43\x80\x5C\xB1\x87\xF3\xB7\x60\
xF9\x71\x12\xA5\xAE\xDC\x26\x94\x88\xAA\xF4\xCE\xF5\x20\x39\x28\x58\x60\x0C\xF8\x80\xDA\xA9\x15\x95\x32\x61\x3C\xB5\xB1\x28\x84\x8A\x8A\xDC\x9F\x0A\x0C\x83\x17\x7A\x8F\x90\xAC\x8A\xE7\x79\x53\x5C\x31\x84\x2A\xF6\x0F\x98\x32\x36\x76\xCC\xDE\xDD\x3C\xA8\xA2\xEF\x6A\xFB\x21\xF2\x52\x61\xDF\x9F\x20\xD7\x1F\xE2\xB1\xD9\xFE\x18\x64\xD2\x12\x5B\x5F\xF9\x58\x18\x35\xBC\x47\xCD\xA1\x36\xF9\x6B\x7F\xD4\xB0\x38\x3E\xC1\x1B\xC3\x8C\x33\xD9\xD8\x2F\x18\xFE\x28\x0F\xB3\xA7\x83\xD6\xC3\x6E\x44\xC0\x61\x35\x96\x16\xFE\x59\x9C\x8B\x76\x6D\xD7\xF1\xA2\x4B\x0D\x2B\xFF\x0B\x72\xDA\x9E\x60\xD0\x8E\x90\x35\xC6\x78\x55\x87\x20\xA1\xCF\xE5\x6D\x0A\xC8\x49\x7C\x31\x98\x33\x6C\x22\xE9\x87\xD0\x32\x5A\xA2\xBA\x13\x82\x11\xED\x39\x17\x9D\x99\x3A\x72\xA1\xE6\xFA\xA4\xD9\xD5\x17\x31\x75\xAE\x85\x7D\x22\xAE\x3F\x01\x46\x86\xF6\x28\x79\xC8\xB1\xDA\xE4\x57\x17\xC4\x7E\x1C\x0E\xB0\xB4\x92\xA6\x56\xB3\xBD\xB2\x97\xED\xAA\xA7\xF0\xB7\xC5\xA8\x3F\x95\x16\xD0\xFF\xA1\x96\xEB\x08\x5F\x18\x77\x4F\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x45\xEB\xA2\xAF\xF4\x92\xCB\x82\x31\x2D\x51\x8B\xA7\xA7\x21\x9D\xF3\x6D\xC8\x0F\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x45\xEB\xA2\xAF\xF4\x92\xCB\x82\x31\x2D\x51\x8B\xA7\xA7\x21\x9D\xF3\x6D\xC8\x0F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA2\x0E\xBC\xDF\xE2\xED\xF0\xE3\x72\x73\x7A\x64\x94\xBF\xF7\x72\x66\xD8\x32\xE4\x42\x75\x62\xAE\x87\xEB\xF2\xD5\xD9\xDE\x56\xB3\x9F\xCC\xCE\x14\x28\xB9\x0D\x97\x60\x5C\x12\x4C\x58\xE4\xD3\x3D\x83\x49\x45\x58\x97\x35\x69\x1A\xA8\x47\xEA\x56\xC6\x79\xAB\x12\xD8\x67\x81\x84\xDF\x7F\x09\x3C\x94\xE6\xB8\x26\x2C\x20\xBD\x3D\xB3\x28\x89\xF7\x5F\xFF\x22\xE2\x97\x84\x1F\xE9\x65\xEF\x87\xE0\xDF\xC1\x67\x49\xB3\x5D\xEB\xB2\x09\x2A\xEB\x26\xED\x78\xBE\x7D\x3F\x2B\xF3\xB7\x26\x35\x6D\x5F\x89\x01\xB6\x49\x5B\x9F\x01\x05\x9B\xAB\x3D\
x25\xC1\xCC\xB6\x7F\xC2\xF1\x6F\x86\xC6\xFA\x64\x68\xEB\x81\x2D\x94\xEB\x42\xB7\xFA\x8C\x1E\xDD\x62\xF1\xBE\x50\x67\xB7\x6C\xBD\xF3\xF1\x1F\x6B\x0C\x36\x07\x16\x7F\x37\x7C\xA9\x5B\x6D\x7A\xF1\x12\x46\x60\x83\xD7\x27\x04\xBE\x4B\xCE\x97\xBE\xC3\x67\x2A\x68\x11\xDF\x80\xE7\x0C\x33\x66\xBF\x13\x0D\x14\x6E\xF3\x7F\x1F\x63\x10\x1E\xFA\x8D\x1B\x25\x6D\x6C\x8F\xA5\xB7\x61\x01\xB1\xD2\xA3\x26\xA1\x10\x71\x9D\xAD\xE2\xC3\xF9\xC3\x99\x51\xB7\x2B\x07\x08\xCE\x2E\xE6\x50\xB2\xA7\xFA\x0A\x45\x2F\xA2\xF0\xF2", ["CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US"] = "\x30\x82\x03\xAF\x30\x82\x02\x97\xA0\x03\x02\x01\x02\x02\x10\x08\x3B\xE0\x56\x90\x42\x46\xB1\xA1\x75\x6A\xC9\x59\x91\xC7\x4A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x44\x69\x67\x69\x43\x65\x72\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x44\x69\x67\x69\x43\x65\x72\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE2\x3B\xE1\x11\x72\xDE\xA8\xA4\xD3\xA3\x57\xAA\x50\xA2\x8F\x0B\x77\x90\xC9\xA2\xA5\xEE\x12\xCE\x96\x5B\x01\x09\x20\xCC\x01\x93\xA7\x4E\x30\xB7\x53\xF7\x43\xC4\x69\x00\x57\x9D\xE2\x8D\x22
\xDD\x87\x06\x40\x00\x81\x09\xCE\xCE\x1B\x83\xBF\xDF\xCD\x3B\x71\x46\xE2\xD6\x66\xC7\x05\xB3\x76\x27\x16\x8F\x7B\x9E\x1E\x95\x7D\xEE\xB7\x48\xA3\x08\xDA\xD6\xAF\x7A\x0C\x39\x06\x65\x7F\x4A\x5D\x1F\xBC\x17\xF8\xAB\xBE\xEE\x28\xD7\x74\x7F\x7A\x78\x99\x59\x85\x68\x6E\x5C\x23\x32\x4B\xBF\x4E\xC0\xE8\x5A\x6D\xE3\x70\xBF\x77\x10\xBF\xFC\x01\xF6\x85\xD9\xA8\x44\x10\x58\x32\xA9\x75\x18\xD5\xD1\xA2\xBE\x47\xE2\x27\x6A\xF4\x9A\x33\xF8\x49\x08\x60\x8B\xD4\x5F\xB4\x3A\x84\xBF\xA1\xAA\x4A\x4C\x7D\x3E\xCF\x4F\x5F\x6C\x76\x5E\xA0\x4B\x37\x91\x9E\xDC\x22\xE6\x6D\xCE\x14\x1A\x8E\x6A\xCB\xFE\xCD\xB3\x14\x64\x17\xC7\x5B\x29\x9E\x32\xBF\xF2\xEE\xFA\xD3\x0B\x42\xD4\xAB\xB7\x41\x32\xDA\x0C\xD4\xEF\xF8\x81\xD5\xBB\x8D\x58\x3F\xB5\x1B\xE8\x49\x28\xA2\x70\xDA\x31\x04\xDD\xF7\xB2\x16\xF2\x4C\x0A\x4E\x07\xA8\xED\x4A\x3D\x5E\xB5\x7F\xA3\x90\xC3\xAF\x27\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x03\xDE\x50\x35\x56\xD1\x4C\xBB\x66\xF0\xA3\xE2\x1B\x1B\xC3\x97\xB2\x3D\xD1\x55\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x03\xDE\x50\x35\x56\xD1\x4C\xBB\x66\xF0\xA3\xE2\x1B\x1B\xC3\x97\xB2\x3D\xD1\x55\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xCB\x9C\x37\xAA\x48\x13\x12\x0A\xFA\xDD\x44\x9C\x4F\x52\xB0\xF4\xDF\xAE\x04\xF5\x79\x79\x08\xA3\x24\x18\xFC\x4B\x2B\x84\xC0\x2D\xB9\xD5\xC7\xFE\xF4\xC1\x1F\x58\xCB\xB8\x6D\x9C\x7A\x74\xE7\x98\x29\xAB\x11\xB5\xE3\x70\xA0\xA1\xCD\x4C\x88\x99\x93\x8C\x91\x70\xE2\xAB\x0F\x1C\xBE\x93\xA9\xFF\x63\xD5\xE4\x07\x60\xD3\xA3\xBF\x9D\x5B\x09\xF1\xD5\x8E\xE3\x53\xF4\x8E\x63\xFA\x3F\xA7\xDB\xB4\x66\xDF\x62\x66\xD6\xD1\x6E\x41\x8D\xF2\x2D\xB5\xEA\x77\x4A\x9F\x9D\x58\xE2\x2B\x59\xC0\x40\x23\xED\x2D\x28\x82\x45\x3E\x79\x54\x92\x26\x98\xE0\x80\x48\xA8\x37\xEF\xF0\xD6\x79\x60\x16\xDE\xAC\xE8\x0E\xCD\x6E\xAC\x44\x17\x38\x2F\x49\xDA\xE1\x45\x3E\x2A\xB9\x36\x53\xCF\x3A\x50
\x06\xF7\x2E\xE8\xC4\x57\x49\x6C\x61\x21\x18\xD5\x04\xAD\x78\x3C\x2C\x3A\x80\x6B\xA7\xEB\xAF\x15\x14\xE9\xD8\x89\xC1\xB9\x38\x6C\xE2\x91\x6C\x8A\xFF\x64\xB9\x77\x25\x57\x30\xC0\x1B\x24\xA3\xE1\xDC\xE9\xDF\x47\x7C\xB5\xB4\x24\x08\x05\x30\xEC\x2D\xBD\x0B\xBF\x45\xBF\x50\xB9\xA9\xF3\xEB\x98\x01\x12\xAD\xC8\x88\xC6\x98\x34\x5F\x8D\x0A\x3C\xC6\xE9\xD5\x95\x95\x6D\xDE", ["CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US"] = "\x30\x82\x03\xC5\x30\x82\x02\xAD\xA0\x03\x02\x01\x02\x02\x10\x02\xAC\x5C\x26\x6A\x0B\x40\x9B\x8F\x0B\x79\xF2\xAE\x46\x25\x77\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x6C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x44\x69\x67\x69\x43\x65\x72\x74\x20\x48\x69\x67\x68\x20\x41\x73\x73\x75\x72\x61\x6E\x63\x65\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x30\x6C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x44\x69\x67\x69\x43\x65\x72\x74\x20\x48\x69\x67\x68\x20\x41\x73\x73\x75\x72\x61\x6E\x63\x65\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC6\xCC\xE5\x73\xE6\xFB\xD4\xBB\xE5\x2D\x2D\x32\xA6\xDF\xE5\x81\x3F\xC9\xCD\x25\x49\xB6\x71\x2A\xC3\xD5\x94\x34\x67\xA2\x0A\x1C\xB0\x5F\x69\xA6\x40\xB1\xC4\xB7\xB2\x8F\xD0\x98\xA4\xA9\x41\x59\x3A\xD3\xDC\x94\xD6\x3C\xDB\x74
\x38\xA4\x4A\xCC\x4D\x25\x82\xF7\x4A\xA5\x53\x12\x38\xEE\xF3\x49\x6D\x71\x91\x7E\x63\xB6\xAB\xA6\x5F\xC3\xA4\x84\xF8\x4F\x62\x51\xBE\xF8\xC5\xEC\xDB\x38\x92\xE3\x06\xE5\x08\x91\x0C\xC4\x28\x41\x55\xFB\xCB\x5A\x89\x15\x7E\x71\xE8\x35\xBF\x4D\x72\x09\x3D\xBE\x3A\x38\x50\x5B\x77\x31\x1B\x8D\xB3\xC7\x24\x45\x9A\xA7\xAC\x6D\x00\x14\x5A\x04\xB7\xBA\x13\xEB\x51\x0A\x98\x41\x41\x22\x4E\x65\x61\x87\x81\x41\x50\xA6\x79\x5C\x89\xDE\x19\x4A\x57\xD5\x2E\xE6\x5D\x1C\x53\x2C\x7E\x98\xCD\x1A\x06\x16\xA4\x68\x73\xD0\x34\x04\x13\x5C\xA1\x71\xD3\x5A\x7C\x55\xDB\x5E\x64\xE1\x37\x87\x30\x56\x04\xE5\x11\xB4\x29\x80\x12\xF1\x79\x39\x88\xA2\x02\x11\x7C\x27\x66\xB7\x88\xB7\x78\xF2\xCA\x0A\xA8\x38\xAB\x0A\x64\xC2\xBF\x66\x5D\x95\x84\xC1\xA1\x25\x1E\x87\x5D\x1A\x50\x0B\x20\x12\xCC\x41\xBB\x6E\x0B\x51\x38\xB8\x4B\xCB\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB1\x3E\xC3\x69\x03\xF8\xBF\x47\x01\xD4\x98\x26\x1A\x08\x02\xEF\x63\x64\x2B\xC3\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xB1\x3E\xC3\x69\x03\xF8\xBF\x47\x01\xD4\x98\x26\x1A\x08\x02\xEF\x63\x64\x2B\xC3\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x1C\x1A\x06\x97\xDC\xD7\x9C\x9F\x3C\x88\x66\x06\x08\x57\x21\xDB\x21\x47\xF8\x2A\x67\xAA\xBF\x18\x32\x76\x40\x10\x57\xC1\x8A\xF3\x7A\xD9\x11\x65\x8E\x35\xFA\x9E\xFC\x45\xB5\x9E\xD9\x4C\x31\x4B\xB8\x91\xE8\x43\x2C\x8E\xB3\x78\xCE\xDB\xE3\x53\x79\x71\xD6\xE5\x21\x94\x01\xDA\x55\x87\x9A\x24\x64\xF6\x8A\x66\xCC\xDE\x9C\x37\xCD\xA8\x34\xB1\x69\x9B\x23\xC8\x9E\x78\x22\x2B\x70\x43\xE3\x55\x47\x31\x61\x19\xEF\x58\xC5\x85\x2F\x4E\x30\xF6\xA0\x31\x16\x23\xC8\xE7\xE2\x65\x16\x33\xCB\xBF\x1A\x1B\xA0\x3D\xF8\xCA\x5E\x8B\x31\x8B\x60\x08\x89\x2D\x0C\x06\x5C\x52\xB7\xC4\xF9\x0A\x98\xD1\x15\x5F\x9F\x12\xBE\x7C\x36\x63\x38\xBD\x44\xA4\x7F\xE4\x26\x2B\x0A\xC4\x97\x69\x0D\xE9\x8C\xE2\xC0\x10\x57\xB8\xC8\x76
\x12\x91\x55\xF2\x48\x69\xD8\xBC\x2A\x02\x5B\x0F\x44\xD4\x20\x31\xDB\xF4\xBA\x70\x26\x5D\x90\x60\x9E\xBC\x4B\x17\x09\x2F\xB4\xCB\x1E\x43\x68\xC9\x07\x27\xC1\xD2\x5C\xF7\xEA\x21\xB9\x68\x12\x9C\x3C\x9C\xBF\x9E\xFC\x80\x5C\x9B\x63\xCD\xEC\x47\xAA\x25\x27\x67\xA0\x37\xF3\x00\x82\x7D\x54\xD7\xA9\xF8\xE9\x2E\x13\xA3\x77\xE8\x1F\x4A", ["CN=Class 2 Primary CA,O=Certplus,C=FR"] = "\x30\x82\x03\x92\x30\x82\x02\x7A\xA0\x03\x02\x01\x02\x02\x11\x00\x85\xBD\x4B\xF3\xD8\xDA\xE3\x69\xF6\x94\xD7\x5F\xC3\xA5\x44\x23\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x43\x65\x72\x74\x70\x6C\x75\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x43\x6C\x61\x73\x73\x20\x32\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x41\x30\x1E\x17\x0D\x39\x39\x30\x37\x30\x37\x31\x37\x30\x35\x30\x30\x5A\x17\x0D\x31\x39\x30\x37\x30\x36\x32\x33\x35\x39\x35\x39\x5A\x30\x3D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x43\x65\x72\x74\x70\x6C\x75\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x43\x6C\x61\x73\x73\x20\x32\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDC\x50\x96\xD0\x12\xF8\x35\xD2\x08\x78\x7A\xB6\x52\x70\xFD\x6F\xEE\xCF\xB9\x11\xCB\x5D\x77\xE1\xEC\xE9\x7E\x04\x8D\xD6\xCC\x6F\x73\x43\x57\x60\xAC\x33\x0A\x44\xEC\x03\x5F\x1C\x80\x24\x91\xE5\xA8\x91\x56\x12\x82\xF7\xE0\x2B\xF4\xDB\xAE\x61\x2E\x89\x10\x8D\x6B\x6C\xBA\xB3\x02\xBD\xD5\x36\xC5\x48\x37\x23\xE2\xF0\x5A\x37\x52\x33\x17\x12\xE2\xD1\x60\x4D\xBE\x2F\x41\x11\xE3\xF6\x17\x25\x0C\x8B\x91\xC0\x1B\x99\x7B\x99\x56\x0D\xAF\xEE\xD2\xBC\x47\x57\xE3\x79\x49\x7B\x34\x89\x27\x24\x84\xDE\xB1\xEC\xE9\x58\x4E\xFE\x4E\xDF\x5A\xBE\x41\xAD\xAC\x08\xC5\x18\x0E\xEF\xD2\x53\xEE\x6C\xD0\x9D\x12\x01\x13\x8D\xDC\x80\x62\xF7\x95\xA9\x44\x88\x4A\x71\x4E\x60\x55\x9E\xDB\x23\x19\x79
\x56\x07\x0C\x3F\x63\x0B\x5C\xB0\xE2\xBE\x7E\x15\xFC\x94\x33\x58\x41\x38\x74\xC4\xE1\x8F\x8B\xDF\x26\xAC\x1F\xB5\x8B\x3B\xB7\x43\x59\x6B\xB0\x24\xA6\x6D\x90\x8B\xC4\x72\xEA\x5D\x33\x98\xB7\xCB\xDE\x5E\x7B\xEF\x94\xF1\x1B\x3E\xCA\xC9\x21\xC1\xC5\x98\x02\xAA\xA2\xF6\x5B\x77\x9B\xF5\x7E\x96\x55\x34\x1C\x67\x69\xC0\xF1\x42\xE3\x47\xAC\xFC\x28\x1C\x66\x55\x02\x03\x01\x00\x01\xA3\x81\x8C\x30\x81\x89\x30\x0F\x06\x03\x55\x1D\x13\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x0A\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE3\x73\x2D\xDF\xCB\x0E\x28\x0C\xDE\xDD\xB3\xA4\xCA\x79\xB8\x8E\xBB\xE8\x30\x89\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x01\x06\x30\x37\x06\x03\x55\x1D\x1F\x04\x30\x30\x2E\x30\x2C\xA0\x2A\xA0\x28\x86\x26\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x65\x72\x74\x70\x6C\x75\x73\x2E\x63\x6F\x6D\x2F\x43\x52\x4C\x2F\x63\x6C\x61\x73\x73\x32\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA7\x54\xCF\x88\x44\x19\xCB\xDF\xD4\x7F\x00\xDF\x56\x33\x62\xB5\xF7\x51\x01\x90\xEB\xC3\x3F\xD1\x88\x44\xE9\x24\x5D\xEF\xE7\x14\xBD\x20\xB7\x9A\x3C\x00\xFE\x6D\x9F\xDB\x90\xDC\xD7\xF4\x62\xD6\x8B\x70\x5D\xE7\xE5\x04\x48\xA9\x68\x7C\xC9\xF1\x42\xF3\x6C\x7F\xC5\x7A\x7C\x1D\x51\x88\xBA\xD2\x0A\x3E\x27\x5D\xDE\x2D\x51\x4E\xD3\x13\x64\x69\xE4\x2E\xE3\xD3\xE7\x9B\x09\x99\xA6\xE0\x95\x9B\xCE\x1A\xD7\x7F\xBE\x3C\xCE\x52\xB3\x11\x15\xC1\x0F\x17\xCD\x03\xBB\x9C\x25\x15\xBA\xA2\x76\x89\xFC\x06\xF1\x18\xD0\x93\x4B\x0E\x7C\x82\xB7\xA5\xF4\xF6\x5F\xFE\xED\x40\xA6\x9D\x84\x74\x39\xB9\xDC\x1E\x85\x16\xDA\x29\x1B\x86\x23\x00\xC9\xBB\x89\x7E\x6E\x80\x88\x1E\x2F\x14\xB4\x03\x24\xA8\x32\x6F\x03\x9A\x47\x2C\x30\xBE\x56\xC6\xA7\x42\x02\x70\x1B\xEA\x40\xD8\xBA\x05\x03\x70\x07\xA4\x96\xFF\xFD\x48\x33\x0A\xE1\xDC\xA5\x81\x90\x9B\x4D\xDD\x7D\xE7\xE7\xB2\xCD\x5C\xC8\x6A\x95\xF8\xA5\xF6\x8D\xC4\x5D\x78\x08\xBE\x7B\x06\xD6\x49\xCF\x19\x36\x50\x23\x2E\x08\xE6\x9E\x05\x4D\x47\x18\xD5\x16\xE9
\xB1\xD6\xB6\x10\xD5\xBB\x97\xBF\xA2\x8E\xB4\x54", ["CN=DST Root CA X3,O=Digital Signature Trust Co."] = "\x30\x82\x03\x4A\x30\x82\x02\x32\xA0\x03\x02\x01\x02\x02\x10\x44\xAF\xB0\x80\xD6\xA3\x27\xBA\x89\x30\x39\x86\x2E\xF8\x40\x6B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3F\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x20\x43\x6F\x2E\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x44\x53\x54\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x58\x33\x30\x1E\x17\x0D\x30\x30\x30\x39\x33\x30\x32\x31\x31\x32\x31\x39\x5A\x17\x0D\x32\x31\x30\x39\x33\x30\x31\x34\x30\x31\x31\x35\x5A\x30\x3F\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x20\x43\x6F\x2E\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x44\x53\x54\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x58\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDF\xAF\xE9\x97\x50\x08\x83\x57\xB4\xCC\x62\x65\xF6\x90\x82\xEC\xC7\xD3\x2C\x6B\x30\xCA\x5B\xEC\xD9\xC3\x7D\xC7\x40\xC1\x18\x14\x8B\xE0\xE8\x33\x76\x49\x2A\xE3\x3F\x21\x49\x93\xAC\x4E\x0E\xAF\x3E\x48\xCB\x65\xEE\xFC\xD3\x21\x0F\x65\xD2\x2A\xD9\x32\x8F\x8C\xE5\xF7\x77\xB0\x12\x7B\xB5\x95\xC0\x89\xA3\xA9\xBA\xED\x73\x2E\x7A\x0C\x06\x32\x83\xA2\x7E\x8A\x14\x30\xCD\x11\xA0\xE1\x2A\x38\xB9\x79\x0A\x31\xFD\x50\xBD\x80\x65\xDF\xB7\x51\x63\x83\xC8\xE2\x88\x61\xEA\x4B\x61\x81\xEC\x52\x6B\xB9\xA2\xE2\x4B\x1A\x28\x9F\x48\xA3\x9E\x0C\xDA\x09\x8E\x3E\x17\x2E\x1E\xDD\x20\xDF\x5B\xC6\x2A\x8A\xAB\x2E\xBD\x70\xAD\xC5\x0B\x1A\x25\x90\x74\x72\xC5\x7B\x6A\xAB\x34\xD6\x30\x89\xFF\xE5\x68\x13\x7B\x54\x0B\xC8\xD6\xAE\xEC\x5A\x9C\x92\x1E\x3D\x64\xB3\x8C\xC6\xDF\xBF\xC9\x41\x70\xEC\x16\x72\xD5\x26\xEC\x38\x55\x39\x43\xD0\xFC\xFD\x18\x5C\x40\xF1\x97\xEB\xD5\x9A\x9B\x8D\x1D\xBA\xDA\x25\xB9\xC6\xD8\xDF\xC1\x15\x02\x3A\xAB\xDA\x6E\xF1\x3E\x2E\x
F5\x5C\x08\x9C\x3C\xD6\x83\x69\xE4\x10\x9B\x19\x2A\xB6\x29\x57\xE3\xE5\x3D\x9B\x9F\xF0\x02\x5D\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC4\xA7\xB1\xA4\x7B\x2C\x71\xFA\xDB\xE1\x4B\x90\x75\xFF\xC4\x15\x60\x85\x89\x10\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA3\x1A\x2C\x9B\x17\x00\x5C\xA9\x1E\xEE\x28\x66\x37\x3A\xBF\x83\xC7\x3F\x4B\xC3\x09\xA0\x95\x20\x5D\xE3\xD9\x59\x44\xD2\x3E\x0D\x3E\xBD\x8A\x4B\xA0\x74\x1F\xCE\x10\x82\x9C\x74\x1A\x1D\x7E\x98\x1A\xDD\xCB\x13\x4B\xB3\x20\x44\xE4\x91\xE9\xCC\xFC\x7D\xA5\xDB\x6A\xE5\xFE\xE6\xFD\xE0\x4E\xDD\xB7\x00\x3A\xB5\x70\x49\xAF\xF2\xE5\xEB\x02\xF1\xD1\x02\x8B\x19\xCB\x94\x3A\x5E\x48\xC4\x18\x1E\x58\x19\x5F\x1E\x02\x5A\xF0\x0C\xF1\xB1\xAD\xA9\xDC\x59\x86\x8B\x6E\xE9\x91\xF5\x86\xCA\xFA\xB9\x66\x33\xAA\x59\x5B\xCE\xE2\xA7\x16\x73\x47\xCB\x2B\xCC\x99\xB0\x37\x48\xCF\xE3\x56\x4B\xF5\xCF\x0F\x0C\x72\x32\x87\xC6\xF0\x44\xBB\x53\x72\x6D\x43\xF5\x26\x48\x9A\x52\x67\xB7\x58\xAB\xFE\x67\x76\x71\x78\xDB\x0D\xA2\x56\x14\x13\x39\x24\x31\x85\xA2\xA8\x02\x5A\x30\x47\xE1\xDD\x50\x07\xBC\x02\x09\x90\x00\xEB\x64\x63\x60\x9B\x16\xBC\x88\xC9\x12\xE6\xD2\x7D\x91\x8B\xF9\x3D\x32\x8D\x65\xB4\xE9\x7C\xB1\x57\x76\xEA\xC5\xB6\x28\x39\xBF\x15\x65\x1C\xC8\xF6\x77\x96\x6A\x0A\x8D\x77\x0B\xD8\x91\x0B\x04\x8E\x07\xDB\x29\xB6\x0A\xEE\x9D\x82\x35\x35\x10", - ["CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US"] = 
"\x30\x82\x04\x09\x30\x82\x02\xF1\xA0\x03\x02\x01\x02\x02\x10\x0D\x5E\x99\x0A\xD6\x9D\xB7\x78\xEC\xD8\x07\x56\x3B\x86\x15\xD9\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x31\x11\x30\x0F\x06\x03\x55\x04\x0B\x13\x08\x44\x53\x54\x20\x41\x43\x45\x53\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x44\x53\x54\x20\x41\x43\x45\x53\x20\x43\x41\x20\x58\x36\x30\x1E\x17\x0D\x30\x33\x31\x31\x32\x30\x32\x31\x31\x39\x35\x38\x5A\x17\x0D\x31\x37\x31\x31\x32\x30\x32\x31\x31\x39\x35\x38\x5A\x30\x5B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x31\x11\x30\x0F\x06\x03\x55\x04\x0B\x13\x08\x44\x53\x54\x20\x41\x43\x45\x53\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x44\x53\x54\x20\x41\x43\x45\x53\x20\x43\x41\x20\x58\x36\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB9\x3D\xF5\x2C\xC9\x94\xDC\x75\x8A\x95\x5D\x63\xE8\x84\x77\x76\x66\xB9\x59\x91\x5C\x46\xDD\x92\x3E\x9F\xF9\x0E\x03\xB4\x3D\x61\x92\xBD\x23\x26\xB5\x63\xEE\x92\xD2\x9E\xD6\x3C\xC8\x0D\x90\x5F\x64\x81\xB1\xA8\x08\x0D\x4C\xD8\xF9\xD3\x05\x28\x52\xB4\x01\x25\xC5\x95\x1C\x0C\x7E\x3E\x10\x84\x75\xCF\xC1\x19\x91\x63\xCF\xE8\xA8\x91\x88\xB9\x43\x52\xBB\x80\xB1\x55\x89\x8B\x31\xFA\xD0\xB7\x76\xBE\x41\x3D\x30\x9A\xA4\x22\x25\x17\x73\xE8\x1E\xE2\xD3\xAC\x2A\xBD\x5B\x38\x21\xD5\x2A\x4B\xD7\x55\x7D\xE3\x3A\x55\xBD\xD7\x6D\x6B\x02\x57\x6B\xE6\x47\x7C\x08\xC8\x82\xBA\xDE\xA7\x87\x3D\xA1\x6D\xB8\x30\x56\xC2\xB3\x02\x81\x5F\x2D\xF5\xE2\x9A\x30\x18\x28\xB8\x66\xD3\xCB\x01\x96\x6F\xEA\x8A\x45\x55\xD6\xE0\x9D\xFF\x67\x2B\x17\x02\xA6\x4E\x1A\x6A\x11\x0B\x7E\xB7\x7B\xE7\x98\xD6\x8C\x76\x6F\xC1\x3B\xDB\x50\x93\x7E\xE5\xD
0\x8E\x1F\x37\xB8\xBD\xBA\xC6\x9F\x6C\xE9\x7C\x33\xF2\x32\x3C\x26\x47\xFA\x27\x24\x02\xC9\x7E\x1D\x5B\x88\x42\x13\x6A\x35\x7C\x7D\x35\xE9\x2E\x66\x91\x72\x93\xD5\x32\x26\xC4\x74\xF5\x53\xA3\xB3\x5D\x9A\xF6\x09\xCB\x02\x03\x01\x00\x01\xA3\x81\xC8\x30\x81\xC5\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\xC6\x30\x1F\x06\x03\x55\x1D\x11\x04\x18\x30\x16\x81\x14\x70\x6B\x69\x2D\x6F\x70\x73\x40\x74\x72\x75\x73\x74\x64\x73\x74\x2E\x63\x6F\x6D\x30\x62\x06\x03\x55\x1D\x20\x04\x5B\x30\x59\x30\x57\x06\x0A\x60\x86\x48\x01\x65\x03\x02\x01\x01\x01\x30\x49\x30\x47\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x3B\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x74\x72\x75\x73\x74\x64\x73\x74\x2E\x63\x6F\x6D\x2F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x73\x2F\x70\x6F\x6C\x69\x63\x79\x2F\x41\x43\x45\x53\x2D\x69\x6E\x64\x65\x78\x2E\x68\x74\x6D\x6C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x09\x72\x06\x4E\x18\x43\x0F\xE5\xD6\xCC\xC3\x6A\x8B\x31\x7B\x78\x8F\xA8\x83\xB8\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA3\xD8\x8E\xD6\xB2\xDB\xCE\x05\xE7\x32\xCD\x01\xD3\x04\x03\xE5\x76\xE4\x56\x2B\x9C\x99\x90\xE8\x08\x30\x6C\xDF\x7D\x3D\xEE\xE5\xBF\xB5\x24\x40\x84\x49\xE1\xD1\x28\xAE\xC4\xC2\x3A\x53\x30\x88\xF1\xF5\x77\x6E\x51\xCA\xFA\xFF\x99\xAF\x24\x5F\x1B\xA0\xFD\xF2\xAC\x84\xCA\xDF\xA9\xF0\x5F\x04\x2E\xAD\x16\xBF\x21\x97\x10\x81\x3D\xE3\xFF\x87\x8D\x32\xDC\x94\xE5\x47\x8A\x5E\x6A\x13\xC9\x94\x95\x3D\xD2\xEE\xC8\x34\x95\xD0\x80\xD4\xAD\x32\x08\x80\x54\x3C\xE0\xBD\x52\x53\xD7\x52\x7C\xB2\x69\x3F\x7F\x7A\xCF\x6A\x74\xCA\xFA\x04\x2A\x9C\x4C\x5A\x06\xA5\xE9\x20\xAD\x45\x66\x0F\x69\xF1\xDD\xBF\xE9\xE3\x32\x8B\xFA\xE0\xC1\x86\x4D\x72\x3C\x2E\xD8\x93\x78\x0A\x2A\xF8\xD8\xD2\x27\x3D\x19\x89\x5F\x5A\x7B\x8A\x3B\xCC\x0C\xDA\x51\xAE\xC7\x0B\xF7\x2B\xB0\x37\x05\xEC\xBC\x57\x23\xE2\x38\xD2\x9B\x68\xF3\x56\x12\x88\x4F\x42\x7C\xB8\x31\xC4\xB5\xDB\xE4\xC8\x21\x34\xE9\x48\x11\x35\xEE\xFA\xC
7\x92\x57\xC5\x9F\x34\xE4\xC7\xF6\xF7\x0E\x0B\x4C\x9C\x68\x78\x7B\x71\x31\xC7\xEB\x1E\xE0\x67\x41\xF3\xB7\xA0\xA7\xCD\xE5\x7A\x33\x36\x6A\xFA\x9A\x2B", ["CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH"] = "\x30\x82\x05\xBA\x30\x82\x03\xA2\xA0\x03\x02\x01\x02\x02\x09\x00\xBB\x40\x1C\x43\xF5\x5E\x4F\xB0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x41\x47\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x47\x6F\x6C\x64\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x1E\x17\x0D\x30\x36\x31\x30\x32\x35\x30\x38\x33\x30\x33\x35\x5A\x17\x0D\x33\x36\x31\x30\x32\x35\x30\x38\x33\x30\x33\x35\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x41\x47\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x47\x6F\x6C\x64\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xAF\xE4\xEE\x7E\x8B\x24\x0E\x12\x6E\xA9\x50\x2D\x16\x44\x3B\x92\x92\x5C\xCA\xB8\x5D\x84\x92\x42\x13\x2A\xBC\x65\x57\x82\x40\x3E\x57\x24\xCD\x50\x8B\x25\x2A\xB7\x6F\xFC\xEF\xA2\xD0\xC0\x1F\x02\x24\x4A\x13\x96\x8F\x23\x13\xE6\x28\x58\x00\xA3\x47\xC7\x06\xA7\x84\x23\x2B\xBB\xBD\x96\x2B\x7F\x55\xCC\x8B\xC1\x57\x1F\x0E\x62\x65\x0F\xDD\x3D\x56\x8A\x73\xDA\xAE\x7E\x6D\xBA\x81\x1C\x7E\x42\x8C\x20\x35\xD9\x43\x4D\x84\xFA\x84\xDB\x52\x2C\xF3\x0E\x27\x77\x0B\x6B\xBF\x11\x2F\x72\x78\x9F\x2E\xD8\x3E\xE6\x18\x37\x5A\x2A\x72\xF9\xDA\x62\x90\x92\x95\xCA\x1F\x9C\xE9\xB3\x3C\x2B\xCB\xF3\x01\x13\xBF\x5A\xCF\xC1\xB5\x0A\x60\xBD\xDD\xB5\x99\x64\x53\xB8\xA0\x96\xB3\x6F\xE2\x26\x77\x91\x8C\xE0\x62\x10\x02\x9F\x34\x0F\xA4\xD5\x92\x33\x51\xDE\xBE\x8D\xBA\x84\x7A\x60\x3C\x6A\xDB\x9F\x2B\xEC\xDE\xDE\x01\x3F\x6E\x4D\xE5\x50\x8
6\xCB\xB4\xAF\xED\x44\x40\xC5\xCA\x5A\x8C\xDA\xD2\x2B\x7C\xA8\xEE\xBE\xA6\xE5\x0A\xAA\x0E\xA5\xDF\x05\x52\xB7\x55\xC7\x22\x5D\x32\x6A\x97\x97\x63\x13\xDB\xC9\xDB\x79\x36\x7B\x85\x3A\x4A\xC5\x52\x89\xF9\x24\xE7\x9D\x77\xA9\x82\xFF\x55\x1C\xA5\x71\x69\x2B\xD1\x02\x24\xF2\xB3\x26\xD4\x6B\xDA\x04\x55\xE5\xC1\x0A\xC7\x6D\x30\x37\x90\x2A\xE4\x9E\x14\x33\x5E\x16\x17\x55\xC5\x5B\xB5\xCB\x34\x89\x92\xF1\x9D\x26\x8F\xA1\x07\xD4\xC6\xB2\x78\x50\xDB\x0C\x0C\x0B\x7C\x0B\x8C\x41\xD7\xB9\xE9\xDD\x8C\x88\xF7\xA3\x4D\xB2\x32\xCC\xD8\x17\xDA\xCD\xB7\xCE\x66\x9D\xD4\xFD\x5E\xFF\xBD\x97\x3E\x29\x75\xE7\x7E\xA7\x62\x58\xAF\x25\x34\xA5\x41\xC7\x3D\xBC\x0D\x50\xCA\x03\x03\x0F\x08\x5A\x1F\x95\x73\x78\x62\xBF\xAF\x72\x14\x69\x0E\xA5\xE5\x03\x0E\x78\x8E\x26\x28\x42\xF0\x07\x0B\x62\x20\x10\x67\x39\x46\xFA\xA9\x03\xCC\x04\x38\x7A\x66\xEF\x20\x83\xB5\x8C\x4A\x56\x8E\x91\x00\xFC\x8E\x5C\x82\xDE\x88\xA0\xC3\xE2\x68\x6E\x7D\x8D\xEF\x3C\xDD\x65\xF4\x5D\xAC\x51\xEF\x24\x80\xAE\xAA\x56\x97\x6F\xF9\xAD\x7D\xDA\x61\x3F\x98\x77\x3C\xA5\x91\xB6\x1C\x8C\x26\xDA\x65\xA2\x09\x6D\xC1\xE2\x54\xE3\xB9\xCA\x4C\x4C\x80\x8F\x77\x7B\x60\x9A\x1E\xDF\xB6\xF2\x48\x1E\x0E\xBA\x4E\x54\x6D\x98\xE0\xE1\xA2\x1A\xA2\x77\x50\xCF\xC4\x63\x92\xEC\x47\x19\x9D\xEB\xE6\x6B\xCE\xC1\x02\x03\x01\x00\x01\xA3\x81\xAC\x30\x81\xA9\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x5B\x25\x7B\x96\xA4\x65\x51\x7E\xB8\x39\xF3\xC0\x78\x66\x5E\xE8\x3A\xE7\xF0\xEE\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x5B\x25\x7B\x96\xA4\x65\x51\x7E\xB8\x39\xF3\xC0\x78\x66\x5E\xE8\x3A\xE7\xF0\xEE\x30\x46\x06\x03\x55\x1D\x20\x04\x3F\x30\x3D\x30\x3B\x06\x09\x60\x85\x74\x01\x59\x01\x02\x01\x01\x30\x2E\x30\x2C\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x20\x68\x74\x74\x70\x3A\x2F\x2F\x72\x65\x70\x6F\x73\x69\x74\x6F\x72\x79\x2E\x73\x77\x69\x73\x73\x73\x69\x67\x6E\x2E\x63\x6F\x6D\x2F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x0
1\x01\x05\x05\x00\x03\x82\x02\x01\x00\x27\xBA\xE3\x94\x7C\xF1\xAE\xC0\xDE\x17\xE6\xE5\xD8\xD5\xF5\x54\xB0\x83\xF4\xBB\xCD\x5E\x05\x7B\x4F\x9F\x75\x66\xAF\x3C\xE8\x56\x7E\xFC\x72\x78\x38\x03\xD9\x2B\x62\x1B\x00\xB9\xF8\xE9\x60\xCD\xCC\xCE\x51\x8A\xC7\x50\x31\x6E\xE1\x4A\x7E\x18\x2F\x69\x59\xB6\x3D\x64\x81\x2B\xE3\x83\x84\xE6\x22\x87\x8E\x7D\xE0\xEE\x02\x99\x61\xB8\x1E\xF4\xB8\x2B\x88\x12\x16\x84\xC2\x31\x93\x38\x96\x31\xA6\xB9\x3B\x53\x3F\xC3\x24\x93\x56\x5B\x69\x92\xEC\xC5\xC1\xBB\x38\x00\xE3\xEC\x17\xA9\xB8\xDC\xC7\x7C\x01\x83\x9F\x32\x47\xBA\x52\x22\x34\x1D\x32\x7A\x09\x56\xA7\x7C\x25\x36\xA9\x3D\x4B\xDA\xC0\x82\x6F\x0A\xBB\x12\xC8\x87\x4B\x27\x11\xF9\x1E\x2D\xC7\x93\x3F\x9E\xDB\x5F\x26\x6B\x52\xD9\x2E\x8A\xF1\x14\xC6\x44\x8D\x15\xA9\xB7\xBF\xBD\xDE\xA6\x1A\xEE\xAE\x2D\xFB\x48\x77\x17\xFE\xBB\xEC\xAF\x18\xF5\x2A\x51\xF0\x39\x84\x97\x95\x6C\x6E\x1B\xC3\x2B\xC4\x74\x60\x79\x25\xB0\x0A\x27\xDF\xDF\x5E\xD2\x39\xCF\x45\x7D\x42\x4B\xDF\xB3\x2C\x1E\xC5\xC6\x5D\xCA\x55\x3A\xA0\x9C\x69\x9A\x8F\xDA\xEF\xB2\xB0\x3C\x9F\x87\x6C\x12\x2B\x65\x70\x15\x52\x31\x1A\x24\xCF\x6F\x31\x23\x50\x1F\x8C\x4F\x8F\x23\xC3\x74\x41\x63\x1C\x55\xA8\x14\xDD\x3E\xE0\x51\x50\xCF\xF1\x1B\x30\x56\x0E\x92\xB0\x82\x85\xD8\x83\xCB\x22\x64\xBC\x2D\xB8\x25\xD5\x54\xA2\xB8\x06\xEA\xAD\x92\xA4\x24\xA0\xC1\x86\xB5\x4A\x13\x6A\x47\xCF\x2E\x0B\x56\x95\x54\xCB\xCE\x9A\xDB\x6A\xB4\xA6\xB2\xDB\x41\x08\x86\x27\x77\xF7\x6A\xA0\x42\x6C\x0B\x38\xCE\xD7\x75\x50\x32\x92\xC2\xDF\x2B\x30\x22\x48\xD0\xD5\x41\x38\x25\x5D\xA4\xE9\x5D\x9F\xC6\x94\x75\xD0\x45\xFD\x30\x97\x43\x8F\x90\xAB\x0A\xC7\x86\x73\x60\x4A\x69\x2D\xDE\xA5\x78\xD7\x06\xDA\x6A\x9E\x4B\x3E\x77\x3A\x20\x13\x22\x01\xD0\xBF\x68\x9E\x63\x60\x6B\x35\x4D\x0B\x6D\xBA\xA1\x3D\xC0\x93\xE0\x7F\x23\xB3\x55\xAD\x72\x25\x4E\x46\xF9\xD2\x16\xEF\xB0\x64\xC1\x01\x9E\xE9\xCA\xA0\x6A\x98\x0E\xCF\xD8\x60\xF2\x2F\x49\xB8\xE4\x42\xE1\x38\x35\x16\xF4\xC8\x6E\x4F\xF7\x81\x56\xE8\xBA\xA3\xBE\x23\xAF\xAE\xFD\x6F\x03\xE0\x02\x3B\x30\x76\xFA\x1B\x6D\x41\xCF\x01\xB1\xE9\xB8\xC9\x66\xF
4\xDB\x26\xF3\x3A\xA4\x74\xF2\x49\x24\x5B\xC9\xB0\xD0\x57\xC1\xFA\x3E\x7A\xE1\x97\xC9", ["CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH"] = "\x30\x82\x05\xBD\x30\x82\x03\xA5\xA0\x03\x02\x01\x02\x02\x08\x4F\x1B\xD4\x2F\x54\xBB\x2F\x4B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x41\x47\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x53\x69\x6C\x76\x65\x72\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x1E\x17\x0D\x30\x36\x31\x30\x32\x35\x30\x38\x33\x32\x34\x36\x5A\x17\x0D\x33\x36\x31\x30\x32\x35\x30\x38\x33\x32\x34\x36\x5A\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x41\x47\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x53\x69\x6C\x76\x65\x72\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC4\xF1\x87\x7F\xD3\x78\x31\xF7\x38\xC9\xF8\xC3\x99\x43\xBC\xC7\xF7\xBC\x37\xE7\x4E\x71\xBA\x4B\x8F\xA5\x73\x1D\x5C\x6E\x98\xAE\x03\x57\xAE\x38\x37\x43\x2F\x17\x3D\x1F\xC8\xCE\x68\x10\xC1\x78\xAE\x19\x03\x2B\x10\xFA\x2C\x79\x83\xF6\xE8\xB9\x68\xB9\x55\xF2\x04\x44\xA7\x39\xF9\xFC\x04\x8B\x1E\xF1\xA2\x4D\x27\xF9\x61\x7B\xBA\xB7\xE5\xA2\x13\xB6\xEB\x61\x3E\xD0\x6C\xD1\xE6\xFB\xFA\x5E\xED\x1D\xB4\x9E\xA0\x35\x5B\xA1\x92\xCB\xF0\x49\x92\xFE\x85\x0A\x05\x3E\xE6\xD9\x0B\xE2\x4F\xBB\xDC\x95\x37\xFC\x91\xE9\x32\x35\x22\xD1\x1F\x3A\x4E\x27\x85\x9D\xB0\x15\x94\x32\xDA\x61\x0D\x47\x4D\x60\x42\xAE\x92\x47\xE8\x83\x5A\x50\x58\xE9\x8A\x8B\xB9\x5D\xA1\xDC\xDD\x99\x4A\x1F\x36\x67\xBB\x48\xE4\x83\xB6\x37\xEB\x48\x3A\xAF\x0F\x67\x8F\x17\x07\xE8\x04\xCA\xEF\x6A\x31\x87\xD4\xC0\xB6\xF9\x94\x71\x7B\x67\x64\xB8\xB6\x91\x4A\x42\x7B\x65\x2E\x30\x6A\x0C\xF5\x90\xEE\x95\xE6\
xF2\xCD\x82\xEC\xD9\xA1\x4A\xEC\xF6\xB2\x4B\xE5\x45\x85\xE6\x6D\x78\x93\x04\x2E\x9C\x82\x6D\x36\xA9\xC4\x31\x64\x1F\x86\x83\x0B\x2A\xF4\x35\x0A\x78\xC9\x55\xCF\x41\xB0\x47\xE9\x30\x9F\x99\xBE\x61\xA8\x06\x84\xB9\x28\x7A\x5F\x38\xD9\x1B\xA9\x38\xB0\x83\x7F\x73\xC1\xC3\x3B\x48\x2A\x82\x0F\x21\x9B\xB8\xCC\xA8\x35\xC3\x84\x1B\x83\xB3\x3E\xBE\xA4\x95\x69\x01\x3A\x89\x00\x78\x04\xD9\xC9\xF4\x99\x19\xAB\x56\x7E\x5B\x8B\x86\x39\x15\x91\xA4\x10\x2C\x09\x32\x80\x60\xB3\x93\xC0\x2A\xB6\x18\x0B\x9D\x7E\x8D\x49\xF2\x10\x4A\x7F\xF9\xD5\x46\x2F\x19\x92\xA3\x99\xA7\x26\xAC\xBB\x8C\x3C\xE6\x0E\xBC\x47\x07\xDC\x73\x51\xF1\x70\x64\x2F\x08\xF9\xB4\x47\x1D\x30\x6C\x44\xEA\x29\x37\x85\x92\x68\x66\xBC\x83\x38\xFE\x7B\x39\x2E\xD3\x50\xF0\x1F\xFB\x5E\x60\xB6\xA9\xA6\xFA\x27\x41\xF1\x9B\x18\x72\xF2\xF5\x84\x74\x4A\xC9\x67\xC4\x54\xAE\x48\x64\xDF\x8C\xD1\x6E\xB0\x1D\xE1\x07\x8F\x08\x1E\x99\x9C\x71\xE9\x4C\xD8\xA5\xF7\x47\x12\x1F\x74\xD1\x51\x9E\x86\xF3\xC2\xA2\x23\x40\x0B\x73\xDB\x4B\xA6\xE7\x73\x06\x8C\xC1\xA0\xE9\xC1\x59\xAC\x46\xFA\xE6\x2F\xF8\xCF\x71\x9C\x46\x6D\xB9\xC4\x15\x8D\x38\x79\x03\x45\x48\xEF\xC4\x5D\xD7\x08\xEE\x87\x39\x22\x86\xB2\x0D\x0F\x58\x43\xF7\x71\xA9\x48\x2E\xFD\xEA\xD6\x1F\x02\x03\x01\x00\x01\xA3\x81\xAC\x30\x81\xA9\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x17\xA0\xCD\xC1\xE4\x41\xB6\x3A\x5B\x3B\xCB\x45\x9D\xBD\x1C\xC2\x98\xFA\x86\x58\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x17\xA0\xCD\xC1\xE4\x41\xB6\x3A\x5B\x3B\xCB\x45\x9D\xBD\x1C\xC2\x98\xFA\x86\x58\x30\x46\x06\x03\x55\x1D\x20\x04\x3F\x30\x3D\x30\x3B\x06\x09\x60\x85\x74\x01\x59\x01\x03\x01\x01\x30\x2E\x30\x2C\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x20\x68\x74\x74\x70\x3A\x2F\x2F\x72\x65\x70\x6F\x73\x69\x74\x6F\x72\x79\x2E\x73\x77\x69\x73\x73\x73\x69\x67\x6E\x2E\x63\x6F\x6D\x2F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x73\xC6\x81\
xE0\x27\xD2\x2D\x0F\xE0\x95\x30\xE2\x9A\x41\x7F\x50\x2C\x5F\x5F\x62\x61\xA9\x86\x6A\x69\x18\x0C\x74\x49\xD6\x5D\x84\xEA\x41\x52\x18\x6F\x58\xAD\x50\x56\x20\x6A\xC6\xBD\x28\x69\x58\x91\xDC\x91\x11\x35\xA9\x3A\x1D\xBC\x1A\xA5\x60\x9E\xD8\x1F\x7F\x45\x91\x69\xD9\x7E\xBB\x78\x72\xC1\x06\x0F\x2A\xCE\x8F\x85\x70\x61\xAC\xA0\xCD\x0B\xB8\x39\x29\x56\x84\x32\x4E\x86\xBB\x3D\xC4\x2A\xD9\xD7\x1F\x72\xEE\xFE\x51\xA1\x22\x41\xB1\x71\x02\x63\x1A\x82\xB0\x62\xAB\x5E\x57\x12\x1F\xDF\xCB\xDD\x75\xA0\xC0\x5D\x79\x90\x8C\x1B\xE0\x50\xE6\xDE\x31\xFE\x98\x7B\x70\x5F\xA5\x90\xD8\xAD\xF8\x02\xB6\x6F\xD3\x60\xDD\x40\x4B\x22\xC5\x3D\xAD\x3A\x7A\x9F\x1A\x1A\x47\x91\x79\x33\xBA\x82\xDC\x32\x69\x03\x96\x6E\x1F\x4B\xF0\x71\xFE\xE3\x67\x72\xA0\xB1\xBF\x5C\x8B\xE4\xFA\x99\x22\xC7\x84\xB9\x1B\x8D\x23\x97\x3F\xED\x25\xE0\xCF\x65\xBB\xF5\x61\x04\xEF\xDD\x1E\xB2\x5A\x41\x22\x5A\xA1\x9F\x5D\x2C\xE8\x5B\xC9\x6D\xA9\x0C\x0C\x78\xAA\x60\xC6\x56\x8F\x01\x5A\x0C\x68\xBC\x69\x19\x79\xC4\x1F\x7E\x97\x05\xBF\xC5\xE9\x24\x51\x5E\xD4\xD5\x4B\x53\xED\xD9\x23\x5A\x36\x03\x65\xA3\xC1\x03\xAD\x41\x30\xF3\x46\x1B\x85\x90\xAF\x65\xB5\xD5\xB1\xE4\x16\x5B\x78\x75\x1D\x97\x7A\x6D\x59\xA9\x2A\x8F\x7B\xDE\xC3\x87\x89\x10\x99\x49\x73\x78\xC8\x3D\xBD\x51\x35\x74\x2A\xD5\xF1\x7E\x69\x1B\x2A\xBB\x3B\xBD\x25\xB8\x9A\x5A\x3D\x72\x61\x90\x66\x87\xEE\x0C\xD6\x4D\xD4\x11\x74\x0B\x6A\xFE\x0B\x03\xFC\xA3\x55\x57\x89\xFE\x4A\xCB\xAE\x5B\x17\x05\xC8\xF2\x8D\x23\x31\x53\x38\xD2\x2D\x6A\x3F\x82\xB9\x8D\x08\x6A\xF7\x5E\x41\x74\x6E\xC3\x11\x7E\x07\xAC\x29\x60\x91\x3F\x38\xCA\x57\x10\x0D\xBD\x30\x2F\xC7\xA5\xE6\x41\xA0\xDA\xAE\x05\x87\x9A\xA0\xA4\x65\x6C\x4C\x09\x0C\x89\xBA\xB8\xD3\xB9\xC0\x93\x8A\x30\xFA\x8D\xE5\x9A\x6B\x15\x01\x4E\x67\xAA\xDA\x62\x56\x3E\x84\x08\x66\xD2\xC4\x36\x7D\xA7\x3E\x10\xFC\x88\xE0\xD4\x80\xE5\x00\xBD\xAA\xF3\x4E\x06\xA3\x7A\x6A\xF9\x62\x72\xE3\x09\x4F\xEB\x9B\x0E\x01\x23\xF1\x9F\xBB\x7C\xDC\xDC\x6C\x11\x97\x25\xB2\xF2\xB4\x63\x14\xD2\x06\x2A\x67\x8C\x83\xF5\xCE\xEA\x07\xD8\x9A\x6A\x1E\xEC\xE4\x0A\xBB\x2A\x4C\xEB\
x09\x60\x39\xCE\xCA\x62\xD8\x2E\x6E", ["CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US"] = "\x30\x82\x03\x7C\x30\x82\x02\x64\xA0\x03\x02\x01\x02\x02\x10\x18\xAC\xB5\x6A\xFD\x69\xB6\x15\x3A\x63\x6C\xAF\xDA\xFA\xC4\xA1\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x03\x13\x28\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x31\x31\x32\x37\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x36\x30\x37\x31\x36\x32\x33\x35\x39\x35\x39\x5A\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x03\x13\x28\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBE\xB8\x15\x7B\xFF\xD4\x7C\x7D\x67\xAD\x83\x64\x7B\xC8\x42\x53\x2D\xDF\xF6\x84\x08\x20\x61\xD6\x01\x59\x6A\x9C\x44\x11\xAF\xEF\x76\xFD\x95\x7E\xCE\x61\x30\xBB\x7A\x83\x5F\x02\xBD\x01\x66\xCA\xEE\x15\x8D\x6F\xA1\x30\x9C\xBD\xA1\x85\x9E\x94\x3A\xF3\x56\x88\x00\x31\xCF\xD8\xEE\x6A\x96\x02\xD9\xED\x03\x8C\xFB\x75\x6D\xE7\xEA\xB8\x55\x16\x05\x16\x9A\xF4\xE0\x5E\xB1\x88\xC0\x64\x85\x5C\x15\x4D\x88\xC7\xB7\xBA\xE0\x75\xE9\xAD\x05\x3D\x9D\xC7\x89\x48\xE0\xBB\x28\xC8\x03\xE1\x30\x93\x64\x5E\x52\xC0\x59\x70\x22\x35\x57\x88\x8A\xF1\x95\x0A\x83\xD7\xBC\x31\x73\x01\x34\xED\xEF\x46\x71\xE0\x6B\x02\xA8\x35\x72\x6B\x97\x9B\x66\xE0\xCB\x1C\x79\x5F\xD8\x1A\x04\x68\x1E\x47\x02\xE6\x9D\x60\xE2\x36\x97\x01\xDF\xCE\x35\x92\xDF\xBE\x67\x
C7\x6D\x77\x59\x3B\x8F\x9D\xD6\x90\x15\x94\xBC\x42\x34\x10\xC1\x39\xF9\xB1\x27\x3E\x7E\xD6\x8A\x75\xC5\xB2\xAF\x96\xD3\xA2\xDE\x9B\xE4\x98\xBE\x7D\xE1\xE9\x81\xAD\xB6\x6F\xFC\xD7\x0E\xDA\xE0\x34\xB0\x0D\x1A\x77\xE7\xE3\x08\x98\xEF\x58\xFA\x9C\x84\xB7\x36\xAF\xC2\xDF\xAC\xD2\xF4\x10\x06\x70\x71\x35\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x2C\xD5\x50\x41\x97\x15\x8B\xF0\x8F\x36\x61\x5B\x4A\xFB\x6B\xD9\x99\xC9\x33\x92\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x5A\x70\x7F\x2C\xDD\xB7\x34\x4F\xF5\x86\x51\xA9\x26\xBE\x4B\xB8\xAA\xF1\x71\x0D\xDC\x61\xC7\xA0\xEA\x34\x1E\x7A\x77\x0F\x04\x35\xE8\x27\x8F\x6C\x90\xBF\x91\x16\x24\x46\x3E\x4A\x4E\xCE\x2B\x16\xD5\x0B\x52\x1D\xFC\x1F\x67\xA2\x02\x45\x31\x4F\xCE\xF3\xFA\x03\xA7\x79\x9D\x53\x6A\xD9\xDA\x63\x3A\xF8\x80\xD7\xD3\x99\xE1\xA5\xE1\xBE\xD4\x55\x71\x98\x35\x3A\xBE\x93\xEA\xAE\xAD\x42\xB2\x90\x6F\xE0\xFC\x21\x4D\x35\x63\x33\x89\x49\xD6\x9B\x4E\xCA\xC7\xE7\x4E\x09\x00\xF7\xDA\xC7\xEF\x99\x62\x99\x77\xB6\x95\x22\x5E\x8A\xA0\xAB\xF4\xB8\x78\x98\xCA\x38\x19\x99\xC9\x72\x9E\x78\xCD\x4B\xAC\xAF\x19\xA0\x73\x12\x2D\xFC\xC2\x41\xBA\x81\x91\xDA\x16\x5A\x31\xB7\xF9\xB4\x71\x80\x12\x48\x99\x72\x73\x5A\x59\x53\xC1\x63\x52\x33\xED\xA7\xC9\xD2\x39\x02\x70\xFA\xE0\xB1\x42\x66\x29\xAA\x9B\x51\xED\x30\x54\x22\x14\x5F\xD9\xAB\x1D\xC1\xE4\x94\xF0\xF8\xF5\x2B\xF7\xEA\xCA\x78\x46\xD6\xB8\x91\xFD\xA6\x0D\x2B\x1A\x14\x01\x3E\x80\xF0\x42\xA0\x95\x07\x5E\x6D\xCD\xCC\x4B\xA4\x45\x8D\xAB\x12\xE8\xB3\xDE\x5A\xE5\xA0\x7C\xE8\x0F\x22\x1D\x5A\xE9\x59", 
@@ -60,22 +46,13 @@ redef root_certs += { ["CN=Secure Global CA,O=SecureTrust Corporation,C=US"] = "\x30\x82\x03\xBC\x30\x82\x02\xA4\xA0\x03\x02\x01\x02\x02\x10\x07\x56\x22\xA4\xE8\xD4\x8A\x89\x4D\xF4\x13\xC8\xF0\xF8\xEA\xA5\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x4A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x53\x65\x63\x75\x72\x65\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x30\x37\x31\x39\x34\x32\x32\x38\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x31\x39\x35\x32\x30\x36\x5A\x30\x4A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x53\x65\x63\x75\x72\x65\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAF\x35\x2E\xD8\xAC\x6C\x55\x69\x06\x71\xE5\x13\x68\x24\xB3\x4F\xD8\xCC\x21\x47\xF8\xF1\x60\x38\x89\x89\x03\xE9\xBD\xEA\x5E\x46\x53\x09\xDC\x5C\xF5\x5A\xE8\xF7\x45\x2A\x02\xEB\x31\x61\xD7\x29\x33\x4C\xCE\xC7\x7C\x0A\x37\x7E\x0F\xBA\x32\x98\xE1\x1D\x97\xAF\x8F\xC7\xDC\xC9\x38\x96\xF3\xDB\x1A\xFC\x51\xED\x68\xC6\xD0\x6E\xA4\x7C\x24\xD1\xAE\x42\xC8\x96\x50\x63\x2E\xE0\xFE\x75\xFE\x98\xA7\x5F\x49\x2E\x95\xE3\x39\x33\x64\x8E\x1E\xA4\x5F\x90\xD2\x67\x3C\xB2\xD9\xFE\x41\xB9\x55\xA7\x09\x8E\x72\x05\x1E\x8B\xDD\x44\x85\x82\x42\xD0\x49\xC0\x1D\x60\xF0\xD1\x17\x2C\x95\xEB\xF6\xA5\xC1\x92\xA3\xC5\xC2\xA7\x08\x60\x0D\x60\x04\x10\x96\x79\x9E\x16\x34\xE6\xA9\xB6\xFA\x25\x45\x39\xC8\x1E\x65\xF9\x93\xF5\xAA\xF1\x52\xDC\x99\x98\x3D\xA5\x86\x1A\x0C\x35\x33\xFA\x4B\xA5\x04\x06\x15\x1C\x31\x80\xEF\xAA\x18\x6B\xC2\x7B\xD7\xDA\xCE\xF9\x33\x20\xD5\xF5\xBD\x6A
\x33\x2D\x81\x04\xFB\xB0\x5C\xD4\x9C\xA3\xE2\x5C\x1D\xE3\xA9\x42\x75\x5E\x7B\xD4\x77\xEF\x39\x54\xBA\xC9\x0A\x18\x1B\x12\x99\x49\x2F\x88\x4B\xFD\x50\x62\xD1\x73\xE7\x8F\x7A\x43\x02\x03\x01\x00\x01\xA3\x81\x9D\x30\x81\x9A\x30\x13\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x14\x02\x04\x06\x1E\x04\x00\x43\x00\x41\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xAF\x44\x04\xC2\x41\x7E\x48\x83\xDB\x4E\x39\x02\xEC\xEC\x84\x7A\xE6\xCE\xC9\xA4\x30\x34\x06\x03\x55\x1D\x1F\x04\x2D\x30\x2B\x30\x29\xA0\x27\xA0\x25\x86\x23\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x73\x65\x63\x75\x72\x65\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x2F\x53\x47\x43\x41\x2E\x63\x72\x6C\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x63\x1A\x08\x40\x7D\xA4\x5E\x53\x0D\x77\xD8\x7A\xAE\x1F\x0D\x0B\x51\x16\x03\xEF\x18\x7C\xC8\xE3\xAF\x6A\x58\x93\x14\x60\x91\xB2\x84\xDC\x88\x4E\xBE\x39\x8A\x3A\xF3\xE6\x82\x89\x5D\x01\x37\xB3\xAB\x24\xA4\x15\x0E\x92\x35\x5A\x4A\x44\x5E\x4E\x57\xFA\x75\xCE\x1F\x48\xCE\x66\xF4\x3C\x40\x26\x92\x98\x6C\x1B\xEE\x24\x46\x0C\x17\xB3\x52\xA5\xDB\xA5\x91\x91\xCF\x37\xD3\x6F\xE7\x27\x08\x3A\x4E\x19\x1F\x3A\xA7\x58\x5C\x17\xCF\x79\x3F\x8B\xE4\xA7\xD3\x26\x23\x9D\x26\x0F\x58\x69\xFC\x47\x7E\xB2\xD0\x8D\x8B\x93\xBF\x29\x4F\x43\x69\x74\x76\x67\x4B\xCF\x07\x8C\xE6\x02\xF7\xB5\xE1\xB4\x43\xB5\x4B\x2D\x14\x9F\xF9\xDC\x26\x0D\xBF\xA6\x47\x74\x06\xD8\x88\xD1\x3A\x29\x30\x84\xCE\xD2\x39\x80\x62\x1B\xA8\xC7\x57\x49\xBC\x6A\x55\x51\x67\x15\x4A\xBE\x35\x07\xE4\xD5\x75\x98\x37\x79\x30\x14\xDB\x29\x9D\x6C\xC5\x69\xCC\x47\x55\xA2\x30\xF7\xCC\x5C\x7F\xC2\xC3\x98\x1C\x6B\x4E\x16\x80\xEB\x7A\x78\x65\x45\xA2\x00\x1A\xAF\x0C\x0D\x55\x64\x34\x48\xB8\x92\xB9\xF1\xB4\x50\x29\xF2\x4F\x23\x1F\xDA\x6C\xAC\x1F\x44\xE1\xDD\x23\x78\x51\x5B\xC7\x16", ["CN=COMODO Certification Authority,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB"] = "\x30\x82\x04\x1D\x30\x82\x03\x05\xA0\x03\x02\x01\x02\x02\x10\x4E\x81\x2D\x8A\x82\x65\xE0\x0B\x02\xEE\x3E\x35\x02\x46\xE5\x3D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x81\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x31\x32\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x81\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD0\x40\x8B\x8B\x72\xE3\x91\x1B\xF7\x51\xC1\x1B\x54\x04\x98\xD3\xA9\xBF\xC1\xE6\x8A\x5D\x3B\x87\xFB\xBB\x88\xCE\x0D\xE3\x2F\x3F\x06\x96\xF0\xA2\x29\x50\x99\xAE\xDB\x3B\xA1\x57\xB0\x74\x51\x71\xCD\xED\x42\x91\x4D\x41\xFE\xA9\xC8\xD8\x6A\x86\x77\x44\xBB\x59\x66\x97\x50\x5E\xB4\xD4\x2C\x70\x44\xCF\xDA\x37\x95\x42\x69\x3C\x30\xC4\x71\xB3\x52\xF0\x21\x4D\xA1\xD8\xBA\x39\x7C\x1C\x9E\xA3\x24\x9D\xF2\x83\x16\x98\xAA\x16\x7C\x43\x9B\x15\x5B\xB7\xAE\x34\x
91\xFE\xD4\x62\x26\x18\x46\x9A\x3F\xEB\xC1\xF9\xF1\x90\x57\xEB\xAC\x7A\x0D\x8B\xDB\x72\x30\x6A\x66\xD5\xE0\x46\xA3\x70\xDC\x68\xD9\xFF\x04\x48\x89\x77\xDE\xB5\xE9\xFB\x67\x6D\x41\xE9\xBC\x39\xBD\x32\xD9\x62\x02\xF1\xB1\xA8\x3D\x6E\x37\x9C\xE2\x2F\xE2\xD3\xA2\x26\x8B\xC6\xB8\x55\x43\x88\xE1\x23\x3E\xA5\xD2\x24\x39\x6A\x47\xAB\x00\xD4\xA1\xB3\xA9\x25\xFE\x0D\x3F\xA7\x1D\xBA\xD3\x51\xC1\x0B\xA4\xDA\xAC\x38\xEF\x55\x50\x24\x05\x65\x46\x93\x34\x4F\x2D\x8D\xAD\xC6\xD4\x21\x19\xD2\x8E\xCA\x05\x61\x71\x07\x73\x47\xE5\x8A\x19\x12\xBD\x04\x4D\xCE\x4E\x9C\xA5\x48\xAC\xBB\x26\xF7\x02\x03\x01\x00\x01\xA3\x81\x8E\x30\x81\x8B\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x0B\x58\xE5\x8B\xC6\x4C\x15\x37\xA4\x40\xA9\x30\xA9\x21\xBE\x47\x36\x5A\x56\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x49\x06\x03\x55\x1D\x1F\x04\x42\x30\x40\x30\x3E\xA0\x3C\xA0\x3A\x86\x38\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x63\x61\x2E\x63\x6F\x6D\x2F\x43\x4F\x4D\x4F\x44\x4F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3E\x98\x9E\x9B\xF6\x1B\xE9\xD7\x39\xB7\x78\xAE\x1D\x72\x18\x49\xD3\x87\xE4\x43\x82\xEB\x3F\xC9\xAA\xF5\xA8\xB5\xEF\x55\x7C\x21\x52\x65\xF9\xD5\x0D\xE1\x6C\xF4\x3E\x8C\x93\x73\x91\x2E\x02\xC4\x4E\x07\x71\x6F\xC0\x8F\x38\x61\x08\xA8\x1E\x81\x0A\xC0\x2F\x20\x2F\x41\x8B\x91\xDC\x48\x45\xBC\xF1\xC6\xDE\xBA\x76\x6B\x33\xC8\x00\x2D\x31\x46\x4C\xED\xE7\x9D\xCF\x88\x94\xFF\x33\xC0\x56\xE8\x24\x86\x26\xB8\xD8\x38\x38\xDF\x2A\x6B\xDD\x12\xCC\xC7\x3F\x47\x17\x4C\xA2\xC2\x06\x96\x09\xD6\xDB\xFE\x3F\x3C\x46\x41\xDF\x58\xE2\x56\x0F\x3C\x3B\xC1\x1C\x93\x35\xD9\x38\x52\xAC\xEE\xC8\xEC\x2E\x30\x4E\x94\x35\xB4\x24\x1F\x4B\x78\x69\xDA\xF2\x02\x38\xCC\x95\x52\x93\xF0\x70\x25\x59\x9C\x20\x67\xC4\xEE\xF9\x8B\x57\x61\xF4\x92\x76\x7D\x3F\x84\x8D\x55\xB7\xE8\x
E5\xAC\xD5\xF1\xF5\x19\x56\xA6\x5A\xFB\x90\x1C\xAF\x93\xEB\xE5\x1C\xD4\x67\x97\x5D\x04\x0E\xBE\x0B\x83\xA6\x17\x83\xB9\x30\x12\xA0\xC5\x33\x15\x05\xB9\x0D\xFB\xC7\x05\x76\xE3\xD8\x4A\x8D\xFC\x34\x17\xA3\xC6\x21\x28\xBE\x30\x45\x31\x1E\xC7\x78\xBE\x58\x61\x38\xAC\x3B\xE2\x01\x65", ["CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US"] = "\x30\x82\x03\xE6\x30\x82\x02\xCE\xA0\x03\x02\x01\x02\x02\x10\x57\xCB\x33\x6F\xC2\x5C\x16\xE6\x47\x16\x17\xE3\x90\x31\x68\xE0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x4C\x2E\x4C\x2E\x43\x2E\x31\x30\x30\x2E\x06\x03\x55\x04\x03\x13\x27\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x31\x32\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x4C\x2E\x4C\x2E\x43\x2E\x31\x30\x30\x2E\x06\x03\x55\x04\x03\x13\x27\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE4\xBC\x7E\x92\x30\x6D\xC6\xD8\x8E\x2B\x0B\xBC\x46\xCE\xE0\x27\x96\xDE\xDE\xF9\xFA\x12\xD3\x3C\x33\x73\xB3\x04\x2F\xBC\x71\x8C\xE5\x9F\xB6\x22\x60\x3E\x5F\x5D\xCE\x09\xFF\x82\x0C\x1B\x9A\x51\x50\x1A\x26\x89\xDD\xD5\x61\x5D\x19\xDC\x12\x0F\x2D\x0A\xA2\x43\x5D\x17\xD0\x34\x92\x20\xEA\x73\xCF\x38\x2C\x06\x26\x09\x7A\x72\xF7\xFA\x50\x32\xF8\xC2\x93\xD3\x69\xA2\x23\xCE\x41\xB1\xCC\xE4\xD5\x1F\
x36\xD1\x8A\x3A\xF8\x8C\x63\xE2\x14\x59\x69\xED\x0D\xD3\x7F\x6B\xE8\xB8\x03\xE5\x4F\x6A\xE5\x98\x63\x69\x48\x05\xBE\x2E\xFF\x33\xB6\xE9\x97\x59\x69\xF8\x67\x19\xAE\x93\x61\x96\x44\x15\xD3\x72\xB0\x3F\xBC\x6A\x7D\xEC\x48\x7F\x8D\xC3\xAB\xAA\x71\x2B\x53\x69\x41\x53\x34\xB5\xB0\xB9\xC5\x06\x0A\xC4\xB0\x45\xF5\x41\x5D\x6E\x89\x45\x7B\x3D\x3B\x26\x8C\x74\xC2\xE5\xD2\xD1\x7D\xB2\x11\xD4\xFB\x58\x32\x22\x9A\x80\xC9\xDC\xFD\x0C\xE9\x7F\x5E\x03\x97\xCE\x3B\x00\x14\x87\x27\x70\x38\xA9\x8E\x6E\xB3\x27\x76\x98\x51\xE0\x05\xE3\x21\xAB\x1A\xD5\x85\x22\x3C\x29\xB5\x9A\x16\xC5\x80\xA8\xF4\xBB\x6B\x30\x8F\x2F\x46\x02\xA2\xB1\x0C\x22\xE0\xD3\x02\x03\x01\x00\x01\xA3\x81\x97\x30\x81\x94\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x21\x30\xC9\xFB\x00\xD7\x4E\x98\xDA\x87\xAA\x2A\xD0\xA7\x2E\xB1\x40\x31\xA7\x4C\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x52\x06\x03\x55\x1D\x1F\x04\x4B\x30\x49\x30\x47\xA0\x45\xA0\x43\x86\x41\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x6E\x65\x74\x73\x6F\x6C\x73\x73\x6C\x2E\x63\x6F\x6D\x2F\x4E\x65\x74\x77\x6F\x72\x6B\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xBB\xAE\x4B\xE7\xB7\x57\xEB\x7F\xAA\x2D\xB7\x73\x47\x85\x6A\xC1\xE4\xA5\x1D\xE4\xE7\x3C\xE9\xF4\x59\x65\x77\xB5\x7A\x5B\x5A\x8D\x25\x36\xE0\x7A\x97\x2E\x38\xC0\x57\x60\x83\x98\x06\x83\x9F\xB9\x76\x7A\x6E\x50\xE0\xBA\x88\x2C\xFC\x45\xCC\x18\xB0\x99\x95\x51\x0E\xEC\x1D\xB8\x88\xFF\x87\x50\x1C\x82\xC2\xE3\xE0\x32\x80\xBF\xA0\x0B\x47\xC8\xC3\x31\xEF\x99\x67\x32\x80\x4F\x17\x21\x79\x0C\x69\x5C\xDE\x5E\x34\xAE\x02\xB5\x26\xEA\x50\xDF\x7F\x18\x65\x2C\xC9\xF2\x63\xE1\xA9\x07\xFE\x7C\x71\x1F\x6B\x33\x24\x6A\x1E\x05\xF7\x05\x68\xC0\x6A\x12\xCB\x2E\x5E\x61\xCB\xAE\x28\xD3\x7E\xC2\xB4\x66\x91\x26\x5F\x3C\x2E\x24\x5F\xCB\x58\x0F\xEB\x28\xEC\xAF\x11\x96\xF3\
xDC\x7B\x6F\xC0\xA7\x88\xF2\x53\x77\xB3\x60\x5E\xAE\xAE\x28\xDA\x35\x2C\x6F\x34\x45\xD3\x26\xE1\xDE\xEC\x5B\x4F\x27\x6B\x16\x7C\xBD\x44\x04\x18\x82\xB3\x89\x79\x17\x10\x71\x3D\x7A\xA2\x16\x4E\xF5\x01\xCD\xA4\x6C\x65\x68\xA1\x49\x76\x5C\x43\xC9\xD8\xBC\x36\x67\x6C\xA5\x94\xB5\xD4\xCC\xB9\xBD\x6A\x35\x56\x21\xDE\xD8\xC3\xEB\xFB\xCB\xA4\x60\x4C\xB0\x55\xA0\xA0\x7B\x57\xB2", - ["CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US"] = "\x30\x82\x04\xBD\x30\x82\x03\xA5\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x0C\x17\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x31\x1C\x30\x1A\x06\x03\x55\x04\x0B\x0C\x13\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x42\x61\x6E\x6B\x20\x4E\x41\x31\x36\x30\x34\x06\x03\x55\x04\x03\x0C\x2D\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x20\x50\x75\x62\x6C\x69\x63\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x37\x31\x32\x31\x33\x31\x37\x30\x37\x35\x34\x5A\x17\x0D\x32\x32\x31\x32\x31\x34\x30\x30\x30\x37\x35\x34\x5A\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x0C\x17\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x31\x1C\x30\x1A\x06\x03\x55\x04\x0B\x0C\x13\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x42\x61\x6E\x6B\x20\x4E\x41\x31\x36\x30\x34\x06\x03\x55\x04\x03\x0C\x2D\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x20\x50\x75\x62\x6C\x69\x63\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xEE\x6F\xB4\xBD\x79\xE2\x8F\x08\x21\x9E\x
38\x04\x41\x25\xEF\xAB\x5B\x1C\x53\x92\xAC\x6D\x9E\xDD\xC2\xC4\x2E\x45\x94\x03\x35\x88\x67\x74\x57\xE3\xDF\x8C\xB8\xA7\x76\x8F\x3B\xF7\xA8\xC4\xDB\x29\x63\x0E\x91\x68\x36\x8A\x97\x8E\x8A\x71\x68\x09\x07\xE4\xE8\xD4\x0E\x4F\xF8\xD6\x2B\x4C\xA4\x16\xF9\xEF\x43\x98\x8F\xB3\x9E\x52\xDF\x6D\x91\x39\x8F\x38\xBD\x77\x8B\x43\x63\xEB\xB7\x93\xFC\x30\x4C\x1C\x01\x93\xB6\x13\xFB\xF7\xA1\x1F\xBF\x25\xE1\x74\x37\x2C\x1E\xA4\x5E\x3C\x68\xF8\x4B\xBF\x0D\xB9\x1E\x2E\x36\xE8\xA9\xE4\xA7\xF8\x0F\xCB\x82\x75\x7C\x35\x2D\x22\xD6\xC2\xBF\x0B\xF3\xB4\xFC\x6C\x95\x61\x1E\x57\xD7\x04\x81\x32\x83\x52\x79\xE6\x83\x63\xCF\xB7\xCB\x63\x8B\x11\xE2\xBD\x5E\xEB\xF6\x8D\xED\x95\x72\x28\xB4\xAC\x12\x62\xE9\x4A\x33\xE6\x83\x32\xAE\x05\x75\x95\xBD\x84\x95\xDB\x2A\x5C\x9B\x8E\x2E\x0C\xB8\x81\x2B\x41\xE6\x38\x56\x9F\x49\x9B\x6C\x76\xFA\x8A\x5D\xF7\x01\x79\x81\x7C\xC1\x83\x40\x05\xFE\x71\xFD\x0C\x3F\xCC\x4E\x60\x09\x0E\x65\x47\x10\x2F\x01\xC0\x05\x3F\x8F\xF8\xB3\x41\xEF\x5A\x42\x7E\x59\xEF\xD2\x97\x0C\x65\x02\x03\x01\x00\x01\xA3\x82\x01\x34\x30\x82\x01\x30\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x39\x06\x03\x55\x1D\x1F\x04\x32\x30\x30\x30\x2E\xA0\x2C\xA0\x2A\x86\x28\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x70\x6B\x69\x2E\x77\x65\x6C\x6C\x73\x66\x61\x72\x67\x6F\x2E\x63\x6F\x6D\x2F\x77\x73\x70\x72\x63\x61\x2E\x63\x72\x6C\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\xC6\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x26\x95\x19\x10\xD9\xE8\xA1\x97\x91\xFF\xDC\x19\xD9\xB5\x04\x3E\xD2\x73\x0A\x6A\x30\x81\xB2\x06\x03\x55\x1D\x23\x04\x81\xAA\x30\x81\xA7\x80\x14\x26\x95\x19\x10\xD9\xE8\xA1\x97\x91\xFF\xDC\x19\xD9\xB5\x04\x3E\xD2\x73\x0A\x6A\xA1\x81\x8B\xA4\x81\x88\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x0C\x17\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x31\x1C\x30\x1A\x06\x03\x55\x04\x0B\x0C\x13\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x42\x61\x6E\x
6B\x20\x4E\x41\x31\x36\x30\x34\x06\x03\x55\x04\x03\x0C\x2D\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x20\x50\x75\x62\x6C\x69\x63\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x82\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xB9\x15\xB1\x44\x91\xCC\x23\xC8\x2B\x4D\x77\xE3\xF8\x9A\x7B\x27\x0D\xCD\x72\xBB\x99\x00\xCA\x7C\x66\x19\x50\xC6\xD5\x98\xED\xAB\xBF\x03\x5A\xE5\x4D\xE5\x1E\xC8\x4F\x71\x97\x86\xD5\xE3\x1D\xFD\x90\xC9\x3C\x75\x77\x57\x7A\x7D\xF8\xDE\xF4\xD4\xD5\xF7\x95\xE6\x74\x6E\x1D\x3C\xAE\x7C\x9D\xDB\x02\x03\x05\x2C\x71\x4B\x25\x3E\x07\xE3\x5E\x9A\xF5\x66\x17\x29\x88\x1A\x38\x9F\xCF\xAA\x41\x03\x84\x97\x6B\x93\x38\x7A\xCA\x30\x44\x1B\x24\x44\x33\xD0\xE4\xD1\xDC\x28\x38\xF4\x13\x43\x35\x35\x29\x63\xA8\x7C\xA2\xB5\xAD\x38\xA4\xED\xAD\xFD\xC6\x9A\x1F\xFF\x97\x73\xFE\xFB\xB3\x35\xA7\x93\x86\xC6\x76\x91\x00\xE6\xAC\x51\x16\xC4\x27\x32\x5C\xDB\x73\xDA\xA5\x93\x57\x8E\x3E\x6D\x35\x26\x08\x59\xD5\xE7\x44\xD7\x76\x20\x63\xE7\xAC\x13\x67\xC3\x6D\xB1\x70\x46\x7C\xD5\x96\x11\x3D\x89\x6F\x5D\xA8\xA1\xEB\x8D\x0A\xDA\xC3\x1D\x33\x6C\xA3\xEA\x67\x19\x9A\x99\x7F\x4B\x3D\x83\x51\x2A\x1D\xCA\x2F\x86\x0C\xA2\x7E\x10\x2D\x2B\xD4\x16\x95\x0B\x07\xAA\x2E\x14\x92\x49\xB7\x29\x6F\xD8\x6D\x31\x7D\xF5\xFC\xA1\x10\x07\x87\xCE\x2F\x59\xDC\x3E\x58\xDB", ["CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB"] = 
"\x30\x82\x02\x89\x30\x82\x02\x0F\xA0\x03\x02\x01\x02\x02\x10\x1F\x47\xAF\xAA\x62\x00\x70\x50\x54\x4C\x01\x9E\x9B\x63\x99\x2A\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x43\x4F\x4D\x4F\x44\x4F\x20\x45\x43\x43\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x38\x30\x33\x30\x36\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x43\x4F\x4D\x4F\x44\x4F\x20\x45\x43\x43\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x03\x47\x7B\x2F\x75\xC9\x82\x15\x85\xFB\x75\xE4\x91\x16\xD4\xAB\x62\x99\xF5\x3E\x52\x0B\x06\xCE\x41\x00\x7F\x97\xE1\x0A\x24\x3C\x1D\x01\x04\xEE\x3D\xD2\x8D\x09\x97\x0C\xE0\x75\xE4\xFA\xFB\x77\x8A\x2A\xF5\x03\x60\x4B\x36\x8B\x16\x23\x16\xAD\x09\x71\xF4\x4A\xF4\x28\x50\xB4\xFE\x88\x1C\x6E\x3F\x6C\x2F\x2F\x09\x59\x5B\xA5\x5B\x0B\x33\x99\xE2\xC3\x3D\x89\xF9\x6A\x2C\xEF\xB2\xD3\x06\xE9\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x75\x71\xA7\x19\x48\x19\xBC\x9D\x9D\xEA\x41\x47\xDF\x94\xC4\x48\x77\x9
9\xD3\x79\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x31\x00\xEF\x03\x5B\x7A\xAC\xB7\x78\x0A\x72\xB7\x88\xDF\xFF\xB5\x46\x14\x09\x0A\xFA\xA0\xE6\x7D\x08\xC6\x1A\x87\xBD\x18\xA8\x73\xBD\x26\xCA\x60\x0C\x9D\xCE\x99\x9F\xCF\x5C\x0F\x30\xE1\xBE\x14\x31\xEA\x02\x30\x14\xF4\x93\x3C\x49\xA7\x33\x7A\x90\x46\x47\xB3\x63\x7D\x13\x9B\x4E\xB7\x6F\x18\x37\x80\x53\xFE\xDD\x20\xE0\x35\x9A\x36\xD1\xC7\x01\xB9\xE6\xDC\xDD\xF3\xFF\x1D\x2C\x3A\x16\x57\xD9\x92\x39\xD6", - ["emailAddress=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR"] = "\x30\x82\x04\x02\x30\x82\x02\xEA\xA0\x03\x02\x01\x02\x02\x05\x39\x11\x45\x10\x94\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x61\x40\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75\x76\x2E\x66\x72\x30\x1E\x17\x0D\x30\x32\x31\x32\x31\x33\x31\x34\x32\x39\x32\x33\x5A\x17\x0D\x32\x30\x31\x30\x31\x37\x31\x34\x32\x39\x32\x32\x5A\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x
61\x40\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75\x76\x2E\x66\x72\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB2\x1F\xD1\xD0\x62\xC5\x33\x3B\xC0\x04\x86\x88\xB3\xDC\xF8\x88\xF7\xFD\xDF\x43\xDF\x7A\x8D\x9A\x49\x5C\xF6\x4E\xAA\xCC\x1C\xB9\xA1\xEB\x27\x89\xF2\x46\xE9\x3B\x4A\x71\xD5\x1D\x8E\x2D\xCF\xE6\xAD\xAB\x63\x50\xC7\x54\x0B\x6E\x12\xC9\x90\x36\xC6\xD8\x2F\xDA\x91\xAA\x68\xC5\x72\xFE\x17\x0A\xB2\x17\x7E\x79\xB5\x32\x88\x70\xCA\x70\xC0\x96\x4A\x8E\xE4\x55\xCD\x1D\x27\x94\xBF\xCE\x72\x2A\xEC\x5C\xF9\x73\x20\xFE\xBD\xF7\x2E\x89\x67\xB8\xBB\x47\x73\x12\xF7\xD1\x35\x69\x3A\xF2\x0A\xB9\xAE\xFF\x46\x42\x46\xA2\xBF\xA1\x85\x1A\xF9\xBF\xE4\xFF\x49\x85\xF7\xA3\x70\x86\x32\x1C\x5D\x9F\x60\xF7\xA9\xAD\xA5\xFF\xCF\xD1\x34\xF9\x7D\x5B\x17\xC6\xDC\xD6\x0E\x28\x6B\xC2\xDD\xF1\xF5\x33\x68\x9D\x4E\xFC\x87\x7C\x36\x12\xD6\xA3\x80\xE8\x43\x0D\x55\x61\x94\xEA\x64\x37\x47\xEA\x77\xCA\xD0\xB2\x58\x05\xC3\x5D\x7E\xB1\xA8\x46\x90\x31\x56\xCE\x70\x2A\x96\xB2\x30\xB8\x77\xE6\x79\xC0\xBD\x29\x3B\xFD\x94\x77\x4C\xBD\x20\xCD\x41\x25\xE0\x2E\xC7\x1B\xBB\xEE\xA4\x04\x41\xD2\x5D\xAD\x12\x6A\x8A\x9B\x47\xFB\xC9\xDD\x46\x40\xE1\x9D\x3C\x33\xD0\xB5\x02\x03\x01\x00\x01\xA3\x77\x30\x75\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x46\x30\x15\x06\x03\x55\x1D\x20\x04\x0E\x30\x0C\x30\x0A\x06\x08\x2A\x81\x7A\x01\x79\x01\x01\x01\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA3\x05\x2F\x18\x60\x50\xC2\x89\x0A\xDD\x2B\x21\x4F\xFF\x8E\x4E\xA8\x30\x31\x36\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xA3\x05\x2F\x18\x60\x50\xC2\x89\x0A\xDD\x2B\x21\x4F\xFF\x8E\x4E\xA8\x30\x31\x36\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x05\xDC\x26\xD8\xFA\x77\x15\x44\x68\xFC\x2F\x66\x3A\x74\xE0\x5D\xE4\x29\xFF\x06\x07\x13\x84\x4A\xAB\xCF\x6D\xA0\x1F\x51\x94\xF8\x49\xCB\x74\x36\x14\xBC\x15\xDD\xDB\x89\x2F\xDD\x8F\xA0\x5D\x7C\x
F5\x12\xEB\x9F\x9E\x38\xA4\x47\xCC\xB3\x96\xD9\xBE\x9C\x25\xAB\x03\x7E\x33\x0F\x95\x81\x0D\xFD\x16\xE0\x88\xBE\x37\xF0\x6C\x5D\xD0\x31\x9B\x32\x2B\x5D\x17\x65\x93\x98\x60\xBC\x6E\x8F\xB1\xA8\x3C\x1E\xD9\x1C\xF3\xA9\x26\x42\xF9\x64\x1D\xC2\xE7\x92\xF6\xF4\x1E\x5A\xAA\x19\x52\x5D\xAF\xE8\xA2\xF7\x60\xA0\xF6\x8D\xF0\x89\xF5\x6E\xE0\x0A\x05\x01\x95\xC9\x8B\x20\x0A\xBA\x5A\xFC\x9A\x2C\x3C\xBD\xC3\xB7\xC9\x5D\x78\x25\x05\x3F\x56\x14\x9B\x0C\xDA\xFB\x3A\x48\xFE\x97\x69\x5E\xCA\x10\x86\xF7\x4E\x96\x04\x08\x4D\xEC\xB0\xBE\x5D\xDC\x3B\x8E\x4F\xC1\xFD\x9A\x36\x34\x9A\x4C\x54\x7E\x17\x03\x48\x95\x08\x11\x1C\x07\x6F\x85\x08\x7E\x5D\x4D\xC4\x9D\xDB\xFB\xAE\xCE\xB2\xD1\xB3\xB8\x83\x6C\x1D\xB2\xB3\x79\xF1\xD8\x70\x99\x7E\xF0\x13\x02\xCE\x5E\xDD\x51\xD3\xDF\x36\x81\xA1\x1B\x78\x2F\x71\xB3\xF1\x59\x4C\x46\x18\x28\xAB\x85\xD2\x60\x56\x5A", - ["OU=Security Communication EV RootCA1,O=SECOM Trust Systems CO.\,LTD.,C=JP"] = "\x30\x82\x03\x7D\x30\x82\x02\x65\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x60\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x2A\x30\x28\x06\x03\x55\x04\x0B\x13\x21\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x45\x56\x20\x52\x6F\x6F\x74\x43\x41\x31\x30\x1E\x17\x0D\x30\x37\x30\x36\x30\x36\x30\x32\x31\x32\x33\x32\x5A\x17\x0D\x33\x37\x30\x36\x30\x36\x30\x32\x31\x32\x33\x32\x5A\x30\x60\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x2A\x30\x28\x06\x03\x55\x04\x0B\x13\x21\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x45\x56\x20\x52\x6F\x6F\x74\x43\x41\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86
\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBC\x7F\xEC\x57\x9B\x24\xE0\xFE\x9C\xBA\x42\x79\xA9\x88\x8A\xFA\x80\xE0\xF5\x07\x29\x43\xEA\x8E\x0A\x34\x36\x8D\x1C\xFA\xA7\xB5\x39\x78\xFF\x97\x75\xF7\x2F\xE4\xAA\x6B\x04\x84\x44\xCA\xA6\xE2\x68\x8E\xFD\x55\x50\x62\x0F\xA4\x71\x0E\xCE\x07\x38\x2D\x42\x85\x50\xAD\x3C\x96\x6F\x8B\xD5\xA2\x0E\xCF\xDE\x49\x89\x3D\xD6\x64\x2E\x38\xE5\x1E\x6C\xB5\x57\x8A\x9E\xEF\x48\x0E\xCD\x7A\x69\x16\x87\x44\xB5\x90\xE4\x06\x9D\xAE\xA1\x04\x97\x58\x79\xEF\x20\x4A\x82\x6B\x8C\x22\xBF\xEC\x1F\x0F\xE9\x84\x71\xED\xF1\x0E\xE4\xB8\x18\x13\xCC\x56\x36\x5D\xD1\x9A\x1E\x51\x6B\x39\x6E\x60\x76\x88\x34\x0B\xF3\xB3\xD1\xB0\x9D\xCA\x61\xE2\x64\x1D\xC1\x46\x07\xB8\x63\xDD\x1E\x33\x65\xB3\x8E\x09\x55\x52\x3D\xB5\xBD\xFF\x07\xEB\xAD\x61\x55\x18\x2C\xA9\x69\x98\x4A\xAA\x40\xC5\x33\x14\x65\x74\x00\xF9\x91\xDE\xAF\x03\x48\xC5\x40\x54\xDC\x0F\x84\x90\x68\x20\xC5\x92\x96\xDC\x2E\xE5\x02\x45\xAA\xC0\x5F\x54\xF8\x6D\xEA\x49\xCF\x5D\x6C\x4B\xAF\xEF\x9A\xC2\x56\x5C\xC6\x35\x56\x42\x6A\x30\x5F\xC2\xAB\xF6\xE2\x3D\x3F\xB3\xC9\x11\x8F\x31\x4C\xD7\x9F\x49\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x35\x4A\xF5\x4D\xAF\x3F\xD7\x82\x38\xAC\xAB\x71\x65\x17\x75\x8C\x9D\x55\x93\xE6\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA8\x87\xE9\xEC\xF8\x40\x67\x5D\xC3\xC1\x66\xC7\x40\x4B\x97\xFC\x87\x13\x90\x5A\xC4\xEF\xA0\xCA\x5F\x8B\xB7\xA7\xB7\xF1\xD6\xB5\x64\xB7\x8A\xB3\xB8\x1B\xCC\xDA\xFB\xAC\x66\x88\x41\xCE\xE8\xFC\xE4\xDB\x1E\x88\xA6\xED\x27\x50\x1B\x02\x30\x24\x46\x79\xFE\x04\x87\x70\x97\x40\x73\xD1\xC0\xC1\x57\x19\x9A\x69\xA5\x27\x99\xAB\x9D\x62\x84\xF6\x51\xC1\x2C\xC9\x23\x15\xD8\x28\xB7\xAB\x25\x13\xB5\x46\xE1\x86\x02\xFF\x26\x8C\xC4\x88\x92\x1D\x56\xFE\x19\x67\xF2\x55\xE4\x80\xA3\x6B\x9C\xAB\x77\xE1\x51\x71\x0D\x20\xDB\x10\x9A\xDB
\xBD\x76\x79\x07\x77\x99\x28\xAD\x9A\x5E\xDA\xB1\x4F\x44\x2C\x35\x8E\xA5\x96\xC7\xFD\x83\xF0\x58\xC6\x79\xD6\x98\x7C\xA8\x8D\xFE\x86\x3E\x07\x16\x92\xE1\x7B\xE7\x1D\xEC\x33\x76\x7E\x42\x2E\x4A\x85\xF9\x91\x89\x68\x84\x03\x81\xA5\x9B\x9A\xBE\xE3\x37\xC5\x54\xAB\x56\x3B\x18\x2D\x41\xA4\x0C\xF8\x42\xDB\x99\xA0\xE0\x72\x6F\xBB\x5D\xE1\x16\x4F\x53\x0A\x64\xF9\x4E\xF4\xBF\x4E\x54\xBD\x78\x6C\x88\xEA\xBF\x9C\x13\x24\xC2\x70\x69\xA2\x7F\x0F\xC8\x3C\xAD\x08\xC9\xB0\x98\x40\xA3\x2A\xE7\x88\x83\xED\x77\x8F\x74", ["CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH"] = "\x30\x82\x03\xF1\x30\x82\x02\xD9\xA0\x03\x02\x01\x02\x02\x10\x41\x3D\x72\xC7\xF4\x6B\x1F\x81\x43\x7D\xF1\xD2\x28\x54\xDF\x9A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x8A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x57\x49\x53\x65\x4B\x65\x79\x31\x1B\x30\x19\x06\x03\x55\x04\x0B\x13\x12\x43\x6F\x70\x79\x72\x69\x67\x68\x74\x20\x28\x63\x29\x20\x32\x30\x30\x35\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x4F\x49\x53\x54\x45\x20\x46\x6F\x75\x6E\x64\x61\x74\x69\x6F\x6E\x20\x45\x6E\x64\x6F\x72\x73\x65\x64\x31\x28\x30\x26\x06\x03\x55\x04\x03\x13\x1F\x4F\x49\x53\x54\x45\x20\x57\x49\x53\x65\x4B\x65\x79\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x41\x20\x43\x41\x30\x1E\x17\x0D\x30\x35\x31\x32\x31\x31\x31\x36\x30\x33\x34\x34\x5A\x17\x0D\x33\x37\x31\x32\x31\x31\x31\x36\x30\x39\x35\x31\x5A\x30\x81\x8A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x57\x49\x53\x65\x4B\x65\x79\x31\x1B\x30\x19\x06\x03\x55\x04\x0B\x13\x12\x43\x6F\x70\x79\x72\x69\x67\x68\x74\x20\x28\x63\x29\x20\x32\x30\x30\x35\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x4F\x49\x53\x54\x45\x20\x46\x6F\x75\x6E\x64\x61\x74\x69\x6F\x6E\x20\x45\x6E\x64\x6F\x72\x73\x65\x64\x31\x28\x30\x26\x06\x03\x55\x04\x03\x13\x1F\x4F\x49\x53\x54\x45\x20\x57\x49\x53\x65\x4B\x65\x79\x20\x47\x6C\x6F\
x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x41\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xCB\x4F\xB3\x00\x9B\x3D\x36\xDD\xF9\xD1\x49\x6A\x6B\x10\x49\x1F\xEC\xD8\x2B\xB2\xC6\xF8\x32\x81\x29\x43\x95\x4C\x9A\x19\x23\x21\x15\x45\xDE\xE3\xC8\x1C\x51\x55\x5B\xAE\x93\xE8\x37\xFF\x2B\x6B\xE9\xD4\xEA\xBE\x2A\xDD\xA8\x51\x2B\xD7\x66\xC3\x61\x5C\x60\x02\xC8\xF5\xCE\x72\x7B\x3B\xB8\xF2\x4E\x65\x08\x9A\xCD\xA4\x6A\x19\xC1\x01\xBB\x73\xA6\xD7\xF6\xC3\xDD\xCD\xBC\xA4\x8B\xB5\x99\x61\xB8\x01\xA2\xA3\xD4\x4D\xD4\x05\x3D\x91\xAD\xF8\xB4\x08\x71\x64\xAF\x70\xF1\x1C\x6B\x7E\xF6\xC3\x77\x9D\x24\x73\x7B\xE4\x0C\x8C\xE1\xD9\x36\xE1\x99\x8B\x05\x99\x0B\xED\x45\x31\x09\xCA\xC2\x00\xDB\xF7\x72\xA0\x96\xAA\x95\x87\xD0\x8E\xC7\xB6\x61\x73\x0D\x76\x66\x8C\xDC\x1B\xB4\x63\xA2\x9F\x7F\x93\x13\x30\xF1\xA1\x27\xDB\xD9\xFF\x2C\x55\x88\x91\xA0\xE0\x4F\x07\xB0\x28\x56\x8C\x18\x1B\x97\x44\x8E\x89\xDD\xE0\x17\x6E\xE7\x2A\xEF\x8F\x39\x0A\x31\x84\x82\xD8\x40\x14\x49\x2E\x7A\x41\xE4\xA7\xFE\xE3\x64\xCC\xC1\x59\x71\x4B\x2C\x21\xA7\x5B\x7D\xE0\x1D\xD1\x2E\x81\x9B\xC3\xD8\x68\xF7\xBD\x96\x1B\xAC\x70\xB1\x16\x14\x0B\xDB\x60\xB9\x26\x01\x05\x02\x03\x01\x00\x01\xA3\x51\x30\x4F\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB3\x03\x7E\xAE\x36\xBC\xB0\x79\xD1\xDC\x94\x26\xB6\x11\xBE\x21\xB2\x69\x86\x94\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x4B\xA1\xFF\x0B\x87\x6E\xB3\xF9\xC1\x43\xB1\x48\xF3\x28\xC0\x1D\x2E\xC9\x09\x41\xFA\x94\x00\x1C\xA4\xA4\xAB\x49\x4F\x8F\x3D\x1E\xEF\x4D\x6F\xBD\xBC\xA4\xF6\xF2\x26\x30\xC9\x10\xCA\x1D\x88\xFB\x74\x19\x1F\x85\x45\xBD\xB0\x6C\x51\xF9\x36\x7E\xDB\xF5\x4C\x32\x3A\x41\x4F\x5B\x47\xCF\xE8\x0B\x2D\xB6\xC4\x19\x9D\x74\xC5\x47\xC6\x3B\x6A\x0F\xAC\x14\xDB\x3C\xF4\
x73\x9C\xA9\x05\xDF\x00\xDC\x74\x78\xFA\xF8\x35\x60\x59\x02\x13\x18\x7C\xBC\xFB\x4D\xB0\x20\x6D\x43\xBB\x60\x30\x7A\x67\x33\x5C\xC5\x99\xD1\xF8\x2D\x39\x52\x73\xFB\x8C\xAA\x97\x25\x5C\x72\xD9\x08\x1E\xAB\x4E\x3C\xE3\x81\x31\x9F\x03\xA6\xFB\xC0\xFE\x29\x88\x55\xDA\x84\xD5\x50\x03\xB6\xE2\x84\xA3\xA6\x36\xAA\x11\x3A\x01\xE1\x18\x4B\xD6\x44\x68\xB3\x3D\xF9\x53\x74\x84\xB3\x46\x91\x46\x96\x00\xB7\x80\x2C\xB6\xE1\xE3\x10\xE2\xDB\xA2\xE7\x28\x8F\x01\x96\x62\x16\x3E\x00\xE3\x1C\xA5\x36\x81\x18\xA2\x4C\x52\x76\xC0\x11\xA3\x6E\xE6\x1D\xBA\xE3\x5A\xBE\x36\x53\xC5\x3E\x75\x8F\x86\x69\x29\x58\x53\xB5\x9C\xBB\x6F\x9F\x5C\xC5\x18\xEC\xDD\x2F\xE1\x98\xC9\xFC\xBE\xDF\x0A\x0D", - ["CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU"] = "\x30\x82\x07\xA8\x30\x82\x06\x90\xA0\x03\x02\x01\x02\x02\x11\x00\xCC\xB8\xE7\xBF\x4E\x29\x1A\xFD\xA2\xDC\x66\xA5\x1C\x2C\x0F\x11\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x72\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4C\x74\x64\x2E\x31\x14\x30\x12\x06\x03\x55\x04\x0B\x13\x0B\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x43\x41\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x35\x30\x34\x30\x36\x31\x32\x32\x38\x34\x34\x5A\x17\x0D\x31\x37\x30\x34\x30\x36\x31\x32\x32\x38\x34\x34\x5A\x30\x72\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4C\x74\x64\x2E\x31\x14\x30\x12\x06\x03\x55\x04\x0B\x13\x0B\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x43\x41\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x52\x6F\x6F\x74\x20\x43\x41\
x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xED\xC8\x00\xD5\x81\x7B\xCD\x38\x00\x47\xCC\xDB\x84\xC1\x21\x69\x2C\x74\x90\x0C\x21\xD9\x53\x87\xED\x3E\x43\x44\x53\xAF\xAB\xF8\x80\x9B\x3C\x78\x8D\xD4\x8D\xAE\xB8\xEF\xD3\x11\xDC\x81\xE6\xCF\x3B\x96\x8C\xD6\x6F\x15\xC6\x77\x7E\xA1\x2F\xE0\x5F\x92\xB6\x27\xD7\x76\x9A\x1D\x43\x3C\xEA\xD9\xEC\x2F\xEE\x39\xF3\x6A\x67\x4B\x8B\x82\xCF\x22\xF8\x65\x55\xFE\x2C\xCB\x2F\x7D\x48\x7A\x3D\x75\xF9\xAA\xA0\x27\xBB\x78\xC2\x06\xCA\x51\xC2\x7E\x66\x4B\xAF\xCD\xA2\xA7\x4D\x02\x82\x3F\x82\xAC\x85\xC6\xE1\x0F\x90\x47\x99\x94\x0A\x71\x72\x93\x2A\xC9\xA6\xC0\xBE\x3C\x56\x4C\x73\x92\x27\xF1\x6B\xB5\xF5\xFD\xFC\x30\x05\x60\x92\xC6\xEB\x96\x7E\x01\x91\xC2\x69\xB1\x1E\x1D\x7B\x53\x45\xB8\xDC\x41\x1F\xC9\x8B\x71\xD6\x54\x14\xE3\x8B\x54\x78\x3F\xBE\xF4\x62\x3B\x5B\xF5\xA3\xEC\xD5\x92\x74\xE2\x74\x30\xEF\x01\xDB\xE1\xD4\xAB\x99\x9B\x2A\x6B\xF8\xBD\xA6\x1C\x86\x23\x42\x5F\xEC\x49\xDE\x9A\x8B\x5B\xF4\x72\x3A\x40\xC5\x49\x3E\xA5\xBE\x8E\xAA\x71\xEB\x6C\xFA\xF5\x1A\xE4\x6A\xFD\x7B\x7D\x55\x40\xEF\x58\x6E\xE6\xD9\xD5\xBC\x24\xAB\xC1\xEF\xB7\x02\x03\x01\x00\x01\xA3\x82\x04\x37\x30\x82\x04\x33\x30\x67\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01\x04\x5B\x30\x59\x30\x28\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01\x86\x1C\x68\x74\x74\x70\x73\x3A\x2F\x2F\x72\x63\x61\x2E\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x2F\x6F\x63\x73\x70\x30\x2D\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x02\x86\x21\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x2F\x52\x6F\x6F\x74\x43\x41\x2E\x63\x72\x74\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x82\x01\x73\x06\x03\x55\x1D\x20\x04\x82\x01\x6A\x30\x82\x01\x66\x30\x82\x01\x62\x06\x0C\x2B\x06\x01\x04\x01\x81\xA8\x18\x02\x01\x01\x01\x30\x82\x01\x50\x30\x28\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x1C\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x2F\
x53\x5A\x53\x5A\x2F\x30\x82\x01\x22\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x82\x01\x14\x1E\x82\x01\x10\x00\x41\x00\x20\x00\x74\x00\x61\x00\x6E\x00\xFA\x00\x73\x00\xED\x00\x74\x00\x76\x00\xE1\x00\x6E\x00\x79\x00\x20\x00\xE9\x00\x72\x00\x74\x00\x65\x00\x6C\x00\x6D\x00\x65\x00\x7A\x00\xE9\x00\x73\x00\xE9\x00\x68\x00\x65\x00\x7A\x00\x20\x00\xE9\x00\x73\x00\x20\x00\x65\x00\x6C\x00\x66\x00\x6F\x00\x67\x00\x61\x00\x64\x00\xE1\x00\x73\x00\xE1\x00\x68\x00\x6F\x00\x7A\x00\x20\x00\x61\x00\x20\x00\x53\x00\x7A\x00\x6F\x00\x6C\x00\x67\x00\xE1\x00\x6C\x00\x74\x00\x61\x00\x74\x00\xF3\x00\x20\x00\x53\x00\x7A\x00\x6F\x00\x6C\x00\x67\x00\xE1\x00\x6C\x00\x74\x00\x61\x00\x74\x00\xE1\x00\x73\x00\x69\x00\x20\x00\x53\x00\x7A\x00\x61\x00\x62\x00\xE1\x00\x6C\x00\x79\x00\x7A\x00\x61\x00\x74\x00\x61\x00\x20\x00\x73\x00\x7A\x00\x65\x00\x72\x00\x69\x00\x6E\x00\x74\x00\x20\x00\x6B\x00\x65\x00\x6C\x00\x6C\x00\x20\x00\x65\x00\x6C\x00\x6A\x00\xE1\x00\x72\x00\x6E\x00\x69\x00\x3A\x00\x20\x00\x68\x00\x74\x00\x74\x00\x70\x00\x3A\x00\x2F\x00\x2F\x00\x77\x00\x77\x00\x77\x00\x2E\x00\x65\x00\x2D\x00\x73\x00\x7A\x00\x69\x00\x67\x00\x6E\x00\x6F\x00\x2E\x00\x68\x00\x75\x00\x2F\x00\x53\x00\x5A\x00\x53\x00\x5A\x00\x2F\x30\x81\xC8\x06\x03\x55\x1D\x1F\x04\x81\xC0\x30\x81\xBD\x30\x81\xBA\xA0\x81\xB7\xA0\x81\xB4\x86\x21\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x2F\x52\x6F\x6F\x74\x43\x41\x2E\x63\x72\x6C\x86\x81\x8E\x6C\x64\x61\x70\x3A\x2F\x2F\x6C\x64\x61\x70\x2E\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x2F\x43\x4E\x3D\x4D\x69\x63\x72\x6F\x73\x65\x63\x25\x32\x30\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x25\x32\x30\x52\x6F\x6F\x74\x25\x32\x30\x43\x41\x2C\x4F\x55\x3D\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x25\x32\x30\x43\x41\x2C\x4F\x3D\x4D\x69\x63\x72\x6F\x73\x65\x63\x25\x32\x30\x4C\x74\x64\x2E\x2C\x4C\x3D\x42\x75\x64\x61\x70\x65\x73\x74\x2C\x43\x3D\x48\x55\x3F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x52\x65\x76\x6F\x63\x61\x74\x69\x6F\x6E\x4C\x69\x73\x74\x3B\x62\x69\x6E\x61\
x72\x79\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x81\x96\x06\x03\x55\x1D\x11\x04\x81\x8E\x30\x81\x8B\x81\x10\x69\x6E\x66\x6F\x40\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\xA4\x77\x30\x75\x31\x23\x30\x21\x06\x03\x55\x04\x03\x0C\x1A\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\xC3\xB3\x20\x52\x6F\x6F\x74\x20\x43\x41\x31\x16\x30\x14\x06\x03\x55\x04\x0B\x0C\x0D\x65\x2D\x53\x7A\x69\x67\x6E\xC3\xB3\x20\x48\x53\x5A\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4B\x66\x74\x2E\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x30\x81\xAC\x06\x03\x55\x1D\x23\x04\x81\xA4\x30\x81\xA1\x80\x14\xC7\xA0\x49\x75\x16\x61\x84\xDB\x31\x4B\x84\xD2\xF1\x37\x40\x90\xEF\x4E\xDC\xF7\xA1\x76\xA4\x74\x30\x72\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4C\x74\x64\x2E\x31\x14\x30\x12\x06\x03\x55\x04\x0B\x13\x0B\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x43\x41\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x52\x6F\x6F\x74\x20\x43\x41\x82\x11\x00\xCC\xB8\xE7\xBF\x4E\x29\x1A\xFD\xA2\xDC\x66\xA5\x1C\x2C\x0F\x11\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC7\xA0\x49\x75\x16\x61\x84\xDB\x31\x4B\x84\xD2\xF1\x37\x40\x90\xEF\x4E\xDC\xF7\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xD3\x13\x9C\x66\x63\x59\x2E\xCA\x5C\x70\x0C\xFC\x83\xBC\x55\xB1\xF4\x8E\x07\x6C\x66\x27\xCE\xC1\x3B\x20\xA9\x1C\xBB\x46\x54\x70\xEE\x5A\xCC\xA0\x77\xEA\x68\x44\x27\xEB\xF2\x29\xDD\x77\xA9\xD5\xFB\xE3\xD4\xA7\x04\xC4\x95\xB8\x0B\xE1\x44\x68\x60\x07\x43\x30\x31\x42\x61\xE5\xEE\xD9\xE5\x24\xD5\x1B\xDF\xE1\x4A\x1B\xAA\x9F\xC7\x5F\xF8\x7A\x11\xEA\x13\x93\x00\xCA\x8A\x58\xB1\xEE\xED\x0E\x4D\xB4\xD7\xA8\x36\x26\x7C\
xE0\x3A\xC1\xD5\x57\x82\xF1\x75\xB6\xFD\x89\x5F\xDA\xF3\xA8\x38\x9F\x35\x06\x08\xCE\x22\x95\xBE\xCD\xD5\xFC\xBE\x5B\xDE\x79\x6B\xDC\x7A\xA9\x65\x66\xBE\xB1\x25\x5A\x5F\xED\x7E\xD3\xAC\x46\x6D\x4C\xF4\x32\x87\xB4\x20\x04\xE0\x6C\x78\xB0\x77\xD1\x85\x46\x4B\xA6\x12\xB7\x75\xE8\x4A\xC9\x56\x6C\xD7\x92\xAB\x9D\xF5\x49\x38\xD2\x4F\x53\xE3\x55\x90\x11\xDB\x98\x96\xC6\x49\xF2\x3E\xF4\x9F\x1B\xE0\xF7\x88\xDC\x25\x62\x99\x44\xD8\x73\xBF\x3F\x30\xF3\x0C\x37\x3E\xD4\xC2\x28\x80\x73\xB1\x01\xB7\x9D\x5A\x96\x14\x01\x4B\xA9\x11\x9D\x29\x6A\x2E\xD0\x5D\x81\xC0\xCF\xB2\x20\x43\xC7\x03\xE0\x37\x4E\x5D\x0A\xDC\x59\x20\x25", ["CN=Certigna,O=Dhimyotis,C=FR"] = "\x30\x82\x03\xA8\x30\x82\x02\x90\xA0\x03\x02\x01\x02\x02\x09\x00\xFE\xDC\xE3\x01\x0F\xC9\x48\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x34\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x44\x68\x69\x6D\x79\x6F\x74\x69\x73\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x0C\x08\x43\x65\x72\x74\x69\x67\x6E\x61\x30\x1E\x17\x0D\x30\x37\x30\x36\x32\x39\x31\x35\x31\x33\x30\x35\x5A\x17\x0D\x32\x37\x30\x36\x32\x39\x31\x35\x31\x33\x30\x35\x5A\x30\x34\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x44\x68\x69\x6D\x79\x6F\x74\x69\x73\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x0C\x08\x43\x65\x72\x74\x69\x67\x6E\x61\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC8\x68\xF1\xC9\xD6\xD6\xB3\x34\x75\x26\x82\x1E\xEC\xB4\xBE\xEA\x5C\xE1\x26\xED\x11\x47\x61\xE1\xA2\x7C\x16\x78\x40\x21\xE4\x60\x9E\x5A\xC8\x63\xE1\xC4\xB1\x96\x92\xFF\x18\x6D\x69\x23\xE1\x2B\x62\xF7\xDD\xE2\x36\x2F\x91\x07\xB9\x48\xCF\x0E\xEC\x79\xB6\x2C\xE7\x34\x4B\x70\x08\x25\xA3\x3C\x87\x1B\x19\xF2\x81\x07\x0F\x38\x90\x19\xD3\x11\xFE\x86\xB4\xF2\xD1\x5E\x1E\x1E\x96\xCD\x80\x6C\xCE\x3B\x31\x93\xB6\xF2\xA0\xD0\xA9\x95\x12\x7D\xA5\x9A\xCC\x6B\xC8\x84\x56\x8A\x33\xA9\xE7\x22\x15\x53\x16\xF0\xCC\x
17\xEC\x57\x5F\xE9\xA2\x0A\x98\x09\xDE\xE3\x5F\x9C\x6F\xDC\x48\xE3\x85\x0B\x15\x5A\xA6\xBA\x9F\xAC\x48\xE3\x09\xB2\xF7\xF4\x32\xDE\x5E\x34\xBE\x1C\x78\x5D\x42\x5B\xCE\x0E\x22\x8F\x4D\x90\xD7\x7D\x32\x18\xB3\x0B\x2C\x6A\xBF\x8E\x3F\x14\x11\x89\x20\x0E\x77\x14\xB5\x3D\x94\x08\x87\xF7\x25\x1E\xD5\xB2\x60\x00\xEC\x6F\x2A\x28\x25\x6E\x2A\x3E\x18\x63\x17\x25\x3F\x3E\x44\x20\x16\xF6\x26\xC8\x25\xAE\x05\x4A\xB4\xE7\x63\x2C\xF3\x8C\x16\x53\x7E\x5C\xFB\x11\x1A\x08\xC1\x46\x62\x9F\x22\xB8\xF1\xC2\x8D\x69\xDC\xFA\x3A\x58\x06\xDF\x02\x03\x01\x00\x01\xA3\x81\xBC\x30\x81\xB9\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x1A\xED\xFE\x41\x39\x90\xB4\x24\x59\xBE\x01\xF2\x52\xD5\x45\xF6\x5A\x39\xDC\x11\x30\x64\x06\x03\x55\x1D\x23\x04\x5D\x30\x5B\x80\x14\x1A\xED\xFE\x41\x39\x90\xB4\x24\x59\xBE\x01\xF2\x52\xD5\x45\xF6\x5A\x39\xDC\x11\xA1\x38\xA4\x36\x30\x34\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x44\x68\x69\x6D\x79\x6F\x74\x69\x73\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x0C\x08\x43\x65\x72\x74\x69\x67\x6E\x61\x82\x09\x00\xFE\xDC\xE3\x01\x0F\xC9\x48\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x85\x03\x1E\x92\x71\xF6\x42\xAF\xE1\xA3\x61\x9E\xEB\xF3\xC0\x0F\xF2\xA5\xD4\xDA\x95\xE6\xD6\xBE\x68\x36\x3D\x7E\x6E\x1F\x4C\x8A\xEF\xD1\x0F\x21\x6D\x5E\xA5\x52\x63\xCE\x12\xF8\xEF\x2A\xDA\x6F\xEB\x37\xFE\x13\x02\xC7\xCB\x3B\x3E\x22\x6B\xDA\x61\x2E\x7F\xD4\x72\x3D\xDD\x30\xE1\x1E\x4C\x40\x19\x8C\x0F\xD7\x9C\xD1\x83\x30\x7B\x98\x59\xDC\x7D\xC6\xB9\x0C\x29\x4C\xA1\x33\xA2\xEB\x67\x3A\x65\x84\xD3\x96\xE2\xED\x76\x45\x70\x8F\xB5\x2B\xDE\xF9\x23\xD6\x49\x6E\x3C\x14\xB5\xC6\x9F\x35\x1E\x50\xD0\xC1\x8F\x6A\x70\x44\x02\x62\xCB\xAE\x1D\x68\x41\xA7\xAA\x57\xE8\x53\xAA\x07\xD2\x06\xF6\xD5\x14\x06\x0B\x91\x03\x75\x2C\x
6C\x72\xB5\x61\x95\x9A\x0D\x8B\xB9\x0D\xE7\xF5\xDF\x54\xCD\xDE\xE6\xD8\xD6\x09\x08\x97\x63\xE5\xC1\x2E\xB0\xB7\x44\x26\xC0\x26\xC0\xAF\x55\x30\x9E\x3B\xD5\x36\x2A\x19\x04\xF4\x5C\x1E\xFF\xCF\x2C\xB7\xFF\xD0\xFD\x87\x40\x11\xD5\x11\x23\xBB\x48\xC0\x21\xA9\xA4\x28\x2D\xFD\x15\xF8\xB0\x4E\x2B\xF4\x30\x5B\x21\xFC\x11\x91\x34\xBE\x41\xEF\x7B\x9D\x97\x75\xFF\x97\x95\xC0\x96\x58\x2F\xEA\xBB\x46\xD7\xBB\xE4\xD9\x2E", ["CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE"] = "\x30\x82\x03\x9F\x30\x82\x02\x87\xA0\x03\x02\x01\x02\x02\x01\x26\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x71\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x44\x65\x75\x74\x73\x63\x68\x65\x20\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x41\x47\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x54\x2D\x54\x65\x6C\x65\x53\x65\x63\x20\x54\x72\x75\x73\x74\x20\x43\x65\x6E\x74\x65\x72\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x44\x65\x75\x74\x73\x63\x68\x65\x20\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x39\x39\x30\x37\x30\x39\x31\x32\x31\x31\x30\x30\x5A\x17\x0D\x31\x39\x30\x37\x30\x39\x32\x33\x35\x39\x30\x30\x5A\x30\x71\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x44\x65\x75\x74\x73\x63\x68\x65\x20\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x41\x47\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x54\x2D\x54\x65\x6C\x65\x53\x65\x63\x20\x54\x72\x75\x73\x74\x20\x43\x65\x6E\x74\x65\x72\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x44\x65\x75\x74\x73\x63\x68\x65\x20\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAB\x0B\xA3\x35\xE0\x8B\x29\x14\xB1\x14\x85\xAF\x3C\x10\xE4\x39\x6F\x35\x5D\x4A\xAE\xDD\xEA\x61\x8D\x95\x49\xF4\x6F\x64\xA3\x1A\x60\x66\xA4\xA9\x40\x22\x84\xD9\xD4\xA5\xE5\x78\x93\x0E\x68\x01\
xAD\xB9\x4D\x5C\x3A\xCE\xD3\xB8\xA8\x42\x40\xDF\xCF\xA3\xBA\x82\x59\x6A\x92\x1B\xAC\x1C\x9A\xDA\x08\x2B\x25\x27\xF9\x69\x23\x47\xF1\xE0\xEB\x2C\x7A\x9B\xF5\x13\x02\xD0\x7E\x34\x7C\xC2\x9E\x3C\x00\x59\xAB\xF5\xDA\x0C\xF5\x32\x3C\x2B\xAC\x50\xDA\xD6\xC3\xDE\x83\x94\xCA\xA8\x0C\x99\x32\x0E\x08\x48\x56\x5B\x6A\xFB\xDA\xE1\x58\x58\x01\x49\x5F\x72\x41\x3C\x15\x06\x01\x8E\x5D\xAD\xAA\xB8\x93\xB4\xCD\x9E\xEB\xA7\xE8\x6A\x2D\x52\x34\xDB\x3A\xEF\x5C\x75\x51\xDA\xDB\xF3\x31\xF9\xEE\x71\x98\x32\xC4\x54\x15\x44\x0C\xF9\x9B\x55\xED\xAD\xDF\x18\x08\xA0\xA3\x86\x8A\x49\xEE\x53\x05\x8F\x19\x4C\xD5\xDE\x58\x79\x9B\xD2\x6A\x1C\x42\xAB\xC5\xD5\xA7\xCF\x68\x0F\x96\xE4\xE1\x61\x98\x76\x61\xC8\x91\x7C\xD6\x3E\x00\xE2\x91\x50\x87\xE1\x9D\x0A\xE6\xAD\x97\xD2\x1D\xC6\x3A\x7D\xCB\xBC\xDA\x03\x34\xD5\x8E\x5B\x01\xF5\x6A\x07\xB7\x16\xB6\x6E\x4A\x7F\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x31\xC3\x79\x1B\xBA\xF5\x53\xD7\x17\xE0\x89\x7A\x2D\x17\x6C\x0A\xB3\x2B\x9D\x33\x30\x0F\x06\x03\x55\x1D\x13\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x05\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x94\x64\x59\xAD\x39\x64\xE7\x29\xEB\x13\xFE\x5A\xC3\x8B\x13\x57\xC8\x04\x24\xF0\x74\x77\xC0\x60\xE3\x67\xFB\xE9\x89\xA6\x83\xBF\x96\x82\x7C\x6E\xD4\xC3\x3D\xEF\x9E\x80\x6E\xBB\x29\xB4\x98\x7A\xB1\x3B\x54\xEB\x39\x17\x47\x7E\x1A\x8E\x0B\xFC\x1F\x31\x59\x31\x04\xB2\xCE\x17\xF3\x2C\xC7\x62\x36\x55\xE2\x22\xD8\x89\x55\xB4\x98\x48\xAA\x64\xFA\xD6\x1C\x36\xD8\x44\x78\x5A\x5A\x23\x3A\x57\x97\xF5\x7A\x30\x4F\xAE\x9F\x6A\x4C\x4B\x2B\x8E\xA0\x03\xE3\x3E\xE0\xA9\xD4\xD2\x7B\xD2\xB3\xA8\xE2\x72\x3C\xAD\x9E\xFF\x80\x59\xE4\x9B\x45\xB4\xF6\x3B\xB0\xCD\x39\x19\x98\x32\xE5\xEA\x21\x61\x90\xE4\x31\x21\x8E\x34\xB1\xF7\x2F\x35\x4A\x85\x10\xDA\xE7\x8A\x37\x21\xBE\x59\x63\xE0\xF2\x85\x88\x31\x53\xD4\x54\x14\x85\x70\x79\xF4\x2E\x06\x77\x27\x75\x2F\x1F\xB8\x8A\xF9\xFE\xC5\xBA\xD8\x36\xE4\x83\xEC\xE7\x65\xB7\
xBF\x63\x5A\xF3\x46\xAF\x81\x94\x37\xD4\x41\x8C\xD6\x23\xD6\x1E\xCF\xF5\x68\x1B\x44\x63\xA2\x5A\xBA\xA7\x35\x59\xA1\xE5\x70\x05\x9B\x0E\x23\x57\x99\x94\x0A\x6D\xBA\x39\x63\x28\x86\x92\xF3\x18\x84\xD8\xFB\xD1\xCF\x05\x56\x64\x57", ["CN=Cybertrust Global Root,O=Cybertrust\, Inc"] = "\x30\x82\x03\xA1\x30\x82\x02\x89\xA0\x03\x02\x01\x02\x02\x0B\x04\x00\x00\x00\x00\x01\x0F\x85\xAA\x2D\x48\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3B\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x43\x79\x62\x65\x72\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x43\x79\x62\x65\x72\x74\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x36\x31\x32\x31\x35\x30\x38\x30\x30\x30\x30\x5A\x17\x0D\x32\x31\x31\x32\x31\x35\x30\x38\x30\x30\x30\x30\x5A\x30\x3B\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x43\x79\x62\x65\x72\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x43\x79\x62\x65\x72\x74\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xF8\xC8\xBC\xBD\x14\x50\x66\x13\xFF\xF0\xD3\x79\xEC\x23\xF2\xB7\x1A\xC7\x8E\x85\xF1\x12\x73\xA6\x19\xAA\x10\xDB\x9C\xA2\x65\x74\x5A\x77\x3E\x51\x7D\x56\xF6\xDC\x23\xB6\xD4\xED\x5F\x58\xB1\x37\x4D\xD5\x49\x0E\x6E\xF5\x6A\x87\xD6\xD2\x8C\xD2\x27\xC6\xE2\xFF\x36\x9F\x98\x65\xA0\x13\x4E\xC6\x2A\x64\x9B\xD5\x90\x12\xCF\x14\x06\xF4\x3B\xE3\xD4\x28\xBE\xE8\x0E\xF8\xAB\x4E\x48\x94\x6D\x8E\x95\x31\x10\x5C\xED\xA2\x2D\xBD\xD5\x3A\x6D\xB2\x1C\xBB\x60\xC0\x46\x4B\x01\xF5\x49\xAE\x7E\x46\x8A\xD0\x74\x8D\xA1\x0C\x02\xCE\xEE\xFC\xE7\x8F\xB8\x6B\x66\xF3\x7F\x44\x00\xBF\x66\x25\x14\x2B\xDD\x10\x30\x1D\x07\x96\x3F\x4D\xF6\x6B\xB8\x8F\xB7\x7B\x0C\xA5\x38\xEB\xDE\x47\xDB\xD5\x5D\x39\xFC\x88\xA7\xF3\xD7\x2A\x74\xF1\xE8\x5A\xA2\x3B\x9F\x50\xBA\xA6\x8C\x45\x35\xC2\x50\x65\x95\xDC\x63\x82\xEF\xDD\xBF\x77\x4D\x9C\x62\x
C9\x63\x73\x16\xD0\x29\x0F\x49\xA9\x48\xF0\xB3\xAA\xB7\x6C\xC5\xA7\x30\x39\x40\x5D\xAE\xC4\xE2\x5D\x26\x53\xF0\xCE\x1C\x23\x08\x61\xA8\x94\x19\xBA\x04\x62\x40\xEC\x1F\x38\x70\x77\x12\x06\x71\xA7\x30\x18\x5D\x25\x27\xA5\x02\x03\x01\x00\x01\xA3\x81\xA5\x30\x81\xA2\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB6\x08\x7B\x0D\x7A\xCC\xAC\x20\x4C\x86\x56\x32\x5E\xCF\xAB\x6E\x85\x2D\x70\x57\x30\x3F\x06\x03\x55\x1D\x1F\x04\x38\x30\x36\x30\x34\xA0\x32\xA0\x30\x86\x2E\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x32\x2E\x70\x75\x62\x6C\x69\x63\x2D\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x2F\x63\x72\x6C\x2F\x63\x74\x2F\x63\x74\x72\x6F\x6F\x74\x2E\x63\x72\x6C\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xB6\x08\x7B\x0D\x7A\xCC\xAC\x20\x4C\x86\x56\x32\x5E\xCF\xAB\x6E\x85\x2D\x70\x57\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x56\xEF\x0A\x23\xA0\x54\x4E\x95\x97\xC9\xF8\x89\xDA\x45\xC1\xD4\xA3\x00\x25\xF4\x1F\x13\xAB\xB7\xA3\x85\x58\x69\xC2\x30\xAD\xD8\x15\x8A\x2D\xE3\xC9\xCD\x81\x5A\xF8\x73\x23\x5A\xA7\x7C\x05\xF3\xFD\x22\x3B\x0E\xD1\x06\xC4\xDB\x36\x4C\x73\x04\x8E\xE5\xB0\x22\xE4\xC5\xF3\x2E\xA5\xD9\x23\xE3\xB8\x4E\x4A\x20\xA7\x6E\x02\x24\x9F\x22\x60\x67\x7B\x8B\x1D\x72\x09\xC5\x31\x5C\xE9\x79\x9F\x80\x47\x3D\xAD\xA1\x0B\x07\x14\x3D\x47\xFF\x03\x69\x1A\x0C\x0B\x44\xE7\x63\x25\xA7\x7F\xB2\xC9\xB8\x76\x84\xED\x23\xF6\x7D\x07\xAB\x45\x7E\xD3\xDF\xB3\xBF\xE9\x8A\xB6\xCD\xA8\xA2\x67\x2B\x52\xD5\xB7\x65\xF0\x39\x4C\x63\xA0\x91\x79\x93\x52\x0F\x54\xDD\x83\xBB\x9F\xD1\x8F\xA7\x53\x73\xC3\xCB\xFF\x30\xEC\x7C\x04\xB8\xD8\x44\x1F\x93\x5F\x71\x09\x22\xB7\x6E\x3E\xEA\x1C\x03\x4E\x9D\x1A\x20\x61\xFB\x81\x37\xEC\x5E\xFC\x0A\x45\xAB\xD7\xE7\x17\x55\xD0\xA0\xEA\x60\x9B\xA6\xF6\xE3\x8C\x5B\x29\xC2\x06\x60\x14\x9D\x2D\x97\x4C\xA9\x93\x15\x9D\x61\xC4\x01\x5F\x48\xD6\x58\xBD\x56\x31\x12\x4E\x11\xC8\x21\xE0\xB3\x11\x91\x65\xDB\xB4\xA6\x
88\x38\xCE\x55", ["OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co.\, Ltd.,C=TW"] = "\x30\x82\x05\xB0\x30\x82\x03\x98\xA0\x03\x02\x01\x02\x02\x10\x15\xC8\xBD\x65\x47\x5C\xAF\xB8\x97\x00\x5E\xE4\x06\xD2\xBC\x9D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x23\x30\x21\x06\x03\x55\x04\x0A\x0C\x1A\x43\x68\x75\x6E\x67\x68\x77\x61\x20\x54\x65\x6C\x65\x63\x6F\x6D\x20\x43\x6F\x2E\x2C\x20\x4C\x74\x64\x2E\x31\x2A\x30\x28\x06\x03\x55\x04\x0B\x0C\x21\x65\x50\x4B\x49\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x34\x31\x32\x32\x30\x30\x32\x33\x31\x32\x37\x5A\x17\x0D\x33\x34\x31\x32\x32\x30\x30\x32\x33\x31\x32\x37\x5A\x30\x5E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x23\x30\x21\x06\x03\x55\x04\x0A\x0C\x1A\x43\x68\x75\x6E\x67\x68\x77\x61\x20\x54\x65\x6C\x65\x63\x6F\x6D\x20\x43\x6F\x2E\x2C\x20\x4C\x74\x64\x2E\x31\x2A\x30\x28\x06\x03\x55\x04\x0B\x0C\x21\x65\x50\x4B\x49\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xE1\x25\x0F\xEE\x8D\xDB\x88\x33\x75\x67\xCD\xAD\x1F\x7D\x3A\x4E\x6D\x9D\xD3\x2F\x14\xF3\x63\x74\xCB\x01\x21\x6A\x37\xEA\x84\x50\x07\x4B\x26\x5B\x09\x43\x6C\x21\x9E\x6A\xC8\xD5\x03\xF5\x60\x69\x8F\xCC\xF0\x22\xE4\x1F\xE7\xF7\x6A\x22\x31\xB7\x2C\x15\xF2\xE0\xFE\x00\x6A\x43\xFF\x87\x65\xC6\xB5\x1A\xC1\xA7\x4C\x6D\x22\x70\x21\x8A\x31\xF2\x97\x74\x89\x09\x12\x26\x1C\x9E\xCA\xD9\x12\xA2\x95\x3C\xDA\xE9\x67\xBF\x08\xA0\x64\xE3\xD6\x42\xB7\x45\xEF\x97\xF4\xF6\xF5\xD7\xB5\x4A\x15\x02\x58\x7D\x98\x58\x4B\x60\xBC\xCD\xD7\x0D\x9A\x13\x33\x53\xD1\x61\xF9\x7A\xD5\xD7\x78\xB3\x9A\x33\xF7\x00\x86\xCE\x1D\x4D\x94\x38\xAF\xA8\xEC\x78\x51\x70\x8A\x5C\x10\x83\x51\x21\xF7\x11\x3D\x34\x86\x5E\xE5\x48\xCD
\x97\x81\x82\x35\x4C\x19\xEC\x65\xF6\x6B\xC5\x05\xA1\xEE\x47\x13\xD6\xB3\x21\x27\x94\x10\x0A\xD9\x24\x3B\xBA\xBE\x44\x13\x46\x30\x3F\x97\x3C\xD8\xD7\xD7\x6A\xEE\x3B\x38\xE3\x2B\xD4\x97\x0E\xB9\x1B\xE7\x07\x49\x7F\x37\x2A\xF9\x77\x78\xCF\x54\xED\x5B\x46\x9D\xA3\x80\x0E\x91\x43\xC1\xD6\x5B\x5F\x14\xBA\x9F\xA6\x8D\x24\x47\x40\x59\xBF\x72\x38\xB2\x36\x6C\x37\xFF\x99\xD1\x5D\x0E\x59\x0A\xAB\x69\xF7\xC0\xB2\x04\x45\x7A\x54\x00\xAE\xBE\x53\xF6\xB5\xE7\xE1\xF8\x3C\xA3\x31\xD2\xA9\xFE\x21\x52\x64\xC5\xA6\x67\xF0\x75\x07\x06\x94\x14\x81\x55\xC6\x27\xE4\x01\x8F\x17\xC1\x6A\x71\xD7\xBE\x4B\xFB\x94\x58\x7D\x7E\x11\x33\xB1\x42\xF7\x62\x6C\x18\xD6\xCF\x09\x68\x3E\x7F\x6C\xF6\x1E\x8F\x62\xAD\xA5\x63\xDB\x09\xA7\x1F\x22\x42\x41\x1E\x6F\x99\x8A\x3E\xD7\xF9\x3F\x40\x7A\x79\xB0\xA5\x01\x92\xD2\x9D\x3D\x08\x15\xA5\x10\x01\x2D\xB3\x32\x76\xA8\x95\x0D\xB3\x7A\x9A\xFB\x07\x10\x78\x11\x6F\xE1\x8F\xC7\xBA\x0F\x25\x1A\x74\x2A\xE5\x1C\x98\x41\x99\xDF\x21\x87\xE8\x95\x06\x6A\x0A\xB3\x6A\x47\x76\x65\xF6\x3A\xCF\x8F\x62\x17\x19\x7B\x0A\x28\xCD\x1A\xD2\x83\x1E\x21\xC7\x2C\xBF\xBE\xFF\x61\x68\xB7\x67\x1B\xBB\x78\x4D\x8D\xCE\x67\xE5\xE4\xC1\x8E\xB7\x23\x66\xE2\x9D\x90\x75\x34\x98\xA9\x36\x2B\x8A\x9A\x94\xB9\x9D\xEC\xCC\x8A\xB1\xF8\x25\x89\x5C\x5A\xB6\x2F\x8C\x1F\x6D\x79\x24\xA7\x52\x68\xC3\x84\x35\xE2\x66\x8D\x63\x0E\x25\x4D\xD5\x19\xB2\xE6\x79\x37\xA7\x22\x9D\x54\x31\x02\x03\x01\x00\x01\xA3\x6A\x30\x68\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x1E\x0C\xF7\xB6\x67\xF2\xE1\x92\x26\x09\x45\xC0\x55\x39\x2E\x77\x3F\x42\x4A\xA2\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x39\x06\x04\x67\x2A\x07\x00\x04\x31\x30\x2F\x30\x2D\x02\x01\x00\x30\x09\x06\x05\x2B\x0E\x03\x02\x1A\x05\x00\x30\x07\x06\x05\x67\x2A\x03\x00\x00\x04\x14\x45\xB0\xC2\xC7\x0A\x56\x7C\xEE\x5B\x78\x0C\x95\xF9\x18\x53\xC1\xA6\x1C\xD8\x10\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x09\xB3\x83\x53\x59\x01\x3E\x95\x49\xB9\xF1\x81\xBA\xF9\x76\x20\x23\xB5\x27\x60\x74\xD4\x6A\x99\x34\x5E\x6C\x00
\x53\xD9\x9F\xF2\xA6\xB1\x24\x07\x44\x6A\x2A\xC6\xA5\x8E\x78\x12\xE8\x47\xD9\x58\x1B\x13\x2A\x5E\x79\x9B\x9F\x0A\x2A\x67\xA6\x25\x3F\x06\x69\x56\x73\xC3\x8A\x66\x48\xFB\x29\x81\x57\x74\x06\xCA\x9C\xEA\x28\xE8\x38\x67\x26\x2B\xF1\xD5\xB5\x3F\x65\x93\xF8\x36\x5D\x8E\x8D\x8D\x40\x20\x87\x19\xEA\xEF\x27\xC0\x3D\xB4\x39\x0F\x25\x7B\x68\x50\x74\x55\x9C\x0C\x59\x7D\x5A\x3D\x41\x94\x25\x52\x08\xE0\x47\x2C\x15\x31\x19\xD5\xBF\x07\x55\xC6\xBB\x12\xB5\x97\xF4\x5F\x83\x85\xBA\x71\xC1\xD9\x6C\x81\x11\x76\x0A\x0A\xB0\xBF\x82\x97\xF7\xEA\x3D\xFA\xFA\xEC\x2D\xA9\x28\x94\x3B\x56\xDD\xD2\x51\x2E\xAE\xC0\xBD\x08\x15\x8C\x77\x52\x34\x96\xD6\x9B\xAC\xD3\x1D\x8E\x61\x0F\x35\x7B\x9B\xAE\x39\x69\x0B\x62\x60\x40\x20\x36\x8F\xAF\xFB\x36\xEE\x2D\x08\x4A\x1D\xB8\xBF\x9B\x5C\xF8\xEA\xA5\x1B\xA0\x73\xA6\xD8\xF8\x6E\xE0\x33\x04\x5F\x68\xAA\x27\x87\xED\xD9\xC1\x90\x9C\xED\xBD\xE3\x6A\x35\xAF\x63\xDF\xAB\x18\xD9\xBA\xE6\xE9\x4A\xEA\x50\x8A\x0F\x61\x93\x1E\xE2\x2D\x19\xE2\x30\x94\x35\x92\x5D\x0E\xB6\x07\xAF\x19\x80\x8F\x47\x90\x51\x4B\x2E\x4D\xDD\x85\xE2\xD2\x0A\x52\x0A\x17\x9A\xFC\x1A\xB0\x50\x02\xE5\x01\xA3\x63\x37\x21\x4C\x44\xC4\x9B\x51\x99\x11\x0E\x73\x9C\x06\x8F\x54\x2E\xA7\x28\x5E\x44\x39\x87\x56\x2D\x37\xBD\x85\x44\x94\xE1\x0C\x4B\x2C\x9C\xC3\x92\x85\x34\x61\xCB\x0F\xB8\x9B\x4A\x43\x52\xFE\x34\x3A\x7D\xB8\xE9\x29\xDC\x76\xA9\xC8\x30\xF8\x14\x71\x80\xC6\x1E\x36\x48\x74\x22\x41\x5C\x87\x82\xE8\x18\x71\x8B\x41\x89\x44\xE7\x7E\x58\x5B\xA8\xB8\x8D\x13\xE9\xA7\x6C\xC3\x47\xED\xB3\x1A\x9D\x62\xAE\x8D\x82\xEA\x94\x9E\xDD\x59\x10\xC3\xAD\xDD\xE2\x4D\xE3\x31\xD5\xC7\xEC\xE8\xF2\xB0\xFE\x92\x1E\x16\x0A\x1A\xFC\xD9\xF3\xF8\x27\xB6\xC9\xBE\x1D\xB4\x6C\x64\x90\x7F\xF4\xE4\xC4\x5B\xD7\x37\xAE\x42\x0E\xDD\xA4\x1A\x6F\x7C\x88\x54\xC5\x16\x6E\xE1\x7A\x68\x2E\xF8\x3A\xBF\x0D\xA4\x3C\x89\x3B\x78\xA7\x4E\x63\x83\x04\x21\x08\x67\x8D\xF2\x82\x49\xD0\x5B\xFD\xB1\xCD\x0F\x83\x84\xD4\x3E\x20\x85\xF7\x4A\x3D\x2B\x9C\xFD\x2A\x0A\x09\x4D\xEA\x81\xF8\x11\x9C", - ["CN=T\C3\9CB\C4\B0TAK UEKAE K\C3\B6k Sertifika Hizmet 
Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1 - S\C3\BCr\C3\BCm 3,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara\C5\9Ft\C4\B1rma Enstit\C3\BCs\C3\BC - UEKAE,O=T\C3\BCrkiye Bilimsel ve Teknolojik Ara\C5\9Ft\C4\B1rma Kurumu - T\C3\9CB\C4\B0TAK,L=Gebze - Kocaeli,C=TR"] = "\x30\x82\x05\x17\x30\x82\x03\xFF\xA0\x03\x02\x01\x02\x02\x01\x11\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x82\x01\x2B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x18\x30\x16\x06\x03\x55\x04\x07\x0C\x0F\x47\x65\x62\x7A\x65\x20\x2D\x20\x4B\x6F\x63\x61\x65\x6C\x69\x31\x47\x30\x45\x06\x03\x55\x04\x0A\x0C\x3E\x54\xC3\xBC\x72\x6B\x69\x79\x65\x20\x42\x69\x6C\x69\x6D\x73\x65\x6C\x20\x76\x65\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6B\x20\x41\x72\x61\xC5\x9F\x74\xC4\xB1\x72\x6D\x61\x20\x4B\x75\x72\x75\x6D\x75\x20\x2D\x20\x54\xC3\x9C\x42\xC4\xB0\x54\x41\x4B\x31\x48\x30\x46\x06\x03\x55\x04\x0B\x0C\x3F\x55\x6C\x75\x73\x61\x6C\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x76\x65\x20\x4B\x72\x69\x70\x74\x6F\x6C\x6F\x6A\x69\x20\x41\x72\x61\xC5\x9F\x74\xC4\xB1\x72\x6D\x61\x20\x45\x6E\x73\x74\x69\x74\xC3\xBC\x73\xC3\xBC\x20\x2D\x20\x55\x45\x4B\x41\x45\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x0C\x1A\x4B\x61\x6D\x75\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x73\x79\x6F\x6E\x20\x4D\x65\x72\x6B\x65\x7A\x69\x31\x4A\x30\x48\x06\x03\x55\x04\x03\x0C\x41\x54\xC3\x9C\x42\xC4\xB0\x54\x41\x4B\x20\x55\x45\x4B\x41\x45\x20\x4B\xC3\xB6\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x20\x2D\x20\x53\xC3\xBC\x72\xC3\xBC\x6D\x20\x33\x30\x1E\x17\x0D\x30\x37\x30\x38\x32\x34\x31\x31\x33\x37\x30\x37\x5A\x17\x0D\x31\x37\x30\x38\x32\x31\x31\x31\x33\x37\x30\x37\x5A\x30\x82\x01\x2B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x18\x30\x16\x06\x03\x55\x04\x07\x0C\x0F\x47\x65\x62\x7A\x65\x20\x2D\x20\x4B\x6F\x63\x61\x65\x6C\x69\x31\x47\x30\x45\x06\x03\x55\x04\x0A\x0C\x3E\x54\xC3\xBC\x72\x6B\x69\x79\x65\x20\x42\x
69\x6C\x69\x6D\x73\x65\x6C\x20\x76\x65\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6B\x20\x41\x72\x61\xC5\x9F\x74\xC4\xB1\x72\x6D\x61\x20\x4B\x75\x72\x75\x6D\x75\x20\x2D\x20\x54\xC3\x9C\x42\xC4\xB0\x54\x41\x4B\x31\x48\x30\x46\x06\x03\x55\x04\x0B\x0C\x3F\x55\x6C\x75\x73\x61\x6C\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x76\x65\x20\x4B\x72\x69\x70\x74\x6F\x6C\x6F\x6A\x69\x20\x41\x72\x61\xC5\x9F\x74\xC4\xB1\x72\x6D\x61\x20\x45\x6E\x73\x74\x69\x74\xC3\xBC\x73\xC3\xBC\x20\x2D\x20\x55\x45\x4B\x41\x45\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x0C\x1A\x4B\x61\x6D\x75\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x73\x79\x6F\x6E\x20\x4D\x65\x72\x6B\x65\x7A\x69\x31\x4A\x30\x48\x06\x03\x55\x04\x03\x0C\x41\x54\xC3\x9C\x42\xC4\xB0\x54\x41\x4B\x20\x55\x45\x4B\x41\x45\x20\x4B\xC3\xB6\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x20\x2D\x20\x53\xC3\xBC\x72\xC3\xBC\x6D\x20\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x8A\x6D\x4B\xFF\x10\x88\x3A\xC3\xF6\x7E\x94\xE8\xEA\x20\x64\x70\xAE\x21\x81\xBE\x3A\x7B\x3C\xDB\xF1\x1D\x52\x7F\x59\xFA\xF3\x22\x4C\x95\xA0\x90\xBC\x48\x4E\x11\xAB\xFB\xB7\xB5\x8D\x7A\x83\x28\x8C\x26\x46\xD8\x4E\x95\x40\x87\x61\x9F\xC5\x9E\x6D\x81\x87\x57\x6C\x8A\x3B\xB4\x66\xEA\xCC\x40\xFC\xE3\xAA\x6C\xB2\xCB\x01\xDB\x32\xBF\xD2\xEB\x85\xCF\xA1\x0D\x55\xC3\x5B\x38\x57\x70\xB8\x75\xC6\x79\xD1\x14\x30\xED\x1B\x58\x5B\x6B\xEF\x35\xF2\xA1\x21\x4E\xC5\xCE\x7C\x99\x5F\x6C\xB9\xB8\x22\x93\x50\xA7\xCD\x4C\x70\x6A\xBE\x6A\x05\x7F\x13\x9C\x2B\x1E\xEA\xFE\x47\xCE\x04\xA5\x6F\xAC\x93\x2E\x7C\x2B\x9F\x9E\x79\x13\x91\xE8\xEA\x9E\xCA\x38\x75\x8E\x62\xB0\x95\x93\x2A\xE5\xDF\xE9\x5E\x97\x6E\x20\x5F\x5F\x84\x7A\x44\x39\x19\x40\x1C\xBA\x55\x2B\xFB\x30\xB2\x81\xEF\x84\xE3\xDC\xEC\x98\x38\x39\x03\x85\x08\xA9\x54\x03\x05\x29\xF0\xC9\x8F\x8B\xEA\x0B\x86\x65\x19\x11\xD3\xE9\x09\x23\xDE\x68\x93\x03\xC9\x36\x1C\x21\x6E\xCE\x
8C\x66\xF1\x99\x30\xD8\xD7\xB3\xC3\x1D\xF8\x81\x2E\xA8\xBD\x82\x0B\x66\xFE\x82\xCB\xE1\xE0\x1A\x82\xC3\x40\x81\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xBD\x88\x87\xC9\x8F\xF6\xA4\x0A\x0B\xAA\xEB\xC5\xFE\x91\x23\x9D\xAB\x4A\x8A\x32\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x1D\x7C\xFA\x49\x8F\x34\xE9\xB7\x26\x92\x16\x9A\x05\x74\xE7\x4B\xD0\x6D\x39\x6C\xC3\x26\xF6\xCE\xB8\x31\xBC\xC4\xDF\xBC\x2A\xF8\x37\x91\x18\xDC\x04\xC8\x64\x99\x2B\x18\x6D\x80\x03\x59\xC9\xAE\xF8\x58\xD0\x3E\xED\xC3\x23\x9F\x69\x3C\x86\x38\x1C\x9E\xEF\xDA\x27\x78\xD1\x84\x37\x71\x8A\x3C\x4B\x39\xCF\x7E\x45\x06\xD6\x2D\xD8\x8A\x4D\x78\x12\xD6\xAD\xC2\xD3\xCB\xD2\xD0\x41\xF3\x26\x36\x4A\x9B\x95\x6C\x0C\xEE\xE5\xD1\x43\x27\x66\xC1\x88\xF7\x7A\xB3\x20\x6C\xEA\xB0\x69\x2B\xC7\x20\xE8\x0C\x03\xC4\x41\x05\x99\xE2\x3F\xE4\x6B\xF8\xA0\x86\x81\xC7\x84\xC6\x1F\xD5\x4B\x81\x12\xB2\x16\x21\x2C\x13\xA1\x80\xB2\x5E\x0C\x4A\x13\x9E\x20\xD8\x62\x40\xAB\x90\xEA\x64\x4A\x2F\xAC\x0D\x01\x12\x79\x45\xA8\x2F\x87\x19\x68\xC8\xE2\x85\xC7\x30\xB2\x75\xF9\x38\x3F\xB2\xC0\x93\xB4\x6B\xE2\x03\x44\xCE\x67\xA0\xDF\x89\xD6\xAD\x8C\x76\xA3\x13\xC3\x94\x61\x2B\x6B\xD9\x6C\xC1\x07\x0A\x22\x07\x85\x6C\x85\x24\x46\xA9\xBE\x3F\x8B\x78\x84\x82\x7E\x24\x0C\x9D\xFD\x81\x37\xE3\x25\xA8\xED\x36\x4E\x95\x2C\xC9\x9C\x90\xDA\xEC\xA9\x42\x3C\xAD\xB6\x02", - ["CN=Buypass Class 2 CA 1,O=Buypass AS-983163327,C=NO"] = 
"\x30\x82\x03\x53\x30\x82\x02\x3B\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x4B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x41\x20\x31\x30\x1E\x17\x0D\x30\x36\x31\x30\x31\x33\x31\x30\x32\x35\x30\x39\x5A\x17\x0D\x31\x36\x31\x30\x31\x33\x31\x30\x32\x35\x30\x39\x5A\x30\x4B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x41\x20\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x8B\x3C\x07\x45\xD8\xF6\xDF\xE6\xC7\xCA\xBA\x8D\x43\xC5\x47\x8D\xB0\x5A\xC1\x38\xDB\x92\x84\x1C\xAF\x13\xD4\x0F\x6F\x36\x46\x20\xC4\x2E\xCC\x71\x70\x34\xA2\x34\xD3\x37\x2E\xD8\xDD\x3A\x77\x2F\xC0\xEB\x29\xE8\x5C\xD2\xB5\xA9\x91\x34\x87\x22\x59\xFE\xCC\xDB\xE7\x99\xAF\x96\xC1\xA8\xC7\x40\xDD\xA5\x15\x8C\x6E\xC8\x7C\x97\x03\xCB\xE6\x20\xF2\xD7\x97\x5F\x31\xA1\x2F\x37\xD2\xBE\xEE\xBE\xA9\xAD\xA8\x4C\x9E\x21\x66\x43\x3B\xA8\xBC\xF3\x09\xA3\x38\xD5\x59\x24\xC1\xC2\x47\x76\xB1\x88\x5C\x82\x3B\xBB\x2B\xA6\x04\xD7\x8C\x07\x8F\xCD\xD5\x41\x1D\xF0\xAE\xB8\x29\x2C\x94\x52\x60\x34\x94\x3B\xDA\xE0\x38\xD1\x9D\x33\x3E\x15\xF4\x93\x32\xC5\x00\xDA\xB5\x29\x66\x0E\x3A\x78\x0F\x21\x52\x5F\x02\xE5\x92\x7B\x25\xD3\x92\x1E\x2F\x15\x9D\x81\xE4\x9D\x8E\xE8\xEF\x89\xCE\x14\x4C\x54\x1D\x1C\x81\x12\x4D\x70\xA8\xBE\x10\x05\x17\x7E\x1F\xD1\xB8\x57\x55\xED\xCD\xBB\x52\xC2\xB0\x1E\x78\xC2\x4D\x36\x68\xCB\x56\x26\xC1\x52\xC1\xBD\x76\xF7\x58\xD5\x72\x7E\x1F\x44\x76\xBB\x00\x89\x1D\x16\x9D\x51\x35\xEF\x4D\xC2\x56\xE
F\x6B\xE0\x8C\x3B\x0D\xE9\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x3F\x8D\x9A\x59\x8B\xFC\x7B\x7B\x9C\xA3\xAF\x38\xB0\x39\xED\x90\x71\x80\xD6\xC8\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x15\x1A\x7E\x13\x8A\xB9\xE8\x07\xA3\x4B\x27\x32\xB2\x40\x91\xF2\x21\xD1\x64\x85\xBE\x63\x6A\xD2\xCF\x81\xC2\x15\xD5\x7A\x7E\x0C\x29\xAC\x37\x1E\x1C\x7C\x76\x52\x95\xDA\xB5\x7F\x23\xA1\x29\x77\x65\xC9\x32\x9D\xA8\x2E\x56\xAB\x60\x76\xCE\x16\xB4\x8D\x7F\x78\xC0\xD5\x99\x51\x83\x7F\x5E\xD9\xBE\x0C\xA8\x50\xED\x22\xC7\xAD\x05\x4C\x76\xFB\xED\xEE\x1E\x47\x64\xF6\xF7\x27\x7D\x5C\x28\x0F\x45\xC5\x5C\x62\x5E\xA6\x9A\x91\x91\xB7\x53\x17\x2E\xDC\xAD\x60\x9D\x96\x64\x39\xBD\x67\x68\xB2\xAE\x05\xCB\x4D\xE7\x5F\x1F\x57\x86\xD5\x20\x9C\x28\xFB\x6F\x13\x38\xF5\xF6\x11\x92\xF6\x7D\x99\x5E\x1F\x0C\xE8\xAB\x44\x24\x29\x72\x40\x3D\x36\x52\xAF\x8C\x58\x90\x73\xC1\xEC\x61\x2C\x79\xA1\xEC\x87\xB5\x3F\xDA\x4D\xD9\x21\x00\x30\xDE\x90\xDA\x0E\xD3\x1A\x48\xA9\x3E\x85\x0B\x14\x8B\x8C\xBC\x41\x9E\x6A\xF7\x0E\x70\xC0\x35\xF7\x39\xA2\x5D\x66\xD0\x7B\x59\x9F\xA8\x47\x12\x9A\x27\x23\xA4\x2D\x8E\x27\x83\x92\x20\xA1\xD7\x15\x7F\xF1\x2E\x18\xEE\xF4\x48\x7F\x2F\x7F\xF1\xA1\x18\xB5\xA1\x0B\x94\xA0\x62\x20\x32\x9C\x1D\xF6\xD4\xEF\xBF\x4C\x88\x68", - ["C=TR,O=EBG Bili\C5\9Fim Teknolojileri ve Hizmetleri A.\C5\9E.,CN=EBG Elektronik Sertifika Hizmet Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1"] = 
"\x30\x82\x05\xE7\x30\x82\x03\xCF\xA0\x03\x02\x01\x02\x02\x08\x4C\xAF\x73\x42\x1C\x8E\x74\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x80\x31\x38\x30\x36\x06\x03\x55\x04\x03\x0C\x2F\x45\x42\x47\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x31\x37\x30\x35\x06\x03\x55\x04\x0A\x0C\x2E\x45\x42\x47\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6C\x65\x72\x69\x20\x76\x65\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x30\x1E\x17\x0D\x30\x36\x30\x38\x31\x37\x30\x30\x32\x31\x30\x39\x5A\x17\x0D\x31\x36\x30\x38\x31\x34\x30\x30\x33\x31\x30\x39\x5A\x30\x81\x80\x31\x38\x30\x36\x06\x03\x55\x04\x03\x0C\x2F\x45\x42\x47\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x31\x37\x30\x35\x06\x03\x55\x04\x0A\x0C\x2E\x45\x42\x47\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6C\x65\x72\x69\x20\x76\x65\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xEE\xA0\x84\x61\xD0\x3A\x6A\x66\x10\x32\xD8\x31\x38\x7F\xA7\xA7\xE5\xFD\xA1\xE1\xFB\x97\x77\xB8\x71\x96\xE8\x13\x96\x46\x83\x4F\xB6\xF2\x5F\x72\x56\x6E\x13\x60\xA5\x01\x91\xE2\x5B\xC5\xCD\x57\x1F\x77\x63\x51\xFF\x2F\x3D\xDB\xB9\x3F\xAA\xA9\x35\xE7\x79\xD0\xF5\xD0\x24\xB6\x21\xEA\xEB\x23\x94\xFE\x29\xBF\xFB\x89\x91\x0C\x64\x9A\x05\x4A\x2B\xCC\x0C\xEE\xF1\x3D\x9B\x82\x69\xA4\x4C\xF8\x9A\x6F\xE7\x22\xDA\x10\xBA\x5F\x92\xFC\x18\x27\x0A\xA8\xAA\x44\xFA\x2E\x2C\xB4\xFB\x46\x9A\x08\x03\x83\x72\xAB\x88\xE4\x6A\x72\xC9\xE5\x65\x1F\x6E\x2A\x0
F\x9D\xB3\xE8\x3B\xE4\x0C\x6E\x7A\xDA\x57\xFD\xD7\xEB\x79\x8B\x5E\x20\x06\xD3\x76\x0B\x6C\x02\x95\xA3\x96\xE4\xCB\x76\x51\xD1\x28\x9D\xA1\x1A\xFC\x44\xA2\x4D\xCC\x7A\x76\xA8\x0D\x3D\xBF\x17\x4F\x22\x88\x50\xFD\xAE\xB6\xEC\x90\x50\x4A\x5B\x9F\x95\x41\xAA\xCA\x0F\xB2\x4A\xFE\x80\x99\x4E\xA3\x46\x15\xAB\xF8\x73\x42\x6A\xC2\x66\x76\xB1\x0A\x26\x15\xDD\x93\x92\xEC\xDB\xA9\x5F\x54\x22\x52\x91\x70\x5D\x13\xEA\x48\xEC\x6E\x03\x6C\xD9\xDD\x6C\xFC\xEB\x0D\x03\xFF\xA6\x83\x12\x9B\xF1\xA9\x93\x0F\xC5\x26\x4C\x31\xB2\x63\x99\x61\x72\xE7\x2A\x64\x99\xD2\xB8\xE9\x75\xE2\x7C\xA9\xA9\x9A\x1A\xAA\xC3\x56\xDB\x10\x9A\x3C\x83\x52\xB6\x7B\x96\xB7\xAC\x87\x77\xA8\xB9\xF2\x67\x0B\x94\x43\xB3\xAF\x3E\x73\xFA\x42\x36\xB1\x25\xC5\x0A\x31\x26\x37\x56\x67\xBA\xA3\x0B\x7D\xD6\xF7\x89\xCD\x67\xA1\xB7\x3A\x1E\x66\x4F\xF6\xA0\x55\x14\x25\x4C\x2C\x33\x0D\xA6\x41\x8C\xBD\x04\x31\x6A\x10\x72\x0A\x9D\x0E\x2E\x76\xBD\x5E\xF3\x51\x89\x8B\xA8\x3F\x55\x73\xBF\xDB\x3A\xC6\x24\x05\x96\x92\x48\xAA\x4B\x8D\x2A\x03\xE5\x57\x91\x10\xF4\x6A\x28\x15\x6E\x47\x77\x84\x5C\x51\x74\x9F\x19\xE9\xE6\x1E\x63\x16\x39\xE3\x11\x15\xE3\x58\x1A\x44\xBD\xCB\xC4\x6C\x66\xD7\x84\x06\xDF\x30\xF4\x37\xA2\x43\x22\x79\xD2\x10\x6C\xDF\xBB\xE6\x13\x11\xFC\x9D\x84\x0A\x13\x7B\xF0\x3B\xD0\xFC\xA3\x0A\xD7\x89\xEA\x96\x7E\x8D\x48\x85\x1E\x64\x5F\xDB\x54\xA2\xAC\xD5\x7A\x02\x79\x6B\xD2\x8A\xF0\x67\xDA\x65\x72\x0D\x14\x70\xE4\xE9\x8E\x78\x8F\x32\x74\x7C\x57\xF2\xD6\xD6\xF4\x36\x89\x1B\xF8\x29\x6C\x8B\xB9\xF6\x97\xD1\xA4\x2E\xAA\xBE\x0B\x19\xC2\x45\xE9\x70\x5D\x02\x03\x00\x9D\xD9\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE7\xCE\xC6\x4F\xFC\x16\x67\x96\xFA\x4A\xA3\x07\xC1\x04\xA7\xCB\x6A\xDE\xDA\x47\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xE7\xCE\xC6\x4F\xFC\x16\x67\x96\xFA\x4A\xA3\x07\xC1\x04\xA7\xCB\x6A\xDE\xDA\x47\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x8
2\x02\x01\x00\x9B\x98\x9A\x5D\xBE\xF3\x28\x23\x76\xC6\x6C\xF7\x7F\xE6\x40\x9E\xC0\x36\xDC\x95\x0D\x1D\xAD\x15\xC5\x36\xD8\xD5\x39\xEF\xF2\x1E\x22\x5E\xB3\x82\xB4\x5D\xBB\x4C\x1A\xCA\x92\x0D\xDF\x47\x24\x1E\xB3\x24\xDA\x91\x88\xE9\x83\x70\xDD\x93\xD7\xE9\xBA\xB3\xDF\x16\x5A\x3E\xDE\xE0\xC8\xFB\xD3\xFD\x6C\x29\xF8\x15\x46\xA0\x68\x26\xCC\x93\x52\xAE\x82\x01\x93\x90\xCA\x77\xCA\x4D\x49\xEF\xE2\x5A\xD9\x2A\xBD\x30\xCE\x4C\xB2\x81\xB6\x30\xCE\x59\x4F\xDA\x59\x1D\x6A\x7A\xA4\x45\xB0\x82\x26\x81\x86\x76\xF5\xF5\x10\x00\xB8\xEE\xB3\x09\xE8\x4F\x87\x02\x07\xAE\x24\x5C\xF0\x5F\xAC\x0A\x30\xCC\x8A\x40\xA0\x73\x04\xC1\xFB\x89\x24\xF6\x9A\x1C\x5C\xB7\x3C\x0A\x67\x36\x05\x08\x31\xB3\xAF\xD8\x01\x68\x2A\xE0\x78\x8F\x74\xDE\xB8\x51\xA4\x8C\x6C\x20\x3D\xA2\xFB\xB3\xD4\x09\xFD\x7B\xC2\x80\xAA\x93\x6C\x29\x98\x21\xA8\xBB\x16\xF3\xA9\x12\x5F\x74\xB5\x87\x98\xF2\x95\x26\xDF\x34\xEF\x8A\x53\x91\x88\x5D\x1A\x94\xA3\x3F\x7C\x22\xF8\xD7\x88\xBA\xA6\x8C\x96\xA8\x3D\x52\x34\x62\x9F\x00\x1E\x54\x55\x42\x67\xC6\x4D\x46\x8F\xBB\x14\x45\x3D\x0A\x96\x16\x8E\x10\xA1\x97\x99\xD5\xD3\x30\x85\xCC\xDE\xB4\x72\xB7\xBC\x8A\x3C\x18\x29\x68\xFD\xDC\x71\x07\xEE\x24\x39\x6A\xFA\xED\xA5\xAC\x38\x2F\xF9\x1E\x10\x0E\x06\x71\x1A\x10\x4C\xFE\x75\x7E\xFF\x1E\x57\x39\x42\xCA\xD7\xE1\x15\xA1\x56\x55\x59\x1B\xD1\xA3\xAF\x11\xD8\x4E\xC3\xA5\x2B\xEF\x90\xBF\xC0\xEC\x82\x13\x5B\x8D\xD6\x72\x2C\x93\x4E\x8F\x6A\x29\xDF\x85\x3C\xD3\x0D\xE0\xA2\x18\x12\xCC\x55\x2F\x47\xB7\xA7\x9B\x02\xFE\x41\xF6\x88\x4C\x6D\xDA\xA9\x01\x47\x83\x64\x27\x62\x10\x82\xD6\x12\x7B\x5E\x03\x1F\x34\xA9\xC9\x91\xFE\xAF\x5D\x6D\x86\x27\xB7\x23\xAA\x75\x18\xCA\x20\xE7\xB0\x0F\xD7\x89\x0E\xA6\x67\x22\x63\xF4\x83\x41\x2B\x06\x4B\xBB\x58\xD5\xD1\xD7\xB7\xB9\x10\x63\xD8\x89\x4A\xB4\xAA\xDD\x16\x63\xF5\x6E\xBE\x60\xA1\xF8\xED\xE8\xD6\x90\x4F\x1A\xC6\xC5\xA0\x29\xD3\xA7\x21\xA8\xF5\x5A\x3C\xF7\xC7\x49\xA2\x21\x9A\x4A\x95\x52\x20\x96\x72\x9A\x66\xCB\xF7\xD2\x86\x43\x7C\x22\xBE\x96\xF9\xBD\x01\xA8\x47\xDD\xE5\x3B\x40\xF9\x75\x2B\x9B\x2B\x46\x64\x86\x8D\x1E\xF
4\x8F\xFB\x07\x77\xD0\xEA\x49\xA2\x1C\x8D\x52\x14\xA6\x0A\x93", ["OU=certSIGN ROOT CA,O=certSIGN,C=RO"] = "\x30\x82\x03\x38\x30\x82\x02\x20\xA0\x03\x02\x01\x02\x02\x06\x20\x06\x05\x16\x70\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x52\x4F\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x63\x65\x72\x74\x53\x49\x47\x4E\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x63\x65\x72\x74\x53\x49\x47\x4E\x20\x52\x4F\x4F\x54\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x30\x37\x30\x34\x31\x37\x32\x30\x30\x34\x5A\x17\x0D\x33\x31\x30\x37\x30\x34\x31\x37\x32\x30\x30\x34\x5A\x30\x3B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x52\x4F\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x63\x65\x72\x74\x53\x49\x47\x4E\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x63\x65\x72\x74\x53\x49\x47\x4E\x20\x52\x4F\x4F\x54\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB7\x33\xB9\x7E\xC8\x25\x4A\x8E\xB5\xDB\xB4\x28\x1B\xAA\x57\x90\xE8\xD1\x22\xD3\x64\xBA\xD3\x93\xE8\xD4\xAC\x86\x61\x40\x6A\x60\x57\x68\x54\x84\x4D\xBC\x6A\x54\x02\x05\xFF\xDF\x9B\x9A\x2A\xAE\x5D\x07\x8F\x4A\xC3\x28\x7F\xEF\xFB\x2B\xFA\x79\xF1\xC7\xAD\xF0\x10\x53\x24\x90\x8B\x66\xC9\xA8\x88\xAB\xAF\x5A\xA3\x00\xE9\xBE\xBA\x46\xEE\x5B\x73\x7B\x2C\x17\x82\x81\x5E\x62\x2C\xA1\x02\x65\xB3\xBD\xC5\x2B\x00\x7E\xC4\xFC\x03\x33\x57\x0D\xED\xE2\xFA\xCE\x5D\x45\xD6\x38\xCD\x35\xB6\xB2\xC1\xD0\x9C\x81\x4A\xAA\xE4\xB2\x01\x5C\x1D\x8F\x5F\x99\xC4\xB1\xAD\xDB\x88\x21\xEB\x90\x08\x82\x80\xF3\x30\xA3\x43\xE6\x90\x82\xAE\x55\x28\x49\xED\x5B\xD7\xA9\x10\x38\x0E\xFE\x8F\x4C\x5B\x9B\x46\xEA\x41\xF5\xB0\x08\x74\xC3\xD0\x88\x33\xB6\x7C\xD7\x74\xDF\xDC\x84\xD1\x43\x0E\x75\x39\xA1\x25\x40\x28\xEA\x78\xCB\x0E\x2C\x2E\x39\x9D\x8C\x8B\x6E\x16\x1C\x2F\x26\x82\x10\xE2\xE3\x65\x94\x0A\x04\xC0\x5E\xF7\x5D\x5B\xF8\x10\xE2\xD0\xBA\x7A\x4B\xFB\xDE\x37\x00\x00\x1A\x5B\x28\xE3\xD2\x9C\x73\x3E\x32\x87\x98\xA1\xC9\x51\x2F\
xD7\xDE\xAC\x33\xB3\x4F\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\xC6\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE0\x8C\x9B\xDB\x25\x49\xB3\xF1\x7C\x86\xD6\xB2\x42\x87\x0B\xD0\x6B\xA0\xD9\xE4\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3E\xD2\x1C\x89\x2E\x35\xFC\xF8\x75\xDD\xE6\x7F\x65\x88\xF4\x72\x4C\xC9\x2C\xD7\x32\x4E\xF3\xDD\x19\x79\x47\xBD\x8E\x3B\x5B\x93\x0F\x50\x49\x24\x13\x6B\x14\x06\x72\xEF\x09\xD3\xA1\xA1\xE3\x40\x84\xC9\xE7\x18\x32\x74\x3C\x48\x6E\x0F\x9F\x4B\xD4\xF7\x1E\xD3\x93\x86\x64\x54\x97\x63\x72\x50\xD5\x55\xCF\xFA\x20\x93\x02\xA2\x9B\xC3\x23\x93\x4E\x16\x55\x76\xA0\x70\x79\x6D\xCD\x21\x1F\xCF\x2F\x2D\xBC\x19\xE3\x88\x31\xF8\x59\x1A\x81\x09\xC8\x97\xA6\x74\xC7\x60\xC4\x5B\xCC\x57\x8E\xB2\x75\xFD\x1B\x02\x09\xDB\x59\x6F\x72\x93\x69\xF7\x31\x41\xD6\x88\x38\xBF\x87\xB2\xBD\x16\x79\xF9\xAA\xE4\xBE\x88\x25\xDD\x61\x27\x23\x1C\xB5\x31\x07\x04\x36\xB4\x1A\x90\xBD\xA0\x74\x71\x50\x89\x6D\xBC\x14\xE3\x0F\x86\xAE\xF1\xAB\x3E\xC7\xA0\x09\xCC\xA3\x48\xD1\xE0\xDB\x64\xE7\x92\xB5\xCF\xAF\x72\x43\x70\x8B\xF9\xC3\x84\x3C\x13\xAA\x7E\x92\x9B\x57\x53\x93\xFA\x70\xC2\x91\x0E\x31\xF9\x9B\x67\x5D\xE9\x96\x38\x5E\x5F\xB3\x73\x4E\x88\x15\x67\xDE\x9E\x76\x10\x62\x20\xBE\x55\x69\x95\x43\x00\x39\x4D\xF6\xEE\xB0\x5A\x4E\x49\x44\x54\x58\x5F\x42\x83", - ["CN=CNNIC ROOT,O=CNNIC,C=CN"] = 
"\x30\x82\x03\x55\x30\x82\x02\x3D\xA0\x03\x02\x01\x02\x02\x04\x49\x33\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x32\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0A\x13\x05\x43\x4E\x4E\x49\x43\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x43\x4E\x4E\x49\x43\x20\x52\x4F\x4F\x54\x30\x1E\x17\x0D\x30\x37\x30\x34\x31\x36\x30\x37\x30\x39\x31\x34\x5A\x17\x0D\x32\x37\x30\x34\x31\x36\x30\x37\x30\x39\x31\x34\x5A\x30\x32\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0A\x13\x05\x43\x4E\x4E\x49\x43\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x43\x4E\x4E\x49\x43\x20\x52\x4F\x4F\x54\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD3\x35\xF7\x3F\x73\x77\xAD\xE8\x5B\x73\x17\xC2\xD1\x6F\xED\x55\xBC\x6E\xEA\xE8\xA4\x79\xB2\x6C\xC3\xA3\xEF\xE1\x9F\xB1\x3B\x48\x85\xF5\x9A\x5C\x21\x22\x10\x2C\xC5\x82\xCE\xDA\xE3\x9A\x6E\x37\xE1\x87\x2C\xDC\xB9\x0C\x5A\xBA\x88\x55\xDF\xFD\xAA\xDB\x1F\x31\xEA\x01\xF1\xDF\x39\x01\xC1\x13\xFD\x48\x52\x21\xC4\x55\xDF\xDA\xD8\xB3\x54\x76\xBA\x74\xB1\xB7\x7D\xD7\xC0\xE8\xF6\x59\xC5\x4D\xC8\xBD\xAD\x1F\x14\xDA\xDF\x58\x44\x25\x32\x19\x2A\xC7\x7E\x7E\x8E\xAE\x38\xB0\x30\x7B\x47\x72\x09\x31\xF0\x30\xDB\xC3\x1B\x76\x29\xBB\x69\x76\x4E\x57\xF9\x1B\x64\xA2\x93\x56\xB7\x6F\x99\x6E\xDB\x0A\x04\x9C\x11\xE3\x80\x1F\xCB\x63\x94\x10\x0A\xA9\xE1\x64\x82\x31\xF9\x8C\x27\xED\xA6\x99\x00\xF6\x70\x93\x18\xF8\xA1\x34\x86\xA3\xDD\x7A\xC2\x18\x79\xF6\x7A\x65\x35\xCF\x90\xEB\xBD\x33\x93\x9F\x53\xAB\x73\x3B\xE6\x9B\x34\x20\x2F\x1D\xEF\xA9\x1D\x63\x1A\xA0\x80\xDB\x03\x2F\xF9\x26\x1A\x86\xD2\x8D\xBB\xA9\xBE\x52\x3A\x87\x67\x48\x0D\xBF\xB4\xA0\xD8\x26\xBE\x23\x5F\x73\x37\x7F\x26\xE6\x92\x04\xA3\x7F\xCF\x20\xA7\xB7\xF3\x3A\xCA\xCB\x99\xCB\x02\x03\x01\x00\x01\xA3\x73\x30\x71\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x1
4\x65\xF2\x31\xAD\x2A\xF7\xF7\xDD\x52\x96\x0A\xC7\x02\xC1\x0E\xEF\xA6\xD5\x3B\x11\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\xFE\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x65\xF2\x31\xAD\x2A\xF7\xF7\xDD\x52\x96\x0A\xC7\x02\xC1\x0E\xEF\xA6\xD5\x3B\x11\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x4B\x35\xEE\xCC\xE4\xAE\xBF\xC3\x6E\xAD\x9F\x95\x3B\x4B\x3F\x5B\x1E\xDF\x57\x29\xA2\x59\xCA\x38\xE2\xB9\x1A\xFF\x9E\xE6\x6E\x32\xDD\x1E\xAE\xEA\x35\xB7\xF5\x93\x91\x4E\xDA\x42\xE1\xC3\x17\x60\x50\xF2\xD1\x5C\x26\xB9\x82\xB7\xEA\x6D\xE4\x9C\x84\xE7\x03\x79\x17\xAF\x98\x3D\x94\xDB\xC7\xBA\x00\xE7\xB8\xBF\x01\x57\xC1\x77\x45\x32\x0C\x3B\xF1\xB4\x1C\x08\xB0\xFD\x51\xA0\xA1\xDD\x9A\x1D\x13\x36\x9A\x6D\xB7\xC7\x3C\xB9\xE1\xC5\xD9\x17\xFA\x83\xD5\x3D\x15\xA0\x3C\xBB\x1E\x0B\xE2\xC8\x90\x3F\xA8\x86\x0C\xFC\xF9\x8B\x5E\x85\xCB\x4F\x5B\x4B\x62\x11\x47\xC5\x45\x7C\x05\x2F\x41\xB1\x9E\x10\x69\x1B\x99\x96\xE0\x55\x79\xFB\x4E\x86\x99\xB8\x94\xDA\x86\x38\x6A\x93\xA3\xE7\xCB\x6E\xE5\xDF\xEA\x21\x55\x89\x9C\x7D\x7D\x7F\x98\xF5\x00\x89\xEE\xE3\x84\xC0\x5C\x96\xB5\xC5\x46\xEA\x46\xE0\x85\x55\xB6\x1B\xC9\x12\xD6\xC1\xCD\xCD\x80\xF3\x02\x01\x3C\xC8\x69\xCB\x45\x48\x63\xD8\x94\xD0\xEC\x85\x0E\x3B\x4E\x11\x65\xF4\x82\x8C\xA6\x3D\xAE\x2E\x22\x94\x09\xC8\x5C\xEA\x3C\x81\x5D\x16\x2A\x03\x97\x16\x55\x09\xDB\x8A\x41\x82\x9E\x66\x9B\x11", - ["OU=ApplicationCA,O=Japanese Government,C=JP"] = 
"\x30\x82\x03\xA0\x30\x82\x02\x88\xA0\x03\x02\x01\x02\x02\x01\x31\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x43\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x4A\x61\x70\x61\x6E\x65\x73\x65\x20\x47\x6F\x76\x65\x72\x6E\x6D\x65\x6E\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0B\x13\x0D\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x43\x41\x30\x1E\x17\x0D\x30\x37\x31\x32\x31\x32\x31\x35\x30\x30\x30\x30\x5A\x17\x0D\x31\x37\x31\x32\x31\x32\x31\x35\x30\x30\x30\x30\x5A\x30\x43\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x4A\x61\x70\x61\x6E\x65\x73\x65\x20\x47\x6F\x76\x65\x72\x6E\x6D\x65\x6E\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0B\x13\x0D\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA7\x6D\xE0\x74\x4E\x87\x8F\xA5\x06\xDE\x68\xA2\xDB\x86\x99\x4B\x64\x0D\x71\xF0\x0A\x05\x9B\x8E\xAA\xE1\xCC\x2E\xD2\x6A\x3B\xC1\x7A\xB4\x97\x61\x8D\x8A\xBE\xC6\x9A\x9C\x06\xB4\x86\x51\xE4\x37\x0E\x74\x78\x7E\x5F\x8A\x7F\x94\xA4\xD7\x47\x08\xFD\x50\x5A\x56\xE4\x68\xAC\x28\x73\xA0\x7B\xE9\x7F\x18\x92\x40\x4F\x2D\x9D\xF5\xAE\x44\x48\x73\x36\x06\x9E\x64\x2C\x3B\x34\x23\xDB\x5C\x26\xE4\x71\x79\x8F\xD4\x6E\x79\x22\xB9\x93\xC1\xCA\xCD\xC1\x56\xED\x88\x6A\xD7\xA0\x39\x21\x04\x57\x2C\xA2\xF5\xBC\x47\x41\x4F\x5E\x34\x22\x95\xB5\x1F\x29\x6D\x5E\x4A\xF3\x4D\x72\xBE\x41\x56\x20\x87\xFC\xE9\x50\x47\xD7\x30\x14\xEE\x5C\x8C\x55\xBA\x59\x8D\x87\xFC\x23\xDE\x93\xD0\x04\x8C\xFD\xEF\x6D\xBD\xD0\x7A\xC9\xA5\x3A\x6A\x72\x33\xC6\x4A\x0D\x05\x17\x2A\x2D\x7B\xB1\xA7\xD8\xD6\xF0\xBE\xF4\x3F\xEA\x0E\x28\x6D\x41\x61\x23\x76\x78\xC3\xB8\x65\xA4\xF3\x5A\xAE\xCC\xC2\xAA\xD9\xE7\x58\xDE\xB6\x7E\x9D\x85\x6E\x9F\x2A\x0A\x6F\x9F\x03\x29\x30\x97\x28\x1D\xBC\xB7\xCF\x54\x29\x4E\x51\x31\xF9\x27\xB6\x28\x26\xFE\xA2\x63\xE6\x41\x16\xF0\x33\x98\x47\x02\x03\x01\x00\x01\xA3\x81\x9E\x30\x8
1\x9B\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x54\x5A\xCB\x26\x3F\x71\xCC\x94\x46\x0D\x96\x53\xEA\x6B\x48\xD0\x93\xFE\x42\x75\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x59\x06\x03\x55\x1D\x11\x04\x52\x30\x50\xA4\x4E\x30\x4C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\xE6\x97\xA5\xE6\x9C\xAC\xE5\x9B\xBD\xE6\x94\xBF\xE5\xBA\x9C\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x0C\x1A\xE3\x82\xA2\xE3\x83\x97\xE3\x83\xAA\xE3\x82\xB1\xE3\x83\xBC\xE3\x82\xB7\xE3\x83\xA7\xE3\x83\xB3\x43\x41\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x39\x6A\x44\x76\x77\x38\x3A\xEC\xA3\x67\x46\x0F\xF9\x8B\x06\xA8\xFB\x6A\x90\x31\xCE\x7E\xEC\xDA\xD1\x89\x7C\x7A\xEB\x2E\x0C\xBD\x99\x32\xE7\xB0\x24\xD6\xC3\xFF\xF5\xB2\x88\x09\x87\x2C\xE3\x54\xE1\xA3\xA6\xB2\x08\x0B\xC0\x85\xA8\xC8\xD2\x9C\x71\xF6\x1D\x9F\x60\xFC\x38\x33\x13\xE1\x9E\xDC\x0B\x5F\xDA\x16\x50\x29\x7B\x2F\x70\x91\x0F\x99\xBA\x34\x34\x8D\x95\x74\xC5\x7E\x78\xA9\x66\x5D\xBD\xCA\x21\x77\x42\x10\xAC\x66\x26\x3D\xDE\x91\xAB\xFD\x15\xF0\x6F\xED\x6C\x5F\x10\xF8\xF3\x16\xF6\x03\x8A\x8F\xA7\x12\x11\x0C\xCB\xFD\x3F\x79\xC1\x9C\xFD\x62\xEE\xA3\xCF\x54\x0C\xD1\x2B\x5F\x17\x3E\xE3\x3E\xBF\xC0\x2B\x3E\x09\x9B\xFE\x88\xA6\x7E\xB4\x92\x17\xFC\x23\x94\x81\xBD\x6E\xA7\xC5\x8C\xC2\xEB\x11\x45\xDB\xF8\x41\xC9\x96\x76\xEA\x70\x5F\x79\x12\x6B\xE4\xA3\x07\x5A\x05\xEF\x27\x49\xCF\x21\x9F\x8A\x4C\x09\x70\x66\xA9\x26\xC1\x2B\x11\x4E\x33\xD2\x0E\xFC\xD6\x6C\xD2\x0E\x32\x64\x68\xFF\xAD\x05\x78\x5F\x03\x1D\xA8\xE3\x90\xAC\x24\xE0\x0F\x40\xA7\x4B\xAE\x8B\x28\xB7\x82\xCA\x18\x07\xE6\xB7\x5B\x74\xE9\x20\x19\x7F\xB2\x1B\x89\x54", ["CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. 
- For authorized use only,O=GeoTrust Inc.,C=US"] = "\x30\x82\x03\xFE\x30\x82\x02\xE6\xA0\x03\x02\x01\x02\x02\x10\x15\xAC\x6E\x94\x19\xB2\x79\x4B\x41\xF6\x27\xA9\xC3\x18\x0F\x1F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\x98\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x28\x63\x29\x20\x32\x30\x30\x38\x20\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x1E\x17\x0D\x30\x38\x30\x34\x30\x32\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x37\x31\x32\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x98\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x28\x63\x29\x20\x32\x30\x30\x38\x20\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDC\xE2\x5E\x62\x58\x1D\x33\x57\x39\x32\x33\xFA\xEB\xCB\x87\x8C\xA7\xD4\x4A\xDD\x06\x88\xEA\x64\x8E\x31\x98\xA5\x38\x90\x1E\x98\xCF\x2E\x63\x2B\xF0\x46\xBC\x44\xB2\x89\xA1\xC0\x28\x0C\x49\x70\x21\x95\x9F\x64\xC0\xA6\x93\x12\x02\x65\x26\x86\xC6\xA5\x89\xF0\xFA\xD7
\x84\xA0\x70\xAF\x4F\x1A\x97\x3F\x06\x44\xD5\xC9\xEB\x72\x10\x7D\xE4\x31\x28\xFB\x1C\x61\xE6\x28\x07\x44\x73\x92\x22\x69\xA7\x03\x88\x6C\x9D\x63\xC8\x52\xDA\x98\x27\xE7\x08\x4C\x70\x3E\xB4\xC9\x12\xC1\xC5\x67\x83\x5D\x33\xF3\x03\x11\xEC\x6A\xD0\x53\xE2\xD1\xBA\x36\x60\x94\x80\xBB\x61\x63\x6C\x5B\x17\x7E\xDF\x40\x94\x1E\xAB\x0D\xC2\x21\x28\x70\x88\xFF\xD6\x26\x6C\x6C\x60\x04\x25\x4E\x55\x7E\x7D\xEF\xBF\x94\x48\xDE\xB7\x1D\xDD\x70\x8D\x05\x5F\x88\xA5\x9B\xF2\xC2\xEE\xEA\xD1\x40\x41\x6D\x62\x38\x1D\x56\x06\xC5\x03\x47\x51\x20\x19\xFC\x7B\x10\x0B\x0E\x62\xAE\x76\x55\xBF\x5F\x77\xBE\x3E\x49\x01\x53\x3D\x98\x25\x03\x76\x24\x5A\x1D\xB4\xDB\x89\xEA\x79\xE5\xB6\xB3\x3B\x3F\xBA\x4C\x28\x41\x7F\x06\xAC\x6A\x8E\xC1\xD0\xF6\x05\x1D\x7D\xE6\x42\x86\xE3\xA5\xD5\x47\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC4\x79\xCA\x8E\xA1\x4E\x03\x1D\x1C\xDC\x6B\xDB\x31\x5B\x94\x3E\x3F\x30\x7F\x2D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x2D\xC5\x13\xCF\x56\x80\x7B\x7A\x78\xBD\x9F\xAE\x2C\x99\xE7\xEF\xDA\xDF\x94\x5E\x09\x69\xA7\xE7\x6E\x68\x8C\xBD\x72\xBE\x47\xA9\x0E\x97\x12\xB8\x4A\xF1\x64\xD3\x39\xDF\x25\x34\xD4\xC1\xCD\x4E\x81\xF0\x0F\x04\xC4\x24\xB3\x34\x96\xC6\xA6\xAA\x30\xDF\x68\x61\x73\xD7\xF9\x8E\x85\x89\xEF\x0E\x5E\x95\x28\x4A\x2A\x27\x8F\x10\x8E\x2E\x7C\x86\xC4\x02\x9E\xDA\x0C\x77\x65\x0E\x44\x0D\x92\xFD\xFD\xB3\x16\x36\xFA\x11\x0D\x1D\x8C\x0E\x07\x89\x6A\x29\x56\xF7\x72\xF4\xDD\x15\x9C\x77\x35\x66\x57\xAB\x13\x53\xD8\x8E\xC1\x40\xC5\xD7\x13\x16\x5A\x72\xC7\xB7\x69\x01\xC4\x7A\xB1\x83\x01\x68\x7D\x8D\x41\xA1\x94\x18\xC1\x25\x5C\xFC\xF0\xFE\x83\x02\x87\x7C\x0D\x0D\xCF\x2E\x08\x5C\x4A\x40\x0D\x3E\xEC\x81\x61\xE6\x24\xDB\xCA\xE0\x0E\x2D\x07\xB2\x3E\x56\xDC\x8D\xF5\x41\x85\x07\x48\x9B\x0C\x0B\xCB\x49\x3F\x7D\xEC\xB7\xFD\xCB\x8D\x67\x89\x1A\xAB\xED\xBB\x1E\xA3\x00\x08\x08\x17\x2A\x82
\x5C\x31\x5D\x46\x8A\x2D\x0F\x86\x9B\x74\xD9\x45\xFB\xD4\x40\xB1\x7A\xAA\x68\x2D\x86\xB2\x99\x22\xE1\xC1\x2B\xC7\x9C\xF8\xF3\x5F\xA8\x82\x12\xEB\x19\x11\x2D", ["CN=thawte Primary Root CA - G2,OU=(c) 2007 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US"] = "\x30\x82\x02\x88\x30\x82\x02\x0D\xA0\x03\x02\x01\x02\x02\x10\x35\xFC\x26\x5C\xD9\x84\x4F\xC9\x3D\x26\x3D\x57\x9B\xAE\xD7\x56\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\x84\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x31\x38\x30\x36\x06\x03\x55\x04\x0B\x13\x2F\x28\x63\x29\x20\x32\x30\x30\x37\x20\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x74\x68\x61\x77\x74\x65\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x1E\x17\x0D\x30\x37\x31\x31\x30\x35\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x84\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x31\x38\x30\x36\x06\x03\x55\x04\x0B\x13\x2F\x28\x63\x29\x20\x32\x30\x30\x37\x20\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x74\x68\x61\x77\x74\x65\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xA2\xD5\x9C\x82\x7B\x95\x9D\xF1\x52\x78\x87\xFE\x8A\x16\xBF\x05\xE6\xDF\xA3\x02\x4F\x0D\x07\xC6\x00\x51\xBA\x0C\x02\x52\x2D\x22\xA4\x42\x39\xC4\xFE\x8F\xEA\xC9\xC1\xBE\xD4\x4D\xFF\x9F\x7A\x9E\xE2\xB1\x7C\x9A\xAD\xA7\x86\x09\x73\x87\xD1\xE7\x9A\xE3\x7A\x
A5\xAA\x6E\xFB\xBA\xB3\x70\xC0\x67\x88\xA2\x35\xD4\xA3\x9A\xB1\xFD\xAD\xC2\xEF\x31\xFA\xA8\xB9\xF3\xFB\x08\xC6\x91\xD1\xFB\x29\x95\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x9A\xD8\x00\x30\x00\xE7\x6B\x7F\x85\x18\xEE\x8B\xB6\xCE\x8A\x0C\xF8\x11\xE1\xBB\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x69\x00\x30\x66\x02\x31\x00\xDD\xF8\xE0\x57\x47\x5B\xA7\xE6\x0A\xC3\xBD\xF5\x80\x8A\x97\x35\x0D\x1B\x89\x3C\x54\x86\x77\x28\xCA\xA1\xF4\x79\xDE\xB5\xE6\x38\xB0\xF0\x65\x70\x8C\x7F\x02\x54\xC2\xBF\xFF\xD8\xA1\x3E\xD9\xCF\x02\x31\x00\xC4\x8D\x94\xFC\xDC\x53\xD2\xDC\x9D\x78\x16\x1F\x15\x33\x23\x53\x52\xE3\x5A\x31\x5D\x9D\xCA\xAE\xBD\x13\x29\x44\x0D\x27\x5B\xA8\xE7\x68\x9C\x12\xF7\x58\x3F\x2E\x72\x02\x57\xA3\x8F\xA1\x14\x2E", ["CN=thawte Primary Root CA - G3,OU=(c) 2008 thawte\, Inc. - For authorized use only,OU=Certification Services Division,O=thawte\, Inc.,C=US"] = 
"\x30\x82\x04\x2A\x30\x82\x03\x12\xA0\x03\x02\x01\x02\x02\x10\x60\x01\x97\xB7\x46\xA7\xEA\xB4\xB4\x9A\xD6\x4B\x2F\xF7\x90\xFB\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xAE\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x44\x69\x76\x69\x73\x69\x6F\x6E\x31\x38\x30\x36\x06\x03\x55\x04\x0B\x13\x2F\x28\x63\x29\x20\x32\x30\x30\x38\x20\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x74\x68\x61\x77\x74\x65\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x33\x30\x1E\x17\x0D\x30\x38\x30\x34\x30\x32\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x37\x31\x32\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xAE\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x44\x69\x76\x69\x73\x69\x6F\x6E\x31\x38\x30\x36\x06\x03\x55\x04\x0B\x13\x2F\x28\x63\x29\x20\x32\x30\x30\x38\x20\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x74\x68\x61\x77\x74\x65\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB2\xBF\x27\x2C\xFB\xDB\xD8\x5B\xDD\x78\x7B\x1B\x9E\x77\x66\x81\xCB\x3E\xBC\x7C\xAE\xF3\xA6\x27\x9A\x34\xA3\x68\x31\x71\x38\x33\x62\xE4\xF
3\x71\x66\x79\xB1\xA9\x65\xA3\xA5\x8B\xD5\x8F\x60\x2D\x3F\x42\xCC\xAA\x6B\x32\xC0\x23\xCB\x2C\x41\xDD\xE4\xDF\xFC\x61\x9C\xE2\x73\xB2\x22\x95\x11\x43\x18\x5F\xC4\xB6\x1F\x57\x6C\x0A\x05\x58\x22\xC8\x36\x4C\x3A\x7C\xA5\xD1\xCF\x86\xAF\x88\xA7\x44\x02\x13\x74\x71\x73\x0A\x42\x59\x02\xF8\x1B\x14\x6B\x42\xDF\x6F\x5F\xBA\x6B\x82\xA2\x9D\x5B\xE7\x4A\xBD\x1E\x01\x72\xDB\x4B\x74\xE8\x3B\x7F\x7F\x7D\x1F\x04\xB4\x26\x9B\xE0\xB4\x5A\xAC\x47\x3D\x55\xB8\xD7\xB0\x26\x52\x28\x01\x31\x40\x66\xD8\xD9\x24\xBD\xF6\x2A\xD8\xEC\x21\x49\x5C\x9B\xF6\x7A\xE9\x7F\x55\x35\x7E\x96\x6B\x8D\x93\x93\x27\xCB\x92\xBB\xEA\xAC\x40\xC0\x9F\xC2\xF8\x80\xCF\x5D\xF4\x5A\xDC\xCE\x74\x86\xA6\x3E\x6C\x0B\x53\xCA\xBD\x92\xCE\x19\x06\x72\xE6\x0C\x5C\x38\x69\xC7\x04\xD6\xBC\x6C\xCE\x5B\xF6\xF7\x68\x9C\xDC\x25\x15\x48\x88\xA1\xE9\xA9\xF8\x98\x9C\xE0\xF3\xD5\x31\x28\x61\x11\x6C\x67\x96\x8D\x39\x99\xCB\xC2\x45\x24\x39\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xAD\x6C\xAA\x94\x60\x9C\xED\xE4\xFF\xFA\x3E\x0A\x74\x2B\x63\x03\xF7\xB6\x59\xBF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x1A\x40\xD8\x95\x65\xAC\x09\x92\x89\xC6\x39\xF4\x10\xE5\xA9\x0E\x66\x53\x5D\x78\xDE\xFA\x24\x91\xBB\xE7\x44\x51\xDF\xC6\x16\x34\x0A\xEF\x6A\x44\x51\xEA\x2B\x07\x8A\x03\x7A\xC3\xEB\x3F\x0A\x2C\x52\x16\xA0\x2B\x43\xB9\x25\x90\x3F\x70\xA9\x33\x25\x6D\x45\x1A\x28\x3B\x27\xCF\xAA\xC3\x29\x42\x1B\xDF\x3B\x4C\xC0\x33\x34\x5B\x41\x88\xBF\x6B\x2B\x65\xAF\x28\xEF\xB2\xF5\xC3\xAA\x66\xCE\x7B\x56\xEE\xB7\xC8\xCB\x67\xC1\xC9\x9C\x1A\x18\xB8\xC4\xC3\x49\x03\xF1\x60\x0E\x50\xCD\x46\xC5\xF3\x77\x79\xF7\xB6\x15\xE0\x38\xDB\xC7\x2F\x28\xA0\x0C\x3F\x77\x26\x74\xD9\x25\x12\xDA\x31\xDA\x1A\x1E\xDC\x29\x41\x91\x22\x3C\x69\xA7\xBB\x02\xF2\xB6\x5C\x27\x03\x89\xF4\x06\xEA\x9B\xE4\x72\x82\xE3\xA1\x09\xC1\xE9\x00\x19\xD3\x3E\xD4\x70\x6B\xBA\x71\xA6\xAA\x58\xA
E\xF4\xBB\xE9\x6C\xB6\xEF\x87\xCC\x9B\xBB\xFF\x39\xE6\x56\x61\xD3\x0A\xA7\xC4\x5C\x4C\x60\x7B\x05\x77\x26\x7A\xBF\xD8\x07\x52\x2C\x62\xF7\x70\x63\xD9\x39\xBC\x6F\x1C\xC2\x79\xDC\x76\x29\xAF\xCE\xC5\x2C\x64\x04\x5E\x88\x36\x6E\x31\xD4\x40\x1A\x62\x34\x36\x3F\x35\x01\xAE\xAC\x63\xA0", 
@@ -84,10 +61,8 @@ redef root_certs += { ["CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU=(c) 2007 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x03\x84\x30\x82\x03\x0A\xA0\x03\x02\x01\x02\x02\x10\x2F\x80\xFE\x23\x8C\x0E\x22\x0F\x48\x67\x12\x28\x91\x87\xAC\xB3\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x32\x30\x30\x37\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x34\x30\x1E\x17\x0D\x30\x37\x31\x31\x30\x35\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x32\x30\x30\x37\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\
x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x34\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xA7\x56\x7A\x7C\x52\xDA\x64\x9B\x0E\x2D\x5C\xD8\x5E\xAC\x92\x3D\xFE\x01\xE6\x19\x4A\x3D\x14\x03\x4B\xFA\x60\x27\x20\xD9\x83\x89\x69\xFA\x54\xC6\x9A\x18\x5E\x55\x2A\x64\xDE\x06\xF6\x8D\x4A\x3B\xAD\x10\x3C\x65\x3D\x90\x88\x04\x89\xE0\x30\x61\xB3\xAE\x5D\x01\xA7\x7B\xDE\x7C\xB2\xBE\xCA\x65\x61\x00\x86\xAE\xDA\x8F\x7B\xD0\x89\xAD\x4D\x1D\x59\x9A\x41\xB1\xBC\x47\x80\xDC\x9E\x62\xC3\xF9\xA3\x81\xB2\x30\x81\xAF\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x6D\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x0C\x04\x61\x30\x5F\xA1\x5D\xA0\x5B\x30\x59\x30\x57\x30\x55\x16\x09\x69\x6D\x61\x67\x65\x2F\x67\x69\x66\x30\x21\x30\x1F\x30\x07\x06\x05\x2B\x0E\x03\x02\x1A\x04\x14\x8F\xE5\xD3\x1A\x86\xAC\x8D\x8E\x6B\xC3\xCF\x80\x6A\xD4\x48\x18\x2C\x7B\x19\x2E\x30\x25\x16\x23\x68\x74\x74\x70\x3A\x2F\x2F\x6C\x6F\x67\x6F\x2E\x76\x65\x72\x69\x73\x69\x67\x6E\x2E\x63\x6F\x6D\x2F\x76\x73\x6C\x6F\x67\x6F\x2E\x67\x69\x66\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB3\x16\x91\xFD\xEE\xA6\x6E\xE4\xB5\x2E\x49\x8F\x87\x78\x81\x80\xEC\xE5\xB1\xB5\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x30\x66\x21\x0C\x18\x26\x60\x5A\x38\x7B\x56\x42\xE0\xA7\xFC\x36\x84\x51\x91\x20\x2C\x76\x4D\x43\x3D\xC4\x1D\x84\x23\xD0\xAC\xD6\x7C\x35\x06\xCE\xCD\x69\xBD\x90\x0D\xDB\x6C\x48\x42\x1D\x0E\xAA\x42\x02\x31\x00\x9C\x3D\x48\x39\x23\x39\x58\x1A\x15\x12\x59\x6A\x9E\xEF\xD5\x59\xB2\x1D\x52\x2C\x99\x71\xCD\xC7\x29\xDF\x1B\x2A\x61\x7B\x71\xD1\xDE\xF3\xC0\xE5\x0D\x3A\x4A\xAA\x2D\xA7\xD8\x86\x2A\xDD\x2E\x10", ["CN=NetLock Arany (Class Gold) F\C5\91tan\C3\BAs\C3\ADtv\C3\A1ny,OU=Tan\C3\BAs\C3\ADtv\C3\A1nykiad\C3\B3k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU"] 
= "\x30\x82\x04\x15\x30\x82\x02\xFD\xA0\x03\x02\x01\x02\x02\x06\x49\x41\x2C\xE4\x00\x10\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xA7\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x0C\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x0C\x0C\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x0C\x2E\x54\x61\x6E\xC3\xBA\x73\xC3\xAD\x74\x76\xC3\xA1\x6E\x79\x6B\x69\x61\x64\xC3\xB3\x6B\x20\x28\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x29\x31\x35\x30\x33\x06\x03\x55\x04\x03\x0C\x2C\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x41\x72\x61\x6E\x79\x20\x28\x43\x6C\x61\x73\x73\x20\x47\x6F\x6C\x64\x29\x20\x46\xC5\x91\x74\x61\x6E\xC3\xBA\x73\xC3\xAD\x74\x76\xC3\xA1\x6E\x79\x30\x1E\x17\x0D\x30\x38\x31\x32\x31\x31\x31\x35\x30\x38\x32\x31\x5A\x17\x0D\x32\x38\x31\x32\x30\x36\x31\x35\x30\x38\x32\x31\x5A\x30\x81\xA7\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x0C\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x0C\x0C\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x0C\x2E\x54\x61\x6E\xC3\xBA\x73\xC3\xAD\x74\x76\xC3\xA1\x6E\x79\x6B\x69\x61\x64\xC3\xB3\x6B\x20\x28\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x29\x31\x35\x30\x33\x06\x03\x55\x04\x03\x0C\x2C\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x41\x72\x61\x6E\x79\x20\x28\x43\x6C\x61\x73\x73\x20\x47\x6F\x6C\x64\x29\x20\x46\xC5\x91\x74\x61\x6E\xC3\xBA\x73\xC3\xAD\x74\x76\xC3\xA1\x6E\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC4\x24\x5E\x73\xBE\x4B\x6D\x14\xC3\xA1\xF4\xE3\x97\x90\x6E\xD2\x30\x45\x1E\x3C\xEE\x67\xD9\x64\xE0\x1A\x8A\x7F\xCA\x30\xCA\x83\xE3\x20\xC1\xE3\xF4\x3A\xD3\x94\x5F\x1A\x7C\x5B\x6D\xBF\x30\x4F\x84\x27\xF6\x9F\x1F\x49\xBC\xC6\x99\x0A\
x90\xF2\x0F\xF5\x7F\x43\x84\x37\x63\x51\x8B\x7A\xA5\x70\xFC\x7A\x58\xCD\x8E\x9B\xED\xC3\x46\x6C\x84\x70\x5D\xDA\xF3\x01\x90\x23\xFC\x4E\x30\xA9\x7E\xE1\x27\x63\xE7\xED\x64\x3C\xA0\xB8\xC9\x33\x63\xFE\x16\x90\xFF\xB0\xB8\xFD\xD7\xA8\xC0\xC0\x94\x43\x0B\xB6\xD5\x59\xA6\x9E\x56\xD0\x24\x1F\x70\x79\xAF\xDB\x39\x54\x0D\x65\x75\xD9\x15\x41\x94\x01\xAF\x5E\xEC\xF6\x8D\xF1\xFF\xAD\x64\xFE\x20\x9A\xD7\x5C\xEB\xFE\xA6\x1F\x08\x64\xA3\x8B\x76\x55\xAD\x1E\x3B\x28\x60\x2E\x87\x25\xE8\xAA\xAF\x1F\xC6\x64\x46\x20\xB7\x70\x7F\x3C\xDE\x48\xDB\x96\x53\xB7\x39\x77\xE4\x1A\xE2\xC7\x16\x84\x76\x97\x5B\x2F\xBB\x19\x15\x85\xF8\x69\x85\xF5\x99\xA7\xA9\xF2\x34\xA7\xA9\xB6\xA6\x03\xFC\x6F\x86\x3D\x54\x7C\x76\x04\x9B\x6B\xF9\x40\x5D\x00\x34\xC7\x2E\x99\x75\x9D\xE5\x88\x03\xAA\x4D\xF8\x03\xD2\x42\x76\xC0\x1B\x02\x03\x00\xA8\x8B\xA3\x45\x30\x43\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x04\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xCC\xFA\x67\x93\xF0\xB6\xB8\xD0\xA5\xC0\x1E\xF3\x53\xFD\x8C\x53\xDF\x83\xD7\x96\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\xAB\x7F\xEE\x1C\x16\xA9\x9C\x3C\x51\x00\xA0\xC0\x11\x08\x05\xA7\x99\xE6\x6F\x01\x88\x54\x61\x6E\xF1\xB9\x18\xAD\x4A\xAD\xFE\x81\x40\x23\x94\x2F\xFB\x75\x7C\x2F\x28\x4B\x62\x24\x81\x82\x0B\xF5\x61\xF1\x1C\x6E\xB8\x61\x38\xEB\x81\xFA\x62\xA1\x3B\x5A\x62\xD3\x94\x65\xC4\xE1\xE6\x6D\x82\xF8\x2F\x25\x70\xB2\x21\x26\xC1\x72\x51\x1F\x8C\x2C\xC3\x84\x90\xC3\x5A\x8F\xBA\xCF\xF4\xA7\x65\xA5\xEB\x98\xD1\xFB\x05\xB2\x46\x75\x15\x23\x6A\x6F\x85\x63\x30\x80\xF0\xD5\x9E\x1F\x29\x1C\xC2\x6C\xB0\x50\x59\x5D\x90\x5B\x3B\xA8\x0D\x30\xCF\xBF\x7D\x7F\xCE\xF1\x9D\x83\xBD\xC9\x46\x6E\x20\xA6\xF9\x61\x51\xBA\x21\x2F\x7B\xBE\xA5\x15\x63\xA1\xD4\x95\x87\xF1\x9E\xB9\xF3\x89\xF3\x3D\x85\xB8\xB8\xDB\xBE\xB5\xB9\x29\xF9\xDA\x37\x05\x00\x49\x94\x03\x84\x44\xE7\xBF\x43\x31\xCF\x75\x8B\x25\xD1\xF4\xA6\x64\xF5\x92\xF6\xAB\x05\xEB\x3D\xE9\xA5\x0B\
x36\x62\xDA\xCC\x06\x5F\x36\x8B\xB6\x5E\x31\xB8\x2A\xFB\x5E\xF6\x71\xDF\x44\x26\x9E\xC4\xE6\x0D\x91\xB4\x2E\x75\x95\x80\x51\x6A\x4B\x30\xA6\xB0\x62\xA1\x93\xF1\x9B\xD8\xCE\xC4\x63\x75\x3F\x59\x47\xB1", ["CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL"] = "\x30\x82\x05\xCA\x30\x82\x03\xB2\xA0\x03\x02\x01\x02\x02\x04\x00\x98\x96\x8C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4C\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x0C\x15\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x0C\x22\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x1E\x17\x0D\x30\x38\x30\x33\x32\x36\x31\x31\x31\x38\x31\x37\x5A\x17\x0D\x32\x30\x30\x33\x32\x35\x31\x31\x30\x33\x31\x30\x5A\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4C\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x0C\x15\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x0C\x22\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC5\x59\xE7\x6F\x75\xAA\x3E\x4B\x9C\xB5\xB8\xAC\x9E\x0B\xE4\xF9\xD9\xCA\xAB\x5D\x8F\xB5\x39\x10\x82\xD7\xAF\x51\xE0\x3B\xE1\x00\x48\x6A\xCF\xDA\xE1\x06\x43\x11\x99\xAA\x14\x25\x12\xAD\x22\xE8\x00\x6D\x43\xC4\xA9\xB8\xE5\x1F\x89\x4B\x67\xBD\x61\x48\xEF\xFD\xD2\xE0\x60\x88\xE5\xB9\x18\x60\x28\xC3\x77\x2B\xAD\xB0\x37\xAA\x37\xDE\x64\x59\x2A\x46\x57\xE4\x4B\xB9\xF8\x37\x7C\xD5\x36\xE7\x80\xC1\xB6\xF3\xD4\x67\x9B\x96\xE8\xCE\xD7\xC6\x0A\x53\xD0\x6B\x49\x96\xF3\xA3\x0B\x05\x77\x48\xF7\x25\xE5\x70\xAC\x30\x14\x20\x25\xE3\x7F\x75\x5A\xE5\x48\xF8\x4E\x7B\x03\x07\x04\xFA\x82\x61\x87\x6E\xF0\x3B
\xC4\xA4\xC7\xD0\xF5\x74\x3E\xA5\x5D\x1A\x08\xF2\x9B\x25\xD2\xF6\xAC\x04\x26\x3E\x55\x3A\x62\x28\xA5\x7B\xB2\x30\xAF\xF8\x37\xC2\xD1\xBA\xD6\x38\xFD\xF4\xEF\x49\x30\x37\x99\x26\x21\x48\x85\x01\xA9\xE5\x16\xE7\xDC\x90\x55\xDF\x0F\xE8\x38\xCD\x99\x37\x21\x4F\x5D\xF5\x22\x6F\x6A\xC5\x12\x16\x60\x17\x55\xF2\x65\x66\xA6\xA7\x30\x91\x38\xC1\x38\x1D\x86\x04\x84\xBA\x1A\x25\x78\x5E\x9D\xAF\xCC\x50\x60\xD6\x13\x87\x52\xED\x63\x1F\x6D\x65\x7D\xC2\x15\x18\x74\xCA\xE1\x7E\x64\x29\x8C\x72\xD8\x16\x13\x7D\x0B\x49\x4A\xF1\x28\x1B\x20\x74\x6B\xC5\x3D\xDD\xB0\xAA\x48\x09\x3D\x2E\x82\x94\xCD\x1A\x65\xD9\x2B\x88\x9A\x99\xBC\x18\x7E\x9F\xEE\x7D\x66\x7C\x3E\xBD\x94\xB8\x81\xCE\xCD\x98\x30\x78\xC1\x6F\x67\xD0\xBE\x5F\xE0\x68\xED\xDE\xE2\xB1\xC9\x2C\x59\x78\x92\xAA\xDF\x2B\x60\x63\xF2\xE5\x5E\xB9\xE3\xCA\xFA\x7F\x50\x86\x3E\xA2\x34\x18\x0C\x09\x68\x28\x11\x1C\xE4\xE1\xB9\x5C\x3E\x47\xBA\x32\x3F\x18\xCC\x5B\x84\xF5\xF3\x6B\x74\xC4\x72\x74\xE1\xE3\x8B\xA0\x4A\xBD\x8D\x66\x2F\xEA\xAD\x35\xDA\x20\xD3\x88\x82\x61\xF0\x12\x22\xB6\xBC\xD0\xD5\xA4\xEC\xAF\x54\x88\x25\x24\x3C\xA7\x6D\xB1\x72\x29\x3F\x3E\x57\xA6\x7F\x55\xAF\x6E\x26\xC6\xFE\xE7\xCC\x40\x5C\x51\x44\x81\x0A\x78\xDE\x4A\xCE\x55\xBF\x1D\xD5\xD9\xB7\x56\xEF\xF0\x76\xFF\x0B\x79\xB5\xAF\xBD\xFB\xA9\x69\x91\x46\x97\x68\x80\x14\x36\x1D\xB3\x7F\xBB\x29\x98\x36\xA5\x20\xFA\x82\x60\x62\x33\xA4\xEC\xD6\xBA\x07\xA7\x6E\xC5\xCF\x14\xA6\xE7\xD6\x92\x34\xD8\x81\xF5\xFC\x1D\x5D\xAA\x5C\x1E\xF6\xA3\x4D\x3B\xB8\xF7\x39\x02\x03\x01\x00\x01\xA3\x81\x97\x30\x81\x94\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x52\x06\x03\x55\x1D\x20\x04\x4B\x30\x49\x30\x47\x06\x04\x55\x1D\x20\x00\x30\x3F\x30\x3D\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x31\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x70\x6B\x69\x6F\x76\x65\x72\x68\x65\x69\x64\x2E\x6E\x6C\x2F\x70\x6F\x6C\x69\x63\x69\x65\x73\x2F\x72\x6F\x6F\x74\x2D\x70\x6F\x6C\x69\x63\x79\x2D\x47\x32\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04
\x16\x04\x14\x91\x68\x32\x87\x15\x1D\x89\xE2\xB5\xF1\xAC\x36\x28\x34\x8D\x0B\x7C\x62\x88\xEB\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\xA8\x41\x4A\x67\x2A\x92\x81\x82\x50\x6E\xE1\xD7\xD8\xB3\x39\x3B\xF3\x02\x15\x09\x50\x51\xEF\x2D\xBD\x24\x7B\x88\x86\x3B\xF9\xB4\xBC\x92\x09\x96\xB9\xF6\xC0\xAB\x23\x60\x06\x79\x8C\x11\x4E\x51\xD2\x79\x80\x33\xFB\x9D\x48\xBE\xEC\x41\x43\x81\x1F\x7E\x47\x40\x1C\xE5\x7A\x08\xCA\xAA\x8B\x75\xAD\x14\xC4\xC2\xE8\x66\x3C\x82\x07\xA7\xE6\x27\x82\x5B\x18\xE6\x0F\x6E\xD9\x50\x3E\x8A\x42\x18\x29\xC6\xB4\x56\xFC\x56\x10\xA0\x05\x17\xBD\x0C\x23\x7F\xF4\x93\xED\x9C\x1A\x51\xBE\xDD\x45\x41\xBF\x91\x24\xB4\x1F\x8C\xE9\x5F\xCF\x7B\x21\x99\x9F\x95\x9F\x39\x3A\x46\x1C\x6C\xF9\xCD\x7B\x9C\x90\xCD\x28\xA9\xC7\xA9\x55\xBB\xAC\x62\x34\x62\x35\x13\x4B\x14\x3A\x55\x83\xB9\x86\x8D\x92\xA6\xC6\xF4\x07\x25\x54\xCC\x16\x57\x12\x4A\x82\x78\xC8\x14\xD9\x17\x82\x26\x2D\x5D\x20\x1F\x79\xAE\xFE\xD4\x70\x16\x16\x95\x83\xD8\x35\x39\xFF\x52\x5D\x75\x1C\x16\xC5\x13\x55\xCF\x47\xCC\x75\x65\x52\x4A\xDE\xF0\xB0\xA7\xE4\x0A\x96\x0B\xFB\xAD\xC2\xE2\x25\x84\xB2\xDD\xE4\xBD\x7E\x59\x6C\x9B\xF0\xF0\xD8\xE7\xCA\xF2\xE9\x97\x38\x7E\x89\xBE\xCC\xFB\x39\x17\x61\x3F\x72\xDB\x3A\x91\xD8\x65\x01\x19\x1D\xAD\x50\xA4\x57\x0A\x7C\x4B\xBC\x9C\x71\x73\x2A\x45\x51\x19\x85\xCC\x8E\xFD\x47\xA7\x74\x95\x1D\xA8\xD1\xAF\x4E\x17\xB1\x69\x26\xC2\xAA\x78\x57\x5B\xC5\x4D\xA7\xE5\x9E\x05\x17\x94\xCA\xB2\x5F\xA0\x49\x18\x8D\x34\xE9\x26\x6C\x48\x1E\xAA\x68\x92\x05\xE1\x82\x73\x5A\x9B\xDC\x07\x5B\x08\x6D\x7D\x9D\xD7\x8D\x21\xD9\xFC\x14\x20\xAA\xC2\x45\xDF\x3F\xE7\x00\xB2\x51\xE4\xC2\xF8\x05\xB9\x79\x1A\x8C\x34\xF3\x9E\x5B\xE4\x37\x5B\x6B\x4A\xDF\x2C\x57\x8A\x40\x5A\x36\xBA\xDD\x75\x44\x08\x37\x42\x70\x0C\xFE\xDC\x5E\x21\xA0\xA3\x8A\xC0\x90\x9C\x68\xDA\x50\xE6\x45\x10\x47\x78\xB6\x4E\xD2\x65\xC9\xC3\x37\xDF\xE1\x42\x63\xB0\x57\x37\x45\x2D\x7B\x8A\x9C\xBF\x05\xEA\x65\x55\x33\xF7\x39\x10\xC5\x28\x2A\x21\x7A\x1B\x8A\xC4\x24\xF9\x3F\x15\xC8\x9A\x15\x20\xF5\x55\x62\x96\xED
\x6D\x93\x50\xBC\xE4\xAA\x78\xAD\xD9\xCB\x0A\x65\x87\xA6\x66\xC1\xC4\x81\xA3\x77\x3A\x58\x1E\x0B\xEE\x83\x8B\x9D\x1E\xD2\x52\xA4\xCC\x1D\x6F\xB0\x98\x6D\x94\x31\xB5\xF8\x71\x0A\xDC\xB9\xFC\x7D\x32\x60\xE6\xEB\xAF\x8A\x01", - ["CN=Juur-SK,O=AS Sertifitseerimiskeskus,C=EE,emailAddress=pki@sk.ee"] = "\x30\x82\x04\xE6\x30\x82\x03\xCE\xA0\x03\x02\x01\x02\x02\x04\x3B\x8E\x4B\xFC\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5D\x31\x18\x30\x16\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x09\x70\x6B\x69\x40\x73\x6B\x2E\x65\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x45\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x41\x53\x20\x53\x65\x72\x74\x69\x66\x69\x74\x73\x65\x65\x72\x69\x6D\x69\x73\x6B\x65\x73\x6B\x75\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x03\x13\x07\x4A\x75\x75\x72\x2D\x53\x4B\x30\x1E\x17\x0D\x30\x31\x30\x38\x33\x30\x31\x34\x32\x33\x30\x31\x5A\x17\x0D\x31\x36\x30\x38\x32\x36\x31\x34\x32\x33\x30\x31\x5A\x30\x5D\x31\x18\x30\x16\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x09\x70\x6B\x69\x40\x73\x6B\x2E\x65\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x45\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x41\x53\x20\x53\x65\x72\x74\x69\x66\x69\x74\x73\x65\x65\x72\x69\x6D\x69\x73\x6B\x65\x73\x6B\x75\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x03\x13\x07\x4A\x75\x75\x72\x2D\x53\x4B\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x81\x71\x36\x3E\x33\x07\xD6\xE3\x30\x8D\x13\x7E\x77\x32\x46\xCB\xCF\x19\xB2\x60\x31\x46\x97\x86\xF4\x98\x46\xA4\xC2\x65\x45\xCF\xD3\x40\x7C\xE3\x5A\x22\xA8\x10\x78\x33\xCC\x88\xB1\xD3\x81\x4A\xF6\x62\x17\x7B\x5F\x4D\x0A\x2E\xD0\xCF\x8B\x23\xEE\x4F\x02\x4E\xBB\xEB\x0E\xCA\xBD\x18\x63\xE8\x80\x1C\x8D\xE1\x1C\x8D\x3D\xE0\xFF\x5B\x5F\xEA\x64\xE5\x97\xE8\x3F\x99\x7F\x0C\x0A\x09\x33\x00\x1A\x53\xA7\x21\xE1\x38\x4B\xD6\x83\x1B\xAD\xAF\x64\xC2\xF9\x1C\x7A\x8C\x66\x48\x4D\x66\x1F\x18\x0A\xE2\x3E\xBB\x1F\x07\x65\x93\x85\xB9\x1A\xB0\xB9\xC4\xFB\x0D\
x11\xF6\xF5\xD6\xF9\x1B\xC7\x2C\x2B\xB7\x18\x51\xFE\xE0\x7B\xF6\xA8\x48\xAF\x6C\x3B\x4F\x2F\xEF\xF8\xD1\x47\x1E\x26\x57\xF0\x51\x1D\x33\x96\xFF\xEF\x59\x3D\xDA\x4D\xD1\x15\x34\xC7\xEA\x3F\x16\x48\x7B\x91\x1C\x80\x43\x0F\x3D\xB8\x05\x3E\xD1\xB3\x95\xCD\xD8\xCA\x0F\xC2\x43\x67\xDB\xB7\x93\xE0\x22\x82\x2E\xBE\xF5\x68\x28\x83\xB9\xC1\x3B\x69\x7B\x20\xDA\x4E\x9C\x6D\xE1\xBA\xCD\x8F\x7A\x6C\xB0\x09\x22\xD7\x8B\x0B\xDB\x1C\xD5\x5A\x26\x5B\x0D\xC0\xEA\xE5\x60\xD0\x9F\xFE\x35\xDF\x3F\x02\x03\x01\x00\x01\xA3\x82\x01\xAC\x30\x82\x01\xA8\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x82\x01\x16\x06\x03\x55\x1D\x20\x04\x82\x01\x0D\x30\x82\x01\x09\x30\x82\x01\x05\x06\x0A\x2B\x06\x01\x04\x01\xCE\x1F\x01\x01\x01\x30\x81\xF6\x30\x81\xD0\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x81\xC3\x1E\x81\xC0\x00\x53\x00\x65\x00\x65\x00\x20\x00\x73\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x6B\x00\x61\x00\x61\x00\x74\x00\x20\x00\x6F\x00\x6E\x00\x20\x00\x76\x00\xE4\x00\x6C\x00\x6A\x00\x61\x00\x73\x00\x74\x00\x61\x00\x74\x00\x75\x00\x64\x00\x20\x00\x41\x00\x53\x00\x2D\x00\x69\x00\x73\x00\x20\x00\x53\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x74\x00\x73\x00\x65\x00\x65\x00\x72\x00\x69\x00\x6D\x00\x69\x00\x73\x00\x6B\x00\x65\x00\x73\x00\x6B\x00\x75\x00\x73\x00\x20\x00\x61\x00\x6C\x00\x61\x00\x6D\x00\x2D\x00\x53\x00\x4B\x00\x20\x00\x73\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x6B\x00\x61\x00\x61\x00\x74\x00\x69\x00\x64\x00\x65\x00\x20\x00\x6B\x00\x69\x00\x6E\x00\x6E\x00\x69\x00\x74\x00\x61\x00\x6D\x00\x69\x00\x73\x00\x65\x00\x6B\x00\x73\x30\x21\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x15\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x6B\x2E\x65\x65\x2F\x63\x70\x73\x2F\x30\x2B\x06\x03\x55\x1D\x1F\x04\x24\x30\x22\x30\x20\xA0\x1E\xA0\x1C\x86\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x6B\x2E\x65\x65\x2F\x6A\x75\x75\x72\x2F\x63\x72\x6C\x2F\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x04\xAA\x7A\x47\xA3\xE4\x89\xAF\x1A\xCF\x0A\x40\
xA7\x18\x3F\x6F\xEF\xE9\x7D\xBE\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x04\xAA\x7A\x47\xA3\xE4\x89\xAF\x1A\xCF\x0A\x40\xA7\x18\x3F\x6F\xEF\xE9\x7D\xBE\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\xE6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x7B\xC1\x18\x94\x53\xA2\x09\xF3\xFE\x26\x67\x9A\x50\xE4\xC3\x05\x2F\x2B\x35\x78\x91\x4C\x7C\xA8\x11\x11\x79\x4C\x49\x59\xAC\xC8\xF7\x85\x65\x5C\x46\xBB\x3B\x10\xA0\x02\xAF\xCD\x4F\xB5\xCC\x36\x2A\xEC\x5D\xFE\xEF\xA0\x91\xC9\xB6\x93\x6F\x7C\x80\x54\xEC\xC7\x08\x70\x0D\x8E\xFB\x82\xEC\x2A\x60\x78\x69\x36\x36\xD1\xC5\x9C\x8B\x69\xB5\x40\xC8\x94\x65\x77\xF2\x57\x21\x66\x3B\xCE\x85\x40\xB6\x33\x63\x1A\xBF\x79\x1E\xFC\x5C\x1D\xD3\x1D\x93\x1B\x8B\x0C\x5D\x85\xBD\x99\x30\x32\x18\x09\x91\x52\xE9\x7C\xA1\xBA\xFF\x64\x92\x9A\xEC\xFE\x35\xEE\x8C\x2F\xAE\xFC\x20\x86\xEC\x4A\xDE\x1B\x78\x32\x37\xA6\x81\xD2\x9D\xAF\x5A\x12\x16\xCA\x99\x5B\xFC\x6F\x6D\x0E\xC5\xA0\x1E\x86\xC9\x91\xD0\x5C\x98\x82\x5F\x63\x0C\x8A\x5A\xAB\xD8\x95\xA6\xCC\xCB\x8A\xD6\xBF\x64\x4B\x8E\xCA\x8A\xB2\xB0\xE9\x21\x32\x9E\xAA\xA8\x85\x98\x34\x81\x39\x21\x3B\xA8\x3A\x52\x32\x3D\xF6\x6B\x37\x86\x06\x5A\x15\x98\xDC\xF0\x11\x66\xFE\x34\x20\xB7\x03\xF4\x41\x10\x7D\x39\x84\x79\x96\x72\x63\xB6\x96\x02\xE5\x6B\xB9\xAD\x19\x4D\xBB\xC6\x44\xDB\x36\xCB\x2A\x9C\x8E", ["CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK"] = 
"\x30\x82\x03\x30\x30\x82\x02\x18\xA0\x03\x02\x01\x02\x02\x02\x03\xE8\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x4B\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x48\x6F\x6E\x67\x6B\x6F\x6E\x67\x20\x50\x6F\x73\x74\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x48\x6F\x6E\x67\x6B\x6F\x6E\x67\x20\x50\x6F\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x1E\x17\x0D\x30\x33\x30\x35\x31\x35\x30\x35\x31\x33\x31\x34\x5A\x17\x0D\x32\x33\x30\x35\x31\x35\x30\x34\x35\x32\x32\x39\x5A\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x4B\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x48\x6F\x6E\x67\x6B\x6F\x6E\x67\x20\x50\x6F\x73\x74\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x48\x6F\x6E\x67\x6B\x6F\x6E\x67\x20\x50\x6F\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAC\xFF\x38\xB6\xE9\x66\x02\x49\xE3\xA2\xB4\xE1\x90\xF9\x40\x8F\x79\xF9\xE2\xBD\x79\xFE\x02\xBD\xEE\x24\x92\x1D\x22\xF6\xDA\x85\x72\x69\xFE\xD7\x3F\x09\xD4\xDD\x91\xB5\x02\x9C\xD0\x8D\x5A\xE1\x55\xC3\x50\x86\xB9\x29\x26\xC2\xE3\xD9\xA0\xF1\x69\x03\x28\x20\x80\x45\x22\x2D\x56\xA7\x3B\x54\x95\x56\x22\x59\x1F\x28\xDF\x1F\x20\x3D\x6D\xA2\x36\xBE\x23\xA0\xB1\x6E\xB5\xB1\x27\x3F\x39\x53\x09\xEA\xAB\x6A\xE8\x74\xB2\xC2\x65\x5C\x8E\xBF\x7C\xC3\x78\x84\xCD\x9E\x16\xFC\xF5\x2E\x4F\x20\x2A\x08\x9F\x77\xF3\xC5\x1E\xC4\x9A\x52\x66\x1E\x48\x5E\xE3\x10\x06\x8F\x22\x98\xE1\x65\x8E\x1B\x5D\x23\x66\x3B\xB8\xA5\x32\x51\xC8\x86\xAA\xA1\xA9\x9E\x7F\x76\x94\xC2\xA6\x6C\xB7\x41\xF0\xD5\xC8\x06\x38\xE6\xD4\x0C\xE2\xF3\x3B\x4C\x6D\x50\x8C\xC4\x83\x27\xC1\x13\x84\x59\x3D\x9E\x75\x74\xB6\xD8\x02\x5E\x3A\x90\x7A\xC0\x42\x36\x72\xEC\x6A\x4D\xDC\xEF\xC4\x00\xDF\x13\x18\x57\x5F\x26\x78\xC8\xD6\x0A\x79\x77\xBF\xF7\xAF\xB7\x76\xB9\xA5\x0B\x84\x17\x5D\x10\xEA\x6F\xE1\xAB\x95\x11\x5F\x6D\x3C\xA3\x5C\x4D\x83\x5B\xF2\xB3\x19\x8A\x80\x8B\x0B\x87\x0
2\x03\x01\x00\x01\xA3\x26\x30\x24\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x03\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\xC6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x0E\x46\xD5\x3C\xAE\xE2\x87\xD9\x5E\x81\x8B\x02\x98\x41\x08\x8C\x4C\xBC\xDA\xDB\xEE\x27\x1B\x82\xE7\x6A\x45\xEC\x16\x8B\x4F\x85\xA0\xF3\xB2\x70\xBD\x5A\x96\xBA\xCA\x6E\x6D\xEE\x46\x8B\x6E\xE7\x2A\x2E\x96\xB3\x19\x33\xEB\xB4\x9F\xA8\xB2\x37\xEE\x98\xA8\x97\xB6\x2E\xB6\x67\x27\xD4\xA6\x49\xFD\x1C\x93\x65\x76\x9E\x42\x2F\xDC\x22\x6C\x9A\x4F\xF2\x5A\x15\x39\xB1\x71\xD7\x2B\x51\xE8\x6D\x1C\x98\xC0\xD9\x2A\xF4\xA1\x82\x7B\xD5\xC9\x41\xA2\x23\x01\x74\x38\x55\x8B\x0F\xB9\x2E\x67\xA2\x20\x04\x37\xDA\x9C\x0B\xD3\x17\x21\xE0\x8F\x97\x79\x34\x6F\x84\x48\x02\x20\x33\x1B\xE6\x34\x44\x9F\x91\x70\xF4\x80\x5E\x84\x43\xC2\x29\xD2\x6C\x12\x14\xE4\x61\x8D\xAC\x10\x90\x9E\x84\x50\xBB\xF0\x96\x6F\x45\x9F\x8A\xF3\xCA\x6C\x4F\xFA\x11\x3A\x15\x15\x46\xC3\xCD\x1F\x83\x5B\x2D\x41\x12\xED\x50\x67\x41\x13\x3D\x21\xAB\x94\x8A\xAA\x4E\x7C\xC1\xB1\xFB\xA7\xD6\xB5\x27\x2F\x97\xAB\x6E\xE0\x1D\xE2\xD1\x1C\x2C\x1F\x44\xE2\xFC\xBE\x91\xA1\x9C\xFB\xD6\x29\x53\x73\x86\x9F\x53\xD8\x43\x0E\x5D\xD6\x63\x82\x71\x1D\x80\x74\xCA\xF6\xE2\x02\x6B\xD9\x5A", ["CN=SecureSign RootCA11,O=Japan Certification Services\, Inc.,C=JP"] = 
"\x30\x82\x03\x6D\x30\x82\x02\x55\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x2B\x30\x29\x06\x03\x55\x04\x0A\x13\x22\x4A\x61\x70\x61\x6E\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x53\x65\x63\x75\x72\x65\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x43\x41\x31\x31\x30\x1E\x17\x0D\x30\x39\x30\x34\x30\x38\x30\x34\x35\x36\x34\x37\x5A\x17\x0D\x32\x39\x30\x34\x30\x38\x30\x34\x35\x36\x34\x37\x5A\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x2B\x30\x29\x06\x03\x55\x04\x0A\x13\x22\x4A\x61\x70\x61\x6E\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x53\x65\x63\x75\x72\x65\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x43\x41\x31\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xFD\x77\xAA\xA5\x1C\x90\x05\x3B\xCB\x4C\x9B\x33\x8B\x5A\x14\x45\xA4\xE7\x90\x16\xD1\xDF\x57\xD2\x21\x10\xA4\x17\xFD\xDF\xAC\xD6\x1F\xA7\xE4\xDB\x7C\xF7\xEC\xDF\xB8\x03\xDA\x94\x58\xFD\x5D\x72\x7C\x8C\x3F\x5F\x01\x67\x74\x15\x96\xE3\x02\x3C\x87\xDB\xAE\xCB\x01\x8E\xC2\xF3\x66\xC6\x85\x45\xF4\x02\xC6\x3A\xB5\x62\xB2\xAF\xFA\x9C\xBF\xA4\xE6\xD4\x80\x30\x98\xF3\x0D\xB6\x93\x8F\xA9\xD4\xD8\x36\xF2\xB0\xFC\x8A\xCA\x2C\xA1\x15\x33\x95\x31\xDA\xC0\x1B\xF2\xEE\x62\x99\x86\x63\x3F\xBF\xDD\x93\x2A\x83\xA8\x76\xB9\x13\x1F\xB7\xCE\x4E\x42\x85\x8F\x22\xE7\x2E\x1A\xF2\x95\x09\xB2\x05\xB5\x44\x4E\x77\xA1\x20\xBD\xA9\xF2\x4E\x0A\x7D\x50\xAD\xF5\x05\x0D\x45\x4F\x46\x71\xFD\x28\x3E\x53\xFB\x04\xD8\x2D\xD7\x65\x1D\x4A\x1B\xFA\xCF\x3B\xB0\x31\x9A\x35\x6E\xC8\x8B\x06\xD3\x00\x91\xF2\x94\x08\x65\x4C\xB1\x34\x06\x00\x7A\x89\xE2\xF0\xC7\x03\x59\xCF\xD5\xD6\xE8\xA7\x32\xB3\xE6\x98\x40\x86\xC5\xCD\x27\x12\x8
B\xCC\x7B\xCE\xB7\x11\x3C\x62\x60\x07\x23\x3E\x2B\x40\x6E\x94\x80\x09\x6D\xB6\xB3\x6F\x77\x6F\x35\x08\x50\xFB\x02\x87\xC5\x3E\x89\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x5B\xF8\x4D\x4F\xB2\xA5\x86\xD4\x3A\xD2\xF1\x63\x9A\xA0\xBE\x09\xF6\x57\xB7\xDE\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA0\xA1\x38\x16\x66\x2E\xA7\x56\x1F\x21\x9C\x06\xFA\x1D\xED\xB9\x22\xC5\x38\x26\xD8\x4E\x4F\xEC\xA3\x7F\x79\xDE\x46\x21\xA1\x87\x77\x8F\x07\x08\x9A\xB2\xA4\xC5\xAF\x0F\x32\x98\x0B\x7C\x66\x29\xB6\x9B\x7D\x25\x52\x49\x43\xAB\x4C\x2E\x2B\x6E\x7A\x70\xAF\x16\x0E\xE3\x02\x6C\xFB\x42\xE6\x18\x9D\x45\xD8\x55\xC8\xE8\x3B\xDD\xE7\xE1\xF4\x2E\x0B\x1C\x34\x5C\x6C\x58\x4A\xFB\x8C\x88\x50\x5F\x95\x1C\xBF\xED\xAB\x22\xB5\x65\xB3\x85\xBA\x9E\x0F\xB8\xAD\xE5\x7A\x1B\x8A\x50\x3A\x1D\xBD\x0D\xBC\x7B\x54\x50\x0B\xB9\x42\xAF\x55\xA0\x18\x81\xAD\x65\x99\xEF\xBE\xE4\x9C\xBF\xC4\x85\xAB\x41\xB2\x54\x6F\xDC\x25\xCD\xED\x78\xE2\x8E\x0C\x8D\x09\x49\xDD\x63\x7B\x5A\x69\x96\x02\x21\xA8\xBD\x52\x59\xE9\x7D\x35\xCB\xC8\x52\xCA\x7F\x81\xFE\xD9\x6B\xD3\xF7\x11\xED\x25\xDF\xF8\xE7\xF9\xA4\xFA\x72\x97\x84\x53\x0D\xA5\xD0\x32\x18\x51\x76\x59\x14\x6C\x0F\xEB\xEC\x5F\x80\x8C\x75\x43\x83\xC3\x85\x98\xFF\x4C\x9E\x2D\x0D\xE4\x77\x83\x93\x4E\xB5\x96\x07\x8B\x28\x13\x9B\x8C\x19\x8D\x41\x27\x49\x40\xEE\xDE\xE6\x23\x44\x39\xDC\xA1\x22\xD6\xBA\x03\xF2", - ["C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root"] = 
"\x30\x82\x05\xB5\x30\x82\x03\x9D\xA0\x03\x02\x01\x02\x02\x08\x61\x8D\xC7\x86\x3B\x01\x82\x05\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x44\x31\x16\x30\x14\x06\x03\x55\x04\x03\x0C\x0D\x41\x43\x45\x44\x49\x43\x4F\x4D\x20\x52\x6F\x6F\x74\x31\x0C\x30\x0A\x06\x03\x55\x04\x0B\x0C\x03\x50\x4B\x49\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x0C\x06\x45\x44\x49\x43\x4F\x4D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x30\x1E\x17\x0D\x30\x38\x30\x34\x31\x38\x31\x36\x32\x34\x32\x32\x5A\x17\x0D\x32\x38\x30\x34\x31\x33\x31\x36\x32\x34\x32\x32\x5A\x30\x44\x31\x16\x30\x14\x06\x03\x55\x04\x03\x0C\x0D\x41\x43\x45\x44\x49\x43\x4F\x4D\x20\x52\x6F\x6F\x74\x31\x0C\x30\x0A\x06\x03\x55\x04\x0B\x0C\x03\x50\x4B\x49\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x0C\x06\x45\x44\x49\x43\x4F\x4D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xFF\x92\x95\xE1\x68\x06\x76\xB4\x2C\xC8\x58\x48\xCA\xFD\x80\x54\x29\x55\x63\x24\xFF\x90\x65\x9B\x10\x75\x7B\xC3\x6A\xDB\x62\x02\x01\xF2\x18\x86\xB5\x7C\x5A\x38\xB1\xE4\x58\xB9\xFB\xD3\xD8\x2D\x9F\xBD\x32\x37\xBF\x2C\x15\x6D\xBE\xB5\xF4\x21\xD2\x13\x91\xD9\x07\xAD\x01\x05\xD6\xF3\xBD\x77\xCE\x5F\x42\x81\x0A\xF9\x6A\xE3\x83\x00\xA8\x2B\x2E\x55\x13\x63\x81\xCA\x47\x1C\x7B\x5C\x16\x57\x7A\x1B\x83\x60\x04\x3A\x3E\x65\xC3\xCD\x01\xDE\xDE\xA4\xD6\x0C\xBA\x8E\xDE\xD9\x04\xEE\x17\x56\x22\x9B\x8F\x63\xFD\x4D\x16\x0B\xB7\x7B\x77\x8C\xF9\x25\xB5\xD1\x6D\x99\x12\x2E\x4F\x1A\xB8\xE6\xEA\x04\x92\xAE\x3D\x11\xB9\x51\x42\x3D\x87\xB0\x31\x85\xAF\x79\x5A\x9C\xFE\xE7\x4E\x5E\x92\x4F\x43\xFC\xAB\x3A\xAD\xA5\x12\x26\x66\xB9\xE2\x0C\xD7\x98\xCE\xD4\x58\xA5\x95\x40\x0A\xB7\x44\x9D\x13\x74\x2B\xC2\xA5\xEB\x22\x15\x98\x10\xD8\x8B\xC5\x04\x9F\x1D\x8F\x60\xE5\x06\x1B\x9B\xCF\xB9\x79\xA0\x3D\xA2\x23\x3F\x42\x3F\x6B\xFA\x1C\x03\x7B\x30\x8D\xCE\x6C\xC0\xBF\xE6\x1B\x5F\xBF\x67\xB8\x84\x19\xD5\x15\xEF\x7B\xCB\x90\x36\x31\x62\xC9\xBC\x02\xAB\x4
6\x5F\x9B\xFE\x1A\x68\x94\x34\x3D\x90\x8E\xAD\xF6\xE4\x1D\x09\x7F\x4A\x88\x38\x3F\xBE\x67\xFD\x34\x96\xF5\x1D\xBC\x30\x74\xCB\x38\xEE\xD5\x6C\xAB\xD4\xFC\xF4\x00\xB7\x00\x5B\x85\x32\x16\x76\x33\xE9\xD8\xA3\x99\x9D\x05\x00\xAA\x16\xE6\xF3\x81\x7D\x6F\x7D\xAA\x86\x6D\xAD\x15\x74\xD3\xC4\xA2\x71\xAA\xF4\x14\x7D\xE7\x32\xB8\x1F\xBC\xD5\xF1\x4E\xBD\x6F\x17\x02\x39\xD7\x0E\x95\x42\x3A\xC7\x00\x3E\xE9\x26\x63\x11\xEA\x0B\xD1\x4A\xFF\x18\x9D\xB2\xD7\x7B\x2F\x3A\xD9\x96\xFB\xE8\x1E\x92\xAE\x13\x55\xC8\xD9\x27\xF6\xDC\x48\x1B\xB0\x24\xC1\x85\xE3\x77\x9D\x9A\xA4\xF3\x0C\x11\x1D\x0D\xC8\xB4\x14\xEE\xB5\x82\x57\x09\xBF\x20\x58\x7F\x2F\x22\x23\xD8\x70\xCB\x79\x6C\xC9\x4B\xF2\xA9\x2A\xC8\xFC\x87\x2B\xD7\x1A\x50\xF8\x27\xE8\x2F\x43\xE3\x3A\xBD\xD8\x57\x71\xFD\xCE\xA6\x52\x5B\xF9\xDD\x4D\xED\xE5\xF6\x6F\x89\xED\xBB\x93\x9C\x76\x21\x75\xF0\x92\x4C\x29\xF7\x2F\x9C\x01\x2E\xFE\x50\x46\x9E\x64\x0C\x14\xB3\x07\x5B\xC5\xC2\x73\x6C\xF1\x07\x5C\x45\x24\x14\x35\xAE\x83\xF1\x6A\x4D\x89\x7A\xFA\xB3\xD8\x2D\x66\xF0\x36\x87\xF5\x2B\x53\x02\x03\x01\x00\x01\xA3\x81\xAA\x30\x81\xA7\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xA6\xB3\xE1\x2B\x2B\x49\xB6\xD7\x73\xA1\xAA\x94\xF5\x01\xE7\x73\x65\x4C\xAC\x50\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA6\xB3\xE1\x2B\x2B\x49\xB6\xD7\x73\xA1\xAA\x94\xF5\x01\xE7\x73\x65\x4C\xAC\x50\x30\x44\x06\x03\x55\x1D\x20\x04\x3D\x30\x3B\x30\x39\x06\x04\x55\x1D\x20\x00\x30\x31\x30\x2F\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x23\x68\x74\x74\x70\x3A\x2F\x2F\x61\x63\x65\x64\x69\x63\x6F\x6D\x2E\x65\x64\x69\x63\x6F\x6D\x67\x72\x6F\x75\x70\x2E\x63\x6F\x6D\x2F\x64\x6F\x63\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\xCE\x2C\x0B\x52\x51\x62\x26\x7D\x0C\x27\x83\x8F\xC5\xF6\xDA\xA0\x68\x7B\x4F\x92\x5E\xEA\xA4\x73\x32\x11\x53\x44\xB2\x44\xCB\x9D\xEC\x0F\x79\x42\xB3\x10\xA6\xC7\x0D\x9D\xCB\xB6\xFA\x3F\x3
A\x7C\xEA\xBF\x88\x53\x1B\x3C\xF7\x82\xFA\x05\x35\x33\xE1\x35\xA8\x57\xC0\xE7\xFD\x8D\x4F\x3F\x93\x32\x4F\x78\x66\x03\x77\x07\x58\xE9\x95\xC8\x7E\x3E\xD0\x79\x00\x8C\xF2\x1B\x51\x33\x9B\xBC\x94\xE9\x3A\x7B\x6E\x52\x2D\x32\x9E\x23\xA4\x45\xFB\xB6\x2E\x13\xB0\x8B\x18\xB1\xDD\xCE\xD5\x1D\xA7\x42\x7F\x55\xBE\xFB\x5B\xBB\x47\xD4\xFC\x24\xCD\x04\xAE\x96\x05\x15\xD6\xAC\xCE\x30\xF3\xCA\x0B\xC5\xBA\xE2\x22\xE0\xA6\xAD\x22\xE4\x02\xEE\x74\x11\x7F\x4C\xFF\x78\x1D\x35\xDA\xE6\x02\x34\xEB\x18\x12\x61\x77\x06\x09\x16\x63\xEA\x18\xAD\xA2\x87\x1F\xF2\xC7\x80\x09\x09\x75\x4E\x10\xA8\x8F\x3D\x86\xB8\x75\x11\xC0\x24\x62\x8A\x96\x7B\x4A\x45\xE9\xEC\x59\xC5\xBE\x6B\x83\xE6\xE1\xE8\xAC\xB5\x30\x1E\xFE\x05\x07\x80\xF9\xE1\x23\x0D\x50\x8F\x05\x98\xFF\x2C\x5F\xE8\x3B\xB6\xAD\xCF\x81\xB5\x21\x87\xCA\x08\x2A\x23\x27\x30\x20\x2B\xCF\xED\x94\x5B\xAC\xB2\x7A\xD2\xC7\x28\xA1\x8A\x0B\x9B\x4D\x4A\x2C\x6D\x85\x3F\x09\x72\x3C\x67\xE2\xD9\xDC\x07\xBA\xEB\x65\x7B\x5A\x01\x63\xD6\x90\x5B\x4F\x17\x66\x3D\x7F\x0B\x19\xA3\x93\x63\x10\x52\x2A\x9F\x14\x16\x58\xE2\xDC\xA5\xF4\xA1\x16\x8B\x0E\x91\x8B\x81\xCA\x9B\x59\xFA\xD8\x6B\x91\x07\x65\x55\x5F\x52\x1F\xAF\x3A\xFB\x90\xDD\x69\xA5\x5B\x9C\x6D\x0E\x2C\xB6\xFA\xCE\xAC\xA5\x7C\x32\x4A\x67\x40\xDC\x30\x34\x23\xDD\xD7\x04\x23\x66\xF0\xFC\x55\x80\xA7\xFB\x66\x19\x82\x35\x67\x62\x70\x39\x5E\x6F\xC7\xEA\x90\x40\x44\x08\x1E\xB8\xB2\xD6\xDB\xEE\x59\xA7\x0D\x18\x79\x34\xBC\x54\x18\x5E\x53\xCA\x34\x51\xED\x45\x0A\xE6\x8E\xC7\x82\x36\x3E\xA7\x38\x63\xA9\x30\x2C\x17\x10\x60\x92\x9F\x55\x87\x12\x59\x10\xC2\x0F\x67\x69\x11\xCC\x4E\x1E\x7E\x4A\x9A\xAD\xAF\x40\xA8\x75\xAC\x56\x90\x74\xB8\xA0\x9C\xA5\x79\x6F\xDC\xE9\x1A\xC8\x69\x05\xE9\xBA\xFA\x03\xB3\x7C\xE4\xE0\x4E\xC2\xCE\x9D\xE8\xB6\x46\x0D\x6E\x7E\x57\x3A\x67\x94\xC2\xCB\x1F\x9C\x77\x4A\x67\x4E\x69\x86\x43\x93\x38\xFB\xB6\xDB\x4F\x83\x91\xD4\x60\x7E\x4B\x3E\x2B\x38\x07\x55\x98\x5E\xA4", ["emailAddress=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU"] = 
"\x30\x82\x04\x0A\x30\x82\x02\xF2\xA0\x03\x02\x01\x02\x02\x09\x00\xC2\x7E\x43\x04\x4E\x47\x3F\x19\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x0C\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x0C\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4C\x74\x64\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x30\x39\x31\x1F\x30\x1D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x10\x69\x6E\x66\x6F\x40\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x30\x1E\x17\x0D\x30\x39\x30\x36\x31\x36\x31\x31\x33\x30\x31\x38\x5A\x17\x0D\x32\x39\x31\x32\x33\x30\x31\x31\x33\x30\x31\x38\x5A\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x0C\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x0C\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4C\x74\x64\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x30\x39\x31\x1F\x30\x1D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x10\x69\x6E\x66\x6F\x40\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE9\xF8\x8F\xF3\x63\xAD\xDA\x86\xD8\xA7\xE0\x42\xFB\xCF\x91\xDE\xA6\x26\xF8\x99\xA5\x63\x70\xAD\x9B\xAE\xCA\x33\x40\x7D\x6D\x96\x6E\xA1\x0E\x44\xEE\xE1\x13\x9D\x94\x42\x52\x9A\xBD\x75\x85\x74\x2C\xA8\x0E\x1D\x93\xB6\x18\xB7\x8C\x2C\xA8\xCF\xFB\x5C\x71\xB9\xDA\xEC\xFE\xE8\x7E\x8F\xE4\x2F\x1D\xB2\xA8\x75\x87\xD8\xB7\xA1\xE5\x3B\xCF\x99\x4A\x46\xD0\x83\x19\x7D\xC0\xA1\x12\x1C\x95\x6D\x4A\xF4\xD8\xC7\xA5\x4D\x33\x2E\x85\x39\x40\x75\x7E\x14\x7C\x80\x12\x98\x50\xC7\x41\x67\xB8\xA0\x80\x61\x54\xA6\x6C\x4E\x1F\xE0\x9D\x0
E\x07\xE9\xC9\xBA\x33\xE7\xFE\xC0\x55\x28\x2C\x02\x80\xA7\x19\xF5\x9E\xDC\x55\x53\x03\x97\x7B\x07\x48\xFF\x99\xFB\x37\x8A\x24\xC4\x59\xCC\x50\x10\x63\x8E\xAA\xA9\x1A\xB0\x84\x1A\x86\xF9\x5F\xBB\xB1\x50\x6E\xA4\xD1\x0A\xCC\xD5\x71\x7E\x1F\xA7\x1B\x7C\xF5\x53\x6E\x22\x5F\xCB\x2B\xE6\xD4\x7C\x5D\xAE\xD6\xC2\xC6\x4C\xE5\x05\x01\xD9\xED\x57\xFC\xC1\x23\x79\xFC\xFA\xC8\x24\x83\x95\xF3\xB5\x6A\x51\x01\xD0\x77\xD6\xE9\x12\xA1\xF9\x1A\x83\xFB\x82\x1B\xB9\xB0\x97\xF4\x76\x06\x33\x43\x49\xA0\xFF\x0B\xB5\xFA\xB5\x02\x03\x01\x00\x01\xA3\x81\x80\x30\x7E\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xCB\x0F\xC6\xDF\x42\x43\xCC\x3D\xCB\xB5\x48\x23\xA1\x1A\x7A\xA6\x2A\xBB\x34\x68\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xCB\x0F\xC6\xDF\x42\x43\xCC\x3D\xCB\xB5\x48\x23\xA1\x1A\x7A\xA6\x2A\xBB\x34\x68\x30\x1B\x06\x03\x55\x1D\x11\x04\x14\x30\x12\x81\x10\x69\x6E\x66\x6F\x40\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\xC9\xD1\x0E\x5E\x2E\xD5\xCC\xB3\x7C\x3E\xCB\xFC\x3D\xFF\x0D\x28\x95\x93\x04\xC8\xBF\xDA\xCD\x79\xB8\x43\x90\xF0\xA4\xBE\xEF\xF2\xEF\x21\x98\xBC\xD4\xD4\x5D\x06\xF6\xEE\x42\xEC\x30\x6C\xA0\xAA\xA9\xCA\xF1\xAF\x8A\xFA\x3F\x0B\x73\x6A\x3E\xEA\x2E\x40\x7E\x1F\xAE\x54\x61\x79\xEB\x2E\x08\x37\xD7\x23\xF3\x8C\x9F\xBE\x1D\xB1\xE1\xA4\x75\xDB\xA0\xE2\x54\x14\xB1\xBA\x1C\x29\xA4\x18\xF6\x12\xBA\xA2\x14\x14\xE3\x31\x35\xC8\x40\xFF\xB7\xE0\x05\x76\x57\xC1\x1C\x59\xF2\xF8\xBF\xE4\xED\x25\x62\x5C\x84\xF0\x7E\x7E\x1F\xB3\xBE\xF9\xB7\x21\x11\xCC\x03\x01\x56\x70\xA7\x10\x92\x1E\x1B\x34\x81\x1E\xAD\x9C\x1A\xC3\x04\x3C\xED\x02\x61\xD6\x1E\x06\xF3\x5F\x3A\x87\xF2\x2B\xF1\x45\x87\xE5\x3D\xAC\xD1\xC7\x57\x84\xBD\x6B\xAE\xDC\xD8\xF9\xB6\x1B\x62\x70\x0B\x3D\x36\xC9\x42\xF2\x32\xD7\x7A\x61\xE6\xD2\xDB\x3D\xCF\xC8\xA9\xC9\x9B\xDC\xDB\x58\x44\xD7\x6F\x38\xAF\x7F\x78\xD3\xA3\xAD\x1A\x7
5\xBA\x1C\xC1\x36\x7C\x8F\x1E\x6D\x1C\xC3\x75\x46\xAE\x35\x05\xA6\xF6\x5C\x3D\x21\xEE\x56\xF0\xC9\x82\x22\x2D\x7A\x54\xAB\x70\xC3\x7D\x22\x65\x82\x70\x96", ["CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3"] = "\x30\x82\x03\x5F\x30\x82\x02\x47\xA0\x03\x02\x01\x02\x02\x0B\x04\x00\x00\x00\x00\x01\x21\x58\x53\x08\xA2\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x4C\x31\x20\x30\x1E\x06\x03\x55\x04\x0B\x13\x17\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x52\x33\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x30\x1E\x17\x0D\x30\x39\x30\x33\x31\x38\x31\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x30\x33\x31\x38\x31\x30\x30\x30\x30\x30\x5A\x30\x4C\x31\x20\x30\x1E\x06\x03\x55\x04\x0B\x13\x17\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x52\x33\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xCC\x25\x76\x90\x79\x06\x78\x22\x16\xF5\xC0\x83\xB6\x84\xCA\x28\x9E\xFD\x05\x76\x11\xC5\xAD\x88\x72\xFC\x46\x02\x43\xC7\xB2\x8A\x9D\x04\x5F\x24\xCB\x2E\x4B\xE1\x60\x82\x46\xE1\x52\xAB\x0C\x81\x47\x70\x6C\xDD\x64\xD1\xEB\xF5\x2C\xA3\x0F\x82\x3D\x0C\x2B\xAE\x97\xD7\xB6\x14\x86\x10\x79\xBB\x3B\x13\x80\x77\x8C\x08\xE1\x49\xD2\x6A\x62\x2F\x1F\x5E\xFA\x96\x68\xDF\x89\x27\x95\x38\x9F\x06\xD7\x3E\xC9\xCB\x26\x59\x0D\x73\xDE\xB0\xC8\xE9\x26\x0E\x83\x15\xC6\xEF\x5B\x8B\xD2\x04\x60\xCA\x49\xA6\x28\xF6\x69\x3B\xF6\xCB\xC8\x28\x91\xE5\x9D\x8A\x61\x57\x37\xAC\x74\x14\xDC\x74\xE0\x3A\xEE\x72\x2F\x2E\x9C\xFB\xD0\xBB\xBF\xF5\x3D\x00\xE1\x06\x33\xE8\x82\x2B\xAE\x53\xA6\x3A\x16\x73\x8C\xDD\x41\x0E\x20\x3A\xC0\xB4\xA7\xA1\xE9\xB2\x4F\x90\x2E\x3
2\x60\xE9\x57\xCB\xB9\x04\x92\x68\x68\xE5\x38\x26\x60\x75\xB2\x9F\x77\xFF\x91\x14\xEF\xAE\x20\x49\xFC\xAD\x40\x15\x48\xD1\x02\x31\x61\x19\x5E\xB8\x97\xEF\xAD\x77\xB7\x64\x9A\x7A\xBF\x5F\xC1\x13\xEF\x9B\x62\xFB\x0D\x6C\xE0\x54\x69\x16\xA9\x03\xDA\x6E\xE9\x83\x93\x71\x76\xC6\x69\x85\x82\x17\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x8F\xF0\x4B\x7F\xA8\x2E\x45\x24\xAE\x4D\x50\xFA\x63\x9A\x8B\xDE\xE2\xDD\x1B\xBC\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x4B\x40\xDB\xC0\x50\xAA\xFE\xC8\x0C\xEF\xF7\x96\x54\x45\x49\xBB\x96\x00\x09\x41\xAC\xB3\x13\x86\x86\x28\x07\x33\xCA\x6B\xE6\x74\xB9\xBA\x00\x2D\xAE\xA4\x0A\xD3\xF5\xF1\xF1\x0F\x8A\xBF\x73\x67\x4A\x83\xC7\x44\x7B\x78\xE0\xAF\x6E\x6C\x6F\x03\x29\x8E\x33\x39\x45\xC3\x8E\xE4\xB9\x57\x6C\xAA\xFC\x12\x96\xEC\x53\xC6\x2D\xE4\x24\x6C\xB9\x94\x63\xFB\xDC\x53\x68\x67\x56\x3E\x83\xB8\xCF\x35\x21\xC3\xC9\x68\xFE\xCE\xDA\xC2\x53\xAA\xCC\x90\x8A\xE9\xF0\x5D\x46\x8C\x95\xDD\x7A\x58\x28\x1A\x2F\x1D\xDE\xCD\x00\x37\x41\x8F\xED\x44\x6D\xD7\x53\x28\x97\x7E\xF3\x67\x04\x1E\x15\xD7\x8A\x96\xB4\xD3\xDE\x4C\x27\xA4\x4C\x1B\x73\x73\x76\xF4\x17\x99\xC2\x1F\x7A\x0E\xE3\x2D\x08\xAD\x0A\x1C\x2C\xFF\x3C\xAB\x55\x0E\x0F\x91\x7E\x36\xEB\xC3\x57\x49\xBE\xE1\x2E\x2D\x7C\x60\x8B\xC3\x41\x51\x13\x23\x9D\xCE\xF7\x32\x6B\x94\x01\xA8\x99\xE7\x2C\x33\x1F\x3A\x3B\x25\xD2\x86\x40\xCE\x3B\x2C\x86\x78\xC9\x61\x2F\x14\xBA\xEE\xDB\x55\x6F\xDF\x84\xEE\x05\x09\x4D\xBD\x28\xD8\x72\xCE\xD3\x62\x50\x65\x1E\xEB\x92\x97\x83\x31\xD9\xB3\xB5\xCA\x47\x58\x3F\x5F", ["CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES"] = 
"\x30\x82\x06\x14\x30\x82\x03\xFC\xA0\x03\x02\x01\x02\x02\x08\x53\xEC\x3B\xEE\xFB\xB2\x48\x5F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x51\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x42\x30\x40\x06\x03\x55\x04\x03\x0C\x39\x41\x75\x74\x6F\x72\x69\x64\x61\x64\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x46\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x20\x43\x49\x46\x20\x41\x36\x32\x36\x33\x34\x30\x36\x38\x30\x1E\x17\x0D\x30\x39\x30\x35\x32\x30\x30\x38\x33\x38\x31\x35\x5A\x17\x0D\x33\x30\x31\x32\x33\x31\x30\x38\x33\x38\x31\x35\x5A\x30\x51\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x42\x30\x40\x06\x03\x55\x04\x03\x0C\x39\x41\x75\x74\x6F\x72\x69\x64\x61\x64\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x46\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x20\x43\x49\x46\x20\x41\x36\x32\x36\x33\x34\x30\x36\x38\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xCA\x96\x6B\x8E\xEA\xF8\xFB\xF1\xA2\x35\xE0\x7F\x4C\xDA\xE0\xC3\x52\xD7\x7D\xB6\x10\xC8\x02\x5E\xB3\x43\x2A\xC4\x4F\x6A\xB2\xCA\x1C\x5D\x28\x9A\x78\x11\x1A\x69\x59\x57\xAF\xB5\x20\x42\xE4\x8B\x0F\xE6\xDF\x5B\xA6\x03\x92\x2F\xF5\x11\xE4\x62\xD7\x32\x71\x38\xD9\x04\x0C\x71\xAB\x3D\x51\x7E\x0F\x07\xDF\x63\x05\x5C\xE9\xBF\x94\x6F\xC1\x29\x82\xC0\xB4\xDA\x51\xB0\xC1\x3C\xBB\xAD\x37\x4A\x5C\xCA\xF1\x4B\x36\x0E\x24\xAB\xBF\xC3\x84\x77\xFD\xA8\x50\xF4\xB1\xE7\xC6\x2F\xD2\x2D\x59\x8D\x7A\x0A\x4E\x96\x69\x52\x02\xAA\x36\x98\xEC\xFC\xFA\x14\x83\x0C\x37\x1F\xC9\x92\x37\x7F\xD7\x81\x2D\xE5\xC4\xB9\xE0\x3E\x34\xFE\x67\xF4\x3E\x66\xD1\xD3\xF4\x40\xCF\x5E\x62\x34\x0F\x70\x06\x3E\x20\x18\x5A\xCE\xF7\x72\x1B\x25\x6C\x93\x74\x14\x93\xA3\x73\xB1\x0E\xAA\x87\x10\x23\x59\x5F\x20\x05\x19\x47\xED\x68\x8E\x92\x12\xCA\x5D\xFC\xD6\x2B\xB2\x92\x3C\x20\xCF\xE1\x5F\xAF\x20\xBE\xA0\x76\x7F\x76\xE5\xEC\x1A\x86\x61\x33\x3E\xE7\x7B\xB4\x3F\xA
0\x0F\x8E\xA2\xB9\x6A\x6F\xB9\x87\x26\x6F\x41\x6C\x88\xA6\x50\xFD\x6A\x63\x0B\xF5\x93\x16\x1B\x19\x8F\xB2\xED\x9B\x9B\xC9\x90\xF5\x01\x0C\xDF\x19\x3D\x0F\x3E\x38\x23\xC9\x2F\x8F\x0C\xD1\x02\xFE\x1B\x55\xD6\x4E\xD0\x8D\x3C\xAF\x4F\xA4\xF3\xFE\xAF\x2A\xD3\x05\x9D\x79\x08\xA1\xCB\x57\x31\xB4\x9C\xC8\x90\xB2\x67\xF4\x18\x16\x93\x3A\xFC\x47\xD8\xD1\x78\x96\x31\x1F\xBA\x2B\x0C\x5F\x5D\x99\xAD\x63\x89\x5A\x24\x20\x76\xD8\xDF\xFD\xAB\x4E\xA6\x22\xAA\x9D\x5E\xE6\x27\x8A\x7D\x68\x29\xA3\xE7\x8A\xB8\xDA\x11\xBB\x17\x2D\x99\x9D\x13\x24\x46\xF7\xC5\xE2\xD8\x9F\x8E\x7F\xC7\x8F\x74\x6D\x5A\xB2\xE8\x72\xF5\xAC\xEE\x24\x10\xAD\x2F\x14\xDA\xFF\x2D\x9A\x46\x71\x47\xBE\x42\xDF\xBB\x01\xDB\xF4\x7F\xD3\x28\x8F\x31\x59\x5B\xD3\xC9\x02\xA6\xB4\x52\xCA\x6E\x97\xFB\x43\xC5\x08\x26\x6F\x8A\xF4\xBB\xFD\x9F\x28\xAA\x0D\xD5\x45\xF3\x13\x3A\x1D\xD8\xC0\x78\x8F\x41\x67\x3C\x1E\x94\x64\xAE\x7B\x0B\xC5\xE8\xD9\x01\x88\x39\x1A\x97\x86\x64\x41\xD5\x3B\x87\x0C\x6E\xFA\x0F\xC6\xBD\x48\x14\xBF\x39\x4D\xD4\x9E\x41\xB6\x8F\x96\x1D\x63\x96\x93\xD9\x95\x06\x78\x31\x68\x9E\x37\x06\x3B\x80\x89\x45\x61\x39\x23\xC7\x1B\x44\xA3\x15\xE5\x1C\xF8\x92\x30\xBB\x02\x03\x01\x00\x01\xA3\x81\xEF\x30\x81\xEC\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x01\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x65\xCD\xEB\xAB\x35\x1E\x00\x3E\x7E\xD5\x74\xC0\x1C\xB4\x73\x47\x0E\x1A\x64\x2F\x30\x81\xA6\x06\x03\x55\x1D\x20\x04\x81\x9E\x30\x81\x9B\x30\x81\x98\x06\x04\x55\x1D\x20\x00\x30\x81\x8F\x30\x2F\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x23\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x66\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x2E\x63\x6F\x6D\x2F\x63\x70\x73\x30\x5C\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x50\x1E\x4E\x00\x50\x00\x61\x00\x73\x00\x65\x00\x6F\x00\x20\x00\x64\x00\x65\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x42\x00\x6F\x00\x6E\x00\x61\x00\x6E\x00\x6F\x00\x76\x00\x61\x00\x20\x00\x34\x00\x37\x00\x20\x00\x4
2\x00\x61\x00\x72\x00\x63\x00\x65\x00\x6C\x00\x6F\x00\x6E\x00\x61\x00\x20\x00\x30\x00\x38\x00\x30\x00\x31\x00\x37\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x17\x7D\xA0\xF9\xB4\xDD\xC5\xC5\xEB\xAD\x4B\x24\xB5\xA1\x02\xAB\xDD\xA5\x88\x4A\xB2\x0F\x55\x4B\x2B\x57\x8C\x3B\xE5\x31\xDD\xFE\xC4\x32\xF1\xE7\x5B\x64\x96\x36\x32\x18\xEC\xA5\x32\x77\xD7\xE3\x44\xB6\xC0\x11\x2A\x80\xB9\x3D\x6A\x6E\x7C\x9B\xD3\xAD\xFC\xC3\xD6\xA3\xE6\x64\x29\x7C\xD1\xE1\x38\x1E\x82\x2B\xFF\x27\x65\xAF\xFB\x16\x15\xC4\x2E\x71\x84\xE5\xB5\xFF\xFA\xA4\x47\xBD\x64\x32\xBB\xF6\x25\x84\xA2\x27\x42\xF5\x20\xB0\xC2\x13\x10\x11\xCD\x10\x15\xBA\x42\x90\x2A\xD2\x44\xE1\x96\x26\xEB\x31\x48\x12\xFD\x2A\xDA\xC9\x06\xCF\x74\x1E\xA9\x4B\xD5\x87\x28\xF9\x79\x34\x92\x3E\x2E\x44\xE8\xF6\x8F\x4F\x8F\x35\x3F\x25\xB3\x39\xDC\x63\x2A\x90\x6B\x20\x5F\xC4\x52\x12\x4E\x97\x2C\x2A\xAC\x9D\x97\xDE\x48\xF2\xA3\x66\xDB\xC2\xD2\x83\x95\xA6\x66\xA7\x9E\x25\x0F\xE9\x0B\x33\x91\x65\x0A\x5A\xC3\xD9\x54\x12\xDD\xAF\xC3\x4E\x0E\x1F\x26\x5E\x0D\xDC\xB3\x8D\xEC\xD5\x81\x70\xDE\xD2\x4F\x24\x05\xF3\x6C\x4E\xF5\x4C\x49\x66\x8D\xD1\xFF\xD2\x0B\x25\x41\x48\xFE\x51\x84\xC6\x42\xAF\x80\x04\xCF\xD0\x7E\x64\x49\xE4\xF2\xDF\xA2\xEC\xB1\x4C\xC0\x2A\x1D\xE7\xB4\xB1\x65\xA2\xC4\xBC\xF1\x98\xF4\xAA\x70\x07\x63\xB4\xB8\xDA\x3B\x4C\xFA\x40\x22\x30\x5B\x11\xA6\xF0\x05\x0E\xC6\x02\x03\x48\xAB\x86\x9B\x85\xDD\xDB\xDD\xEA\xA2\x76\x80\x73\x7D\xF5\x9C\x04\xC4\x45\x8D\xE7\xB9\x1C\x8B\x9E\xEA\xD7\x75\xD1\x72\xB1\xDE\x75\x44\xE7\x42\x7D\xE2\x57\x6B\x7D\xDC\x99\xBC\x3D\x83\x28\xEA\x80\x93\x8D\xC5\x4C\x65\xC1\x70\x81\xB8\x38\xFC\x43\x31\xB2\xF6\x03\x34\x47\xB2\xAC\xFB\x22\x06\xCB\x1E\xDD\x17\x47\x1C\x5F\x66\xB9\xD3\x1A\xA2\xDA\x11\xB1\xA4\xBC\x23\xC9\xE4\xBE\x87\xFF\xB9\x94\xB6\xF8\x5D\x20\x4A\xD4\x5F\xE7\xBD\x68\x7B\x65\xF2\x15\x1E\xD2\x3A\xA9\x2D\xE9\xD8\x6B\x24\xAC\x97\x58\x44\x47\xAD\x59\x18\xF1\x21\x65\x70\xDE\xCE\x34\x60\xA8\x40\xF1\xF3\x3C\xA4\xC3\x28\x23\x8C\xFE\x27\x33\x43\x40\xA0\x17\x3C\xEB\xEA\x3B\xB0\x72\xA6\xA
3\xB9\x4A\x4B\x5E\x16\x48\xF4\xB2\xBC\xC8\x8C\x92\xC5\x9D\x9F\xAC\x72\x36\xBC\x34\x80\x34\x6B\xA9\x8B\x92\xC0\xB8\x17\xED\xEC\x76\x53\xF5\x24\x01\x8C\xB3\x22\xE8\x4B\x7C\x55\xC6\x9D\xFA\xA3\x14\xBB\x65\x85\x6E\x6E\x4F\x12\x7E\x0A\x3C\x9D\x95", 
@@ -102,27 +77,18 @@ redef root_certs += { ["CN=AffirmTrust Premium,O=AffirmTrust,C=US"] = "\x30\x82\x05\x46\x30\x82\x03\x2E\xA0\x03\x02\x01\x02\x02\x08\x6D\x8C\x14\x46\xB1\xA6\x0A\xEE\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x30\x41\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x0C\x13\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x50\x72\x65\x6D\x69\x75\x6D\x30\x1E\x17\x0D\x31\x30\x30\x31\x32\x39\x31\x34\x31\x30\x33\x36\x5A\x17\x0D\x34\x30\x31\x32\x33\x31\x31\x34\x31\x30\x33\x36\x5A\x30\x41\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x0C\x13\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x50\x72\x65\x6D\x69\x75\x6D\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC4\x12\xDF\xA9\x5F\xFE\x41\xDD\xDD\xF5\x9F\x8A\xE3\xF6\xAC\xE1\x3C\x78\x9A\xBC\xD8\xF0\x7F\x7A\xA0\x33\x2A\xDC\x8D\x20\x5B\xAE\x2D\x6F\xE7\x93\xD9\x36\x70\x6A\x68\xCF\x8E\x51\xA3\x85\x5B\x67\x04\xA0\x10\x24\x6F\x5D\x28\x82\xC1\x97\x57\xD8\x48\x29\x13\xB6\xE1\xBE\x91\x4D\xDF\x85\x0C\x53\x18\x9A\x1E\x24\xA2\x4F\x8F\xF0\xA2\x85\x0B\xCB\xF4\x29\x7F\xD2\xA4\x58\xEE\x26\x4D\xC9\xAA\xA8\x7B\x9A\xD9\xFA\x38\xDE\x44\x57\x15\xE5\xF8\x8C\xC8\xD9\x48\xE2\x0D\x16\x27\x1D\x1E\xC8\x83\x85\x25\xB7\xBA\xAA\x55\x41\xCC\x03\x22\x4B\x2D\x91\x8D\x8B\xE6\x89\xAF\x66\xC7\xE9\xFF\x2B\xE9\x3C\xAC\xDA\xD2\xB3\xC3\xE1\x68\x9C\x89\xF8\x7A\x00\x56\xDE\xF4\x55\x95\x6C\xFB\xBA\x64\xDD\x62\x8B\xDF\x0B\x77\x32\xEB\x62\xCC\x26\x9A\x9B\xBB\xAA\x62\x83\x4C\xB4\x06\x7A\x30\xC8\x29\xBF\xED\x06\x4D\x97\xB9\x1C\xC4\x31\x2B\xD5\x5F\xBC\x53\x12\x17\x9C\x99\x57\x29\x66\x77\x61\x21\x31\x07\x2E\x25\x49\x9D\x18\xF2\xEE\xF3\x2B\x71\x8C\xB5\xBA\x39\x07\x49\x77\xFC\xEF\x2E\x92\x90\x05\x8D\x2D
\x2F\x77\x7B\xEF\x43\xBF\x35\xBB\x9A\xD8\xF9\x73\xA7\x2C\xF2\xD0\x57\xEE\x28\x4E\x26\x5F\x8F\x90\x68\x09\x2F\xB8\xF8\xDC\x06\xE9\x2E\x9A\x3E\x51\xA7\xD1\x22\xC4\x0A\xA7\x38\x48\x6C\xB3\xF9\xFF\x7D\xAB\x86\x57\xE3\xBA\xD6\x85\x78\x77\xBA\x43\xEA\x48\x7F\xF6\xD8\xBE\x23\x6D\x1E\xBF\xD1\x36\x6C\x58\x5C\xF1\xEE\xA4\x19\x54\x1A\xF5\x03\xD2\x76\xE6\xE1\x8C\xBD\x3C\xB3\xD3\x48\x4B\xE2\xC8\xF8\x7F\x92\xA8\x76\x46\x9C\x42\x65\x3E\xA4\x1E\xC1\x07\x03\x5A\x46\x2D\xB8\x97\xF3\xB7\xD5\xB2\x55\x21\xEF\xBA\xDC\x4C\x00\x97\xFB\x14\x95\x27\x33\xBF\xE8\x43\x47\x46\xD2\x08\x99\x16\x60\x3B\x9A\x7E\xD2\xE6\xED\x38\xEA\xEC\x01\x1E\x3C\x48\x56\x49\x09\xC7\x4C\x37\x00\x9E\x88\x0E\xC0\x73\xE1\x6F\x66\xE9\x72\x47\x30\x3E\x10\xE5\x0B\x03\xC9\x9A\x42\x00\x6C\xC5\x94\x7E\x61\xC4\x8A\xDF\x7F\x82\x1A\x0B\x59\xC4\x59\x32\x77\xB3\xBC\x60\x69\x56\x39\xFD\xB4\x06\x7B\x2C\xD6\x64\x36\xD9\xBD\x48\xED\x84\x1F\x7E\xA5\x22\x8F\x2A\xB8\x42\xF4\x82\xB7\xD4\x53\x90\x78\x4E\x2D\x1A\xFD\x81\x6F\x44\xD7\x3B\x01\x74\x96\x42\xE0\x00\xE2\x2E\x6B\xEA\xC5\xEE\x72\xAC\xBB\xBF\xFE\xEA\xAA\xA8\xF8\xDC\xF6\xB2\x79\x8A\xB6\x67\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x9D\xC0\x67\xA6\x0C\x22\xD9\x26\xF5\x45\xAB\xA6\x65\x52\x11\x27\xD8\x45\xAC\x63\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x03\x82\x02\x01\x00\xB3\x57\x4D\x10\x62\x4E\x3A\xE4\xAC\xEA\xB8\x1C\xAF\x32\x23\xC8\xB3\x49\x5A\x51\x9C\x76\x28\x8D\x79\xAA\x57\x46\x17\xD5\xF5\x52\xF6\xB7\x44\xE8\x08\x44\xBF\x18\x84\xD2\x0B\x80\xCD\xC5\x12\xFD\x00\x55\x05\x61\x87\x41\xDC\xB5\x24\x9E\x3C\xC4\xD8\xC8\xFB\x70\x9E\x2F\x78\x96\x83\x20\x36\xDE\x7C\x0F\x69\x13\x88\xA5\x75\x36\x98\x08\xA6\xC6\xDF\xAC\xCE\xE3\x58\xD6\xB7\x3E\xDE\xBA\xF3\xEB\x34\x40\xD8\xA2\x81\xF5\x78\x3F\x2F\xD5\xA5\xFC\xD9\xA2\xD4\x5E\x04\x0E\x17\xAD\xFE\x41\xF0\xE5\xB2\x72\xFA\x44\x82\x33\x42\xE8\x2D\x58\xF7\x56\x8C\x62\x3F
\xBA\x42\xB0\x9C\x0C\x5C\x7E\x2E\x65\x26\x5C\x53\x4F\x00\xB2\x78\x7E\xA1\x0D\x99\x2D\x8D\xB8\x1D\x8E\xA2\xC4\xB0\xFD\x60\xD0\x30\xA4\x8E\xC8\x04\x62\xA9\xC4\xED\x35\xDE\x7A\x97\xED\x0E\x38\x5E\x92\x2F\x93\x70\xA5\xA9\x9C\x6F\xA7\x7D\x13\x1D\x7E\xC6\x08\x48\xB1\x5E\x67\xEB\x51\x08\x25\xE9\xE6\x25\x6B\x52\x29\x91\x9C\xD2\x39\x73\x08\x57\xDE\x99\x06\xB4\x5B\x9D\x10\x06\xE1\xC2\x00\xA8\xB8\x1C\x4A\x02\x0A\x14\xD0\xC1\x41\xCA\xFB\x8C\x35\x21\x7D\x82\x38\xF2\xA9\x54\x91\x19\x35\x93\x94\x6D\x6A\x3A\xC5\xB2\xD0\xBB\x89\x86\x93\xE8\x9B\xC9\x0F\x3A\xA7\x7A\xB8\xA1\xF0\x78\x46\xFA\xFC\x37\x2F\xE5\x8A\x84\xF3\xDF\xFE\x04\xD9\xA1\x68\xA0\x2F\x24\xE2\x09\x95\x06\xD5\x95\xCA\xE1\x24\x96\xEB\x7C\xF6\x93\x05\xBB\xED\x73\xE9\x2D\xD1\x75\x39\xD7\xE7\x24\xDB\xD8\x4E\x5F\x43\x8F\x9E\xD0\x14\x39\xBF\x55\x70\x48\x99\x57\x31\xB4\x9C\xEE\x4A\x98\x03\x96\x30\x1F\x60\x06\xEE\x1B\x23\xFE\x81\x60\x23\x1A\x47\x62\x85\xA5\xCC\x19\x34\x80\x6F\xB3\xAC\x1A\xE3\x9F\xF0\x7B\x48\xAD\xD5\x01\xD9\x67\xB6\xA9\x72\x93\xEA\x2D\x66\xB5\xB2\xB8\xE4\x3D\x3C\xB2\xEF\x4C\x8C\xEA\xEB\x07\xBF\xAB\x35\x9A\x55\x86\xBC\x18\xA6\xB5\xA8\x5E\xB4\x83\x6C\x6B\x69\x40\xD3\x9F\xDC\xF1\xC3\x69\x6B\xB9\xE1\x6D\x09\xF4\xF1\xAA\x50\x76\x0A\x7A\x7D\x7A\x17\xA1\x55\x96\x42\x99\x31\x09\xDD\x60\x11\x8D\x05\x30\x7E\xE6\x8E\x46\xD1\x9D\x14\xDA\xC7\x17\xE4\x05\x96\x8C\xC4\x24\xB5\x1B\xCF\x14\x07\xB2\x40\xF8\xA3\x9E\x41\x86\xBC\x04\xD0\x6B\x96\xC8\x2A\x80\x34\xFD\xBF\xEF\x06\xA3\xDD\x58\xC5\x85\x3D\x3E\x8F\xFE\x9E\x29\xE0\xB6\xB8\x09\x68\x19\x1C\x18\x43", ["CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US"] = 
"\x30\x82\x01\xFE\x30\x82\x01\x85\xA0\x03\x02\x01\x02\x02\x08\x74\x97\x25\x8A\xC7\x3F\x7A\x54\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x50\x72\x65\x6D\x69\x75\x6D\x20\x45\x43\x43\x30\x1E\x17\x0D\x31\x30\x30\x31\x32\x39\x31\x34\x32\x30\x32\x34\x5A\x17\x0D\x34\x30\x31\x32\x33\x31\x31\x34\x32\x30\x32\x34\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x50\x72\x65\x6D\x69\x75\x6D\x20\x45\x43\x43\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x0D\x30\x5E\x1B\x15\x9D\x03\xD0\xA1\x79\x35\xB7\x3A\x3C\x92\x7A\xCA\x15\x1C\xCD\x62\xF3\x9C\x26\x5C\x07\x3D\xE5\x54\xFA\xA3\xD6\xCC\x12\xEA\xF4\x14\x5F\xE8\x8E\x19\xAB\x2F\x2E\x48\xE6\xAC\x18\x43\x78\xAC\xD0\x37\xC3\xBD\xB2\xCD\x2C\xE6\x47\xE2\x1A\xE6\x63\xB8\x3D\x2E\x2F\x78\xC4\x4F\xDB\xF4\x0F\xA4\x68\x4C\x55\x72\x6B\x95\x1D\x4E\x18\x42\x95\x78\xCC\x37\x3C\x91\xE2\x9B\x65\x2B\x29\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x9A\xAF\x29\x7A\xC0\x11\x35\x35\x26\x51\x30\x00\xC3\x6A\xFE\x40\xD5\xAE\xD6\x3C\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x67\x00\x30\x64\x02\x30\x17\x09\xF3\x87\x88\x50\x5A\xAF\xC8\xC0\x42\xBF\x47\x5F\xF5\x6C\x6A\x86\xE0\xC4\x27\x74\xE4\x38\x53\xD7\x05\x7F\x1B\x34\xE3\xC6\x2F\xB3\xCA\x09\x3C\x37\x9D\xD7\xE7\xB8\x46\xF1\xFD\xA1\xE2\x71\x02\x30\x42\x59\x87\x43\xD4\x51\xDF\xBA\xD3\x09\x32\x5A\xCE\x88\x7E\x57\x3D\x9C\x5F\x42\x6B\xF5\x07\x2D\xB5\xF0\x82\x93\xF9\x59\x6F\xAE\x64\xF
A\x58\xE5\x8B\x1E\xE3\x63\xBE\xB5\x81\xCD\x6F\x02\x8C\x79", ["CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL"] = "\x30\x82\x03\xBB\x30\x82\x02\xA3\xA0\x03\x02\x01\x02\x02\x03\x04\x44\xC0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x55\x6E\x69\x7A\x65\x74\x6F\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x20\x53\x2E\x41\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x43\x65\x72\x74\x75\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x65\x72\x74\x75\x6D\x20\x54\x72\x75\x73\x74\x65\x64\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x43\x41\x30\x1E\x17\x0D\x30\x38\x31\x30\x32\x32\x31\x32\x30\x37\x33\x37\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x31\x32\x30\x37\x33\x37\x5A\x30\x7E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x55\x6E\x69\x7A\x65\x74\x6F\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x20\x53\x2E\x41\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x43\x65\x72\x74\x75\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x65\x72\x74\x75\x6D\x20\x54\x72\x75\x73\x74\x65\x64\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE3\xFB\x7D\xA3\x72\xBA\xC2\xF0\xC9\x14\x87\xF5\x6B\x01\x4E\xE1\x6E\x40\x07\xBA\x6D\x27\x5D\x7F\xF7\x5B\x2D\xB3\x5A\xC7\x51\x5F\xAB\xA4\x32\xA6\x61\x87\xB6\x6E\x0F\x86\xD2\x30\x02\x97\xF8\xD7\x69\x57\xA1\x18\x39\x5D\x6A\x64\x79\xC6\x01\x59\xAC\x3C\x31\x4A\x38\x7C\xD2\x04\xD2\x4B\x28\xE8\x20\x5F\x3B\x07\xA2\xCC\x4D\x73\xDB\xF3\xAE\x4F\xC7\x56\xD5\x5A\xA7\x96\x89\xFA\xF3\xAB\x68\xD4\x23\x86\x59\x27\xCF\x09\x27\xBC\xAC\
x6E\x72\x83\x1C\x30\x72\xDF\xE0\xA2\xE9\xD2\xE1\x74\x75\x19\xBD\x2A\x9E\x7B\x15\x54\x04\x1B\xD7\x43\x39\xAD\x55\x28\xC5\xE2\x1A\xBB\xF4\xC0\xE4\xAE\x38\x49\x33\xCC\x76\x85\x9F\x39\x45\xD2\xA4\x9E\xF2\x12\x8C\x51\xF8\x7C\xE4\x2D\x7F\xF5\xAC\x5F\xEB\x16\x9F\xB1\x2D\xD1\xBA\xCC\x91\x42\x77\x4C\x25\xC9\x90\x38\x6F\xDB\xF0\xCC\xFB\x8E\x1E\x97\x59\x3E\xD5\x60\x4E\xE6\x05\x28\xED\x49\x79\x13\x4B\xBA\x48\xDB\x2F\xF9\x72\xD3\x39\xCA\xFE\x1F\xD8\x34\x72\xF5\xB4\x40\xCF\x31\x01\xC3\xEC\xDE\x11\x2D\x17\x5D\x1F\xB8\x50\xD1\x5E\x19\xA7\x69\xDE\x07\x33\x28\xCA\x50\x95\xF9\xA7\x54\xCB\x54\x86\x50\x45\xA9\xF9\x49\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x08\x76\xCD\xCB\x07\xFF\x24\xF6\xC5\xCD\xED\xBB\x90\xBC\xE2\x84\x37\x46\x75\xF7\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA6\xA8\xAD\x22\xCE\x01\x3D\xA6\xA3\xFF\x62\xD0\x48\x9D\x8B\x5E\x72\xB0\x78\x44\xE3\xDC\x1C\xAF\x09\xFD\x23\x48\xFA\xBD\x2A\xC4\xB9\x55\x04\xB5\x10\xA3\x8D\x27\xDE\x0B\x82\x63\xD0\xEE\xDE\x0C\x37\x79\x41\x5B\x22\xB2\xB0\x9A\x41\x5C\xA6\x70\xE0\xD4\xD0\x77\xCB\x23\xD3\x00\xE0\x6C\x56\x2F\xE1\x69\x0D\x0D\xD9\xAA\xBF\x21\x81\x50\xD9\x06\xA5\xA8\xFF\x95\x37\xD0\xAA\xFE\xE2\xB3\xF5\x99\x2D\x45\x84\x8A\xE5\x42\x09\xD7\x74\x02\x2F\xF7\x89\xD8\x99\xE9\xBC\x27\xD4\x47\x8D\xBA\x0D\x46\x1C\x77\xCF\x14\xA4\x1C\xB9\xA4\x31\xC4\x9C\x28\x74\x03\x34\xFF\x33\x19\x26\xA5\xE9\x0D\x74\xB7\x3E\x97\xC6\x76\xE8\x27\x96\xA3\x66\xDD\xE1\xAE\xF2\x41\x5B\xCA\x98\x56\x83\x73\x70\xE4\x86\x1A\xD2\x31\x41\xBA\x2F\xBE\x2D\x13\x5A\x76\x6F\x4E\xE8\x4E\x81\x0E\x3F\x5B\x03\x22\xA0\x12\xBE\x66\x58\x11\x4A\xCB\x03\xC4\xB4\x2A\x2A\x2D\x96\x17\xE0\x39\x54\xBC\x48\xD3\x76\x27\x9D\x9A\x2D\x06\xA6\xC9\xEC\x39\xD2\xAB\xDB\x9F\x9A\x0B\x27\x02\x35\x29\xB1\x40\x95\xE7\xF9\xE8\x9C\x55\x88\x19\x46\xD6\xB7\x34\xF5\x7E\xCE\x39\x9A\xD9\x38\xF1\x51\xF7\x4F\x2C"
, - ["CN=Certinomis - Autorit\C3\A9 Racine,OU=0002 433998903,O=Certinomis,C=FR"] = "\x30\x82\x05\x9C\x30\x82\x03\x84\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x31\x17\x30\x15\x06\x03\x55\x04\x0B\x13\x0E\x30\x30\x30\x32\x20\x34\x33\x33\x39\x39\x38\x39\x30\x33\x31\x26\x30\x24\x06\x03\x55\x04\x03\x0C\x1D\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x20\x2D\x20\x41\x75\x74\x6F\x72\x69\x74\xC3\xA9\x20\x52\x61\x63\x69\x6E\x65\x30\x1E\x17\x0D\x30\x38\x30\x39\x31\x37\x30\x38\x32\x38\x35\x39\x5A\x17\x0D\x32\x38\x30\x39\x31\x37\x30\x38\x32\x38\x35\x39\x5A\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x31\x17\x30\x15\x06\x03\x55\x04\x0B\x13\x0E\x30\x30\x30\x32\x20\x34\x33\x33\x39\x39\x38\x39\x30\x33\x31\x26\x30\x24\x06\x03\x55\x04\x03\x0C\x1D\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x20\x2D\x20\x41\x75\x74\x6F\x72\x69\x74\xC3\xA9\x20\x52\x61\x63\x69\x6E\x65\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x9D\x85\x9F\x86\xD3\xE3\xAF\xC7\xB2\x6B\x6E\x33\xE0\x9E\xB7\x42\x34\x55\x9D\xF9\x81\xBE\x63\xD8\x23\x76\x0E\x97\x54\xCD\x99\x4C\x1A\xF1\x39\xC7\x88\xD8\x17\x50\x0C\x9E\x61\xDA\xC0\x4E\x55\xDE\xE7\x5A\xB8\x7A\x4E\x77\x87\x0D\xE5\xB8\xEB\xFA\x9E\x5E\x7B\x1E\xC4\xCF\x28\x74\xC7\x93\xF5\x14\xC6\x22\x28\x04\xF9\x91\xC3\xAB\x27\x73\x6A\x0E\x2E\x4D\xF3\x2E\x28\x1F\x70\xDF\x55\x2F\x4E\xED\xC7\x71\x6F\x09\x72\x2E\xED\xD5\x32\x97\xD0\xF1\x58\x77\xD1\x60\xBC\x4E\x5E\xDB\x9A\x84\xF6\x47\x61\x45\x2B\xF6\x50\xA6\x7F\x6A\x71\x27\x48\x84\x35\x9E\xAC\xFE\x69\xA9\x9E\x7A\x5E\x35\x25\xFA\xB4\xA7\x49\x35\x77\x96\xA7\x36\x5B\xE1\xCD\xDF\x23\x70\xD8\x5D\x4C\xA5\x08\x83\xF1\xA6\x24\x38\x13\xA8\xEC\x2F\xA8\xA1\x67\xC7\xA6\x2D\x86\x47\xEE
\x8A\xFC\xEC\x9B\x0E\x74\xF4\x2B\x49\x02\x7B\x90\x75\x8C\xFC\x99\x39\x01\x39\xD6\x4A\x89\xE5\x9E\x76\xAB\x3E\x96\x28\x38\x26\x8B\xDD\x8D\x8C\xC0\xF6\x01\x1E\x6F\xA5\x31\x12\x38\x7D\x95\xC2\x71\xEE\xED\x74\xAE\xE4\x36\xA2\x43\x75\xD5\xF1\x00\x9B\xE2\xE4\xD7\xCC\x42\x03\x4B\x78\x7A\xE5\x7D\xBB\xB8\xAE\x2E\x20\x93\xD3\xE4\x61\xDF\x71\xE1\x76\x67\x97\x3F\xB6\xDF\x6A\x73\x5A\x64\x22\xE5\x42\xDB\xCF\x81\x03\x93\xD8\xF4\xE3\x10\xE0\x72\xF6\x00\x70\xAC\xF0\xC1\x7A\x0F\x05\x7F\xCF\x34\x69\x45\xB5\x93\xE4\x19\xDB\x52\x16\x23\x05\x89\x0E\x8D\x48\xE4\x25\x6F\xB3\x78\xBF\x62\xF5\x07\xFA\x95\x24\xC2\x96\xB2\xE8\xA3\x23\xC2\x5D\x03\xFC\xC3\xD3\xE5\x7C\xC9\x75\x23\xD7\xF4\xF5\xBC\xDE\xE4\xDF\xCD\x80\xBF\x91\x88\x7D\xA7\x13\xB4\x39\xBA\x2C\xBA\xBD\xD1\x6B\xCC\xF3\xA5\x28\xED\x44\x9E\x7D\x52\xA3\x6F\x96\x2E\x19\x7E\x1C\xF3\x5B\xC7\x16\x8E\xBB\x60\x7D\x77\x66\x47\x54\x82\x00\x11\x60\x6C\x32\xC1\xA8\x38\x1B\xEB\x6E\x98\x13\xD6\xEE\x38\xF5\xF0\x9F\x0E\xEF\xFE\x31\x81\xC1\xD2\x24\x95\x2F\x53\x7A\x69\xA2\xF0\x0F\x86\x45\x8E\x58\x82\x2B\x4C\x22\xD4\x5E\xA0\xE7\x7D\x26\x27\x48\xDF\x25\x46\x8D\x4A\x28\x7C\x86\x9E\xF9\x9B\x1A\x59\xB9\x65\xBF\x05\xDD\xB6\x42\x5D\x3D\xE6\x00\x48\x82\x5E\x20\xF7\x11\x82\xDE\xCA\xD8\x9F\xE6\x37\x47\x26\x1E\xEB\x78\xF7\x61\xC3\x41\x64\x58\x02\x41\xF9\xDA\xE0\xD1\xF8\xF9\xE8\xFD\x52\x38\xB6\xF5\x89\xDF\x02\x03\x01\x00\x01\xA3\x5B\x30\x59\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x0D\x8C\xB6\x61\xDA\x44\xB8\xD1\x14\x7D\xC3\xBE\x7D\x5E\x48\xF0\xCE\xCA\x6A\xB0\x30\x17\x06\x03\x55\x1D\x20\x04\x10\x30\x0E\x30\x0C\x06\x0A\x2A\x81\x7A\x01\x56\x02\x02\x00\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x24\x3E\x60\x06\x7E\x1D\xEF\x3A\x3E\xDB\xEA\xAF\x1C\x9A\x2C\x01\x0B\xF4\xC5\xB5\xD9\x49\x31\xF4\x5D\x41\x8D\x89\x0C\x4E\xFF\x6C\xA2\xFD\xFF\xE2\x06\xC8\x39\x9F\xF1\x5A\xA9\xDD\x22\x58\x15\xA8\x8A\xD3\xB1
\xE6\x32\x09\x82\x03\x6C\xD7\x3F\x08\xC7\xF8\xB9\xBA\x00\x6D\xB9\xD6\xFC\x52\x32\x5D\xA4\x7F\xA4\x31\x94\xBB\xB6\x4C\x38\x7F\x28\x30\x35\xFF\x9F\x23\x53\xB7\xB6\xEE\x14\x70\x00\x40\x2B\xDA\x47\xAB\x34\x7E\x5E\xA7\x56\x30\x61\x2B\x8B\x43\xAC\xFD\xB6\x88\x28\xF5\x6B\xB6\x3E\x60\x4A\xBA\x42\x90\x34\x67\x8D\xEA\xEB\x5F\x45\x54\x3B\x17\xAC\x8B\xE4\xC6\x65\x0F\xEE\xD0\x8C\x5D\x66\x39\xCE\x32\xA7\xD8\x10\x97\xC0\x7E\x34\x9C\x9F\x94\xF3\xF6\x86\x1F\xCF\x1B\x73\xAD\x94\x79\x87\x68\x70\xC3\x33\xA5\x70\xE7\xD8\xD5\x38\x94\x6F\x63\x79\xEB\xBF\x0A\x0E\x08\xE7\xC5\x2F\x0F\x42\xA0\x2B\x14\x40\xFF\x21\xE0\x05\xC5\x27\xE1\x84\x11\x13\xBA\xD6\x86\x1D\x41\x0B\x13\x23\x89\xD3\xC9\x0B\xE8\x8A\xBA\x7A\xA3\xA3\x73\x37\x35\x80\x7D\x12\xB8\x33\x77\x40\x38\xC0\xFA\x5E\x30\xD2\xF2\xB6\xA3\xB1\xD6\xA2\x95\x97\x81\x9B\x52\xED\x69\x4C\xFF\x80\xE4\x53\xDB\x54\x5B\x03\x6D\x54\x5F\xB1\xB8\xEF\x24\xBD\x6F\x9F\x11\xC3\xC7\x64\xC2\x0F\x28\x62\x85\x66\x5E\x1A\x7B\xB2\xB7\xEF\xAE\x35\xC9\x19\x33\xA8\xB8\x27\xDB\x33\x55\xBF\x68\xE1\x75\x48\x44\x56\xFB\xCD\xD3\x48\xBB\x47\x89\x3A\xAC\x69\xF5\x80\xC6\xE4\x44\x50\x2F\x54\xC4\xAA\x43\xC5\x31\x31\x58\xBD\x96\xC5\xEA\x75\x6C\x9A\x75\xB1\x4D\xF8\xF7\x97\xFF\x96\x16\xF2\x97\x4D\xE8\xF6\xF3\x11\xF9\x3A\x7D\x8A\x38\x6E\x04\xCB\xE1\xD3\x45\x15\xAA\xA5\xD1\x1D\x9D\x5D\x63\xE8\x24\xE6\x36\x14\xE2\x87\xAD\x1B\x59\xF5\x44\x9B\xFB\xD7\x77\x7C\x1F\x01\x70\x62\xA1\x20\x1A\xA2\xC5\x1A\x28\xF4\x21\x03\xEE\x2E\xD9\xC1\x80\xEA\xB9\xD9\x82\xD6\x5B\x76\xC2\xCB\x3B\xB5\xD2\x00\xF0\xA3\x0E\xE1\xAD\x6E\x40\xF7\xDB\xA0\xB4\xD0\x46\xAE\x15\xD7\x44\xC2\x4D\x35\xF9\xD2\x0B\xF2\x17\xF6\xAC\x66\xD5\x24\xB2\x4F\xD1\x1C\x99\xC0\x6E\xF5\x7D\xEB\x74\x04\xB8\xF9\x4D\x77\x09\xD7\xB4\xCF\x07\x30\x09\xF1\xB8\x00\x56\xD9\x17\x16\x16\x0A\x2B\x86\xDF\x8F\x01\x19\x1A\xE5\xBB\x82\x63\xFF\xBE\x0B\x76\x16\x5E\x37\x37\xE6\xD8\x74\x97\xA2\x99\x45\x79", - ["CN=Root CA Generalitat Valenciana,OU=PKIGVA,O=Generalitat Valenciana,C=ES"] = 
"\x30\x82\x06\x8B\x30\x82\x05\x73\xA0\x03\x02\x01\x02\x02\x04\x3B\x45\xE5\x68\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x1F\x30\x1D\x06\x03\x55\x04\x0A\x13\x16\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x31\x0F\x30\x0D\x06\x03\x55\x04\x0B\x13\x06\x50\x4B\x49\x47\x56\x41\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x30\x1E\x17\x0D\x30\x31\x30\x37\x30\x36\x31\x36\x32\x32\x34\x37\x5A\x17\x0D\x32\x31\x30\x37\x30\x31\x31\x35\x32\x32\x34\x37\x5A\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x1F\x30\x1D\x06\x03\x55\x04\x0A\x13\x16\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x31\x0F\x30\x0D\x06\x03\x55\x04\x0B\x13\x06\x50\x4B\x49\x47\x56\x41\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC6\x2A\xAB\x57\x11\x37\x2F\x22\x8A\xCA\x03\x74\x1D\xCA\xED\x2D\xA2\x0B\xBC\x33\x52\x40\x26\x47\xBE\x5A\x69\xA6\x3B\x72\x36\x17\x4C\xE8\xDF\xB8\xBB\x2F\x76\xE1\x40\x46\x74\x65\x02\x90\x52\x08\xB4\xFF\xA8\x8C\xC1\xE0\xC7\x89\x56\x10\x39\x33\xEF\x68\xB4\x5F\x5F\xDA\x6D\x23\xA1\x89\x5E\x22\xA3\x4A\x06\xF0\x27\xF0\x57\xB9\xF8\xE9\x4E\x32\x77\x0A\x3F\x41\x64\xF3\xEB\x65\xEE\x76\xFE\x54\xAA\x7D\x1D\x20\xAE\xF3\xD7\x74\xC2\x0A\x5F\xF5\x08\x28\x52\x08\xCC\x55\x5D\xD2\x0F\xDB\x9A\x81\xA5\xBB\xA1\xB3\xC1\x94\xCD\x54\xE0\x32\x75\x31\x91\x1A\x62\xB2\xDE\x75\xE2\xCF\x4F\x89\xD9\x91\x90\x0F\x41\x1B\xB4\x5A\x4A\x77\xBD\x67\x83\xE0\x93\xE7\x5E\xA7\x0C\xE7\x81\xD3\xF4\x52\xAC\x53\xB2\x03\xC7\x44\x26\xFB\x79\xE5\xCB\x34\x60\x50\x10\x7B\x1B\xDB\x6B\xD7\x47\xAB\x5
F\x7C\x68\xCA\x6E\x9D\x41\x03\x10\xEE\x6B\x99\x7B\x5E\x25\xA8\xC2\xAB\xE4\xC0\xF3\x5C\x9C\xE3\xBE\xCE\x31\x4C\x64\x1E\x5E\x80\xA2\xF5\x83\x7E\x0C\xD6\xCA\x8C\x55\x8E\xBE\xE0\xBE\x49\x07\x0F\xA3\x24\x41\x7A\x58\x1D\x84\xEA\x58\x12\xC8\xE1\xB7\xED\xEF\x93\xDE\x94\x08\x31\x02\x03\x01\x00\x01\xA3\x82\x03\x3B\x30\x82\x03\x37\x30\x32\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01\x04\x26\x30\x24\x30\x22\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01\x86\x16\x68\x74\x74\x70\x3A\x2F\x2F\x6F\x63\x73\x70\x2E\x70\x6B\x69\x2E\x67\x76\x61\x2E\x65\x73\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x02\x30\x82\x02\x34\x06\x03\x55\x1D\x20\x04\x82\x02\x2B\x30\x82\x02\x27\x30\x82\x02\x23\x06\x0A\x2B\x06\x01\x04\x01\xBF\x55\x02\x01\x00\x30\x82\x02\x13\x30\x82\x01\xE8\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x82\x01\xDA\x1E\x82\x01\xD6\x00\x41\x00\x75\x00\x74\x00\x6F\x00\x72\x00\x69\x00\x64\x00\x61\x00\x64\x00\x20\x00\x64\x00\x65\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x52\x00\x61\x00\xED\x00\x7A\x00\x20\x00\x64\x00\x65\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x47\x00\x65\x00\x6E\x00\x65\x00\x72\x00\x61\x00\x6C\x00\x69\x00\x74\x00\x61\x00\x74\x00\x20\x00\x56\x00\x61\x00\x6C\x00\x65\x00\x6E\x00\x63\x00\x69\x00\x61\x00\x6E\x00\x61\x00\x2E\x00\x0D\x00\x0A\x00\x4C\x00\x61\x00\x20\x00\x44\x00\x65\x00\x63\x00\x6C\x00\x61\x00\x72\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x64\x00\x65\x00\x20\x00\x50\x00\x72\x00\xE1\x00\x63\x00\x74\x00\x69\x00\x63\x00\x61\x00\x73\x00\x20\x00\x64\x00\x65\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x71\x00\x75\x00\x65\x00\x20\x00\x72\x00\x69\x00\x67\x00\x65\x00\x20\x00\x65\x00\x6C\x00\x20\x00\x66\x00\x75\x00\x6E\x00\x63\x00\x69\x00\x6F\x00\x6E\x00\x61\x00\x6D\x00\x69\x00\x65\x00\x6E\x00\x74\x00\x6F\x00\x20\x00\x64\x00\x65\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x70\x00\x72\x00\x65\x0
0\x73\x00\x65\x00\x6E\x00\x74\x00\x65\x00\x20\x00\x41\x00\x75\x00\x74\x00\x6F\x00\x72\x00\x69\x00\x64\x00\x61\x00\x64\x00\x20\x00\x64\x00\x65\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x73\x00\x65\x00\x20\x00\x65\x00\x6E\x00\x63\x00\x75\x00\x65\x00\x6E\x00\x74\x00\x72\x00\x61\x00\x20\x00\x65\x00\x6E\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x64\x00\x69\x00\x72\x00\x65\x00\x63\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x77\x00\x65\x00\x62\x00\x20\x00\x68\x00\x74\x00\x74\x00\x70\x00\x3A\x00\x2F\x00\x2F\x00\x77\x00\x77\x00\x77\x00\x2E\x00\x70\x00\x6B\x00\x69\x00\x2E\x00\x67\x00\x76\x00\x61\x00\x2E\x00\x65\x00\x73\x00\x2F\x00\x63\x00\x70\x00\x73\x30\x25\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x19\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x70\x6B\x69\x2E\x67\x76\x61\x2E\x65\x73\x2F\x63\x70\x73\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x7B\x35\xD3\x40\xD2\x1C\x78\x19\x66\xEF\x74\x10\x28\xDC\x3E\x4F\xB2\x78\x04\xFC\x30\x81\x95\x06\x03\x55\x1D\x23\x04\x81\x8D\x30\x81\x8A\x80\x14\x7B\x35\xD3\x40\xD2\x1C\x78\x19\x66\xEF\x74\x10\x28\xDC\x3E\x4F\xB2\x78\x04\xFC\xA1\x6C\xA4\x6A\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x1F\x30\x1D\x06\x03\x55\x04\x0A\x13\x16\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x31\x0F\x30\x0D\x06\x03\x55\x04\x0B\x13\x06\x50\x4B\x49\x47\x56\x41\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x82\x04\x3B\x45\xE5\x68\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x24\x61\x4E\xF5\xB5\xC8\x42\x02\x2A\xB3\x5C\x75\xAD\xC5\x6D\xCA\xE7\x94\x3F\xA5\x68\x95\x88\xC1\x54\xC0\x10\x69\xA2\x12\x2F\x18\x3F\x25\x50\xA8\x7C\x4A\xEA\xC6\x09\xD9\xF4\x75\xC6\x40\xDA\xAF\x50\x9D\x3D\xA5\x16\xBB\x6D\x31\xC6\xC7\x73\x0A\x48\xFE\x20\x72\xED\x6F\xCC\xE8\x83\x61\x16\x46\x90\x01\x95\x4B\x7
D\x8E\x9A\x52\x09\x2F\xF6\x6F\x1C\xE4\xA1\x71\xCF\x8C\x2A\x5A\x17\x73\x83\x47\x4D\x0F\x36\xFB\x04\x4D\x49\x51\xE2\x14\xC9\x64\x61\xFB\xD4\x14\xE0\xF4\x9E\xB7\x34\x8F\x0A\x26\xBD\x97\x5C\xF4\x79\x3A\x4A\x30\x19\xCC\xAD\x4F\xA0\x98\x8A\xB4\x31\x97\x2A\xE2\x73\x6D\x7E\x78\xB8\xF8\x88\x89\x4F\xB1\x22\x91\x64\x4B\xF5\x50\xDE\x03\xDB\xE5\xC5\x76\xE7\x13\x66\x75\x7E\x65\xFB\x01\x9F\x93\x87\x88\x9D\xF9\x46\x57\x7C\x4D\x60\xAF\x98\x73\x13\x23\xA4\x20\x91\x81\xFA\xD0\x61\x66\xB8\x7D\xD1\xAF\xD6\x6F\x1E\x6C\x3D\xE9\x11\xFD\xA9\xF9\x82\x22\x86\x99\x33\x71\x5A\xEA\x19\x57\x3D\x91\xCD\xA9\xC0\xA3\x6E\x07\x13\xA6\xC9\xED\xF8\x68\xA3\x9E\xC3\x5A\x72\x09\x87\x28\xD1\xC4\x73\xC4\x73\x18\x5F\x50\x75\x16\x31\x9F\xB7\xE8\x7C\xC3", ["CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW"] = "\x30\x82\x03\x7B\x30\x82\x02\x63\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x54\x41\x49\x57\x41\x4E\x2D\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x0C\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x0C\x21\x54\x57\x43\x41\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x38\x30\x38\x32\x38\x30\x37\x32\x34\x33\x33\x5A\x17\x0D\x33\x30\x31\x32\x33\x31\x31\x35\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x54\x41\x49\x57\x41\x4E\x2D\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x0C\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x0C\x21\x54\x57\x43\x41\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB0\x7E\x72\xB8\xA4\x03\x94\xE6\xA7\xDE\x09\x38
\x91\x4A\x11\x40\x87\xA7\x7C\x59\x64\x14\x7B\xB5\x11\x10\xDD\xFE\xBF\xD5\xC0\xBB\x56\xE2\x85\x25\xF4\x35\x72\x0F\xF8\x53\xD0\x41\xE1\x44\x01\xC2\xB4\x1C\xC3\x31\x42\x16\x47\x85\x33\x22\x76\xB2\x0A\x6F\x0F\xE5\x25\x50\x4F\x85\x86\xBE\xBF\x98\x2E\x10\x67\x1E\xBE\x11\x05\x86\x05\x90\xC4\x59\xD0\x7C\x78\x10\xB0\x80\x5C\xB7\xE1\xC7\x2B\x75\xCB\x7C\x9F\xAE\xB5\xD1\x9D\x23\x37\x63\xA7\xDC\x42\xA2\x2D\x92\x04\x1B\x50\xC1\x7B\xB8\x3E\x1B\xC9\x56\x04\x8B\x2F\x52\x9B\xAD\xA9\x56\xE9\xC1\xFF\xAD\xA9\x58\x87\x30\xB6\x81\xF7\x97\x45\xFC\x19\x57\x3B\x2B\x6F\xE4\x47\xF4\x99\x45\xFE\x1D\xF1\xF8\x97\xA3\x88\x1D\x37\x1C\x5C\x8F\xE0\x76\x25\x9A\x50\xF8\xA0\x54\xFF\x44\x90\x76\x23\xD2\x32\xC6\xC3\xAB\x06\xBF\xFC\xFB\xBF\xF3\xAD\x7D\x92\x62\x02\x5B\x29\xD3\x35\xA3\x93\x9A\x43\x64\x60\x5D\xB2\xFA\x32\xFF\x3B\x04\xAF\x4D\x40\x6A\xF9\xC7\xE3\xEF\x23\xFD\x6B\xCB\xE5\x0F\x8B\x38\x0D\xEE\x0A\xFC\xFE\x0F\x98\x9F\x30\x31\xDD\x6C\x52\x65\xF9\x8B\x81\xBE\x22\xE1\x1C\x58\x03\xBA\x91\x1B\x89\x07\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x6A\x38\x5B\x26\x8D\xDE\x8B\x5A\xF2\x4F\x7A\x54\x83\x19\x18\xE3\x08\x35\xA6\xBA\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3C\xD5\x77\x3D\xDA\xDF\x89\xBA\x87\x0C\x08\x54\x6A\x20\x50\x92\xBE\xB0\x41\x3D\xB9\x26\x64\x83\x0A\x2F\xE8\x40\xC0\x97\x28\x27\x82\x30\x4A\xC9\x93\xFF\x6A\xE7\xA6\x00\x7F\x89\x42\x9A\xD6\x11\xE5\x53\xCE\x2F\xCC\xF2\xDA\x05\xC4\xFE\xE2\x50\xC4\x3A\x86\x7D\xCC\xDA\x7E\x10\x09\x3B\x92\x35\x2A\x53\xB2\xFE\xEB\x2B\x05\xD9\x6C\x5D\xE6\xD0\xEF\xD3\x6A\x66\x9E\x15\x28\x85\x7A\xE8\x82\x00\xAC\x1E\xA7\x09\x69\x56\x42\xD3\x68\x51\x18\xBE\x54\x9A\xBF\x44\x41\xBA\x49\xBE\x20\xBA\x69\x5C\xEE\xB8\x77\xCD\xCE\x6C\x1F\xAD\x83\x96\x18\x7D\x0E\xB5\x14\x39\x84\xF1\x28\xE9\x2D\xA3\x9E\x7B\x1E\x7A\x72\x5A\x83\xB3\x79\x6F\xEF\xB4\xFC\xD0\x0A\xA5\x58\x4F\x46\xDF\xFB
\x6D\x79\x59\xF2\x84\x22\x52\xAE\x0F\xCC\xFB\x7C\x3B\xE7\x6A\xCA\x47\x61\xC3\x7A\xF8\xD3\x92\x04\x1F\xB8\x20\x84\xE1\x36\x54\x16\xC7\x40\xDE\x3B\x8A\x73\xDC\xDF\xC6\x09\x4C\xDF\xEC\xDA\xFF\xD4\x53\x42\xA1\xC9\xF2\x62\x1D\x22\x83\x3C\x97\xC5\xF9\x19\x62\x27\xAC\x65\x22\xD7\xD3\x3C\xC6\xE5\x8E\xB2\x53\xCC\x49\xCE\xBC\x30\xFE\x7B\x0E\x33\x90\xFB\xED\xD2\x14\x91\x1F\x07\xAF", ["OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP"] = "\x30\x82\x03\x77\x30\x82\x02\x5F\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x5D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x43\x41\x32\x30\x1E\x17\x0D\x30\x39\x30\x35\x32\x39\x30\x35\x30\x30\x33\x39\x5A\x17\x0D\x32\x39\x30\x35\x32\x39\x30\x35\x30\x30\x33\x39\x5A\x30\x5D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x43\x41\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD0\x15\x39\x52\xB1\x52\xB3\xBA\xC5\x59\x82\xC4\x5D\x52\xAE\x3A\x43\x65\x80\x4B\xC7\xF2\x96\xBC\xDB\x36\x97\xD6\xA6\x64\x8C\xA8\x5E\xF0\xE3\x0A\x1C\xF7\xDF\x97\x3D\x4B\xAE\xF6\x5D\xEC\x21\xB5\x41\xAB\xCD\xB9\x7E\x76\x9F\xBE\xF9\x3E\x36\x34\xA0\x3B\xC1\xF6\x31\x11\x45\x74\x93\x3D\x57\x80\xC5\xF9\x89\x99\xCA\xE5\xAB\x6A\xD4\xB5\xDA\x41\x90\x10\xC1\xD6\xD6\x42\x89\xC2\xBF\xF4\x38\x12\x95\x4C\x54\x05\xF
7\x36\xE4\x45\x83\x7B\x14\x65\xD6\xDC\x0C\x4D\xD1\xDE\x7E\x0C\xAB\x3B\xC4\x15\xBE\x3A\x56\xA6\x5A\x6F\x76\x69\x52\xA9\x7A\xB9\xC8\xEB\x6A\x9A\x5D\x52\xD0\x2D\x0A\x6B\x35\x16\x09\x10\x84\xD0\x6A\xCA\x3A\x06\x00\x37\x47\xE4\x7E\x57\x4F\x3F\x8B\xEB\x67\xB8\x88\xAA\xC5\xBE\x53\x55\xB2\x91\xC4\x7D\xB9\xB0\x85\x19\x06\x78\x2E\xDB\x61\x1A\xFA\x85\xF5\x4A\x91\xA1\xE7\x16\xD5\x8E\xA2\x39\xDF\x94\xB8\x70\x1F\x28\x3F\x8B\xFC\x40\x5E\x63\x83\x3C\x83\x2A\x1A\x99\x6B\xCF\xDE\x59\x6A\x3B\xFC\x6F\x16\xD7\x1F\xFD\x4A\x10\xEB\x4E\x82\x16\x3A\xAC\x27\x0C\x53\xF1\xAD\xD5\x24\xB0\x6B\x03\x50\xC1\x2D\x3C\x16\xDD\x44\x34\x27\x1A\x75\xFB\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x0A\x85\xA9\x77\x65\x05\x98\x7C\x40\x81\xF8\x0F\x97\x2C\x38\xF1\x0A\xEC\x3C\xCF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x4C\x3A\xA3\x44\xAC\xB9\x45\xB1\xC7\x93\x7E\xC8\x0B\x0A\x42\xDF\x64\xEA\x1C\xEE\x59\x6C\x08\xBA\x89\x5F\x6A\xCA\x4A\x95\x9E\x7A\x8F\x07\xC5\xDA\x45\x72\x82\x71\x0E\x3A\xD2\xCC\x6F\xA7\xB4\xA1\x23\xBB\xF6\x24\x9F\xCB\x17\xFE\x8C\xA6\xCE\xC2\xD2\xDB\xCC\x8D\xFC\x71\xFC\x03\x29\xC1\x6C\x5D\x33\x5F\x64\xB6\x65\x3B\x89\x6F\x18\x76\x78\xF5\xDC\xA2\x48\x1F\x19\x3F\x8E\x93\xEB\xF1\xFA\x17\xEE\xCD\x4E\xE3\x04\x12\x55\xD6\xE5\xE4\xDD\xFB\x3E\x05\x7C\xE2\x1D\x5E\xC6\xA7\xBC\x97\x4F\x68\x3A\xF5\xE9\x2E\x0A\x43\xB6\xAF\x57\x5C\x62\x68\x7C\xB7\xFD\xA3\x8A\x84\xA0\xAC\x62\xBE\x2B\x09\x87\x34\xF0\x6A\x01\xBB\x9B\x29\x56\x3C\xFE\x00\x37\xCF\x23\x6C\xF1\x4E\xAA\xB6\x74\x46\x12\x6C\x91\xEE\x34\xD5\xEC\x9A\x91\xE7\x44\xBE\x90\x31\x72\xD5\x49\x02\xF6\x02\xE5\xF4\x1F\xEB\x7C\xD9\x96\x55\xA9\xFF\xEC\x8A\xF9\x99\x47\xFF\x35\x5A\x02\xAA\x04\xCB\x8A\x5B\x87\x71\x29\x91\xBD\xA4\xB4\x7A\x0D\xBD\x9A\xF5\x57\x23\x00\x07\x21\x17\x3F\x4A\x39\xD1\x05\x49\x0B\xA7\xB6\x37\x81\xA5\x5D\x8C\xAA\x33\x5E\x81\x28\x7C\xA7\x7D\x27\xE
B\x00\xAE\x8D\x37", ["CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES"] = "\x30\x82\x05\x56\x30\x82\x04\x3E\xA0\x03\x02\x01\x02\x02\x10\xEE\x2B\x3D\xEB\xD4\x21\xDE\x14\xA8\x62\xAC\x04\xF3\xDD\xC4\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xF3\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x3B\x30\x39\x06\x03\x55\x04\x0A\x13\x32\x41\x67\x65\x6E\x63\x69\x61\x20\x43\x61\x74\x61\x6C\x61\x6E\x61\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x20\x28\x4E\x49\x46\x20\x51\x2D\x30\x38\x30\x31\x31\x37\x36\x2D\x49\x29\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x53\x65\x72\x76\x65\x69\x73\x20\x50\x75\x62\x6C\x69\x63\x73\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x65\x67\x65\x75\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x61\x74\x63\x65\x72\x74\x2E\x6E\x65\x74\x2F\x76\x65\x72\x61\x72\x72\x65\x6C\x20\x28\x63\x29\x30\x33\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x4A\x65\x72\x61\x72\x71\x75\x69\x61\x20\x45\x6E\x74\x69\x74\x61\x74\x73\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x20\x43\x61\x74\x61\x6C\x61\x6E\x65\x73\x31\x0F\x30\x0D\x06\x03\x55\x04\x03\x13\x06\x45\x43\x2D\x41\x43\x43\x30\x1E\x17\x0D\x30\x33\x30\x31\x30\x37\x32\x33\x30\x30\x30\x30\x5A\x17\x0D\x33\x31\x30\x31\x30\x37\x32\x32\x35\x39\x35\x39\x5A\x30\x81\xF3\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x3B\x30\x39\x06\x03\x55\x04\x0A\x13\x32\x41\x67\x65\x6E\x63\x69\x61\x20\x43\x61\x74\x61\x6C\x61\x6E\x61\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x20\x28\x4E\x49\x46\x20\x51\x2D\x30\x38\x30\x31\x31\x37\x36\x2D\x49\x29\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x53\x65\x72\x76\x65\x69\x73\x20\x50\x75\x62\x6C\x69\x63\x73\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x
31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x65\x67\x65\x75\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x61\x74\x63\x65\x72\x74\x2E\x6E\x65\x74\x2F\x76\x65\x72\x61\x72\x72\x65\x6C\x20\x28\x63\x29\x30\x33\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x4A\x65\x72\x61\x72\x71\x75\x69\x61\x20\x45\x6E\x74\x69\x74\x61\x74\x73\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x20\x43\x61\x74\x61\x6C\x61\x6E\x65\x73\x31\x0F\x30\x0D\x06\x03\x55\x04\x03\x13\x06\x45\x43\x2D\x41\x43\x43\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB3\x22\xC7\x4F\xE2\x97\x42\x95\x88\x47\x83\x40\xF6\x1D\x17\xF3\x83\x73\x24\x1E\x51\xF3\x98\x8A\xC3\x92\xB8\xFF\x40\x90\x05\x70\x87\x60\xC9\x00\xA9\xB5\x94\x65\x19\x22\x15\x17\xC2\x43\x6C\x66\x44\x9A\x0D\x04\x3E\x39\x6F\xA5\x4B\x7A\xAA\x63\xB7\x8A\x44\x9D\xD9\x63\x91\x84\x66\xE0\x28\x0F\xBA\x42\xE3\x6E\x8E\xF7\x14\x27\x93\x69\xEE\x91\x0E\xA3\x5F\x0E\xB1\xEB\x66\xA2\x72\x4F\x12\x13\x86\x65\x7A\x3E\xDB\x4F\x07\xF4\xA7\x09\x60\xDA\x3A\x42\x99\xC7\xB2\x7F\xB3\x16\x95\x1C\xC7\xF9\x34\xB5\x94\x85\xD5\x99\x5E\xA0\x48\xA0\x7E\xE7\x17\x65\xB8\xA2\x75\xB8\x1E\xF3\xE5\x42\x7D\xAF\xED\xF3\x8A\x48\x64\x5D\x82\x14\x93\xD8\xC0\xE4\xFF\xB3\x50\x72\xF2\x76\xF6\xB3\x5D\x42\x50\x79\xD0\x94\x3E\x6B\x0C\x00\xBE\xD8\x6B\x0E\x4E\x2A\xEC\x3E\xD2\xCC\x82\xA2\x18\x65\x33\x13\x77\x9E\x9A\x5D\x1A\x13\xD8\xC3\xDB\x3D\xC8\x97\x7A\xEE\x70\xED\xA7\xE6\x7C\xDB\x71\xCF\x2D\x94\x62\xDF\x6D\xD6\xF5\x38\xBE\x3F\xA5\x85\x0A\x19\xB8\xA8\xD8\x09\x75\x42\x70\xC4\xEA\xEF\xCB\x0E\xC8\x34\xA8\x12\x22\x98\x0C\xB8\x13\x94\xB6\x4B\xEC\xF0\xD0\x90\xE7\x27\x02\x03\x01\x00\x01\xA3\x81\xE3\x30\x81\xE0\x30\x1D\x06\x03\x55\x1D\x11\x04\x16\x30\x14\x81\x12\x65\x63\x5F\x61\x63\x63\x40\x63\x61\x74\x63\x65\x72\x74\x2E\x6E\x65\x74\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x
04\x14\xA0\xC3\x8B\x44\xAA\x37\xA5\x45\xBF\x97\x80\x5A\xD1\xF1\x78\xA2\x9B\xE9\x5D\x8D\x30\x7F\x06\x03\x55\x1D\x20\x04\x78\x30\x76\x30\x74\x06\x0B\x2B\x06\x01\x04\x01\xF5\x78\x01\x03\x01\x0A\x30\x65\x30\x2C\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x61\x74\x63\x65\x72\x74\x2E\x6E\x65\x74\x2F\x76\x65\x72\x61\x72\x72\x65\x6C\x30\x35\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x29\x1A\x27\x56\x65\x67\x65\x75\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x61\x74\x63\x65\x72\x74\x2E\x6E\x65\x74\x2F\x76\x65\x72\x61\x72\x72\x65\x6C\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA0\x48\x5B\x82\x01\xF6\x4D\x48\xB8\x39\x55\x35\x9C\x80\x7A\x53\x99\xD5\x5A\xFF\xB1\x71\x3B\xCC\x39\x09\x94\x5E\xD6\xDA\xEF\xBE\x01\x5B\x5D\xD3\x1E\xD8\xFD\x7D\x4F\xCD\xA0\x41\xE0\x34\x93\xBF\xCB\xE2\x86\x9C\x37\x92\x90\x56\x1C\xDC\xEB\x29\x05\xE5\xC4\x9E\xC7\x35\xDF\x8A\x0C\xCD\xC5\x21\x43\xE9\xAA\x88\xE5\x35\xC0\x19\x42\x63\x5A\x02\x5E\xA4\x48\x18\x3A\x85\x6F\xDC\x9D\xBC\x3F\x9D\x9C\xC1\x87\xB8\x7A\x61\x08\xE9\x77\x0B\x7F\x70\xAB\x7A\xDD\xD9\x97\x2C\x64\x1E\x85\xBF\xBC\x74\x96\xA1\xC3\x7A\x12\xEC\x0C\x1A\x6E\x83\x0C\x3C\xE8\x72\x46\x9F\xFB\x48\xD5\x5E\x97\xE6\xB1\xA1\xF8\xE4\xEF\x46\x25\x94\x9C\x89\xDB\x69\x38\xBE\xEC\x5C\x0E\x56\xC7\x65\x51\xE5\x50\x88\x88\xBF\x42\xD5\x2B\x3D\xE5\xF9\xBA\x9E\x2E\xB3\xCA\xF4\x73\x92\x02\x0B\xBE\x4C\x66\xEB\x20\xFE\xB9\xCB\xB5\x99\x7F\xE6\xB6\x13\xFA\xCA\x4B\x4D\xD9\xEE\x53\x46\x06\x3B\xC6\x4E\xAD\x93\x5A\x81\x7E\x6C\x2A\x4B\x6A\x05\x45\x8C\xF2\x21\xA4\x31\x90\x87\x6C\x65\x9C\x9D\xA5\x60\x95\x3A\x52\x7F\xF5\xD1\xAB\x08\x6E\xF3\xEE\x5B\xF9\x88\x3D\x7E\xB8\x6F\x6E\x03\xE4\x42", ["CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. 
Authority,C=GR"] = "\x30\x82\x04\x31\x30\x82\x03\x19\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x95\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x52\x31\x44\x30\x42\x06\x03\x55\x04\x0A\x13\x3B\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x2E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x40\x30\x3E\x06\x03\x55\x04\x03\x13\x37\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x52\x6F\x6F\x74\x43\x41\x20\x32\x30\x31\x31\x30\x1E\x17\x0D\x31\x31\x31\x32\x30\x36\x31\x33\x34\x39\x35\x32\x5A\x17\x0D\x33\x31\x31\x32\x30\x31\x31\x33\x34\x39\x35\x32\x5A\x30\x81\x95\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x52\x31\x44\x30\x42\x06\x03\x55\x04\x0A\x13\x3B\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x2E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x40\x30\x3E\x06\x03\x55\x04\x03\x13\x37\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x52\x6F\x6F\x74\x43\x41\x20\x32\x30\x31\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA9\x53\x00\xE3\x2E\xA6\xF6\x8E\xFA\x60\xD8\x2D\x95\x3E\xF8\x2C\x2A\x54\x4E\xCD\xB9\x84\x61\x94\x58\x4F\x8F\x3D\x8B\xE4\x43\xF3\x75\x89\x8D\x51\xE4\xC3\x37\xD2\x8A\x88\x4D\x79\x1E\xB7\x12\xDD\x43\x78\x4A\x8A\x92\xE6\xD7\x48\xD5\x0F\xA4\x3A\x29\x44\x35\xB8\x07\xF6\x68\x1D\x55\xCD\x38\x51\xF0\x8C\x24\x31\x85\xAF\x83\xC9\x7D\xE9\x77\xAF\xED\x1A\x7B\x9D\x17\xF9\xB3\x9D\x38\x50\x0F
\xA6\x5A\x79\x91\x80\xAF\x37\xAE\xA6\xD3\x31\xFB\xB5\x26\x09\x9D\x3C\x5A\xEF\x51\xC5\x2B\xDF\x96\x5D\xEB\x32\x1E\x02\xDA\x70\x49\xEC\x6E\x0C\xC8\x9A\x37\x8D\xF7\xF1\x36\x60\x4B\x26\x2C\x82\x9E\xD0\x78\xF3\x0D\x0F\x63\xA4\x51\x30\xE1\xF9\x2B\x27\x12\x07\xD8\xEA\xBD\x18\x62\x98\xB0\x59\x37\x7D\xBE\xEE\xF3\x20\x51\x42\x5A\x83\xEF\x93\xBA\x69\x15\xF1\x62\x9D\x9F\x99\x39\x82\xA1\xB7\x74\x2E\x8B\xD4\xC5\x0B\x7B\x2F\xF0\xC8\x0A\xDA\x3D\x79\x0A\x9A\x93\x1C\xA5\x28\x72\x73\x91\x43\x9A\xA7\xD1\x4D\x85\x84\xB9\xA9\x74\x8F\x14\x40\xC7\xDC\xDE\xAC\x41\x64\x6C\xB4\x19\x9B\x02\x63\x6D\x24\x64\x8F\x44\xB2\x25\xEA\xCE\x5D\x74\x0C\x63\x32\x5C\x8D\x87\xE5\x02\x03\x01\x00\x01\xA3\x81\x89\x30\x81\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA6\x91\x42\xFD\x13\x61\x4A\x23\x9E\x08\xA4\x29\xE5\xD8\x13\x04\x23\xEE\x41\x25\x30\x47\x06\x03\x55\x1D\x1E\x04\x40\x30\x3E\xA0\x3C\x30\x05\x82\x03\x2E\x67\x72\x30\x05\x82\x03\x2E\x65\x75\x30\x06\x82\x04\x2E\x65\x64\x75\x30\x06\x82\x04\x2E\x6F\x72\x67\x30\x05\x81\x03\x2E\x67\x72\x30\x05\x81\x03\x2E\x65\x75\x30\x06\x81\x04\x2E\x65\x64\x75\x30\x06\x81\x04\x2E\x6F\x72\x67\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x1F\xEF\x79\x41\xE1\x7B\x6E\x3F\xB2\x8C\x86\x37\x42\x4A\x4E\x1C\x37\x1E\x8D\x66\xBA\x24\x81\xC9\x4F\x12\x0F\x21\xC0\x03\x97\x86\x25\x6D\x5D\xD3\x22\x29\xA8\x6C\xA2\x0D\xA9\xEB\x3D\x06\x5B\x99\x3A\xC7\xCC\xC3\x9A\x34\x7F\xAB\x0E\xC8\x4E\x1C\xE1\xFA\xE4\xDC\xCD\x0D\xBE\xBF\x24\xFE\x6C\xE7\x6B\xC2\x0D\xC8\x06\x9E\x4E\x8D\x61\x28\xA6\x6A\xFD\xE5\xF6\x62\xEA\x18\x3C\x4E\xA0\x53\x9D\xB2\x3A\x9C\xEB\xA5\x9C\x91\x16\xB6\x4D\x82\xE0\x0C\x05\x48\xA9\x6C\xF5\xCC\xF8\xCB\x9D\x49\xB4\xF0\x02\xA5\xFD\x70\x03\xED\x8A\x21\xA5\xAE\x13\x86\x49\xC3\x33\x73\xBE\x87\x3B\x74\x8B\x17\x45\x26\x4C\x16\x91\x83\xFE\x67\x7D\xCD\x4D\x63\x67\xFA\xF3\x03\x12\x96\x78\x06\x8D\xB1\x67\xED\x8E\x3F\xBE\x9F\x4F\x02\xF5\xB3
\x09\x2F\xF3\x4C\x87\xDF\x2A\xCB\x95\x7C\x01\xCC\xAC\x36\x7A\xBF\xA2\x73\x7A\xF7\x8F\xC1\xB5\x9A\xA1\x14\xB2\x8F\x33\x9F\x0D\xEF\x22\xDC\x66\x7B\x84\xBD\x45\x17\x06\x3D\x3C\xCA\xB9\x77\x34\x8F\xCA\xEA\xCF\x3F\x31\x3E\xE3\x88\xE3\x80\x49\x25\xC8\x97\xB5\x9D\x9A\x99\x4D\xB0\x3C\xF8\x4A\x00\x9B\x64\xDD\x9F\x39\x4B\xD1\x27\xD7\xB8", ["CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT"] = "\x30\x82\x05\xBB\x30\x82\x03\xA3\xA0\x03\x02\x01\x02\x02\x08\x57\x0A\x11\x97\x42\xC4\xE3\xCC\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x6B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x54\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x0C\x05\x4D\x69\x6C\x61\x6E\x31\x23\x30\x21\x06\x03\x55\x04\x0A\x0C\x1A\x41\x63\x74\x61\x6C\x69\x73\x20\x53\x2E\x70\x2E\x41\x2E\x2F\x30\x33\x33\x35\x38\x35\x32\x30\x39\x36\x37\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x41\x63\x74\x61\x6C\x69\x73\x20\x41\x75\x74\x68\x65\x6E\x74\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x31\x31\x30\x39\x32\x32\x31\x31\x32\x32\x30\x32\x5A\x17\x0D\x33\x30\x30\x39\x32\x32\x31\x31\x32\x32\x30\x32\x5A\x30\x6B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x54\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x0C\x05\x4D\x69\x6C\x61\x6E\x31\x23\x30\x21\x06\x03\x55\x04\x0A\x0C\x1A\x41\x63\x74\x61\x6C\x69\x73\x20\x53\x2E\x70\x2E\x41\x2E\x2F\x30\x33\x33\x35\x38\x35\x32\x30\x39\x36\x37\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x41\x63\x74\x61\x6C\x69\x73\x20\x41\x75\x74\x68\x65\x6E\x74\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xA7\xC6\xC4\xA5\x29\xA4\x2C\xEF\xE5\x18\xC5\xB0\x50\xA3\x6F\x51\x3B\x9F\x0A\x5A\xC9\xC2\x48\x38\x0A\xC2\x1C\xA0\x18\x7F\x91\xB5\x87\xB9\x40\x3F\xDD\x1D\x68\x1F\x08\x83\xD5\x2D\x1E\x88\xA0\xF8\x8F\x56\x8F\x6D\x99\x02\x92\x90\x16\xD5\x5F\x08\x6C\x89\xD7\xE1\xAC\xBC\x20\xC2\xB1\xE0\x83\x51\x8A\x69\x4D\x
00\x96\x5A\x6F\x2F\xC0\x44\x7E\xA3\x0E\xE4\x91\xCD\x58\xEE\xDC\xFB\xC7\x1E\x45\x47\xDD\x27\xB9\x08\x01\x9F\xA6\x21\x1D\xF5\x41\x2D\x2F\x4C\xFD\x28\xAD\xE0\x8A\xAD\x22\xB4\x56\x65\x8E\x86\x54\x8F\x93\x43\x29\xDE\x39\x46\x78\xA3\x30\x23\xBA\xCD\xF0\x7D\x13\x57\xC0\x5D\xD2\x83\x6B\x48\x4C\xC4\xAB\x9F\x80\x5A\x5B\x3A\xBD\xC9\xA7\x22\x3F\x80\x27\x33\x5B\x0E\xB7\x8A\x0C\x5D\x07\x37\x08\xCB\x6C\xD2\x7A\x47\x22\x44\x35\xC5\xCC\xCC\x2E\x8E\xDD\x2A\xED\xB7\x7D\x66\x0D\x5F\x61\x51\x22\x55\x1B\xE3\x46\xE3\xE3\x3D\xD0\x35\x62\x9A\xDB\xAF\x14\xC8\x5B\xA1\xCC\x89\x1B\xE1\x30\x26\xFC\xA0\x9B\x1F\x81\xA7\x47\x1F\x04\xEB\xA3\x39\x92\x06\x9F\x99\xD3\xBF\xD3\xEA\x4F\x50\x9C\x19\xFE\x96\x87\x1E\x3C\x65\xF6\xA3\x18\x24\x83\x86\x10\xE7\x54\x3E\xA8\x3A\x76\x24\x4F\x81\x21\xC5\xE3\x0F\x02\xF8\x93\x94\x47\x20\xBB\xFE\xD4\x0E\xD3\x68\xB9\xDD\xC4\x7A\x84\x82\xE3\x53\x54\x79\xDD\xDB\x9C\xD2\xF2\x07\x9B\x2E\xB6\xBC\x3E\xED\x85\x6D\xEF\x25\x11\xF2\x97\x1A\x42\x61\xF7\x4A\x97\xE8\x8B\xB1\x10\x07\xFA\x65\x81\xB2\xA2\x39\xCF\xF7\x3C\xFF\x18\xFB\xC6\xF1\x5A\x8B\x59\xE2\x02\xAC\x7B\x92\xD0\x4E\x14\x4F\x59\x45\xF6\x0C\x5E\x28\x5F\xB0\xE8\x3F\x45\xCF\xCF\xAF\x9B\x6F\xFB\x84\xD3\x77\x5A\x95\x6F\xAC\x94\x84\x9E\xEE\xBC\xC0\x4A\x8F\x4A\x93\xF8\x44\x21\xE2\x31\x45\x61\x50\x4E\x10\xD8\xE3\x35\x7C\x4C\x19\xB4\xDE\x05\xBF\xA3\x06\x9F\xC8\xB5\xCD\xE4\x1F\xD7\x17\x06\x0D\x7A\x95\x74\x55\x0D\x68\x1A\xFC\x10\x1B\x62\x64\x9D\x6D\xE0\x95\xA0\xC3\x94\x07\x57\x0D\x14\xE6\xBD\x05\xFB\xB8\x9F\xE6\xDF\x8B\xE2\xC6\xE7\x7E\x96\xF6\x53\xC5\x80\x34\x50\x28\x58\xF0\x12\x50\x71\x17\x30\xBA\xE6\x78\x63\xBC\xF4\xB2\xAD\x9B\x2B\xB2\xFE\xE1\x39\x8C\x5E\xBA\x0B\x20\x94\xDE\x7B\x83\xB8\xFF\xE3\x56\x8D\xB7\x11\xE9\x3B\x8C\xF2\xB1\xC1\x5D\x9D\xA4\x0B\x4C\x2B\xD9\xB2\x18\xF5\xB5\x9F\x4B\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x52\xD8\x88\x3A\xC8\x9F\x78\x66\xED\x89\xF3\x7B\x38\x70\x94\xC9\x02\x02\x36\xD0\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x
23\x04\x18\x30\x16\x80\x14\x52\xD8\x88\x3A\xC8\x9F\x78\x66\xED\x89\xF3\x7B\x38\x70\x94\xC9\x02\x02\x36\xD0\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x0B\x7B\x72\x87\xC0\x60\xA6\x49\x4C\x88\x58\xE6\x1D\x88\xF7\x14\x64\x48\xA6\xD8\x58\x0A\x0E\x4F\x13\x35\xDF\x35\x1D\xD4\xED\x06\x31\xC8\x81\x3E\x6A\xD5\xDD\x3B\x1A\x32\xEE\x90\x3D\x11\xD2\x2E\xF4\x8E\xC3\x63\x2E\x23\x66\xB0\x67\xBE\x6F\xB6\xC0\x13\x39\x60\xAA\xA2\x34\x25\x93\x75\x52\xDE\xA7\x9D\xAD\x0E\x87\x89\x52\x71\x6A\x16\x3C\x19\x1D\x83\xF8\x9A\x29\x65\xBE\xF4\x3F\x9A\xD9\xF0\xF3\x5A\x87\x21\x71\x80\x4D\xCB\xE0\x38\x9B\x3F\xBB\xFA\xE0\x30\x4D\xCF\x86\xD3\x65\x10\x19\x18\xD1\x97\x02\xB1\x2B\x72\x42\x68\xAC\xA0\xBD\x4E\x5A\xDA\x18\xBF\x6B\x98\x81\xD0\xFD\x9A\xBE\x5E\x15\x48\xCD\x11\x15\xB9\xC0\x29\x5C\xB4\xE8\x88\xF7\x3E\x36\xAE\xB7\x62\xFD\x1E\x62\xDE\x70\x78\x10\x1C\x48\x5B\xDA\xBC\xA4\x38\xBA\x67\xED\x55\x3E\x5E\x57\xDF\xD4\x03\x40\x4C\x81\xA4\xD2\x4F\x63\xA7\x09\x42\x09\x14\xFC\x00\xA9\xC2\x80\x73\x4F\x2E\xC0\x40\xD9\x11\x7B\x48\xEA\x7A\x02\xC0\xD3\xEB\x28\x01\x26\x58\x74\xC1\xC0\x73\x22\x6D\x93\x95\xFD\x39\x7D\xBB\x2A\xE3\xF6\x82\xE3\x2C\x97\x5F\x4E\x1F\x91\x94\xFA\xFE\x2C\xA3\xD8\x76\x1A\xB8\x4D\xB2\x38\x4F\x9B\xFA\x1D\x48\x60\x79\x26\xE2\xF3\xFD\xA9\xD0\x9A\xE8\x70\x8F\x49\x7A\xD6\xE5\xBD\x0A\x0E\xDB\x2D\xF3\x8D\xBF\xEB\xE3\xA4\x7D\xCB\xC7\x95\x71\xE8\xDA\xA3\x7C\xC5\xC2\xF8\x74\x92\x04\x1B\x86\xAC\xA4\x22\x53\x40\xB6\xAC\xFE\x4C\x76\xCF\xFB\x94\x32\xC0\x35\x9F\x76\x3F\x6E\xE5\x90\x6E\xA0\xA6\x26\xA2\xB8\x2C\xBE\xD1\x2B\x85\xFD\xA7\x68\xC8\xBA\x01\x2B\xB1\x6C\x74\x1D\xB8\x73\x95\xE7\xEE\xB7\xC7\x25\xF0\x00\x4C\x00\xB2\x7E\xB6\x0B\x8B\x1C\xF3\xC0\x50\x9E\x25\xB9\xE0\x08\xDE\x36\x66\xFF\x37\xA5\xD1\xBB\x54\x64\x2C\xC9\x27\xB5\x4B\x92\x7E\x65\xFF\xD3\x2D\xE1\xB9\x4E\xBC\x7F\xA4\x41\x21\x90\x41\x77\xA6\x39\x1F\xEA\x9E\xE3\x9F\xD0\x66\x6F\x05\xEC\xAA\x76\x7E\xBF\x6B\x16\xA0\xEB\xB5\xC7\xFC\x92\x54\x2F\x2B\x11\x27\x
25\x37\x78\x4C\x51\x6A\xB0\xF3\xCC\x58\x5D\x14\xF1\x6A\x48\x15\xFF\xC2\x07\xB6\xB1\x8D\x0F\x8E\x5C\x50\x46\xB3\x3D\xBF\x01\x98\x4F\xB2\x59\x54\x47\x3E\x34\x7B\x78\x6D\x56\x93\x2E\x73\xEA\x66\x28\x78\xCD\x1D\x14\xBF\xA0\x8F\x2F\x2E\xB8\x2E\x8E\xF2\x14\x8A\xCC\xE9\xB5\x7C\xFB\x6C\x9D\x0C\xA5\xE1\x96", ["OU=Trustis FPS Root CA,O=Trustis Limited,C=GB"] = "\x30\x82\x03\x67\x30\x82\x02\x4F\xA0\x03\x02\x01\x02\x02\x10\x1B\x1F\xAD\xB6\x20\xF9\x24\xD3\x36\x6B\xF7\xC7\xF1\x8C\xA0\x59\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x54\x72\x75\x73\x74\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1C\x30\x1A\x06\x03\x55\x04\x0B\x13\x13\x54\x72\x75\x73\x74\x69\x73\x20\x46\x50\x53\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x33\x31\x32\x32\x33\x31\x32\x31\x34\x30\x36\x5A\x17\x0D\x32\x34\x30\x31\x32\x31\x31\x31\x33\x36\x35\x34\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x54\x72\x75\x73\x74\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1C\x30\x1A\x06\x03\x55\x04\x0B\x13\x13\x54\x72\x75\x73\x74\x69\x73\x20\x46\x50\x53\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC5\x50\x7B\x9E\x3B\x35\xD0\xDF\xC4\x8C\xCD\x8E\x9B\xED\xA3\xC0\x36\x99\xF4\x42\xEA\xA7\x3E\x80\x83\x0F\xA6\xA7\x59\x87\xC9\x90\x45\x43\x7E\x00\xEA\x86\x79\x2A\x03\xBD\x3D\x37\x99\x89\x66\xB7\xE5\x8A\x56\x86\x93\x9C\x68\x4B\x68\x04\x8C\x93\x93\x02\x3E\x30\xD2\x37\x3A\x22\x61\x89\x1C\x85\x4E\x7D\x8F\xD5\xAF\x7B\x35\xF6\x7E\x28\x47\x89\x31\xDC\x0E\x79\x64\x1F\x99\xD2\x5B\xBA\xFE\x7F\x60\xBF\xAD\xEB\xE7\x3C\x38\x29\x6A\x2F\xE5\x91\x0B\x55\xFF\xEC\x6F\x58\xD5\x2D\xC9\xDE\x4C\x66\x71\x8F\x0C\xD7\x04\xDA\x07\xE6\x1E\x18\xE3\xBD\x29\x02\xA8\xFA\x1C\xE1\x5B\xB9\x83\xA8\x41\x48\xBC\x1A\x71\x8D\xE7\x62\xE5\x2D\xB2\xEB\xDF\x7C\xCF\xDB\x
AB\x5A\xCA\x31\xF1\x4C\x22\xF3\x05\x13\xF7\x82\xF9\x73\x79\x0C\xBE\xD7\x4B\x1C\xC0\xD1\x15\x3C\x93\x41\x64\xD1\xE6\xBE\x23\x17\x22\x00\x89\x5E\x1F\x6B\xA5\xAC\x6E\xA7\x4B\x8C\xED\xA3\x72\xE6\xAF\x63\x4D\x2F\x85\xD2\x14\x35\x9A\x2E\x4E\x8C\xEA\x32\x98\x28\x86\xA1\x91\x09\x41\x3A\xB4\xE1\xE3\xF2\xFA\xF0\xC9\x0A\xA2\x41\xDD\xA9\xE3\x03\xC7\x88\x15\x3B\x1C\xD4\x1A\x94\xD7\x9F\x64\x59\x12\x6D\x02\x03\x01\x00\x01\xA3\x53\x30\x51\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xBA\xFA\x71\x25\x79\x8B\x57\x41\x25\x21\x86\x0B\x71\xEB\xB2\x64\x0E\x8B\x21\x67\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xBA\xFA\x71\x25\x79\x8B\x57\x41\x25\x21\x86\x0B\x71\xEB\xB2\x64\x0E\x8B\x21\x67\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x7E\x58\xFF\xFD\x35\x19\x7D\x9C\x18\x4F\x9E\xB0\x2B\xBC\x8E\x8C\x14\xFF\x2C\xA0\xDA\x47\x5B\xC3\xEF\x81\x2D\xAF\x05\xEA\x74\x48\x5B\xF3\x3E\x4E\x07\xC7\x6D\xC5\xB3\x93\xCF\x22\x35\x5C\xB6\x3F\x75\x27\x5F\x09\x96\xCD\xA0\xFE\xBE\x40\x0C\x5C\x12\x55\xF8\x93\x82\xCA\x29\xE9\x5E\x3F\x56\x57\x8B\x38\x36\xF7\x45\x1A\x4C\x28\xCD\x9E\x41\xB8\xED\x56\x4C\x84\xA4\x40\xC8\xB8\xB0\xA5\x2B\x69\x70\x04\x6A\xC3\xF8\xD4\x12\x32\xF9\x0E\xC3\xB1\xDC\x32\x84\x44\x2C\x6F\xCB\x46\x0F\xEA\x66\x41\x0F\x4F\xF1\x58\xA5\xA6\x0D\x0D\x0F\x61\xDE\xA5\x9E\x5D\x7D\x65\xA1\x3C\x17\xE7\xA8\x55\x4E\xEF\xA0\xC7\xED\xC6\x44\x7F\x54\xF5\xA3\xE0\x8F\xF0\x7C\x55\x22\x8F\x29\xB6\x81\xA3\xE1\x6D\x4E\x2C\x1B\x80\x67\xEC\xAD\x20\x9F\x0C\x62\x61\xD5\x97\xFF\x43\xED\x2D\xC1\xDA\x5D\x29\x2A\x85\x3F\xAC\x65\xEE\x86\x0F\x05\x8D\x90\x5F\xDF\xEE\x9F\xF4\xBF\xEE\x1D\xFB\x98\xE4\x7F\x90\x2B\x84\x78\x10\x0E\x6C\x49\x53\xEF\x15\x5B\x65\x46\x4A\x5D\xAF\xBA\xFB\x3A\x72\x1D\xCD\xF6\x25\x88\x1E\x97\xCC\x21\x9C\x29\x01\x0D\x65\xEB\x57\xD9\xF3\x57\x96\xBB\x48\xCD\x81", - ["CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL"] = 
"\x30\x82\x05\x63\x30\x82\x03\x4B\xA0\x03\x02\x01\x02\x02\x01\x3B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x53\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x4C\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x4C\x74\x64\x2E\x31\x2C\x30\x2A\x06\x03\x55\x04\x03\x13\x23\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x47\x32\x30\x1E\x17\x0D\x31\x30\x30\x31\x30\x31\x30\x31\x30\x30\x30\x31\x5A\x17\x0D\x33\x39\x31\x32\x33\x31\x32\x33\x35\x39\x30\x31\x5A\x30\x53\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x4C\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x4C\x74\x64\x2E\x31\x2C\x30\x2A\x06\x03\x55\x04\x03\x13\x23\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x47\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xB6\x89\x36\x5B\x07\xB7\x20\x36\xBD\x82\xBB\xE1\x16\x20\x03\x95\x7A\xAF\x0E\xA3\x55\xC9\x25\x99\x4A\xC5\xD0\x56\x41\x87\x90\x4D\x21\x60\xA4\x14\x87\x3B\xCD\xFD\xB2\x3E\xB4\x67\x03\x6A\xED\xE1\x0F\x4B\xC0\x91\x85\x70\x45\xE0\x42\x9E\xDE\x29\x23\xD4\x01\x0D\xA0\x10\x79\xB8\xDB\x03\xBD\xF3\xA9\x2F\xD1\xC6\xE0\x0F\xCB\x9E\x8A\x14\x0A\xB8\xBD\xF6\x56\x62\xF1\xC5\x72\xB6\x32\x25\xD9\xB2\xF3\xBD\x65\xC5\x0D\x2C\x6E\xD5\x92\x6F\x18\x8B\x00\x41\x14\x82\x6F\x40\x20\x26\x7A\x28\x0F\xF5\x1E\x7F\x27\xF7\x94\xB1\x37\x3D\xB7\xC7\x91\xF7\xE2\x01\xEC\xFD\x94\x89\xE1\xCC\x6E\xD3\x36\xD6\x0A\x19\x79\xAE\xD7\x34\x82\x65\xFF\x7C\x42\xBB\xB6\xDD\x0B\xA6\x34\xAF\x4B\x60\xFE\x7F\x43\x49\x06\x8B\x8C\x43\xB8\x56\xF2\xD9\x7F\x21\x43\x17\xEA\xA7\x48\x95\x01\x75\x75\xEA\x2B\xA5\x43\x95\xEA\x15\x84\x9D\x08\x8D\x26\x6E\x55\x9B\xAB\xDC\xD2\x39\xD2\x31\x1D\x60\xE2\xAC\xCC\x56\x45\x24\xF5\x1C\x54\xAB\xEE\x86\xDD\x96\x32\x85\xF8\x4C\x4F\xE8\x95\x76\xB6\x0
5\xDD\x36\x23\x67\xBC\xFF\x15\xE2\xCA\x3B\xE6\xA6\xEC\x3B\xEC\x26\x11\x34\x48\x8D\xF6\x80\x2B\x1A\x23\x02\xEB\x8A\x1C\x3A\x76\x2A\x7B\x56\x16\x1C\x72\x2A\xB3\xAA\xE3\x60\xA5\x00\x9F\x04\x9B\xE2\x6F\x1E\x14\x58\x5B\xA5\x6C\x8B\x58\x3C\xC3\xBA\x4E\x3A\x5C\xF7\xE1\x96\x2B\x3E\xEF\x07\xBC\xA4\xE5\x5D\xCC\x4D\x9F\x0D\xE1\xDC\xAA\xBB\xE1\x6E\x1A\xEC\x8F\xE1\xB6\x4C\x4D\x79\x72\x5D\x17\x35\x0B\x1D\xD7\xC1\x47\xDA\x96\x24\xE0\xD0\x72\xA8\x5A\x5F\x66\x2D\x10\xDC\x2F\x2A\x13\xAE\x26\xFE\x0A\x1C\x19\xCC\xD0\x3E\x0B\x9C\xC8\x09\x2E\xF9\x5B\x96\x7A\x47\x9C\xE9\x7A\xF3\x05\x50\x74\x95\x73\x9E\x30\x09\xF3\x97\x82\x5E\xE6\x8F\x39\x08\x1E\x59\xE5\x35\x14\x42\x13\xFF\x00\x9C\xF7\xBE\xAA\x50\xCF\xE2\x51\x48\xD7\xB8\x6F\xAF\xF8\x4E\x7E\x33\x98\x92\x14\x62\x3A\x75\x63\xCF\x7B\xFA\xDE\x82\x3B\xA9\xBB\x39\xE2\xC4\xBD\x2C\x00\x0E\xC8\x17\xAC\x13\xEF\x4D\x25\x8E\xD8\xB3\x90\x2F\xA9\xDA\x29\x7D\x1D\xAF\x74\x3A\xB2\x27\xC0\xC1\x1E\x3E\x75\xA3\x16\xA9\xAF\x7A\x22\x5D\x9F\x13\x1A\xCF\xA7\xA0\xEB\xE3\x86\x0A\xD3\xFD\xE6\x96\x95\xD7\x23\xC8\x37\xDD\xC4\x7C\xAA\x36\xAC\x98\x1A\x12\xB1\xE0\x4E\xE8\xB1\x3B\xF5\xD6\x6F\xF1\x30\xD7\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x4B\xC5\xB4\x40\x6B\xAD\x1C\xB3\xA5\x1C\x65\x6E\x46\x36\x89\x87\x05\x0C\x0E\xB6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x73\x57\x3F\x2C\xD5\x95\x32\x7E\x37\xDB\x96\x92\xEB\x19\x5E\x7E\x53\xE7\x41\xEC\x11\xB6\x47\xEF\xB5\xDE\xED\x74\x5C\xC5\xF1\x8E\x49\xE0\xFC\x6E\x99\x13\xCD\x9F\x8A\xDA\xCD\x3A\x0A\xD8\x3A\x5A\x09\x3F\x5F\x34\xD0\x2F\x03\xD2\x66\x1D\x1A\xBD\x9C\x90\x37\xC8\x0C\x8E\x07\x5A\x94\x45\x46\x2A\xE6\xBE\x7A\xDA\xA1\xA9\xA4\x69\x12\x92\xB0\x7D\x36\xD4\x44\x87\xD7\x51\xF1\x29\x63\xD6\x75\xCD\x16\xE4\x27\x89\x1D\xF8\xC2\x32\x48\xFD\xDB\x99\xD0\x8F\x5F\x54\x74\xCC\xAC\x67\x34\x11\x62\xD9\x0C\x0A\x37\x87\xD1\xA3\x17\x48\x8
E\xD2\x17\x1D\xF6\xD7\xFD\xDB\x65\xEB\xFD\xA8\xD4\xF5\xD6\x4F\xA4\x5B\x75\xE8\xC5\xD2\x60\xB2\xDB\x09\x7E\x25\x8B\x7B\xBA\x52\x92\x9E\x3E\xE8\xC5\x77\xA1\x3C\xE0\x4A\x73\x6B\x61\xCF\x86\xDC\x43\xFF\xFF\x21\xFE\x23\x5D\x24\x4A\xF5\xD3\x6D\x0F\x62\x04\x05\x57\x82\xDA\x6E\xA4\x33\x25\x79\x4B\x2E\x54\x19\x8B\xCC\x2C\x3D\x30\xE9\xD1\x06\xFF\xE8\x32\x46\xBE\xB5\x33\x76\x77\xA8\x01\x5D\x96\xC1\xC1\xD5\xBE\xAE\x25\xC0\xC9\x1E\x0A\x09\x20\x88\xA1\x0E\xC9\xF3\x6F\x4D\x82\x54\x00\x20\xA7\xD2\x8F\xE4\x39\x54\x17\x2E\x8D\x1E\xB8\x1B\xBB\x1B\xBD\x9A\x4E\x3B\x10\x34\xDC\x9C\x88\x53\xEF\xA2\x31\x5B\x58\x4F\x91\x62\xC8\xC2\x9A\x9A\xCD\x15\x5D\x38\xA9\xD6\xBE\xF8\x13\xB5\x9F\x12\x69\xF2\x50\x62\xAC\xFB\x17\x37\xF4\xEE\xB8\x75\x67\x60\x10\xFB\x83\x50\xF9\x44\xB5\x75\x9C\x40\x17\xB2\xFE\xFD\x79\x5D\x6E\x58\x58\x5F\x30\xFC\x00\xAE\xAF\x33\xC1\x0E\x4E\x6C\xBA\xA7\xA6\xA1\x7F\x32\xDB\x38\xE0\xB1\x72\x17\x0A\x2B\x91\xEC\x6A\x63\x26\xED\x89\xD4\x78\xCC\x74\x1E\x05\xF8\x6B\xFE\x8C\x6A\x76\x39\x29\xAE\x65\x23\x12\x95\x08\x22\x1C\x97\xCE\x5B\x06\xEE\x0C\xE2\xBB\xBC\x1F\x44\x93\xF6\xD8\x38\x45\x05\x21\xED\xE4\xAD\xAB\x12\xB6\x03\xA4\x42\x2E\x2D\xC4\x09\x3A\x03\x67\x69\x84\x9A\xE1\x59\x90\x8A\x28\x85\xD5\x5D\x74\xB1\xD1\x0E\x20\x58\x9B\x13\xA5\xB0\x63\xA6\xED\x7B\x47\xFD\x45\x55\x30\xA4\xEE\x9A\xD4\xE6\xE2\x87\xEF\x98\xC9\x32\x82\x11\x29\x22\xBC\x00\x0A\x31\x5E\x2D\x0F\xC0\x8E\xE9\x6B\xB2\x8F\x2E\x06\xD8\xD1\x91\xC7\xC6\x12\xF4\x4C\xFD\x30\x17\xC3\xC1\xDA\x38\x5B\xE3\xA9\xEA\xE6\xA1\xBA\x79\xEF\x73\xD8\xB6\x53\x57\x2D\xF6\xD0\xE1\xD7\x48", ["CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO"] = 
"\x30\x82\x05\x59\x30\x82\x03\x41\xA0\x03\x02\x01\x02\x02\x01\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x31\x30\x31\x30\x32\x36\x30\x38\x33\x38\x30\x33\x5A\x17\x0D\x34\x30\x31\x30\x32\x36\x30\x38\x33\x38\x30\x33\x5A\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD7\xC7\x5E\xF7\xC1\x07\xD4\x77\xFB\x43\x21\xF4\xF4\xF5\x69\xE4\xEE\x32\x01\xDB\xA3\x86\x1F\xE4\x59\x0D\xBA\xE7\x75\x83\x52\xEB\xEA\x1C\x61\x15\x48\xBB\x1D\x07\xCA\x8C\xAE\xB0\xDC\x96\x9D\xEA\xC3\x60\x92\x86\x82\x28\x73\x9C\x56\x06\xFF\x4B\x64\xF0\x0C\x2A\x37\x49\xB5\xE5\xCF\x0C\x7C\xEE\xF1\x4A\xBB\x73\x30\x65\xF3\xD5\x2F\x83\xB6\x7E\xE3\xE7\xF5\x9E\xAB\x60\xF9\xD3\xF1\x9D\x92\x74\x8A\xE4\x1C\x96\xAC\x5B\x80\xE9\xB5\xF4\x31\x87\xA3\x51\xFC\xC7\x7E\xA1\x6F\x8E\x53\x77\xD4\x97\xC1\x55\x33\x92\x3E\x18\x2F\x75\xD4\xAD\x86\x49\xCB\x95\xAF\x54\x06\x6C\xD8\x06\x13\x8D\x5B\xFF\xE1\x26\x19\x59\xC0\x24\xBA\x81\x71\x79\x90\x44\x50\x68\x24\x94\x5F\xB8\xB3\x11\xF1\x29\x41\x61\xA3\x41\xCB\x23\x36\xD5\xC1\xF1\x32\x50\x10\x4E\x7F\xF4\x86\x93\xEC\x84\xD3\x8E\xBC\x4B\xBF\x5C\x01\x4E\x07\x3D\xDC\x14\x8A\x94\x0A\xA4\xEA\x73\xFB\x0B\x51\xE8\x13\x07\x18\xFA\x0E\xF1\x2B\xD1\x54\x15\x7D\x3C\xE1\xF7\xB4\x19\x42\x67\x62\x5E\x77\xE0\xA2\x55\xEC\xB6\xD9\x69\x17\xD5\x3A\xAF\x44\xED\x4A\xC
5\x9E\xE4\x7A\x27\x7C\xE5\x75\xD7\xAA\xCB\x25\xE7\xDF\x6B\x0A\xDB\x0F\x4D\x93\x4E\xA8\xA0\xCD\x7B\x2E\xF2\x59\x01\x6A\xB7\x0D\xB8\x07\x81\x7E\x8B\x38\x1B\x38\xE6\x0A\x57\x99\x3D\xEE\x21\xE8\xA3\xF5\x0C\x16\xDD\x8B\xEC\x34\x8E\x9C\x2A\x1C\x00\x15\x17\x8D\x68\x83\xD2\x70\x9F\x18\x08\xCD\x11\x68\xD5\xC9\x6B\x52\xCD\xC4\x46\x8F\xDC\xB5\xF3\xD8\x57\x73\x1E\xE9\x94\x39\x04\xBF\xD3\xDE\x38\xDE\xB4\x53\xEC\x69\x1C\xA2\x7E\xC4\x8F\xE4\x1B\x70\xAD\xF2\xA2\xF9\xFB\xF7\x16\x64\x66\x69\x9F\x49\x51\xA2\xE2\x15\x18\x67\x06\x4A\x7F\xD5\x6C\xB5\x4D\xB3\x33\xE0\x61\xEB\x5D\xBE\xE9\x98\x0F\x32\xD7\x1D\x4B\x3C\x2E\x5A\x01\x52\x91\x09\xF2\xDF\xEA\x8D\xD8\x06\x40\x63\xAA\x11\xE4\xFE\xC3\x37\x9E\x14\x52\x3F\xF4\xE2\xCC\xF2\x61\x93\xD1\xFD\x67\x6B\xD7\x52\xAE\xBF\x68\xAB\x40\x43\xA0\x57\x35\x53\x78\xF0\x53\xF8\x61\x42\x07\x64\xC6\xD7\x6F\x9B\x4C\x38\x0D\x63\xAC\x62\xAF\x36\x8B\xA2\x73\x0A\x0D\xF5\x21\xBD\x74\xAA\x4D\xEA\x72\x03\x49\xDB\xC7\x5F\x1D\x62\x63\xC7\xFD\xDD\x91\xEC\x33\xEE\xF5\x6D\xB4\x6E\x30\x68\xDE\xC8\xD6\x26\xB0\x75\x5E\x7B\xB4\x07\x20\x98\xA1\x76\x32\xB8\x4D\x6C\x4F\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC9\x80\x77\xE0\x62\x92\x82\xF5\x46\x9C\xF3\xBA\xF7\x4C\xC3\xDE\xB8\xA3\xAD\x39\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x53\x5F\x21\xF5\xBA\xB0\x3A\x52\x39\x2C\x92\xB0\x6C\x00\xC9\xEF\xCE\x20\xEF\x06\xF2\x96\x9E\xE9\xA4\x74\x7F\x7A\x16\xFC\xB7\xF5\xB6\xFB\x15\x1B\x3F\xAB\xA6\xC0\x72\x5D\x10\xB1\x71\xEE\xBC\x4F\xE3\xAD\xAC\x03\x6D\x2E\x71\x2E\xAF\xC4\xE3\xAD\xA3\xBD\x0C\x11\xA7\xB4\xFF\x4A\xB2\x7B\x10\x10\x1F\xA7\x57\x41\xB2\xC0\xAE\xF4\x2C\x59\xD6\x47\x10\x88\xF3\x21\x51\x29\x30\xCA\x60\x86\xAF\x46\xAB\x1D\xED\x3A\x5B\xB0\x94\xDE\x44\xE3\x41\x08\xA2\xC1\xEC\x1D\xD6\xFD\x4F\xB6\xD6\x47\xD0\x14\x0B\xCA\xE6\xCA\xB5\x7B\x77\x7E\x41\x1F\x5E\x83\xC7\xB6\x8C\x39\x96\xB0\x3
F\x96\x81\x41\x6F\x60\x90\xE2\xE8\xF9\xFB\x22\x71\xD9\x7D\xB3\x3D\x46\xBF\xB4\x84\xAF\x90\x1C\x0F\x8F\x12\x6A\xAF\xEF\xEE\x1E\x7A\xAE\x02\x4A\x8A\x17\x2B\x76\xFE\xAC\x54\x89\x24\x2C\x4F\x3F\xB6\xB2\xA7\x4E\x8C\xA8\x91\x97\xFB\x29\xC6\x7B\x5C\x2D\xB9\xCB\x66\xB6\xB7\xA8\x5B\x12\x51\x85\xB5\x09\x7E\x62\x78\x70\xFE\xA9\x6A\x60\xB6\x1D\x0E\x79\x0C\xFD\xCA\xEA\x24\x80\x72\xC3\x97\x3F\xF2\x77\xAB\x43\x22\x0A\xC7\xEB\xB6\x0C\x84\x82\x2C\x80\x6B\x41\x8A\x08\xC0\xEB\xA5\x6B\xDF\x99\x12\xCB\x8A\xD5\x5E\x80\x0C\x91\xE0\x26\x08\x36\x48\xC5\xFA\x38\x11\x35\xFF\x25\x83\x2D\xF2\x7A\xBF\xDA\xFD\x8E\xFE\xA5\xCB\x45\x2C\x1F\xC4\x88\x53\xAE\x77\x0E\xD9\x9A\x76\xC5\x8E\x2C\x1D\xA3\xBA\xD5\xEC\x32\xAE\xC0\xAA\xAC\xF7\xD1\x7A\x4D\xEB\xD4\x07\xE2\x48\xF7\x22\x8E\xB0\xA4\x9F\x6A\xCE\x8E\xB2\xB2\x60\xF4\xA3\x22\xD0\x23\xEB\x94\x5A\x7A\x69\xDD\x0F\xBF\x40\x57\xAC\x6B\x59\x50\xD9\xA3\x99\xE1\x6E\xFE\x8D\x01\x79\x27\x23\x15\xDE\x92\x9D\x7B\x09\x4D\x5A\xE7\x4B\x48\x30\x5A\x18\xE6\x0A\x6D\xE6\x8F\xE0\xD2\xBB\xE6\xDF\x7C\x6E\x21\x82\xC1\x68\x39\x4D\xB4\x98\x58\x66\x62\xCC\x4A\x90\x5E\xC3\xFA\x27\x04\xB1\x79\x15\x74\x99\xCC\xBE\xAD\x20\xDE\x26\x60\x1C\xEB\x56\x51\xA6\xA3\xEA\xE4\xA3\x3F\xA7\xFF\x61\xDC\xF1\x5A\x4D\x6C\x32\x23\x43\xEE\xAC\xA8\xEE\xEE\x4A\x12\x09\x3C\x5D\x71\xC2\xBE\x79\xFA\xC2\x87\x68\x1D\x0B\xFD\x5C\x69\xCC\x06\xD0\x9A\x7D\x54\x99\x2A\xC9\x39\x1A\x19\xAF\x4B\x2A\x43\xF3\x63\x5D\x5A\x58\xE2\x2F\xE3\x1D\xE4\xA9\xD6\xD0\x0A\xD0\x9E\xBF\xD7\x81\x09\xF1\xC9\xC7\x26\x0D\xAC\x98\x16\x56\xA0", ["CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO"] = 
"\x30\x82\x05\x59\x30\x82\x03\x41\xA0\x03\x02\x01\x02\x02\x01\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x31\x30\x31\x30\x32\x36\x30\x38\x32\x38\x35\x38\x5A\x17\x0D\x34\x30\x31\x30\x32\x36\x30\x38\x32\x38\x35\x38\x5A\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xA5\xDA\x0A\x95\x16\x50\xE3\x95\xF2\x5E\x9D\x76\x31\x06\x32\x7A\x9B\xF1\x10\x76\xB8\x00\x9A\xB5\x52\x36\xCD\x24\x47\xB0\x9F\x18\x64\xBC\x9A\xF6\xFA\xD5\x79\xD8\x90\x62\x4C\x22\x2F\xDE\x38\x3D\xD6\xE0\xA8\xE9\x1C\x2C\xDB\x78\x11\xE9\x8E\x68\x51\x15\x72\xC7\xF3\x33\x87\xE4\xA0\x5D\x0B\x5C\xE0\x57\x07\x2A\x30\xF5\xCD\xC4\x37\x77\x28\x4D\x18\x91\xE6\xBF\xD5\x52\xFD\x71\x2D\x70\x3E\xE7\xC6\xC4\x8A\xE3\xF0\x28\x0B\xF4\x76\x98\xA1\x8B\x87\x55\xB2\x3A\x13\xFC\xB7\x3E\x27\x37\x8E\x22\xE3\xA8\x4F\x2A\xEF\x60\xBB\x3D\xB7\x39\xC3\x0E\x01\x47\x99\x5D\x12\x4F\xDB\x43\xFA\x57\xA1\xED\xF9\x9D\xBE\x11\x47\x26\x5B\x13\x98\xAB\x5D\x16\x8A\xB0\x37\x1C\x57\x9D\x45\xFF\x88\x96\x36\xBF\xBB\xCA\x07\x7B\x6F\x87\x63\xD7\xD0\x32\x6A\xD6\x5D\x6C\x0C\xF1\xB3\x6E\x39\xE2\x6B\x31\x2E\x39\x00\x27\x14\xDE\x38\xC0\xEC\x19\x66\x86\x12\xE8\x9D\x72\x16\x13\x64\x52\xC7\xA9\x37\x1C\xFD\x82\x30\xED\x84\x18\x1D\xF4\xAE\x5C\xFF\x70\x13\x00\xEB\xB1\xF5\x33\x7A\x4B\xD6\x55\xF8\x05\x8D\x4B\x69\xB0\xF5\xB
3\x28\x36\x5C\x14\xC4\x51\x73\x4D\x6B\x0B\xF1\x34\x07\xDB\x17\x39\xD7\xDC\x28\x7B\x6B\xF5\x9F\xF3\x2E\xC1\x4F\x17\x2A\x10\xF3\xCC\xCA\xE8\xEB\xFD\x6B\xAB\x2E\x9A\x9F\x2D\x82\x6E\x04\xD4\x52\x01\x93\x2D\x3D\x86\xFC\x7E\xFC\xDF\xEF\x42\x1D\xA6\x6B\xEF\xB9\x20\xC6\xF7\xBD\xA0\xA7\x95\xFD\xA7\xE6\x89\x24\xD8\xCC\x8C\x34\x6C\xE2\x23\x2F\xD9\x12\x1A\x21\xB9\x55\x91\x6F\x0B\x91\x79\x19\x0C\xAD\x40\x88\x0B\x70\xE2\x7A\xD2\x0E\xD8\x68\x48\xBB\x82\x13\x39\x10\x58\xE9\xD8\x2A\x07\xC6\x12\xDB\x58\xDB\xD2\x3B\x55\x10\x47\x05\x15\x67\x62\x7E\x18\x63\xA6\x46\x3F\x09\x0E\x54\x32\x5E\xBF\x0D\x62\x7A\x27\xEF\x80\xE8\xDB\xD9\x4B\x06\x5A\x37\x5A\x25\xD0\x08\x12\x77\xD4\x6F\x09\x50\x97\x3D\xC8\x1D\xC3\xDF\x8C\x45\x30\x56\xC6\xD3\x64\xAB\x66\xF3\xC0\x5E\x96\x9C\xC3\xC4\xEF\xC3\x7C\x6B\x8B\x3A\x79\x7F\xB3\x49\xCF\x3D\xE2\x89\x9F\xA0\x30\x4B\x85\xB9\x9C\x94\x24\x79\x8F\x7D\x6B\xA9\x45\x68\x0F\x2B\xD0\xF1\xDA\x1C\xCB\x69\xB8\xCA\x49\x62\x6D\xC8\xD0\x63\x62\xDD\x60\x0F\x58\xAA\x8F\xA1\xBC\x05\xA5\x66\xA2\xCF\x1B\x76\xB2\x84\x64\xB1\x4C\x39\x52\xC0\x30\xBA\xF0\x8C\x4B\x02\xB0\xB6\xB7\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x47\xB8\xCD\xFF\xE5\x6F\xEE\xF8\xB2\xEC\x2F\x4E\x0E\xF9\x25\xB0\x8E\x3C\x6B\xC3\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x00\x20\x23\x41\x35\x04\x90\xC2\x40\x62\x60\xEF\xE2\x35\x4C\xD7\x3F\xAC\xE2\x34\x90\xB8\xA1\x6F\x76\xFA\x16\x16\xA4\x48\x37\x2C\xE9\x90\xC2\xF2\x3C\xF8\x0A\x9F\xD8\x81\xE5\xBB\x5B\xDA\x25\x2C\xA4\xA7\x55\x71\x24\x32\xF6\xC8\x0B\xF2\xBC\x6A\xF8\x93\xAC\xB2\x07\xC2\x5F\x9F\xDB\xCC\xC8\x8A\xAA\xBE\x6A\x6F\xE1\x49\x10\xCC\x31\xD7\x80\xBB\xBB\xC8\xD8\xA2\x0E\x64\x57\xEA\xA2\xF5\xC2\xA9\x31\x15\xD2\x20\x6A\xEC\xFC\x22\x01\x28\xCF\x86\xB8\x80\x1E\xA9\xCC\x11\xA5\x3C\xF2\x16\xB3\x47\x9D\xFC\xD2\x80\x21\xC4\xCB\xD0\x47\x70\x41\xA1\xCA\x83\x19\x08\x2C\x6D\xF
2\x5D\x77\x9C\x8A\x14\x13\xD4\x36\x1C\x92\xF0\xE5\x06\x37\xDC\xA6\xE6\x90\x9B\x38\x8F\x5C\x6B\x1B\x46\x86\x43\x42\x5F\x3E\x01\x07\x53\x54\x5D\x65\x7D\xF7\x8A\x73\xA1\x9A\x54\x5A\x1F\x29\x43\x14\x27\xC2\x85\x0F\xB5\x88\x7B\x1A\x3B\x94\xB7\x1D\x60\xA7\xB5\x9C\xE7\x29\x69\x57\x5A\x9B\x93\x7A\x43\x30\x1B\x03\xD7\x62\xC8\x40\xA6\xAA\xFC\x64\xE4\x4A\xD7\x91\x53\x01\xA8\x20\x88\x6E\x9C\x5F\x44\xB9\xCB\x60\x81\x34\xEC\x6F\xD3\x7D\xDA\x48\x5F\xEB\xB4\x90\xBC\x2D\xA9\x1C\x0B\xAC\x1C\xD5\xA2\x68\x20\x80\x04\xD6\xFC\xB1\x8F\x2F\xBB\x4A\x31\x0D\x4A\x86\x1C\xEB\xE2\x36\x29\x26\xF5\xDA\xD8\xC4\xF2\x75\x61\xCF\x7E\xAE\x76\x63\x4A\x7A\x40\x65\x93\x87\xF8\x1E\x80\x8C\x86\xE5\x86\xD6\x8F\x0E\xFC\x53\x2C\x60\xE8\x16\x61\x1A\xA2\x3E\x43\x7B\xCD\x39\x60\x54\x6A\xF5\xF2\x89\x26\x01\x68\x83\x48\xA2\x33\xE8\xC9\x04\x91\xB2\x11\x34\x11\x3E\xEA\xD0\x43\x19\x1F\x03\x93\x90\x0C\xFF\x51\x3D\x57\xF4\x41\x6E\xE1\xCB\xA0\xBE\xEB\xC9\x63\xCD\x6D\xCC\xE4\xF8\x36\xAA\x68\x9D\xED\xBD\x5D\x97\x70\x44\x0D\xB6\x0E\x35\xDC\xE1\x0C\x5D\xBB\xA0\x51\x94\xCB\x7E\x16\xEB\x11\x2F\xA3\x92\x45\xC8\x4C\x71\xD9\xBC\xC9\x99\x52\x57\x46\x2F\x50\xCF\xBD\x35\x69\xF4\x3D\x15\xCE\x06\xA5\x2C\x0F\x3E\xF6\x81\xBA\x94\xBB\xC3\xBB\xBF\x65\x78\xD2\x86\x79\xFF\x49\x3B\x1A\x83\x0C\xF0\xDE\x78\xEC\xC8\xF2\x4D\x4C\x1A\xDE\x82\x29\xF8\xC1\x5A\xDA\xED\xEE\xE6\x27\x5E\xE8\x45\xD0\x9D\x1C\x51\xA8\x68\xAB\x44\xE3\xD0\x8B\x6A\xE3\xF8\x3B\xBB\xDC\x4D\xD7\x64\xF2\x51\xBE\xE6\xAA\xAB\x5A\xE9\x31\xEE\x06\xBC\x73\xBF\x13\x62\x0A\x9F\xC7\xB9\x97", ["CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE"] = 
"\x30\x82\x03\xC3\x30\x82\x02\xAB\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x2B\x30\x29\x06\x03\x55\x04\x0A\x0C\x22\x54\x2D\x53\x79\x73\x74\x65\x6D\x73\x20\x45\x6E\x74\x65\x72\x70\x72\x69\x73\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x47\x6D\x62\x48\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x0C\x16\x54\x2D\x53\x79\x73\x74\x65\x6D\x73\x20\x54\x72\x75\x73\x74\x20\x43\x65\x6E\x74\x65\x72\x31\x25\x30\x23\x06\x03\x55\x04\x03\x0C\x1C\x54\x2D\x54\x65\x6C\x65\x53\x65\x63\x20\x47\x6C\x6F\x62\x61\x6C\x52\x6F\x6F\x74\x20\x43\x6C\x61\x73\x73\x20\x33\x30\x1E\x17\x0D\x30\x38\x31\x30\x30\x31\x31\x30\x32\x39\x35\x36\x5A\x17\x0D\x33\x33\x31\x30\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x2B\x30\x29\x06\x03\x55\x04\x0A\x0C\x22\x54\x2D\x53\x79\x73\x74\x65\x6D\x73\x20\x45\x6E\x74\x65\x72\x70\x72\x69\x73\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x47\x6D\x62\x48\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x0C\x16\x54\x2D\x53\x79\x73\x74\x65\x6D\x73\x20\x54\x72\x75\x73\x74\x20\x43\x65\x6E\x74\x65\x72\x31\x25\x30\x23\x06\x03\x55\x04\x03\x0C\x1C\x54\x2D\x54\x65\x6C\x65\x53\x65\x63\x20\x47\x6C\x6F\x62\x61\x6C\x52\x6F\x6F\x74\x20\x43\x6C\x61\x73\x73\x20\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBD\x75\x93\xF0\x62\x22\x6F\x24\xAE\xE0\x7A\x76\xAC\x7D\xBD\xD9\x24\xD5\xB8\xB7\xFC\xCD\xF0\x42\xE0\xEB\x78\x88\x56\x5E\x9B\x9A\x54\x1D\x4D\x0C\x8A\xF6\xD3\xCF\x70\xF4\x52\xB5\xD8\x93\x04\xE3\x46\x86\x71\x41\x4A\x2B\xF0\x2A\x2C\x55\x03\xD6\x48\xC3\xE0\x39\x38\xED\xF2\x5C\x3C\x3F\x44\xBC\x93\x3D\x61\xAB\x4E\xCD\x0D\xBE\xF0\x20\x27\x58\x0E\x44\x7F\x04\x1A\x87\xA5\xD7\x96\x14\x36\x90\xD0\x49\x7B\xA1\x75\xFB\x1A\x6B\x73\xB1\xF8\xCE\xA9\x09\x2C\xF2\x53\xD5\xC3\x14\x44\xB8\x86\xA5\xF6\x8B\x2B\x39\xDA\xA3\x33\x54\xD9\xFA\x72\x1A\xF7\x22\x15\x1C\x88\x9
1\x6B\x7F\x66\xE5\xC3\x6A\x80\xB0\x24\xF3\xDF\x86\x45\x88\xFD\x19\x7F\x75\x87\x1F\x1F\xB1\x1B\x0A\x73\x24\x5B\xB9\x65\xE0\x2C\x54\xC8\x60\xD3\x66\x17\x3F\xE1\xCC\x54\x33\x73\x91\x02\x3A\xA6\x7F\x7B\x76\x39\xA2\x1F\x96\xB6\x38\xAE\xB5\xC8\x93\x74\x1D\x9E\xB9\xB4\xE5\x60\x9D\x2F\x56\xD1\xE0\xEB\x5E\x5B\x4C\x12\x70\x0C\x6C\x44\x20\xAB\x11\xD8\xF4\x19\xF6\xD2\x9C\x52\x37\xE7\xFA\xB6\xC2\x31\x3B\x4A\xD4\x14\x99\xAD\xC7\x1A\xF5\x5D\x5F\xFA\x07\xB8\x7C\x0D\x1F\xD6\x83\x1E\xB3\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB5\x03\xF7\x76\x3B\x61\x82\x6A\x12\xAA\x18\x53\xEB\x03\x21\x94\xBF\xFE\xCE\xCA\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x56\x3D\xEF\x94\xD5\xBD\xDA\x73\xB2\x58\xBE\xAE\x90\xAD\x98\x27\x97\xFE\x01\xB1\xB0\x52\x00\xB8\x4D\xE4\x1B\x21\x74\x1B\x7E\xC0\xEE\x5E\x69\x2A\x25\xAF\x5C\xD6\x1D\xDA\xD2\x79\xC9\xF3\x97\x29\xE0\x86\x87\xDE\x04\x59\x0F\xF1\x59\xD4\x64\x85\x4B\x99\xAF\x25\x04\x1E\xC9\x46\xA9\x97\xDE\x82\xB2\x1B\x70\x9F\x9C\xF6\xAF\x71\x31\xDD\x7B\x05\xA5\x2C\xD3\xB9\xCA\x47\xF6\xCA\xF2\xF6\xE7\xAD\xB9\x48\x3F\xBC\x16\xB7\xC1\x6D\xF4\xEA\x09\xAF\xEC\xF3\xB5\xE7\x05\x9E\xA6\x1E\x8A\x53\x51\xD6\x93\x81\xCC\x74\x93\xF6\xB9\xDA\xA6\x25\x05\x74\x79\x5A\x7E\x40\x3E\x82\x4B\x26\x11\x30\x6E\xE1\x3F\x41\xC7\x47\x00\x35\xD5\xF5\xD3\xF7\x54\x3E\x81\x3D\xDA\x49\x6A\x9A\xB3\xEF\x10\x3D\xE6\xEB\x6F\xD1\xC8\x22\x47\xCB\xCC\xCF\x01\x31\x92\xD9\x18\xE3\x22\xBE\x09\x1E\x1A\x3E\x5A\xB2\xE4\x6B\x0C\x54\x7A\x7D\x43\x4E\xB8\x89\xA5\x7B\xD7\xA2\x3D\x96\x86\xCC\xF2\x26\x34\x2D\x6A\x92\x9D\x9A\x1A\xD0\x30\xE2\x5D\x4E\x04\xB0\x5F\x8B\x20\x7E\x77\xC1\x3D\x95\x82\xD1\x46\x9A\x3B\x3C\x78\xB8\x6F\xA1\xD0\x0D\x64\xA2\x78\x1E\x29\x4E\x93\xC3\xA4\x54\x14\x5B", ["emailAddress=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE"] = 
"\x30\x82\x04\x03\x30\x82\x02\xEB\xA0\x03\x02\x01\x02\x02\x10\x54\x80\xF9\xA0\x73\xED\x3F\x00\x4C\xCA\x89\xD8\xE3\x71\xE6\x4A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x45\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x0C\x19\x41\x53\x20\x53\x65\x72\x74\x69\x66\x69\x74\x73\x65\x65\x72\x69\x6D\x69\x73\x6B\x65\x73\x6B\x75\x73\x31\x28\x30\x26\x06\x03\x55\x04\x03\x0C\x1F\x45\x45\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x43\x65\x6E\x74\x72\x65\x20\x52\x6F\x6F\x74\x20\x43\x41\x31\x18\x30\x16\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x09\x70\x6B\x69\x40\x73\x6B\x2E\x65\x65\x30\x22\x18\x0F\x32\x30\x31\x30\x31\x30\x33\x30\x31\x30\x31\x30\x33\x30\x5A\x18\x0F\x32\x30\x33\x30\x31\x32\x31\x37\x32\x33\x35\x39\x35\x39\x5A\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x45\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x0C\x19\x41\x53\x20\x53\x65\x72\x74\x69\x66\x69\x74\x73\x65\x65\x72\x69\x6D\x69\x73\x6B\x65\x73\x6B\x75\x73\x31\x28\x30\x26\x06\x03\x55\x04\x03\x0C\x1F\x45\x45\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x43\x65\x6E\x74\x72\x65\x20\x52\x6F\x6F\x74\x20\x43\x41\x31\x18\x30\x16\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x09\x70\x6B\x69\x40\x73\x6B\x2E\x65\x65\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC8\x20\xC0\xEC\xE0\xC5\x4B\xAB\x07\x78\x95\xF3\x44\xEE\xFB\x0B\x0C\xFF\x74\x8E\x61\xBB\xB1\x62\xEA\x23\xD8\xAB\xA1\x65\x32\x7A\xEB\x8E\x17\x4F\x96\xD8\x0A\x7B\x91\xA2\x63\x6C\xC7\x8C\x4C\x2E\x79\xBF\xA9\x05\xFC\x69\x5C\x95\x8D\x62\xF9\xB9\x70\xED\xC3\x51\x7D\xD0\x93\xE6\x6C\xEB\x30\x4B\xE1\xBC\x7D\xBF\x52\x9B\xCE\x6E\x7B\x65\xF2\x38\xB1\xC0\xA2\x32\xEF\x62\xB2\x68\xE0\x61\x53\xC1\x36\x95\xFF\xEC\x94\xBA\x36\xAE\x9C\x1C\xA7\x32\x0F\xE5\x7C\xB4\xC6\x6F\x74\xFD\x7B\x18\xE8\xAC\x57\xED\x06\x20\x4B\x32\x30\x58\x5B\xFD\xCD\xA8\xE6\xA1\xFC\x70\xBC\x8E\x92\x73\xDB\x97\xA7\x7C\x21\xAE\x3
D\xC1\xF5\x48\x87\x6C\x27\xBD\x9F\x25\x74\x81\x55\xB0\xF7\x75\xF6\x3D\xA4\x64\x6B\xD6\x4F\xE7\xCE\x40\xAD\x0F\xDD\x32\xD3\xBC\x8A\x12\x53\x98\xC9\x89\xFB\x10\x1D\x4D\x7E\xCD\x7E\x1F\x56\x0D\x21\x70\x85\xF6\x20\x83\x1F\xF6\xBA\x1F\x04\x8F\xEA\x77\x88\x35\xC4\xFF\xEA\x4E\xA1\x8B\x4D\x3F\x63\x1B\x44\xC3\x44\xD4\x25\x76\xCA\xB7\x8D\xD7\x1E\x4A\x66\x64\xCD\x5C\xC5\x9C\x83\xE1\xC2\x08\x88\x9A\xEC\x4E\xA3\xF1\x3E\x1C\x2C\xD9\x6C\x1D\xA1\x4B\x02\x03\x01\x00\x01\xA3\x81\x8A\x30\x81\x87\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x12\xF2\x5A\x3E\xEA\x56\x1C\xBF\xCD\x06\xAC\xF1\xF1\x25\xC9\xA9\x4B\xD4\x14\x99\x30\x45\x06\x03\x55\x1D\x25\x04\x3E\x30\x3C\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x02\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x01\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x03\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x04\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x08\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x09\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x7B\xF6\xE4\xC0\x0D\xAA\x19\x47\xB7\x4D\x57\xA3\xFE\xAD\xBB\xB1\x6A\xD5\x0F\x9E\xDB\xE4\x63\xC5\x8E\xA1\x50\x56\x93\x96\xB8\x38\xC0\x24\x22\x66\xBC\x53\x14\x61\x95\xBF\xD0\xC7\x2A\x96\x39\x3F\x7D\x28\xB3\x10\x40\x21\x6A\xC4\xAF\xB0\x52\x77\x18\xE1\x96\xD8\x56\x5D\xE3\xDD\x36\x5E\x1D\xA7\x50\x54\xA0\xC5\x2A\xE4\xAA\x8C\x94\x8A\x4F\x9D\x35\xFF\x76\xA4\x06\x13\x91\xA2\xA2\x7D\x00\x44\x3F\x55\xD3\x82\x3C\x1A\xD5\x5B\xBC\x56\x4C\x22\x2E\x46\x43\x8A\x24\x40\x2D\xF3\x12\xB8\x3B\x70\x1A\xA4\x96\xB9\x1A\xAF\x87\x41\x1A\x6A\x18\x0D\x06\x4F\xC7\x3E\x6E\xB9\x29\x4D\x0D\x49\x89\x11\x87\x32\x5B\xE6\x4B\x04\xC8\xE4\x5C\xE6\x74\x73\x94\x5D\x16\x98\x13\x95\xFE\xFB\xDB\xB1\x44\xE5\x3A\x70\xAC\x37\x6B\xE6\xB3\x33\x72\x28\xC9\xB3\x57\xA0\xF6\x02\x16\x88\x06\x0B\xB6\xA6\x4B\x20\x28\xD4\xDE\x3D\x8B\xAD\x37\x05\x53\x74\xFE\x6E\xCC\xBC\x43\x17\x71\x5E\xF9\xC5\xCC\x1A\xA9\x61\xEE\xF7\x76\x0C\xF3\x72\xF4\x72\xA
D\xCF\x72\x02\x36\x07\x47\xCF\xEF\x19\x50\x89\x60\xCC\xE9\x24\x95\x0F\xC2\xCB\x1D\xF2\x6F\x76\x90\xC7\xCC\x75\xC1\x96\xC5\x9D", - ["O=T\C3\9CRKTRUST Bilgi \C4\B0leti\C5\9Fim ve Bili\C5\9Fim G\C3\BCvenli\C4\9Fi Hizmetleri A.\C5\9E. (c) Aral\C4\B1k 2007,L=Ankara,C=TR,CN=T\C3\9CRKTRUST Elektronik Sertifika Hizmet Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1"] = "\x30\x82\x04\x3D\x30\x82\x03\x25\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xBF\x31\x3F\x30\x3D\x06\x03\x55\x04\x03\x0C\x36\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x6E\x6B\x61\x72\x61\x31\x5E\x30\x5C\x06\x03\x55\x04\x0A\x0C\x55\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x42\x69\x6C\x67\x69\x20\xC4\xB0\x6C\x65\x74\x69\xC5\x9F\x69\x6D\x20\x76\x65\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x47\xC3\xBC\x76\x65\x6E\x6C\x69\xC4\x9F\x69\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x20\x28\x63\x29\x20\x41\x72\x61\x6C\xC4\xB1\x6B\x20\x32\x30\x30\x37\x30\x1E\x17\x0D\x30\x37\x31\x32\x32\x35\x31\x38\x33\x37\x31\x39\x5A\x17\x0D\x31\x37\x31\x32\x32\x32\x31\x38\x33\x37\x31\x39\x5A\x30\x81\xBF\x31\x3F\x30\x3D\x06\x03\x55\x04\x03\x0C\x36\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x6E\x6B\x61\x72\x61\x31\x5E\x30\x5C\x06\x03\x55\x04\x0A\x0C\x55\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x42\x69\x6C\x67\x69\x20\xC4\xB0\x6C\x65\x74\x69\xC5\x9F\x69\x6D\x20\x76\x65\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x47\xC3\xBC\x76\x65\x6E\x6
C\x69\xC4\x9F\x69\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x20\x28\x63\x29\x20\x41\x72\x61\x6C\xC4\xB1\x6B\x20\x32\x30\x30\x37\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAB\xB7\x3E\x0A\x8C\xC8\xA5\x58\x15\xE6\x8A\xEF\x27\x3D\x4A\xB4\xE8\x25\xD3\xCD\x33\xC2\x20\xDC\x19\xEE\x88\x3F\x4D\x62\xF0\xDD\x13\x77\x8F\x61\xA9\x2A\xB5\xD4\xF2\xB9\x31\x58\x29\x3B\x2F\x3F\x6A\x9C\x6F\x73\x76\x25\xEE\x34\x20\x80\xEE\xEA\xB7\xF0\xC4\x0A\xCD\x2B\x86\x94\xC9\xE3\x60\xB1\x44\x52\xB2\x5A\x29\xB4\x91\x97\x83\xD8\xB7\xA6\x14\x2F\x29\x49\xA2\xF3\x05\x06\xFB\xB4\x4F\xDA\xA1\x6C\x9A\x66\x9F\xF0\x43\x09\xCA\xEA\x72\x8F\xEB\x00\xD7\x35\x39\xD7\x56\x17\x47\x17\x30\xF4\xBE\xBF\x3F\xC2\x68\xAF\x36\x40\xC1\xA9\xF4\xA9\xA7\xE8\x10\x6B\x08\x8A\xF7\x86\x1E\xDC\x9A\x2A\x15\x06\xF6\xA3\xF0\xF4\xE0\xC7\x14\xD4\x51\x7F\xCF\xB4\xDB\x6D\xAF\x47\x96\x17\x9B\x77\x71\xD8\xA7\x71\x9D\x24\x0C\xF6\x94\x3F\x85\x31\x12\x4F\xBA\xEE\x4E\x82\xB8\xB9\x3E\x8F\x23\x37\x5E\xCC\xA2\xAA\x75\xF7\x18\x6F\x09\xD3\xAE\xA7\x54\x28\x34\xFB\xE1\xE0\x3B\x60\x7D\xA0\xBE\x79\x89\x86\xC8\x9F\x2D\xF9\x0A\x4B\xC4\x50\xA2\xE7\xFD\x79\x16\xC7\x7A\x0B\x18\xCF\xCE\x4C\xEF\x7D\xD6\x07\x6F\x98\xF1\xAF\xB1\xC1\x7A\xD7\x81\x35\xB8\xAA\x17\xB4\xE0\xCB\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x29\xC5\x90\xAB\x25\xAF\x11\xE4\x61\xBF\xA3\xFF\x88\x61\x91\xE6\x0E\xFE\x9C\x81\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x10\x0D\xDA\xF8\x3A\xEC\x28\xD1\x14\x95\x82\xB1\x12\x2C\x51\x7A\x41\x25\x36\x4C\x9F\xEC\x3F\x1F\x84\x9D\x65\x54\x5C\xA8\x16\x02\x40\xFA\x6E\x1A\x37\x84\xEF\x72\x9D\x86\x0A\x55\x9D\x56\x28\xAC\x66\x2C\xD0\x3A\x56\x93\x34\x07\x25\xAD\x08\xB0\x8F\xC8\x0F\x09\x59\xCA\x9D\x98\x1C\xE5\x54\xF8\xB9\x45\x7F\x6A\x97\x6F\x88\x6
8\x4D\x4A\x06\x26\x37\x88\x02\x0E\xB6\xC6\xD6\x72\x99\xCE\x6B\x77\xDA\x62\x31\xA4\x56\x1F\xAE\x5F\x8D\x77\xDA\x5D\xF6\x88\xFC\x1A\xD9\x9E\xB5\x81\xF0\x32\xB8\xE3\x88\xD0\x9C\xF3\x6A\xA0\xB9\x9B\x14\x59\x35\x36\x4F\xCF\xF3\x8E\x5E\x5D\x17\xAD\x15\x95\xD8\xDD\xB2\xD5\x15\x6E\x00\x4E\xB3\x4B\xCF\x66\x94\xE4\xE0\xCD\xB5\x05\xDA\x63\x57\x8B\xE5\xB3\xAA\xDB\xC0\x2E\x1C\x90\x44\xDB\x1A\x5D\x18\xA4\xEE\xBE\x04\x5B\x99\xD5\x71\x5F\x55\x65\x64\x62\xD5\xA2\x9B\x04\x59\x86\xC8\x62\x77\xE7\x7C\x82\x45\x6A\x3D\x17\xBF\xEC\x9D\x75\x0C\xAE\xA3\x6F\x5A\xD3\x2F\x98\x36\xF4\xF0\xF5\x19\xAB\x11\x5D\xC8\xA6\xE3\x2A\x58\x6A\x42\x09\xC3\xBD\x92\x26\x66\x32\x0D\x5D\x08\x55\x74\xFF\x8C\x98\xD0\x0A\xA6\x84\x6A\xD1\x39\x7D", ["CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE"] = "\x30\x82\x04\x33\x30\x82\x03\x1B\xA0\x03\x02\x01\x02\x02\x03\x09\x83\xF3\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x4D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x0C\x0C\x44\x2D\x54\x72\x75\x73\x74\x20\x47\x6D\x62\x48\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x44\x2D\x54\x52\x55\x53\x54\x20\x52\x6F\x6F\x74\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x43\x41\x20\x32\x20\x32\x30\x30\x39\x30\x1E\x17\x0D\x30\x39\x31\x31\x30\x35\x30\x38\x33\x35\x35\x38\x5A\x17\x0D\x32\x39\x31\x31\x30\x35\x30\x38\x33\x35\x35\x38\x5A\x30\x4D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x0C\x0C\x44\x2D\x54\x72\x75\x73\x74\x20\x47\x6D\x62\x48\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x44\x2D\x54\x52\x55\x53\x54\x20\x52\x6F\x6F\x74\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x43\x41\x20\x32\x20\x32\x30\x30\x39\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD3\xB2\x4A\xCF\x7A\x47\xEF\x75\x9B\x23\xFA\x3A\x2F\xD6\x50\x45\x89\x35\x3A\xC6\x6B\xDB\xFE\xDB\x00\x68\xA8\xE0\x03\x11\x1D\x37\x50\x08\x9F\x4D\x4A\x68\x94\x35\xB3\x53\xD1\x94\x63\xA7\x20\x56\xAF\xDE\x51\x7
8\xEC\x2A\x3D\xF3\x48\x48\x50\x3E\x0A\xDF\x46\x55\x8B\x27\x6D\xC3\x10\x4D\x0D\x91\x52\x43\xD8\x87\xE0\x5D\x4E\x36\xB5\x21\xCA\x5F\x39\x40\x04\x5F\x5B\x7E\xCC\xA3\xC6\x2B\xA9\x40\x1E\xD9\x36\x84\xD6\x48\xF3\x92\x1E\x34\x46\x20\x24\xC1\xA4\x51\x8E\x4A\x1A\xEF\x50\x3F\x69\x5D\x19\x7F\x45\xC3\xC7\x01\x8F\x51\xC9\x23\xE8\x72\xAE\xB4\xBC\x56\x09\x7F\x12\xCB\x1C\xB1\xAF\x29\x90\x0A\xC9\x55\xCC\x0F\xD3\xB4\x1A\xED\x47\x35\x5A\x4A\xED\x9C\x73\x04\x21\xD0\xAA\xBD\x0C\x13\xB5\x00\xCA\x26\x6C\xC4\x6B\x0C\x94\x5A\x95\x94\xDA\x50\x9A\xF1\xFF\xA5\x2B\x66\x31\xA4\xC9\x38\xA0\xDF\x1D\x1F\xB8\x09\x2E\xF3\xA7\xE8\x67\x52\xAB\x95\x1F\xE0\x46\x3E\xD8\xA4\xC3\xCA\x5A\xC5\x31\x80\xE8\x48\x9A\x9F\x94\x69\xFE\x19\xDD\xD8\x73\x7C\x81\xCA\x96\xDE\x8E\xED\xB3\x32\x05\x65\x84\x34\xE6\xE6\xFD\x57\x10\xB5\x5F\x76\xBF\x2F\xB0\x10\x0D\xC5\x02\x03\x01\x00\x01\xA3\x82\x01\x1A\x30\x82\x01\x16\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xFD\xDA\x14\xC4\x9F\x30\xDE\x21\xBD\x1E\x42\x39\xFC\xAB\x63\x23\x49\xE0\xF1\x84\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x81\xD3\x06\x03\x55\x1D\x1F\x04\x81\xCB\x30\x81\xC8\x30\x81\x80\xA0\x7E\xA0\x7C\x86\x7A\x6C\x64\x61\x70\x3A\x2F\x2F\x64\x69\x72\x65\x63\x74\x6F\x72\x79\x2E\x64\x2D\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x4E\x3D\x44\x2D\x54\x52\x55\x53\x54\x25\x32\x30\x52\x6F\x6F\x74\x25\x32\x30\x43\x6C\x61\x73\x73\x25\x32\x30\x33\x25\x32\x30\x43\x41\x25\x32\x30\x32\x25\x32\x30\x32\x30\x30\x39\x2C\x4F\x3D\x44\x2D\x54\x72\x75\x73\x74\x25\x32\x30\x47\x6D\x62\x48\x2C\x43\x3D\x44\x45\x3F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x72\x65\x76\x6F\x63\x61\x74\x69\x6F\x6E\x6C\x69\x73\x74\x30\x43\xA0\x41\xA0\x3F\x86\x3D\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x64\x2D\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x63\x72\x6C\x2F\x64\x2D\x74\x72\x75\x73\x74\x5F\x72\x6F\x6F\x74\x5F\x63\x6C\x61\x73\x73\x5F\x33\x5F\x63\x61\x5F\x32\x5F\x32\x30\x30\x39\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2
A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x7F\x97\xDB\x30\xC8\xDF\xA4\x9C\x7D\x21\x7A\x80\x70\xCE\x14\x12\x69\x88\x14\x95\x60\x44\x01\xAC\xB2\xE9\x30\x4F\x9B\x50\xC2\x66\xD8\x7E\x8D\x30\xB5\x70\x31\xE9\xE2\x69\xC7\xF3\x70\xDB\x20\x15\x86\xD0\x0D\xF0\xBE\xAC\x01\x75\x84\xCE\x7E\x9F\x4D\xBF\xB7\x60\x3B\x9C\xF3\xCA\x1D\xE2\x5E\x68\xD8\xA3\x9D\x97\xE5\x40\x60\xD2\x36\x21\xFE\xD0\xB4\xB8\x17\xDA\x74\xA3\x7F\xD4\xDF\xB0\x98\x02\xAC\x6F\x6B\x6B\x2C\x25\x24\x72\xA1\x65\xEE\x25\x5A\xE5\xE6\x32\xE7\xF2\xDF\xAB\x49\xFA\xF3\x90\x69\x23\xDB\x04\xD9\xE7\x5C\x58\xFC\x65\xD4\x97\xBE\xCC\xFC\x2E\x0A\xCC\x25\x2A\x35\x04\xF8\x60\x91\x15\x75\x3D\x41\xFF\x23\x1F\x19\xC8\x6C\xEB\x82\x53\x04\xA6\xE4\x4C\x22\x4D\x8D\x8C\xBA\xCE\x5B\x73\xEC\x64\x54\x50\x6D\xD1\x9C\x55\xFB\x69\xC3\x36\xC3\x8C\xBC\x3C\x85\xA6\x6B\x0A\x26\x0D\xE0\x93\x98\x60\xAE\x7E\xC6\x24\x97\x8A\x61\x5F\x91\x8E\x66\x92\x09\x87\x36\xCD\x8B\x9B\x2D\x3E\xF6\x51\xD4\x50\xD4\x59\x28\xBD\x83\xF2\xCC\x28\x7B\x53\x86\x6D\xD8\x26\x88\x70\xD7\xEA\x91\xCD\x3E\xB9\xCA\xC0\x90\x6E\x5A\xC6\x5E\x74\x65\xD7\x5C\xFE\xA3\xE2", ["CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE"] = 
"\x30\x82\x04\x43\x30\x82\x03\x2B\xA0\x03\x02\x01\x02\x02\x03\x09\x83\xF4\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x50\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x0C\x0C\x44\x2D\x54\x72\x75\x73\x74\x20\x47\x6D\x62\x48\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x0C\x21\x44\x2D\x54\x52\x55\x53\x54\x20\x52\x6F\x6F\x74\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x43\x41\x20\x32\x20\x45\x56\x20\x32\x30\x30\x39\x30\x1E\x17\x0D\x30\x39\x31\x31\x30\x35\x30\x38\x35\x30\x34\x36\x5A\x17\x0D\x32\x39\x31\x31\x30\x35\x30\x38\x35\x30\x34\x36\x5A\x30\x50\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x0C\x0C\x44\x2D\x54\x72\x75\x73\x74\x20\x47\x6D\x62\x48\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x0C\x21\x44\x2D\x54\x52\x55\x53\x54\x20\x52\x6F\x6F\x74\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x43\x41\x20\x32\x20\x45\x56\x20\x32\x30\x30\x39\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x99\xF1\x84\x34\x70\xBA\x2F\xB7\x30\xA0\x8E\xBD\x7C\x04\xCF\xBE\x62\xBC\x99\xFD\x82\x97\xD2\x7A\x0A\x67\x96\x38\x09\xF6\x10\x4E\x95\x22\x73\x99\x8D\xDA\x15\x2D\xE7\x05\xFC\x19\x73\x22\xB7\x8E\x98\x00\xBC\x3C\x3D\xAC\xA1\x6C\xFB\xD6\x79\x25\x4B\xAD\xF0\xCC\x64\xDA\x88\x3E\x29\xB8\x0F\x09\xD3\x34\xDD\x33\xF5\x62\xD1\xE1\xCD\x19\xE9\xEE\x18\x4F\x4C\x58\xAE\xE2\x1E\xD6\x0C\x5B\x15\x5A\xD8\x3A\xB8\xC4\x18\x64\x1E\xE3\x33\xB2\xB5\x89\x77\x4E\x0C\xBF\xD9\x94\x6B\x13\x97\x6F\x12\xA3\xFE\x99\xA9\x04\xCC\x15\xEC\x60\x68\x36\xED\x08\x7B\xB7\xF5\xBF\x93\xED\x66\x31\x83\x8C\xC6\x71\x34\x87\x4E\x17\xEA\xAF\x8B\x91\x8D\x1C\x56\x41\xAE\x22\x37\x5E\x37\xF2\x1D\xD9\xD1\x2D\x0D\x2F\x69\x51\xA7\xBE\x66\xA6\x8A\x3A\x2A\xBD\xC7\x1A\xB1\xE1\x14\xF0\xBE\x3A\x1D\xB9\xCF\x5B\xB1\x6A\xFE\xB4\xB1\x46\x20\xA2\xFB\x1E\x3B\x70\xEF\x93\x98\x7D\x8C\x73\x96\xF2\xC5\xEF\x85\x70\xAD\x29\x26\xFC\x1E\x04\x3E\x1C\xA0\xD8\x0F\xCB\x52\x83\x62\x7C\xEE\x8B\x53\x95\x90\xA9\x57\xA
2\xEA\x61\x05\xD8\xF9\x4D\xC4\x27\xFA\x6E\xAD\xED\xF9\xD7\x51\xF7\x6B\xA5\x02\x03\x01\x00\x01\xA3\x82\x01\x24\x30\x82\x01\x20\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xD3\x94\x8A\x4C\x62\x13\x2A\x19\x2E\xCC\xAF\x72\x8A\x7D\x36\xD7\x9A\x1C\xDC\x67\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x81\xDD\x06\x03\x55\x1D\x1F\x04\x81\xD5\x30\x81\xD2\x30\x81\x87\xA0\x81\x84\xA0\x81\x81\x86\x7F\x6C\x64\x61\x70\x3A\x2F\x2F\x64\x69\x72\x65\x63\x74\x6F\x72\x79\x2E\x64\x2D\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x4E\x3D\x44\x2D\x54\x52\x55\x53\x54\x25\x32\x30\x52\x6F\x6F\x74\x25\x32\x30\x43\x6C\x61\x73\x73\x25\x32\x30\x33\x25\x32\x30\x43\x41\x25\x32\x30\x32\x25\x32\x30\x45\x56\x25\x32\x30\x32\x30\x30\x39\x2C\x4F\x3D\x44\x2D\x54\x72\x75\x73\x74\x25\x32\x30\x47\x6D\x62\x48\x2C\x43\x3D\x44\x45\x3F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x72\x65\x76\x6F\x63\x61\x74\x69\x6F\x6E\x6C\x69\x73\x74\x30\x46\xA0\x44\xA0\x42\x86\x40\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x64\x2D\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x63\x72\x6C\x2F\x64\x2D\x74\x72\x75\x73\x74\x5F\x72\x6F\x6F\x74\x5F\x63\x6C\x61\x73\x73\x5F\x33\x5F\x63\x61\x5F\x32\x5F\x65\x76\x5F\x32\x30\x30\x39\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x34\xED\x7B\x5A\x3C\xA4\x94\x88\xEF\x1A\x11\x75\x07\x2F\xB3\xFE\x3C\xFA\x1E\x51\x26\xEB\x87\xF6\x29\xDE\xE0\xF1\xD4\xC6\x24\x09\xE9\xC1\xCF\x55\x1B\xB4\x30\xD9\xCE\x1A\xFE\x06\x51\xA6\x15\xA4\x2D\xEF\xB2\x4B\xBF\x20\x28\x25\x49\xD1\xA6\x36\x77\x34\xE8\x64\xDF\x52\xB1\x11\xC7\x73\x7A\xCD\x39\x9E\xC2\xAD\x8C\x71\x21\xF2\x5A\x6B\xAF\xDF\x3C\x4E\x55\xAF\xB2\x84\x65\x14\x89\xB9\x77\xCB\x2A\x31\xBE\xCF\xA3\x6D\xCF\x6F\x48\x94\x32\x46\x6F\xE7\x71\x8C\xA0\xA6\x84\x19\x37\x07\xF2\x03\x45\x09\x2B\x86\x75\x7C\xDF\x5F\x69\x57\x00\xDB\x6E\xD8\xA6\x72\x22\x4B\x50\xD4\x75\x98\x56\xDF\xB7\x18\xFF\x43\x43\x50\xAE\x7A\x44\x7B\xF0\x79\x51\xD7\x43\x3D\xA
7\xD3\x81\xD3\xF0\xC9\x4F\xB9\xDA\xC6\x97\x86\xD0\x82\xC3\xE4\x42\x6D\xFE\xB0\xE2\x64\x4E\x0E\x26\xE7\x40\x34\x26\xB5\x08\x89\xD7\x08\x63\x63\x38\x27\x75\x1E\x33\xEA\x6E\xA8\xDD\x9F\x99\x4F\x74\x4D\x81\x89\x80\x4B\xDD\x9A\x97\x29\x5C\x2F\xBE\x81\x41\xB9\x8C\xFF\xEA\x7D\x60\x06\x9E\xCD\xD7\x3D\xD3\x2E\xA3\x15\xBC\xA8\xE6\x26\xE5\x6F\xC3\xDC\xB8\x03\x21\xEA\x9F\x16\xF1\x2C\x54\xB5", - ["CN=PSCProcert,C=VE,O=Sistema Nacional de Certificacion Electronica,OU=Proveedor de Certificados PROCERT,ST=Miranda,L=Chacao,emailAddress=contacto@procert.net.ve"] = "\x30\x82\x09\x86\x30\x82\x07\x6E\xA0\x03\x02\x01\x02\x02\x01\x0B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x82\x01\x1E\x31\x3E\x30\x3C\x06\x03\x55\x04\x03\x13\x35\x41\x75\x74\x6F\x72\x69\x64\x61\x64\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x52\x61\x69\x7A\x20\x64\x65\x6C\x20\x45\x73\x74\x61\x64\x6F\x20\x56\x65\x6E\x65\x7A\x6F\x6C\x61\x6E\x6F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x56\x45\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x43\x61\x72\x61\x63\x61\x73\x31\x19\x30\x17\x06\x03\x55\x04\x08\x13\x10\x44\x69\x73\x74\x72\x69\x74\x6F\x20\x43\x61\x70\x69\x74\x61\x6C\x31\x36\x30\x34\x06\x03\x55\x04\x0A\x13\x2D\x53\x69\x73\x74\x65\x6D\x61\x20\x4E\x61\x63\x69\x6F\x6E\x61\x6C\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x45\x6C\x65\x63\x74\x72\x6F\x6E\x69\x63\x61\x31\x43\x30\x41\x06\x03\x55\x04\x0B\x13\x3A\x53\x75\x70\x65\x72\x69\x6E\x74\x65\x6E\x64\x65\x6E\x63\x69\x61\x20\x64\x65\x20\x53\x65\x72\x76\x69\x63\x69\x6F\x73\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x45\x6C\x65\x63\x74\x72\x6F\x6E\x69\x63\x61\x31\x25\x30\x23\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x16\x61\x63\x72\x61\x69\x7A\x40\x73\x75\x73\x63\x65\x72\x74\x65\x2E\x67\x6F\x62\x2E\x76\x65\x30\x1E\x17\x0D\x31\x30\x31\x32\x32\x38\x31\x36\x35\x31\x30\x30\x5A\x17\x0D\x32\x30\x31\x32\x32\x35\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xD1\x31\x26\x30\x24\x06\x
09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x17\x63\x6F\x6E\x74\x61\x63\x74\x6F\x40\x70\x72\x6F\x63\x65\x72\x74\x2E\x6E\x65\x74\x2E\x76\x65\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x13\x06\x43\x68\x61\x63\x61\x6F\x31\x10\x30\x0E\x06\x03\x55\x04\x08\x13\x07\x4D\x69\x72\x61\x6E\x64\x61\x31\x2A\x30\x28\x06\x03\x55\x04\x0B\x13\x21\x50\x72\x6F\x76\x65\x65\x64\x6F\x72\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x64\x6F\x73\x20\x50\x52\x4F\x43\x45\x52\x54\x31\x36\x30\x34\x06\x03\x55\x04\x0A\x13\x2D\x53\x69\x73\x74\x65\x6D\x61\x20\x4E\x61\x63\x69\x6F\x6E\x61\x6C\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x45\x6C\x65\x63\x74\x72\x6F\x6E\x69\x63\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x56\x45\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x50\x53\x43\x50\x72\x6F\x63\x65\x72\x74\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD5\xB7\xF4\xA3\x94\x33\xA1\x46\xA9\x55\x61\x49\x0D\xA8\x87\x73\x5E\x91\x2D\x70\xC1\x06\x1A\x94\xDA\x3D\xEC\x15\x42\xC1\xF5\x8C\xAE\x6A\x17\xF1\x8A\xAD\xFC\x80\x95\xEA\x83\x44\xA2\x5B\x7A\x55\xCE\x4F\xA7\xA5\xD5\xBA\xB8\x1F\xA0\x27\xC0\x50\x53\x3E\x8D\xB9\xC0\x0E\xB8\x15\xDC\xD6\x6C\xF8\x9E\xF8\x04\x25\xDF\x80\x8F\x10\x85\xDD\x7D\x2F\x7B\x80\xDD\x57\x00\x64\x23\xF8\x6E\xC9\xBE\x95\x4F\xE1\x75\xEC\xE0\x7E\x5E\x95\xCD\xB1\xEF\xBE\x7A\x42\xD8\xC9\x2C\xD3\xEB\x1A\x1A\x22\x8B\xB7\x7F\x06\x89\xE5\x3C\xF5\x12\xC0\xBB\xD3\x0B\x99\x5F\x90\x7C\x8E\x2D\x2F\x77\x33\x92\x4A\x21\x46\xA8\xA9\x08\xAC\xF1\xF6\x11\x02\xD9\x95\x16\x9E\x8D\x2F\x96\xE6\x02\xDD\x75\xC2\x14\x2A\x5A\xD6\xC9\x7D\x25\xC2\xC1\xFC\xAA\x67\x85\xE2\xEC\xBE\xD1\x7C\x3C\xFA\xAF\xD5\x6E\xFF\x53\x41\xD4\xF5\x32\x38\xB1\xE2\x5F\xC4\xF9\x8E\x10\xEF\x06\xA9\x02\x89\xFF\xE3\x0C\x6E\x97\xE0\xDF\x9D\xDB\x21\xD0\xF4\x3E\x08\x69\x6C\xD8\xD4\xE4\x36\xF8\x83\xB6\xB2\x36\x8F\x9C\xEF\x3A\x37\x16\x7D\xBF\xA2\x69\xD7\x3B\x5B\x72\xD0\xAF\xAA\x3F\x5C\x66\x93\xAC\x0A\x22\x61\xB6\xD2\xA0\x99\xC8\x54\x93\x
5D\xA8\xB6\xD1\xBD\x5D\x0A\x5E\x77\x94\xA2\x2D\xC0\x82\x8E\xBC\xCA\x03\x2A\x34\xAE\x73\xF1\xD4\xB5\x0C\xBD\xBE\x67\x9B\x54\xEB\xE1\xFA\xA0\x5A\xEC\x38\x7E\x3E\xC1\xCC\xA2\xC7\x44\x31\x75\xEA\x3F\xE5\x07\xD2\xAB\xA1\x25\x96\xF6\xE6\xE4\xA0\x5D\x37\x18\x39\x61\x00\x33\x5D\x46\xD4\x00\xC4\xB4\xCA\x3C\xF1\xA2\xA3\x3E\xF3\x3A\xFF\x69\x30\x2E\x40\xDD\xF6\x9F\x9C\x26\xC9\x96\x37\xAD\xE7\x39\xA2\xBF\xEA\x69\xDB\x55\x22\x95\x53\x2A\x94\xB5\xDF\xAD\x16\x38\x81\x75\x66\xE3\xC7\x2C\x1B\x93\x9C\xAA\x8C\xA3\xCA\xD9\x6C\x3C\x17\x6D\x9C\xDC\x7C\x53\xE0\x20\x27\x43\x36\xF9\x12\xE1\x3C\x5C\xBD\x66\xBF\xA2\x69\x23\x38\xB8\x99\x60\x99\x0E\x56\x53\x3A\x9C\x7E\x14\x8C\xB0\x06\x6F\xF1\x86\x76\x90\xAF\xFD\xAF\xFE\x90\xC6\x8F\x9F\x7F\x8B\x92\x23\x9C\xE7\x15\x76\x8F\xD5\x8B\x94\x13\x72\x69\xFB\x2B\x61\x63\x88\xEF\xE6\xA4\x5E\xE6\xA3\x17\x6A\x58\x47\xCB\x71\x4F\x14\x0B\x5E\xC8\x02\x08\x26\xA2\xCB\xE9\xAF\x6B\x8A\x19\xC7\xCB\x14\x56\xF5\xE1\xDA\xB5\xD9\xFC\xBF\x73\x38\xDA\xF9\xE7\xAF\x6E\xA4\x37\xE2\x07\x27\x02\x03\x01\x00\x01\xA3\x82\x03\x17\x30\x82\x03\x13\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x01\x30\x37\x06\x03\x55\x1D\x12\x04\x30\x30\x2E\x82\x0F\x73\x75\x73\x63\x65\x72\x74\x65\x2E\x67\x6F\x62\x2E\x76\x65\xA0\x1B\x06\x05\x60\x86\x5E\x02\x02\xA0\x12\x0C\x10\x52\x49\x46\x2D\x47\x2D\x32\x30\x30\x30\x34\x30\x33\x36\x2D\x30\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x41\x0F\x19\x38\xAA\x99\x7F\x42\x0B\xA4\xD7\x27\x98\x54\xA2\x17\x4C\x2D\x51\x54\x30\x82\x01\x50\x06\x03\x55\x1D\x23\x04\x82\x01\x47\x30\x82\x01\x43\x80\x14\xAD\xBB\x22\x1D\xC6\xE0\xD2\x01\xA8\xFD\x76\x50\x52\x93\xED\x98\xC1\x4D\xAE\xD3\xA1\x82\x01\x26\xA4\x82\x01\x22\x30\x82\x01\x1E\x31\x3E\x30\x3C\x06\x03\x55\x04\x03\x13\x35\x41\x75\x74\x6F\x72\x69\x64\x61\x64\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x52\x61\x69\x7A\x20\x64\x65\x6C\x20\x45\x73\x74\x61\x64\x6F\x20\x56\x65\x6E\x65\x7A\x6F\x6C\x61\x6E\x6F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x56\x45\x31\x10\x
30\x0E\x06\x03\x55\x04\x07\x13\x07\x43\x61\x72\x61\x63\x61\x73\x31\x19\x30\x17\x06\x03\x55\x04\x08\x13\x10\x44\x69\x73\x74\x72\x69\x74\x6F\x20\x43\x61\x70\x69\x74\x61\x6C\x31\x36\x30\x34\x06\x03\x55\x04\x0A\x13\x2D\x53\x69\x73\x74\x65\x6D\x61\x20\x4E\x61\x63\x69\x6F\x6E\x61\x6C\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x45\x6C\x65\x63\x74\x72\x6F\x6E\x69\x63\x61\x31\x43\x30\x41\x06\x03\x55\x04\x0B\x13\x3A\x53\x75\x70\x65\x72\x69\x6E\x74\x65\x6E\x64\x65\x6E\x63\x69\x61\x20\x64\x65\x20\x53\x65\x72\x76\x69\x63\x69\x6F\x73\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x45\x6C\x65\x63\x74\x72\x6F\x6E\x69\x63\x61\x31\x25\x30\x23\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x16\x61\x63\x72\x61\x69\x7A\x40\x73\x75\x73\x63\x65\x72\x74\x65\x2E\x67\x6F\x62\x2E\x76\x65\x82\x01\x0A\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x4D\x06\x03\x55\x1D\x11\x04\x46\x30\x44\x82\x0E\x70\x72\x6F\x63\x65\x72\x74\x2E\x6E\x65\x74\x2E\x76\x65\xA0\x15\x06\x05\x60\x86\x5E\x02\x01\xA0\x0C\x0C\x0A\x50\x53\x43\x2D\x30\x30\x30\x30\x30\x32\xA0\x1B\x06\x05\x60\x86\x5E\x02\x02\xA0\x12\x0C\x10\x52\x49\x46\x2D\x4A\x2D\x33\x31\x36\x33\x35\x33\x37\x33\x2D\x37\x30\x76\x06\x03\x55\x1D\x1F\x04\x6F\x30\x6D\x30\x46\xA0\x44\xA0\x42\x86\x40\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x75\x73\x63\x65\x72\x74\x65\x2E\x67\x6F\x62\x2E\x76\x65\x2F\x6C\x63\x72\x2F\x43\x45\x52\x54\x49\x46\x49\x43\x41\x44\x4F\x2D\x52\x41\x49\x5A\x2D\x53\x48\x41\x33\x38\x34\x43\x52\x4C\x44\x45\x52\x2E\x63\x72\x6C\x30\x23\xA0\x21\xA0\x1F\x86\x1D\x6C\x64\x61\x70\x3A\x2F\x2F\x61\x63\x72\x61\x69\x7A\x2E\x73\x75\x73\x63\x65\x72\x74\x65\x2E\x67\x6F\x62\x2E\x76\x65\x30\x37\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01\x04\x2B\x30\x29\x30\x27\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01\x86\x1B\x68\x74\x74\x70\x3A\x2F\x2F\x6F\x63\x73\x70\x2E\x73\x75\x73\x63\x65\x72\x74\x65\x2E\x67\x6F\x62\x2E\x76\x65\x30\x41\x06\x03\x55\x1D\x20\x04\x3A\x30\x38\x30\x36\x06\x06\x60\x86\x5E\x
03\x01\x02\x30\x2C\x30\x2A\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x1E\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x75\x73\x63\x65\x72\x74\x65\x2E\x67\x6F\x62\x2E\x76\x65\x2F\x64\x70\x63\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x2B\x59\xEB\x22\x99\xBB\x84\xAA\x4F\xDE\x90\xC6\xD1\x86\x71\x23\x9E\x4B\x03\x91\x47\x70\xBB\xC0\x92\x60\xEC\xE0\xD4\xE7\x6D\xC6\xD3\xED\x67\x83\x77\x52\xD5\xF2\xE5\x77\xA7\x36\xB2\xE3\x54\xBE\xD9\xBB\x0A\x9B\x11\xEF\x61\xF4\xC6\x99\x33\x99\xF5\xAF\x00\x39\x8D\x83\xBF\xA6\xBD\x35\x7E\x2C\x5C\x31\x34\x6F\x6C\xDB\xF3\x64\x01\x98\xAA\x94\x2C\x41\xDD\x15\x86\xCA\x6B\x29\x4E\x16\xC0\x49\xFC\xD7\x83\x48\x13\x07\x51\x84\x31\x52\x88\xBB\x86\x17\xC7\x6B\x2F\x8A\x20\xAD\xC5\x0B\x8F\x70\x3E\x2A\xBB\x1B\x71\x8F\xB9\xA4\xA0\xFD\xD8\x95\xD9\xAF\x59\xBF\x25\x2B\x98\xE9\x63\x93\x2F\x60\x1E\xC4\xAA\xF8\x77\xF5\x8B\x6C\x2F\xED\x7E\x2E\xB5\x4F\x40\x0D\xEE\xBC\x57\x77\xE7\xD9\xB6\xD4\x3F\x95\x27\x3A\x20\xD5\xE5\xAE\xAB\x6C\x35\x9F\xC1\xA1\x1D\x59\xDC\x84\x81\xEE\x4D\x07\xE2\x48\xB6\x9E\x4B\x95\x2D\x41\xB1\xE1\xE8\xDE\x7E\x2F\x05\x1E\x68\xEE\xBF\xBB\x90\x65\x3A\xC8\xEE\xEA\xB1\x18\x37\x1C\x62\x93\xA4\xA0\x31\xEC\x71\x6C\x91\xE6\xA4\x79\x89\x5A\x14\xA7\x14\x50\x05\x4C\xA4\x00\x57\x30\x2C\xC1\xB5\x61\x96\xDC\x3E\x1E\x84\xAF\x39\x42\xCF\xE5\xD0\x2C\xB1\x24\xBC\xDF\x40\xC3\xED\x7F\x63\x4A\xBD\xE1\x4F\x12\x64\x86\x95\xF3\xB0\xE7\xC8\xB7\xE1\x53\xBD\x92\xE6\xF3\x0C\x96\xB9\xEB\xE8\xE6\x92\xED\xA7\x81\x09\x14\x0B\xFC\x95\x7A\xCF\x8F\xD6\x34\x4F\x36\x12\xDC\x5E\xD1\x34\x75\xC6\x46\x80\x2F\x95\x04\x8C\xC7\x86\xC4\xA8\x26\x89\xA8\x3F\x19\x9B\x81\xBB\x51\xA4\x4A\x86\xAB\x0B\x11\x0F\xB1\xAE\x63\x53\x6D\x28\xEA\xDD\x33\x56\x38\x1C\xB2\xAD\x80\xD3\xD7\x72\xBD\x9A\x6C\x99\x63\xE8\x00\xBB\x41\x76\x05\xB7\x5B\x99\x18\x8A\xC3\xB8\x12\x5C\x56\xCF\x56\x0C\x7D\xE8\xE2\xCF\xED\xBC\x74\x47\xFB\xEE\xD3\x17\x4E\x22\x4F\x56\xFF\x50\xF3\x2E\xE6\x39\xA6\x82\xD6\x71\xCA\xDE\xB7\xD5\xBA\x68\x08\xED\x99\xCC\xFD\xA2\x92\xCB\x69\xB8\x9D\xF9\x0A\xA4\x
A6\x3E\x4F\x93\x28\x2A\x61\x6C\x07\x26\x00\xFF\x96\x5F\x68\x86\xB8\xB8\xCE\xCA\x55\xE0\xAB\xB1\x3D\x7F\x98\xD7\x33\x0E\x5A\x3D\xD8\x78\xC2\xC4\x60\x2F\xC7\x62\xF0\x61\x91\xD2\x38\xB0\xF6\x9E\x55\xDB\x40\x80\x05\x12\x33\xCE\x1D\x92\x9B\xD1\x69\xB3\xFF\xBF\xF1\x92\x0A\x61\x35\x3F\xDD\xFE\x86\xF4\xBC\xE0\x1A\x71\xB3\x62\xA6", - ["CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN"] = "\x30\x82\x03\xF7\x30\x82\x02\xDF\xA0\x03\x02\x01\x02\x02\x04\x48\x9F\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x8A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x32\x30\x30\x06\x03\x55\x04\x0A\x0C\x29\x43\x68\x69\x6E\x61\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x49\x6E\x66\x6F\x72\x6D\x61\x74\x69\x6F\x6E\x20\x43\x65\x6E\x74\x65\x72\x31\x47\x30\x45\x06\x03\x55\x04\x03\x0C\x3E\x43\x68\x69\x6E\x61\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x49\x6E\x66\x6F\x72\x6D\x61\x74\x69\x6F\x6E\x20\x43\x65\x6E\x74\x65\x72\x20\x45\x56\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x73\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x31\x30\x30\x38\x33\x31\x30\x37\x31\x31\x32\x35\x5A\x17\x0D\x33\x30\x30\x38\x33\x31\x30\x37\x31\x31\x32\x35\x5A\x30\x81\x8A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x32\x30\x30\x06\x03\x55\x04\x0A\x0C\x29\x43\x68\x69\x6E\x61\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x49\x6E\x66\x6F\x72\x6D\x61\x74\x69\x6F\x6E\x20\x43\x65\x6E\x74\x65\x72\x31\x47\x30\x45\x06\x03\x55\x04\x03\x0C\x3E\x43\x68\x69\x6E\x61\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x49\x6E\x66\x6F\x72\x6D\x61\x74\x69\x6F\x6E\x20\x43\x65\x6E\x74\x65\x72\x20\x45\x56\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x73\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x9B\x7E\x73\xEE\xBD\x3B\x7
8\xAA\x64\x43\x41\xF5\x50\xDF\x94\xF2\x2E\xB2\x8D\x4A\x8E\x46\x54\xD2\x21\x12\xC8\x39\x32\x42\x06\xE9\x83\xD5\x9F\x52\xED\xE5\x67\x03\x3B\x54\xC1\x8C\x99\x99\xCC\xE9\xC0\x0F\xFF\x0D\xD9\x84\x11\xB2\xB8\xD1\xCB\x5B\xDC\x1E\xF9\x68\x31\x64\xE1\x9B\xFA\x74\xEB\x68\xB9\x20\x95\xF7\xC6\x0F\x8D\x47\xAC\x5A\x06\xDD\x61\xAB\xE2\xEC\xD8\x9F\x17\x2D\x9C\xCA\x3C\x35\x97\x55\x71\xCD\x43\x85\xB1\x47\x16\xF5\x2C\x53\x80\x76\xCF\xD3\x00\x64\xBD\x40\x99\xDD\xCC\xD8\xDB\xC4\x9F\xD6\x13\x5F\x41\x83\x8B\xF9\x0D\x87\x92\x56\x34\x6C\x1A\x10\x0B\x17\xD5\x5A\x1C\x97\x58\x84\x3C\x84\x1A\x2E\x5C\x91\x34\x6E\x19\x5F\x7F\x17\x69\xC5\x65\xEF\x6B\x21\xC6\xD5\x50\x3A\xBF\x61\xB9\x05\x8D\xEF\x6F\x34\x3A\xB2\x6F\x14\x63\xBF\x16\x3B\x9B\xA9\x2A\xFD\xB7\x2B\x38\x66\x06\xC5\x2C\xE2\xAA\x67\x1E\x45\xA7\x8D\x04\x66\x42\xF6\x8F\x2B\xEF\x88\x20\x69\x8F\x32\x8C\x14\x73\xDA\x2B\x86\x91\x63\x22\x9A\xF2\xA7\xDB\xCE\x89\x8B\xAB\x5D\xC7\x14\xC1\x5B\x30\x6A\x1F\xB1\xB7\x9E\x2E\x81\x01\x02\xED\xCF\x96\x5E\x63\xDB\xA8\xE6\x38\xB7\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x7C\x72\x4B\x39\xC7\xC0\xDB\x62\xA5\x4F\x9B\xAA\x18\x34\x92\xA2\xCA\x83\x82\x59\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x7C\x72\x4B\x39\xC7\xC0\xDB\x62\xA5\x4F\x9B\xAA\x18\x34\x92\xA2\xCA\x83\x82\x59\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x2A\xC3\xC7\x43\x37\x8F\xDD\xAD\xA4\xB2\x0C\xEE\xDC\x14\x6D\x8F\x28\xA4\x98\x49\xCB\x0C\x80\xEA\xF3\xED\x23\x66\x75\x7D\xC5\xD3\x21\x67\x79\xD1\x73\xC5\xB5\x03\xB7\x58\xAC\x0C\x54\x2F\xC6\x56\x13\x0F\x31\xDA\x06\xE7\x65\x3B\x1D\x6F\x36\xDB\xC8\x1D\xF9\xFD\x80\x06\xCA\xA3\x3D\x66\x16\xA8\x9D\x4C\x16\x7D\xC0\x95\x46\xB5\x51\xE4\xE2\x1F\xD7\xEA\x06\x4D\x63\x8D\x96\x8C\xEF\xE7\x33\x57\x42\x3A\xEB\x8C\xC1\x79\xC8\x4D\x76\x7D\xDE\xF6\xB1\xB7\x81\xE0\xA0\xF9\xA1\x78\x46\x17\x1A\x56\x98\xF0\x4E\x3D\xA
B\x1C\xED\xEC\x39\xDC\x07\x48\xF7\x63\xFE\x06\xAE\xC2\xA4\x5C\x6A\x5B\x32\x88\xC5\xC7\x33\x85\xAC\x66\x42\x47\xC2\x58\x24\x99\xE1\xE5\x3E\xE5\x75\x2C\x8E\x43\xD6\x5D\x3C\x78\x1E\xA8\x95\x82\x29\x50\xD1\xD1\x16\xBA\xEF\xC1\xBE\x7A\xD9\xB4\xD8\xCC\x1E\x4C\x46\xE1\x77\xB1\x31\xAB\xBD\x2A\xC8\xCE\x8F\x6E\xA1\x5D\x7F\x03\x75\x34\xE4\xAD\x89\x45\x54\x5E\xBE\xAE\x28\xA5\xBB\x3F\x78\x79\xEB\x73\xB3\x0A\x0D\xFD\xBE\xC9\xF7\x56\xAC\xF6\xB7\xED\x2F\x9B\x21\x29\xC7\x38\xB6\x95\xC4\x04\xF2\xC3\x2D\xFD\x14\x2A\x90\x99\xB9\x07\xCC\x9F", - ["CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch"] = "\x30\x82\x05\xD9\x30\x82\x03\xC1\xA0\x03\x02\x01\x02\x02\x10\x1E\x9E\x28\xE8\x48\xF2\xE5\xEF\xC3\x7C\x4A\x1E\x5A\x18\x67\xB6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x31\x31\x30\x36\x32\x34\x30\x38\x33\x38\x31\x34\x5A\x17\x0D\x33\x31\x30\x36\x32\x35\x30\x37\x33\x38\x31\x34\x5A\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x95\x42\x4E\x84\x9D\x51\xE6\xD3\x09\xE8\x72\x5A\x23\x69\xDB\x78\x70\x8E\x16\xF1\x2B\x8F\x0D\x03\xCE\x93\xCC\x2E\x00\x08\x7B\xAB\x33\
x8C\xF4\xE9\x40\xE6\x17\x4C\xAB\x9E\xB8\x47\x14\x32\x77\x32\xDD\x28\x0C\xDE\x18\x4B\x5F\x76\x9F\xF8\x39\x3B\xFC\x4E\x89\xD8\x7C\xC5\x67\xEF\xAB\xD2\xB9\x34\x5F\x6B\x3A\xF3\x64\x36\xCE\xC2\xB0\xCF\x13\x68\xCA\xC8\xCB\xEB\xB5\xE2\x3D\x2E\x21\xDF\xEA\x2C\xD4\xE0\xF9\x70\x96\x4C\xFF\x6A\x58\x98\xB7\x17\xE4\x1B\x52\xE5\x7E\x07\x00\x1D\x5F\xDA\xE6\x3E\x95\x04\xB7\x69\x88\x39\xA1\x41\x60\x25\x61\x4B\x95\x39\x68\x62\x1C\xB1\x0B\x05\x89\xC0\x36\x82\x14\x21\x3F\xAE\xDB\xA1\xFD\xBC\x6F\x1C\x60\x86\xB6\x53\x94\x49\xB9\x2B\x46\xC5\x4F\x00\x2B\xBF\xA1\xBB\xCB\x3F\xE0\xC7\x57\x1C\x57\xE8\xD6\x69\xF8\xC1\x24\x52\x9D\x88\x55\xDD\xC2\x87\x2E\x74\x23\xD0\x14\xFD\x2A\x47\x5A\xBB\xA6\x9D\xFD\x94\xE4\xD1\x8A\xA5\x5F\x86\x63\x76\x85\xCB\xAF\xFF\x49\x28\xFC\x80\xED\x4C\x79\xD2\xBB\xE4\xC0\xEF\x01\xEE\x50\x41\x08\x35\x23\x70\x2B\xA9\x16\xB4\x8C\x6E\x85\xE9\xB6\x11\xCF\x31\xDD\x53\x26\x1B\xDF\x2D\x5A\x4A\x02\x40\xFC\xC4\xC0\xB6\xE9\x31\x1A\x08\x28\xE5\x60\xC3\x1F\xC4\x90\x8E\x10\x62\x60\x44\x0D\xEC\x0A\xBE\x55\x18\x71\x2C\xA5\xF4\xB2\xBC\x15\x62\xFF\x1C\xE3\xBE\x1D\xDA\x1E\x57\xB3\x3C\x7E\xCD\x82\x1D\x91\xE3\x4B\xEB\x2C\x52\x34\xB0\x8A\xFD\x12\x4E\x96\xB0\xEB\x70\x7F\x9E\x39\xF7\x66\x42\xB1\xAB\xAC\x52\xDA\x76\x40\x57\x7B\x2A\xBD\xE8\x6E\x03\xB2\x0B\x80\x85\x88\x9D\x0C\xC7\xC2\x77\xB0\x9A\x9A\x57\xF4\xB8\xFA\x13\x5C\x68\x93\x3A\x67\xA4\x97\xD0\x1B\x99\xB7\x86\x32\x4B\x60\xD8\xCE\xEF\xD0\x0C\x7F\x95\x9F\x6F\x87\x4F\x87\x8A\x8E\x5F\x08\x7C\xAA\x5B\xFC\x5A\xBE\xA1\x91\x9F\x55\x7D\x4E\xB0\x0B\x69\xCC\xB0\x94\xA8\xA7\x87\xF2\xD3\x4A\x50\xDC\x5F\x72\xB0\x16\x75\x1E\xCB\xB4\x18\x62\x9A\xB0\xA7\x39\xAA\x9B\x9F\x66\xD8\x8D\xA6\x6C\x96\x15\xE3\xE6\xF2\xF8\xF1\x83\x62\x6C\xBB\x55\xE9\x61\x93\xA3\x3D\xF5\xB1\x57\x8B\x4F\x23\xB0\x9B\xE5\x94\x6A\x2F\xDF\x8C\xDF\x95\x51\x29\x60\xA1\x0B\x29\xE4\x5C\x55\x58\xB7\xA8\xFC\x99\xEE\x25\x4D\x4C\x0E\xB3\xD3\x4C\x8F\x84\xE8\x29\x0F\xFD\x10\x54\x02\x85\xC8\xF9\xE5\xC3\x8B\xCF\xE7\x0F\x02\x03\x01\x00\x01\xA3\x81\x86\x30\x81\x83\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\
x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x21\x04\x16\x30\x14\x30\x12\x06\x07\x60\x85\x74\x01\x53\x02\x01\x06\x07\x60\x85\x74\x01\x53\x02\x01\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x07\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x4D\x26\x20\x22\x89\x4B\xD3\xD5\xA4\x0A\xA1\x6F\xDE\xE2\x12\x81\xC5\xF1\x3C\x2E\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x4D\x26\x20\x22\x89\x4B\xD3\xD5\xA4\x0A\xA1\x6F\xDE\xE2\x12\x81\xC5\xF1\x3C\x2E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x32\x0A\xB2\xA4\x1B\xCB\x7D\xBE\x82\x57\x89\xB9\x6A\x7F\xF3\xF4\xC1\x2E\x11\x7D\xB8\x19\x3E\x79\xB7\xA8\xA8\x72\x37\x66\x9B\x1A\xED\xAC\x13\x3B\x0E\xBF\x62\xF0\x9C\xDF\x9E\x7B\xA1\x53\x48\x0E\x41\x7A\xCA\x20\xA7\x17\x1B\xB6\x78\xEC\x40\x91\xF3\x42\xAD\x10\xC3\x5C\xEF\xFF\x60\x59\x7F\xCD\x85\xA3\x8B\x3D\x48\x1C\x25\x02\x3C\x67\x7D\xF5\x32\xE9\x2F\x30\xE5\x7D\xA5\x7A\x38\xD0\xF3\x66\x2A\x66\x1E\x8D\x33\x83\x8A\x6F\x7C\x6E\xA8\x5A\x75\x9A\xB8\xD7\xDA\x58\x48\x44\x47\xA8\x4C\xFA\x4C\x49\x0A\x4A\xC2\x12\x37\xA8\x40\x0C\xC3\xC8\xE1\xD0\x57\x0D\x97\x32\x95\xC7\x3A\x9F\x97\xD3\x57\xF8\x0B\xDE\xE5\x72\xF3\xA3\xDB\xFF\xB5\xD8\x59\xB2\x73\xDD\x4D\x2A\x71\xB2\xBA\x49\xF5\xCB\x1C\xD5\xF5\x79\xC8\x99\xB3\xFC\xC1\x4C\x74\xE3\xB4\xBD\x29\x37\x15\x04\x28\x1E\xDE\x45\x46\x70\xEC\xAF\xBA\x78\x0E\x8A\x2A\xCE\x00\x79\xDC\xC0\x5F\x19\x67\x2C\x6B\x4B\xEF\x68\x68\x0B\x43\xE3\xAC\xC1\x62\x09\xEF\xA6\xDD\x65\x61\xA0\xAF\x84\x55\x48\x91\x52\x1C\xC6\x25\x91\x2A\xD0\xC1\x22\x23\x61\x59\xAF\x45\x11\x85\x1D\x01\x24\x34\x8F\xCF\xB3\xFF\x17\x72\x20\x13\xC2\x80\xAA\x21\x2C\x71\x39\x0E\xD0\x8F\x5C\xC1\xD3\xD1\x8E\x22\x72\x46\x4C\x1D\x96\xAE\x4F\x71\xB1\xE1\x05\x29\x96\x59\xF4\xBB\x9E\x75\x3D\xCF\x0D\x37\x0D\x62\xDB\x26\x8C\x63\xA9\x23\xDF\x67\x06\x3C\x7C\x3A\xDA\x34\x42\xE1\x66\xB4\x46\x04\xDE\xC6\x96\x98\x0F\x4B\x48\x7A\x24\x32\x75\x91\x9F\xAC\xF7\x68\xE9\x2A\xB9\x55\x65\xCE\x5D\x61\xD3\x27\x70\xD8\x37\xFE\x9F\xB9\xAF\xA0\x2E\x56\xB7\xA3\x65\x51\
xED\x3B\xAB\x14\xBF\x4C\x51\x03\xE8\x5F\x8A\x05\x9B\xEE\x8A\x6E\x9C\xEF\xBF\x68\xFA\xC8\xDA\x0B\xE3\x42\xC9\xD0\x17\x14\x9C\xB7\x4A\xE0\xAF\x93\x27\x21\x55\x26\xB5\x64\x2F\x8D\xF1\xFF\xA6\x40\x05\x85\x05\x5C\xCA\x07\x19\x5C\x0B\x13\x28\x4C\x58\x7F\xC2\xA5\xEF\x45\xDA\x60\xD3\xAE\x65\x61\x9D\x53\x83\x74\xC2\xAE\xF2\x5C\xC2\x16\xED\x92\x3E\x84\x3E\x73\x60\x88\xBC\x76\xF4\x2C\xCF\xD0\x7D\x7D\xD3\xB8\x5E\xD1\x91\x12\x10\xE9\xCD\xDD\xCA\x25\xE3\xD5\xED\x99\x2F\xBE\x75\x81\x4B\x24\xF9\x45\x46\x94\xC9\x29\x21\x53\x9C\x26\x45\xAA\x13\x17\xE4\xE7\xCD\x78\xE2\x39\xC1\x2B\x12\x9E\xA6\x9E\x1B\xC5\xE6\x0E\xD9\x31\xD9", - ["CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch"] = "\x30\x82\x05\xE0\x30\x82\x03\xC8\xA0\x03\x02\x01\x02\x02\x11\x00\xF2\xFA\x64\xE2\x74\x63\xD3\x8D\xFD\x10\x1D\x04\x1F\x76\xCA\x58\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1E\x30\x1C\x06\x03\x55\x04\x03\x13\x15\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x45\x56\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x31\x31\x30\x36\x32\x34\x30\x39\x34\x35\x30\x38\x5A\x17\x0D\x33\x31\x30\x36\x32\x35\x30\x38\x34\x35\x30\x38\x5A\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1E\x30\x1C\x06\x03\x55\x04\x03\x13\x15\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x45\x56\x20\x43\x41\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC4\xF7\x1D\x2F
\x57\xEA\x57\x6C\xF7\x70\x5D\x63\xB0\x71\x52\x09\x60\x44\x28\x33\xA3\x7A\x4E\x0A\xFA\xD8\xEA\x6C\x8B\x51\x16\x1A\x55\xAE\x54\x26\xC4\xCC\x45\x07\x41\x4F\x10\x79\x7F\x71\xD2\x7A\x4E\x3F\x38\x4E\xB3\x00\xC6\x95\xCA\x5B\xCD\xC1\x2A\x83\xD7\x27\x1F\x31\x0E\x23\x16\xB7\x25\xCB\x1C\xB4\xB9\x80\x32\x5E\x1A\x9D\x93\xF1\xE8\x3C\x60\x2C\xA7\x5E\x57\x19\x58\x51\x5E\xBC\x2C\x56\x0B\xB8\xD8\xEF\x8B\x82\xB4\x3C\xB8\xC2\x24\xA8\x13\xC7\xA0\x21\x36\x1B\x7A\x57\x29\x28\xA7\x2E\xBF\x71\x25\x90\xF3\x44\x83\x69\x50\xA4\xE4\xE1\x1B\x62\x19\x94\x09\xA3\xF3\xC3\xBC\xEF\xF4\xBD\xEC\xDB\x13\x9D\xCF\x9D\x48\x09\x52\x67\xC0\x37\x29\x11\x1E\xFB\xD2\x11\xA7\x85\x18\x74\x79\xE4\x4F\x85\x14\xEB\x52\x37\xE2\xB1\x45\xD8\xCC\x0D\x43\x7F\xAE\x13\xD2\x6B\x2B\x3F\xA7\xC2\xE2\xA8\x6D\x76\x5B\x43\x9F\xBE\xB4\x9D\xB3\x26\x86\x3B\x1F\x7F\xE5\xF2\xE8\x66\x28\x16\x25\xD0\x4B\x97\x38\xA7\xE4\xCF\x09\xD1\x36\xC3\x0B\xBE\xDA\x3B\x44\x58\x8D\xBE\xF1\x9E\x09\x6B\x3E\xF3\x32\xC7\x2B\x87\xC6\xEC\x5E\x9C\xF6\x87\x65\xAD\x33\x29\xC4\x2F\x89\xD9\xB9\xCB\xC9\x03\x9D\xFB\x6C\x94\x51\x97\x10\x1B\x86\x0B\x1A\x1B\x3F\xF6\x02\x7E\x7B\xD4\xC5\x51\x64\x28\x9D\xF5\xD3\xAC\x83\x81\x88\xD3\x74\xB4\x59\x9D\xC1\xEB\x61\x33\x5A\x45\xD1\xCB\x39\xD0\x06\x6A\x53\x60\x1D\xAF\xF6\xFB\x69\xBC\x6A\xDC\x01\xCF\xBD\xF9\x8F\xD9\xBD\x5B\xC1\x3A\x5F\x8E\xDA\x0F\x4B\xA9\x9B\x9D\x2A\x28\x6B\x1A\x0A\x7C\x3C\xAB\x22\x0B\xE5\x77\x2D\x71\xF6\x82\x35\x81\xAE\xF8\x7B\x81\xE6\xEA\xFE\xAC\xF4\x1A\x9B\x74\x5C\xE8\x8F\x24\xF6\x5D\x9D\x46\xC4\x2C\xD2\x1E\x2B\x21\x6A\x83\x27\x67\x55\x4A\xA4\xE3\xC8\x32\x97\x66\x90\x72\xDA\xE3\xD4\x64\x2E\x5F\xE3\xA1\x6A\xF6\x60\xD4\xE7\x35\xCD\xCA\xC4\x68\x8D\xD7\x71\xC8\xD3\x24\x33\x73\xB1\x6C\xF9\x6A\xE1\x28\xDB\x5F\xC6\x3D\xE8\xBE\x55\xE6\x37\x1B\xED\x24\xD9\x0F\x19\x8F\x5F\x63\x18\x58\x50\x81\x51\x65\x6F\xF2\x9F\x7E\x6A\x04\xE7\x34\x24\x71\xBA\x76\x4B\x58\x1E\x19\xBD\x15\x60\x45\xAA\x0C\x12\x40\x01\x9D\x10\xE2\xC7\x38\x07\x72\x0A\x65\xC0\xB6\xBB\x25\x29\xDA\x16\x9E\x8B\x35\x8B\x61\xED\xE5\x71\x57\x83\xB5\x3C\x71\x9F\xE3
\x4F\xBF\x7E\x1E\x81\x9F\x41\x97\x02\x03\x01\x00\x01\xA3\x81\x86\x30\x81\x83\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x21\x04\x16\x30\x14\x30\x12\x06\x07\x60\x85\x74\x01\x53\x02\x02\x06\x07\x60\x85\x74\x01\x53\x02\x02\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x03\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x45\xD9\xA5\x81\x6E\x3D\x88\x4D\x8D\x71\xD2\x46\xC1\x6E\x45\x1E\xF3\xC4\x80\x9D\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x45\xD9\xA5\x81\x6E\x3D\x88\x4D\x8D\x71\xD2\x46\xC1\x6E\x45\x1E\xF3\xC4\x80\x9D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x94\x3A\x73\x06\x9F\x52\x4B\x30\x5C\xD4\xFE\xB1\x5C\x25\xF9\xD7\x8E\x6F\xF5\x87\x64\x9F\xED\x14\x8E\xB8\x04\x8E\x28\x4B\x8F\xAA\x7B\x8E\x39\xB4\xD9\x58\xF6\x7B\xA1\x35\x0A\xA1\x9D\x8A\xF7\x63\xE5\xEB\xBD\x39\x82\xD4\xE3\x7A\x2D\x6F\xDF\x13\x3C\xBA\xFE\x7E\x56\x98\x0B\xF3\x54\x9F\xCD\x44\x4E\x6E\x3C\xE1\x3E\x15\xBF\x06\x26\x9D\xE4\xF0\x90\xB6\xD4\xC2\x9E\x30\x2E\x1F\xEF\xC7\x7A\xC4\x50\xC7\xEA\x7B\xDA\x50\xCB\x7A\x26\xCB\x00\xB4\x5A\xAB\xB5\x93\x1F\x80\x89\x84\x04\x95\x8D\x8D\x7F\x09\x93\xBF\xD4\xA8\xA8\xE4\x63\x6D\xD9\x64\xE4\xB8\x29\x5A\x08\xBF\x50\xE1\x84\x0F\x55\x7B\x5F\x08\x22\x1B\xF5\xBD\x99\x1E\x14\xF6\xCE\xF4\x58\x10\x82\xB3\x0A\x3D\x19\xC1\xBF\x5B\xAB\xAA\x99\xD8\xF2\x31\xBD\xE5\x38\x66\xDC\x58\x05\xC7\xED\x63\x1A\x2E\x0A\x97\x7C\x87\x93\x2B\xB2\x8A\xE3\xF1\xEC\x18\xE5\x75\xB6\x29\x87\xE7\xDC\x8B\x1A\x7E\xB4\xD8\xC9\xD3\x8A\x17\x6C\x7D\x29\x44\xBE\x8A\xAA\xF5\x7E\x3A\x2E\x68\x31\x93\xB9\x6A\xDA\x9A\xE0\xDB\xE9\x2E\xA5\x84\xCD\x1C\x0A\xB8\x4A\x08\xF9\x9C\xF1\x61\x26\x98\x93\xB7\x7B\x66\xEC\x91\x5E\xDD\x51\x3F\xDB\x73\x0F\xAD\x04\x58\x09\xDD\x04\x02\x95\x0A\x3E\xD3\x76\xDF\xA6\x10\x1E\x80\x3D\xE8\xCD\xA4\x64\xD1\x33\xC7\x92\xC7\xE2\x4E\x44\xE3\x09\xC9\x4E\xC2\x5D\x87\x0E\x12\x9E\xBF\x0F\xC9\x05\x10\xDE\x7A\xA3\xB1\x3C\xF2\x3F\xA5\xAA\x27\x79\xAD\x31\x7D\x1F\xFD\xFC\x19\x69\xC5\xDD\xB9\x3F\x7C
\xCD\xC6\xB4\xC2\x30\x1E\x7E\x6E\x92\xD7\x7F\x61\x76\x5A\x8F\xEB\x95\x4D\xBC\x11\x6E\x21\x7C\x59\x37\x99\xD0\x06\xBC\xF9\x06\x6D\x32\x16\xA5\xD9\x69\xA8\xE1\xDC\x3C\x80\x1E\x60\x51\xDC\xD7\x54\x21\x1E\xCA\x62\x77\x4F\xFA\xD8\x8F\xB3\x2B\x3A\x0D\x78\x72\xC9\x68\x41\x5A\x47\x4A\xC2\xA3\xEB\x1A\xD7\x0A\xAB\x3C\x32\x55\xC8\x0A\x11\x9C\xDF\x74\xD6\xF0\x40\x15\x1D\xC8\xB9\x8F\xB5\x36\xC5\xAF\xF8\x22\xB8\xCA\x1D\xF3\xD6\xB6\x19\x0F\x9F\x61\x65\x6A\xEA\x74\xC8\x7C\x8F\xC3\x4F\x5D\x65\x82\x1F\xD9\x0D\x89\xDA\x75\x72\xFB\xEF\xF1\x47\x67\x13\xB3\xC8\xD1\x19\x88\x27\x26\x9A\x99\x79\x7F\x1E\xE4\x2C\x3F\x7B\xEE\xF1\xDE\x4D\x8B\x96\x97\xC3\xD5\x3F\x7C\x1B\x23\xED\xA4\xB3\x1D\x16\x72\x43\x4B\x20\xE1\x59\x7E\xC2\xE8\xAD\x26\xBF\xA2\xF7", - ["CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK"] = "\x30\x82\x05\x69\x30\x82\x03\x51\xA0\x03\x02\x01\x02\x02\x09\x00\xC3\x03\x9A\xEE\x50\x90\x6E\x28\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x52\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x4B\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x42\x72\x61\x74\x69\x73\x6C\x61\x76\x61\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x44\x69\x73\x69\x67\x20\x61\x2E\x73\x2E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x43\x41\x20\x44\x69\x73\x69\x67\x20\x52\x6F\x6F\x74\x20\x52\x31\x30\x1E\x17\x0D\x31\x32\x30\x37\x31\x39\x30\x39\x30\x36\x35\x36\x5A\x17\x0D\x34\x32\x30\x37\x31\x39\x30\x39\x30\x36\x35\x36\x5A\x30\x52\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x4B\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x42\x72\x61\x74\x69\x73\x6C\x61\x76\x61\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x44\x69\x73\x69\x67\x20\x61\x2E\x73\x2E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x43\x41\x20\x44\x69\x73\x69\x67\x20\x52\x6F\x6F\x74\x20\x52\x31\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xAA\xC3\x78\xF7\xDC\x98\xA3\xA7\x5A\x5E\x77\x18\xB2\xDD\x04\x64\x0F\x63\xFD\x9B\x96\x09\x80\xD5\xE8\xAA\xA5\xE2\x9C\x26\
x94\x3A\xE8\x99\x73\x8C\x9D\xDF\xD7\xDF\x83\xF3\x78\x4F\x40\xE1\x7F\xD2\xA7\xD2\xE5\xCA\x13\x93\xE7\xED\xC6\x77\x5F\x36\xB5\x94\xAF\xE8\x38\x8E\xDB\x9B\xE5\x7C\xBB\xCC\x8D\xEB\x75\x73\xE1\x24\xCD\xE6\xA7\x2D\x19\x2E\xD8\xD6\x8A\x6B\x14\xEB\x08\x62\x0A\xD8\xDC\xB3\x00\x4D\xC3\x23\x7C\x5F\x43\x08\x23\x32\x12\xDC\xED\x0C\xAD\xC0\x7D\x0F\xA5\x7A\x42\xD9\x5A\x70\xD9\xBF\xA7\xD7\x01\x1C\xF6\x9B\xAB\x8E\xB7\x4A\x86\x78\xA0\x1E\x56\x31\xAE\xEF\x82\x0A\x80\x41\xF7\x1B\xC9\xAE\xAB\x32\x26\xD4\x2C\x6B\xED\x7D\x6B\xE4\xE2\x5E\x22\x0A\x45\xCB\x84\x31\x4D\xAC\xFE\xDB\xD1\x47\xBA\xF9\x60\x97\x39\xB1\x65\xC7\xDE\xFB\x99\xE4\x0A\x22\xB1\x2D\x4D\xE5\x48\x26\x69\xAB\xE2\xAA\xF3\xFB\xFC\x92\x29\x32\xE9\xB3\x3E\x4D\x1F\x27\xA1\xCD\x8E\xB9\x17\xFB\x25\x3E\xC9\x6E\xF3\x77\xDA\x0D\x12\xF6\x5D\xC7\xBB\x36\x10\xD5\x54\xD6\xF3\xE0\xE2\x47\x48\xE6\xDE\x14\xDA\x61\x52\xAF\x26\xB4\xF5\x71\x4F\xC9\xD7\xD2\x06\xDF\x63\xCA\xFF\x21\xE8\x59\x06\xE0\x08\xD5\x84\x15\x53\xF7\x43\xE5\x7C\xC5\xA0\x89\x98\x6B\x73\xC6\x68\xCE\x65\xDE\xBD\x7F\x05\xF7\xB1\xEE\xF6\x57\xA1\x60\x95\xC5\xCC\xEA\x93\x3A\xBE\x99\xAE\x9B\x02\xA3\xAD\xC9\x16\xB5\xCE\xDD\x5E\x99\x78\x7E\x1A\x39\x7E\xB2\xC0\x05\xA4\xC0\x82\xA5\xA3\x47\x9E\x8C\xEA\x5C\xB6\xBC\x67\xDB\xE6\x2A\x4D\xD2\x04\xDC\xA3\xAE\x45\xF7\xBC\x8B\x9C\x1C\xA7\xD6\xD5\x03\xDC\x08\xCB\x2E\x16\xCA\x5C\x40\x33\xE8\x67\xC3\x2E\xE7\xA6\x44\xEA\x11\x45\x1C\x35\x65\x2D\x1E\x45\x61\x24\x1B\x82\x2E\xA5\x9D\x33\x5D\x65\xF8\x41\xF9\x2E\xCB\x94\x3F\x1F\xA3\x0C\x31\x24\x44\xED\xC7\x5E\xAD\x50\xBA\xC6\x41\x9B\xAC\xF0\x17\x65\xC0\xF8\x5D\x6F\x5B\xA0\x0A\x34\x3C\xEE\xD7\xEA\x88\x9F\x98\xF9\xAF\x4E\x24\xFA\x97\xB2\x64\x76\xDA\xAB\xF4\xED\xE3\xC3\x60\xEF\xD5\xF9\x02\xC8\x2D\x9F\x83\xAF\x67\x69\x06\xA7\x31\x55\xD5\xCF\x4B\x6F\xFF\x04\x05\xC7\x58\xAC\x5F\x16\x1B\xE5\xD2\xA3\xEB\x31\xDB\x1F\x33\x15\x4D\xD0\xF2\xA5\x53\xF5\xCB\xE1\x3D\x4E\x68\x2D\xD8\x12\xDD\xAA\xF2\xE6\x4D\x9B\x49\xE5\xC5\x28\xA1\xBA\xB0\x5A\xC6\xA0\xB5\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\
xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x89\x0A\xB4\x38\x93\x1A\xE6\xAB\xEE\x9B\x91\x18\xF9\xF5\x3C\x3E\x35\xD0\xD3\x82\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x32\x8B\xF6\x9D\x4A\xC9\xBE\x14\xE5\x8C\xAC\x38\xCA\x3A\x09\xD4\x1B\xCE\x86\xB3\xDD\xEB\xD4\xBA\x28\xBE\x12\xAE\x45\x2C\x04\x74\xAC\x13\x51\xC5\x58\x18\x66\x4D\x82\xDA\xD5\xDC\x93\xC0\x27\xE1\xBE\x7C\x9F\x52\x9E\x12\x56\xF6\xD5\x9C\xA9\xF4\x75\x9C\xFA\x37\x12\x8F\x1C\x93\xEC\x57\xFE\x07\x0F\xAB\xD5\x12\xF7\x0F\xAE\x61\x5E\x56\x80\x49\xF5\xFC\x30\xF5\x9B\x4F\x1F\x41\x2F\x1C\x84\xD3\x89\xC7\xE2\xDA\x02\x76\xED\x09\xCF\x6C\xC1\xB8\x1C\x83\x1C\x16\xFA\x94\xCD\x7D\xA0\xC8\x18\xD2\xC8\x9D\x6E\xF5\xBD\x69\xD4\x6D\x3D\x35\xE8\x1E\xA2\x4F\x60\xD7\x07\x29\xFC\xB2\xA3\xA4\x9D\x6E\x15\x92\x56\x19\x4C\x0A\xB0\xE9\x7C\xD2\x19\x4D\x42\x46\xEC\xBD\xFD\xF6\x57\x5B\xDD\x98\x7E\xA4\x4D\xCC\x72\x03\x83\x58\x5D\xEF\x93\x3A\x41\x7A\x63\xAA\x7C\x3A\xA8\xF5\xAC\xA4\xD1\xDD\xA2\x2D\xB6\x2A\xFC\x9F\x01\x8E\xE2\x10\xB1\xC4\xCA\xE4\x67\xDB\x55\x25\x19\x3F\xFD\xE8\x36\x7E\xB3\xE1\xE1\x81\xAF\x11\x16\x8B\x50\x97\x60\x19\x82\x00\xC0\x6B\x4D\x73\xB8\xD1\x13\x07\x3E\xEA\xB6\x31\x4F\xF0\x42\x9A\x6D\xE2\x11\x74\xE5\x94\xAC\x8D\x84\x95\x3C\x21\xAF\xC5\xDA\x47\xC8\xDF\x39\x62\x62\xCB\x5B\x50\x0B\xD7\x81\x40\x05\x9C\x9B\xED\xBA\xB6\x8B\x1E\x04\x6F\x96\x20\x39\xED\xA4\x7D\x29\xDB\x48\xCE\x82\xDC\xD4\x02\x8D\x1D\x04\x31\x5A\xC7\x4B\xF0\x6C\x61\x52\xD7\xB4\x51\xC2\x81\x6C\xCD\xE1\xFB\xA7\xA1\xD2\x92\x76\xCF\xB1\x0F\x37\x58\xA4\xF2\x52\x71\x67\x3F\x0C\x88\x78\x80\x89\xC1\xC8\xB5\x1F\x92\x63\xBE\xA7\x7A\x8A\x56\x2C\x1A\xA8\xA6\x9C\xB5\x5D\xB3\x63\xD0\x13\x20\xA1\xEB\x91\x6C\xD0\x8D\x7D\xAF\xDF\x0B\xE4\x17\xB9\x86\x9E\x38\xB1\x94\x0C\x58\x8C\xE0\x55\xAA\x3B\x63\x6D\x9A\x89\x60\xB8\x64\x2A\x92\xC6\x37\xF4\x7E\x43\x43\xB7\x73\xE8\x01\xE7\x7F\x97\x0F\xD7\xF2\x7B\x19\xFD\x1A\xD7\x8F\xC9\xFA\x85\x6B\x7A\x9D\x9E\x89\xB6\
xA6\x28\x99\x93\x88\x40\xF7\x3E\xCD\x51\xA3\xCA\xEA\xEF\x79\x47\x21\xB5\xFE\x32\xE2\xC7\xC3\x51\x6F\xBE\x80\x74\xF0\xA4\xC3\x3A\xF2\x4F\xE9\x5F\xDF\x19\x0A\xF2\x3B\x13\x43\xAC\x31\xA4\xB3\xE7\xEB\xFC\x18\xD6\x01\xA9\xF3\x2A\x8F\x36\x0E\xEB\xB4\xB1\xBC\xB7\x4C\xC9\x6B\xBF\xA1\xF3\xD9\xF4\xED\xE2\xF0\xE3\xED\x64\x9E\x3D\x2F\x96\x52\x4F\x80\x53\x8B", ["CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK"] = "\x30\x82\x05\x69\x30\x82\x03\x51\xA0\x03\x02\x01\x02\x02\x09\x00\x92\xB8\x88\xDB\xB0\x8A\xC1\x63\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x52\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x4B\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x42\x72\x61\x74\x69\x73\x6C\x61\x76\x61\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x44\x69\x73\x69\x67\x20\x61\x2E\x73\x2E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x43\x41\x20\x44\x69\x73\x69\x67\x20\x52\x6F\x6F\x74\x20\x52\x32\x30\x1E\x17\x0D\x31\x32\x30\x37\x31\x39\x30\x39\x31\x35\x33\x30\x5A\x17\x0D\x34\x32\x30\x37\x31\x39\x30\x39\x31\x35\x33\x30\x5A\x30\x52\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x4B\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x42\x72\x61\x74\x69\x73\x6C\x61\x76\x61\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x44\x69\x73\x69\x67\x20\x61\x2E\x73\x2E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x43\x41\x20\x44\x69\x73\x69\x67\x20\x52\x6F\x6F\x74\x20\x52\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xA2\xA3\xC4\x00\x09\xD6\x85\x5D\x2D\x6D\x14\xF6\xC2\xC3\x73\x9E\x35\xC2\x71\x55\x7E\x81\xFB\xAB\x46\x50\xE0\xC1\x7C\x49\x78\xE6\xAB\x79\x58\x3C\xDA\xFF\x7C\x1C\x9F\xD8\x97\x02\x78\x3E\x6B\x41\x04\xE9\x41\xBD\xBE\x03\x2C\x45\xF6\x2F\x64\xD4\xAB\x5D\xA3\x47\x3D\x64\x9B\xE9\x68\x9A\xC6\xCC\x1B\x3F\xBA\xBE\xB2\x8B\x34\x02\x2E\x98\x55\x19\xFC\x8C\x6F\xAA\x5F\xDA\x4C\xCE\x4D\x03\x21\xA3\xD8\xD2\x34\x93\x56\x96\xCB\x4C\x0C\x00\x16\x3C\x5F\x1A\xCD\xC8\xC7\x6C\xA6\xAD\xD3\x31\xA7\xBC\xE8\xE5\xE1\x66\xD6\xD2
\xFB\x03\xB4\x41\x65\xC9\x10\xAE\x0E\x05\x63\xC6\x80\x6A\x69\x30\xFD\xD2\xEE\x90\xEF\x0D\x27\xDF\x9F\x95\x73\xF4\xE1\x25\xDA\x6C\x16\xDE\x41\x38\x34\xEA\x8B\xFC\xD1\xE8\x04\x14\x61\x2D\x41\x7E\xAC\xC7\x77\x4E\xCB\x51\x54\xFB\x5E\x92\x18\x1B\x04\x5A\x68\xC6\xC9\xC4\xFA\xB7\x13\xA0\x98\xB7\x11\x2B\xB7\xD6\x57\xCC\x7C\x9E\x17\xD1\xCB\x25\xFE\x86\x4E\x24\x2E\x56\x0C\x78\x4D\x9E\x01\x12\xA6\x2B\xA7\x01\x65\x6E\x7C\x62\x1D\x84\x84\xDF\xEA\xC0\x6B\xB5\xA5\x2A\x95\x83\xC3\x53\x11\x0C\x73\x1D\x0B\xB2\x46\x90\xD1\x42\x3A\xCE\x40\x6E\x95\xAD\xFF\xC6\x94\xAD\x6E\x97\x84\x8E\x7D\x6F\x9E\x8A\x80\x0D\x49\x6D\x73\xE2\x7B\x92\x1E\xC3\xF3\xC1\xF3\xEB\x2E\x05\x6F\xD9\x1B\xCF\x37\x76\x04\xC8\xB4\x5A\xE4\x17\xA7\xCB\xDD\x76\x1F\xD0\x19\x76\xE8\x2C\x05\xB3\xD6\x9C\x34\xD8\x96\xDC\x61\x87\x91\x05\xE4\x44\x08\x33\xC1\xDA\xB9\x08\x65\xD4\xAE\xB2\x36\x0D\xEB\xBA\x38\xBA\x0C\xE5\x9B\x9E\xEB\x8D\x66\xDD\x99\xCF\xD6\x89\x41\xF6\x04\x92\x8A\x29\x29\x6D\x6B\x3A\x1C\xE7\x75\x7D\x02\x71\x0E\xF3\xC0\xE7\xBD\xCB\x19\xDD\x9D\x60\xB2\xC2\x66\x60\xB6\xB1\x04\xEE\xC9\xE6\x86\xB9\x9A\x66\x40\xA8\xE7\x11\xED\x81\x45\x03\x8B\xF6\x67\x59\xE8\xC1\x06\x11\xBD\xDD\xCF\x80\x02\x4F\x65\x40\x78\x5C\x47\x50\xC8\x9B\xE6\x1F\x81\x7B\xE4\x44\xA8\x5B\x85\x9A\xE2\xDE\x5A\xD5\xC7\xF9\x3A\x44\x66\x4B\xE4\x32\x54\x7C\xE4\x6C\x9C\xB3\x0E\x3D\x17\xA2\xB2\x34\x12\xD6\x7E\xB2\xA8\x49\xBB\xD1\x7A\x28\x40\xBE\xA2\x16\x1F\xDF\xE4\x37\x1F\x11\x73\xFB\x90\x0A\x65\x43\xA2\x0D\x7C\xF8\x06\x01\x55\x33\x7D\xB0\x0D\xB8\xF4\xF5\xAE\xA5\x42\x57\x7C\x36\x11\x8C\x7B\x5E\xC4\x03\x9D\x8C\x79\x9D\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB5\x99\xF8\xAF\xB0\x94\xF5\xE3\x20\xD6\x0A\xAD\xCE\x4E\x56\xA4\x2E\x6E\x42\xED\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x26\x06\x5E\x70\xE7\x65\x33\xC8\x82\x6E\xD9\x9C\x17\x3A\x1B\x7A\x66\xB2\x01\xF6\x78
\x3B\x69\x5E\x2F\xEA\xFF\x4E\xF9\x28\xC3\x98\x2A\x61\x4C\xB4\x24\x12\x8A\x7D\x6D\x11\x14\xF7\x9C\xB5\xCA\xE6\xBC\x9E\x27\x8E\x4C\x19\xC8\xA9\xBD\x7A\xC0\xD7\x36\x0E\x6D\x85\x72\x6E\xA8\xC6\xA2\x6D\xF6\xFA\x73\x63\x7F\xBC\x6E\x79\x08\x1C\x9D\x8A\x9F\x1A\x8A\x53\xA6\xD8\xBB\xD9\x35\x55\xB1\x11\xC5\xA9\x03\xB3\x56\x3B\xB9\x84\x93\x22\x5E\x7E\xC1\xF6\x12\x52\x8B\xEA\x2C\x67\xBC\xFE\x36\x4C\xF5\xB8\xCF\xD1\xB3\x49\x92\x3B\xD3\x29\x0E\x99\x1B\x96\xF7\x61\xB8\x3B\xC4\x2B\xB6\x78\x6C\xB4\x23\x6F\xF0\xFD\xD3\xB2\x5E\x75\x1F\x99\x95\xA8\xAC\xF6\xDA\xE1\xC5\x31\x7B\xFB\xD1\x46\xB3\xD2\xBC\x67\xB4\x62\x54\xBA\x09\xF7\x63\xB0\x93\xA2\x9A\xF9\xE9\x52\x2E\x8B\x60\x12\xAB\xFC\xF5\x60\x56\xEF\x10\x5C\x8B\xC4\x1A\x42\xDC\x83\x5B\x64\x0E\xCB\xB5\xBC\xD6\x4F\xC1\x7C\x3C\x6E\x8D\x13\x6D\xFB\x7B\xEB\x30\xD0\xDC\x4D\xAF\xC5\xD5\xB6\xA5\x4C\x5B\x71\xC9\xE8\x31\xBE\xE8\x38\x06\x48\xA1\x1A\xE2\xEA\xD2\xDE\x12\x39\x58\x1A\xFF\x80\x0E\x82\x75\xE6\xB7\xC9\x07\x6C\x0E\xEF\xFF\x38\xF1\x98\x71\xC4\xB7\x7F\x0E\x15\xD0\x25\x69\xBD\x22\x9D\x2B\xED\x05\xF6\x46\x47\xAC\xED\xC0\xF0\xD4\x3B\xE2\xEC\xEE\x96\x5B\x90\x13\x4E\x1E\x56\x3A\xEB\xB0\xEF\x96\xBB\x96\x23\x11\xBA\xF2\x43\x86\x74\x64\x95\xC8\x28\x75\xDF\x1D\x35\xBA\xD2\x37\x83\x38\x53\x38\x36\x3B\xCF\x6C\xE9\xF9\x6B\x0E\xD0\xFB\x04\xE8\x4F\x77\xD7\x65\x01\x78\x86\x0C\x7A\x3E\x21\x62\xF1\x7F\x63\x71\x0C\xC9\x9F\x44\xDB\xA8\x27\xA2\x75\xBE\x6E\x81\x3E\xD7\xC0\xEB\x1B\x98\x0F\x70\x5C\x34\xB2\x8A\xCC\xC0\x85\x18\xEB\x6E\x7A\xB3\xF7\x5A\xA1\x07\xBF\xA9\x42\x92\xF3\x60\x22\x97\xE4\x14\xA1\x07\x9B\x4E\x76\xC0\x8E\x7D\xFD\xA4\x25\xC7\x47\xED\xFF\x1F\x73\xAC\xCC\xC3\xA5\xE9\x6F\x0A\x8E\x9B\x65\xC2\x50\x85\xB5\xA3\xA0\x53\x12\xCC\x55\x87\x61\xF3\x81\xAE\x10\x46\x61\xBD\x44\x21\xB8\xC2\x3D\x74\xCF\x7E\x24\x35\xFA\x1C\x07\x0E\x9B\x3D\x22\xCA\xEF\x31\x2F\x8C\xAC\x12\xBD\xEF\x40\x28\xFC\x29\x67\x9F\xB2\x13\x4F\x66\x24\xC4\x53\x19\xE9\x1E\x29\x15\xEF\xE6\x6D\xB0\x7F\x2D\x67\xFD\xF3\x6C\x1B\x75\x46\xA3\xE5\x4A\x17\xE9\xA4\xD7\x0B", 
["C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1"] = "\x30\x82\x07\xD3\x30\x82\x05\xBB\xA0\x03\x02\x01\x02\x02\x08\x5E\xC3\xB7\xA6\x43\x7F\xA4\xE0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x42\x31\x12\x30\x10\x06\x03\x55\x04\x03\x0C\x09\x41\x43\x43\x56\x52\x41\x49\x5A\x31\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x0C\x07\x50\x4B\x49\x41\x43\x43\x56\x31\x0D\x30\x0B\x06\x03\x55\x04\x0A\x0C\x04\x41\x43\x43\x56\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x30\x1E\x17\x0D\x31\x31\x30\x35\x30\x35\x30\x39\x33\x37\x33\x37\x5A\x17\x0D\x33\x30\x31\x32\x33\x31\x30\x39\x33\x37\x33\x37\x5A\x30\x42\x31\x12\x30\x10\x06\x03\x55\x04\x03\x0C\x09\x41\x43\x43\x56\x52\x41\x49\x5A\x31\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x0C\x07\x50\x4B\x49\x41\x43\x43\x56\x31\x0D\x30\x0B\x06\x03\x55\x04\x0A\x0C\x04\x41\x43\x43\x56\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x9B\xA9\xAB\xBF\x61\x4A\x97\xAF\x2F\x97\x66\x9A\x74\x5F\xD0\xD9\x96\xFD\xCF\xE2\xE4\x66\xEF\x1F\x1F\x47\x33\xC2\x44\xA3\xDF\x9A\xDE\x1F\xB5\x54\xDD\x15\x7C\x69\x35\x11\x6F\xBB\xC8\x0C\x8E\x6A\x18\x1E\xD8\x8F\xD9\x16\xBC\x10\x48\x36\x5C\xF0\x63\xB3\x90\x5A\x5C\x24\x37\xD7\xA3\xD6\xCB\x09\x71\xB9\xF1\x01\x72\x84\xB0\x7D\xDB\x4D\x80\xCD\xFC\xD3\x6F\xC9\xF8\xDA\xB6\x0E\x82\xD2\x45\x85\xA8\x1B\x68\xA8\x3D\xE8\xF4\x44\x6C\xBD\xA1\xC2\xCB\x03\xBE\x8C\x3E\x13\x00\x84\xDF\x4A\x48\xC0\xE3\x22\x0A\xE8\xE9\x37\xA7\x18\x4C\xB1\x09\x0D\x23\x56\x7F\x04\x4D\xD9\x17\x84\x18\xA5\xC8\xDA\x40\x94\x73\xEB\xCE\x0E\x57\x3C\x03\x81\x3A\x9D\x0A\xA1\x57\x43\x69\xAC\x57\x6D\x79\x90\x78\xE5\xB5\xB4\x3B\xD8\xBC\x4C\x8D\x28\xA1\xA7\xA3\xA7\xBA\x02\x4E\x25\xD1\x2A\xAE\xED\xAE\x03\x22\xB8\x6B\x20\x0F\x30\x28\x54\x95\x7F\xE0\xEE\xCE\x0A\x66\x9D\xD1\x40\x2D\x6E\x22\xAF\x9D\x1A\xC1\x05\x19\xD2\x6F\xC0\xF2\x9F\xF8\x7B\xB3\x02\x42\xFB\x50\xA9\x1D\x2D\x93\x0F\x23\xAB\xC6\xC1\x0F\x92\xFF\xD0\xA2\x15\xF5\x53\x09\x71\x1C\xFF\
x45\x13\x84\xE6\x26\x5E\xF8\xE0\x88\x1C\x0A\xFC\x16\xB6\xA8\x73\x06\xB8\xF0\x63\x84\x02\xA0\xC6\x5A\xEC\xE7\x74\xDF\x70\xAE\xA3\x83\x25\xEA\xD6\xC7\x97\x87\x93\xA7\xC6\x8A\x8A\x33\x97\x60\x37\x10\x3E\x97\x3E\x6E\x29\x15\xD6\xA1\x0F\xD1\x88\x2C\x12\x9F\x6F\xAA\xA4\xC6\x42\xEB\x41\xA2\xE3\x95\x43\xD3\x01\x85\x6D\x8E\xBB\x3B\xF3\x23\x36\xC7\xFE\x3B\xE0\xA1\x25\x07\x48\xAB\xC9\x89\x74\xFF\x08\x8F\x80\xBF\xC0\x96\x65\xF3\xEE\xEC\x4B\x68\xBD\x9D\x88\xC3\x31\xB3\x40\xF1\xE8\xCF\xF6\x38\xBB\x9C\xE4\xD1\x7F\xD4\xE5\x58\x9B\x7C\xFA\xD4\xF3\x0E\x9B\x75\x91\xE4\xBA\x52\x2E\x19\x7E\xD1\xF5\xCD\x5A\x19\xFC\xBA\x06\xF6\xFB\x52\xA8\x4B\x99\x04\xDD\xF8\xF9\xB4\x8B\x50\xA3\x4E\x62\x89\xF0\x87\x24\xFA\x83\x42\xC1\x87\xFA\xD5\x2D\x29\x2A\x5A\x71\x7A\x64\x6A\xD7\x27\x60\x63\x0D\xDB\xCE\x49\xF5\x8D\x1F\x90\x89\x32\x17\xF8\x73\x43\xB8\xD2\x5A\x93\x86\x61\xD6\xE1\x75\x0A\xEA\x79\x66\x76\x88\x4F\x71\xEB\x04\x25\xD6\x0A\x5A\x7A\x93\xE5\xB9\x4B\x17\x40\x0F\xB1\xB6\xB9\xF5\xDE\x4F\xDC\xE0\xB3\xAC\x3B\x11\x70\x60\x84\x4A\x43\x6E\x99\x20\xC0\x29\x71\x0A\xC0\x65\x02\x03\x01\x00\x01\xA3\x82\x02\xCB\x30\x82\x02\xC7\x30\x7D\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01\x04\x71\x30\x6F\x30\x4C\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x02\x86\x40\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x63\x63\x76\x2E\x65\x73\x2F\x66\x69\x6C\x65\x61\x64\x6D\x69\x6E\x2F\x41\x72\x63\x68\x69\x76\x6F\x73\x2F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x64\x6F\x73\x2F\x72\x61\x69\x7A\x61\x63\x63\x76\x31\x2E\x63\x72\x74\x30\x1F\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01\x86\x13\x68\x74\x74\x70\x3A\x2F\x2F\x6F\x63\x73\x70\x2E\x61\x63\x63\x76\x2E\x65\x73\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xD2\x87\xB4\xE3\xDF\x37\x27\x93\x55\xF6\x56\xEA\x81\xE5\x36\xCC\x8C\x1E\x3F\xBD\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xD2\x87\xB4\xE3\xDF\x37\x27\x93\x55\xF6\x56\xEA\x81\xE5\x36\xCC\x8C\x1E\x3F\xBD\x30\x82\x01\x73\x06\x03\x55\x1D\x20\x04\x82\x01\x6A\x30\x82\x01\x66\
x30\x82\x01\x62\x06\x04\x55\x1D\x20\x00\x30\x82\x01\x58\x30\x82\x01\x22\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x82\x01\x14\x1E\x82\x01\x10\x00\x41\x00\x75\x00\x74\x00\x6F\x00\x72\x00\x69\x00\x64\x00\x61\x00\x64\x00\x20\x00\x64\x00\x65\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x52\x00\x61\x00\xED\x00\x7A\x00\x20\x00\x64\x00\x65\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x41\x00\x43\x00\x43\x00\x56\x00\x20\x00\x28\x00\x41\x00\x67\x00\x65\x00\x6E\x00\x63\x00\x69\x00\x61\x00\x20\x00\x64\x00\x65\x00\x20\x00\x54\x00\x65\x00\x63\x00\x6E\x00\x6F\x00\x6C\x00\x6F\x00\x67\x00\xED\x00\x61\x00\x20\x00\x79\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x45\x00\x6C\x00\x65\x00\x63\x00\x74\x00\x72\x00\xF3\x00\x6E\x00\x69\x00\x63\x00\x61\x00\x2C\x00\x20\x00\x43\x00\x49\x00\x46\x00\x20\x00\x51\x00\x34\x00\x36\x00\x30\x00\x31\x00\x31\x00\x35\x00\x36\x00\x45\x00\x29\x00\x2E\x00\x20\x00\x43\x00\x50\x00\x53\x00\x20\x00\x65\x00\x6E\x00\x20\x00\x68\x00\x74\x00\x74\x00\x70\x00\x3A\x00\x2F\x00\x2F\x00\x77\x00\x77\x00\x77\x00\x2E\x00\x61\x00\x63\x00\x63\x00\x76\x00\x2E\x00\x65\x00\x73\x30\x30\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x24\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x63\x63\x76\x2E\x65\x73\x2F\x6C\x65\x67\x69\x73\x6C\x61\x63\x69\x6F\x6E\x5F\x63\x2E\x68\x74\x6D\x30\x55\x06\x03\x55\x1D\x1F\x04\x4E\x30\x4C\x30\x4A\xA0\x48\xA0\x46\x86\x44\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x63\x63\x76\x2E\x65\x73\x2F\x66\x69\x6C\x65\x61\x64\x6D\x69\x6E\x2F\x41\x72\x63\x68\x69\x76\x6F\x73\x2F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x64\x6F\x73\x2F\x72\x61\x69\x7A\x61\x63\x63\x76\x31\x5F\x64\x65\x72\x2E\x63\x72\x6C\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x17\x06\x03\x55\x1D\x11\x04\x10\x30\x0E\x81\x0C\x61\x63\x63\x76\x40\x61\x63\x63\x76\x2E\x65\x73\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\
x00\x03\x82\x02\x01\x00\x97\x31\x02\x9F\xE7\xFD\x43\x67\x48\x44\x14\xE4\x29\x87\xED\x4C\x28\x66\xD0\x8F\x35\xDA\x4D\x61\xB7\x4A\x97\x4D\xB5\xDB\x90\xE0\x05\x2E\x0E\xC6\x79\xD0\xF2\x97\x69\x0F\xBD\x04\x47\xD9\xBE\xDB\xB5\x29\xDA\x9B\xD9\xAE\xA9\x99\xD5\xD3\x3C\x30\x93\xF5\x8D\xA1\xA8\xFC\x06\x8D\x44\xF4\xCA\x16\x95\x7C\x33\xDC\x62\x8B\xA8\x37\xF8\x27\xD8\x09\x2D\x1B\xEF\xC8\x14\x27\x20\xA9\x64\x44\xFF\x2E\xD6\x75\xAA\x6C\x4D\x60\x40\x19\x49\x43\x54\x63\xDA\xE2\xCC\xBA\x66\xE5\x4F\x44\x7A\x5B\xD9\x6A\x81\x2B\x40\xD5\x7F\xF9\x01\x27\x58\x2C\xC8\xED\x48\x91\x7C\x3F\xA6\x00\xCF\xC4\x29\x73\x11\x36\xDE\x86\x19\x3E\x9D\xEE\x19\x8A\x1B\xD5\xB0\xED\x8E\x3D\x9C\x2A\xC0\x0D\xD8\x3D\x66\xE3\x3C\x0D\xBD\xD5\x94\x5C\xE2\xE2\xA7\x35\x1B\x04\x00\xF6\x3F\x5A\x8D\xEA\x43\xBD\x5F\x89\x1D\xA9\xC1\xB0\xCC\x99\xE2\x4D\x00\x0A\xDA\xC9\x27\x5B\xE7\x13\x90\x5C\xE4\xF5\x33\xA2\x55\x6D\xDC\xE0\x09\x4D\x2F\xB1\x26\x5B\x27\x75\x00\x09\xC4\x62\x77\x29\x08\x5F\x9E\x59\xAC\xB6\x7E\xAD\x9F\x54\x30\x22\x03\xC1\x1E\x71\x64\xFE\xF9\x38\x0A\x96\x18\xDD\x02\x14\xAC\x23\xCB\x06\x1C\x1E\xA4\x7D\x8D\x0D\xDE\x27\x41\xE8\xAD\xDA\x15\xB7\xB0\x23\xDD\x2B\xA8\xD3\xDA\x25\x87\xED\xE8\x55\x44\x4D\x88\xF4\x36\x7E\x84\x9A\x78\xAC\xF7\x0E\x56\x49\x0E\xD6\x33\x25\xD6\x84\x50\x42\x6C\x20\x12\x1D\x2A\xD5\xBE\xBC\xF2\x70\x81\xA4\x70\x60\xBE\x05\xB5\x9B\x9E\x04\x44\xBE\x61\x23\xAC\xE9\xA5\x24\x8C\x11\x80\x94\x5A\xA2\xA2\xB9\x49\xD2\xC1\xDC\xD1\xA7\xED\x31\x11\x2C\x9E\x19\xA6\xEE\xE1\x55\xE1\xC0\xEA\xCF\x0D\x84\xE4\x17\xB7\xA2\x7C\xA5\xDE\x55\x25\x06\xEE\xCC\xC0\x87\x5C\x40\xDA\xCC\x95\x3F\x55\xE0\x35\xC7\xB8\x84\xBE\xB4\x5D\xCD\x7A\x83\x01\x72\xEE\x87\xE6\x5F\x1D\xAE\xB5\x85\xC6\x26\xDF\xE6\xC1\x9A\xE9\x1E\x02\x47\x9F\x2A\xA8\x6D\xA9\x5B\xCF\xEC\x45\x77\x7F\x98\x27\x9A\x32\x5D\x2A\xE3\x84\xEE\xC5\x98\x66\x2F\x96\x20\x1D\xDD\xD8\xC3\x27\xD7\xB0\xF9\xFE\xD9\x7D\xCD\xD0\x9F\x8F\x0B\x14\x58\x51\x9F\x2F\x8B\xC3\x38\x2D\xDE\xE8\x8F\xD6\x8D\x87\xA4\xF5\x56\x43\x16\x99\x2C\xF4\xA4\x56\xB4\x34\xB8\x61\x37\xC9\xC2\x58\x80\x1B\xA0\
x97\xA1\xFC\x59\x8D\xE9\x11\xF6\xD1\x0F\x4B\x55\x34\x46\x2A\x8B\x86\x3B", ["CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW"] = "\x30\x82\x05\x41\x30\x82\x03\x29\xA0\x03\x02\x01\x02\x02\x02\x0C\xBE\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x51\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x54\x41\x49\x57\x41\x4E\x2D\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x13\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x54\x57\x43\x41\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x31\x32\x30\x36\x32\x37\x30\x36\x32\x38\x33\x33\x5A\x17\x0D\x33\x30\x31\x32\x33\x31\x31\x35\x35\x39\x35\x39\x5A\x30\x51\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x54\x41\x49\x57\x41\x4E\x2D\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x13\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x54\x57\x43\x41\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xB0\x05\xDB\xC8\xEB\x8C\xC4\x6E\x8A\x21\xEF\x8E\x4D\x9C\x71\x0A\x1F\x52\x70\xED\x6D\x82\x9C\x97\xC5\xD7\x4C\x4E\x45\x49\xCB\x40\x42\xB5\x12\x34\x6C\x19\xC2\x74\xA4\x31\x5F\x85\x02\x97\xEC\x43\x33\x0A\x53\xD2\x9C\x8C\x8E\xB7\xB8\x79\xDB\x2B\xD5\x6A\xF2\x8E\x66\xC4\xEE\x2B\x01\x07\x92\xD4\xB3\xD0\x02\xDF\x50\xF6\x55\xAF\x66\x0E\xCB\xE0\x47\x60\x2F\x2B\x32\x39\x35\x52\x3A\x28\x83\xF8\x7B\x16\xC6\x18\xB8\x62\xD6\x47\x25\x91\xCE\xF0\x19\x12\x4D\xAD\x63\xF5\xD3\x3F\x75\x5F\x29\xF0\xA1\x30\x1C\x2A\xA0\x98\xA6\x15\xBD\xEE\xFD\x19\x36\xF0\xE2\x91\x43\x8F\xFA\xCA\xD6\x10\x27\x49\x4C\xEF\xDD\xC1\xF1\x85\x70\x9B\xCA\xEA\xA8\x5A\x43\xFC\x6D\x86\x6F\x73\xE9\x37\x45\xA9\xF0\x36\xC7\xCC\x88\x75\x1E\xBB\x6C\x06\xFF\x9B\x6B\x3E\x17\xEC\x61\xAA\x71\x7C\xC6\x1D\xA2\xF7\x49\xE9\x15\xB5\x3C\xD6\xA1\x61\xF5\x11\xF7\x05\x6F\x1D
\xFD\x11\xBE\xD0\x30\x07\xC2\x29\xB0\x09\x4E\x26\xDC\xE3\xA2\xA8\x91\x6A\x1F\xC2\x91\x45\x88\x5C\xE5\x98\xB8\x71\xA5\x15\x19\xC9\x7C\x75\x11\xCC\x70\x74\x4F\x2D\x9B\x1D\x91\x44\xFD\x56\x28\xA0\xFE\xBB\x86\x6A\xC8\xFA\x5C\x0B\x58\xDC\xC6\x4B\x76\xC8\xAB\x22\xD9\x73\x0F\xA5\xF4\x5A\x02\x89\x3F\x4F\x9E\x22\x82\xEE\xA2\x74\x53\x2A\x3D\x53\x27\x69\x1D\x6C\x8E\x32\x2C\x64\x00\x26\x63\x61\x36\x4E\xA3\x46\xB7\x3F\x7D\xB3\x2D\xAC\x6D\x90\xA2\x95\xA2\xCE\xCF\xDA\x82\xE7\x07\x34\x19\x96\xE9\xB8\x21\xAA\x29\x7E\xA6\x38\xBE\x8E\x29\x4A\x21\x66\x79\x1F\xB3\xC3\xB5\x09\x67\xDE\xD6\xD4\x07\x46\xF3\x2A\xDA\xE6\x22\x37\x60\xCB\x81\xB6\x0F\xA0\x0F\xE9\xC8\x95\x7F\xBF\x55\x91\x05\x7A\xCF\x3D\x15\xC0\x6F\xDE\x09\x94\x01\x83\xD7\x34\x1B\xCC\x40\xA5\xF0\xB8\x9B\x67\xD5\x98\x91\x3B\xA7\x84\x78\x95\x26\xA4\x5A\x08\xF8\x2B\x74\xB4\x00\x04\x3C\xDF\xB8\x14\x8E\xE8\xDF\xA9\x8D\x6C\x67\x92\x33\x1D\xC0\xB7\xD2\xEC\x92\xC8\xBE\x09\xBF\x2C\x29\x05\x6F\x02\x6B\x9E\xEF\xBC\xBF\x2A\xBC\x5B\xC0\x50\x8F\x41\x70\x71\x87\xB2\x4D\xB7\x04\xA9\x84\xA3\x32\xAF\xAE\xEE\x6B\x17\x8B\xB2\xB1\xFE\x6C\xE1\x90\x8C\x88\xA8\x97\x48\xCE\xC8\x4D\xCB\xF3\x06\xCF\x5F\x6A\x0A\x42\xB1\x1E\x1E\x77\x2F\x8E\xA0\xE6\x92\x0E\x06\xFC\x05\x22\xD2\x26\xE1\x31\x51\x7D\x32\xDC\x0F\x02\x03\x01\x00\x01\xA3\x23\x30\x21\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x5F\x34\x81\x76\xEF\x96\x1D\xD5\xE5\xB5\xD9\x02\x63\x84\x16\xC1\xAE\xA0\x70\x51\xA7\xF7\x4C\x47\x35\xC8\x0B\xD7\x28\x3D\x89\x71\xD9\xAA\x33\x41\xEA\x14\x1B\x6C\x21\x00\xC0\x6C\x42\x19\x7E\x9F\x69\x5B\x20\x42\xDF\xA2\xD2\xDA\xC4\x7C\x97\x4B\x8D\xB0\xE8\xAC\xC8\xEE\xA5\x69\x04\x99\x0A\x92\xA6\xAB\x27\x2E\x1A\x4D\x81\xBF\x84\xD4\x70\x1E\xAD\x47\xFE\xFD\x4A\x9D\x33\xE0\xF2\xB9\xC4\x45\x08\x21\x0A\xDA\x69\x69\x73\x72\x0D\xBE\x34\xFE\x94\x8B\xAD\xC3\x1E\x35\xD7\xA2\x83\xEF\xE5\x38\xC7\xA5\x85\x1F\xAB\xCF\x34\xEC\x3F\x28
\xFE\x0C\xF1\x57\x86\x4E\xC9\x55\xF7\x1C\xD4\xD8\xA5\x7D\x06\x7A\x6F\xD5\xDF\x10\xDF\x81\x4E\x21\x65\xB1\xB6\xE1\x17\x79\x95\x45\x06\xCE\x5F\xCC\xDC\x46\x89\x63\x68\x44\x8D\x93\xF4\x64\x70\xA0\x3D\x9D\x28\x05\xC3\x39\x70\xB8\x62\x7B\x20\xFD\xE4\xDB\xE9\x08\xA1\xB8\x9E\x3D\x09\xC7\x4F\xFB\x2C\xF8\x93\x76\x41\xDE\x52\xE0\xE1\x57\xD2\x9D\x03\xBC\x77\x9E\xFE\x9E\x29\x5E\xF7\xC1\x51\x60\x1F\xDE\xDA\x0B\xB2\x2D\x75\xB7\x43\x48\x93\xE7\xF6\x79\xC6\x84\x5D\x80\x59\x60\x94\xFC\x78\x98\x8F\x3C\x93\x51\xED\x40\x90\x07\xDF\x64\x63\x24\xCB\x4E\x71\x05\xA1\xD7\x94\x1A\x88\x32\xF1\x22\x74\x22\xAE\xA5\xA6\xD8\x12\x69\x4C\x60\xA3\x02\xEE\x2B\xEC\xD4\x63\x92\x0B\x5E\xBE\x2F\x76\x6B\xA3\xB6\x26\xBC\x8F\x03\xD8\x0A\xF2\x4C\x64\x46\xBD\x39\x62\xE5\x96\xEB\x34\x63\x11\x28\xCC\x95\xF1\xAD\xEF\xEF\xDC\x80\x58\x48\xE9\x4B\xB8\xEA\x65\xAC\xE9\xFC\x80\xB5\xB5\xC8\x45\xF9\xAC\xC1\x9F\xD9\xB9\xEA\x62\x88\x8E\xC4\xF1\x4B\x83\x12\xAD\xE6\x8B\x84\xD6\x9E\xC2\xEB\x83\x18\x9F\x6A\xBB\x1B\x24\x60\x33\x70\xCC\xEC\xF7\x32\xF3\x5C\xD9\x79\x7D\xEF\x9E\xA4\xFE\xC9\x23\xC3\x24\xEE\x15\x92\xB1\x3D\x91\x4F\x26\x86\xBD\x66\x73\x24\x13\xEA\xA4\xAE\x63\xC1\xAD\x7D\x84\x03\x3C\x10\x78\x86\x1B\x79\xE3\xC4\xF3\xF2\x04\x95\x20\xAE\x23\x82\xC4\xB3\x3A\x00\x62\xBF\xE6\x36\x24\xE1\x57\xBA\xC7\x1E\x90\x75\xD5\x5F\x3F\x95\x61\x2B\xC1\x3B\xCD\xE5\xB3\x68\x61\xD0\x46\x26\xA9\x21\x52\x69\x2D\xEB\x2E\xC7\xEB\x77\xCE\xA6\x3A\xB5\x03\x33\x4F\x76\xD1\xE7\x5C\x54\x01\x5D\xCB\x78\xF4\xC9\x0C\xBF\xCF\x12\x8E\x17\x2D\x23\x68\x94\xE7\xAB\xFE\xA9\xB2\x2B\x06\xD0\x04\xCD", 
@@ -138,8 +104,6 @@ redef root_certs += { ["CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US"] = "\x30\x82\x03\x8E\x30\x82\x02\x76\xA0\x03\x02\x01\x02\x02\x10\x03\x3A\xF1\xE6\xA7\x11\xA9\xA0\xBB\x28\x64\xB1\x1D\x09\xFA\xE5\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x44\x69\x67\x69\x43\x65\x72\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x32\x30\x1E\x17\x0D\x31\x33\x30\x38\x30\x31\x31\x32\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x35\x31\x32\x30\x30\x30\x30\x5A\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x44\x69\x67\x69\x43\x65\x72\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBB\x37\xCD\x34\xDC\x7B\x6B\xC9\xB2\x68\x90\xAD\x4A\x75\xFF\x46\xBA\x21\x0A\x08\x8D\xF5\x19\x54\xC9\xFB\x88\xDB\xF3\xAE\xF2\x3A\x89\x91\x3C\x7A\xE6\xAB\x06\x1A\x6B\xCF\xAC\x2D\xE8\x5E\x09\x24\x44\xBA\x62\x9A\x7E\xD6\xA3\xA8\x7E\xE0\x54\x75\x20\x05\xAC\x50\xB7\x9C\x63\x1A\x6C\x30\xDC\xDA\x1F\x19\xB1\xD7\x1E\xDE\xFD\xD7\xE0\xCB\x94\x83\x37\xAE\xEC\x1F\x43\x4E\xDD\x7B\x2C\xD2\xBD\x2E\xA5\x2F\xE4\xA9\xB8\xAD\x3A\xD4\x99\xA4\xB6\x25\xE9\x9B\x6B\x00\x60\x92\x60\xFF\x4F\x21\x49\x18\xF7\x67\x90\xAB\x61\x06\x9C\x8F\xF2\xBA\xE9\xB4\xE9\x92\x32\x6B\xB5\xF3\x57\xE8\x5D\x1B\xCD\x8C\x1D\xAB\x95\x04\x95\x49\xF3\x35\x2D\x96\xE3\x49\x6D\xDD\x77\xE3\xFB\x49
\x4B\xB4\xAC\x55\x07\xA9\x8F\x95\xB3\xB4\x23\xBB\x4C\x6D\x45\xF0\xF6\xA9\xB2\x95\x30\xB4\xFD\x4C\x55\x8C\x27\x4A\x57\x14\x7C\x82\x9D\xCD\x73\x92\xD3\x16\x4A\x06\x0C\x8C\x50\xD1\x8F\x1E\x09\xBE\x17\xA1\xE6\x21\xCA\xFD\x83\xE5\x10\xBC\x83\xA5\x0A\xC4\x67\x28\xF6\x73\x14\x14\x3D\x46\x76\xC3\x87\x14\x89\x21\x34\x4D\xAF\x0F\x45\x0C\xA6\x49\xA1\xBA\xBB\x9C\xC5\xB1\x33\x83\x29\x85\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x4E\x22\x54\x20\x18\x95\xE6\xE3\x6E\xE6\x0F\xFA\xFA\xB9\x12\xED\x06\x17\x8F\x39\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x60\x67\x28\x94\x6F\x0E\x48\x63\xEB\x31\xDD\xEA\x67\x18\xD5\x89\x7D\x3C\xC5\x8B\x4A\x7F\xE9\xBE\xDB\x2B\x17\xDF\xB0\x5F\x73\x77\x2A\x32\x13\x39\x81\x67\x42\x84\x23\xF2\x45\x67\x35\xEC\x88\xBF\xF8\x8F\xB0\x61\x0C\x34\xA4\xAE\x20\x4C\x84\xC6\xDB\xF8\x35\xE1\x76\xD9\xDF\xA6\x42\xBB\xC7\x44\x08\x86\x7F\x36\x74\x24\x5A\xDA\x6C\x0D\x14\x59\x35\xBD\xF2\x49\xDD\xB6\x1F\xC9\xB3\x0D\x47\x2A\x3D\x99\x2F\xBB\x5C\xBB\xB5\xD4\x20\xE1\x99\x5F\x53\x46\x15\xDB\x68\x9B\xF0\xF3\x30\xD5\x3E\x31\xE2\x8D\x84\x9E\xE3\x8A\xDA\xDA\x96\x3E\x35\x13\xA5\x5F\xF0\xF9\x70\x50\x70\x47\x41\x11\x57\x19\x4E\xC0\x8F\xAE\x06\xC4\x95\x13\x17\x2F\x1B\x25\x9F\x75\xF2\xB1\x8E\x99\xA1\x6F\x13\xB1\x41\x71\xFE\x88\x2A\xC8\x4F\x10\x20\x55\xD7\xF3\x14\x45\xE5\xE0\x44\xF4\xEA\x87\x95\x32\x93\x0E\xFE\x53\x46\xFA\x2C\x9D\xFF\x8B\x22\xB9\x4B\xD9\x09\x45\xA4\xDE\xA4\xB8\x9A\x58\xDD\x1B\x7D\x52\x9F\x8E\x59\x43\x88\x81\xA4\x9E\x26\xD5\x6F\xAD\xDD\x0D\xC6\x37\x7D\xED\x03\x92\x1B\xE5\x77\x5F\x76\xEE\x3C\x8D\xC4\x5D\x56\x5B\xA2\xD9\x66\x6E\xB3\x35\x37\xE5\x32\xB6", ["CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US"] = 
"\x30\x82\x02\x3F\x30\x82\x01\xC5\xA0\x03\x02\x01\x02\x02\x10\x05\x55\x56\xBC\xF2\x5E\xA4\x35\x35\xC3\xA4\x0F\xD5\xAB\x45\x72\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x44\x69\x67\x69\x43\x65\x72\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x33\x30\x1E\x17\x0D\x31\x33\x30\x38\x30\x31\x31\x32\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x35\x31\x32\x30\x30\x30\x30\x5A\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x44\x69\x67\x69\x43\x65\x72\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x33\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xDD\xA7\xD9\xBB\x8A\xB8\x0B\xFB\x0B\x7F\x21\xD2\xF0\xBE\xBE\x73\xF3\x33\x5D\x1A\xBC\x34\xEA\xDE\xC6\x9B\xBC\xD0\x95\xF6\xF0\xCC\xD0\x0B\xBA\x61\x5B\x51\x46\x7E\x9E\x2D\x9F\xEE\x8E\x63\x0C\x17\xEC\x07\x70\xF5\xCF\x84\x2E\x40\x83\x9C\xE8\x3F\x41\x6D\x3B\xAD\xD3\xA4\x14\x59\x36\x78\x9D\x03\x43\xEE\x10\x13\x6C\x72\xDE\xAE\x88\xA7\xA1\x6B\xB5\x43\xCE\x67\xDC\x23\xFF\x03\x1C\xA3\xE2\x3E\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB3\xDB\x48\xA4\xF9\xA1\xC5\xD8\xAE\x36\x41\xCC\x11\x63\x69\x62\x29\xBC\x4B\xC6\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x31\x00\xAD\xBC\xF2\x6C\x3F\x12\x4A\xD1\x2D\x39\xC3\x0A\x09\x97\x73\xF4\x88\x36\x8
C\x88\x27\xBB\xE6\x88\x8D\x50\x85\xA7\x63\xF9\x9E\x32\xDE\x66\x93\x0F\xF1\xCC\xB1\x09\x8F\xDD\x6C\xAB\xFA\x6B\x7F\xA0\x02\x30\x39\x66\x5B\xC2\x64\x8D\xB8\x9E\x50\xDC\xA8\xD5\x49\xA2\xED\xC7\xDC\xD1\x49\x7F\x17\x01\xB8\xC8\x86\x8F\x4E\x8C\x88\x2B\xA8\x9A\xA9\x8A\xC5\xD1\x00\xBD\xF8\x54\xE2\x9A\xE5\x5B\x7C\xB3\x27\x17", ["CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US"] = "\x30\x82\x05\x90\x30\x82\x03\x78\xA0\x03\x02\x01\x02\x02\x10\x05\x9B\x1B\x57\x9E\x8E\x21\x32\xE2\x39\x07\xBD\xA7\x77\x75\x5C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x44\x69\x67\x69\x43\x65\x72\x74\x20\x54\x72\x75\x73\x74\x65\x64\x20\x52\x6F\x6F\x74\x20\x47\x34\x30\x1E\x17\x0D\x31\x33\x30\x38\x30\x31\x31\x32\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x35\x31\x32\x30\x30\x30\x30\x5A\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x44\x69\x67\x69\x43\x65\x72\x74\x20\x54\x72\x75\x73\x74\x65\x64\x20\x52\x6F\x6F\x74\x20\x47\x34\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xBF\xE6\x90\x73\x68\xDE\xBB\xE4\x5D\x4A\x3C\x30\x22\x30\x69\x33\xEC\xC2\xA7\x25\x2E\xC9\x21\x3D\xF2\x8A\xD8\x59\xC2\xE1\x29\xA7\x3D\x58\xAB\x76\x9A\xCD\xAE\x7B\x1B\x84\x0D\xC4\x30\x1F\xF3\x1B\xA4\x38\x16\xEB\x56\xC6\x97\x6D\x1D\xAB\xB2\x79\xF2\xCA\x11\xD2\xE4\x5F\xD6\x05\x3C\x52\x0F\x52\x1F\xC6\x9E\x15\xA5\x7E\xBE\x9F\xA9\x57\x16\x59\x55\x72\xAF\x68\x93\x70\
xC2\xB2\xBA\x75\x99\x6A\x73\x32\x94\xD1\x10\x44\x10\x2E\xDF\x82\xF3\x07\x84\xE6\x74\x3B\x6D\x71\xE2\x2D\x0C\x1B\xEE\x20\xD5\xC9\x20\x1D\x63\x29\x2D\xCE\xEC\x5E\x4E\xC8\x93\xF8\x21\x61\x9B\x34\xEB\x05\xC6\x5E\xEC\x5B\x1A\xBC\xEB\xC9\xCF\xCD\xAC\x34\x40\x5F\xB1\x7A\x66\xEE\x77\xC8\x48\xA8\x66\x57\x57\x9F\x54\x58\x8E\x0C\x2B\xB7\x4F\xA7\x30\xD9\x56\xEE\xCA\x7B\x5D\xE3\xAD\xC9\x4F\x5E\xE5\x35\xE7\x31\xCB\xDA\x93\x5E\xDC\x8E\x8F\x80\xDA\xB6\x91\x98\x40\x90\x79\xC3\x78\xC7\xB6\xB1\xC4\xB5\x6A\x18\x38\x03\x10\x8D\xD8\xD4\x37\xA4\x2E\x05\x7D\x88\xF5\x82\x3E\x10\x91\x70\xAB\x55\x82\x41\x32\xD7\xDB\x04\x73\x2A\x6E\x91\x01\x7C\x21\x4C\xD4\xBC\xAE\x1B\x03\x75\x5D\x78\x66\xD9\x3A\x31\x44\x9A\x33\x40\xBF\x08\xD7\x5A\x49\xA4\xC2\xE6\xA9\xA0\x67\xDD\xA4\x27\xBC\xA1\x4F\x39\xB5\x11\x58\x17\xF7\x24\x5C\x46\x8F\x64\xF7\xC1\x69\x88\x76\x98\x76\x3D\x59\x5D\x42\x76\x87\x89\x97\x69\x7A\x48\xF0\xE0\xA2\x12\x1B\x66\x9A\x74\xCA\xDE\x4B\x1E\xE7\x0E\x63\xAE\xE6\xD4\xEF\x92\x92\x3A\x9E\x3D\xDC\x00\xE4\x45\x25\x89\xB6\x9A\x44\x19\x2B\x7E\xC0\x94\xB4\xD2\x61\x6D\xEB\x33\xD9\xC5\xDF\x4B\x04\x00\xCC\x7D\x1C\x95\xC3\x8F\xF7\x21\xB2\xB2\x11\xB7\xBB\x7F\xF2\xD5\x8C\x70\x2C\x41\x60\xAA\xB1\x63\x18\x44\x95\x1A\x76\x62\x7E\xF6\x80\xB0\xFB\xE8\x64\xA6\x33\xD1\x89\x07\xE1\xBD\xB7\xE6\x43\xA4\x18\xB8\xA6\x77\x01\xE1\x0F\x94\x0C\x21\x1D\xB2\x54\x29\x25\x89\x6C\xE5\x0E\x52\x51\x47\x74\xBE\x26\xAC\xB6\x41\x75\xDE\x7A\xAC\x5F\x8D\x3F\xC9\xBC\xD3\x41\x11\x12\x5B\xE5\x10\x50\xEB\x31\xC5\xCA\x72\x16\x22\x09\xDF\x7C\x4C\x75\x3F\x63\xEC\x21\x5F\xC4\x20\x51\x6B\x6F\xB1\xAB\x86\x8B\x4F\xC2\xD6\x45\x5F\x9D\x20\xFC\xA1\x1E\xC5\xC0\x8F\xA2\xB1\x7E\x0A\x26\x99\xF5\xE4\x69\x2F\x98\x1D\x2D\xF5\xD9\xA9\xB2\x1D\xE5\x1B\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xEC\xD7\xE3\x82\xD2\x71\x5D\x64\x4C\xDF\x2E\x67\x3F\xE7\xBA\x98\xAE\x1C\x0F\x4F\x30\x0D\x06\x09\x2A\
x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x03\x82\x02\x01\x00\xBB\x61\xD9\x7D\xA9\x6C\xBE\x17\xC4\x91\x1B\xC3\xA1\xA2\x00\x8D\xE3\x64\x68\x0F\x56\xCF\x77\xAE\x70\xF9\xFD\x9A\x4A\x99\xB9\xC9\x78\x5C\x0C\x0C\x5F\xE4\xE6\x14\x29\x56\x0B\x36\x49\x5D\x44\x63\xE0\xAD\x9C\x96\x18\x66\x1B\x23\x0D\x3D\x79\xE9\x6D\x6B\xD6\x54\xF8\xD2\x3C\xC1\x43\x40\xAE\x1D\x50\xF5\x52\xFC\x90\x3B\xBB\x98\x99\x69\x6B\xC7\xC1\xA7\xA8\x68\xA4\x27\xDC\x9D\xF9\x27\xAE\x30\x85\xB9\xF6\x67\x4D\x3A\x3E\x8F\x59\x39\x22\x53\x44\xEB\xC8\x5D\x03\xCA\xED\x50\x7A\x7D\x62\x21\x0A\x80\xC8\x73\x66\xD1\xA0\x05\x60\x5F\xE8\xA5\xB4\xA7\xAF\xA8\xF7\x6D\x35\x9C\x7C\x5A\x8A\xD6\xA2\x38\x99\xF3\x78\x8B\xF4\x4D\xD2\x20\x0B\xDE\x04\xEE\x8C\x9B\x47\x81\x72\x0D\xC0\x14\x32\xEF\x30\x59\x2E\xAE\xE0\x71\xF2\x56\xE4\x6A\x97\x6F\x92\x50\x6D\x96\x8D\x68\x7A\x9A\xB2\x36\x14\x7A\x06\xF2\x24\xB9\x09\x11\x50\xD7\x08\xB1\xB8\x89\x7A\x84\x23\x61\x42\x29\xE5\xA3\xCD\xA2\x20\x41\xD7\xD1\x9C\x64\xD9\xEA\x26\xA1\x8B\x14\xD7\x4C\x19\xB2\x50\x41\x71\x3D\x3F\x4D\x70\x23\x86\x0C\x4A\xDC\x81\xD2\xCC\x32\x94\x84\x0D\x08\x09\x97\x1C\x4F\xC0\xEE\x6B\x20\x74\x30\xD2\xE0\x39\x34\x10\x85\x21\x15\x01\x08\xE8\x55\x32\xDE\x71\x49\xD9\x28\x17\x50\x4D\xE6\xBE\x4D\xD1\x75\xAC\xD0\xCA\xFB\x41\xB8\x43\xA5\xAA\xD3\xC3\x05\x44\x4F\x2C\x36\x9B\xE2\xFA\xE2\x45\xB8\x23\x53\x6C\x06\x6F\x67\x55\x7F\x46\xB5\x4C\x3F\x6E\x28\x5A\x79\x26\xD2\xA4\xA8\x62\x97\xD2\x1E\xE2\xED\x4A\x8B\xBC\x1B\xFD\x47\x4A\x0D\xDF\x67\x66\x7E\xB2\x5B\x41\xD0\x3B\xE4\xF4\x3B\xF4\x04\x63\xE9\xEF\xC2\x54\x00\x51\xA0\x8A\x2A\xC9\xCE\x78\xCC\xD5\xEA\x87\x04\x18\xB3\xCE\xAF\x49\x88\xAF\xF3\x92\x99\xB6\xB3\xE6\x61\x0F\xD2\x85\x00\xE7\x50\x1A\xE4\x1B\x95\x9D\x19\xA1\xB9\x9C\xB1\x9B\xB1\x00\x1E\xEF\xD0\x0F\x4F\x42\x6C\xC9\x0A\xBC\xEE\x43\xFA\x3A\x71\xA5\xC8\x4D\x26\xA5\x35\xFD\x89\x5D\xBC\x85\x62\x1D\x32\xD2\xA0\x2B\x54\xED\x9A\x57\xC1\xDB\xFA\x10\xCF\x19\xB7\x8B\x4A\x1B\x8F\x01\xB6\x27\x95\x53\xE8\xB6\x89\x6D\x5B\xBC\x68\xD4\x23\xE8\x8B\x51\xA2\x56\xF9\xF0\xA6\x80\xA0\xD6\x1E\xB3\xBC\x0F\x0F\x53\
x75\x29\xAA\xEA\x13\x77\xE4\xDE\x8C\x81\x21\xAD\x07\x10\x47\x11\xAD\x87\x3D\x07\xD1\x75\xBC\xCF\xF3\x66\x7E", - ["CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN"] = "\x30\x82\x05\x76\x30\x82\x03\x5E\xA0\x03\x02\x01\x02\x02\x10\x5E\x68\xD6\x11\x71\x94\x63\x50\x56\x00\x68\xF3\x3E\xC9\xC5\x91\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x55\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x13\x21\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x6F\x66\x20\x57\x6F\x53\x69\x67\x6E\x30\x1E\x17\x0D\x30\x39\x30\x38\x30\x38\x30\x31\x30\x30\x30\x31\x5A\x17\x0D\x33\x39\x30\x38\x30\x38\x30\x31\x30\x30\x30\x31\x5A\x30\x55\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x13\x21\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x6F\x66\x20\x57\x6F\x53\x69\x67\x6E\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xBD\xCA\x8D\xAC\xB8\x91\x15\x56\x97\x7B\x6B\x5C\x7A\xC2\xDE\x6B\xD9\xA1\xB0\xC3\x10\x23\xFA\xA7\xA1\xB2\xCC\x31\xFA\x3E\xD9\xA6\x29\x6F\x16\x3D\xE0\x6B\xF8\xB8\x40\x5F\xDB\x39\xA8\x00\x7A\x8B\xA0\x4D\x54\x7D\xC2\x22\x78\xFC\x8E\x09\xB8\xA8\x85\xD7\xCC\x95\x97\x4B\x74\xD8\x9E\x7E\xF0\x00\xE4\x0E\x89\xAE\x49\x28\x44\x1A\x10\x99\x32\x0F\x25\x88\x53\xA4\x0D\xB3\x0F\x12\x08\x16\x0B\x03\x71\x27\x1C\x7F\xE1\xDB\xD2\xFD\x67\x68\xC4\x05\x5D\x0A\x0E\x5D\x70\xD7\xD8\x97\xA0\xBC\x53\x41\x9A\x91\x8D\xF4\x9E\x36\x66\x7A\x7E\x56\xC1\x90\x5F\xE6\xB1\x68\x20\x36\xA4\x8C\x24\x2C\x2C\x47\x0B\x59\x76\x66\x30\xB5\xBE\xDE\xED\x8F\xF8\x9D\xD3\xBB\x01\x30\xE6\xF2\xF3\x0E\xE0\x2C\x92\x80\xF3\x8
5\xF9\x28\x8A\xB4\x54\x2E\x9A\xED\xF7\x76\xFC\x15\x68\x16\xEB\x4A\x6C\xEB\x2E\x12\x8F\xD4\xCF\xFE\x0C\xC7\x5C\x1D\x0B\x7E\x05\x32\xBE\x5E\xB0\x09\x2A\x42\xD5\xC9\x4E\x90\xB3\x59\x0D\xBB\x7A\x7E\xCD\xD5\x08\x5A\xB4\x7F\xD8\x1C\x69\x11\xF9\x27\x0F\x7B\x06\xAF\x54\x83\x18\x7B\xE1\xDD\x54\x7A\x51\x68\x6E\x77\xFC\xC6\xBF\x52\x4A\x66\x46\xA1\xB2\x67\x1A\xBB\xA3\x4F\x77\xA0\xBE\x5D\xFF\xFC\x56\x0B\x43\x72\x77\x90\xCA\x9E\xF9\xF2\x39\xF5\x0D\xA9\xF4\xEA\xD7\xE7\xB3\x10\x2F\x30\x42\x37\x21\xCC\x30\x70\xC9\x86\x98\x0F\xCC\x58\x4D\x83\xBB\x7D\xE5\x1A\xA5\x37\x8D\xB6\xAC\x32\x97\x00\x3A\x63\x71\x24\x1E\x9E\x37\xC4\xFF\x74\xD4\x37\xC0\xE2\xFE\x88\x46\x60\x11\xDD\x08\x3F\x50\x36\xAB\xB8\x7A\xA4\x95\x62\x6A\x6E\xB0\xCA\x6A\x21\x5A\x69\xF3\xF3\xFB\x1D\x70\x39\x95\xF3\xA7\x6E\xA6\x81\x89\xA1\x88\xC5\x3B\x71\xCA\xA3\x52\xEE\x83\xBB\xFD\xA0\x77\xF4\xE4\x6F\xE7\x42\xDB\x6D\x4A\x99\x8A\x34\x48\xBC\x17\xDC\xE4\x80\x08\x22\xB6\xF2\x31\xC0\x3F\x04\x3E\xEB\x9F\x20\x79\xD6\xB8\x06\x64\x64\x02\x31\xD7\xA9\xCD\x52\xFB\x84\x45\x69\x09\x00\x2A\xDC\x55\x8B\xC4\x06\x46\x4B\xC0\x4A\x1D\x09\x5B\x39\x28\xFD\xA9\xAB\xCE\x00\xF9\x2E\x48\x4B\x26\xE6\x30\x4C\xA5\x58\xCA\xB4\x44\x82\x4F\xE7\x91\x1E\x33\xC3\xB0\x93\xFF\x11\xFC\x81\xD2\xCA\x1F\x71\x29\xDD\x76\x4F\x92\x25\xAF\x1D\x81\xB7\x0F\x2F\x8C\xC3\x06\xCC\x2F\x27\xA3\x4A\xE4\x0E\x99\xBA\x7C\x1E\x45\x1F\x7F\xAA\x19\x45\x96\xFD\xFC\x3D\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE1\x66\xCF\x0E\xD1\xF1\xB3\x4B\xB7\x06\x20\x14\xFE\x87\x12\xD5\xF6\xFE\xFB\x3E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\xA8\xCB\x72\x40\xB2\x76\xC1\x7E\x7B\xFC\xAD\x64\xE3\x32\x7B\xCC\x3C\xB6\x5D\x46\xD3\xF5\x2C\xE2\x70\x5D\xC8\x2E\xD8\x06\x7D\x98\xD1\x0B\x21\xA0\x89\x59\x24\x01\x9D\xF9\xAF\x09\x7D\x0A\x23\x82\x34\xD5\xFC\x7C\x72\x99\xB9\xA3\xD7\x54\xF4\xEA\x52\x70\x0E\xC5\xF
5\xD6\x3B\xE1\x3A\x09\x32\xE6\x21\x39\x93\xBD\xB3\x15\xEA\x4F\x6A\xF4\xF5\x8B\x3F\x2F\x7C\x8D\x58\x2E\xC5\xE1\x39\xA0\x3E\xC7\x3D\x4A\x73\x9E\x40\x7A\xC0\x2B\x61\xA9\x67\xC9\xF3\x24\xB9\xB3\x6D\x55\x2C\x5A\x1D\x9E\x25\x72\xCE\x0B\xAD\xAA\xC7\x55\x62\x0B\xBE\xFB\x63\xB3\x61\x44\x23\xA3\xCB\xE1\x1A\x0E\xF7\x9A\x06\x4D\xDE\xD4\x23\x4E\x21\x96\x5B\x39\x5B\x57\x1D\x2F\x5D\x08\x5E\x09\x79\xFF\x7C\x97\xB5\x4D\x83\xAE\x0D\xD6\xE6\xA3\x79\xE0\x33\xD0\x99\x96\x02\x30\xA7\x3E\xFF\xD2\xA3\x43\x3F\x05\x5A\x06\xEA\x44\x02\xDA\x7C\xF8\x48\xD0\x33\xA9\xF9\x07\xC7\x95\xE1\xF5\x3E\xF5\x5D\x71\xBA\xF2\x95\xA9\x74\x88\x61\x59\xE3\xBF\xCA\x5A\x13\xBA\x72\xB4\x8C\x5D\x36\x87\xE9\xA6\xC5\x3C\x13\xBF\xDE\xD0\x44\x26\xEE\xB7\xEC\x2E\x70\xFA\xD7\x9D\xB7\xAC\xE5\xC5\x40\x5A\xE6\xD7\x6C\x7B\x2C\xC3\x56\x9B\x47\xCD\x0B\xCE\xFA\x1B\xB4\x21\xD7\xB7\x66\xB8\xF4\x25\x30\x8B\x5C\x0D\xB9\xEA\x67\xB2\xF4\x6D\xAE\xD5\xA1\x9E\x4F\xD8\x9F\xE9\x27\x02\xB0\x1D\x06\xD6\x8F\xE3\xFB\x48\x12\x9F\x7F\x11\xA1\x10\x3E\x4C\x51\x3A\x96\xB0\xD1\x13\xF1\xC7\xD8\x26\xAE\x3A\xCA\x91\xC4\x69\x9D\xDF\x01\x29\x64\x51\x6F\x68\xDA\x14\xEC\x08\x41\x97\x90\x8D\xD0\xB2\x80\xF2\xCF\xC2\x3D\xBF\x91\x68\xC5\x80\x67\x1E\xC4\x60\x13\x55\xD5\x61\x99\x57\x7C\xBA\x95\x0F\x61\x49\x3A\xCA\x75\xBC\xC9\x0A\x93\x3F\x67\x0E\x12\xF2\x28\xE2\x31\x1B\xC0\x57\x16\xDF\x08\x7C\x19\xC1\x7E\x0F\x1F\x85\x1E\x0A\x36\x7C\x5B\x7E\x27\xBC\x7A\xBF\xE0\xDB\xF4\xDA\x52\xBD\xDE\x0C\x54\x70\x31\x91\x43\x95\xC8\xBC\xF0\x3E\xDD\x09\x7E\x30\x64\x50\xED\x7F\x01\xA4\x33\x67\x4D\x68\x4F\xBE\x15\xEF\xB0\xF6\x02\x11\xA2\x1B\x13\x25\x3A\xDC\xC2\x59\xF1\xE3\x5C\x46\xBB\x67\x2C\x02\x46\xEA\x1E\x48\xA6\xE6\x5B\xD9\xB5\xBC\x51\xA2\x92\x96\xDB\xAA\xC6\x37\x22\xA6\xFE\xCC\x20\x74\xA3\x2D\xA9\x2E\x6B\xCB\xC0\x82\x11\x21\xB5\x93\x79\xEE\x44\x86\xBE\xD7\x1E\xE4\x1E\xFB", - ["CN=CA \E6\B2\83\E9\80\9A\E6\A0\B9\E8\AF\81\E4\B9\A6,O=WoSign CA Limited,C=CN"] = 
"\x30\x82\x05\x58\x30\x82\x03\x40\xA0\x03\x02\x01\x02\x02\x10\x50\x70\x6B\xCD\xD8\x13\xFC\x1B\x4E\x3B\x33\x72\xD2\x11\x48\x8D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x46\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x0C\x12\x43\x41\x20\xE6\xB2\x83\xE9\x80\x9A\xE6\xA0\xB9\xE8\xAF\x81\xE4\xB9\xA6\x30\x1E\x17\x0D\x30\x39\x30\x38\x30\x38\x30\x31\x30\x30\x30\x31\x5A\x17\x0D\x33\x39\x30\x38\x30\x38\x30\x31\x30\x30\x30\x31\x5A\x30\x46\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x0C\x12\x43\x41\x20\xE6\xB2\x83\xE9\x80\x9A\xE6\xA0\xB9\xE8\xAF\x81\xE4\xB9\xA6\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD0\x49\x21\x1E\x25\xFC\x87\xC1\x2A\xC2\xAC\xDB\x76\x86\x06\x4E\xE7\xD0\x74\x34\xDC\xED\x65\x35\xFC\x50\xD6\x88\x3F\xA4\xF0\x7F\xEB\x0F\x5F\x79\x2F\x89\xB1\xFD\xBC\x63\x58\x37\x93\x9B\x38\xF8\xB7\x5B\xA9\xFA\xD8\x71\xC7\xB4\xBC\x80\x97\x8D\x6C\x4B\xF1\x50\xD5\x2A\x29\xAA\xA8\x19\x7A\x96\xE6\x95\x8E\x74\xED\x97\x0A\x57\x75\xF4\x05\xDB\x6D\x0B\x39\xB9\x01\x7F\xAA\xF6\xD6\xDA\x6C\xE6\x05\xE0\xA4\x4D\x52\xFC\xDB\xD0\x74\xB7\x11\x8C\x7B\x8D\x4F\xFF\x87\x83\xAE\xFF\x05\x03\x13\x57\x50\x37\xFE\x8C\x96\x52\x10\x4C\x5F\xBF\x94\x71\x69\xD9\x96\x3E\x0C\x43\x4F\xBE\x30\xC0\x9F\x39\x74\x4F\x06\x45\x5D\xA3\xD6\x56\x39\x68\x07\xCC\x87\x4F\x50\x77\x93\x71\xD9\x44\x08\xB1\x8A\x34\xE9\x89\xAC\xDB\x9B\x4E\xE1\xD9\xE4\x52\x45\x8C\x2E\x14\x1F\x91\x6B\x19\x1D\x68\x29\x2C\x56\xC4\xE2\x1E\x13\x57\x64\xF0\x61\xE3\xB9\x11\xDF\xB0\xE1\x57\xA0\x1B\xAD\xD7\x5F\xD1\xAF\xDB\x2B\x2D\x3F\xD0\x68\x8E\x0F\xEA\x9F\x0F\x8B\x35\x58\x1B\x13\x1C\xF4\xDE\x35\xA1\x0A\x5D\xD6\xEA\xDF\x12\x6F\xC0\xFB\x69\x0
7\x46\x72\xDC\x81\xF6\x04\x23\x17\xE0\x4D\x75\xE1\x72\x6F\xB0\x28\xEB\x9B\xE1\xE1\x83\xA1\x9F\x4A\x5D\xAF\xCC\x9B\xFA\x02\x20\xB6\x18\x62\x77\x91\x3B\xA3\xD5\x65\xAD\xDC\x7C\x90\x77\x1C\x44\x41\xA4\x4A\x8B\xEB\x95\x72\xE9\xF6\x09\x64\xDC\xA8\x2D\x9F\x74\x78\xE8\xC1\xA2\x09\x63\x9C\xEF\xA0\xDB\x4F\x9D\x95\xAB\x20\x4F\xB7\xB0\xF7\x87\x5C\xA6\xA0\xE4\x37\x38\xC7\x5C\xE3\x35\x0F\x2C\xAD\xA3\x80\xA2\xEC\x2E\x5D\xC0\xCF\xED\x8B\x05\xC2\xE6\x73\x6E\xF6\x89\xD5\xF5\xD2\x46\x8E\xEA\x6D\x63\x1B\x1E\x8A\xC9\x7D\xA6\xF8\x9C\xEB\xE5\xD5\x63\x85\x4D\x73\x66\x69\x11\xFE\xC8\x0E\xF4\xC1\xC7\x66\x49\x53\x7E\xE4\x19\x6B\xF1\xE9\x7A\x59\xA3\x6D\x7E\xC5\x17\xE6\x27\xC6\xEF\x1B\xDB\x6F\xFC\x0D\x4D\x06\x01\xB4\x0E\x5C\x30\x46\x55\x60\xAF\x38\x65\x3A\xCA\x47\xBA\xAC\x2C\xCC\x46\x1F\xB2\x46\x96\x3F\xF3\xED\x26\x05\xEE\x77\xA1\x6A\x6B\x7E\x2D\x6D\x58\x5C\x4A\xD4\x8E\x67\xB8\xF1\xDA\xD5\x46\x8A\x27\xF9\x11\xF2\xC9\x42\xFE\x4E\xDE\xDF\x1F\x5C\xC4\xA4\x86\x87\x16\x33\xA1\xA7\x17\x18\xA5\x0D\xE4\x05\xE5\x2B\xC2\x2B\x0B\xA2\x95\x90\xB9\xFD\x60\x3C\x4E\x89\x3E\xE7\x9C\xEE\x1F\xBB\x01\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE0\x4D\xBF\xDC\x9B\x41\x5D\x13\xE8\x64\xF0\xA7\xE9\x15\xA4\xE1\x81\xC1\xBA\x31\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x6A\x8A\x70\x38\x59\xB6\xDA\x8B\x18\xC8\xBE\x2A\xD3\xB6\x19\xD5\x66\x29\x7A\x5D\xCD\x5B\x2F\x73\x1C\x26\x4E\xA3\x7D\x6F\xAB\xB7\x29\x4D\xA6\xE9\xA5\x11\x83\xA7\x39\x73\xAF\x10\x44\x92\xE6\x25\x5D\x4F\x61\xFA\xC8\x06\xBE\x4E\x4B\xEF\xFE\xF3\x31\xFE\xC6\x7C\x70\x0A\x41\x58\xDA\xE8\x99\x4B\x96\xC9\x78\xBC\x98\x7C\x02\x29\xED\x09\x80\xE6\x0A\x3A\x82\x02\x2A\xE2\xC9\x2F\xC8\x56\x19\x26\xEE\x78\x1C\x23\xFD\xF7\x93\x65\x4E\xE7\xF3\x98\x98\xAF\xCD\xDD\xD9\x9E\x40\x88\x31\x28\x3A\xAB\x2E\x0B\xB0\xAC\x0C\x24\xFA\x7A\x26\x98\xF3\x12\x61\x10\xF4\x5D\x17\xF7\x7E\xE
2\x78\x97\x54\xE2\x8C\xE8\x29\xBA\x8C\x10\x32\xBD\xDD\x33\x6B\x38\x86\x7E\x39\x3D\x0E\x03\x72\xA7\x5D\x79\x8F\x45\x8A\x59\xAE\x5B\x21\x6E\x31\x46\xD5\x59\x8D\xCF\x15\x5F\xDD\x31\x25\xCF\xDB\x60\xD6\x81\x44\x72\x29\x02\x57\xF6\x96\xD4\xD6\xFF\xEA\x29\xDB\x39\xC5\xB8\x2C\x8A\x1A\x8D\xCE\xCB\xE7\x42\x31\x86\x05\x68\x0E\x9E\x14\xDD\x00\x90\xBA\x69\x45\x08\xDB\x6E\x90\x81\x86\xA7\x2A\x05\x3F\xE6\x84\x39\xF8\xB7\xF9\x57\x5F\x4C\xA4\x79\x5A\x10\x0C\x5E\xD5\x6B\xFF\x35\x5F\x05\x51\x1E\x6C\xA3\x75\xA9\xCF\x50\x83\xD3\x7C\xF4\x66\xF7\x82\x8D\x3D\x0C\x7D\xE8\xDF\x7B\xA8\x0E\x1B\x2C\x9C\xAE\x40\x70\x87\xDA\xED\xA7\x16\x82\x5A\xBE\x35\x6C\x20\x4E\x22\x61\xD9\xBC\x51\x7A\xCD\x7A\x61\xDC\x4B\x11\xF9\xFE\x67\x34\xCF\x2E\x04\x66\x61\x5C\x57\x97\x23\x8C\xF3\x86\x1B\x48\xDF\x2A\xAF\xA7\xC1\xFF\xD8\x8E\x3E\x03\xBB\xD8\x2A\xB0\xFA\x14\x25\xB2\x51\x6B\x86\x43\x85\x2E\x07\x23\x16\x80\x8D\x4C\xFB\xB4\x63\x3B\xCC\xC3\x74\xED\x1B\xA3\x1E\xFE\x35\x0F\x5F\x7C\x1D\x16\x86\xF5\x0E\xC3\x95\xF1\x2F\xAF\x5D\x25\x3B\x51\xE6\xD7\x76\x41\x38\xD1\x4B\x03\x39\x28\xA5\x1E\x91\x72\xD4\x7D\xAB\x97\x33\xC4\xD3\x3E\xE0\x69\xB6\x28\x79\xA0\x09\x8D\x1C\xD1\xFF\x41\x72\x48\x06\xFC\x9A\x2E\xE7\x20\xF9\x9B\xA2\xDE\x89\xED\xAE\x3C\x09\xAF\xCA\x57\xB3\x92\x89\x70\x40\xE4\x2F\x4F\xC2\x70\x83\x40\xD7\x24\x2C\x6B\xE7\x09\x1F\xD3\xD5\xC7\xC1\x08\xF4\xDB\x0E\x3B\x1C\x07\x0B\x43\x11\x84\x21\x86\xE9\x80\xD4\x75\xD8\xAB\xF1\x02\x62\xC1\xB1\x7E\x55\x61\xCF\x13\xD7\x26\xB0\xD7\x9C\xCB\x29\x8B\x38\x4A\x0B\x0E\x90\x8D\xBA\xA1", ["CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB"] = 
"\x30\x82\x05\xD8\x30\x82\x03\xC0\xA0\x03\x02\x01\x02\x02\x10\x4C\xAA\xF9\xCA\xDB\x63\x6F\xE0\x1F\xF7\x4E\xD8\x5B\x03\x86\x9D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x43\x4F\x4D\x4F\x44\x4F\x20\x52\x53\x41\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x31\x30\x30\x31\x31\x39\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x43\x4F\x4D\x4F\x44\x4F\x20\x52\x53\x41\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x91\xE8\x54\x92\xD2\x0A\x56\xB1\xAC\x0D\x24\xDD\xC5\xCF\x44\x67\x74\x99\x2B\x37\xA3\x7D\x23\x70\x00\x71\xBC\x53\xDF\xC4\xFA\x2A\x12\x8F\x4B\x7F\x10\x56\xBD\x9F\x70\x72\xB7\x61\x7F\xC9\x4B\x0F\x17\xA7\x3D\xE3\xB0\x04\x61\xEE\xFF\x11\x97\xC7\xF4\x86\x3E\x0A\xFA\x3E\x5C\xF9\x93\xE6\x34\x7A\xD9\x14\x6B\xE7\x9C\xB3\x85\xA0\x82\x7A\x76\xAF\x71\x90\xD7\xEC\xFD\x0D\xFA\x9C\x6C\xFA\xDF\xB0\x82\xF4\x14\x7E\xF9\xBE\xC4\xA6\x2F\x4F\x7F\x99\x7F\xB5\xFC\x67\x43\x72\xBD\x0C\x0
0\xD6\x89\xEB\x6B\x2C\xD3\xED\x8F\x98\x1C\x14\xAB\x7E\xE5\xE3\x6E\xFC\xD8\xA8\xE4\x92\x24\xDA\x43\x6B\x62\xB8\x55\xFD\xEA\xC1\xBC\x6C\xB6\x8B\xF3\x0E\x8D\x9A\xE4\x9B\x6C\x69\x99\xF8\x78\x48\x30\x45\xD5\xAD\xE1\x0D\x3C\x45\x60\xFC\x32\x96\x51\x27\xBC\x67\xC3\xCA\x2E\xB6\x6B\xEA\x46\xC7\xC7\x20\xA0\xB1\x1F\x65\xDE\x48\x08\xBA\xA4\x4E\xA9\xF2\x83\x46\x37\x84\xEB\xE8\xCC\x81\x48\x43\x67\x4E\x72\x2A\x9B\x5C\xBD\x4C\x1B\x28\x8A\x5C\x22\x7B\xB4\xAB\x98\xD9\xEE\xE0\x51\x83\xC3\x09\x46\x4E\x6D\x3E\x99\xFA\x95\x17\xDA\x7C\x33\x57\x41\x3C\x8D\x51\xED\x0B\xB6\x5C\xAF\x2C\x63\x1A\xDF\x57\xC8\x3F\xBC\xE9\x5D\xC4\x9B\xAF\x45\x99\xE2\xA3\x5A\x24\xB4\xBA\xA9\x56\x3D\xCF\x6F\xAA\xFF\x49\x58\xBE\xF0\xA8\xFF\xF4\xB8\xAD\xE9\x37\xFB\xBA\xB8\xF4\x0B\x3A\xF9\xE8\x43\x42\x1E\x89\xD8\x84\xCB\x13\xF1\xD9\xBB\xE1\x89\x60\xB8\x8C\x28\x56\xAC\x14\x1D\x9C\x0A\xE7\x71\xEB\xCF\x0E\xDD\x3D\xA9\x96\xA1\x48\xBD\x3C\xF7\xAF\xB5\x0D\x22\x4C\xC0\x11\x81\xEC\x56\x3B\xF6\xD3\xA2\xE2\x5B\xB7\xB2\x04\x22\x52\x95\x80\x93\x69\xE8\x8E\x4C\x65\xF1\x91\x03\x2D\x70\x74\x02\xEA\x8B\x67\x15\x29\x69\x52\x02\xBB\xD7\xDF\x50\x6A\x55\x46\xBF\xA0\xA3\x28\x61\x7F\x70\xD0\xC3\xA2\xAA\x2C\x21\xAA\x47\xCE\x28\x9C\x06\x45\x76\xBF\x82\x18\x27\xB4\xD5\xAE\xB4\xCB\x50\xE6\x6B\xF4\x4C\x86\x71\x30\xE9\xA6\xDF\x16\x86\xE0\xD8\xFF\x40\xDD\xFB\xD0\x42\x88\x7F\xA3\x33\x3A\x2E\x5C\x1E\x41\x11\x81\x63\xCE\x18\x71\x6B\x2B\xEC\xA6\x8A\xB7\x31\x5C\x3A\x6A\x47\xE0\xC3\x79\x59\xD6\x20\x1A\xAF\xF2\x6A\x98\xAA\x72\xBC\x57\x4A\xD2\x4B\x9D\xBB\x10\xFC\xB0\x4C\x41\xE5\xED\x1D\x3D\x5E\x28\x9D\x9C\xCC\xBF\xB3\x51\xDA\xA7\x47\xE5\x84\x53\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xBB\xAF\x7E\x02\x3D\xFA\xA6\xF1\x3C\x84\x8E\xAD\xEE\x38\x98\xEC\xD9\x32\x32\xD4\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x03\x82\x02\x01\x00\x0A\xF1\xD5\x46\x84\xB7\xAE\x51\xBB\x6C\xB2\x4
D\x41\x14\x00\x93\x4C\x9C\xCB\xE5\xC0\x54\xCF\xA0\x25\x8E\x02\xF9\xFD\xB0\xA2\x0D\xF5\x20\x98\x3C\x13\x2D\xAC\x56\xA2\xB0\xD6\x7E\x11\x92\xE9\x2E\xBA\x9E\x2E\x9A\x72\xB1\xBD\x19\x44\x6C\x61\x35\xA2\x9A\xB4\x16\x12\x69\x5A\x8C\xE1\xD7\x3E\xA4\x1A\xE8\x2F\x03\xF4\xAE\x61\x1D\x10\x1B\x2A\xA4\x8B\x7A\xC5\xFE\x05\xA6\xE1\xC0\xD6\xC8\xFE\x9E\xAE\x8F\x2B\xBA\x3D\x99\xF8\xD8\x73\x09\x58\x46\x6E\xA6\x9C\xF4\xD7\x27\xD3\x95\xDA\x37\x83\x72\x1C\xD3\x73\xE0\xA2\x47\x99\x03\x38\x5D\xD5\x49\x79\x00\x29\x1C\xC7\xEC\x9B\x20\x1C\x07\x24\x69\x57\x78\xB2\x39\xFC\x3A\x84\xA0\xB5\x9C\x7C\x8D\xBF\x2E\x93\x62\x27\xB7\x39\xDA\x17\x18\xAE\xBD\x3C\x09\x68\xFF\x84\x9B\x3C\xD5\xD6\x0B\x03\xE3\x57\x9E\x14\xF7\xD1\xEB\x4F\xC8\xBD\x87\x23\xB7\xB6\x49\x43\x79\x85\x5C\xBA\xEB\x92\x0B\xA1\xC6\xE8\x68\xA8\x4C\x16\xB1\x1A\x99\x0A\xE8\x53\x2C\x92\xBB\xA1\x09\x18\x75\x0C\x65\xA8\x7B\xCB\x23\xB7\x1A\xC2\x28\x85\xC3\x1B\xFF\xD0\x2B\x62\xEF\xA4\x7B\x09\x91\x98\x67\x8C\x14\x01\xCD\x68\x06\x6A\x63\x21\x75\x03\x80\x88\x8A\x6E\x81\xC6\x85\xF2\xA9\xA4\x2D\xE7\xF4\xA5\x24\x10\x47\x83\xCA\xCD\xF4\x8D\x79\x58\xB1\x06\x9B\xE7\x1A\x2A\xD9\x9D\x01\xD7\x94\x7D\xED\x03\x4A\xCA\xF0\xDB\xE8\xA9\x01\x3E\xF5\x56\x99\xC9\x1E\x8E\x49\x3D\xBB\xE5\x09\xB9\xE0\x4F\x49\x92\x3D\x16\x82\x40\xCC\xCC\x59\xC6\xE6\x3A\xED\x12\x2E\x69\x3C\x6C\x95\xB1\xFD\xAA\x1D\x7B\x7F\x86\xBE\x1E\x0E\x32\x46\xFB\xFB\x13\x8F\x75\x7F\x4C\x8B\x4B\x46\x63\xFE\x00\x34\x40\x70\xC1\xC3\xB9\xA1\xDD\xA6\x70\xE2\x04\xB3\x41\xBC\xE9\x80\x91\xEA\x64\x9C\x7A\xE1\x22\x03\xA9\x9C\x6E\x6F\x0E\x65\x4F\x6C\x87\x87\x5E\xF3\x6E\xA0\xF9\x75\xA5\x9B\x40\xE8\x53\xB2\x27\x9D\x4A\xB9\xC0\x77\x21\x8D\xFF\x87\xF2\xDE\xBC\x8C\xEF\x17\xDF\xB7\x49\x0B\xD1\xF2\x6E\x30\x0B\x1A\x0E\x4E\x76\xED\x11\xFC\xF5\xE9\x56\xB2\x7D\xBF\xC7\x6D\x0A\x93\x8C\xA5\xD0\xC0\xB6\x1D\xBE\x3A\x4E\x94\xA2\xD7\x6E\x6C\x0B\xC2\x8A\x7C\xFA\x20\xF3\xC4\xE4\xE5\xCD\x0D\xA8\xCB\x91\x92\xB1\x7C\x85\xEC\xB5\x14\x69\x66\x0E\x82\xE7\xCD\xCE\xC8\x2D\xA6\x51\x7F\x21\xC1\x35\x53\x85\x06\x4A\x5D\x9F\xAD\xBB\x1B\x5F\x7
4", ["CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US"] = "\x30\x82\x05\xDE\x30\x82\x03\xC6\xA0\x03\x02\x01\x02\x02\x10\x01\xFD\x6D\x30\xFC\xA3\xCA\x51\xA8\x1B\xBC\x64\x0E\x35\x03\x2D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x30\x81\x88\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x13\x30\x11\x06\x03\x55\x04\x08\x13\x0A\x4E\x65\x77\x20\x4A\x65\x72\x73\x65\x79\x31\x14\x30\x12\x06\x03\x55\x04\x07\x13\x0B\x4A\x65\x72\x73\x65\x79\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x55\x53\x45\x52\x54\x72\x75\x73\x74\x20\x52\x53\x41\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x31\x30\x30\x32\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x88\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x13\x30\x11\x06\x03\x55\x04\x08\x13\x0A\x4E\x65\x77\x20\x4A\x65\x72\x73\x65\x79\x31\x14\x30\x12\x06\x03\x55\x04\x07\x13\x0B\x4A\x65\x72\x73\x65\x79\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x55\x53\x45\x52\x54\x72\x75\x73\x74\x20\x52\x53\x41\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x80\x12\x65\x17\x36\x0E\xC3\xDB\x08\xB3\xD0\xAC\x57\x0D\x76\xED\xCD\x27\xD3\x4C\xAD\x50\x83\x61\xE2\xAA\x20\x4D\x09\x2D\x64\x09\xDC\xCE\x89\x9F\xCC\x3D\xA9\xEC\xF6\xCF\xC1\xDC\xF1\xD3\xB1\xD6\x7B\x37\x28\x11\x2B\x47\xDA\x39\xC6\xBC\x3A\x19\xB4\x5F\xA6\xBD\x7D\x9D\xA3\x63\x42\xB6\x76\xF2\xA9\x3B\x2B\x91\xF8\xE2\x6F\xD0\xEC\x16\x20\x9
0\x09\x3E\xE2\xE8\x74\xC9\x18\xB4\x91\xD4\x62\x64\xDB\x7F\xA3\x06\xF1\x88\x18\x6A\x90\x22\x3C\xBC\xFE\x13\xF0\x87\x14\x7B\xF6\xE4\x1F\x8E\xD4\xE4\x51\xC6\x11\x67\x46\x08\x51\xCB\x86\x14\x54\x3F\xBC\x33\xFE\x7E\x6C\x9C\xFF\x16\x9D\x18\xBD\x51\x8E\x35\xA6\xA7\x66\xC8\x72\x67\xDB\x21\x66\xB1\xD4\x9B\x78\x03\xC0\x50\x3A\xE8\xCC\xF0\xDC\xBC\x9E\x4C\xFE\xAF\x05\x96\x35\x1F\x57\x5A\xB7\xFF\xCE\xF9\x3D\xB7\x2C\xB6\xF6\x54\xDD\xC8\xE7\x12\x3A\x4D\xAE\x4C\x8A\xB7\x5C\x9A\xB4\xB7\x20\x3D\xCA\x7F\x22\x34\xAE\x7E\x3B\x68\x66\x01\x44\xE7\x01\x4E\x46\x53\x9B\x33\x60\xF7\x94\xBE\x53\x37\x90\x73\x43\xF3\x32\xC3\x53\xEF\xDB\xAA\xFE\x74\x4E\x69\xC7\x6B\x8C\x60\x93\xDE\xC4\xC7\x0C\xDF\xE1\x32\xAE\xCC\x93\x3B\x51\x78\x95\x67\x8B\xEE\x3D\x56\xFE\x0C\xD0\x69\x0F\x1B\x0F\xF3\x25\x26\x6B\x33\x6D\xF7\x6E\x47\xFA\x73\x43\xE5\x7E\x0E\xA5\x66\xB1\x29\x7C\x32\x84\x63\x55\x89\xC4\x0D\xC1\x93\x54\x30\x19\x13\xAC\xD3\x7D\x37\xA7\xEB\x5D\x3A\x6C\x35\x5C\xDB\x41\xD7\x12\xDA\xA9\x49\x0B\xDF\xD8\x80\x8A\x09\x93\x62\x8E\xB5\x66\xCF\x25\x88\xCD\x84\xB8\xB1\x3F\xA4\x39\x0F\xD9\x02\x9E\xEB\x12\x4C\x95\x7C\xF3\x6B\x05\xA9\x5E\x16\x83\xCC\xB8\x67\xE2\xE8\x13\x9D\xCC\x5B\x82\xD3\x4C\xB3\xED\x5B\xFF\xDE\xE5\x73\xAC\x23\x3B\x2D\x00\xBF\x35\x55\x74\x09\x49\xD8\x49\x58\x1A\x7F\x92\x36\xE6\x51\x92\x0E\xF3\x26\x7D\x1C\x4D\x17\xBC\xC9\xEC\x43\x26\xD0\xBF\x41\x5F\x40\xA9\x44\x44\xF4\x99\xE7\x57\x87\x9E\x50\x1F\x57\x54\xA8\x3E\xFD\x74\x63\x2F\xB1\x50\x65\x09\xE6\x58\x42\x2E\x43\x1A\x4C\xB4\xF0\x25\x47\x59\xFA\x04\x1E\x93\xD4\x26\x46\x4A\x50\x81\xB2\xDE\xBE\x78\xB7\xFC\x67\x15\xE1\xC9\x57\x84\x1E\x0F\x63\xD6\xE9\x62\xBA\xD6\x5F\x55\x2E\xEA\x5C\xC6\x28\x08\x04\x25\x39\xB8\x0E\x2B\xA9\xF2\x4C\x97\x1C\x07\x3F\x0D\x52\xF5\xED\xEF\x2F\x82\x0F\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x53\x79\xBF\x5A\xAA\x2B\x4A\xCF\x54\x80\xE1\xD8\x9B\xC0\x9D\xF2\xB2\x03\x66\xCB\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x0
1\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x03\x82\x02\x01\x00\x5C\xD4\x7C\x0D\xCF\xF7\x01\x7D\x41\x99\x65\x0C\x73\xC5\x52\x9F\xCB\xF8\xCF\x99\x06\x7F\x1B\xDA\x43\x15\x9F\x9E\x02\x55\x57\x96\x14\xF1\x52\x3C\x27\x87\x94\x28\xED\x1F\x3A\x01\x37\xA2\x76\xFC\x53\x50\xC0\x84\x9B\xC6\x6B\x4E\xBA\x8C\x21\x4F\xA2\x8E\x55\x62\x91\xF3\x69\x15\xD8\xBC\x88\xE3\xC4\xAA\x0B\xFD\xEF\xA8\xE9\x4B\x55\x2A\x06\x20\x6D\x55\x78\x29\x19\xEE\x5F\x30\x5C\x4B\x24\x11\x55\xFF\x24\x9A\x6E\x5E\x2A\x2B\xEE\x0B\x4D\x9F\x7F\xF7\x01\x38\x94\x14\x95\x43\x07\x09\xFB\x60\xA9\xEE\x1C\xAB\x12\x8C\xA0\x9A\x5E\xA7\x98\x6A\x59\x6D\x8B\x3F\x08\xFB\xC8\xD1\x45\xAF\x18\x15\x64\x90\x12\x0F\x73\x28\x2E\xC5\xE2\x24\x4E\xFC\x58\xEC\xF0\xF4\x45\xFE\x22\xB3\xEB\x2F\x8E\xD2\xD9\x45\x61\x05\xC1\x97\x6F\xA8\x76\x72\x8F\x8B\x8C\x36\xAF\xBF\x0D\x05\xCE\x71\x8D\xE6\xA6\x6F\x1F\x6C\xA6\x71\x62\xC5\xD8\xD0\x83\x72\x0C\xF1\x67\x11\x89\x0C\x9C\x13\x4C\x72\x34\xDF\xBC\xD5\x71\xDF\xAA\x71\xDD\xE1\xB9\x6C\x8C\x3C\x12\x5D\x65\xDA\xBD\x57\x12\xB6\x43\x6B\xFF\xE5\xDE\x4D\x66\x11\x51\xCF\x99\xAE\xEC\x17\xB6\xE8\x71\x91\x8C\xDE\x49\xFE\xDD\x35\x71\xA2\x15\x27\x94\x1C\xCF\x61\xE3\x26\xBB\x6F\xA3\x67\x25\x21\x5D\xE6\xDD\x1D\x0B\x2E\x68\x1B\x3B\x82\xAF\xEC\x83\x67\x85\xD4\x98\x51\x74\xB1\xB9\x99\x80\x89\xFF\x7F\x78\x19\x5C\x79\x4A\x60\x2E\x92\x40\xAE\x4C\x37\x2A\x2C\xC9\xC7\x62\xC8\x0E\x5D\xF7\x36\x5B\xCA\xE0\x25\x25\x01\xB4\xDD\x1A\x07\x9C\x77\x00\x3F\xD0\xDC\xD5\xEC\x3D\xD4\xFA\xBB\x3F\xCC\x85\xD6\x6F\x7F\xA9\x2D\xDF\xB9\x02\xF7\xF5\x97\x9A\xB5\x35\xDA\xC3\x67\xB0\x87\x4A\xA9\x28\x9E\x23\x8E\xFF\x5C\x27\x6B\xE1\xB0\x4F\xF3\x07\xEE\x00\x2E\xD4\x59\x87\xCB\x52\x41\x95\xEA\xF4\x47\xD7\xEE\x64\x41\x55\x7C\x8D\x59\x02\x95\xDD\x62\x9D\xC2\xB9\xEE\x5A\x28\x74\x84\xA5\x9B\xB7\x90\xC7\x0C\x07\xDF\xF5\x89\x36\x74\x32\xD6\x28\xC1\xB0\xB0\x0B\xE0\x9C\x4C\xC3\x1C\xD6\xFC\xE3\x69\xB5\x47\x46\x81\x2F\xA2\x82\xAB\xD3\x63\x44\x70\xC4\x8D\xFF\x2D\x33\xBA\xAD\x8F\x7B\xB5\x70\x88\xAE\x3E\x19\xCF\x40\x28\xD8\xFC\xC8\x90\xBB\x5D\x9
9\x22\xF5\x52\xE6\x58\xC5\x1F\x88\x31\x43\xEE\x88\x1D\xD7\xC6\x8E\x3C\x43\x6A\x1D\xA7\x18\xDE\x7D\x3D\x16\xF1\x62\xF9\xCA\x90\xA8\xFD", ["CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US"] = "\x30\x82\x02\x8F\x30\x82\x02\x15\xA0\x03\x02\x01\x02\x02\x10\x5C\x8B\x99\xC5\x5A\x94\xC5\xD2\x71\x56\xDE\xCD\x89\x80\xCC\x26\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\x88\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x13\x30\x11\x06\x03\x55\x04\x08\x13\x0A\x4E\x65\x77\x20\x4A\x65\x72\x73\x65\x79\x31\x14\x30\x12\x06\x03\x55\x04\x07\x13\x0B\x4A\x65\x72\x73\x65\x79\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x55\x53\x45\x52\x54\x72\x75\x73\x74\x20\x45\x43\x43\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x31\x30\x30\x32\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x88\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x13\x30\x11\x06\x03\x55\x04\x08\x13\x0A\x4E\x65\x77\x20\x4A\x65\x72\x73\x65\x79\x31\x14\x30\x12\x06\x03\x55\x04\x07\x13\x0B\x4A\x65\x72\x73\x65\x79\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x55\x53\x45\x52\x54\x72\x75\x73\x74\x20\x45\x43\x43\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x1A\xAC\x54\x5A\xA9\xF9\x68\x23\xE7\x7A\xD5\x24\x6F\x53\xC6\x5A\xD8\x4B\xAB\xC6\xD5\xB6\xD1\xE6\x73\x71\xAE\xDD\x9C\xD6\x0C\x61\xFD\xDB\xA0\x89\x03\xB8\x05\x14\xEC\x57\xCE\xEE\x5D\x3F\xE2\x21\xB3\xCE\xF7\xD4\x8A\x79\xE0\xA3\x83\x7E\x2D\x97\xD0\x61\xC
4\xF1\x99\xDC\x25\x91\x63\xAB\x7F\x30\xA3\xB4\x70\xE2\xC7\xA1\x33\x9C\xF3\xBF\x2E\x5C\x53\xB1\x5F\xB3\x7D\x32\x7F\x8A\x34\xE3\x79\x79\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x3A\xE1\x09\x86\xD4\xCF\x19\xC2\x96\x76\x74\x49\x76\xDC\xE0\x35\xC6\x63\x63\x9A\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x30\x36\x67\xA1\x16\x08\xDC\xE4\x97\x00\x41\x1D\x4E\xBE\xE1\x63\x01\xCF\x3B\xAA\x42\x11\x64\xA0\x9D\x94\x39\x02\x11\x79\x5C\x7B\x1D\xFA\x64\xB9\xEE\x16\x42\xB3\xBF\x8A\xC2\x09\xC4\xEC\xE4\xB1\x4D\x02\x31\x00\xE9\x2A\x61\x47\x8C\x52\x4A\x4B\x4E\x18\x70\xF6\xD6\x44\xD6\x6E\xF5\x83\xBA\x6D\x58\xBD\x24\xD9\x56\x48\xEA\xEF\xC4\xA2\x46\x81\x88\x6A\x3A\x46\xD1\xA9\x9B\x4D\xC9\x61\xDA\xD1\x5D\x57\x6A\x18", 
@@ -153,11 +117,8 @@ redef root_certs += { ["CN=Entrust Root Certification Authority - EC1,OU=(c) 2012 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US"] = "\x30\x82\x02\xF9\x30\x82\x02\x80\xA0\x03\x02\x01\x02\x02\x0D\x00\xA6\x8B\x79\x29\x00\x00\x00\x00\x50\xD0\x91\xF9\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\xBF\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x53\x65\x65\x20\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x6C\x65\x67\x61\x6C\x2D\x74\x65\x72\x6D\x73\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x28\x63\x29\x20\x32\x30\x31\x32\x20\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x66\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x33\x30\x31\x06\x03\x55\x04\x03\x13\x2A\x45\x6E\x74\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x45\x43\x31\x30\x1E\x17\x0D\x31\x32\x31\x32\x31\x38\x31\x35\x32\x35\x33\x36\x5A\x17\x0D\x33\x37\x31\x32\x31\x38\x31\x35\x35\x35\x33\x36\x5A\x30\x81\xBF\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x53\x65\x65\x20\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x6C\x65\x67\x61\x6C\x2D\x74\x65\x72\x6D\x73\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x28\x63\x29\x20\x32\x30\x31\x32\x20\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x66\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x33\x30\x31\x06\x03\x55\x04\x03\x13\x2A\x45\x6E\x74\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x
68\x6F\x72\x69\x74\x79\x20\x2D\x20\x45\x43\x31\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x84\x13\xC9\xD0\xBA\x6D\x41\x7B\xE2\x6C\xD0\xEB\x55\x5F\x66\x02\x1A\x24\xF4\x5B\x89\x69\x47\xE3\xB8\xC2\x7D\xF1\xF2\x02\xC5\x9F\xA0\xF6\x5B\xD5\x8B\x06\x19\x86\x4F\x53\x10\x6D\x07\x24\x27\xA1\xA0\xF8\xD5\x47\x19\x61\x4C\x7D\xCA\x93\x27\xEA\x74\x0C\xEF\x6F\x96\x09\xFE\x63\xEC\x70\x5D\x36\xAD\x67\x77\xAE\xC9\x9D\x7C\x55\x44\x3A\xA2\x63\x51\x1F\xF5\xE3\x62\xD4\xA9\x47\x07\x3E\xCC\x20\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB7\x63\xE7\x1A\xDD\x8D\xE9\x08\xA6\x55\x83\xA4\xE0\x6A\x50\x41\x65\x11\x42\x49\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x67\x00\x30\x64\x02\x30\x61\x79\xD8\xE5\x42\x47\xDF\x1C\xAE\x53\x99\x17\xB6\x6F\x1C\x7D\xE1\xBF\x11\x94\xD1\x03\x88\x75\xE4\x8D\x89\xA4\x8A\x77\x46\xDE\x6D\x61\xEF\x02\xF5\xFB\xB5\xDF\xCC\xFE\x4E\xFF\xFE\xA9\xE6\xA7\x02\x30\x5B\x99\xD7\x85\x37\x06\xB5\x7B\x08\xFD\xEB\x27\x8B\x4A\x94\xF9\xE1\xFA\xA7\x8E\x26\x08\xE8\x7C\x92\x68\x6D\x73\xD8\x6F\x26\xAC\x21\x02\xB8\x99\xB7\x26\x41\x5B\x25\x60\xAE\xD0\x48\x1A\xEE\x06", ["CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN"] = 
"\x30\x82\x05\x8D\x30\x82\x03\x75\xA0\x03\x02\x01\x02\x02\x04\x18\x4A\xCC\xD6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x56\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x30\x30\x2E\x06\x03\x55\x04\x0A\x0C\x27\x43\x68\x69\x6E\x61\x20\x46\x69\x6E\x61\x6E\x63\x69\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x15\x30\x13\x06\x03\x55\x04\x03\x0C\x0C\x43\x46\x43\x41\x20\x45\x56\x20\x52\x4F\x4F\x54\x30\x1E\x17\x0D\x31\x32\x30\x38\x30\x38\x30\x33\x30\x37\x30\x31\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x30\x33\x30\x37\x30\x31\x5A\x30\x56\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x30\x30\x2E\x06\x03\x55\x04\x0A\x0C\x27\x43\x68\x69\x6E\x61\x20\x46\x69\x6E\x61\x6E\x63\x69\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x15\x30\x13\x06\x03\x55\x04\x03\x0C\x0C\x43\x46\x43\x41\x20\x45\x56\x20\x52\x4F\x4F\x54\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD7\x5D\x6B\xCD\x10\x3F\x1F\x05\x59\xD5\x05\x4D\x37\xB1\x0E\xEC\x98\x2B\x8E\x15\x1D\xFA\x93\x4B\x17\x82\x21\x71\x10\x52\xD7\x51\x64\x70\x16\xC2\x55\x69\x4D\x8E\x15\x6D\x9F\xBF\x0C\x1B\xC2\xE0\xA3\x67\xD6\x0C\xAC\xCF\x22\xAE\xAF\x77\x54\x2A\x4B\x4C\x8A\x53\x52\x7A\xC3\xEE\x2E\xDE\xB3\x71\x25\xC1\xE9\x5D\x3D\xEE\xA1\x2F\xA3\xF7\x2A\x3C\xC9\x23\x1D\x6A\xAB\x1D\xA1\xA7\xF1\xF3\xEC\xA0\xD5\x44\xCF\x15\xCF\x72\x2F\x1D\x63\x97\xE8\x99\xF9\xFD\x93\xA4\x54\x80\x4C\x52\xD4\x52\xAB\x2E\x49\xDF\x90\xCD\xB8\x5F\xBE\x3F\xDE\xA1\xCA\x4D\x20\xD4\x25\xE8\x84\x29\x53\xB7\xB1\x88\x1F\xFF\xFA\xDA\x90\x9F\x0A\xA9\x2D\x41\x3F\xB1\xF1\x18\x29\xEE\x16\x59\x2C\x34\x49\x1A\xA8\x06\xD7\xA8\x88\xD2\x03\x72\x7A\x32\xE2\xEA\x68\x4D\x6E\x2C\x96\x65\x7B\xCA\x59\xFA\xF2\xE2\xDD\xEE\x30\x2C\xFB\xCC\x46\xAC\xC4\x63\xEB\x6F\x7F\x36\x2B\x34\x73\x12\x94\x7F\xDF\xCC\x26\x9E\xF1\x72\x5D\x50\x65\x59\x8F\x69\xB3\x87\x5E\x32\x6
F\xC3\x18\x8A\xB5\x95\x8F\xB0\x7A\x37\xDE\x5A\x45\x3B\xC7\x36\xE1\xEF\x67\xD1\x39\xD3\x97\x5B\x73\x62\x19\x48\x2D\x87\x1C\x06\xFB\x74\x98\x20\x49\x73\xF0\x05\xD2\x1B\xB1\xA0\xA3\xB7\x1B\x70\xD3\x88\x69\xB9\x5A\xD6\x38\xF4\x62\xDC\x25\x8B\x78\xBF\xF8\xE8\x7E\xB8\x5C\xC9\x95\x4F\x5F\xA7\x2D\xB9\x20\x6B\xCF\x6B\xDD\xF5\x0D\xF4\x82\xB7\xF4\xB2\x66\x2E\x10\x28\xF6\x97\x5A\x7B\x96\x16\x8F\x01\x19\x2D\x6C\x6E\x7F\x39\x58\x06\x64\x83\x01\x83\x83\xC3\x4D\x92\xDD\x32\xC6\x87\xA4\x37\xE9\x16\xCE\xAA\x2D\x68\xAF\x0A\x81\x65\x3A\x70\xC1\x9B\xAD\x4D\x6D\x54\xCA\x2A\x2D\x4B\x85\x1B\xB3\x80\xE6\x70\x45\x0D\x6B\x5E\x35\xF0\x7F\x3B\xB8\x9C\xE4\x04\x70\x89\x12\x25\x93\xDA\x0A\x99\x22\x60\x6A\x63\x60\x4E\x76\x06\x98\x4E\xBD\x83\xAD\x1D\x58\x8A\x25\x85\xD2\xC7\x65\x1E\x2D\x8E\xC6\xDF\xB6\xC6\xE1\x7F\x8A\x04\x21\x15\x29\x74\xF0\x3E\x9C\x90\x9D\x0C\x2E\xF1\x8A\x3E\x5A\xAA\x0C\x09\x1E\xC7\xD5\x3C\xA3\xED\x97\xC3\x1E\x34\xFA\x38\xF9\x08\x0E\xE3\xC0\x5D\x2B\x83\xD1\x56\x6A\xC9\xB6\xA8\x54\x53\x2E\x78\x32\x67\x3D\x82\x7F\x74\xD0\xFB\xE1\xB6\x05\x60\xB9\x70\xDB\x8E\x0B\xF9\x13\x58\x6F\x71\x60\x10\x52\x10\xB9\xC1\x41\x09\xEF\x72\x1F\x67\x31\x78\xFF\x96\x05\x8D\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xE3\xFE\x2D\xFD\x28\xD0\x0B\xB5\xBA\xB6\xA2\xC4\xBF\x06\xAA\x05\x8C\x93\xFB\x2F\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE3\xFE\x2D\xFD\x28\xD0\x0B\xB5\xBA\xB6\xA2\xC4\xBF\x06\xAA\x05\x8C\x93\xFB\x2F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x25\xC6\xBA\x6B\xEB\x87\xCB\xDE\x82\x39\x96\x3D\xF0\x44\xA7\x6B\x84\x73\x03\xDE\x9D\x2B\x4F\xBA\x20\x7F\xBC\x78\xB2\xCF\x97\xB0\x1B\x9C\xF3\xD7\x79\x2E\xF5\x48\xB6\xD2\xFB\x17\x88\xE6\xD3\x7A\x3F\xED\x53\x13\xD0\xE2\x2F\x6A\x79\xCB\x00\x23\x28\xE6\x1E\x37\x57\x35\x89\x84\xC2\x76\x4F\x34\x36\xAD\x67\xC3\xCE\x41\x06\x88\xC5\xF7\xEE\xD8\x1A\xB8\xD
6\x0B\x7F\x50\xFF\x93\xAA\x17\x4B\x8C\xEC\xED\x52\x60\xB2\xA4\x06\xEA\x4E\xEB\xF4\x6B\x19\xFD\xEB\xF5\x1A\xE0\x25\x2A\x9A\xDC\xC7\x41\x36\xF7\xC8\x74\x05\x84\x39\x95\x39\xD6\x0B\x3B\xA4\x27\xFA\x08\xD8\x5C\x1E\xF8\x04\x60\x52\x11\x28\x28\x03\xFF\xEF\x53\x66\x00\xA5\x4A\x34\x16\x66\x7C\xFD\x09\xA4\xAE\x9E\x67\x1A\x6F\x41\x0B\x6B\x06\x13\x9B\x8F\x86\x71\x05\xB4\x2F\x8D\x89\x66\x33\x29\x76\x54\x9A\x11\xF8\x27\xFA\xB2\x3F\x91\xE0\xCE\x0D\x1B\xF3\x30\x1A\xAD\xBF\x22\x5D\x1B\xD3\xBF\x25\x05\x4D\xE1\x92\x1A\x7F\x99\x9F\x3C\x44\x93\xCA\xD4\x40\x49\x6C\x80\x87\xD7\x04\x3A\xC3\x32\x52\x35\x0E\x56\xF8\xA5\xDD\x7D\xC4\x8B\x0D\x11\x1F\x53\xCB\x1E\xB2\x17\xB6\x68\x77\x5A\xE0\xD4\xCB\xC8\x07\xAE\xF5\x3A\x2E\x8E\x37\xB7\xD0\x01\x4B\x43\x29\x77\x8C\x39\x97\x8F\x82\x5A\xF8\x51\xE5\x89\xA0\x18\xE7\x68\x7F\x5D\x0A\x2E\xFB\xA3\x47\x0E\x3D\xA6\x23\x7A\xC6\x01\xC7\x8F\xC8\x5E\xBF\x6D\x80\x56\xBE\x8A\x24\xBA\x33\xEA\x9F\xE1\x32\x11\x9E\xF1\xD2\x4F\x80\xF6\x1B\x40\xAF\x38\x9E\x11\x50\x79\x73\x12\x12\xCD\xE6\x6C\x9D\x2C\x88\x72\x3C\x30\x81\x06\x91\x22\xEA\x59\xAD\xDA\x19\x2E\x22\xC2\x8D\xB9\x8C\x87\xE0\x66\xBC\x73\x23\x5F\x21\x64\x63\x80\x48\xF5\xA0\x3C\x18\x3D\x94\xC8\x48\x41\x1D\x40\xBA\x5E\xFE\xFE\x56\x39\xA1\xC8\xCF\x5E\x9E\x19\x64\x46\x10\xDA\x17\x91\xB7\x05\x80\xAC\x8B\x99\x92\x7D\xE7\xA2\xD8\x07\x0B\x36\x27\xE7\x48\x79\x60\x8A\xC3\xD7\x13\x5C\xF8\x72\x40\xDF\x4A\xCB\xCF\x99\x00\x0A\x00\x0B\x11\x95\xDA\x56\x45\x03\x88\x0A\x9F\x67\xD0\xD5\x79\xB1\xA8\x8D\x40\x6D\x0D\xC2\x7A\x40\xFA\xF3\x5F\x64\x47\x92\xCB\x53\xB9\xBB\x59\xCE\x4F\xFD\xD0\x15\x53\x01\xD8\xDF\xEB\xD9\xE6\x76\xEF\xD0\x23\xBB\x3B\xA9\x79\xB3\xD5\x02\x29\xCD\x89\xA3\x96\x0F\x4A\x35\xE7\x4E\x42\xC0\x75\xCD\x07\xCF\xE6\x2C\xEB\x7B\x2E", ["CN=T\C3\9CRKTRUST Elektronik Sertifika Hizmet Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1 H5,O=T\C3\9CRKTRUST Bilgi \C4\B0leti\C5\9Fim ve Bili\C5\9Fim G\C3\BCvenli\C4\9Fi Hizmetleri A.\C5\9E.,L=Ankara,C=TR"] = 
"\x30\x82\x04\x27\x30\x82\x03\x0F\xA0\x03\x02\x01\x02\x02\x07\x00\x8E\x17\xFE\x24\x20\x81\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xB1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x6E\x6B\x61\x72\x61\x31\x4D\x30\x4B\x06\x03\x55\x04\x0A\x0C\x44\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x42\x69\x6C\x67\x69\x20\xC4\xB0\x6C\x65\x74\x69\xC5\x9F\x69\x6D\x20\x76\x65\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x47\xC3\xBC\x76\x65\x6E\x6C\x69\xC4\x9F\x69\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x31\x42\x30\x40\x06\x03\x55\x04\x03\x0C\x39\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x20\x48\x35\x30\x1E\x17\x0D\x31\x33\x30\x34\x33\x30\x30\x38\x30\x37\x30\x31\x5A\x17\x0D\x32\x33\x30\x34\x32\x38\x30\x38\x30\x37\x30\x31\x5A\x30\x81\xB1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x6E\x6B\x61\x72\x61\x31\x4D\x30\x4B\x06\x03\x55\x04\x0A\x0C\x44\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x42\x69\x6C\x67\x69\x20\xC4\xB0\x6C\x65\x74\x69\xC5\x9F\x69\x6D\x20\x76\x65\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x47\xC3\xBC\x76\x65\x6E\x6C\x69\xC4\x9F\x69\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x31\x42\x30\x40\x06\x03\x55\x04\x03\x0C\x39\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x20\x48\x35\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA4\x25\x19\xE1\x65\x9E\xEB\x48\x21\x50\x4A\x08\xE5\x11\xF0\x5A\xBA\x26\xFF\x83\x59\xCE\x44\x2A\x2F\xFE\xE1\xCE\x60\x03\xFC\x8D\x03\xA5\xED\xFF\x6B\xA
8\xBA\xCC\x34\x06\x9F\x59\x35\xF6\xEC\x2C\xBB\x9D\xFB\x8D\x52\x69\xE3\x9C\x27\x10\x53\xF3\xA4\x02\xC5\xA7\xF9\x11\x1A\x69\x75\x6E\xC3\x1D\x8B\xD1\x98\x8D\x93\x87\xA7\x71\x97\x0D\x21\xC7\x99\xF9\x52\xD3\x2C\x63\x5D\x55\xBC\xE8\x1F\x01\x48\xB9\x60\xFE\x42\x4A\xF6\xC8\x80\xAE\xCD\x66\x7A\x9E\x45\x8A\x68\x77\xE2\x48\x68\x9F\xA2\xDA\xF1\xE1\xC1\x10\x9F\xEB\x3C\x29\x81\xA7\xE1\x32\x08\xD4\xA0\x05\xB1\x8C\xFB\x8D\x96\x00\x0E\x3E\x25\xDF\x53\x86\x22\x3B\xFC\xF4\xBD\xF3\x09\x7E\x77\xEC\x86\xEB\x0F\x33\xE5\x43\x4F\xF4\x54\x75\x6D\x29\x99\x2E\x66\x5A\x43\xDF\xCB\x5C\xCA\xC8\xE5\x38\xF1\x7E\x3B\x35\x9D\x0F\xF4\xC5\x5A\xA1\xCC\xF3\x20\x80\x24\xD3\x57\xEC\x15\xBA\x75\x25\x9B\xE8\x64\x4B\xB3\x34\x84\xEF\x04\xB8\xF6\xC9\x6C\xAA\x02\x3E\xB6\x55\xE2\x32\x37\x5F\xFC\x66\x97\x5F\xCD\xD6\x9E\xC7\x20\xBF\x4D\xC6\xAC\x3F\x75\x5F\x1C\xED\x32\x9C\x7C\x69\x00\x69\x91\xE3\x23\x18\x53\xE9\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x56\x99\x07\x1E\xD3\xAC\x0C\x69\x64\xB4\x0C\x50\x47\xDE\x43\x2C\xBE\x20\xC0\xFB\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x9E\x45\x76\x7B\x17\x48\x32\xF2\x38\x8B\x29\xBD\xEE\x96\x4A\x4E\x81\x18\xB1\x51\x47\x20\xCD\xD0\x64\xB1\x0E\xC9\xD9\x01\xD9\x09\xCE\xC8\x99\xDC\x68\x25\x13\xD4\x5C\xF2\xA3\xE8\x04\xFE\x72\x09\xC7\x0B\xAA\x1D\x25\x55\x7E\x96\x9A\x57\xB7\xBA\xC5\x11\x7A\x19\xE6\xA7\x7E\x3D\x85\x0E\xF5\xF9\x2E\x29\x2F\xE7\xF9\x6C\x58\x16\x57\x50\x25\xF6\x3E\x2E\x3E\xAA\xED\x77\x71\xAA\xAA\x99\x96\x46\x0A\xAE\x8E\xEC\x2A\x51\x16\xB0\x5E\xCD\xEA\x67\x04\x1C\x58\x30\xF5\x60\x8A\xBD\xA6\xBD\x4D\xE5\x96\xB4\xFC\x42\x89\x01\x6B\xF6\x70\xC8\x50\x39\x0C\x2D\xD5\x66\xD9\xC8\xD2\xB3\x32\xB7\x1B\x19\x6D\xCB\x33\xF9\xDF\xA5\xE6\x15\x84\x37\xF0\xC2\xF2\x65\x96\x92\x90\x77\xF0\xAD\xF4\x90\xE9\x11\x78\xD7\x93\x89\xC0\x3D\x0B\xBA\x29\xF4\xE8\x99\x9D\x72\x8E\xED\x9D\x2F\xEE\x92\x7
D\xA1\xF1\xFF\x5D\xBA\x33\x60\x85\x62\xFE\x07\x02\xA1\x84\x56\x46\xBE\x96\x0A\x9A\x13\xD7\x21\x4C\xB7\x7C\x07\x9F\x4E\x4E\x3F\x91\x74\xFB\x27\x9D\x11\xCC\xDD\xE6\xB1\xCA\x71\x4D\x13\x17\x39\x26\xC5\x29\x21\x2B\x93\x29\x6A\x96\xFA\xAB\x41\xE1\x4B\xB6\x35\x0B\xC0\x9B\x15", - ["CN=T\C3\9CRKTRUST Elektronik Sertifika Hizmet Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1 H6,O=T\C3\9CRKTRUST Bilgi \C4\B0leti\C5\9Fim ve Bili\C5\9Fim G\C3\BCvenli\C4\9Fi Hizmetleri A.\C5\9E.,L=Ankara,C=TR"] = "\x30\x82\x04\x26\x30\x82\x03\x0E\xA0\x03\x02\x01\x02\x02\x06\x7D\xA1\xF2\x65\xEC\x8A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xB1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x6E\x6B\x61\x72\x61\x31\x4D\x30\x4B\x06\x03\x55\x04\x0A\x0C\x44\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x42\x69\x6C\x67\x69\x20\xC4\xB0\x6C\x65\x74\x69\xC5\x9F\x69\x6D\x20\x76\x65\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x47\xC3\xBC\x76\x65\x6E\x6C\x69\xC4\x9F\x69\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x31\x42\x30\x40\x06\x03\x55\x04\x03\x0C\x39\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x20\x48\x36\x30\x1E\x17\x0D\x31\x33\x31\x32\x31\x38\x30\x39\x30\x34\x31\x30\x5A\x17\x0D\x32\x33\x31\x32\x31\x36\x30\x39\x30\x34\x31\x30\x5A\x30\x81\xB1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x6E\x6B\x61\x72\x61\x31\x4D\x30\x4B\x06\x03\x55\x04\x0A\x0C\x44\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x42\x69\x6C\x67\x69\x20\xC4\xB0\x6C\x65\x74\x69\xC5\x9F\x69\x6D\x20\x76\x65\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x47\xC3\xBC\x76\x65\x6E\x6C\x69\xC4\x9F\x69\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x31\x42\x30\x40\x06\x03\x55\x04\x03\x0C\x39\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\
x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x20\x48\x36\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x9D\xB0\x68\xD6\xE8\xBD\x14\x96\xA3\x00\x0A\x9A\xF1\xF4\xC7\xCC\x91\x4D\x71\x78\x77\xB9\xF7\x21\x26\x15\x73\x51\x16\x94\x09\x47\x05\xE2\x33\xF5\x68\x9A\x35\xFF\xDC\x4B\x2F\x32\xC7\xB0\xED\xE2\x82\xE5\x6F\xDA\xDA\xEA\xAC\xC6\x06\xCF\x25\x0D\x41\x81\xF6\xC1\x38\x22\xBD\xF9\xB1\xA5\xA6\xB3\x01\xBC\x3F\x50\x17\x2B\xF6\xE9\x66\x55\xD4\x33\xB3\x5C\xF8\x43\x20\x78\x93\x55\x16\x70\x19\x32\xE6\x89\xD7\x64\xEB\xBD\x48\x50\xFD\xF6\xD0\x41\x03\xC2\x74\xB7\xFD\xF6\x80\xCF\x5B\xC5\xAB\xA4\xD6\x95\x12\x9B\xE7\x97\x13\x32\x03\xE9\xD4\xAB\x43\x5B\x16\xED\x33\x22\x64\x29\xB6\xD2\x93\xAD\x2F\x6C\xD8\x3D\xB6\xF6\x1D\x0E\x34\xEE\xD2\x7D\xA9\x55\x0F\x20\xF4\xFD\x29\xBB\x91\x5B\x1C\x7D\xC6\x42\x38\x6D\x42\x28\x6D\xD4\x01\xFB\xCD\x88\x97\x49\x7E\xB8\xF3\x83\xF8\xB5\x98\x2F\xB3\x27\x0B\x48\x5E\x56\xE7\x4E\xA3\x33\xB3\x44\xD6\xA5\xF2\x18\x94\xED\x1C\x1E\xA9\x95\x5C\x62\x4A\xF8\x0D\x67\x51\xA9\xAF\x21\xD5\xF8\x32\x9D\x79\xBA\x1A\x5F\xE5\x04\x55\x4D\x13\x46\xFF\xF2\xCF\x74\xC7\x1A\x63\x6D\xC3\x1F\x17\x12\xC3\x1E\x10\x3E\x60\x08\xB3\x31\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xDD\x55\x17\x13\xF6\xAC\xE8\x48\x21\xCA\xEF\xB5\xAF\xD1\x00\x32\xED\x9E\x8C\xB5\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x6F\x58\x0D\x97\x43\xAA\x16\x54\x3E\xBF\xA9\xDF\x92\x45\x3F\x85\x0B\xBB\x56\xD3\x0C\x52\xCC\xC8\xBF\x76\x67\x5E\xE6\xAA\xB3\xA7\xEF\xB9\xAC\xB4\x10\x14\x0D\x74\x7E\x3D\x6D\xAD\xD1\x7D\xD0\x9A\xA9\xA5\xCA\x18\x3B\x02\x40\x2E\x2A\x9C\x50\x14\x8B\xFE\x57\x7E\x57\x5C\x11\x09\x4B\x36\x45\
x52\xF7\x3D\xAC\x14\xFD\x44\xDF\x8B\x97\x23\xD4\xC3\xC1\xEE\xD4\x53\x95\xFE\x2C\x4A\xFE\x0D\x70\xAA\xBB\x8B\x2F\x2D\xCB\x32\xA3\x82\xF2\x54\xDF\xD8\xF2\xDD\xD7\x48\x72\xEE\x4A\xA3\x29\x96\xC3\x44\xCE\x6E\xB5\x92\x87\x76\xA4\xBB\xF4\x92\x6C\xCE\x2C\x14\x09\x66\x8E\x8D\xAD\x16\xB5\xC7\x1B\x09\x61\x3B\xE3\x20\xA2\x03\x80\x8E\xAD\x7E\x51\x00\x4E\xC7\x96\x86\xFB\x43\x98\x77\x7D\x28\xC7\x8F\xD8\x2A\x6E\xE7\x84\x6F\x97\x41\x29\x00\x16\x5E\x4D\xE2\x13\xEA\x59\xC0\x63\x67\x3A\x44\xFB\x98\xFC\x04\xD3\x30\x72\xA6\xF6\x87\x09\x57\xAD\x76\xA6\x1D\x63\x9A\xFD\xD7\x65\xC8\x78\x83\x2B\x75\x3B\xA5\x5B\xB8\x0D\x5D\x7F\xBE\x23\xAE\x56\x55\x94\x58\xEF\x1F\x81\x8C\x2A\xB2\xCD\xE6\x9B\x63\x9E\x18\xBC\xE5\x6B\x06\xB4\x0B\x98\x4B\x28\x5E\xAF\x88\x58\xCB", ["CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR"] = "\x30\x82\x05\x92\x30\x82\x03\x7A\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x31\x17\x30\x15\x06\x03\x55\x04\x0B\x13\x0E\x30\x30\x30\x32\x20\x34\x33\x33\x39\x39\x38\x39\x30\x33\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x13\x14\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x20\x2D\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x31\x33\x31\x30\x32\x31\x30\x39\x31\x37\x31\x38\x5A\x17\x0D\x33\x33\x31\x30\x32\x31\x30\x39\x31\x37\x31\x38\x5A\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x31\x17\x30\x15\x06\x03\x55\x04\x0B\x13\x0E\x30\x30\x30\x32\x20\x34\x33\x33\x39\x39\x38\x39\x30\x33\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x13\x14\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x20\x2D\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD4\xCC\x09\x0A\x2C\x3F\x92\xF6\x7F\x14\x9E\x0B\x9C\x9A\x6A\x1D\x40\x3
0\x64\xFD\xAA\xDF\x0E\x1E\x06\x5B\x9F\x50\x85\xEA\xCD\x8D\xAB\x43\x67\xDE\xB0\xFA\x7E\x80\x96\x9E\x84\x78\x92\x48\xD6\xE3\x39\xEE\xCE\xE4\x59\x58\x97\xE5\x2E\x27\x98\xEA\x93\xA8\x77\x9B\x4A\xF0\xEF\x74\x80\x2D\xEB\x30\x1F\xB5\xD9\xC7\x80\x9C\x62\x27\x91\x88\xF0\x4A\x89\xDD\xDC\x88\xE6\x14\xF9\xD5\x03\x2F\xFF\x95\xDB\xBD\x9F\xEC\x2C\xFA\x14\x15\x59\x95\x0A\xC6\x47\x7C\x69\x18\xB9\xA7\x03\xF9\xCA\x76\xA9\xCF\xC7\x6F\xB4\x5E\x05\xFE\xEE\xC1\x52\xB2\x75\x32\x87\xEC\xED\x29\x66\x3B\xF3\x4A\x16\x82\xF6\xD6\x9A\xDB\x72\x98\xE9\xDE\xF0\xC5\x4C\xA5\xAB\xB5\xEA\x01\xE2\x8C\x2E\x64\x7F\x64\x6F\xFD\xA3\x25\x93\x8B\xC8\xA2\x0E\x49\x8D\x34\xF0\x1F\xEC\x58\x45\x2E\x34\xAA\x84\x50\xBD\xE7\xB2\x4A\x13\xB8\xB0\x0F\xAE\x38\x5D\xB0\xA9\x1B\xE6\x73\xC9\x5A\xA1\xD9\x66\x40\xAA\xA9\x4D\xA6\x34\x02\xAD\x84\x7E\xB2\x23\xC1\xFB\x2A\xC6\x67\xF4\x34\xB6\xB0\x95\x6A\x33\x4F\x71\x44\xB5\xAD\xC0\x79\x33\x88\xE0\xBF\xED\xA3\xA0\x14\xB4\x9C\x09\xB0\x0A\xE3\x60\xBE\xF8\xF8\x66\x88\xCD\x5B\xF1\x77\x05\xE0\xB5\x73\x6E\xC1\x7D\x46\x2E\x8E\x4B\x27\xA6\xCD\x35\x0A\xFD\xE5\x4D\x7D\xAA\x2A\xA3\x29\xC7\x5A\x68\x04\xE8\xE5\xD6\x93\xA4\x62\xC2\xC5\xE6\xF4\x4F\xC6\xF9\x9F\x1A\x8D\x82\x49\x19\x8A\xCA\x59\x43\x3A\xE8\x0D\x32\xC1\xF4\x4C\x13\x03\x6F\x6E\xA6\x3F\x91\x73\xCB\xCA\x73\x6F\x12\x20\x8B\xEE\xC0\x82\x78\xDE\x4B\x2E\xC2\x49\xC3\x1D\xED\x16\xF6\x24\xF4\x27\x1B\x5C\x57\x31\xDC\x55\xEE\xA8\x1E\x6F\x6C\xAC\xE2\x45\xCC\x57\x57\x8A\x75\x57\x19\xE0\xB5\x58\x99\x49\x36\x31\x3C\x33\x01\x6D\x16\x4A\xCD\xB8\x2A\x83\x84\x86\x9B\xF9\x60\xD2\x1F\x6D\x91\x03\xD3\x60\xA6\xD5\x3D\x9A\xDD\x77\x90\x3D\x35\xA4\x9F\x0F\x5E\xF5\x52\x44\x69\xB9\xC0\xBA\xDC\xCF\x7D\xDF\x7C\xD9\xC4\xAC\x86\x22\x32\xBC\x7B\x6B\x91\xEF\x7A\xF8\x17\x68\xB0\xE2\x53\x55\x60\x2D\xAF\x3E\xC2\x83\xD8\xD9\x09\x2B\xF0\xC0\x64\xDB\x87\x8B\x91\xCC\x91\xEB\x04\xFD\x76\xB4\x95\x9A\xE6\x14\x06\x1B\xD5\x34\x1D\xBE\xD8\xFF\x74\x1C\x53\x85\x99\xE0\x59\x52\x4A\x61\xED\x88\x9E\x6B\x49\x89\x46\x7E\x20\x5A\xD9\xE7\x4A\xE5\x6A\xEE\xD2\x65\x11\x43\x02\x03\x01\x00\x01\xA
3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xEF\x91\x4C\xF5\xA5\xC3\x30\xE8\x2F\x08\xEA\xD3\x71\x22\xA4\x92\x68\x78\x74\xD9\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xEF\x91\x4C\xF5\xA5\xC3\x30\xE8\x2F\x08\xEA\xD3\x71\x22\xA4\x92\x68\x78\x74\xD9\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x7E\x3D\x54\xDA\x22\x5D\x1A\x58\x3E\x3B\x54\x27\xBA\xBA\xCC\xC8\xE3\x1A\x6A\xEA\x3E\xF9\x12\xEB\x56\x5F\x3D\x50\xCE\xE0\xEA\x48\x26\x26\xCF\x79\x56\x7E\x91\x1C\x99\x3F\xD0\xA1\x91\x1C\x2C\x0F\x4F\x98\x95\x59\x53\xBD\xD0\x22\xD8\x88\x5D\x9C\x37\xFC\xFB\x64\xC1\x78\x8C\x8B\x9A\x60\x09\xEA\xD5\xFA\x21\x5F\xD0\x74\x65\xE7\x50\xC5\xBF\x2E\xB9\x0B\x0B\xAD\xB5\xB0\x17\xA6\x12\x8C\xD4\x62\x78\xEA\x56\x6A\xEC\x0A\xD2\x40\xC3\x3C\x05\x30\x3E\x4D\x94\xB7\x9F\x4A\x03\xD3\x7D\x27\x4B\xB6\xFE\x44\xCE\xFA\x19\x33\x1A\x6D\xA4\x42\xD1\xDD\xCC\xC8\xC8\xD7\x16\x52\x83\x4F\x35\x94\xB3\x12\x55\x7D\xE5\xE2\x42\xEB\xE4\x9C\x93\x09\xC0\x4C\x5B\x07\xAB\xC7\x6D\x11\xA0\x50\x17\x94\x23\xA8\xB5\x0A\x92\x0F\xB2\x7A\xC1\x60\x2C\x38\xCC\x1A\xA6\x5B\xFF\xF2\x0C\xE3\xAA\x1F\x1C\xDC\xB8\xA0\x93\x27\xDE\x63\xE3\x7F\x21\x9F\x3A\xE5\x9E\xFA\xE0\x13\x6A\x75\xEB\x96\x5C\x62\x91\x94\x8E\x67\x53\xB6\x89\xF8\x12\x09\xCB\x6F\x52\x5B\x03\x72\x86\x50\x95\x08\xD4\x8D\x87\x86\x15\x1F\x95\x24\xD8\xA4\x6F\x9A\xCE\xA4\x9D\x9B\x6D\xD2\xB2\x76\x06\x86\xC6\x56\x08\xC5\xEB\x09\xDA\x36\xC2\x1B\x5B\x41\xBE\x61\x2A\xE3\x70\xE6\xB8\xA6\xF8\xB6\x5A\xC4\xBD\x21\xF7\xFF\xAA\x5F\xA1\x6C\x76\x39\x66\xD6\xEA\x4C\x55\xE1\x00\x33\x9B\x13\x98\x63\xC9\x6F\xD0\x01\x20\x09\x37\x52\xE7\x0C\x4F\x3E\xCD\xBC\xF5\x5F\x96\x27\xA7\x20\x02\x95\xE0\x2E\xE8\x07\x41\x05\x1F\x15\x6E\xD6\xB0\xE4\x19\xE0\x0F\x02\x93\x00\x27\x72\xC5\x8B\xD1\x54\x1F\x5D\x4A\xC3\x40\x97\x7E\x55\xA6\x7C\xC1\x33\x04\x14\x01\x1D\x49\x20\x69\x0B\x19\x93\x9D\x6E\x58\x22\xF7\x40\x0C\x46\x0C\x23\x63\xF
3\x39\xD2\x7F\x76\x51\xA7\xF4\xC8\xA1\xF1\x0C\x76\x22\x23\x46\x52\x29\x2D\xE2\xA3\x41\x07\x56\x69\x98\xD2\x05\x09\xBC\x69\xC7\x5A\x61\xCD\x8F\x81\x60\x15\x4D\x80\xDD\x90\xE2\x7D\xC4\x50\xF2\x8C\x3B\x6E\x4A\xC7\xC6\xE6\x80\x2B\x3C\x81\xBC\x11\x80\x16\x10\x27\xD7\xF0\xCD\x3F\x79\xCC\x73\x2A\xC3\x7E\x53\x91\xD6\x6E\xF8\xF5\xF3\xC7\xD0\x51\x4D\x8E\x4B\xA5\x5B\xE6\x19\x17\x3B\xD6\x81\x09\xDC\x22\xDC\xEE\x8E\xB9\xC4\x8F\x53\xE1\x67\xBB\x33\xB8\x88\x15\x46\xCF\xED\x69\x35\xFF\x75\x0D\x46\xF3\xCE\x71\xE1\xC5\x6B\x86\x42\x06\xB9\x41", ["CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH"] = "\x30\x82\x03\xB5\x30\x82\x02\x9D\xA0\x03\x02\x01\x02\x02\x10\x76\xB1\x20\x52\x74\xF0\x85\x87\x46\xB3\xF8\x23\x1A\xF6\xC2\xC0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x6D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x57\x49\x53\x65\x4B\x65\x79\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x4F\x49\x53\x54\x45\x20\x46\x6F\x75\x6E\x64\x61\x74\x69\x6F\x6E\x20\x45\x6E\x64\x6F\x72\x73\x65\x64\x31\x28\x30\x26\x06\x03\x55\x04\x03\x13\x1F\x4F\x49\x53\x54\x45\x20\x57\x49\x53\x65\x4B\x65\x79\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x42\x20\x43\x41\x30\x1E\x17\x0D\x31\x34\x31\x32\x30\x31\x31\x35\x30\x30\x33\x32\x5A\x17\x0D\x33\x39\x31\x32\x30\x31\x31\x35\x31\x30\x33\x31\x5A\x30\x6D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x57\x49\x53\x65\x4B\x65\x79\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x4F\x49\x53\x54\x45\x20\x46\x6F\x75\x6E\x64\x61\x74\x69\x6F\x6E\x20\x45\x6E\x64\x6F\x72\x73\x65\x64\x31\x28\x30\x26\x06\x03\x55\x04\x03\x13\x1F\x4F\x49\x53\x54\x45\x20\x57\x49\x53\x65\x4B\x65\x79\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x42\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD8\x17\xB7\x1C\x4A\x24\x2A\xD6\x97\xB1\xCA\xE2\x
1E\xFB\x7D\x38\xEF\x98\xF5\xB2\x39\x98\x4E\x27\xB8\x11\x5D\x7B\xD2\x25\x94\x88\x82\x15\x26\x6A\x1B\x31\xBB\xA8\x5B\x21\x21\x2B\xD8\x0F\x4E\x9F\x5A\xF1\xB1\x5A\xE4\x79\xD6\x32\x23\x2B\xE1\x53\xCC\x99\x45\x5C\x7B\x4F\xAD\xBC\xBF\x87\x4A\x0B\x4B\x97\x5A\xA8\xF6\x48\xEC\x7D\x7B\x0D\xCD\x21\x06\xDF\x9E\x15\xFD\x41\x8A\x48\xB7\x20\xF4\xA1\x7A\x1B\x57\xD4\x5D\x50\xFF\xBA\x67\xD8\x23\x99\x1F\xC8\x3F\xE3\xDE\xFF\x6F\x5B\x77\xB1\x6B\x6E\xB8\xC9\x64\xF7\xE1\xCA\x41\x46\x0E\x29\x71\xD0\xB9\x23\xFC\xC9\x81\x5F\x4E\xF7\x6F\xDF\xBF\x84\xAD\x73\x64\xBB\xB7\x42\x8E\x69\xF6\xD4\x76\x1D\x7E\x9D\xA7\xB8\x57\x8A\x51\x67\x72\xD7\xD4\xA8\xB8\x95\x54\x40\x73\x03\xF6\xEA\xF4\xEB\xFE\x28\x42\x77\x3F\x9D\x23\x1B\xB2\xB6\x3D\x80\x14\x07\x4C\x2E\x4F\xF7\xD5\x0A\x16\x0D\xBD\x66\x43\x37\x7E\x23\x43\x79\xC3\x40\x86\xF5\x4C\x29\xDA\x8E\x9A\xAD\x0D\xA5\x04\x87\x88\x1E\x85\xE3\xE9\x53\xD5\x9B\xC8\x8B\x03\x63\x78\xEB\xE0\x19\x4A\x6E\xBB\x2F\x6B\x33\x64\x58\x93\xAD\x69\xBF\x8F\x1B\xEF\x82\x48\xC7\x02\x03\x01\x00\x01\xA3\x51\x30\x4F\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x35\x0F\xC8\x36\x63\x5E\xE2\xA3\xEC\xF9\x3B\x66\x15\xCE\x51\x52\xE3\x91\x9A\x3D\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x40\x4C\xFB\x87\xB2\x99\x81\x90\x7E\x9D\xC5\xB0\xB0\x26\xCD\x88\x7B\x2B\x32\x8D\x6E\xB8\x21\x71\x58\x97\x7D\xAE\x37\x14\xAF\x3E\xE7\xF7\x9A\xE2\x7D\xF6\x71\x98\x99\x04\xAA\x43\x74\x78\xA3\xE3\x49\x61\x3E\x73\x8C\x4D\x94\xE0\xF9\x71\xC4\xB6\x16\x0E\x53\x78\x1F\xD6\xA2\x87\x2F\x02\x39\x81\x29\x3C\xAF\x15\x98\x21\x30\xFE\x28\x90\x00\x8C\xD1\xE1\xCB\xFA\x5E\xC8\xFD\xF8\x10\x46\x3B\xA2\x78\x42\x91\x17\x74\x55\x0A\xDE\x50\x67\x4D\x66\xD1\xA7\xFF\xFD\xD9\xC0\xB5\xA8\xA3\x8A\xCE\x66\xF5\x0F\x43\xCD\xA7\x2B\x57\x7B\x63\x46\x6A\xAA\x2E\x52\xD8\xF4\xED\xE1\x6D\xAD\x29\x90\x78\x48\xBA\xE1\x23\xAA\x
A3\x89\xEC\xB5\xAB\x96\xC0\xB4\x4B\xA2\x1D\x97\x9E\x7A\xF2\x6E\x40\x71\xDF\x68\xF1\x65\x4D\xCE\x7C\x05\xDF\x53\x65\xA9\xA5\xF0\xB1\x97\x04\x70\x15\x46\x03\x98\xD4\xD2\xBF\x54\xB4\xA0\x58\x7D\x52\x6F\xDA\x56\x26\x62\xD4\xD8\xDB\x89\x31\x6F\x1C\xF0\x22\xC2\xD3\x62\x1C\x35\xCD\x4C\x69\x15\x54\x1A\x90\x98\xDE\xEB\x1E\x5F\xCA\x77\xC7\xCB\x8E\x3D\x43\x69\x9C\x9A\x58\xD0\x24\x3B\xDF\x1B\x40\x96\x7E\x35\xAD\x81\xC7\x4E\x71\xBA\x88\x13", - ["CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN"] = "\x30\x82\x03\x7C\x30\x82\x02\x64\xA0\x03\x02\x01\x02\x02\x10\x6B\x25\xDA\x8A\x88\x9D\x7C\xBC\x0F\x05\xB3\xB1\x7A\x61\x45\x44\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x6F\x66\x20\x57\x6F\x53\x69\x67\x6E\x20\x47\x32\x30\x1E\x17\x0D\x31\x34\x31\x31\x30\x38\x30\x30\x35\x38\x35\x38\x5A\x17\x0D\x34\x34\x31\x31\x30\x38\x30\x30\x35\x38\x35\x38\x5A\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x6F\x66\x20\x57\x6F\x53\x69\x67\x6E\x20\x47\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBE\xC5\xC4\xA0\x22\x80\x49\x4F\xBF\xD9\x87\x11\xC6\x53\xE1\xBB\x0F\xBD\x60\x7F\xAF\xF6\x82\x0E\x1F\xDC\xB0\x8E\x3D\x97\xE0\x50\x3C\x8F\x3A\xEF\x66\x3B\x45\x07\x9B\x20\xF8\xE3\xD7\x25\x86\x35\x90\x16\xA2\x5D\x6F\x30\x19\x08\x87\x0B\x7F\x06\xB2\x9D\x62\x8F\xDE\xAF\x92\xA5\x60\xD4\x2B\x80\x9A\x52\x3F\xF5\x9A\x83\xE9\x34\x5A\xCB\
xD9\xD5\x62\x5C\xE6\x0E\xE0\xDF\x06\x98\x0E\x80\x7C\xCA\xB4\x1D\x13\x88\x6B\x0E\xA8\x24\x77\x03\xD0\xEE\x5B\xF3\xCA\x69\x91\x35\x39\x56\xC5\x6D\xE3\xF7\x3D\x4F\x5E\x93\x38\x24\xCA\x18\xE9\x24\xCB\x92\x03\xDD\xCC\x1C\x3D\x09\x70\xE4\x20\xE4\xF1\xAE\xAC\xBB\x73\x69\xA3\x63\x3A\x0F\x45\x0F\xA1\x4A\x9A\xC2\xD1\x63\xAC\xCB\x10\xF8\x3D\xE6\x4E\x28\xB7\xEB\xC4\x95\xB1\xAC\xFD\x5E\xAB\xFA\x41\xCB\x5D\x9D\x4B\xDC\xF4\x7C\x76\xEF\x67\x7F\x00\x7A\x8D\xD2\xA0\x1A\x5C\x4D\x22\xE1\xB5\xDA\xDD\x76\xB3\xD4\x76\xDF\x5E\xB8\x8B\x98\xC8\x14\x54\xCC\x6B\x17\x92\xB7\xE0\x4A\xBF\x49\x94\x61\x0B\x38\x90\x8F\x5D\x24\x6C\x25\x7B\x3B\x79\xD9\xE2\x7E\x9D\xAD\x9F\x98\xA1\x06\xFC\x78\x14\x60\x57\xF8\xEE\x80\x77\xB1\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xFA\x60\xA9\xEB\x65\xC5\xDD\x16\x14\x08\x4E\x0C\x0F\x8D\x9B\xE0\xF7\x64\xAF\x67\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x57\xC3\x7A\x36\x82\x9C\x8D\x98\xE2\xAB\x40\xAA\x47\x8F\xC7\xA7\x5B\xED\x7C\xE7\x3D\x66\x5A\x3B\x31\xBB\xDF\xF3\x16\x33\x91\xFC\x7C\x7B\xA5\xC2\xA6\x66\xE3\xAA\xB0\xB7\x27\x98\x3F\x49\xD7\x60\x67\x67\x3F\x36\x4F\x4A\xCB\xF1\x14\xFA\x5A\x87\x28\x1C\xED\x8F\x41\x32\xC6\x95\xF9\x7D\xDA\xBD\x7B\x5B\xC2\xB0\x21\xE3\x8F\x46\xDC\x21\x38\x43\x74\x4C\xFB\x30\xF8\x17\x72\xC1\x32\xFC\xC8\x91\x17\xC4\xCC\x58\x37\x4E\x0B\xCC\x5A\xF7\x21\x35\x28\x83\x6C\x60\x2D\x44\xEB\x52\x8C\x50\x3D\xB5\x6C\x12\xD7\xFA\x09\xBB\x6C\xB2\x4A\xB1\xC5\x89\xE4\xFC\xD3\x52\xD8\x61\x17\xFE\x7A\x94\x84\x8F\x79\xB6\x33\x59\xBA\x0F\xC4\x0B\xE2\x70\xA0\x4B\x78\x2E\xFA\xC8\x9F\xFD\xAF\x91\x65\x0A\x78\x38\x15\xE5\x97\x17\x14\xDD\xF9\xE0\x2C\x34\xF8\x38\xD0\x84\x22\x00\xC0\x14\x51\x18\x2B\x02\xDC\x30\x5A\xF0\xE8\x01\x7C\x35\x3A\x23\xAF\x08\xE4\xAF\xAA\x8E\x28\x42\x49\x2E\xF0\xF5\x99\x34\xBE\xED\x0F\x4B\x18\xE1\xD2\x24\x3C\xBB\x5D\x47\xB7\x21\xF2\x8D\xD1\x0A\x99\
x8E\xE3\x6E\x3E\xAD\x70\xE0\x8F\xB9\xCA\xCC\x6E\x81\x31\xF6\x7B\x9C\x7A\x79\xE4\x67\x71\x18", - ["CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN"] = "\x30\x82\x02\x09\x30\x82\x01\x8F\xA0\x03\x02\x01\x02\x02\x10\x68\x4A\x58\x70\x80\x6B\xF0\x8F\x02\xFA\xF6\xDE\xE8\xB0\x90\x90\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x46\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x43\x41\x20\x57\x6F\x53\x69\x67\x6E\x20\x45\x43\x43\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x31\x34\x31\x31\x30\x38\x30\x30\x35\x38\x35\x38\x5A\x17\x0D\x34\x34\x31\x31\x30\x38\x30\x30\x35\x38\x35\x38\x5A\x30\x46\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x43\x41\x20\x57\x6F\x53\x69\x67\x6E\x20\x45\x43\x43\x20\x52\x6F\x6F\x74\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xE1\xFD\x8E\xB8\x43\x24\xAB\x96\x7B\x85\xC2\xBA\x0B\xAD\x8D\xE0\x3A\xE3\x24\xB9\xD2\xB1\xBE\x88\x3A\xCA\xBF\x4A\xB8\xF9\xEF\x2C\x2F\xAF\x51\x50\x3C\x47\x75\x6C\xF8\x94\xB7\x9B\xFC\x28\x1E\xC5\x54\xCC\x63\x9D\x16\x4B\x53\xC1\xE7\x20\xAB\xCD\xAC\x25\xD2\x7F\x8F\xC2\xC1\x5A\x82\x5E\x30\x8B\x7A\x54\xCE\x03\xB5\x91\x7F\xAA\x94\xD0\xD1\x8A\x48\xCC\x82\x05\x26\xA1\xD5\x51\x12\xD6\x7B\x36\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xAA\xFD\xD5\x5A\xA3\xF6\x87\x8B\x32\x85\xFD\xD1\x32\x5B\x80\x45\x93\xF3\x03\xB8\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x31\x00\xE4\xA4\x84\xB0\x81\xD5\x3D\xB0\x74\xAC\x94\xA4\xE8\x0E\x3D\x00\x74\x4C\xA1\x97\x6B\xF9\x0D\x51\x3C\xA1\xD9\x3B\xF4\x0D\xAB\xA9\x9F\xBE\x4E\x
72\xCA\x85\xD4\xD9\xEC\xB5\x32\x45\x18\x6F\xAB\xAD\x02\x30\x7D\xC7\xF7\x69\x63\x2F\xA1\xE1\x98\xEF\x13\x10\xD1\x79\x3F\xD1\xFE\xEA\x3B\x7F\xDE\x56\xF4\x90\xB1\x15\x11\xD8\xB2\x22\x15\xD0\x2F\xC3\x26\x2E\x6B\xF1\x91\xB2\x90\x65\xF4\x9A\xE6\x90\xEE\x4A", ["CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL"] = "\x30\x82\x03\x72\x30\x82\x02\x5A\xA0\x03\x02\x01\x02\x02\x14\x3E\x8A\x5D\x07\xEC\x55\xD2\x32\xD5\xB7\xE3\xB6\x5F\x01\xEB\x2D\xDC\xE4\xD6\xE4\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x51\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x28\x30\x26\x06\x03\x55\x04\x0A\x0C\x1F\x4B\x72\x61\x6A\x6F\x77\x61\x20\x49\x7A\x62\x61\x20\x52\x6F\x7A\x6C\x69\x63\x7A\x65\x6E\x69\x6F\x77\x61\x20\x53\x2E\x41\x2E\x31\x18\x30\x16\x06\x03\x55\x04\x03\x0C\x0F\x53\x5A\x41\x46\x49\x52\x20\x52\x4F\x4F\x54\x20\x43\x41\x32\x30\x1E\x17\x0D\x31\x35\x31\x30\x31\x39\x30\x37\x34\x33\x33\x30\x5A\x17\x0D\x33\x35\x31\x30\x31\x39\x30\x37\x34\x33\x33\x30\x5A\x30\x51\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x28\x30\x26\x06\x03\x55\x04\x0A\x0C\x1F\x4B\x72\x61\x6A\x6F\x77\x61\x20\x49\x7A\x62\x61\x20\x52\x6F\x7A\x6C\x69\x63\x7A\x65\x6E\x69\x6F\x77\x61\x20\x53\x2E\x41\x2E\x31\x18\x30\x16\x06\x03\x55\x04\x03\x0C\x0F\x53\x5A\x41\x46\x49\x52\x20\x52\x4F\x4F\x54\x20\x43\x41\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB7\xBC\x3E\x50\xA8\x4B\xCD\x40\xB5\xCE\x61\xE7\x96\xCA\xB4\xA1\xDA\x0C\x22\xB0\xFA\xB5\x7B\x76\x00\x77\x8C\x0B\xCF\x7D\xA8\x86\xCC\x26\x51\xE4\x20\x3D\x85\x0C\xD6\x58\xE3\xE7\xF4\x2A\x18\x9D\xDA\xD1\xAE\x26\xEE\xEB\x53\xDC\xF4\x90\xD6\x13\x4A\x0C\x90\x3C\xC3\xF4\xDA\xD2\x8E\x0D\x92\x3A\xDC\xB1\xB1\xFF\x38\xDE\xC3\xBA\x2D\x5F\x80\xB9\x02\xBD\x4A\x9D\x1B\x0F\xB4\xC3\xC2\xC1\x67\x03\xDD\xDC\x1B\x9C\x3D\xB3\xB0\xDE\x00\x1E\xA8\x34\x47\xBB\x9A\xEB\xFE\x0B\x14\xBD\x36\x84\xDA\x0D\x20\xBF\xFA\x5B\xCB\xA9\x16\x20\xAD\x39\x60\xEE\x2F\x75\xB6\xE7\x97\x9C\xF9\x
3E\xFD\x7E\x4D\x6F\x4D\x2F\xEF\x88\x0D\x6A\xFA\xDD\xF1\x3D\x6E\x20\xA5\xA0\x12\xB4\x4D\x70\xB9\xCE\xD7\x72\x3B\x89\x93\xA7\x80\x84\x1C\x27\x49\x72\x49\xB5\xFF\x3B\x95\x9E\xC1\xCC\xC8\x01\xEC\xE8\x0E\x8A\x0A\x96\xE7\xB3\xA6\x87\xE5\xD6\xF9\x05\x2B\x0D\x97\x40\x70\x3C\xBA\xAC\x75\x5A\x9C\xD5\x4D\x9D\x02\x0A\xD2\x4B\x9B\x66\x4B\x46\x07\x17\x65\xAD\x9F\x6C\x88\x00\xDC\x22\x89\xE0\xE1\x64\xD4\x67\xBC\x31\x79\x61\x3C\xBB\xCA\x41\xCD\x5C\x6A\x00\xC8\x3C\x38\x8E\x58\xAF\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x2E\x16\xA9\x4A\x18\xB5\xCB\xCC\xF5\x6F\x50\xF3\x23\x5F\xF8\x5D\xE7\xAC\xF0\xC8\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\xB5\x73\xF8\x03\xDC\x59\x5B\x1D\x76\xE9\xA3\x2A\x7B\x90\x28\xB2\x4D\xC0\x33\x4F\xAA\x9A\xB1\xD4\xB8\xE4\x27\xFF\xA9\x96\x99\xCE\x46\xE0\x6D\x7C\x4C\xA2\x38\xA4\x06\x70\xF0\xF4\x41\x11\xEC\x3F\x47\x8D\x3F\x72\x87\xF9\x3B\xFD\xA4\x6F\x2B\x53\x00\xE0\xFF\x39\xB9\x6A\x07\x0E\xEB\x1D\x1C\xF6\xA2\x72\x90\xCB\x82\x3D\x11\x82\x8B\xD2\xBB\x9F\x2A\xAF\x21\xE6\x63\x86\x9D\x79\x19\xEF\xF7\xBB\x0C\x35\x90\xC3\x8A\xED\x4F\x0F\xF5\xCC\x12\xD9\xA4\x3E\xBB\xA0\xFC\x20\x95\x5F\x4F\x26\x2F\x11\x23\x83\x4E\x75\x07\x0F\xBF\x9B\xD1\xB4\x1D\xE9\x10\x04\xFE\xCA\x60\x8F\xA2\x4C\xB8\xAD\xCF\xE1\x90\x0F\xCD\xAE\x0A\xC7\x5D\x7B\xB7\x50\xD2\xD4\x61\xFA\xD5\x15\xDB\xD7\x9F\x87\x51\x54\xEB\xA5\xE3\xEB\xC9\x85\xA0\x25\x20\x37\xFB\x8E\xCE\x0C\x34\x84\xE1\x3C\x81\xB2\x77\x4E\x43\xA5\x88\x5F\x86\x67\xA1\x3D\xE6\xB4\x5C\x61\xB6\x3E\xDB\xFE\xB7\x28\xC5\xA2\x07\xAE\xB5\xCA\xCA\x8D\x2A\x12\xEF\x97\xED\xC2\x30\xA4\xC9\x2A\x7A\xFB\xF3\x4D\x23\x1B\x99\x33\x34\xA0\x2E\xF5\xA9\x0B\x3F\xD4\x5D\xE1\xCF\x84\x9F\xE2\x19\xC2\x5F\x8A\xD6\x20\x1E\xE3\x73\xB7", ["CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL"] = 
"\x30\x82\x05\xD2\x30\x82\x03\xBA\xA0\x03\x02\x01\x02\x02\x10\x21\xD6\xD0\x4A\x4F\x25\x0F\xC9\x32\x37\xFC\xAA\x5E\x12\x8D\xE9\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0D\x05\x00\x30\x81\x80\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x55\x6E\x69\x7A\x65\x74\x6F\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x20\x53\x2E\x41\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x43\x65\x72\x74\x75\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x43\x65\x72\x74\x75\x6D\x20\x54\x72\x75\x73\x74\x65\x64\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x43\x41\x20\x32\x30\x22\x18\x0F\x32\x30\x31\x31\x31\x30\x30\x36\x30\x38\x33\x39\x35\x36\x5A\x18\x0F\x32\x30\x34\x36\x31\x30\x30\x36\x30\x38\x33\x39\x35\x36\x5A\x30\x81\x80\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x55\x6E\x69\x7A\x65\x74\x6F\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x20\x53\x2E\x41\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x43\x65\x72\x74\x75\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x43\x65\x72\x74\x75\x6D\x20\x54\x72\x75\x73\x74\x65\x64\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x43\x41\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xBD\xF9\x78\xF8\xE6\xD5\x80\x0C\x64\x9D\x86\x1B\x96\x64\x67\x3F\x22\x3A\x1E\x75\x01\x7D\xEF\xFB\x5C\x67\x8C\xC9\xCC\x5C\x6B\xA9\x91\xE6\xB9\x42\xE5\x20\x4B\x9B\xDA\x9B\x7B\xB9\x99\x5D\xD9\x9B\x80\x4B\xD7\x84\x40\x2B\x27\xD3\xE8\xBA\x30\xBB\x3E\x09\x1A\xA7\x49\x95\xEF\x2B\x40\x24\xC2\x97\xC7\xA7\xEE\x9B\x25\xEF\xA8\x0A\x00\x97\x85\x5A\xAA\x9D\xDC\x29\xC9\xE2\x35\x07\xEB\x70\x4D\x4A\xD6\xC1\xB3\x56\xB8\xA1\x41\x38\x9B\xD1\xFB\x31\x7F\x8F\xE0\x5F\xE1\xB1\x3F\x0F\x8E\x16\x49\x60\xD7\x06\x8
D\x18\xF9\xAA\x26\x10\xAB\x2A\xD3\xD0\xD1\x67\x8D\x1B\x46\xBE\x47\x30\xD5\x2E\x72\xD1\xC5\x63\xDA\xE7\x63\x79\x44\x7E\x4B\x63\x24\x89\x86\x2E\x34\x3F\x29\x4C\x52\x8B\x2A\xA7\xC0\xE2\x91\x28\x89\xB9\xC0\x5B\xF9\x1D\xD9\xE7\x27\xAD\xFF\x9A\x02\x97\xC1\xC6\x50\x92\x9B\x02\x2C\xBD\xA9\xB9\x34\x59\x0A\xBF\x84\x4A\xFF\xDF\xFE\xB3\x9F\xEB\xD9\x9E\xE0\x98\x23\xEC\xA6\x6B\x77\x16\x2A\xDB\xCC\xAD\x3B\x1C\xA4\x87\xDC\x46\x73\x5E\x19\x62\x68\x45\x57\xE4\x90\x82\x42\xBB\x42\xD6\xF0\x61\xE0\xC1\xA3\x3D\x66\xA3\x5D\xF4\x18\xEE\x88\xC9\x8D\x17\x45\x29\x99\x32\x75\x02\x31\xEE\x29\x26\xC8\x6B\x02\xE6\xB5\x62\x45\x7F\x37\x15\x5A\x23\x68\x89\xD4\x3E\xDE\x4E\x27\xB0\xF0\x40\x0C\xBC\x4D\x17\xCB\x4D\xA2\xB3\x1E\xD0\x06\x5A\xDD\xF6\x93\xCF\x57\x75\x99\xF5\xFA\x86\x1A\x67\x78\xB3\xBF\x96\xFE\x34\xDC\xBD\xE7\x52\x56\xE5\xB3\xE5\x75\x7B\xD7\x41\x91\x05\xDC\x5D\x69\xE3\x95\x0D\x43\xB9\xFC\x83\x96\x39\x95\x7B\x6C\x80\x5A\x4F\x13\x72\xC6\xD7\x7D\x29\x7A\x44\xBA\x52\xA4\x2A\xD5\x41\x46\x09\x20\xFE\x22\xA0\xB6\x5B\x30\x8D\xBC\x89\x0C\xD5\xD7\x70\xF8\x87\x52\xFD\xDA\xEF\xAC\x51\x2E\x07\xB3\x4E\xFE\xD0\x09\xDA\x70\xEF\x98\xFA\x56\xE6\x6D\xDB\xB5\x57\x4B\xDC\xE5\x2C\x25\x15\xC8\x9E\x2E\x78\x4E\xF8\xDA\x9C\x9E\x86\x2C\xCA\x57\xF3\x1A\xE5\xC8\x92\x8B\x1A\x82\x96\x7A\xC3\xBC\x50\x12\x69\xD8\x0E\x5A\x46\x8B\x3A\xEB\x26\xFA\x23\xC9\xB6\xB0\x81\xBE\x42\x00\xA4\xF8\xD6\xFE\x30\x2E\xC7\xD2\x46\xF6\xE5\x8E\x75\xFD\xF2\xCC\xB9\xD0\x87\x5B\xCC\x06\x10\x60\xBB\x83\x35\xB7\x5E\x67\xDE\x47\xEC\x99\x48\xF1\xA4\xA1\x15\xFE\xAD\x8C\x62\x8E\x39\x55\x4F\x39\x16\xB9\xB1\x63\x9D\xFF\xB7\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB6\xA1\x54\x39\x02\xC3\xA0\x3F\x8E\x8A\xBC\xFA\xD4\xF8\x1C\xA6\xD1\x3A\x0E\xFD\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0D\x05\x00\x03\x82\x02\x01\x00\x71\xA5\x0E\xCE\xE4\xE9\xBF\x3F\x38\xD5\x89\x5A\xC4\x02\x61\xFB\x4C\xC
5\x14\x17\x2D\x8B\x4F\x53\x6B\x10\x17\xFC\x65\x84\xC7\x10\x49\x90\xDE\xDB\xC7\x26\x93\x88\x26\x6F\x70\xD6\x02\x5E\x39\xA0\xF7\x8F\xAB\x96\xB5\xA5\x13\x5C\x81\x14\x6D\x0E\x81\x82\x11\x1B\x8A\x4E\xC6\x4F\xA5\xDD\x62\x1E\x44\xDF\x09\x59\xF4\x5B\x77\x0B\x37\xE9\x8B\x20\xC6\xF8\x0A\x4E\x2E\x58\x1C\xEB\x33\xD0\xCF\x86\x60\xC9\xDA\xFB\x80\x2F\x9E\x4C\x60\x84\x78\x3D\x21\x64\xD6\xFB\x41\x1F\x18\x0F\xE7\xC9\x75\x71\xBD\xBD\x5C\xDE\x34\x87\x3E\x41\xB0\x0E\xF6\xB9\xD6\x3F\x09\x13\x96\x14\x2F\xDE\x9A\x1D\x5A\xB9\x56\xCE\x35\x3A\xB0\x5F\x70\x4D\x5E\xE3\x29\xF1\x23\x28\x72\x59\xB6\xAB\xC2\x8C\x66\x26\x1C\x77\x2C\x26\x76\x35\x8B\x28\xA7\x69\xA0\xF9\x3B\xF5\x23\xDD\x85\x10\x74\xC9\x90\x03\x56\x91\xE7\xAF\xBA\x47\xD4\x12\x97\x11\x22\xE3\xA2\x49\x94\x6C\xE7\xB7\x94\x4B\xBA\x2D\xA4\xDA\x33\x8B\x4C\xA6\x44\xFF\x5A\x3C\xC6\x1D\x64\xD8\xB5\x31\xE4\xA6\x3C\x7A\xA8\x57\x0B\xDB\xED\x61\x1A\xCB\xF1\xCE\x73\x77\x63\xA4\x87\x6F\x4C\x51\x38\xD6\xE4\x5F\xC7\x9F\xB6\x81\x2A\xE4\x85\x48\x79\x58\x5E\x3B\xF8\xDB\x02\x82\x67\xC1\x39\xDB\xC3\x74\x4B\x3D\x36\x1E\xF9\x29\x93\x88\x68\x5B\xA8\x44\x19\x21\xF0\xA7\xE8\x81\x0D\x2C\xE8\x93\x36\xB4\x37\xB2\xCA\xB0\x1B\x26\x7A\x9A\x25\x1F\x9A\x9A\x80\x9E\x4B\x2A\x3F\xFB\xA3\x9A\xFE\x73\x32\x71\xC2\x9E\xC6\x72\xE1\x8A\x68\x27\xF1\xE4\x0F\xB4\xC4\x4C\xA5\x61\x93\xF8\x97\x10\x07\x2A\x30\x25\xA9\xB9\xC8\x71\xB8\xEF\x68\xCC\x2D\x7E\xF5\xE0\x7E\x0F\x82\xA8\x6F\xB6\xBA\x6C\x83\x43\x77\xCD\x8A\x92\x17\xA1\x9E\x5B\x78\x16\x3D\x45\xE2\x33\x72\xDD\xE1\x66\xCA\x99\xD3\xC9\xC5\x26\xFD\x0D\x68\x04\x46\xAE\xB6\xD9\x9B\x8C\xBE\x19\xBE\xB1\xC6\xF2\x19\xE3\x5C\x02\xCA\x2C\xD8\x6F\x4A\x07\xD9\xC9\x35\xDA\x40\x75\xF2\xC4\xA7\x19\x6F\x9E\x42\x10\x98\x75\xE6\x95\x8B\x60\xBC\xED\xC5\x12\xD7\x8A\xCE\xD5\x98\x5C\x56\x96\x03\xC5\xEE\x77\x06\x35\xFF\xCF\xE4\xEE\x3F\x13\x61\xEE\xDB\xDA\x2D\x85\xF0\xCD\xAE\x9D\xB2\x18\x09\x45\xC3\x92\xA1\x72\x17\xFC\x47\xB6\xA0\x0B\x2C\xF1\xC4\xDE\x43\x68\x08\x6A\x5F\x3B\xF0\x76\x63\xFB\xCC\x06\x2C\xA6\xC6\xE2\x0E\xB5\xB9\xBE\x24\x8F", ["CN=Hellenic 
Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR"] = "\x30\x82\x06\x0B\x30\x82\x03\xF3\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xA6\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x13\x06\x41\x74\x68\x65\x6E\x73\x31\x44\x30\x42\x06\x03\x55\x04\x0A\x13\x3B\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x2E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x40\x30\x3E\x06\x03\x55\x04\x03\x13\x37\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x52\x6F\x6F\x74\x43\x41\x20\x32\x30\x31\x35\x30\x1E\x17\x0D\x31\x35\x30\x37\x30\x37\x31\x30\x31\x31\x32\x31\x5A\x17\x0D\x34\x30\x30\x36\x33\x30\x31\x30\x31\x31\x32\x31\x5A\x30\x81\xA6\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x13\x06\x41\x74\x68\x65\x6E\x73\x31\x44\x30\x42\x06\x03\x55\x04\x0A\x13\x3B\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x2E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x40\x30\x3E\x06\x03\x55\x04\x03\x13\x37\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x52\x6F\x6F\x74\x43\x41\x20\x32\x30\x31\x35\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC2\xF8\xA9\x3F\x1B\x89\xFC\x3C\x3C\x04\x5D\x3D\x90\x36\xB0\x91\x3A\x79\x3C\x66\x5A\xEF\x6D\x39\x01\x49\x1A\xB4\xB7\xCF\x7F\x4D\x23\x53
\xB7\x90\x00\xE3\x13\x2A\x28\xA6\x31\xF1\x91\x00\xE3\x28\xEC\xAE\x21\x41\xCE\x1F\xDA\xFD\x7D\x12\x5B\x01\x83\x0F\xB9\xB0\x5F\x99\xE1\xF2\x12\x83\x80\x4D\x06\x3E\xDF\xAC\xAF\xE7\xA1\x88\x6B\x31\xAF\xF0\x8B\xD0\x18\x33\xB8\xDB\x45\x6A\x34\xF4\x02\x80\x24\x28\x0A\x02\x15\x95\x5E\x76\x2A\x0D\x99\x3A\x14\x5B\xF6\xCB\xCB\x53\xBC\x13\x4D\x01\x88\x37\x94\x25\x1B\x42\xBC\x22\xD8\x8E\xA3\x96\x5E\x3A\xD9\x32\xDB\x3E\xE8\xF0\x10\x65\xED\x74\xE1\x2F\xA7\x7C\xAF\x27\x34\xBB\x29\x7D\x9B\xB6\xCF\x09\xC8\xE5\xD3\x0A\xFC\x88\x65\x65\x74\x0A\xDC\x73\x1C\x5C\xCD\x40\xB1\x1C\xD4\xB6\x84\x8C\x4C\x50\xCF\x68\x8E\xA8\x59\xAE\xC2\x27\x4E\x82\xA2\x35\xDD\x14\xF4\x1F\xFF\xB2\x77\xD5\x87\x2F\xAA\x6E\x7D\x24\x27\xE7\xC6\xCB\x26\xE6\xE5\xFE\x67\x07\x63\xD8\x45\x0D\xDD\x3A\x59\x65\x39\x58\x7A\x92\x99\x72\x3D\x9C\x84\x5E\x88\x21\xB8\xD5\xF4\x2C\xFC\xD9\x70\x52\x4F\x78\xB8\xBD\x3C\x2B\x8B\x95\x98\xF5\xB3\xD1\x68\xCF\x20\x14\x7E\x4C\x5C\x5F\xE7\x8B\xE5\xF5\x35\x81\x19\x37\xD7\x11\x08\xB7\x66\xBE\xD3\x4A\xCE\x83\x57\x00\x3A\xC3\x81\xF8\x17\xCB\x92\x36\x5D\xD1\xA3\xD8\x75\x1B\xE1\x8B\x27\xEA\x7A\x48\x41\xFD\x45\x19\x06\xAD\x27\x99\x4E\xC1\x70\x47\xDD\xB5\x9F\x81\x53\x12\xE5\xB1\x8C\x48\x5D\x31\x43\x17\xE3\x8C\xC6\x7A\x63\x96\x4B\x29\x30\x4E\x84\x4E\x62\x19\x5E\x3C\xCE\x97\x90\xA5\x7F\x01\xEB\x9D\xE0\xF8\x8B\x89\xDD\x25\x98\x3D\x92\xB6\x7E\xEF\xD9\xF1\x51\x51\x7D\x2D\x26\xC8\x69\x59\x61\xE0\xAC\x6A\xB8\x2A\x36\x11\x04\x7A\x50\xBD\x32\x84\xBE\x2F\xDC\x72\xD5\xD7\x1D\x16\x47\xE4\x47\x66\x20\x3F\xF4\x96\xC5\xAF\x8E\x01\x7A\xA5\x0F\x7A\x64\xF5\x0D\x18\x87\xD9\xAE\x88\xD5\xFA\x84\xC1\x3A\xC0\x69\x28\x2D\xF2\x0D\x68\x51\xAA\xE3\xA5\x77\xC6\xA4\x90\x0E\xA1\x37\x8B\x31\x23\x47\xC1\x09\x08\xEB\x6E\xF7\x78\x9B\xD7\x82\xFC\x84\x20\x99\x49\x19\xB6\x12\x46\xB1\xFB\x45\x55\x16\xA9\xA3\x65\xAC\x9C\x07\x0F\xEA\x6B\xDC\x1F\x2E\x06\x72\xEC\x86\x88\x12\xE4\x2D\xDB\x5F\x05\x2F\xE4\xF0\x03\xD3\x26\x33\xE7\x80\xC2\xCD\x42\xA1\x17\x34\x0B\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30
\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x71\x15\x67\xC8\xC8\xC9\xBD\x75\x5D\x72\xD0\x38\x18\x6A\x9D\xF3\x71\x24\x54\x0B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x75\xBB\x6D\x54\x4B\xAA\x10\x58\x46\x34\xF2\x62\xD7\x16\x36\x5D\x08\x5E\xD5\x6C\xC8\x87\xBD\xB4\x2E\x46\xF2\x31\xF8\x7C\xEA\x42\xB5\x93\x16\x55\xDC\xA1\x0C\x12\xA0\xDA\x61\x7E\x0F\x58\x58\x73\x64\x72\xC7\xE8\x45\x8E\xDC\xA9\xF2\x26\x3F\xC6\x79\x8C\xB1\x53\x08\x33\x81\xB0\x56\x13\xBE\xE6\x51\x5C\xD8\x9B\x0A\x4F\x4B\x9C\x56\x53\x02\xE9\x4F\xF6\x0D\x60\xEA\x4D\x42\x55\xE8\x7C\x1B\x21\x21\xD3\x1B\x3A\xCC\x77\xF2\xB8\x90\xF1\x68\xC7\xF9\x5A\xFE\xFA\x2D\xF4\xBF\xC9\xF5\x45\x1B\xCE\x38\x10\x2A\x37\x8A\x79\xA3\xB4\xE3\x09\x6C\x85\x86\x93\xFF\x89\x96\x27\x78\x81\x8F\x67\xE3\x46\x74\x54\x8E\xD9\x0D\x69\xE2\x4A\xF4\x4D\x74\x03\xFF\xB2\x77\xED\x95\x67\x97\xE4\xB1\xC5\xAB\xBF\x6A\x23\xE8\xD4\x94\xE2\x44\x28\x62\xC4\x4B\xE2\xF0\xD8\xE2\x29\x6B\x1A\x70\x7E\x24\x61\x93\x7B\x4F\x03\x32\x25\x0D\x45\x24\x2B\x96\xB4\x46\x6A\xBF\x4A\x0B\xF7\x9A\x8F\xC1\xAC\x1A\xC5\x67\xF3\x6F\x34\xD2\xFA\x73\x63\x8C\xEF\x16\xB0\xA8\xA4\x46\x2A\xF8\xEB\x12\xEC\x72\xB4\xEF\xF8\x2B\x7E\x8C\x52\xC0\x8B\x84\x54\xF9\x2F\x3E\xE3\x55\xA8\xDC\x66\xB1\xD9\xE1\x5F\xD8\xB3\x8C\x59\x34\x59\xA4\xAB\x4F\x6C\xBB\x1F\x18\xDB\x75\xAB\xD8\xCB\x92\xCD\x94\x38\x61\x0E\x07\x06\x1F\x4B\x46\x10\xF1\x15\xBE\x8D\x85\x5C\x3B\x4A\x2B\x81\x79\x0F\xB4\x69\x9F\x49\x50\x97\x4D\xF7\x0E\x56\x5D\xC0\x95\x6A\xC2\x36\xC3\x1B\x68\xC9\xF5\x2A\xDC\x47\x9A\xBE\xB2\xCE\xC5\x25\xE8\xFA\x03\xB9\xDA\xF9\x16\x6E\x91\x84\xF5\x1C\x28\xC8\xFC\x26\xCC\xD7\x1C\x90\x56\xA7\x5F\x6F\x3A\x04\xBC\xCD\x78\x89\x0B\x8E\x0F\x2F\xA3\xAA\x4F\xA2\x1B\x12\x3D\x16\x08\x40\x0F\xF1\x46\x4C\xD7\xAA\x7B\x08\xC1\x0A\xF5\x6D\x27\xDE\x02\x8F\xCA\xC3\xB5\x2B\xCA\xE9\xEB\xC8\x21\x53\x38\xA5\xCC\x3B\xD8\x77\x37\x30\xA2\x4F\xD9\x6F\xD1\xF2\x40\xAD\x41\x7A\x17\xC5\xD6\x4A\x35\x89\xB7\x41\xD5\x7C\x86
\x7F\x55\x4D\x83\x4A\xA5\x73\x20\xC0\x3A\xAF\x90\xF1\x9A\x24\x8E\xD9\x8E\x71\xCA\x7B\xB8\x86\xDA\xB2\x8F\x99\x3E\x1D\x13\x0D\x12\x11\xEE\xD4\xAB\xF0\xE9\x15\x76\x02\xE4\xE0\xDF\xAA\x20\x1E\x5B\x61\x85\x64\x40\xA9\x90\x97\x0D\xAD\x53\xD2\x5A\x1D\x87\x6A\x00\x97\x65\x62\xB4\xBE\x6F\x6A\xA7\xF5\x2C\x42\xED\x32\xAD\xB6\x21\x9E\xBE\xBC", 
@@ -168,4 +129,19 @@ redef root_certs += { ["CN=OpenTrust Root CA G2,O=OpenTrust,C=FR"] = "\x30\x82\x05\x6F\x30\x82\x03\x57\xA0\x03\x02\x01\x02\x02\x12\x11\x20\xA1\x69\x1B\xBF\xBD\xB9\xBD\x52\x96\x8F\x23\xE8\x48\xBF\x26\x11\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0D\x05\x00\x30\x40\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x4F\x70\x65\x6E\x54\x72\x75\x73\x74\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x0C\x14\x4F\x70\x65\x6E\x54\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x32\x30\x1E\x17\x0D\x31\x34\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x35\x30\x30\x30\x30\x30\x30\x5A\x30\x40\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x4F\x70\x65\x6E\x54\x72\x75\x73\x74\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x0C\x14\x4F\x70\x65\x6E\x54\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xCC\xB6\x57\xA5\x33\x94\x10\x81\x32\x53\xDF\x61\x7E\x0F\x76\x39\xCF\x5C\xC2\x53\x75\x1D\x49\x7A\x96\x38\xDD\xA2\x73\x6A\xF1\x6F\xDE\x5E\xA2\x5A\xB9\x71\x21\xBE\x36\xD9\xA1\xFC\xBC\xEE\x6C\xA8\x7C\x34\x1A\x71\x1A\xE8\x1A\xD8\x5F\x0E\x44\x06\xED\xA7\xE0\xF3\xD2\x61\x0B\xE0\x32\xA2\x96\xD1\x38\xF0\xC2\xDA\x01\x17\xFC\xE4\xAC\x4F\xE8\xEE\x89\x1E\x74\xAB\x4F\xBF\x1E\x09\xB6\x36\x6A\x56\xF3\xE1\xEE\x96\x89\x66\x24\x06\xE4\xCD\x42\x3A\x4A\xDD\xE0\x9A\xB0\xC4\x82\x45\xB3\xFE\xC9\xAB\x5C\x7C\x3E\xC9\xEB\x17\x2F\x0C\x7D\x6E\xAE\xA5\x8F\xC8\xAC\x25\x0A\x6F\xFA\xD5\x45\x98\xD2\x35\x09\xF6\x03\x43\x94\xFE\xD9\xBF\x20\x95\x79\x80\x98\x8A\xD9\x89\x35\xBB\x51\x1B\xA4\x37\x7D\xFC\x99\x3B\xAB\xFF\xBF\xAC\x0D\x8F\x43\xB1\x99\x7B\x16\x10\x7E\x1D\x6F\x47\xC4\x15\x8F\x04\x96\x08\x06\x42\x04\xF8\x84\xD6\x1D\xBC\x91\xA6\x42\xBE\x49\xD5\x6A\x88\x3F\xBC\x2D\x51\xD1\x9E\x8D\xE0\x52\xCC\x57\xDD\x35\x35\x58\xDB\xB4\x8F\x24\x88\xE4\x8B\xDF\xDC\
x6B\x54\xD2\x81\x2B\xB2\xCE\x92\x4B\x1C\x1F\x46\xFA\x1D\xD8\x92\xCB\x76\x67\xB5\x09\x99\x09\xE5\xAC\x17\x14\x55\x70\xC6\x3C\xA0\x56\x0A\x03\xB3\xDC\x62\x19\xDF\xC8\xB5\x30\x7F\xF5\x3C\x26\x75\x11\xBD\xD7\x1B\xB3\x87\x9E\x07\xAF\x65\x71\xE5\xA0\xCF\x1A\xA7\x09\x10\x1D\x93\x89\x66\x5B\xE8\x3C\x62\x32\xB5\xB5\x3A\x6E\xE9\x85\x01\x8B\x9E\x43\x8C\x67\x73\x28\x59\x5B\xEB\xE3\xDC\x2C\xCC\xA5\x26\x72\x62\x12\xB4\xE6\x9C\x83\x44\xF6\x51\xA4\xE2\xC0\x7A\x24\x57\xCA\x0E\xA5\x3F\x3A\xB5\x3B\x8B\xE5\x76\xEE\x70\xE6\x92\xDE\x16\x5C\x28\x5B\x97\x19\x27\x92\xFE\x7A\x92\x54\xCE\x93\x39\x0A\x16\x87\xBC\x63\xB3\xF5\xB1\x93\x5C\xE0\x6E\xB7\xD0\xEA\xF9\x62\x32\x88\x44\xFB\xBF\x27\x28\xB6\x30\x95\x5D\x12\x28\xB9\x95\xBE\x8F\x53\x18\xE5\xA2\x18\x16\xE2\x56\xA4\xB2\x2C\x10\xF5\x1D\x37\xA6\xF8\xB7\xF6\xD0\x59\x5C\x89\xF7\xC2\xD5\xB5\x94\x74\xD1\xD5\xFE\x1B\xB6\xF0\xE6\xD6\x1E\x7B\xD2\x3C\xCB\xA8\xE3\xF5\x18\xF3\x21\x1F\x6E\xEF\x4D\x68\x06\x7B\x2D\x5D\x6E\x43\x89\xA6\xC0\xF9\xA0\xBF\x82\x1E\xCF\x53\x7F\xB4\xEB\x2C\xDB\x5D\xF6\x6A\x7D\x40\x24\x05\x72\x89\x38\x01\x93\xCB\x71\xC2\x39\x5D\x06\x11\xF6\x6F\x78\xF8\x37\x0D\x39\x84\x27\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x6A\x39\xFA\x42\x22\xF7\xE6\x89\x00\x4D\x5E\x7D\x33\x83\xCB\xB8\x6E\x77\x86\xAF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x6A\x39\xFA\x42\x22\xF7\xE6\x89\x00\x4D\x5E\x7D\x33\x83\xCB\xB8\x6E\x77\x86\xAF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0D\x05\x00\x03\x82\x02\x01\x00\x98\xCB\xAB\x40\x3C\xE5\x33\x02\x97\x7F\x2D\x87\xA6\x8F\xD4\x5E\x4A\xAF\xB8\x1E\xE7\xBB\x71\xFB\x80\x64\x25\xA9\xB3\x1A\x3E\x68\x5D\x27\x26\xA7\xBA\x2A\xE1\xF0\x57\x83\x0A\x64\x4F\x1E\x22\x74\x1B\xE9\x90\x5F\xF0\xAC\xCF\xFF\x4F\x68\x7A\x38\xA4\x10\x6C\x0D\xB1\xC7\xA4\x77\x80\x18\xB6\xA2\x28\x44\x76\xA7\x34\x9D\x71\x84\x2F\xCA\x59\xD2\x47\x88\x99\x41\x22\xC9\x30\x98\x61\x6E\
x3D\xA8\xA8\x05\x6D\xD1\x1F\xC0\x51\x44\x56\x7F\x27\x35\x02\xDD\x5E\x98\x0A\x42\xEB\x30\xBF\x8D\xA1\x9B\x51\xAA\x3B\xEA\x93\x46\x64\xC5\x00\x79\xDE\x21\x6B\xF6\x57\xA0\x86\xD7\x06\x72\xEC\x70\x46\x4B\x8B\x73\xDD\xA0\x21\x75\x3E\xDC\x1D\xC0\x8F\xD3\x4F\x73\x1C\x85\xD9\xFE\x7F\x62\xC8\x95\x6F\xB6\xD3\x7B\x8C\xBA\x53\xC2\x6F\x9B\x44\x4C\x79\xD0\x1D\x70\xB3\xD7\x9F\x02\xF4\xB2\x07\xB0\xC7\xE5\xF8\xAD\x23\x0E\xA6\x56\xC9\x29\x12\x77\x48\xD9\x2F\x46\xFD\x3B\xF0\xFC\x74\x70\x92\xA5\x8E\x38\x08\x1F\x64\x30\xB6\xB7\x4B\xFB\x36\xAC\x10\x8E\xA0\x52\x33\x63\x9D\x03\x35\x56\xC5\x69\xBD\xC6\x23\x5A\x27\x94\xF6\xA4\x12\xF8\x2D\x33\x3C\xA1\x56\xA5\x5F\xD6\x19\xE9\xED\x7C\x08\xBD\x77\xCD\x27\x64\xCC\x94\xDA\x4E\x46\x50\x87\xE0\xF9\xC1\x53\x80\x1E\xBB\xAD\xFB\x47\x52\x8B\x1B\xFD\xA2\xF9\xDE\x0E\x22\xB7\x3D\x33\x59\x6C\xD4\xDE\xF5\x95\x06\x32\x0D\x51\x19\x41\x5C\x3E\x4F\x06\xF7\xB9\x2B\x80\x27\xF6\xA3\xAA\x7A\x7C\x06\xE1\x43\xC3\x13\x39\x62\x1A\x36\xBD\xE0\x28\x2E\x94\x02\xE4\x29\x2E\x60\x55\xAE\x40\x3D\xB0\x74\x92\x5E\xF0\x20\x64\x96\x3F\x5F\x45\x5D\x88\xB5\x8A\xDA\x02\xA0\x5B\x45\x54\xDE\x38\x3D\x09\xC0\xA8\x4A\x65\x46\x16\xFC\xAA\xBF\x54\x4E\x4D\x5B\xBE\x38\x43\xB7\x28\xCA\x8B\x33\xAA\x1A\x25\xBA\x25\x5C\x29\x2F\x5B\x4A\x6E\x8C\xEA\x2D\x9C\x2A\xF6\x05\x76\xE0\x77\x97\x80\x88\xDD\x67\x13\x6F\x1D\x68\x24\x8B\x4F\xB7\x74\x81\xE5\xF4\x60\x9F\x7A\x55\xD7\x3E\x37\xDA\x16\x6B\x3E\x77\xAC\xAE\x18\x70\x95\x08\x79\x29\x03\x8A\xFE\xC1\x3B\xB3\x3F\x1A\x0F\xA4\x3B\x5E\x1F\x58\xA1\x95\xC9\xAB\x2F\x73\x4A\xD0\x2D\x6E\x9A\x59\x0F\x55\x18\x78\x2D\x3C\x51\xA6\x97\x8B\xE6\xBB\xB2\x70\xAA\x4C\x11\xDE\xFF\x7C\x2B\x37\xD4\x7A\xD1\x77\x34\x8F\xE7\xF9\x42\xF7\x3C\x81\x0C\x4B\x52\x0A", ["CN=OpenTrust Root CA G3,O=OpenTrust,C=FR"] = 
"\x30\x82\x02\x21\x30\x82\x01\xA6\xA0\x03\x02\x01\x02\x02\x12\x11\x20\xE6\xF8\x4C\xFC\x24\xB0\xBE\x05\x40\xAC\xDA\x83\x1B\x34\x60\x3F\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x40\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x4F\x70\x65\x6E\x54\x72\x75\x73\x74\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x0C\x14\x4F\x70\x65\x6E\x54\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x33\x30\x1E\x17\x0D\x31\x34\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x35\x30\x30\x30\x30\x30\x30\x5A\x30\x40\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x4F\x70\x65\x6E\x54\x72\x75\x73\x74\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x0C\x14\x4F\x70\x65\x6E\x54\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x33\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x4A\xEE\x58\xAE\x4D\xCA\x66\xDE\x06\x3A\xA3\x11\xFC\xE0\x18\xF0\x6E\x1C\xBA\x2D\x30\x0C\x89\xD9\xD6\xEE\x9B\x73\x83\xA9\x23\x15\x8C\x2F\x59\x8A\x5A\xDD\x14\xEA\x9D\x59\x2B\x43\xB7\x06\xEC\x32\xB6\xBA\xEE\x41\xB5\xAD\x5D\xA1\x85\xCC\xEA\x1D\x14\x66\xA3\x67\x7E\x46\xE2\x94\xF3\xE7\xB6\x56\xA1\x15\x59\xA1\x4F\x37\x97\xB9\x22\x1E\xBD\x11\xEB\xF4\xB2\x1F\x5E\xC3\x14\x9A\xE5\xD9\x97\x99\xA3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x47\x77\xC3\x14\x8B\x62\x39\x0C\xC9\x6F\xE1\x50\x4D\xD0\x10\x58\xDC\x95\x88\x6D\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x47\x77\xC3\x14\x8B\x62\x39\x0C\xC9\x6F\xE1\x50\x4D\xD0\x10\x58\xDC\x95\x88\x6D\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x69\x00\x30\x66\x02\x31\x00\x8F\xA8\xDC\x9D\xBA\x0C\x04\x17\xFA\x15\xE9\x3D\x2F\x29\x01\x97\xBF\x81\x16\x33\x40\x93\x6C\xFC\xF9\xED\x80\x70\x6F\xAA\x8F\xDB\x84\xC2\x8B\xF5\x35\xCA\x06\xDC\x64\x6F\x68\x16\xE1\x8F\x91\xB9\x02\x3
1\x00\xD8\x4B\xA5\xCB\xC2\xD0\x08\x6C\xE9\x18\xFB\x5A\xDD\x4D\x5F\x24\x0B\xB0\x00\x21\x25\xEF\x8F\xA7\x04\x26\x71\xE2\x7C\x69\xE5\x5D\x9A\xF8\x41\x1F\x3B\x39\x93\x93\x9D\x55\xEA\xCD\x8D\xF1\xFB\xC1", ["CN=ISRG Root X1,O=Internet Security Research Group,C=US"] = "\x30\x82\x05\x6B\x30\x82\x03\x53\xA0\x03\x02\x01\x02\x02\x11\x00\x82\x10\xCF\xB0\xD2\x40\xE3\x59\x44\x63\xE0\xBB\x63\x82\x8B\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x4F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x29\x30\x27\x06\x03\x55\x04\x0A\x13\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x47\x72\x6F\x75\x70\x31\x15\x30\x13\x06\x03\x55\x04\x03\x13\x0C\x49\x53\x52\x47\x20\x52\x6F\x6F\x74\x20\x58\x31\x30\x1E\x17\x0D\x31\x35\x30\x36\x30\x34\x31\x31\x30\x34\x33\x38\x5A\x17\x0D\x33\x35\x30\x36\x30\x34\x31\x31\x30\x34\x33\x38\x5A\x30\x4F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x29\x30\x27\x06\x03\x55\x04\x0A\x13\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x47\x72\x6F\x75\x70\x31\x15\x30\x13\x06\x03\x55\x04\x03\x13\x0C\x49\x53\x52\x47\x20\x52\x6F\x6F\x74\x20\x58\x31\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xAD\xE8\x24\x73\xF4\x14\x37\xF3\x9B\x9E\x2B\x57\x28\x1C\x87\xBE\xDC\xB7\xDF\x38\x90\x8C\x6E\x3C\xE6\x57\xA0\x78\xF7\x75\xC2\xA2\xFE\xF5\x6A\x6E\xF6\x00\x4F\x28\xDB\xDE\x68\x86\x6C\x44\x93\xB6\xB1\x63\xFD\x14\x12\x6B\xBF\x1F\xD2\xEA\x31\x9B\x21\x7E\xD1\x33\x3C\xBA\x48\xF5\xDD\x79\xDF\xB3\xB8\xFF\x12\xF1\x21\x9A\x4B\xC1\x8A\x86\x71\x69\x4A\x66\x66\x6C\x8F\x7E\x3C\x70\xBF\xAD\x29\x22\x06\xF3\xE4\xC0\xE6\x80\xAE\xE2\x4B\x8F\xB7\x99\x7E\x94\x03\x9F\xD3\x47\x97\x7C\x99\x48\x23\x53\xE8\x38\xAE\x4F\x0A\x6F\x83\x2E\xD1\x49\x57\x8C\x80\x74\xB6\xDA\x2F\xD0\x38\x8D\x7B\x03\x70\x21\x1B\x75\xF2\x30\x3C\xFA\x8F\xAE\xDD\xDA\x63\xAB\xEB\x16\x4F\xC2\
x8E\x11\x4B\x7E\xCF\x0B\xE8\xFF\xB5\x77\x2E\xF4\xB2\x7B\x4A\xE0\x4C\x12\x25\x0C\x70\x8D\x03\x29\xA0\xE1\x53\x24\xEC\x13\xD9\xEE\x19\xBF\x10\xB3\x4A\x8C\x3F\x89\xA3\x61\x51\xDE\xAC\x87\x07\x94\xF4\x63\x71\xEC\x2E\xE2\x6F\x5B\x98\x81\xE1\x89\x5C\x34\x79\x6C\x76\xEF\x3B\x90\x62\x79\xE6\xDB\xA4\x9A\x2F\x26\xC5\xD0\x10\xE1\x0E\xDE\xD9\x10\x8E\x16\xFB\xB7\xF7\xA8\xF7\xC7\xE5\x02\x07\x98\x8F\x36\x08\x95\xE7\xE2\x37\x96\x0D\x36\x75\x9E\xFB\x0E\x72\xB1\x1D\x9B\xBC\x03\xF9\x49\x05\xD8\x81\xDD\x05\xB4\x2A\xD6\x41\xE9\xAC\x01\x76\x95\x0A\x0F\xD8\xDF\xD5\xBD\x12\x1F\x35\x2F\x28\x17\x6C\xD2\x98\xC1\xA8\x09\x64\x77\x6E\x47\x37\xBA\xCE\xAC\x59\x5E\x68\x9D\x7F\x72\xD6\x89\xC5\x06\x41\x29\x3E\x59\x3E\xDD\x26\xF5\x24\xC9\x11\xA7\x5A\xA3\x4C\x40\x1F\x46\xA1\x99\xB5\xA7\x3A\x51\x6E\x86\x3B\x9E\x7D\x72\xA7\x12\x05\x78\x59\xED\x3E\x51\x78\x15\x0B\x03\x8F\x8D\xD0\x2F\x05\xB2\x3E\x7B\x4A\x1C\x4B\x73\x05\x12\xFC\xC6\xEA\xE0\x50\x13\x7C\x43\x93\x74\xB3\xCA\x74\xE7\x8E\x1F\x01\x08\xD0\x30\xD4\x5B\x71\x36\xB4\x07\xBA\xC1\x30\x30\x5C\x48\xB7\x82\x3B\x98\xA6\x7D\x60\x8A\xA2\xA3\x29\x82\xCC\xBA\xBD\x83\x04\x1B\xA2\x83\x03\x41\xA1\xD6\x05\xF1\x1B\xC2\xB6\xF0\xA8\x7C\x86\x3B\x46\xA8\x48\x2A\x88\xDC\x76\x9A\x76\xBF\x1F\x6A\xA5\x3D\x19\x8F\xEB\x38\xF3\x64\xDE\xC8\x2B\x0D\x0A\x28\xFF\xF7\xDB\xE2\x15\x42\xD4\x22\xD0\x27\x5D\xE1\x79\xFE\x18\xE7\x70\x88\xAD\x4E\xE6\xD9\x8B\x3A\xC6\xDD\x27\x51\x6E\xFF\xBC\x64\xF5\x33\x43\x4F\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x79\xB4\x59\xE6\x7B\xB6\xE5\xE4\x01\x73\x80\x08\x88\xC8\x1A\x58\xF6\xE9\x9B\x6E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x55\x1F\x58\xA9\xBC\xB2\xA8\x50\xD0\x0C\xB1\xD8\x1A\x69\x20\x27\x29\x08\xAC\x61\x75\x5C\x8A\x6E\xF8\x82\xE5\x69\x2F\xD5\xF6\x56\x4B\xB9\xB8\x73\x10\x59\xD3\x21\x97\x7E\xE7\x4C\x71\xFB\xB2\xD2\x60\xAD\x39\xA8\x0B\xEA\x17\
x21\x56\x85\xF1\x50\x0E\x59\xEB\xCE\xE0\x59\xE9\xBA\xC9\x15\xEF\x86\x9D\x8F\x84\x80\xF6\xE4\xE9\x91\x90\xDC\x17\x9B\x62\x1B\x45\xF0\x66\x95\xD2\x7C\x6F\xC2\xEA\x3B\xEF\x1F\xCF\xCB\xD6\xAE\x27\xF1\xA9\xB0\xC8\xAE\xFD\x7D\x7E\x9A\xFA\x22\x04\xEB\xFF\xD9\x7F\xEA\x91\x2B\x22\xB1\x17\x0E\x8F\xF2\x8A\x34\x5B\x58\xD8\xFC\x01\xC9\x54\xB9\xB8\x26\xCC\x8A\x88\x33\x89\x4C\x2D\x84\x3C\x82\xDF\xEE\x96\x57\x05\xBA\x2C\xBB\xF7\xC4\xB7\xC7\x4E\x3B\x82\xBE\x31\xC8\x22\x73\x73\x92\xD1\xC2\x80\xA4\x39\x39\x10\x33\x23\x82\x4C\x3C\x9F\x86\xB2\x55\x98\x1D\xBE\x29\x86\x8C\x22\x9B\x9E\xE2\x6B\x3B\x57\x3A\x82\x70\x4D\xDC\x09\xC7\x89\xCB\x0A\x07\x4D\x6C\xE8\x5D\x8E\xC9\xEF\xCE\xAB\xC7\xBB\xB5\x2B\x4E\x45\xD6\x4A\xD0\x26\xCC\xE5\x72\xCA\x08\x6A\xA5\x95\xE3\x15\xA1\xF7\xA4\xED\xC9\x2C\x5F\xA5\xFB\xFF\xAC\x28\x02\x2E\xBE\xD7\x7B\xBB\xE3\x71\x7B\x90\x16\xD3\x07\x5E\x46\x53\x7C\x37\x07\x42\x8C\xD3\xC4\x96\x9C\xD5\x99\xB5\x2A\xE0\x95\x1A\x80\x48\xAE\x4C\x39\x07\xCE\xCC\x47\xA4\x52\x95\x2B\xBA\xB8\xFB\xAD\xD2\x33\x53\x7D\xE5\x1D\x4D\x6D\xD5\xA1\xB1\xC7\x42\x6F\xE6\x40\x27\x35\x5C\xA3\x28\xB7\x07\x8D\xE7\x8D\x33\x90\xE7\x23\x9F\xFB\x50\x9C\x79\x6C\x46\xD5\xB4\x15\xB3\x96\x6E\x7E\x9B\x0C\x96\x3A\xB8\x52\x2D\x3F\xD6\x5B\xE1\xFB\x08\xC2\x84\xFE\x24\xA8\xA3\x89\xDA\xAC\x6A\xE1\x18\x2A\xB1\xA8\x43\x61\x5B\xD3\x1F\xDC\x3B\x8D\x76\xF2\x2D\xE8\x8D\x75\xDF\x17\x33\x6C\x3D\x53\xFB\x7B\xCB\x41\x5F\xFF\xDC\xA2\xD0\x61\x38\xE1\x96\xB8\xAC\x5D\x8B\x37\xD7\x75\xD5\x33\xC0\x99\x11\xAE\x9D\x41\xC1\x72\x75\x84\xBE\x02\x41\x42\x5F\x67\x24\x48\x94\xD1\x9B\x27\xBE\x07\x3F\xB9\xB8\x4F\x81\x74\x51\xE1\x7A\xB7\xED\x9D\x23\xE2\xBE\xE0\xD5\x28\x04\x13\x3C\x31\x03\x9E\xDD\x7A\x6C\x8F\xC6\x07\x18\xC6\x7F\xDE\x47\x8E\x3F\x28\x9E\x04\x06\xCF\xA5\x54\x34\x77\xBD\xEC\x89\x9B\xE9\x17\x43\xDF\x5B\xDB\x5F\xFE\x8E\x1E\x57\xA2\xCD\x40\x9D\x7E\x62\x22\xDA\xDE\x18\x27", + ["OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES"] = 
"\x30\x82\x05\x83\x30\x82\x03\x6B\xA0\x03\x02\x01\x02\x02\x0F\x5D\x93\x8D\x30\x67\x36\xC8\x06\x1D\x1A\xC7\x54\x84\x69\x07\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x3B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x0C\x08\x46\x4E\x4D\x54\x2D\x52\x43\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x0C\x10\x41\x43\x20\x52\x41\x49\x5A\x20\x46\x4E\x4D\x54\x2D\x52\x43\x4D\x30\x1E\x17\x0D\x30\x38\x31\x30\x32\x39\x31\x35\x35\x39\x35\x36\x5A\x17\x0D\x33\x30\x30\x31\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x30\x3B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x0C\x08\x46\x4E\x4D\x54\x2D\x52\x43\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x0C\x10\x41\x43\x20\x52\x41\x49\x5A\x20\x46\x4E\x4D\x54\x2D\x52\x43\x4D\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xBA\x71\x80\x7A\x4C\x86\x6E\x7F\xC8\x13\x6D\xC0\xC6\x7D\x1C\x00\x97\x8F\x2C\x0C\x23\xBB\x10\x9A\x40\xA9\x1A\xB7\x87\x88\xF8\x9B\x56\x6A\xFB\xE6\x7B\x8E\x8B\x92\x8E\xA7\x25\x5D\x59\x11\xDB\x36\x2E\xB7\x51\x17\x1F\xA9\x08\x1F\x04\x17\x24\x58\xAA\x37\x4A\x18\xDF\xE5\x39\xD4\x57\xFD\xD7\xC1\x2C\x91\x01\x91\xE2\x22\xD4\x03\xC0\x58\xFC\x77\x47\xEC\x8F\x3E\x74\x43\xBA\xAC\x34\x8D\x4D\x38\x76\x67\x8E\xB0\xC8\x6F\x30\x33\x58\x71\x5C\xB4\xF5\x6B\x6E\xD4\x01\x50\xB8\x13\x7E\x6C\x4A\xA3\x49\xD1\x20\x19\xEE\xBC\xC0\x29\x18\x65\xA7\xDE\xFE\xEF\xDD\x0A\x90\x21\xE7\x1A\x67\x92\x42\x10\x98\x5F\x4F\x30\xBC\x3E\x1C\x45\xB4\x10\xD7\x68\x40\x14\xC0\x40\xFA\xE7\x77\x17\x7A\xE6\x0B\x8F\x65\x5B\x3C\xD9\x9A\x52\xDB\xB5\xBD\x9E\x46\xCF\x3D\xEB\x91\x05\x02\xC0\x96\xB2\x76\x4C\x4D\x10\x96\x3B\x92\xFA\x9C\x7F\x0F\x99\xDF\xBE\x23\x35\x45\x1E\x02\x5C\xFE\xB5\xA8\x9B\x99\x25\xDA\x5E\xF3\x22\xC3\x39\xF5\xE4\x2A\x2E\xD3\xC6\x1F\xC4\x6C\xAA\xC5\x1C\x6A\x01\x05\x4A\x2F\xD2\xC5\xC1\xA8\x34\x26\x5D\x66\xA5\xD2\x02\x21\xF9\x18\xB7\x06\xF5\x4E\x99\x6F\xA8\xAB\x4C\x51\xE8\xCF\x50\x18\xC5\x77\xC
8\x39\x09\x2C\x49\x92\x32\x99\xA8\xBB\x17\x17\x79\xB0\x5A\xC5\xE6\xA3\xC4\x59\x65\x47\x35\x83\x5E\xA9\xE8\x35\x0B\x99\xBB\xE4\xCD\x20\xC6\x9B\x4A\x06\x39\xB5\x68\xFC\x22\xBA\xEE\x55\x8C\x2B\x4E\xEA\xF3\xB1\xE3\xFC\xB6\x99\x9A\xD5\x42\xFA\x71\x4D\x08\xCF\x87\x1E\x6A\x71\x7D\xF9\xD3\xB4\xE9\xA5\x71\x81\x7B\xC2\x4E\x47\x96\xA5\xF6\x76\x85\xA3\x28\x8F\xE9\x80\x6E\x81\x53\xA5\x6D\x5F\xB8\x48\xF9\xC2\xF9\x36\xA6\x2E\x49\xFF\xB8\x96\xC2\x8C\x07\xB3\x9B\x88\x58\xFC\xEB\x1B\x1C\xDE\x2D\x70\xE2\x97\x92\x30\xA1\x89\xE3\xBC\x55\xA8\x27\xD6\x4B\xED\x90\xAD\x8B\xFA\x63\x25\x59\x2D\xA8\x35\xDD\xCA\x97\x33\xBC\xE5\xCD\xC7\x9D\xD1\xEC\xEF\x5E\x0E\x4A\x90\x06\x26\x63\xAD\xB9\xD9\x35\x2D\x07\xBA\x76\x65\x2C\xAC\x57\x8F\x7D\xF4\x07\x94\xD7\x81\x02\x96\x5D\xA3\x07\x49\xD5\x7A\xD0\x57\xF9\x1B\xE7\x53\x46\x75\xAA\xB0\x79\x42\xCB\x68\x71\x08\xE9\x60\xBD\x39\x69\xCE\xF4\xAF\xC3\x56\x40\xC7\xAD\x52\xA2\x09\xE4\x6F\x86\x47\x8A\x1F\xEB\x28\x27\x5D\x83\x20\xAF\x04\xC9\x6C\x56\x9A\x8B\x46\xF5\x02\x03\x01\x00\x01\xA3\x81\x83\x30\x81\x80\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xF7\x7D\xC5\xFD\xC4\xE8\x9A\x1B\x77\x64\xA7\xF5\x1D\xA0\xCC\xBF\x87\x60\x9A\x6D\x30\x3E\x06\x03\x55\x1D\x20\x04\x37\x30\x35\x30\x33\x06\x04\x55\x1D\x20\x00\x30\x2B\x30\x29\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x1D\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x65\x72\x74\x2E\x66\x6E\x6D\x74\x2E\x65\x73\x2F\x64\x70\x63\x73\x2F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x07\x90\x4A\xDF\xF3\x23\x4E\xF0\xC3\x9C\x51\x65\x9B\x9C\x22\xA2\x8A\x0C\x85\xF3\x73\x29\x6B\x4D\xFE\x01\xE2\xA9\x0C\x63\x01\xBF\x04\x67\xA5\x9D\x98\x5F\xFD\x01\x13\xFA\xEC\x9A\x62\xE9\x86\xFE\xB6\x62\xD2\x6E\x4C\x94\xFB\xC0\x75\x45\x7C\x65\x0C\xF8\xB2\x37\xCF\xAC\x0F\xCF\x8D\x6F\xF9\x19\xF7\x8F\xEC\x1E\xF2\x70\x9E\xF0\xCA\xB8\xEF\xB7\xFF\x76\x37\x76\x5B\xF6\x6E\x88\xF3\xAF\x62\x32\x2
2\x93\x0D\x3A\x6A\x8E\x14\x66\x0C\x2D\x53\x74\x57\x65\x1E\xD5\xB2\xDD\x23\x81\x3B\xA5\x66\x23\x27\x67\x09\x8F\xE1\x77\xAA\x43\xCD\x65\x51\x08\xED\x51\x58\xFE\xE6\x39\xF9\xCB\x47\x84\xA4\x15\xF1\x76\xBB\xA4\xEE\xA4\x3B\xC4\x5F\xEF\xB2\x33\x96\x11\x18\xB7\xC9\x65\xBE\x18\xE1\xA3\xA4\xDC\xFA\x18\xF9\xD3\xBC\x13\x9B\x39\x7A\x34\xBA\xD3\x41\xFB\xFA\x32\x8A\x2A\xB7\x2B\x86\x0B\x69\x83\x38\xBE\xCD\x8A\x2E\x0B\x70\xAD\x8D\x26\x92\xEE\x1E\xF5\x01\x2B\x0A\xD9\xD6\x97\x9B\x6E\xE0\xA8\x19\x1C\x3A\x21\x8B\x0C\x1E\x40\xAD\x03\xE7\xDD\x66\x7E\xF5\xB9\x20\x0D\x03\xE8\x96\xF9\x82\x45\xD4\x39\xE0\xA0\x00\x5D\xD7\x98\xE6\x7D\x9E\x67\x73\xC3\x9A\x2A\xF7\xAB\x8B\xA1\x3A\x14\xEF\x34\xBC\x52\x0E\x89\x98\x9A\x04\x40\x84\x1D\x7E\x45\x69\x93\x57\xCE\xEB\xCE\xF8\x50\x7C\x4F\x1C\x6E\x04\x43\x9B\xF9\xD6\x3B\x23\x18\xE9\xEA\x8E\xD1\x4D\x46\x8D\xF1\x3B\xE4\x6A\xCA\xBA\xFB\x23\xB7\x9B\xFA\x99\x01\x29\x5A\x58\x5A\x2D\xE3\xF9\xD4\x6D\x0E\x26\xAD\xC1\x6E\x34\xBC\x32\xF8\x0C\x05\xFA\x65\xA3\xDB\x3B\x37\x83\x22\xE9\xD6\xDC\x72\x33\xFD\x5D\xF2\x20\xBD\x76\x3C\x23\xDA\x28\xF7\xF9\x1B\xEB\x59\x64\xD5\xDC\x5F\x72\x7E\x20\xFC\xCD\x89\xB5\x90\x67\x4D\x62\x7A\x3F\x4E\xAD\x1D\xC3\x39\xFE\x7A\xF4\x28\x16\xDF\x41\xF6\x48\x80\x05\xD7\x0F\x51\x79\xAC\x10\xAB\xD4\xEC\x03\x66\xE6\x6A\xB0\xBA\x31\x92\x42\x40\x6A\xBE\x3A\xD3\x72\xE1\x6A\x37\x55\xBC\xAC\x1D\x95\xB7\x69\x61\xF2\x43\x91\x74\xE6\xA0\xD3\x0A\x24\x46\xA1\x08\xAF\xD6\xDA\x45\x19\x96\xD4\x53\x1D\x5B\x84\x79\xF0\xC0\xF7\x47\xEF\x8B\x8F\xC5\x06\xAE\x9D\x4C\x62\x9D\xFF\x46\x04\xF8\xD3\xC9\xB6\x10\x25\x40\x75\xFE\x16\xAA\xC9\x4A\x60\x86\x2F\xBA\xEF\x30\x77\xE4\x54\xE2\xB8\x84\x99\x58\x80\xAA\x13\x8B\x51\x3A\x4F\x48\xF6\x8B\xB6\xB3", + ["CN=Amazon Root CA 1,O=Amazon,C=US"] = 
"\x30\x82\x03\x41\x30\x82\x02\x29\xA0\x03\x02\x01\x02\x02\x13\x06\x6C\x9F\xCF\x99\xBF\x8C\x0A\x39\xE2\xF0\x78\x8A\x43\xE6\x96\x36\x5B\xCA\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x41\x6D\x61\x7A\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x41\x6D\x61\x7A\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x1E\x17\x0D\x31\x35\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x37\x30\x30\x30\x30\x30\x30\x5A\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x41\x6D\x61\x7A\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x41\x6D\x61\x7A\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB2\x78\x80\x71\xCA\x78\xD5\xE3\x71\xAF\x47\x80\x50\x74\x7D\x6E\xD8\xD7\x88\x76\xF4\x99\x68\xF7\x58\x21\x60\xF9\x74\x84\x01\x2F\xAC\x02\x2D\x86\xD3\xA0\x43\x7A\x4E\xB2\xA4\xD0\x36\xBA\x01\xBE\x8D\xDB\x48\xC8\x07\x17\x36\x4C\xF4\xEE\x88\x23\xC7\x3E\xEB\x37\xF5\xB5\x19\xF8\x49\x68\xB0\xDE\xD7\xB9\x76\x38\x1D\x61\x9E\xA4\xFE\x82\x36\xA5\xE5\x4A\x56\xE4\x45\xE1\xF9\xFD\xB4\x16\xFA\x74\xDA\x9C\x9B\x35\x39\x2F\xFA\xB0\x20\x50\x06\x6C\x7A\xD0\x80\xB2\xA6\xF9\xAF\xEC\x47\x19\x8F\x50\x38\x07\xDC\xA2\x87\x39\x58\xF8\xBA\xD5\xA9\xF9\x48\x67\x30\x96\xEE\x94\x78\x5E\x6F\x89\xA3\x51\xC0\x30\x86\x66\xA1\x45\x66\xBA\x54\xEB\xA3\xC3\x91\xF9\x48\xDC\xFF\xD1\xE8\x30\x2D\x7D\x2D\x74\x70\x35\xD7\x88\x24\xF7\x9E\xC4\x59\x6E\xBB\x73\x87\x17\xF2\x32\x46\x28\xB8\x43\xFA\xB7\x1D\xAA\xCA\xB4\xF2\x9F\x24\x0E\x2D\x4B\xF7\x71\x5C\x5E\x69\xFF\xEA\x95\x02\xCB\x38\x8A\xAE\x50\x38\x6F\xDB\xFB\x2D\x62\x1B\xC5\xC7\x1E\x54\xE1\x77\xE0\x67\xC8\x0F\x9C\x87\x23\xD6\x3F\x40\x20\x7F\x20\x80\xC4\x80\x4C\x3E\x3B\x24\x26\x8E\x04\xAE\x6C\x9A\xC8\xAA\x0D\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x0
6\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x84\x18\xCC\x85\x34\xEC\xBC\x0C\x94\x94\x2E\x08\x59\x9C\xC7\xB2\x10\x4E\x0A\x08\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x98\xF2\x37\x5A\x41\x90\xA1\x1A\xC5\x76\x51\x28\x20\x36\x23\x0E\xAE\xE6\x28\xBB\xAA\xF8\x94\xAE\x48\xA4\x30\x7F\x1B\xFC\x24\x8D\x4B\xB4\xC8\xA1\x97\xF6\xB6\xF1\x7A\x70\xC8\x53\x93\xCC\x08\x28\xE3\x98\x25\xCF\x23\xA4\xF9\xDE\x21\xD3\x7C\x85\x09\xAD\x4E\x9A\x75\x3A\xC2\x0B\x6A\x89\x78\x76\x44\x47\x18\x65\x6C\x8D\x41\x8E\x3B\x7F\x9A\xCB\xF4\xB5\xA7\x50\xD7\x05\x2C\x37\xE8\x03\x4B\xAD\xE9\x61\xA0\x02\x6E\xF5\xF2\xF0\xC5\xB2\xED\x5B\xB7\xDC\xFA\x94\x5C\x77\x9E\x13\xA5\x7F\x52\xAD\x95\xF2\xF8\x93\x3B\xDE\x8B\x5C\x5B\xCA\x5A\x52\x5B\x60\xAF\x14\xF7\x4B\xEF\xA3\xFB\x9F\x40\x95\x6D\x31\x54\xFC\x42\xD3\xC7\x46\x1F\x23\xAD\xD9\x0F\x48\x70\x9A\xD9\x75\x78\x71\xD1\x72\x43\x34\x75\x6E\x57\x59\xC2\x02\x5C\x26\x60\x29\xCF\x23\x19\x16\x8E\x88\x43\xA5\xD4\xE4\xCB\x08\xFB\x23\x11\x43\xE8\x43\x29\x72\x62\xA1\xA9\x5D\x5E\x08\xD4\x90\xAE\xB8\xD8\xCE\x14\xC2\xD0\x55\xF2\x86\xF6\xC4\x93\x43\x77\x66\x61\xC0\xB9\xE8\x41\xD7\x97\x78\x60\x03\x6E\x4A\x72\xAE\xA5\xD1\x7D\xBA\x10\x9E\x86\x6C\x1B\x8A\xB9\x59\x33\xF8\xEB\xC4\x90\xBE\xF1\xB9", + ["CN=Amazon Root CA 2,O=Amazon,C=US"] = 
"\x30\x82\x05\x41\x30\x82\x03\x29\xA0\x03\x02\x01\x02\x02\x13\x06\x6C\x9F\xD2\x96\x35\x86\x9F\x0A\x0F\xE5\x86\x78\xF8\x5B\x26\xBB\x8A\x37\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x41\x6D\x61\x7A\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x41\x6D\x61\x7A\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x31\x35\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x34\x30\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x41\x6D\x61\x7A\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x41\x6D\x61\x7A\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xAD\x96\x9F\x2D\x9C\x4A\x4C\x4A\x81\x79\x51\x99\xEC\x8A\xCB\x6B\x60\x51\x13\xBC\x4D\x6D\x06\xFC\xB0\x08\x8D\xDD\x19\x10\x6A\xC7\x26\x0C\x35\xD8\xC0\x6F\x20\x84\xE9\x94\xB1\x9B\x85\x03\xC3\x5B\xDB\x4A\xE8\xC8\xF8\x90\x76\xD9\x5B\x4F\xE3\x4C\xE8\x06\x36\x4D\xCC\x9A\xAC\x3D\x0C\x90\x2B\x92\xD4\x06\x19\x60\xAC\x37\x44\x79\x85\x81\x82\xAD\x5A\x37\xE0\x0D\xCC\x9D\xA6\x4C\x52\x76\xEA\x43\x9D\xB7\x04\xD1\x50\xF6\x55\xE0\xD5\xD2\xA6\x49\x85\xE9\x37\xE9\xCA\x7E\xAE\x5C\x95\x4D\x48\x9A\x3F\xAE\x20\x5A\x6D\x88\x95\xD9\x34\xB8\x52\x1A\x43\x90\xB0\xBF\x6C\x05\xB9\xB6\x78\xB7\xEA\xD0\xE4\x3A\x3C\x12\x53\x62\xFF\x4A\xF2\x7B\xBE\x35\x05\xA9\x12\x34\xE3\xF3\x64\x74\x62\x2C\x3D\x00\x49\x5A\x28\xFE\x32\x44\xBB\x87\xDD\x65\x27\x02\x71\x3B\xDA\x4A\xF7\x1F\xDA\xCD\xF7\x21\x55\x90\x4F\x0F\xEC\xAE\x82\xE1\x9F\x6B\xD9\x45\xD3\xBB\xF0\x5F\x87\xED\x3C\x2C\x39\x86\xDA\x3F\xDE\xEC\x72\x55\xEB\x79\xA3\xAD\xDB\xDD\x7C\xB0\xBA\x1C\xCE\xFC\xDE\x4F\x35\x76\xCF\x0F\xF8\x78\x1F\x6A\x36\x51\x46\x27\x61\x5B\xE9\x9E\xCF\xF0\xA2\x55\x7D\x7C\x25\x8A\x6F\x2F\xB4\xC5\xCF\x84\x2E\x2B\xFD\x0D\x51\x1
0\x6C\xFB\x5F\x1B\xBC\x1B\x7E\xC5\xAE\x3B\x98\x01\x31\x92\xFF\x0B\x57\xF4\x9A\xB2\xB9\x57\xE9\xAB\xEF\x0D\x76\xD1\xF0\xEE\xF4\xCE\x86\xA7\xE0\x6E\xE9\xB4\x69\xA1\xDF\x69\xF6\x33\xC6\x69\x2E\x97\x13\x9E\xA5\x87\xB0\x57\x10\x81\x37\xC9\x53\xB3\xBB\x7F\xF6\x92\xD1\x9C\xD0\x18\xF4\x92\x6E\xDA\x83\x4F\xA6\x63\x99\x4C\xA5\xFB\x5E\xEF\x21\x64\x7A\x20\x5F\x6C\x64\x85\x15\xCB\x37\xE9\x62\x0C\x0B\x2A\x16\xDC\x01\x2E\x32\xDA\x3E\x4B\xF5\x9E\x3A\xF6\x17\x40\x94\xEF\x9E\x91\x08\x86\xFA\xBE\x63\xA8\x5A\x33\xEC\xCB\x74\x43\x95\xF9\x6C\x69\x52\x36\xC7\x29\x6F\xFC\x55\x03\x5C\x1F\xFB\x9F\xBD\x47\xEB\xE7\x49\x47\x95\x0B\x4E\x89\x22\x09\x49\xE0\xF5\x61\x1E\xF1\xBF\x2E\x8A\x72\x6E\x80\x59\xFF\x57\x3A\xF9\x75\x32\xA3\x4E\x5F\xEC\xED\x28\x62\xD9\x4D\x73\xF2\xCC\x81\x17\x60\xED\xCD\xEB\xDC\xDB\xA7\xCA\xC5\x7E\x02\xBD\xF2\x54\x08\x54\xFD\xB4\x2D\x09\x2C\x17\x54\x4A\x98\xD1\x54\xE1\x51\x67\x08\xD2\xED\x6E\x7E\x6F\x3F\xD2\x2D\x81\x59\x29\x66\xCB\x90\x39\x95\x11\x1E\x74\x27\xFE\xDD\xEB\xAF\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB0\x0C\xF0\x4C\x30\xF4\x05\x58\x02\x48\xFD\x33\xE5\x52\xAF\x4B\x84\xE3\x66\x52\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x03\x82\x02\x01\x00\xAA\xA8\x80\x8F\x0E\x78\xA3\xE0\xA2\xD4\xCD\xE6\xF5\x98\x7A\x3B\xEA\x00\x03\xB0\x97\x0E\x93\xBC\x5A\xA8\xF6\x2C\x8C\x72\x87\xA9\xB1\xFC\x7F\x73\xFD\x63\x71\x78\xA5\x87\x59\xCF\x30\xE1\x0D\x10\xB2\x13\x5A\x6D\x82\xF5\x6A\xE6\x80\x9F\xA0\x05\x0B\x68\xE4\x47\x6B\xC7\x6A\xDF\xB6\xFD\x77\x32\x72\xE5\x18\xFA\x09\xF4\xA0\x93\x2C\x5D\xD2\x8C\x75\x85\x76\x65\x90\x0C\x03\x79\xB7\x31\x23\x63\xAD\x78\x83\x09\x86\x68\x84\xCA\xFF\xF9\xCF\x26\x9A\x92\x79\xE7\xCD\x4B\xC5\xE7\x61\xA7\x17\xCB\xF3\xA9\x12\x93\x93\x6B\xA7\xE8\x2F\x53\x92\xC4\x60\x58\xB0\xCC\x02\x51\x18\x5B\x85\x8D\x62\x59\x63\xB6\xAD\xB4\xDE\x9A\xFB\x26\xF7\x00\x27\xC0\x5D\x55\x37\x74\x99\xC9\x5
0\x7F\xE3\x59\x2E\x44\xE3\x2C\x25\xEE\xEC\x4C\x32\x77\xB4\x9F\x1A\xE9\x4B\x5D\x20\xC5\xDA\xFD\x1C\x87\x16\xC6\x43\xE8\xD4\xBB\x26\x9A\x45\x70\x5E\xA9\x0B\x37\x53\xE2\x46\x7B\x27\xFD\xE0\x46\xF2\x89\xB7\xCC\x42\xB6\xCB\x28\x26\x6E\xD9\xA5\xC9\x3A\xC8\x41\x13\x60\xF7\x50\x8C\x15\xAE\xB2\x6D\x1A\x15\x1A\x57\x78\xE6\x92\x2A\xD9\x65\x90\x82\x3F\x6C\x02\xAF\xAE\x12\x3A\x27\x96\x36\x04\xD7\x1D\xA2\x80\x63\xA9\x9B\xF1\xE5\xBA\xB4\x7C\x14\xB0\x4E\xC9\xB1\x1F\x74\x5F\x38\xF6\x51\xEA\x9B\xFA\x2C\xA2\x11\xD4\xA9\x2D\x27\x1A\x45\xB1\xAF\xB2\x4E\x71\x0D\xC0\x58\x46\xD6\x69\x06\xCB\x53\xCB\xB3\xFE\x6B\x41\xCD\x41\x7E\x7D\x4C\x0F\x7C\x72\x79\x7A\x59\xCD\x5E\x4A\x0E\xAC\x9B\xA9\x98\x73\x79\x7C\xB4\xF4\xCC\xB9\xB8\x07\x0C\xB2\x74\x5C\xB8\xC7\x6F\x88\xA1\x90\xA7\xF4\xAA\xF9\xBF\x67\x3A\xF4\x1A\x15\x62\x1E\xB7\x9F\xBE\x3D\xB1\x29\xAF\x67\xA1\x12\xF2\x58\x10\x19\x53\x03\x30\x1B\xB8\x1A\x89\xF6\x9C\xBD\x97\x03\x8E\xA3\x09\xF3\x1D\x8B\x21\xF1\xB4\xDF\xE4\x1C\xD1\x9F\x65\x02\x06\xEA\x5C\xD6\x13\xB3\x84\xEF\xA2\xA5\x5C\x8C\x77\x29\xA7\x68\xC0\x6B\xAE\x40\xD2\xA8\xB4\xEA\xCD\xF0\x8D\x4B\x38\x9C\x19\x9A\x1B\x28\x54\xB8\x89\x90\xEF\xCA\x75\x81\x3E\x1E\xF2\x64\x24\xC7\x18\xAF\x4E\xFF\x47\x9E\x07\xF6\x35\x65\xA4\xD3\x0A\x56\xFF\xF5\x17\x64\x6C\xEF\xA8\x22\x25\x49\x93\xB6\xDF\x00\x17\xDA\x58\x7E\x5D\xEE\xC5\x1B\xB0\xD1\xD1\x5F\x21\x10\xC7\xF9\xF3\xBA\x02\x0A\x27\x07\xC5\xF1\xD6\xC7\xD3\xE0\xFB\x09\x60\x6C", + ["CN=Amazon Root CA 3,O=Amazon,C=US"] = 
"\x30\x82\x01\xB6\x30\x82\x01\x5B\xA0\x03\x02\x01\x02\x02\x13\x06\x6C\x9F\xD5\x74\x97\x36\x66\x3F\x3B\x0B\x9A\xD9\xE8\x9E\x76\x03\xF2\x4A\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x02\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x41\x6D\x61\x7A\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x41\x6D\x61\x7A\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x33\x30\x1E\x17\x0D\x31\x35\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x34\x30\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x41\x6D\x61\x7A\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x41\x6D\x61\x7A\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x33\x30\x59\x30\x13\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x08\x2A\x86\x48\xCE\x3D\x03\x01\x07\x03\x42\x00\x04\x29\x97\xA7\xC6\x41\x7F\xC0\x0D\x9B\xE8\x01\x1B\x56\xC6\xF2\x52\xA5\xBA\x2D\xB2\x12\xE8\xD2\x2E\xD7\xFA\xC9\xC5\xD8\xAA\x6D\x1F\x73\x81\x3B\x3B\x98\x6B\x39\x7C\x33\xA5\xC5\x4E\x86\x8E\x80\x17\x68\x62\x45\x57\x7D\x44\x58\x1D\xB3\x37\xE5\x67\x08\xEB\x66\xDE\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xAB\xB6\xDB\xD7\x06\x9E\x37\xAC\x30\x86\x07\x91\x70\xC7\x9C\xC4\x19\xB1\x78\xC0\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x02\x03\x49\x00\x30\x46\x02\x21\x00\xE0\x85\x92\xA3\x17\xB7\x8D\xF9\x2B\x06\xA5\x93\xAC\x1A\x98\x68\x61\x72\xFA\xE1\xA1\xD0\xFB\x1C\x78\x60\xA6\x43\x99\xC5\xB8\xC4\x02\x21\x00\x9C\x02\xEF\xF1\x94\x9C\xB3\x96\xF9\xEB\xC6\x2A\xF8\xB6\x2C\xFE\x3A\x90\x14\x16\xD7\x8C\x63\x24\x48\x1C\xDF\x30\x7D\xD5\x68\x3B", + ["CN=Amazon Root CA 4,O=Amazon,C=US"] = 
"\x30\x82\x01\xF2\x30\x82\x01\x78\xA0\x03\x02\x01\x02\x02\x13\x06\x6C\x9F\xD7\xC1\xBB\x10\x4C\x29\x43\xE5\x71\x7B\x7B\x2C\xC8\x1A\xC1\x0E\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x41\x6D\x61\x7A\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x41\x6D\x61\x7A\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x34\x30\x1E\x17\x0D\x31\x35\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x34\x30\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x41\x6D\x61\x7A\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x41\x6D\x61\x7A\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x34\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xD2\xAB\x8A\x37\x4F\xA3\x53\x0D\xFE\xC1\x8A\x7B\x4B\xA8\x7B\x46\x4B\x63\xB0\x62\xF6\x2D\x1B\xDB\x08\x71\x21\xD2\x00\xE8\x63\xBD\x9A\x27\xFB\xF0\x39\x6E\x5D\xEA\x3D\xA5\xC9\x81\xAA\xA3\x5B\x20\x98\x45\x5D\x16\xDB\xFD\xE8\x10\x6D\xE3\x9C\xE0\xE3\xBD\x5F\x84\x62\xF3\x70\x64\x33\xA0\xCB\x24\x2F\x70\xBA\x88\xA1\x2A\xA0\x75\xF8\x81\xAE\x62\x06\xC4\x81\xDB\x39\x6E\x29\xB0\x1E\xFA\x2E\x5C\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xD3\xEC\xC7\x3A\x65\x6E\xCC\xE1\xDA\x76\x9A\x56\xFB\x9C\xF3\x86\x6D\x57\xE5\x81\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x30\x3A\x8B\x21\xF1\xBD\x7E\x11\xAD\xD0\xEF\x58\x96\x2F\xD6\xEB\x9D\x7E\x90\x8D\x2B\xCF\x66\x55\xC3\x2C\xE3\x28\xA9\x70\x0A\x47\x0E\xF0\x37\x59\x12\xFF\x2D\x99\x94\x28\x4E\x2A\x4F\x35\x4D\x33\x5A\x02\x31\x00\xEA\x75\x00\x4E\x3B\xC4\x3A\x94\x12\x91\xC9\x58\x46\x9D\x21\x13\x72\xA7\x88\x9C\x8A\xE4\x4C\x4A\xDB\x96\xD4\xAC\x8B\x6B\x6B\x49\x12\x53\x33\xAD\xD7\xE4\xBE\x24\xFC\xB5\x0A\x76\xD4\xA
5\xBC\x10", + ["CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU"] = "\x30\x82\x05\xC3\x30\x82\x03\xAB\xA0\x03\x02\x01\x02\x02\x14\x0A\x7E\xA6\xDF\x4B\x44\x9E\xDA\x6A\x24\x85\x9E\xE6\xB8\x15\xD3\x16\x7F\xBB\xB1\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x46\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4C\x55\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x0C\x0D\x4C\x75\x78\x54\x72\x75\x73\x74\x20\x53\x2E\x41\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x4C\x75\x78\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x32\x30\x1E\x17\x0D\x31\x35\x30\x33\x30\x35\x31\x33\x32\x31\x35\x37\x5A\x17\x0D\x33\x35\x30\x33\x30\x35\x31\x33\x32\x31\x35\x37\x5A\x30\x46\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4C\x55\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x0C\x0D\x4C\x75\x78\x54\x72\x75\x73\x74\x20\x53\x2E\x41\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x4C\x75\x78\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD7\x85\x97\xBF\x11\x98\xE9\xF0\x62\x83\x4C\x3C\x87\xF9\x53\x6A\x37\x0B\xF2\x0F\x3C\x87\xCE\x6F\xDC\x26\x29\xBD\xC5\x89\xBA\xC9\x83\x3D\xF7\xEE\xCA\x5B\xC6\x6D\x49\x73\xB4\xC9\x46\xA3\x1B\x34\x13\x3F\xC1\x89\x45\x57\xF4\xD9\xB1\xFB\x36\x65\x4B\xFB\x08\xE2\x48\x71\x11\xC8\x6E\x3B\x9E\x9D\xDF\x89\x65\x37\xA6\x85\xF6\x3B\x44\x18\xB6\xC6\x37\x30\x62\x44\x92\x97\x69\x7D\x42\x30\x24\xE4\x0D\x0C\x89\x6B\x63\xDE\xC5\xE1\xDF\x4E\xA9\x14\x6C\x53\xE0\x61\xCE\xF6\x17\x2F\x1D\x3C\xBD\xE6\x22\x4C\x1D\x93\xF5\x10\xC4\xA1\x76\xEC\x6A\xDE\xC5\x6C\xDF\x96\xB4\x56\x40\x42\xC0\x62\x92\x30\xA1\x2D\x15\x94\xA0\xD2\x20\x06\x09\x6E\x6A\x6D\xE5\xEB\xB7\xBE\xD4\xF0\xF1\x15\x7C\x8B\xE6\x4E\xBA\x13\xCC\x4B\x27\x5E\x99\x3C\x17\x5D\x8F\x81\x7F\x33\x3D\x4F\xD3\x3F\x1B\xEC\x5C\x3F\xF0\x3C\x4C\x75\x6E\xF2\xA6\xD5\x9D\xDA\x2D\x07\x63\x02\xC6\x72\xE9\x94\xBC\x4C\x49\x95\x4F\x88\x52\xC8\xDB\xE8\x69\x82\xF8\xCC\x34\x5B
\x22\xF0\x86\xA7\x89\xBD\x48\x0A\x6D\x66\x81\x6D\xC8\xC8\x64\xFB\x01\xE1\xF4\xE1\xDE\xD9\x9E\xDD\xDB\x5B\xD4\x2A\x99\x26\x15\x1B\x1E\x4C\x92\x29\x82\x9E\xD5\x92\x81\x92\x41\x70\x19\xF7\xA4\xE5\x93\x4B\xBC\x77\x67\x31\xDD\x1C\xFD\x31\x70\x0D\x17\x99\x0C\xF9\x0C\x39\x19\x2A\x17\xB5\x30\x71\x55\xD5\x0F\xAE\x58\xE1\x3D\x2F\x34\x9B\xCF\x9F\xF6\x78\x85\xC2\x93\x7A\x72\x3E\x66\x8F\x9C\x16\x11\x60\x8F\x9E\x89\x6F\x67\xBE\xE0\x47\x5A\x3B\x0C\x9A\x67\x8B\xCF\x46\xC6\xAE\x38\xA3\xF2\xA7\xBC\xE6\xD6\x85\x6B\x33\x24\x70\x22\x4B\xCB\x08\x9B\xBB\xC8\xF8\x02\x29\x1D\xBE\x20\x0C\x46\xBF\x6B\x87\x9B\xB3\x2A\x66\x42\x35\x46\x6C\xAA\xBA\xAD\xF9\x98\x7B\xE9\x50\x55\x14\x31\xBF\xB1\xDA\x2D\xED\x80\xAD\x68\x24\xFB\x69\xAB\xD8\x71\x13\x30\xE6\x67\xB3\x87\x40\xFD\x89\x7E\xF2\x43\xD1\x11\xDF\x2F\x65\x2F\x64\xCE\x5F\x14\xB9\xB1\xBF\x31\xBD\x87\x78\x5A\x59\x65\x88\xAA\xFC\x59\x32\x48\x86\xD6\x4C\xB9\x29\x4B\x95\xD3\x76\xF3\x77\x25\x6D\x42\x1C\x38\x83\x4D\xFD\xA3\x5F\x9B\x7F\x2D\xAC\x79\x1B\x0E\x42\x31\x97\x63\xA4\xFB\x8A\x69\xD5\x22\x0D\x34\x90\x30\x2E\xA8\xB4\xE0\x6D\xB6\x94\xAC\xBC\x8B\x4E\xD7\x70\xFC\xC5\x38\x8E\x64\x25\xE1\x4D\x39\x90\xCE\xC9\x87\x84\x58\x71\x02\x03\x01\x00\x01\xA3\x81\xA8\x30\x81\xA5\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x42\x06\x03\x55\x1D\x20\x04\x3B\x30\x39\x30\x37\x06\x07\x2B\x81\x2B\x01\x01\x01\x0A\x30\x2C\x30\x2A\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x1E\x68\x74\x74\x70\x73\x3A\x2F\x2F\x72\x65\x70\x6F\x73\x69\x74\x6F\x72\x79\x2E\x6C\x75\x78\x74\x72\x75\x73\x74\x2E\x6C\x75\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xFF\x18\x28\x76\xF9\x48\x05\x2C\xA1\xAE\xF1\x2B\x1B\x2B\xB2\x53\xF8\x4B\x7C\xB3\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xFF\x18\x28\x76\xF9\x48\x05\x2C\xA1\xAE\xF1\x2B\x1B\x2B\xB2\x53\xF8\x4B\x7C\xB3\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x6A\x19\x14\xED\x6E\x79\xC1\x2C\x87\xD4\x0D\x70\x7E\xD7\xF6\x78
\xC9\x0B\x04\x4E\xC4\xB1\xCE\x93\x70\xFE\xB0\x54\xC0\x32\xCD\x99\x30\x64\x17\xBF\x0F\xE5\xE2\x33\xFD\x07\x36\x40\x72\x0E\x1A\xB6\x6A\x59\xD6\x00\xE5\x68\x20\xDD\x2E\x72\x0D\x1F\x6A\x64\x31\x20\x84\x7D\x49\xA6\x5A\x37\xEB\x45\xC9\x85\xF5\xD4\xC7\x17\x99\x07\xE6\x9B\x55\xE4\x0C\xE8\xA9\xB4\xCE\x8C\x5B\xB5\x11\x5C\xCF\x8A\x0E\x0D\xD6\xAC\x77\x81\xFE\x32\x9C\x24\x9E\x72\xCE\x54\xF3\xD0\x6F\xA2\x56\xD6\xEC\xC3\x37\x2C\x65\x58\xBE\x57\x00\x1A\xF2\x35\xFA\xEB\x7B\x31\x5D\xC2\xC1\x12\x3D\x96\x81\x88\x96\x89\xC1\x59\x5C\x7A\xE6\x7F\x70\x34\xE7\x83\xE2\xB1\xE1\xE1\xB8\x58\xEF\xD4\x95\xE4\x60\x9C\xF0\x96\x97\x72\x8C\xEB\x84\x02\x2E\x65\x8F\xA4\xB7\xD2\x7F\x67\xDD\xC8\xD3\x9E\x5C\xAA\xA9\xA4\xA0\x25\x14\x06\x9B\xEC\x4F\x7E\x2D\x0B\x7F\x1D\x75\xF1\x33\xD8\xED\xCE\xB8\x75\x6D\x3E\x5B\xB9\x98\x1D\x31\x0D\x56\xD8\x43\x0F\x30\x91\xB2\x04\x6B\xDD\x56\xBE\x95\x80\x55\x67\xBE\xD8\xCD\x83\xD9\x18\xEE\x2E\x0F\x86\x2D\x92\x9E\x70\x13\xEC\xDE\x51\xC9\x43\x78\x02\xA5\x4D\xC8\xF9\x5F\xC4\x91\x58\x46\x16\x77\x5A\x74\xAA\x40\xBC\x07\x9F\x30\xB9\xB1\xF7\x12\x17\xDD\xE3\xFF\x24\x40\x1D\x7A\x6A\xD1\x4F\x18\x0A\xAA\x90\x1D\xEB\x40\x1E\xDF\xA1\x1E\x44\x92\x10\x9A\xF2\x8D\xE1\xD1\x4B\x46\x9E\xE8\x45\x42\x97\xEA\x45\x99\xF3\xEC\x66\xD5\x02\xFA\xF2\xA6\x4A\x24\xAA\xDE\xCE\xB9\xCA\xF9\x3F\x93\x6F\xF9\xA3\xBA\xEA\xA5\x3E\x99\xAD\xFD\xFF\x7B\x99\xF5\x65\xEE\xF0\x59\x28\x67\xD7\x90\x95\xA4\x13\x84\xA9\x84\xC1\xE8\xCE\xCE\x75\x93\x63\x1A\xBC\x3C\xEA\xD5\x64\x1F\x2D\x2A\x12\x39\xC6\xC3\x5A\x32\xED\x47\x91\x16\x0E\xBC\x38\xC1\x50\xDE\x8F\xCA\x2A\x90\x34\x1C\xEE\x41\x94\x9C\x5E\x19\x2E\xF8\x45\x49\x99\x74\x91\xB0\x04\x6F\xE3\x04\x5A\xB1\xAB\x2A\xAB\xFE\xC7\xD0\x96\xB6\xDA\xE1\x4A\x64\x06\x6E\x60\x4D\xBD\x42\x4E\xFF\x78\xDA\x24\xCA\x1B\xB4\xD7\x96\x39\x6C\xAE\xF1\x0E\xAA\xA7\x7D\x48\x8B\x20\x4C\xCF\x64\xD6\xB8\x97\x46\xB0\x4E\xD1\x2A\x56\x3A\xA0\x93\xBD\xAF\x80\x24\xE0\x0A\x7E\xE7\xCA\xD5\xCA\xE8\x85\x55\xDC\x36\x2A\xE1\x94\x68\x93\xC7\x66\x72\x44\x0F\x80\x21\x32\x6C\x25\xC7\x23\x80\x83\x0A\xEB", + 
["CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR"] = "\x30\x82\x04\x63\x30\x82\x03\x4B\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xD2\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x18\x30\x16\x06\x03\x55\x04\x07\x13\x0F\x47\x65\x62\x7A\x65\x20\x2D\x20\x4B\x6F\x63\x61\x65\x6C\x69\x31\x42\x30\x40\x06\x03\x55\x04\x0A\x13\x39\x54\x75\x72\x6B\x69\x79\x65\x20\x42\x69\x6C\x69\x6D\x73\x65\x6C\x20\x76\x65\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6B\x20\x41\x72\x61\x73\x74\x69\x72\x6D\x61\x20\x4B\x75\x72\x75\x6D\x75\x20\x2D\x20\x54\x55\x42\x49\x54\x41\x4B\x31\x2D\x30\x2B\x06\x03\x55\x04\x0B\x13\x24\x4B\x61\x6D\x75\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x73\x79\x6F\x6E\x20\x4D\x65\x72\x6B\x65\x7A\x69\x20\x2D\x20\x4B\x61\x6D\x75\x20\x53\x4D\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x54\x55\x42\x49\x54\x41\x4B\x20\x4B\x61\x6D\x75\x20\x53\x4D\x20\x53\x53\x4C\x20\x4B\x6F\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x73\x69\x20\x2D\x20\x53\x75\x72\x75\x6D\x20\x31\x30\x1E\x17\x0D\x31\x33\x31\x31\x32\x35\x30\x38\x32\x35\x35\x35\x5A\x17\x0D\x34\x33\x31\x30\x32\x35\x30\x38\x32\x35\x35\x35\x5A\x30\x81\xD2\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x18\x30\x16\x06\x03\x55\x04\x07\x13\x0F\x47\x65\x62\x7A\x65\x20\x2D\x20\x4B\x6F\x63\x61\x65\x6C\x69\x31\x42\x30\x40\x06\x03\x55\x04\x0A\x13\x39\x54\x75\x72\x6B\x69\x79\x65\x20\x42\x69\x6C\x69\x6D\x73\x65\x6C\x20\x76\x65\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6B\x20\x41\x72\x61\x73\x74\x69\x72\x6D\x61\x20\x4B\x75\x72\x75\x6D\x75\x20\x2D\x20\x54\x55\x42\x49\x54\x41\x4B\x31\x2D\x30\x2B\x06\x03\x55\x04\x0B\x13\x24\x4B\x61\x6D\x75\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x73\x79\x6F\x6E\x20\x4D\x65\x72\x6B\x65\x7A\x69\x20\x2D\x20\x4B\x61\x6D\x75\x20\x53\x4D\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x54\x55\x42\x49\x54\x41\x4B\x20\x4B\x61\x6D\
x75\x20\x53\x4D\x20\x53\x53\x4C\x20\x4B\x6F\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x73\x69\x20\x2D\x20\x53\x75\x72\x75\x6D\x20\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAF\x75\x30\x33\xAA\xBB\x6B\xD3\x99\x2C\x12\x37\x84\xD9\x8D\x7B\x97\x80\xD3\x6E\xE7\xFF\x9B\x50\x95\x3E\x90\x95\x56\x42\xD7\x19\x7C\x26\x84\x8D\x92\xFA\x01\x1D\x3A\x0F\xE2\x64\x38\xB7\x8C\xBC\xE8\x88\xF9\x8B\x24\xAB\x2E\xA3\xF5\x37\xE4\x40\x8E\x18\x25\x79\x83\x75\x1F\x3B\xFF\x6C\xA8\xC5\xC6\x56\xF8\xB4\xED\x8A\x44\xA3\xAB\x6C\x4C\xFC\x1D\xD0\xDC\xEF\x68\xBD\xCF\xE4\xAA\xCE\xF0\x55\xF7\xA2\x34\xD4\x83\x6B\x37\x7C\x1C\xC2\xFE\xB5\x03\xEC\x57\xCE\xBC\xB4\xB5\xC5\xED\x00\x0F\x53\x37\x2A\x4D\xF4\x4F\x0C\x83\xFB\x86\xCF\xCB\xFE\x8C\x4E\xBD\x87\xF9\xA7\x8B\x21\x57\x9C\x7A\xDF\x03\x67\x89\x2C\x9D\x97\x61\xA7\x10\xB8\x55\x90\x7F\x0E\x2D\x27\x38\x74\xDF\xE7\xFD\xDA\x4E\x12\xE3\x4D\x15\x22\x02\xC8\xE0\xE0\xFC\x0F\xAD\x8A\xD7\xC9\x54\x50\xCC\x3B\x0F\xCA\x16\x80\x84\xD0\x51\x56\xC3\x8E\x56\x7F\x89\x22\x33\x2F\xE6\x85\x0A\xBD\xA5\xA8\x1B\x36\xDE\xD3\xDC\x2C\x6D\x3B\xC7\x13\xBD\x59\x23\x2C\xE6\xE5\xA4\xF7\xD8\x0B\xED\xEA\x90\x40\x44\xA8\x95\xBB\x93\xD5\xD0\x80\x34\xB6\x46\x78\x0E\x1F\x00\x93\x46\xE1\xEE\xE9\xF9\xEC\x4F\x17\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x65\x3F\xC7\x8A\x86\xC6\x3C\xDD\x3C\x54\x5C\x35\xF8\x3A\xED\x52\x0C\x47\x57\xC8\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x2A\x3F\xE1\xF1\x32\x8E\xAE\xE1\x98\x5C\x4B\x5E\xCF\x6B\x1E\x6A\x09\xD2\x22\xA9\x12\xC7\x5E\x57\x7D\x73\x56\x64\x80\x84\x7A\x93\xE4\x09\xB9\x10\xCD\x9F\x2A\x27\xE1\x00\x77\xBE\x48\xC8\x35\xA8\x81\x9F\xE4\xB8\x2C\xC9\x7F\x0E\xB0\xD2\x4B\x37\x5D\xEA\xB9\xD5\x0B\x5E\x34\xBD\xF4\x73\x29\xC3\xED\x26\x15\x9C\x7E\x08\x53\x8A\x58\x8D\xD0\x4B\
x28\xDF\xC1\xB3\xDF\x20\xF3\xF9\xE3\xE3\x3A\xDF\xCC\x9C\x94\xD8\x4E\x4F\xC3\x6B\x17\xB7\xF7\x72\xE8\xAD\x66\x33\xB5\x25\x53\xAB\xE0\xF8\x4C\xA9\x9D\xFD\xF2\x0D\xBA\xAE\xB9\xD9\xAA\xC6\x6B\xF9\x93\xBB\xAE\xAB\xB8\x97\x3C\x03\x1A\xBA\x43\xC6\x96\xB9\x45\x72\x38\xB3\xA7\xA1\x96\x3D\x91\x7B\x7E\xC0\x21\x53\x4C\x87\xED\xF2\x0B\x54\x95\x51\x93\xD5\x22\xA5\x0D\x8A\xF1\x93\x0E\x3E\x54\x0E\xB0\xD8\xC9\x4E\xDC\xF2\x31\x32\x56\xEA\x64\xF9\xEA\xB5\x9D\x16\x66\x42\x72\xF3\x7F\xD3\xB1\x31\x43\xFC\xA4\x8E\x17\xF1\x6D\x23\xAB\x94\x66\xF8\xAD\xFB\x0F\x08\x6E\x26\x2D\x7F\x17\x07\x09\xB2\x8C\xFB\x50\xC0\x9F\x96\x8D\xCF\xB6\xFD\x00\x9D\x5A\x14\x9A\xBF\x02\x44\xF5\xC1\xC2\x9F\x22\x5E\xA2\x0F\xA1\xE3", + ["CN=GDCA TrustAUTH R5 ROOT,O=GUANG DONG CERTIFICATE AUTHORITY CO.\,LTD.,C=CN"] = "\x30\x82\x05\x88\x30\x82\x03\x70\xA0\x03\x02\x01\x02\x02\x08\x7D\x09\x97\xFE\xF0\x47\xEA\x7A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x32\x30\x30\x06\x03\x55\x04\x0A\x0C\x29\x47\x55\x41\x4E\x47\x20\x44\x4F\x4E\x47\x20\x43\x45\x52\x54\x49\x46\x49\x43\x41\x54\x45\x20\x41\x55\x54\x48\x4F\x52\x49\x54\x59\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x47\x44\x43\x41\x20\x54\x72\x75\x73\x74\x41\x55\x54\x48\x20\x52\x35\x20\x52\x4F\x4F\x54\x30\x1E\x17\x0D\x31\x34\x31\x31\x32\x36\x30\x35\x31\x33\x31\x35\x5A\x17\x0D\x34\x30\x31\x32\x33\x31\x31\x35\x35\x39\x35\x39\x5A\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x32\x30\x30\x06\x03\x55\x04\x0A\x0C\x29\x47\x55\x41\x4E\x47\x20\x44\x4F\x4E\x47\x20\x43\x45\x52\x54\x49\x46\x49\x43\x41\x54\x45\x20\x41\x55\x54\x48\x4F\x52\x49\x54\x59\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x47\x44\x43\x41\x20\x54\x72\x75\x73\x74\x41\x55\x54\x48\x20\x52\x35\x20\x52\x4F\x4F\x54\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD9\xA3\x16\
xF0\xC8\x74\x74\x77\x9B\xEF\x33\x0D\x3B\x06\x7E\x55\xFC\xB5\x60\x8F\x76\x86\x12\x42\x7D\x56\x66\x3E\x88\x82\xED\x72\x63\x0E\x9E\x8B\xDD\x34\x2C\x02\x51\x51\xC3\x19\xFD\x59\x54\x84\xC9\xF1\x6B\xB3\x4C\xB0\xE9\xE8\x46\x5D\x38\xC6\xA2\xA7\x2E\x11\x57\xBA\x82\x15\xA2\x9C\x8F\x6D\xB0\x99\x4A\x0A\xF2\xEB\x89\x70\x63\x4E\x79\xC4\xB7\x5B\xBD\xA2\x5D\xB1\xF2\x41\x02\x2B\xAD\xA9\x3A\xA3\xEC\x79\x0A\xEC\x5F\x3A\xE3\xFD\xEF\x80\x3C\xAD\x34\x9B\x1A\xAB\x88\x26\x7B\x56\xA2\x82\x86\x1F\xEB\x35\x89\x83\x7F\x5F\xAE\x29\x4E\x3D\xB6\x6E\xEC\xAE\xC1\xF0\x27\x9B\xAE\xE3\xF4\xEC\xEF\xAE\x7F\xF7\x86\x3D\x72\x7A\xEB\xA5\xFB\x59\x4E\xA7\xEB\x95\x8C\x22\x39\x79\xE1\x2D\x08\x8F\xCC\xBC\x91\xB8\x41\xF7\x14\xC1\x23\xA9\xC3\xAD\x9A\x45\x44\xB3\xB2\xD7\x2C\xCD\xC6\x29\xE2\x50\x10\xAE\x5C\xCB\x82\x8E\x17\x18\x36\x7D\x97\xE6\x88\x9A\xB0\x4D\x34\x09\xF4\x2C\xB9\x5A\x66\x2A\xB0\x17\x9B\x9E\x1E\x76\x9D\x4A\x66\x31\x41\xDF\x3F\xFB\xC5\x06\xEF\x1B\xB6\x7E\x1A\x46\x36\xF7\x64\x63\x3B\xE3\x39\x18\x23\xE7\x67\x75\x14\xD5\x75\x57\x92\x37\xBD\xBE\x6A\x1B\x26\x50\xF2\x36\x26\x06\x90\xC5\x70\x01\x64\x6D\x76\x66\xE1\x91\xDB\x6E\x07\xC0\x61\x80\x2E\xB2\x2E\x2F\x8C\x70\xA7\xD1\x3B\x3C\xB3\x91\xE4\x6E\xB6\xC4\x3B\x70\xF2\x6C\x92\x97\x09\xCD\x47\x7D\x18\xC0\xF3\xBB\x9E\x0F\xD6\x8B\xAE\x07\xB6\x5A\x0F\xCE\x0B\x0C\x47\xA7\xE5\x3E\xB8\xBD\x7D\xC7\x9B\x35\xA0\x61\x97\x3A\x41\x75\x17\xCC\x2B\x96\x77\x2A\x92\x21\x1E\xD9\x95\x76\x20\x67\x68\xCF\x0D\xBD\xDF\xD6\x1F\x09\x6A\x9A\xE2\xCC\x73\x71\xA4\x2F\x7D\x12\x80\xB7\x53\x30\x46\x5E\x4B\x54\x99\x0F\x67\xC9\xA5\xC8\xF2\x20\xC1\x82\xEC\x9D\x11\xDF\xC2\x02\xFB\x1A\x3B\xD1\xED\x20\x9A\xEF\x65\x64\x92\x10\x0D\x2A\xE2\xDE\x70\xF1\x18\x67\x82\x8C\x61\xDE\xB8\xBC\xD1\x2F\x9C\xFB\x0F\xD0\x2B\xED\x1B\x76\xB9\xE4\x39\x55\xF8\xF8\xA1\x1D\xB8\xAA\x80\x00\x4C\x82\xE7\xB2\x7F\x09\xB8\xBC\x30\xA0\x2F\x0D\xF5\x52\x9E\x8E\xF7\x92\xB3\x0A\x00\x1D\x00\x54\x97\x06\xE0\xB1\x07\xD9\xC7\x0F\x5C\x65\x7D\x3C\x6D\x59\x57\xE4\xED\xA5\x8D\xE9\x40\x53\x9F\x15\x4B\xA0\x71\xF6\x1A\x21\xE3\xDA\x70\x06\x21\
x58\x14\x87\x85\x77\x79\xAA\x82\x79\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE2\xC9\x40\x9F\x4D\xCE\xE8\x9A\xA1\x7C\xCF\x0E\x3F\x65\xC5\x29\x88\x6A\x19\x51\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\xD1\x49\x57\xE0\xA7\xCC\x68\x58\xBA\x01\x0F\x2B\x19\xCD\x8D\xB0\x61\x45\xAC\x11\xED\x63\x50\x69\xF8\x1F\x7F\xBE\x16\x8F\xFD\x9D\xEB\x0B\xAA\x32\x47\x76\xD2\x67\x24\xED\xBD\x7C\x33\x32\x97\x2A\xC7\x05\x86\x66\x0D\x17\x7D\x14\x15\x1B\xD4\xEB\xFD\x1F\x9A\xF6\x5E\x97\x69\xB7\x1A\x25\xA4\x0A\xB3\x91\x3F\x5F\x36\xAC\x8B\xEC\x57\xA8\x3E\xE7\x81\x8A\x18\x57\x39\x85\x74\x1A\x42\xC7\xE9\x5B\x13\x5F\x8F\xF9\x08\xE9\x92\x74\x8D\xF5\x47\xD2\xAB\x3B\xD6\xFB\x78\x66\x4E\x36\x7D\xF9\xE9\x92\xE9\x04\xDE\xFD\x49\x63\xFC\x6D\xFB\x14\x71\x93\x67\x2F\x47\x4A\xB7\xB9\xFF\x1E\x2A\x73\x70\x46\x30\xBF\x5A\xF2\x2F\x79\xA5\xE1\x8D\x0C\xD9\xF9\xB2\x63\x37\x8C\x37\x65\x85\x70\x6A\x5C\x5B\x09\x72\xB9\xAD\x63\x3C\xB1\xDD\xF8\xFC\x32\xBF\x37\x86\xE4\xBB\x8E\x98\x27\x7E\xBA\x1F\x16\xE1\x70\x11\xF2\x03\xDF\x25\x62\x32\x27\x26\x18\x32\x84\x9F\xFF\x00\x3A\x13\xBA\x9A\x4D\xF4\x4F\xB8\x14\x70\x22\xB1\xCA\x2B\x90\xCE\x29\xC1\x70\xF4\x2F\x9D\x7F\xF2\x90\x1E\xD6\x5A\xDF\xB7\x46\xFC\xE6\x86\xFA\xCB\xE0\x20\x76\x7A\xBA\xA6\xCB\xF5\x7C\xDE\x62\xA5\xB1\x8B\xEE\xDE\x82\x66\x8A\x4E\x3A\x30\x1F\x3F\x80\xCB\xAD\x27\xBA\x0C\x5E\xD7\xD0\xB1\x56\xCA\x77\x71\xB2\xB5\x75\xA1\x50\xA9\x40\x43\x17\xC2\x28\xD9\xCF\x52\x8B\x5B\xC8\x63\xD4\x42\x3E\xA0\x33\x7A\x46\x2E\xF7\x0A\x20\x46\x54\x7E\x6A\x4F\x31\xF1\x81\x7E\x42\x74\x38\x65\x73\x27\xEE\xC6\x7C\xB8\x8E\xD7\xA5\x3A\xD7\x98\xA1\x9C\x8C\x10\x55\xD3\xDB\x4B\xEC\x40\x90\xF2\xCD\x6E\x57\xD2\x62\x0E\x7C\x57\x93\xB1\xA7\x6D\xCD\x9D\x83\xBB\x2A\xE7\xE5\xB6\x3B\x71\x58\xAD\xFD\xD1\x45\xBC\x5A\x91\xEE\x53\x15\x6F\xD3\x45\x09\x75\x6E\xBA\x90\x5D\x1E\x04\xCF\x37\xDF\x1E\xA8\x66\xB1\
x8C\xE6\x20\x6A\xEF\xFC\x48\x4E\x74\x98\x42\xAF\x29\x6F\x2E\x6A\xC7\xFB\x7D\xD1\x66\x31\x22\xCC\x86\x00\x7E\x66\x83\x0C\x42\xF4\xBD\x34\x92\xC3\x1A\xEA\x4F\xCA\x7E\x72\x4D\x0B\x70\x8C\xA6\x48\xBB\xA6\xA1\x14\xF6\xFB\x58\x44\x99\x14\xAE\xAA\x0B\x93\x69\xA0\x29\x25\x4A\xA5\xCB\x2B\xDD\x8A\x66\x07\x16\x78\x15\x57\x71\x1B\xEC\xF5\x47\x84\xF3\x9E\x31\x37\x7A\xD5\x7F\x24\xAD\xE4\xBC\xFD\xFD\xCC\x6E\x83\xE8\x0C\xA8\xB7\x41\x6C\x07\xDD\xBD\x3C\x86\x97\x2F\xD2", + ["CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA"] = "\x30\x82\x04\x30\x30\x82\x03\x18\xA0\x03\x02\x01\x02\x02\x09\x00\xDA\x9B\xEC\x71\xF3\x03\xB0\x19\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xA4\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x41\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x0C\x06\x50\x61\x6E\x61\x6D\x61\x31\x14\x30\x12\x06\x03\x55\x04\x07\x0C\x0B\x50\x61\x6E\x61\x6D\x61\x20\x43\x69\x74\x79\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x0C\x1B\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x53\x2E\x20\x64\x65\x20\x52\x2E\x4C\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x0C\x1E\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x52\x6F\x6F\x74\x43\x65\x72\x74\x20\x43\x41\x2D\x31\x30\x1E\x17\x0D\x31\x36\x30\x32\x30\x34\x31\x32\x33\x32\x31\x36\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x31\x37\x32\x33\x31\x36\x5A\x30\x81\xA4\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x41\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x0C\x06\x50\x61\x6E\x61\x6D\x61\x31\x14\x30\x12\x06\x03\x55\x04\x07\x0C\x0B\x50\x61\x6E\x61\x6D\x61\x20\x43\x69\x74\x79\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x0C\x1B\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x53\x2E\x20\x64\x65\x20\x52\x2E\x4C\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x0C\x1E\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x43\x65\x
72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x52\x6F\x6F\x74\x43\x65\x72\x74\x20\x43\x41\x2D\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBF\x8E\xB7\x95\xE2\xC2\x26\x12\x6B\x33\x19\xC7\x40\x58\x0A\xAB\x59\xAA\x8D\x00\xA3\xFC\x80\xC7\x50\x7B\x8E\xD4\x20\x26\xBA\x32\x12\xD8\x23\x54\x49\x25\x10\x22\x98\x9D\x46\xD2\xC1\xC9\x9E\x4E\x1B\x2E\x2C\x0E\x38\xF3\x1A\x25\x68\x1C\xA6\x5A\x05\xE6\x1E\x8B\x48\xBF\x98\x96\x74\x3E\x69\xCA\xE9\xB5\x78\xA5\x06\xBC\xD5\x00\x5E\x09\x0A\xF2\x27\x7A\x52\xFC\x2D\xD5\xB1\xEA\xB4\x89\x61\x24\xF3\x1A\x13\xDB\xA9\xCF\x52\xED\x0C\x24\xBA\xB9\x9E\xEC\x7E\x00\x74\xFA\x93\xAD\x6C\x29\x92\xAE\x51\xB4\xBB\xD3\x57\xBF\xB3\xF3\xA8\x8D\x9C\xF4\x24\x4B\x2A\xD6\x99\x9E\xF4\x9E\xFE\xC0\x7E\x42\x3A\xE7\x0B\x95\x53\xDA\xB7\x68\x0E\x90\x4C\xFB\x70\x3F\x8F\x4A\x2C\x94\xF3\x26\xDD\x63\x69\xA9\x94\xD8\x10\x4E\xC5\x47\x08\x90\x99\x1B\x17\x4D\xB9\x6C\x6E\xEF\x60\x95\x11\x8E\x21\x80\xB5\xBD\xA0\x73\xD8\xD0\xB2\x77\xC4\x45\xEA\x5A\x26\xFB\x66\x76\x76\xF8\x06\x1F\x61\x6D\x0F\x55\xC5\x83\xB7\x10\x56\x72\x06\x07\xA5\xF3\xB1\x1A\x03\x05\x64\x0E\x9D\x5A\x8A\xD6\x86\x70\x1B\x24\xDE\xFE\x28\x8A\x2B\xD0\x6A\xB0\xFC\x7A\xA2\xDC\xB2\x79\x0E\x8B\x65\x0F\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xEE\x6B\x49\x3C\x7A\x3F\x0D\xE3\xB1\x09\xB7\x8A\xC8\xAB\x19\x9F\x73\x33\x50\xE7\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xEE\x6B\x49\x3C\x7A\x3F\x0D\xE3\xB1\x09\xB7\x8A\xC8\xAB\x19\x9F\x73\x33\x50\xE7\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x25\x18\xD4\x91\x8F\x13\xEE\x8F\x1E\x1D\x11\x53\xDA\x2D\x44\x29\x19\xA0\x1E\x6B\x31\x9E\x4D\x0E\x9E\xAD\x3D\x5C\x41\x6F\x95\x2B\x24\x
A1\x79\x98\x3A\x38\x36\xFB\xBB\x66\x9E\x48\xFF\x90\x90\xEF\x3D\xD4\xB8\x9B\xB4\x87\x75\x3F\x20\x9B\xCE\x72\xCF\xA1\x55\xC1\x4D\x64\xA2\x19\x06\xA1\x07\x33\x0C\x0B\x29\xE5\xF1\xEA\xAB\xA3\xEC\xB5\x0A\x74\x90\xC7\x7D\x72\xF2\xD7\x5C\x9F\x91\xEF\x91\x8B\xB7\xDC\xED\x66\xA2\xCF\x8E\x66\x3B\xBC\x9F\x3A\x02\xE0\x27\xDD\x16\x98\xC0\x95\xD4\x0A\xA4\xE4\x81\x9A\x75\x94\x35\x9C\x90\x5F\x88\x37\x06\xAD\x59\x95\x0A\xB0\xD1\x67\xD3\x19\xCA\x89\xE7\x32\x5A\x36\x1C\x3E\x82\xA8\x5A\x93\xBE\xC6\xD0\x64\x91\xB6\xCF\xD9\xB6\x18\xCF\xDB\x7E\xD2\x65\xA3\xA6\xC4\x8E\x17\x31\xC1\xFB\x7E\x76\xDB\xD3\x85\xE3\x58\xB2\x77\x7A\x76\x3B\x6C\x2F\x50\x1C\xE7\xDB\xF6\x67\x79\x1F\xF5\x82\x95\x9A\x07\xA7\x14\xAF\x8F\xDC\x28\x21\x67\x09\xD2\xD6\x4D\x5A\x1C\x19\x1C\x8E\x77\x5C\xC3\x94\x24\x3D\x32\x6B\x4B\x7E\xD4\x78\x94\x83\xBE\x37\x4D\xCE\x5F\xC7\x1E\x4E\x3C\xE0\x89\x33\x95\x0B\x0F\xA5\x32\xD6\x3C\x5A\x79\x2C\x19", + ["CN=TrustCor RootCert CA-2,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA"] = 
"\x30\x82\x06\x2F\x30\x82\x04\x17\xA0\x03\x02\x01\x02\x02\x08\x25\xA1\xDF\xCA\x33\xCB\x59\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xA4\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x41\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x0C\x06\x50\x61\x6E\x61\x6D\x61\x31\x14\x30\x12\x06\x03\x55\x04\x07\x0C\x0B\x50\x61\x6E\x61\x6D\x61\x20\x43\x69\x74\x79\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x0C\x1B\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x53\x2E\x20\x64\x65\x20\x52\x2E\x4C\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x0C\x1E\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x52\x6F\x6F\x74\x43\x65\x72\x74\x20\x43\x41\x2D\x32\x30\x1E\x17\x0D\x31\x36\x30\x32\x30\x34\x31\x32\x33\x32\x32\x33\x5A\x17\x0D\x33\x34\x31\x32\x33\x31\x31\x37\x32\x36\x33\x39\x5A\x30\x81\xA4\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x41\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x0C\x06\x50\x61\x6E\x61\x6D\x61\x31\x14\x30\x12\x06\x03\x55\x04\x07\x0C\x0B\x50\x61\x6E\x61\x6D\x61\x20\x43\x69\x74\x79\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x0C\x1B\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x53\x2E\x20\x64\x65\x20\x52\x2E\x4C\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x0C\x1E\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x52\x6F\x6F\x74\x43\x65\x72\x74\x20\x43\x41\x2D\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xA7\x20\x6E\xC2\x2A\xA2\x62\x24\x95\x90\x76\xC8\x38\x7E\x80\xD2\xAB\xC1\x9B\x65\x05\x94\xF4\xC1\x0A\x10\xD5\x02\xAC\xED\x9F\x93\xC7\x87\xC8\xB0\x27\x2B\x42\x0C\x3D\x0A\x3E\x41\x5A\x9E\x75\xDD\x8D\xCA\xE0\x9B\xEC\x68\x32\xA4\x69\x92\x68\x8C\x0B\x81\x0
E\x56\xA0\x3E\x1A\xDD\x2C\x25\x14\x82\x2F\x97\xD3\x64\x46\xF4\x54\xA9\xDC\x3A\x54\x2D\x31\x2B\x99\x82\xF2\xD9\x2A\xD7\xEF\x71\x00\xB8\x31\xA4\xBE\x7A\x24\x07\xC3\x42\x20\xF2\x8A\xD4\x92\x04\x1B\x65\x56\x4C\x6C\xD4\xFB\xB6\x61\x5A\x47\x23\xB4\xD8\x69\xB4\xB7\x3A\xD0\x74\x3C\x0C\x75\xA1\x8C\x4E\x76\xA1\xE9\xDB\x2A\xA5\x3B\xFA\xCE\xB0\xFF\x7E\x6A\x28\xFD\x27\x1C\xC8\xB1\xE9\x29\xF1\x57\x6E\x64\xB4\xD0\xC1\x15\x6D\x0E\xBE\x2E\x0E\x46\xC8\x5E\xF4\x51\xFE\xEF\x0E\x63\x3A\x3B\x71\xBA\xCF\x6F\x59\xCA\x0C\xE3\x9B\x5D\x49\xB8\x4C\xE2\x57\xB1\x98\x8A\x42\x57\x9C\x76\xEF\xEF\xBD\xD1\x68\xA8\xD2\xF4\x09\xBB\x77\x35\xBE\x25\x82\x08\xC4\x16\x2C\x44\x20\x56\xA9\x44\x11\x77\xEF\x5D\xB4\x1D\xAA\x5E\x6B\x3E\x8B\x32\xF6\x07\x2F\x57\x04\x92\xCA\xF5\xFE\x9D\xC2\xE9\xE8\xB3\x8E\x4C\x4B\x02\x31\xD9\xE4\x3C\x48\x82\x27\xF7\x18\x82\x76\x48\x3A\x71\xB1\x13\xA1\x39\xD5\x2E\xC5\x34\xC2\x1D\x62\x85\xDF\x03\xFE\x4D\xF4\xAF\x3D\xDF\x5C\x5B\x8D\xFA\x70\xE1\xA5\x7E\x27\xC7\x86\x2E\x6A\x8F\x12\xC6\x84\x5E\x43\x51\x50\x9C\x19\x9B\x78\xE6\xFC\xF6\xED\x47\x7E\x7B\x3D\x66\xEF\x13\x13\x88\x5F\x3C\xA1\x63\xFB\xF9\xAC\x87\x35\x9F\xF3\x82\x9E\xA4\x3F\x0A\x9C\x31\x69\x8B\x99\xA4\x88\x4A\x8E\x6E\x66\x4D\xEF\x16\xC4\x0F\x79\x28\x21\x60\x0D\x85\x16\x7D\xD7\x54\x38\xF1\x92\x56\xFD\xB5\x33\x4C\x83\xDC\xD7\x10\x9F\x4B\xFD\xC6\xF8\x42\xBD\xBA\x7C\x73\x02\xE0\xFF\x7D\xCD\x5B\xE1\xD4\xAC\x61\x7B\x57\xD5\x4A\x7B\x5B\xD4\x85\x58\x27\x5D\xBF\xF8\x2B\x60\xAC\xA0\x26\xAE\x14\x21\x27\xC6\x77\x9A\x33\x80\x3C\x5E\x46\x3F\xF7\xC3\xB1\xA3\x86\x33\xC6\xE8\x5E\x0D\xB9\x35\x2C\xAA\x46\xC1\x85\x02\x75\x80\xA0\xEB\x24\xFB\x15\xAA\xE4\x67\x7F\x6E\x77\x3F\xF4\x04\x8A\x2F\x7C\x7B\xE3\x17\x61\xF0\xDD\x09\xA9\x20\xC8\xBE\x09\xA4\xD0\x7E\x44\xC3\xB2\x30\x4A\x38\xAA\xA9\xEC\x18\x9A\x07\x82\x2B\xDB\xB8\x9C\x18\xAD\xDA\xE0\x46\x17\xAC\xCF\x5D\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xD9\xFE\x21\x40\x6E\x94\x9E\xBC\x9B\x3D\x9C\x7D\x98\x20\x19\xE5\x8C\x30\x62\xB2\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x1
6\x80\x14\xD9\xFE\x21\x40\x6E\x94\x9E\xBC\x9B\x3D\x9C\x7D\x98\x20\x19\xE5\x8C\x30\x62\xB2\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x9E\x45\x9E\x0C\x3B\xB6\xEF\xE1\x3A\xC8\x7C\xD1\x00\x3D\xCF\xE2\xEA\x06\xB5\xB2\x3A\xBB\x06\x4B\x68\x7A\xD0\x23\x97\x74\xA7\x2C\xF0\x08\xD8\x79\x5A\xD7\x5A\x84\x8A\xD8\x12\x9A\x1B\xD9\x7D\x5C\x4D\x70\xC5\xA5\xF9\xAB\xE5\xA3\x89\x89\xDD\x01\xFA\xEC\xDD\xF9\xE9\x92\x97\xDB\xB0\x46\x42\xF3\xD3\x62\xAA\x95\xFE\x31\x67\x14\x69\x58\x90\x0A\xAA\x0B\xEE\x37\x23\xC7\x50\x51\xB4\xF5\x7E\x9E\xE3\x7B\xF7\xE4\xCC\x42\x32\x2D\x49\x0C\xCB\xFF\x49\x0C\x9B\x1E\x34\xFD\x6E\x6E\x96\x8A\x79\x03\xB6\x6F\xDB\x09\xCB\xFD\x5F\x65\x14\x37\xE1\x38\xF5\xF3\x61\x16\x58\xE4\xB5\x6D\x0D\x0B\x04\x1B\x3F\x50\x2D\x7F\xB3\xC7\x7A\x1A\x16\x80\x60\xF8\x8A\x1F\xE9\x1B\x2A\xC6\xF9\xBA\x01\x1A\x69\xBF\xD2\x58\xC7\x54\x57\x08\x8F\xE1\x39\x60\x77\x4B\xAC\x59\x84\x1A\x88\xF1\xDD\xCB\x4F\x78\xD7\xE7\xE1\x33\x2D\xFC\xEE\x41\xFA\x20\xB0\xBE\xCB\xF7\x38\x94\xC0\xE1\xD0\x85\x0F\xBB\xED\x2C\x73\xAB\xED\xFE\x92\x76\x1A\x64\x7F\x5B\x0D\x33\x09\x07\x33\x7B\x06\x3F\x11\xA4\x5C\x70\x3C\x85\xC0\xCF\xE3\x90\xA8\x83\x77\xFA\xDB\xE6\xC5\x8C\x68\x67\x10\x67\xA5\x52\x2D\xF0\xC4\x99\x8F\x7F\xBF\xD1\x6B\xE2\xB5\x47\xD6\xD9\xD0\x85\x99\x4D\x94\x9B\x0F\x4B\x8D\xEE\x00\x5A\x47\x1D\x11\x03\xAC\x41\x18\xAF\x87\xB7\x6F\x0C\x3A\x8F\xCA\xCF\xDC\x03\xC1\xA2\x09\xC8\xE5\xFD\x80\x5E\xC8\x60\x42\x01\x1B\x1A\x53\x5A\xBB\x37\xA6\xB7\xBC\xBA\x84\xE9\x1E\x6C\x1A\xD4\x64\xDA\xD4\x43\xFE\x93\x8B\x4B\xF2\x2C\x79\x16\x10\xD4\x93\x0B\x88\x8F\xA1\xD8\x86\x14\x46\x91\x47\x9B\x28\x24\xEF\x57\x52\x4E\x5C\x42\x9C\xAA\xF7\x49\xEC\x27\xE8\x40\x1E\xB3\xA6\x89\x22\x72\x9C\xF5\x0D\x33\xB4\x58\xA3\x30\x3B\xDD\xD4\x6A\x54\x93\xBE\x1A\x4D\xF3\x93\x94\xF7\xFC\x84\x0B\x3F\x84\x20\x5C\x34\x03\x44\xC5\xDA\xAD\xBC\x0A\xC1\x02\xCF\x1E\xE5\x94\xD9\xF3\x8E\x5B\xD8\x4C\xF
0\x9D\xEC\x61\x17\xBB\x14\x32\x54\x0C\x02\x29\x93\x1E\x92\x86\xF6\x7F\xEF\xE7\x92\x05\x0E\x59\xDD\x99\x08\x2E\x2E\xFA\x9C\x00\x52\xD3\xC5\x66\x29\xE4\xA7\x97\x44\xA4\x0E\x28\x81\x13\x35\xC5\xF6\x6F\x64\xE6\x41\xC4\xD5\x2F\xCC\x34\x45\x25\xCF\x41\x00\x96\x3D\x4A\x2E\xC2\x96\x98\x4F\x4E\x4A\x9C\x97\xB7\xDB\x1F\x92\x32\xC8\xFF\x0F\x51\x6E\xD6\xEC\x09", + ["CN=TrustCor ECA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA"] = "\x30\x82\x04\x20\x30\x82\x03\x08\xA0\x03\x02\x01\x02\x02\x09\x00\x84\x82\x2C\x5F\x1C\x62\xD0\x40\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\x9C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x41\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x0C\x06\x50\x61\x6E\x61\x6D\x61\x31\x14\x30\x12\x06\x03\x55\x04\x07\x0C\x0B\x50\x61\x6E\x61\x6D\x61\x20\x43\x69\x74\x79\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x0C\x1B\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x53\x2E\x20\x64\x65\x20\x52\x2E\x4C\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x0C\x1E\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x17\x30\x15\x06\x03\x55\x04\x03\x0C\x0E\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x45\x43\x41\x2D\x31\x30\x1E\x17\x0D\x31\x36\x30\x32\x30\x34\x31\x32\x33\x32\x33\x33\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x31\x37\x32\x38\x30\x37\x5A\x30\x81\x9C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x41\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x0C\x06\x50\x61\x6E\x61\x6D\x61\x31\x14\x30\x12\x06\x03\x55\x04\x07\x0C\x0B\x50\x61\x6E\x61\x6D\x61\x20\x43\x69\x74\x79\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x0C\x1B\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x53\x2E\x20\x64\x65\x20\x52\x2E\x4C\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x0C\x1E\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x17\x30\x15\x06\x03\x55\x04\x03\x0C\x0E\x54\x72\x75\x73\x74\x43\x6F
\x72\x20\x45\x43\x41\x2D\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xCF\x8F\xE0\x11\xB5\x9F\xA8\x76\x76\xDB\xDF\x0F\x54\xEF\x73\x63\x29\x82\xAD\x47\xC6\xA3\x6B\xED\xFE\x5F\x33\xF8\x43\x51\xE9\x1A\x33\x91\x31\x17\xA0\x74\xC4\xD4\xA7\x01\xE6\xB2\x92\x3E\x6A\x9D\xED\x0E\xF9\x74\x98\x40\xD3\x3F\x03\x80\x06\x82\x40\xE8\xB1\xE2\xA7\x51\xA7\x1D\x83\x26\x6B\xAB\xDE\xFA\x17\x91\x2B\xD8\xC6\xAC\x1E\xB1\x9E\x19\x01\xD5\x97\xA6\xEA\x0D\xB7\xC4\x55\x1F\x27\x7C\xD2\x08\xD5\x76\x1F\x29\x15\x87\x40\x39\xDD\x38\x45\x11\x75\xD0\x9A\xA7\x34\xE0\xBF\xCD\xC8\x52\x1D\xB9\x47\x7E\x0D\xB8\xBB\xC6\x0C\xF6\x73\x57\x16\x5A\x7E\x43\x91\x1F\x55\x3A\xC6\x6D\x44\x04\xAA\x9C\xA9\x9C\xA7\x4C\x89\x17\x83\xAE\xA3\x04\x5E\x52\x80\x8B\x1E\x12\x25\x11\x19\xD7\x0C\x7D\x7D\x31\x44\x41\xEA\xDB\xAF\xB0\x1C\xEF\x81\xD0\x2C\xC5\x9A\x21\x9B\x3D\xED\x42\x3B\x50\x26\xF2\xEC\xCE\x71\x61\x06\x62\x21\x54\x4E\x7F\xC1\x9D\x3E\x7F\x20\x8C\x80\xCB\x2A\xD8\x97\x62\xC8\x83\x33\x91\x7D\xB0\xA2\x5A\x0F\x57\xE8\x3B\xCC\xF2\x25\xB2\xD4\x7C\x2F\xEC\x4D\xC6\xA1\x3A\x15\x7A\xE7\xB6\x5D\x35\xF5\xF6\x48\x4A\x36\x45\x66\xD4\xBA\x98\x58\xC1\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x44\x9E\x48\xF5\xCC\x6D\x48\xD4\xA0\x4B\x7F\xFE\x59\x24\x2F\x83\x97\x99\x9A\x86\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x44\x9E\x48\xF5\xCC\x6D\x48\xD4\xA0\x4B\x7F\xFE\x59\x24\x2F\x83\x97\x99\x9A\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x05\x3E\x35\x5C\x15\x70\x9B\xC9\xC7\x73\x61\x6F\x72\x2B\xD4\xC2\x8F\xF2\x43\x5D\x02\xCE\xC4\x94\xB9\x94\x11\x83\x67\x5D\xE2\x67\x6C\x75\x76\xBF\xBB\x0C\xAA\x36\xC6\xAD\x47\x93\x63\xDC\x1E\x7E\xD6\xDE\x2E\xFE\xE9\x19\x32\x38\x03\x7F\x14\xF6\x00\x73\x2C\x59\xB1\x21\x06\xE1\xFB\xAC\x18\x95\x0C\xA3\xFF\x99\x96\xF7
\x2B\x27\x9B\xD5\x24\xCC\x1D\xDD\xC1\x3A\xE0\x98\x44\xB0\xC4\xE4\x3E\x77\xB1\x73\xA9\x64\x2C\xF6\x1C\x01\x7C\x3F\x5D\x45\x85\xC0\x85\xE7\x25\x8F\x95\xDC\x17\xF3\x3C\x9F\x1A\x6E\xB0\xCA\xE3\x1D\x2A\xE9\x4C\x63\xFA\x24\x61\x62\xD6\xDA\x7E\xB6\x1C\x6C\xF5\x02\x1D\xD4\x2A\xDD\x55\x90\xEB\x2A\x11\x47\x3C\x2E\x5E\x74\xB2\x82\x22\xA5\x7D\x53\x1F\x45\xEC\x27\x91\x7D\xE7\x22\x16\xE8\xC0\x68\x36\xD8\xC6\xF1\x4F\x80\x44\x32\xF9\xE1\xD1\xD1\x1D\xAA\xDE\xA8\xAB\x9C\x04\xAF\xAD\x20\x0E\x64\x98\x4D\xA5\x6B\xC0\x48\x58\x96\x69\x4D\xDC\x07\x8C\x51\x93\xA2\xDF\x9F\x0F\x3D\x8B\x60\xB4\x82\x8D\xAA\x08\x4E\x62\x45\xE0\xF9\x0B\xD2\xE0\xE0\x3C\x5B\xDE\x5C\x71\x27\x25\xC2\xE6\x03\x81\x8B\x10\x53\xE3\xC7\x55\xA2\xB4\x9F\xD7\xE6", + ["CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US"] = "\x30\x82\x05\xDD\x30\x82\x03\xC5\xA0\x03\x02\x01\x02\x02\x08\x7B\x2C\x9B\xD3\x16\x80\x32\x99\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x7C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0E\x30\x0C\x06\x03\x55\x04\x08\x0C\x05\x54\x65\x78\x61\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x48\x6F\x75\x73\x74\x6F\x6E\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\x53\x53\x4C\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x31\x30\x2F\x06\x03\x55\x04\x03\x0C\x28\x53\x53\x4C\x2E\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x52\x53\x41\x30\x1E\x17\x0D\x31\x36\x30\x32\x31\x32\x31\x37\x33\x39\x33\x39\x5A\x17\x0D\x34\x31\x30\x32\x31\x32\x31\x37\x33\x39\x33\x39\x5A\x30\x7C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0E\x30\x0C\x06\x03\x55\x04\x08\x0C\x05\x54\x65\x78\x61\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x48\x6F\x75\x73\x74\x6F\x6E\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\x53\x53\x4C\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x31\x30\x2F\x06\x03\x55\x04\x03\x0C\x28\x53\x53\x4C\x2E\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x65\x
72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x52\x53\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xF9\x0F\xDD\xA3\x2B\x7D\xCB\xD0\x2A\xFE\xEC\x67\x85\xA6\xE7\x2E\x1B\xBA\x77\xE1\xE3\xF5\xAF\xA4\xEC\xFA\x4A\x5D\x91\xC4\x57\x47\x6B\x18\x77\x6B\x76\xF2\xFD\x93\xE4\x3D\x0F\xC2\x16\x9E\x0B\x66\xC3\x56\x94\x9E\x17\x83\x85\xCE\x56\xEF\xF2\x16\xFD\x00\x62\xF5\x22\x09\x54\xE8\x65\x17\x4E\x41\xB9\xE0\x4F\x46\x97\xAA\x1B\xC8\xB8\x6E\x62\x5E\x69\xB1\x5F\xDB\x2A\x02\x7E\xFC\x6C\xCA\xF3\x41\xD8\xED\xD0\xE8\xFC\x3F\x61\x48\xED\xB0\x03\x14\x1D\x10\x0E\x4B\x19\xE0\xBB\x4E\xEC\x86\x65\xFF\x36\xF3\x5E\x67\x02\x0B\x9D\x86\x55\x61\xFD\x7A\x38\xED\xFE\xE2\x19\x00\xB7\x6F\xA1\x50\x62\x75\x74\x3C\xA0\xFA\xC8\x25\x92\xB4\x6E\x7A\x22\xC7\xF8\x1E\xA1\xE3\xB2\xDD\x91\x31\xAB\x2B\x1D\x04\xFF\xA5\x4A\x04\x37\xE9\x85\xA4\x33\x2B\xFD\xE2\xD6\x55\x34\x7C\x19\xA4\x4A\x68\xC7\xB2\xA8\xD3\xB7\xCA\xA1\x93\x88\xEB\xC1\x97\xBC\x8C\xF9\x1D\xD9\x22\x84\x24\x74\xC7\x04\x3D\x6A\xA9\x29\x93\xCC\xEB\xB8\x5B\xE1\xFE\x5F\x25\xAA\x34\x58\xC8\xC1\x23\x54\x9D\x1B\x98\x11\xC3\x38\x9C\x7E\x3D\x86\x6C\xA5\x0F\x40\x86\x7C\x02\xF4\x5C\x02\x4F\x28\xCB\xAE\x71\x9F\x0F\x3A\xC8\x33\xFE\x11\x25\x35\xEA\xFC\xBA\xC5\x60\x3D\xD9\x7C\x18\xD5\xB2\xA9\xD3\x75\x78\x03\x72\x22\xCA\x3A\xC3\x1F\xEF\x2C\xE5\x2E\xA9\xFA\x9E\x2C\xB6\x51\x46\xFD\xAF\x03\xD6\xEA\x60\x68\xEA\x85\x16\x36\x6B\x85\xE9\x1E\xC0\xB3\xDD\xC4\x24\xDC\x80\x2A\x81\x41\x6D\x94\x3E\xC8\xE0\xC9\x81\x41\x00\x9E\x5E\xBF\x7F\xC5\x08\x98\xA2\x18\x2C\x42\x40\xB3\xF9\x6F\x38\x27\x4B\x4E\x80\xF4\x3D\x81\x47\xE0\x88\x7C\xEA\x1C\xCE\xB5\x75\x5C\x51\x2E\x1C\x2B\x7F\x1A\x72\x28\xE7\x00\xB5\xD1\x74\xC6\xD7\xE4\x9F\xAD\x07\x93\xB6\x53\x35\x35\xFC\x37\xE4\xC3\xF6\x5D\x16\xBE\x21\x73\xDE\x92\x0A\xF8\xA0\x63\x6A\xBC\x96\x92\x6A\x3E\xF8\xBC\x65\x55\x9B\xDE\xF5\x0D\x89\x26\x04\xFC\x25\x1A\xA6\x25\x69\xCB\xC2\x6D\xCA\x7C\xE2\x59\x5F\x97\xAC\xEB\xEF\x2E\xC8\x
BC\xD7\x1B\x59\x3C\x2B\xCC\xF2\x19\xC8\x93\x6B\x27\x63\x19\xCF\xFC\xE9\x26\xF8\xCA\x71\x9B\x7F\x93\xFE\x34\x67\x84\x4E\x99\xEB\xFC\xB3\x78\x09\x33\x70\xBA\x66\xA6\x76\xED\x1B\x73\xEB\x1A\xA5\x0D\xC4\x22\x13\x20\x94\x56\x0A\x4E\x2C\x6C\x4E\xB1\xFD\xCF\x9C\x09\xBA\xA2\x33\xED\x87\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xDD\x04\x09\x07\xA2\xF5\x7A\x7D\x52\x53\x12\x92\x95\xEE\x38\x80\x25\x0D\xA6\x59\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xDD\x04\x09\x07\xA2\xF5\x7A\x7D\x52\x53\x12\x92\x95\xEE\x38\x80\x25\x0D\xA6\x59\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x20\x18\x11\x94\x29\xFB\x26\x9D\x1C\x1E\x1E\x70\x61\xF1\x95\x72\x93\x71\x24\xAD\x68\x93\x58\x8E\x32\xAF\x1B\xB3\x70\x03\xFC\x25\x2B\x74\x85\x90\x3D\x78\x6A\xF4\xB9\x8B\xA5\x97\x3B\xB5\x18\x91\xBB\x1E\xA7\xF9\x40\x5B\x91\xF9\x55\x99\xAF\x1E\x11\xD0\x5C\x1D\xA7\x66\xE3\xB1\x94\x07\x0C\x32\x39\xA6\xEA\x1B\xB0\x79\xD8\x1D\x9C\x70\x44\xE3\x8A\xDD\xC4\xF9\x95\x1F\x8A\x38\x43\x3F\x01\x85\xA5\x47\xA7\x3D\x46\xB2\xBC\xE5\x22\x68\xF7\x7B\x9C\xD8\x2C\x3E\x0A\x21\xC8\x2D\x33\xAC\xBF\xC5\x81\x99\x31\x74\xC1\x75\x71\xC5\xBE\xB1\xF0\x23\x45\xF4\x9D\x6B\xFC\x19\x63\x9D\xA3\xBC\x04\xC6\x18\x0B\x25\xBB\x53\x89\x0F\xB3\x80\x50\xDE\x45\xEE\x44\x7F\xAB\x94\x78\x64\x98\xD3\xF6\x28\xDD\x87\xD8\x70\x65\x74\xFB\x0E\xB9\x13\xEB\xA7\x0F\x61\xA9\x32\x96\xCC\xDE\xBB\xED\x63\x4C\x18\xBB\xA9\x40\xF7\xA0\x54\x6E\x20\x88\x71\x75\x18\xEA\x7A\xB4\x34\x72\xE0\x23\x27\x77\x5C\xB6\x90\xEA\x86\x25\x40\xAB\xEF\x33\x0F\xCB\x9F\x82\xBE\xA2\x20\xFB\xF6\xB5\x2D\x1A\xE6\xC2\x85\xB1\x74\x0F\xFB\xC8\x65\x02\xA4\x52\x01\x47\xDD\x49\x22\xC1\xBF\xD8\xEB\x6B\xAC\x7E\xDE\xEC\x63\x33\x15\xB7\x23\x08\x8F\xC6\x0F\x8D\x41\x5A\xDD\x8E\xC5\xB9\x8F\xE5\x45\x3F\x78\xDB\xBA\xD2\x1B\x40\xB1\xFE\x71\x4D\x3F\xE0\x81\xA2\xBA\x5E\xB4\xEC\x15\xE0\x93\xDD\x08\x1F\x
7E\xE1\x55\x99\x0B\x21\xDE\x93\x9E\x0A\xFB\xE6\xA3\x49\xBD\x36\x30\xFE\xE7\x77\xB2\xA0\x75\x97\xB5\x2D\x81\x88\x17\x65\x20\xF7\xDA\x90\x00\x9F\xC9\x52\xCC\x32\xCA\x35\x7C\xF5\x3D\x0F\xD8\x2B\xD7\xF5\x26\x6C\xC9\x06\x34\x96\x16\xEA\x70\x59\x1A\x32\x79\x79\x0B\xB6\x88\x7F\x0F\x52\x48\x3D\xBF\x6C\xD8\xA2\x44\x2E\xD1\x4E\xB7\x72\x58\xD3\x89\x13\x95\xFE\x44\xAB\xF8\xD7\x8B\x1B\x6E\x9C\xBC\x2C\xA0\x5B\xD5\x6A\x00\xAF\x5F\x37\xE1\xD5\xFA\x10\x0B\x98\x9C\x86\xE7\x26\x8F\xCE\xF0\xEC\x6E\x8A\x57\x0B\x80\xE3\x4E\xB2\xC0\xA0\x63\x61\x90\xBA\x55\x68\x37\x74\x6A\xB6\x92\xDB\x9F\xA1\x86\x22\xB6\x65\x27\x0E\xEC\xB6\x9F\x42\x60\xE4\x67\xC2\xB5\xDA\x41\x0B\xC4\xD3\x8B\x61\x1B\xBC\xFA\x1F\x91\x2B\xD7\x44\x07\x5E\xBA\x29\xAC\xD9\xC5\xE9\xEF\x53\x48\x5A\xEB\x80\xF1\x28\x58\x21\xCD\xB0\x06\x55\xFB\x27\x3F\x53\x90\x70\xA9\x04\x1E\x57\x27\xB9", + ["CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US"] = "\x30\x82\x02\x8D\x30\x82\x02\x14\xA0\x03\x02\x01\x02\x02\x08\x75\xE6\xDF\xCB\xC1\x68\x5B\xA8\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x02\x30\x7C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0E\x30\x0C\x06\x03\x55\x04\x08\x0C\x05\x54\x65\x78\x61\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x48\x6F\x75\x73\x74\x6F\x6E\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\x53\x53\x4C\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x31\x30\x2F\x06\x03\x55\x04\x03\x0C\x28\x53\x53\x4C\x2E\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x45\x43\x43\x30\x1E\x17\x0D\x31\x36\x30\x32\x31\x32\x31\x38\x31\x34\x30\x33\x5A\x17\x0D\x34\x31\x30\x32\x31\x32\x31\x38\x31\x34\x30\x33\x5A\x30\x7C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0E\x30\x0C\x06\x03\x55\x04\x08\x0C\x05\x54\x65\x78\x61\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x48\x6F\x75\x73\x74\x6F\x6E\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\x53\x53\x4C\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E
\x31\x31\x30\x2F\x06\x03\x55\x04\x03\x0C\x28\x53\x53\x4C\x2E\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x45\x43\x43\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x45\x6E\xA9\x50\xC4\xA6\x23\x36\x9E\x5F\x28\x8D\x17\xCB\x96\x22\x64\x3F\xDC\x7A\x8E\x1D\xCC\x08\xB3\xA2\x71\x24\xBA\x8E\x49\xB9\x04\x1B\x47\x96\x58\xAB\x2D\x95\xC8\xED\x9E\x08\x35\xC8\x27\xEB\x89\x8C\x53\x58\xEB\x62\x8A\xFE\xF0\x5B\x0F\x6B\x31\x52\x63\x41\x3B\x89\xCD\xEC\xEC\xB6\x8D\x19\xD3\x34\x07\xDC\xBB\xC6\x06\x7F\xC2\x45\x95\xEC\xCB\x7F\xA8\x23\xE0\x09\xE9\x81\xFA\xF3\x47\xD3\xA3\x63\x30\x61\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x82\xD1\x85\x73\x30\xE7\x35\x04\xD3\x8E\x02\x92\xFB\xE5\xA4\xD1\xC4\x21\xE8\xCD\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x82\xD1\x85\x73\x30\xE7\x35\x04\xD3\x8E\x02\x92\xFB\xE5\xA4\xD1\xC4\x21\xE8\xCD\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x02\x03\x67\x00\x30\x64\x02\x30\x6F\xE7\xEB\x59\x11\xA4\x60\xCF\x61\xB0\x96\x7B\xED\x05\xF9\x2F\x13\x91\xDC\xED\xE5\xFC\x50\x6B\x11\x46\x46\xB3\x1C\x21\x00\x62\xBB\xBE\xC3\xE7\xE8\xCD\x07\x99\xF9\x0D\x0B\x5D\x72\x3E\xC4\xAA\x02\x30\x1F\xBC\xBA\x0B\xE2\x30\x24\xFB\x7C\x6D\x80\x55\x0A\x99\x3E\x80\x0D\x33\xE5\x66\xA3\xB3\xA3\xBB\xA5\xD5\x8B\x8F\x09\x2C\xA6\x5D\x7E\xE2\xF0\x07\x08\x68\x6D\xD2\x7C\x69\x6E\x5F\xDF\xE5\x6A\x65", + ["CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US"] = 
"\x30\x82\x05\xEB\x30\x82\x03\xD3\xA0\x03\x02\x01\x02\x02\x08\x56\xB6\x29\xCD\x34\xBC\x78\xF6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0E\x30\x0C\x06\x03\x55\x04\x08\x0C\x05\x54\x65\x78\x61\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x48\x6F\x75\x73\x74\x6F\x6E\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\x53\x53\x4C\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x37\x30\x35\x06\x03\x55\x04\x03\x0C\x2E\x53\x53\x4C\x2E\x63\x6F\x6D\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x52\x53\x41\x20\x52\x32\x30\x1E\x17\x0D\x31\x37\x30\x35\x33\x31\x31\x38\x31\x34\x33\x37\x5A\x17\x0D\x34\x32\x30\x35\x33\x30\x31\x38\x31\x34\x33\x37\x5A\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0E\x30\x0C\x06\x03\x55\x04\x08\x0C\x05\x54\x65\x78\x61\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x48\x6F\x75\x73\x74\x6F\x6E\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\x53\x53\x4C\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x37\x30\x35\x06\x03\x55\x04\x03\x0C\x2E\x53\x53\x4C\x2E\x63\x6F\x6D\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x52\x53\x41\x20\x52\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x8F\x36\x65\x40\xE1\xD6\x4D\xC0\xD7\xB4\xE9\x46\xDA\x6B\xEA\x33\x47\xCD\x4C\xF9\x7D\x7D\xBE\xBD\x2D\x3D\xF0\xDB\x78\xE1\x86\xA5\xD9\xBA\x09\x57\x68\xED\x57\x3E\xA0\xD0\x08\x41\x83\xE7\x28\x41\x24\x1F\xE3\x72\x15\xD0\x01\x1A\xFB\x5E\x70\x23\xB2\xCB\x9F\x39\xE3\xCF\xC5\x4E\xC6\x92\x6D\x26\xC6\x7B\xBB\xB3\xDA\x27\x9D\x0A\x86\xE9\x81\x37\x05\xFE\xF0\x71\x71\xEC\xC3\x1C\xE9\x63\xA2\x17\x14\x9D\xEF\x1B\x67\xD3\x85\x55\x02\x02\xD6\x49\xC9\xCC\x5A\xE1\xB1\xF7\x6F\x32\x9F\xC9\xD4\x3B\x88\x41\xA8\x9C\xBD\xCB\xAB\xDB\x6D\x7B\x0
9\x1F\xA2\x4C\x72\x90\xDA\x2B\x08\xFC\xCF\x3C\x54\xCE\x67\x0F\xA8\xCF\x5D\x96\x19\x0B\xC4\xE3\x72\xEB\xAD\xD1\x7D\x1D\x27\xEF\x92\xEB\x10\xBF\x5B\xEB\x3B\xAF\xCF\x80\xDD\xC1\xD2\x96\x04\x5B\x7A\x7E\xA4\xA9\x3C\x38\x76\xA4\x62\x8E\xA0\x39\x5E\xEA\x77\xCF\x5D\x00\x59\x8F\x66\x2C\x3E\x07\xA2\xA3\x05\x26\x11\x69\x97\xEA\x85\xB7\x0F\x96\x0B\x4B\xC8\x40\xE1\x50\xBA\x2E\x8A\xCB\xF7\x0F\x9A\x22\xE7\x7F\x9A\x37\x13\xCD\xF2\x4D\x13\x6B\x21\xD1\xC0\xCC\x22\xF2\xA1\x46\xF6\x44\x69\x9C\xCA\x61\x35\x07\x00\x6F\xD6\x61\x08\x11\xEA\xBA\xB8\xF6\xE9\xB3\x60\xE5\x4D\xB9\xEC\x9F\x14\x66\xC9\x57\x58\xDB\xCD\x87\x69\xF8\x8A\x86\x12\x03\x47\xBF\x66\x13\x76\xAC\x77\x7D\x34\x24\x85\x83\xCD\xD7\xAA\x9C\x90\x1A\x9F\x21\x2C\x7F\x78\xB7\x64\xB8\xD8\xE8\xA6\xF4\x78\xB3\x55\xCB\x84\xD2\x32\xC4\x78\xAE\xA3\x8F\x61\xDD\xCE\x08\x53\xAD\xEC\x88\xFC\x15\xE4\x9A\x0D\xE6\x9F\x1A\x77\xCE\x4C\x8F\xB8\x14\x15\x3D\x62\x9C\x86\x38\x06\x00\x66\x12\xE4\x59\x76\x5A\x53\xC0\x02\x98\xA2\x10\x2B\x68\x44\x7B\x8E\x79\xCE\x33\x4A\x76\xAA\x5B\x81\x16\x1B\xB5\x8A\xD8\xD0\x00\x7B\x5E\x62\xB4\x09\xD6\x86\x63\x0E\xA6\x05\x95\x49\xBA\x28\x8B\x88\x93\xB2\x34\x1C\xD8\xA4\x55\x6E\xB7\x1C\xD0\xDE\x99\x55\x3B\x23\xF4\x22\xE0\xF9\x29\x66\x26\xEC\x20\x50\x77\xDB\x4A\x0B\x8F\xBE\xE5\x02\x60\x70\x41\x5E\xD4\xAE\x50\x39\x22\x14\x26\xCB\xB2\x3B\x73\x74\x55\x47\x07\x79\x81\x39\xA8\x30\x13\x44\xE5\x04\x8A\xAE\x96\x13\x25\x42\x0F\xB9\x53\xC4\x9B\xFC\xCD\xE4\x1C\xDE\x3C\xFA\xAB\xD6\x06\x4A\x1F\x67\xA6\x98\x30\x1C\xDD\x2C\xDB\xDC\x18\x95\x57\x66\xC6\xFF\x5C\x8B\x56\xF5\x77\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xF9\x60\xBB\xD4\xE3\xD5\x34\xF6\xB8\xF5\x06\x80\x25\xA7\x73\xDB\x46\x69\xA8\x9E\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xF9\x60\xBB\xD4\xE3\xD5\x34\xF6\xB8\xF5\x06\x80\x25\xA7\x73\xDB\x46\x69\xA8\x9E\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0
B\x05\x00\x03\x82\x02\x01\x00\x56\xB3\x8E\xCB\x0A\x9D\x49\x8E\xBF\xA4\xC4\x91\xBB\x66\x17\x05\x51\x98\x75\xFB\xE5\x50\x2C\x7A\x9E\xF1\x14\xFA\xAB\xD3\x8A\x3E\xFF\x91\x29\x8F\x63\x8B\xD8\xB4\xA9\x54\x01\x0D\xBE\x93\x86\x2F\xF9\x4A\x6D\xC7\x5E\xF5\x57\xF9\xCA\x55\x1C\x12\xBE\x47\x0F\x36\xC5\xDF\x6A\xB7\xDB\x75\xC2\x47\x25\x7F\xB9\xF1\x63\xF8\x68\x2D\x55\x04\xD1\xF2\x8D\xB0\xA4\xCF\xBC\x3C\x5E\x1F\x78\xE7\xA5\xA0\x20\x70\xB0\x04\xC5\xB7\xF7\x72\xA7\xDE\x22\x0D\xBD\x33\x25\x46\x8C\x64\x92\x26\xE3\x3E\x2E\x63\x96\xDA\x9B\x8C\x3D\xF8\x18\x09\xD7\x03\xCC\x7D\x86\x82\xE0\xCA\x04\x07\x51\x50\xD7\xFF\x92\xD5\x0C\xEF\xDA\x86\x9F\x99\xD7\xEB\xB7\xAF\x68\xE2\x39\x26\x94\xBA\x68\xB7\xBF\x83\xD3\xEA\x7A\x67\x3D\x62\x67\xAE\x25\xE5\x72\xE8\xE2\xE4\xEC\xAE\x12\xF6\x4B\x2B\x3C\x9F\xE9\xB0\x40\xF3\x38\x54\xB3\xFD\xB7\x68\xC8\xDA\xC6\x8F\x51\x3C\xB2\xFB\x91\xDC\x1C\xE7\x9B\x9D\xE1\xB7\x0D\x72\x8F\xE2\xA4\xC4\xA9\x78\xF9\xEB\x14\xAC\xC6\x43\x05\xC2\x65\x39\x28\x18\x02\xC3\x82\xB2\x9D\x05\xBE\x65\xED\x96\x5F\x65\x74\x3C\xFB\x09\x35\x2E\x7B\x9C\x13\xFD\x1B\x0F\x5D\xC7\x6D\x81\x3A\x56\x0F\xCC\x3B\xE1\xAF\x02\x2F\x22\xAC\x46\xCA\x46\x3C\xA0\x1C\x4C\xD6\x44\xB4\x5E\x2E\x5C\x15\x66\x09\xE1\x26\x29\xFE\xC6\x52\x61\xBA\xB1\x73\xFF\xC3\x0C\x9C\xE5\x6C\x6A\x94\x3F\x14\xCA\x40\x16\x95\x84\xF3\x59\xA9\xAC\x5F\x4C\x61\x93\x6D\xD1\x3B\xCC\xA2\x95\x0C\x22\xA6\x67\x67\x44\x2E\xB9\xD9\xD2\x8A\x41\xB3\x66\x0B\x5A\xFB\x7D\x23\xA5\xF2\x1A\xB0\xFF\xDE\x9B\x83\x94\x2E\xD1\x3F\xDF\x92\xB7\x91\xAF\x05\x3B\x65\xC7\xA0\x6C\xB1\xCD\x62\x12\xC3\x90\x1B\xE3\x25\xCE\x34\xBC\x6F\x77\x76\xB1\x10\xC3\xF7\x05\x1A\xC0\xD6\xAF\x74\x62\x48\x17\x77\x92\x69\x90\x61\x1C\xDE\x95\x80\x74\x54\x8F\x18\x1C\xC3\xF3\x03\xD0\xBF\xA4\x43\x75\x86\x53\x18\x7A\x0A\x2E\x09\x1C\x36\x9F\x91\xFD\x82\x8A\x22\x4B\xD1\x0E\x50\x25\xDD\xCB\x03\x0C\x17\xC9\x83\x00\x08\x4E\x35\x4D\x8A\x8B\xED\xF0\x02\x94\x66\x2C\x44\x7F\xCB\x95\x27\x96\x17\xAD\x09\x30\xAC\xB6\x71\x17\x6E\x8B\x17\xF6\x1C\x09\xD4\x2D\x3B\x98\xA5\x71\xD3\x54\x13\xD9\x60\xF3\xF5\x4B\x6
6\x4F\xFA\xF1\xEE\x20\x12\x8D\xB4\xAC\x57\xB1\x45\x63\xA1\xAC\x76\xA9\xC2\xFB", + ["CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US"] = "\x30\x82\x02\x94\x30\x82\x02\x1A\xA0\x03\x02\x01\x02\x02\x08\x2C\x29\x9C\x5B\x16\xED\x05\x95\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x02\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0E\x30\x0C\x06\x03\x55\x04\x08\x0C\x05\x54\x65\x78\x61\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x48\x6F\x75\x73\x74\x6F\x6E\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\x53\x53\x4C\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x34\x30\x32\x06\x03\x55\x04\x03\x0C\x2B\x53\x53\x4C\x2E\x63\x6F\x6D\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x45\x43\x43\x30\x1E\x17\x0D\x31\x36\x30\x32\x31\x32\x31\x38\x31\x35\x32\x33\x5A\x17\x0D\x34\x31\x30\x32\x31\x32\x31\x38\x31\x35\x32\x33\x5A\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0E\x30\x0C\x06\x03\x55\x04\x08\x0C\x05\x54\x65\x78\x61\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x48\x6F\x75\x73\x74\x6F\x6E\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\x53\x53\x4C\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x34\x30\x32\x06\x03\x55\x04\x03\x0C\x2B\x53\x53\x4C\x2E\x63\x6F\x6D\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x45\x43\x43\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xAA\x12\x47\x90\x98\x1B\xFB\xEF\xC3\x40\x07\x83\x20\x4E\xF1\x30\x82\xA2\x06\xD1\xF2\x92\x86\x61\xF2\xF6\x21\x68\xCA\x00\xC4\xC7\xEA\x43\x00\x54\x86\xDC\xFD\x1F\xDF\x00\xB8\x41\x62\x5C\xDC\x70\x16\x32\xDE\x1F\x99\xD4\xCC\xC5\x07\xC8\x08\x1F\x61\x16\x07\x51\x3D\x7D\x5C\x07\x53\xE3\x35\x38\x8C\xDF\xCD\x9F\xD9\x2E\x0D\x4A\xB6\x19\x2E\x5A\x70\x5A\x06\xED\xBE\xF0\xA1\xB0\xCA\xD0\x09\x29\xA3\x63\x30\x61\x30\x1D\x06\x03\x55\x1D\x
0E\x04\x16\x04\x14\x5B\xCA\x5E\xE5\xDE\xD2\x81\xAA\xCD\xA8\x2D\x64\x51\xB6\xD9\x72\x9B\x97\xE6\x4F\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x5B\xCA\x5E\xE5\xDE\xD2\x81\xAA\xCD\xA8\x2D\x64\x51\xB6\xD9\x72\x9B\x97\xE6\x4F\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x02\x03\x68\x00\x30\x65\x02\x31\x00\x8A\xE6\x40\x89\x37\xEB\xE9\xD5\x13\xD9\xCA\xD4\x6B\x24\xF3\xB0\x3D\x87\x46\x58\x1A\xEC\xB1\xDF\x6F\xFB\x56\xBA\x70\x6B\xC7\x38\xCC\xE8\xB1\x8C\x4F\x0F\xF7\xF1\x67\x76\x0E\x83\xD0\x1E\x51\x8F\x02\x30\x3D\xF6\x23\x28\x26\x4C\xC6\x60\x87\x93\x26\x9B\xB2\x35\x1E\xBA\xD6\xF7\x3C\xD1\x1C\xCE\xFA\x25\x3C\xA6\x1A\x81\x15\x5B\xF3\x12\x0F\x6C\xEE\x65\x8A\xC9\x87\xA8\xF9\x07\xE0\x62\x9A\x8C\x5C\x4A", }; From 01a96239e11ce478b2b58e4d1a51fc0a0f3ee1b7 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 20 Feb 2018 09:02:15 -0800 Subject: [PATCH 330/631] Add removed root certificate back to test that requires it. Test has a trace that contains a WoSign certificate - they are no longer recognized by pretty much anyone. --- .../base/files/x509/signed_certificate_timestamp.test | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test index 8bb920ee71..7ca60faf96 100644 --- a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test 
@@ -5,6 +5,11 @@ redef SSL::ssl_store_valid_chain = T; +# Test needs a certificate that has since been removed from root stores +redef SSL::root_certs += { + ["CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN"] = "\x30\x82\x05\x76\x30\x82\x03\x5E\xA0\x03\x02\x01\x02\x02\x10\x5E\x68\xD6\x11\x71\x94\x63\x50\x56\x00\x68\xF3\x3E\xC9\xC5\x91\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x55\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x13\x21\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x6F\x66\x20\x57\x6F\x53\x69\x67\x6E\x30\x1E\x17\x0D\x30\x39\x30\x38\x30\x38\x30\x31\x30\x30\x30\x31\x5A\x17\x0D\x33\x39\x30\x38\x30\x38\x30\x31\x30\x30\x30\x31\x5A\x30\x55\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x13\x21\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x6F\x66\x20\x57\x6F\x53\x69\x67\x6E\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xBD\xCA\x8D\xAC\xB8\x91\x15\x56\x97\x7B\x6B\x5C\x7A\xC2\xDE\x6B\xD9\xA1\xB0\xC3\x10\x23\xFA\xA7\xA1\xB2\xCC\x31\xFA\x3E\xD9\xA6\x29\x6F\x16\x3D\xE0\x6B\xF8\xB8\x40\x5F\xDB\x39\xA8\x00\x7A\x8B\xA0\x4D\x54\x7D\xC2\x22\x78\xFC\x8E\x09\xB8\xA8\x85\xD7\xCC\x95\x97\x4B\x74\xD8\x9E\x7E\xF0\x00\xE4\x0E\x89\xAE\x49\x28\x44\x1A\x10\x99\x32\x0F\x25\x88\x53\xA4\x0D\xB3\x0F\x12\x08\x16\x0B\x03\x71\x27\x1C\x7F\xE1\xDB\xD2\xFD\x67\x68\xC4\x05\x5D\x0A\x0E\x5D\x70\xD7\xD8\x97\xA0\xBC\x53\x41\x9A\x91\x8D\xF4\x9E\x36\x66\x7A\x7E\x56\xC1\x90\x5F\xE6\xB1\x68\x20\x36\xA4\x8C\x24\x2C\x2C\x47\x0B\x59\x76\x66\x30\xB5\xBE\xDE\xED\x8F\xF8\x9D\xD3\xBB\
x01\x30\xE6\xF2\xF3\x0E\xE0\x2C\x92\x80\xF3\x85\xF9\x28\x8A\xB4\x54\x2E\x9A\xED\xF7\x76\xFC\x15\x68\x16\xEB\x4A\x6C\xEB\x2E\x12\x8F\xD4\xCF\xFE\x0C\xC7\x5C\x1D\x0B\x7E\x05\x32\xBE\x5E\xB0\x09\x2A\x42\xD5\xC9\x4E\x90\xB3\x59\x0D\xBB\x7A\x7E\xCD\xD5\x08\x5A\xB4\x7F\xD8\x1C\x69\x11\xF9\x27\x0F\x7B\x06\xAF\x54\x83\x18\x7B\xE1\xDD\x54\x7A\x51\x68\x6E\x77\xFC\xC6\xBF\x52\x4A\x66\x46\xA1\xB2\x67\x1A\xBB\xA3\x4F\x77\xA0\xBE\x5D\xFF\xFC\x56\x0B\x43\x72\x77\x90\xCA\x9E\xF9\xF2\x39\xF5\x0D\xA9\xF4\xEA\xD7\xE7\xB3\x10\x2F\x30\x42\x37\x21\xCC\x30\x70\xC9\x86\x98\x0F\xCC\x58\x4D\x83\xBB\x7D\xE5\x1A\xA5\x37\x8D\xB6\xAC\x32\x97\x00\x3A\x63\x71\x24\x1E\x9E\x37\xC4\xFF\x74\xD4\x37\xC0\xE2\xFE\x88\x46\x60\x11\xDD\x08\x3F\x50\x36\xAB\xB8\x7A\xA4\x95\x62\x6A\x6E\xB0\xCA\x6A\x21\x5A\x69\xF3\xF3\xFB\x1D\x70\x39\x95\xF3\xA7\x6E\xA6\x81\x89\xA1\x88\xC5\x3B\x71\xCA\xA3\x52\xEE\x83\xBB\xFD\xA0\x77\xF4\xE4\x6F\xE7\x42\xDB\x6D\x4A\x99\x8A\x34\x48\xBC\x17\xDC\xE4\x80\x08\x22\xB6\xF2\x31\xC0\x3F\x04\x3E\xEB\x9F\x20\x79\xD6\xB8\x06\x64\x64\x02\x31\xD7\xA9\xCD\x52\xFB\x84\x45\x69\x09\x00\x2A\xDC\x55\x8B\xC4\x06\x46\x4B\xC0\x4A\x1D\x09\x5B\x39\x28\xFD\xA9\xAB\xCE\x00\xF9\x2E\x48\x4B\x26\xE6\x30\x4C\xA5\x58\xCA\xB4\x44\x82\x4F\xE7\x91\x1E\x33\xC3\xB0\x93\xFF\x11\xFC\x81\xD2\xCA\x1F\x71\x29\xDD\x76\x4F\x92\x25\xAF\x1D\x81\xB7\x0F\x2F\x8C\xC3\x06\xCC\x2F\x27\xA3\x4A\xE4\x0E\x99\xBA\x7C\x1E\x45\x1F\x7F\xAA\x19\x45\x96\xFD\xFC\x3D\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE1\x66\xCF\x0E\xD1\xF1\xB3\x4B\xB7\x06\x20\x14\xFE\x87\x12\xD5\xF6\xFE\xFB\x3E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\xA8\xCB\x72\x40\xB2\x76\xC1\x7E\x7B\xFC\xAD\x64\xE3\x32\x7B\xCC\x3C\xB6\x5D\x46\xD3\xF5\x2C\xE2\x70\x5D\xC8\x2E\xD8\x06\x7D\x98\xD1\x0B\x21\xA0\x89\x59\x24\x01\x9D\xF9\xAF\x09\x7D\x0A\x23\x82\x34\xD5\xFC\x7C\x72\
x99\xB9\xA3\xD7\x54\xF4\xEA\x52\x70\x0E\xC5\xF5\xD6\x3B\xE1\x3A\x09\x32\xE6\x21\x39\x93\xBD\xB3\x15\xEA\x4F\x6A\xF4\xF5\x8B\x3F\x2F\x7C\x8D\x58\x2E\xC5\xE1\x39\xA0\x3E\xC7\x3D\x4A\x73\x9E\x40\x7A\xC0\x2B\x61\xA9\x67\xC9\xF3\x24\xB9\xB3\x6D\x55\x2C\x5A\x1D\x9E\x25\x72\xCE\x0B\xAD\xAA\xC7\x55\x62\x0B\xBE\xFB\x63\xB3\x61\x44\x23\xA3\xCB\xE1\x1A\x0E\xF7\x9A\x06\x4D\xDE\xD4\x23\x4E\x21\x96\x5B\x39\x5B\x57\x1D\x2F\x5D\x08\x5E\x09\x79\xFF\x7C\x97\xB5\x4D\x83\xAE\x0D\xD6\xE6\xA3\x79\xE0\x33\xD0\x99\x96\x02\x30\xA7\x3E\xFF\xD2\xA3\x43\x3F\x05\x5A\x06\xEA\x44\x02\xDA\x7C\xF8\x48\xD0\x33\xA9\xF9\x07\xC7\x95\xE1\xF5\x3E\xF5\x5D\x71\xBA\xF2\x95\xA9\x74\x88\x61\x59\xE3\xBF\xCA\x5A\x13\xBA\x72\xB4\x8C\x5D\x36\x87\xE9\xA6\xC5\x3C\x13\xBF\xDE\xD0\x44\x26\xEE\xB7\xEC\x2E\x70\xFA\xD7\x9D\xB7\xAC\xE5\xC5\x40\x5A\xE6\xD7\x6C\x7B\x2C\xC3\x56\x9B\x47\xCD\x0B\xCE\xFA\x1B\xB4\x21\xD7\xB7\x66\xB8\xF4\x25\x30\x8B\x5C\x0D\xB9\xEA\x67\xB2\xF4\x6D\xAE\xD5\xA1\x9E\x4F\xD8\x9F\xE9\x27\x02\xB0\x1D\x06\xD6\x8F\xE3\xFB\x48\x12\x9F\x7F\x11\xA1\x10\x3E\x4C\x51\x3A\x96\xB0\xD1\x13\xF1\xC7\xD8\x26\xAE\x3A\xCA\x91\xC4\x69\x9D\xDF\x01\x29\x64\x51\x6F\x68\xDA\x14\xEC\x08\x41\x97\x90\x8D\xD0\xB2\x80\xF2\xCF\xC2\x3D\xBF\x91\x68\xC5\x80\x67\x1E\xC4\x60\x13\x55\xD5\x61\x99\x57\x7C\xBA\x95\x0F\x61\x49\x3A\xCA\x75\xBC\xC9\x0A\x93\x3F\x67\x0E\x12\xF2\x28\xE2\x31\x1B\xC0\x57\x16\xDF\x08\x7C\x19\xC1\x7E\x0F\x1F\x85\x1E\x0A\x36\x7C\x5B\x7E\x27\xBC\x7A\xBF\xE0\xDB\xF4\xDA\x52\xBD\xDE\x0C\x54\x70\x31\x91\x43\x95\xC8\xBC\xF0\x3E\xDD\x09\x7E\x30\x64\x50\xED\x7F\x01\xA4\x33\x67\x4D\x68\x4F\xBE\x15\xEF\xB0\xF6\x02\x11\xA2\x1B\x13\x25\x3A\xDC\xC2\x59\xF1\xE3\x5C\x46\xBB\x67\x2C\x02\x46\xEA\x1E\x48\xA6\xE6\x5B\xD9\xB5\xBC\x51\xA2\x92\x96\xDB\xAA\xC6\x37\x22\xA6\xFE\xCC\x20\x74\xA3\x2D\xA9\x2E\x6B\xCB\xC0\x82\x11\x21\xB5\x93\x79\xEE\x44\x86\xBE\xD7\x1E\xE4\x1E\xFB", +}; + export { type LogInfo: record { version: count; From 1d3a0e26e4942112d66614f50d7d3e1c0a2f209b Mon Sep 17 00:00:00 2001 
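Review bot: The new comment above `redef SSL::root_certs += {` does not name the CA or say why it was dropped; only the commit message explains that. Because this re-adds a root that the commit message says is no longer recognized by almost anyone, the comment should mark the entry as test-only, for example `# WoSign root, no longer trusted and removed from the shipped root store; re-added here only so the chain in this test's trace still validates.` That keeps the entry from being copied into a site's `SSL::root_certs` as if it were a current trust anchor.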
From: Daniel Thayer Date: Thu, 22 Feb 2018 14:59:04 -0600 Subject: [PATCH 331/631] Configure Travis CI email recipients and build branches --- .travis.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.travis.yml b/.travis.yml index c1383a886d..47cdea3ea7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -17,6 +17,15 @@ addons: - swig - zlib1g-dev +branches: + only: + - master + +notifications: + email: + recipients: + - bro-commits-internal@bro.org + install: ./configure && make -j 4 script: From e76b56ce530aff67422ab24c66c4de2ed8b467d7 Mon Sep 17 00:00:00 2001 
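Review bot: Nothing in the added `notifications:` block ties the mail to the upstream repository, so a fork that enables Travis with this file unchanged would presumably also send build mail to `bro-commits-internal@bro.org`. A comment above `recipients:` would at least tell fork owners what to do, for example `# Upstream only: remove or override these recipients before enabling CI on a fork.` Separately, `branches: only: - master` stops builds for every other branch, including release branches if the project has them. If that is intended, a short comment saying so would save the next reader from guessing.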
From: Seth Hall Date: Thu, 1 Mar 2018 08:36:32 -0800 Subject: [PATCH 332/631] Rework to the DHCP analyzer. Highlights: - Reduced all DHCP events into a single dhcp_message event. (removed legacy events since they weren't widely used anyway) - Support many more DHCP options. - DHCP log is completely reworked and now represents DHCP sessions based on the transaction ID (and works on clusters). - Removed the known-devices-and-hostnames script since it's generally less relevant now with the updated log. --- scripts/base/init-bare.bro | 157 ++++-- scripts/base/protocols/dhcp/consts.bro | 199 ++++++- scripts/base/protocols/dhcp/dpd.sig | 4 +- scripts/base/protocols/dhcp/main.bro | 277 ++++++--- scripts/base/protocols/dhcp/utils.bro | 19 - scripts/policy/misc/known-devices.bro | 6 - .../dhcp/known-devices-and-hostnames.bro | 37 -- scripts/policy/protocols/dhcp/msg-orig.bro | 21 + scripts/policy/protocols/dhcp/software.bro | 63 +++ scripts/policy/protocols/dhcp/sub-opts.bro | 45 ++ scripts/test-all-policy.bro | 4 +- src/analyzer/protocol/dhcp/dhcp-analyzer.pac | 234 ++------ src/analyzer/protocol/dhcp/dhcp-options.pac | 530 +++++++++++++++--- src/analyzer/protocol/dhcp/dhcp-protocol.pac | 50 +- src/analyzer/protocol/dhcp/events.bif | 198 +------ src/analyzer/protocol/dhcp/types.bif | 6 +- .../Baseline/core.print-bpf-filters/output2 | 9 +- .../canonified_loaded_scripts.log | 5 +- .../canonified_loaded_scripts.log | 6 +- testing/btest/Baseline/plugins.hooks/output | 23 +- .../dhcp.log | 10 +- .../dhcp.log | 12 +- .../dhcp.log | 10 +- .../dhcp.log | 10 + .../dhcp.log | 10 +- .../known_devices.log | 11 - .../base/protocols/dhcp/dhcp-sub-opts.btest | 2 + .../known-devices-and-hostnames/basic.test | 8 - 28 files changed, 1234 insertions(+), 732 deletions(-) delete mode 100644 scripts/base/protocols/dhcp/utils.bro delete mode 100644 scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro create mode 100644 scripts/policy/protocols/dhcp/msg-orig.bro create mode 100644 
scripts/policy/protocols/dhcp/software.bro create mode 100644 scripts/policy/protocols/dhcp/sub-opts.bro create mode 100644 testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-sub-opts/dhcp.log delete mode 100644 testing/btest/Baseline/scripts.policy.protocols.dhcp.known-devices-and-hostnames.basic/known_devices.log create mode 100644 testing/btest/scripts/base/protocols/dhcp/dhcp-sub-opts.btest delete mode 100644 testing/btest/scripts/policy/protocols/dhcp/known-devices-and-hostnames/basic.test diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 9ea7a4ce00..cfffdc4af5 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -3061,10 +3061,11 @@ module GLOBAL; module DHCP; export { - ## A list of router addresses offered by a DHCP server. + ## A list of addresses offered by a DHCP server. Could be routers, + ## DNS servers, or other. ## ## .. bro:see:: dhcp_ack dhcp_offer - type DHCP::RouterList: table[count] of addr; + type DHCP::Addrs: vector of addr; ## A DHCP message. ## .. bro:see:: dhcp_ack dhcp_decline dhcp_discover dhcp_inform dhcp_nak 
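Review bot: The `.. bro:see:: dhcp_ack dhcp_offer` line kept above the renamed type, and the `.. bro:see::` list under `## A DHCP message.`, still point at events that the commit description says were folded into a single `dhcp_message` event, so both cross-references look stale. I would change them to `## .. bro:see:: dhcp_message`. Replacing `DHCP::RouterList` (a `table[count] of addr`) with `DHCP::Addrs` (a `vector of addr`) changes both the name and the container type for any external script that used it. That deserves a line in the release notes if it is not already covered in a file outside this hunk. The `export` block continues outside the hunk.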
@@ -3073,20 +3074,17 @@ export { op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY m_type: count; ##< The type of DHCP message. xid: count; ##< Transaction ID of a DHCP session. - h_addr: string; ##< Hardware address of the client. + ## Number of seconds since client began address acquisition + ## or renewal process + secs: interval; + flags: count; ciaddr: addr; ##< Original IP address of the client. yiaddr: addr; ##< IP address assigned to the client. - }; - - ## DHCP Parameter Request list (Option 55) - ## .. bro:see:: dhcp_request dhcp_discover - type DHCP::ParamsList: table[count] of count; - - ## DHCP Relay Agent Information Option (Option 82) - ## .. bro:see:: dhcp_ack - type DHCP::SubOpt: record { - code: count; - value: string; + siaddr: addr; ##< IP address of the server. + giaddr: addr; ##< IP address of the relaying gateway. + chaddr: string; ##< Client hardware address. + sname: string &default=""; ##< Server host name. + file_n: string &default=""; ##< Boot file name. }; ## DHCP Client Identifier (Option 61) 
@@ -3096,36 +3094,113 @@ export { hwaddr: string; }; - type DHCP::SubOptList: table[count] of DHCP::SubOpt; - - type DHCP::Options: record { - subnet_mask: addr &optional; - - host_name: string &optional; - - req_addr: addr &optional; - - router_list: DHCP::RouterList &optional; - - lease: interval &optional; - - serv_addr: addr &optional; - - ## DHCP Parameter Request list (Option 55) - param_list: DHCP::ParamsList &optional; - - ren_time: interval &optional; - - reb_time: interval &optional; - - ## DHCP Client Identifier (Option 61) - client_id: DHCP::ClientID &optional; - - ## DHCP Relay Agent Information Option (Option 82) - sub_opt: DHCP::SubOptList &optional; + ## DHCP Client FQDN Option information (Option 81) + type DHCP::ClientFQDN: record { + ## An unparsed bitfield of flags (refer to RFC 4702). + flags: count; + ## This field is deprecated in the standard. + rcode1: count; + ## This field is deprecated in the standard. + rcode2: count; + ## The Domain Name part of the option carries all or part of the FQDN of + ## a DHCP client. + domain_name: string; }; + ## DHCP Relay Agent Information Option (Option 82) + ## .. bro:see:: dhcp_ack + type DHCP::SubOpt: record { + code: count; + value: string; + }; + type DHCP::SubOpts: vector of DHCP::SubOpt; + + type DHCP::Options: record { + ## The ordered list of DHCP all DHCP options numbers. + options: index_vec &optional; + + ## Subnet Mask Value (option 1) + subnet_mask: addr &optional; + + ## Router addresses (option 3) + routers: DHCP::Addrs &optional; + + ## DNS Server addresses (option 6) + dns_servers: DHCP::Addrs &optional; + + ## The Hostname of the client (option 12) + host_name: string &optional; + + ## The DNS domain name of the client (option 15) + domain_name: string &optional; + + ## Enable/Disable IP Forwarding (option 19) + forwarding: bool &optional; + + ## Broadcast Address (option 28) + broadcast: addr &optional; + + ## Vendor specific data. This can frequently + ## be unparsed binary data. 
(option 43) + vendor: string &optional; + + ## NETBIOS name server list (option 44) + nbns: DHCP::Addrs &optional; + + ## Address requested by the client (option 50) + addr_request: addr &optional; + + ## Lease time offered by the server. (option 51) + lease: interval &optional; + + ## Server address to allow clients to distinguish + ## between lease offers. (option 54) + serv_addr: addr &optional; + + ## DHCP Parameter Request list (option 55) + param_list: index_vec &optional; + + ## Textual error message (option 56) + message: string &optional; + + ## Maximum Message Size (option 57) + max_msg_size: count &optional; + + ## This option specifies the time interval from address + ## assignment until the client transitions to the + ## RENEWING state. (option 58) + renewal_time: interval &optional; + + ## This option specifies the time interval from address + ## assignment until the client transitions to the + ## REBINDING state. (option 59) + rebinding_time: interval &optional; + + ## This option is used by DHCP clients to optionally + ## identify the vendor type and configuration of a DHCP + ## client. (option 60) + vendor_class: string &optional; + + ## DHCP Client Identifier (Option 61) + client_id: DHCP::ClientID &optional; + + ## User Class opaque value (Option 77) + user_class: string &optional; + + ## DHCP Client FQDN (Option 81) + client_fqdn: DHCP::ClientFQDN &optional; + + ## DHCP Relay Agent Information Option (Option 82) + sub_opt: DHCP::SubOpts &optional; + + ## Auto Config option to let host know if it's allowed to + ## auto assign an IP address. (Option 116) + auto_config: bool &optional; + + ## URL to find a proxy.pac for auto proxy config (Option 252) + auto_proxy_config: string &optional; + }; } module GLOBAL; diff --git a/scripts/base/protocols/dhcp/consts.bro b/scripts/base/protocols/dhcp/consts.bro index 1ca47ac36f..6a7c1cea6c 100644 --- a/scripts/base/protocols/dhcp/consts.bro +++ b/scripts/base/protocols/dhcp/consts.bro 
@@ -4,27 +4,186 @@ module DHCP; export { - - ## Types of DHCP messages. See :rfc:`1533`. + ## Types of DHCP messages. See :rfc:`1533`, :rfc:`3203`, + ## :rfc:`4388`, :rfc:`6926`, and :rfc:`7724`. const message_types = { - [1] = "DHCP_DISCOVER", - [2] = "DHCP_OFFER", - [3] = "DHCP_REQUEST", - [4] = "DHCP_DECLINE", - [5] = "DHCP_ACK", - [6] = "DHCP_NAK", - [7] = "DHCP_RELEASE", - [8] = "DHCP_INFORM", - [9] = "DHCP_FORCERENEW", - [10] = "DHCP_LEASEQUERY", - [11] = "DHCP_LEASEUNASSIGNED", - [12] = "DHCP_DHCPLEASEUNKNOWN", - [13] = "DHCP_LEASEACTIVE", - [14] = "DHCP_BULKLEASEQUERY", - [15] = "DHCP_LEASEQUERYDONE", - [16] = "DHCP_ACTIVELEASEQUERY", - [17] = "DHCP_LEASEQUERYSTATUS", - [18] = "DHCP_TLS", + [1] = "DISCOVER", + [2] = "OFFER", + [3] = "REQUEST", + [4] = "DECLINE", + [5] = "ACK", + [6] = "NAK", + [7] = "RELEASE", + [8] = "INFORM", + [9] = "FORCERENEW", # RFC3203 + [10] = "LEASEQUERY", # RFC4388 + [11] = "LEASEUNASSIGNED", # RFC4388 + [12] = "LEASEUNKNOWN", # RFC4388 + [13] = "LEASEACTIVE", # RFC4388 + [14] = "BULKLEASEQUERY", # RFC6926 + [15] = "LEASEQUERYDONE", # RFC6926 + [16] = "ACTIVELEASEQUERY", # RFC7724 + [17] = "LEASEQUERYSTATUS", # RFC7724 + [18] = "TLS", # RFC7724 } &default = function(n: count): string { return fmt("unknown-message-type-%d", n); }; + ## Option types mapped to their names. 
+ const option_types: table[int] of string = { + [0] = "Pad", + [1] = "Subnet Mask", + [2] = "Time Offset", + [3] = "Router", + [4] = "Time Server", + [5] = "Name Server", + [6] = "Domain Server", + [7] = "Log Server", + [8] = "Quotes Server", + [9] = "LPR Server", + [10] = "Impress Server", + [11] = "RLP Server", + [12] = "Hostname", + [13] = "Boot File Size", + [14] = "Merit Dump File", + [15] = "Domain Name", + [16] = "Swap Server", + [17] = "Root Path", + [18] = "Extension File", + [19] = "Forward On/Off", + [20] = "SrcRte On/Off", + [21] = "Policy Filter", + [22] = "Max DG Assembly", + [23] = "Default IP TTL", + [24] = "MTU Timeout", + [25] = "MTU Plateau", + [26] = "MTU Interface", + [27] = "MTU Subnet", + [28] = "Broadcast Address", + [29] = "Mask Discovery", + [30] = "Mask Supplier", + [31] = "Router Discovery", + [32] = "Router Request", + [33] = "Static Route", + [34] = "Trailers", + [35] = "ARP Timeout", + [36] = "Ethernet", + [37] = "Default TCP TTL", + [38] = "Keepalive Time", + [39] = "Keepalive Data", + [40] = "NIS Domain", + [41] = "NIS Servers", + [42] = "NTP Servers", + [43] = "Vendor Specific", + [44] = "NETBIOS Name Srv", + [45] = "NETBIOS Dist Srv", + [46] = "NETBIOS Node Type", + [47] = "NETBIOS Scope", + [48] = "X Window Font", + [49] = "X Window Manager", + [50] = "Address Request", + [51] = "Address Time", + [52] = "Overload", + [53] = "DHCP Msg Type", + [54] = "DHCP Server Id", + [55] = "Parameter List", + [56] = "DHCP Message", + [57] = "DHCP Max Msg Size", + [58] = "Renewal Time", + [59] = "Rebinding Time", + [60] = "Class Id", + [61] = "Client Id", + [62] = "NetWare/IP Domain", + [63] = "NetWare/IP Option", + [64] = "NIS-Domain-Name", + [65] = "NIS-Server-Addr", + [66] = "Server-Name", + [67] = "Bootfile-Name", + [68] = "Home-Agent-Addrs", + [69] = "SMTP-Server", + [70] = "POP3-Server", + [71] = "NNTP-Server", + [72] = "WWW-Server", + [73] = "Finger-Server", + [74] = "IRC-Server", + [75] = "StreetTalk-Server", + [76] = "STDA-Server", + 
[77] = "User-Class", + [78] = "Directory Agent", + [79] = "Service Scope", + [80] = "Rapid Commit", + [81] = "Client FQDN", + [82] = "Relay Agent Information", + [83] = "iSNS", + [85] = "NDS Servers", + [86] = "NDS Tree Name", + [87] = "NDS Context", + [88] = "BCMCS Controller Domain Name list", + [89] = "BCMCS Controller IPv4 address option", + [90] = "Authentication", + [91] = "client-last-transaction-time option", + [92] = "associated-ip option", + [93] = "Client System", + [94] = "Client NDI", + [95] = "LDAP", + [97] = "UUID/GUID", + [98] = "User-Auth", + [99] = "GEOCONF_CIVIC", + [100] = "PCode", + [101] = "TCode", + [112] = "Netinfo Address", + [113] = "Netinfo Tag", + [114] = "URL", + [116] = "Auto-Config", + [117] = "Name Service Search", + [118] = "Subnet Selection Option", + [119] = "Domain Search", + [120] = "SIP Servers DHCP Option", + [121] = "Classless Static Route Option", + [122] = "CCC", + [123] = "GeoConf Option", + [124] = "V-I Vendor Class", + [125] = "V-I Vendor-Specific Information", + [128] = "PXE - undefined (vendor specific)", + [129] = "PXE - undefined (vendor specific)", + [130] = "PXE - undefined (vendor specific)", + [131] = "PXE - undefined (vendor specific)", + [132] = "IEEE 802.1Q VLAN ID", + [133] = "IEEE 802.1D/p Layer 2 Priority", + [134] = "Diffserv Code Point (DSCP) for VoIP signalling and media streams", + [135] = "HTTP Proxy for phone-specific applications", + [136] = "OPTION_PANA_AGENT", + [137] = "OPTION_V4_LOST", + [138] = "OPTION_CAPWAP_AC_V4", + [139] = "OPTION-IPv4_Address-MoS", + [140] = "OPTION-IPv4_FQDN-MoS", + [141] = "SIP UA Configuration Service Domains", + [142] = "OPTION-IPv4_Address-ANDSF", + [144] = "GeoLoc", + [145] = "FORCERENEW_NONCE_CAPABLE", + [146] = "RDNSS Selection", + [150] = "TFTP server address", + [151] = "status-code", + [152] = "base-time", + [153] = "start-time-of-state", + [154] = "query-start-time", + [155] = "query-end-time", + [156] = "dhcp-state", + [157] = "data-source", + [158] = 
"OPTION_V4_PCP_SERVER", + [159] = "OPTION_V4_PORTPARAMS", + [160] = "DHCP Captive-Portal", + [161] = "OPTION_MUD_URL_V4 (TEMPORARY - registered 2016-11-17)", + [175] = "Etherboot (Tentatively Assigned - 2005-06-23)", + [176] = "IP Telephone (Tentatively Assigned - 2005-06-23)", + [177] = "PacketCable and CableHome (replaced by 122)", + [208] = "PXELINUX Magic", + [209] = "Configuration File", + [210] = "Path Prefix", + [211] = "Reboot Time", + [212] = "OPTION_6RD", + [213] = "OPTION_V4_ACCESS_DOMAIN", + [220] = "Subnet Allocation Option", + [221] = "Virtual Subnet Selection (VSS) Option", + [252] = "auto-proxy-config", + [255] = "End", + } &default = function(n: int): string { return fmt("unknown-option-type-%d", n); }; } diff --git a/scripts/base/protocols/dhcp/dpd.sig b/scripts/base/protocols/dhcp/dpd.sig index 010920e2d8..85aa23ea16 100644 --- a/scripts/base/protocols/dhcp/dpd.sig +++ b/scripts/base/protocols/dhcp/dpd.sig @@ -1,5 +1,5 @@ signature dhcp_cookie { ip-proto == udp - payload /^.*\x63\x82\x53\x63/ + payload /^.{236}\x63\x82\x53\x63/ enable "dhcp" -} \ No newline at end of file +} diff --git a/scripts/base/protocols/dhcp/main.bro b/scripts/base/protocols/dhcp/main.bro index 0b45d69a4b..01ca96225c 100644 --- a/scripts/base/protocols/dhcp/main.bro +++ b/scripts/base/protocols/dhcp/main.bro 
@@ -1,12 +1,11 @@ -##! Analyzes DHCP traffic in order to log DHCP leases given to clients. -##! This script ignores large swaths of the protocol, since it is rather -##! noisy on most networks, and focuses on the end-result: assigned leases. -##! -##! If you'd like to track known DHCP devices and to log the hostname -##! supplied by the client, see -##! :doc:`/scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro`. +##! Analyze DHCP traffic and provide a log that is organized around +##! the idea of a DHCP "conversation" defined by messaes exchanged within +##! a relatively short period of time using the same transaction ID. +##! The log will have information from clients and servers to give a more +##! complete picture of what happened. -@load ./utils.bro +@load base/frameworks/cluster +@load ./consts module DHCP; 
@@ -17,34 +16,81 @@ export { type Info: record { ## The earliest time at which a DHCP message over the ## associated connection is observed. - ts: time &log; - ## A unique identifier of the connection over which DHCP is - ## occurring. - uid: string &log; - ## The connection's 4-tuple of endpoint addresses/ports. - id: conn_id &log; + ts: time &log; + + ## A series of unique identifiers of the connections over which + ## DHCP is occurring. This behavior with multiple connections is + ## unique to DHCP because of the way it uses broadcast packets + ## on local networks. + uids: set[string] &log; + + ## IP address of the client. If a transaction + ## is only a client sending INFORM messages then + ## there is no lease information exchanged so this + ## is helpful to know who sent the messages. + ## Getting an address in this field does require + ## that the client sources at least one DHCP message + ## using a non-broadcast address. + client_addr: addr &log &optional; + ## IP address of the server involved in actually + ## handing out the lease. There could be other + ## servers replying with OFFER messages which won't + ## be represented here. Getting an address in this + ## field also requires that the server handing out + ## the lease also sources packets from a non-broadcast + ## IP address. + server_addr: addr &log &optional; + ## Client's hardware address. - mac: string &log &optional; - ## Client's actual assigned IP address. - assigned_ip: addr &log &optional; + mac: string &log &optional; + + ## Name given by client in Hostname option 12. + host_name: string &log &optional; + ## FQDN given by client in Client FQDN option 81. + client_fqdn: string &log &optional; + ## Domain given by the server in option 15. + domain: string &log &optional; + + ## IP address requested by the client. + requested_addr: addr &log &optional; + ## IP address assigned by the server. + assigned_addr: addr &log &optional; ## IP address lease interval. 
- lease_time: interval &log &optional; - ## A random number chosen by the client for this transaction. - trans_id: count &log; - ## the message type - msg_type: string &log &optional; - ## client ID - client_id: string &log &optional; - ## the server ID - server_id: addr &log &optional; - ## the host name - host_name: string &log &optional; - ## the subscriber id (if present) - subscriber_id: string &log &optional; - ## the agent remote id (if present) - agent_remote_id: string &log &optional; + lease_time: interval &log &optional; + + ## Message typically accompanied with a DHCP_DECLINE + ## so the client can tell the server why it rejected + ## an address. + client_message: string &log &optional; + ## Message typically accompanied with a DHCP_NAK to let + ## the client know why it rejected the request. + server_message: string &log &optional; + + ## The DHCP message types seen by this DHCP transaction + msg_types: vector of string &log &default=string_vec(); + + ## Duration of the DHCP "session" representing the + ## time from the first message to the last. + duration: interval &log &default=0secs; }; + ## The maximum amount of time that a transation ID will be watched + ## for to try and tie messages together into a single DHCP + ## transaction narrative. + const DHCP::max_txid_watch_time = 30secs &redef; + + ## This event is used internally to distribute data around clusters + ## since DHCP doesn't follow the normal "connection" model used by + ## most protocols. It can also be handled to extend the DHCP log. + ## bro:see::`DHCP::log_info`. + global DHCP::aggregate_msgs: event(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options); + + ## This is a global variable that is only to be used in the + ## :bro::see::`DHCP::aggregate_msgs` event. It can be used to avoid + ## looking up the info record for a transaction ID in every event handler + ## for :bro:see::`DHCP::aggregate_msgs`. 
+ global DHCP::log_info: Info; + ## Event that can be handled to access the DHCP ## record as it is sent on to the logging framework. global log_dhcp: event(rec: Info); @@ -55,8 +101,13 @@ redef record connection += { dhcp: Info &optional; }; +redef record Info += { + last_message_ts: time &optional; +}; + # 67/udp is the server's port, 68/udp the client. -const ports = { 67/udp, 68/udp }; +# 4011/udp seems to be some proxyDHCP thing. +const ports = { 67/udp, 68/udp, 4011/udp }; redef likely_server_ports += { 67/udp }; event bro_init() &priority=5 
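Review bot: The reworked `Info` record drops `trans_id`, yet the transaction ID is what the rest of this file uses to join messages into one row, so dhcp.log no longer shows which xid a session was built from. Keeping a field such as `trans_id: count &log &optional;`, set where the record is created in a later hunk, would let an analyst tie a row back to packets and notice rows that merged unrelated hosts. The cross-references in the new comments are also malformed: the `bro:see::` and `:bro::see::` forms should be `:bro:see:`, and `transation` should be `transaction`.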
@@ -65,54 +116,144 @@ event bro_init() &priority=5 Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports); } -event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=-5 +# Setup the clusterized config that is needed to tie messages together on a cluster. +redef Cluster::worker2manager_events += /DHCP::aggregate_msgs/; + +function join_data_expiration(t: table[count] of Info, idx: count): interval { - if ( msg$m_type == 5 ) # DHCP_ACK + local info = t[idx]; + + local now = network_time(); + # If a message hasn't been seen in the past 5 seconds or the + # total time watching has been more than the maximum time + # allowed by the configuration then log this data and expire it. + # Also, if Bro is shutting down. + if ( (now - info$last_message_ts) > 5sec || + (now - info$ts) > max_txid_watch_time || + bro_is_terminating() ) { - local info = Info($ts = network_time(), - $id = c$id, - $uid = c$uid, - $trans_id = msg$xid); + Log::write(LOG, info); - if ( msg$h_addr != "" ) - info$mac = msg$h_addr; + # Go ahead and expire the data now that the log + # entry has been written. + return 0secs; + } + else + { + return 5secs; + } + } - if ( reverse_ip(msg$yiaddr) != 0.0.0.0 ) - info$assigned_ip = reverse_ip(msg$yiaddr); +# This is where the data is stored as it's centralized. All data for a log must +# arrive within the expiration interval if it's to be logged fully. On a cluster, +# this data is only maintained on the manager. +global join_data: table[count] of Info = table() + &create_expire=10secs &expire_func=join_data_expiration; + + + +@if ( ! Cluster::is_enabled() || Cluster::local_node_type() == Cluster::MANAGER ) +# We are handling this event at priority 1000 because we really want +# the DHCP::log_info global to be set correctly before a user might try +# to access it. 
+event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=1000 + { + if ( msg$xid !in join_data ) + { + join_data[msg$xid] = Info($ts=ts, + $uids=set(uid)); + } + + log_info = join_data[msg$xid]; + } + +event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=5 + { + log_info$duration = ts - log_info$ts; + + if ( uid !in log_info$uids ) + add log_info$uids[uid]; + + log_info$msg_types[|log_info$msg_types|] = DHCP::message_types[msg$m_type]; + + # Let's watch for messages in any DHCP message type + # and split them out based on client and server. + if ( options?$message ) + { + if ( is_orig ) + log_info$client_message = options$message; else - info$assigned_ip = c$id$orig_h; + log_info$server_message = options$message; + } - if ( options?$lease ) - info$lease_time = options$lease; + # Update the last message time so that we can do some data + # expiration handling. + log_info$last_message_ts = ts; - if ( options?$sub_opt ) + if ( is_orig ) # client requests + { + # Assign the client addr in case this is a session + # of only INFORM messages (no lease handed out). + # This also works if a normal lease handout uses + # unicast. + if ( id$orig_h != 0.0.0.0 && id$orig_h != 255.255.255.255 ) + log_info$client_addr = id$orig_h; + + if ( options?$host_name ) + log_info$host_name = options$host_name; + + if ( options?$client_fqdn ) + log_info$client_fqdn = options$client_fqdn$domain_name; + + if ( options?$client_id && + options$client_id$hwtype == 1 ) # ETHERNET + log_info$mac = options$client_id$hwaddr; + + if ( options?$addr_request ) + log_info$requested_addr = options$addr_request; + } + else # server reply messages + { + # Only log the address of the server if it handed out + # an IP address. 
+ if ( msg$yiaddr != 0.0.0.0 && + id$resp_h != 255.255.255.255 ) { - for ( param in options$sub_opt ) - { - local sub_opt = options$sub_opt[param]; - - #if ( sub_opt$code == 1 ) - # { - # print fmt("Relay Agent Information:"); - # print fmt( "sub option: code=%d circuit id=%s",sub_opt$code,sub_opt$value ); - # } - - if ( sub_opt$code == 2 ) - info$agent_remote_id = bytestring_to_hexstr(sub_opt$value); - - if ( sub_opt$code == 6 ) - info$subscriber_id = (sub_opt$value); - } + log_info$server_addr = id$resp_h; } - c$dhcp = info; + # Only use the client hardware address from the server + # if we didn't already pick one up from the client. + if ( msg$chaddr != "" && !log_info?$mac ) + log_info$mac = msg$chaddr; + + if ( msg$yiaddr != 0.0.0.0 ) + log_info$assigned_addr = msg$yiaddr; + + # If no client address has been seen yet, let's use the assigned addr. + if ( ! log_info?$client_addr && log_info?$assigned_addr ) + log_info$client_addr = log_info$assigned_addr; + + if ( options?$domain_name ) + log_info$domain = options$domain_name; + + if ( options?$lease ) + log_info$lease_time = options$lease; } } +@endif + + +# Aggregate DHCP messages to the manager. event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=-5 { - if ( msg$m_type == 5 ) # DHCP_ACK - { - Log::write(DHCP::LOG, c$dhcp); - } + event DHCP::aggregate_msgs(network_time(), c$id, c$uid, is_orig, msg, options); + } + +event bro_done() &priority=-5 + { + # Log any remaining data that hasn't already been logged! + for ( i in DHCP::join_data ) + join_data_expiration(DHCP::join_data, i); } diff --git a/scripts/base/protocols/dhcp/utils.bro b/scripts/base/protocols/dhcp/utils.bro deleted file mode 100644 index 9d5a422128..0000000000 --- a/scripts/base/protocols/dhcp/utils.bro +++ /dev/null 
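Review bot: `join_data` is keyed on `msg$xid` alone, but the xid is a 32-bit value chosen by each client, so two hosts that use the same value inside the watch window, by coincidence or on purpose, have their messages folded into one `Info` record with mixed `mac`, `host_name` and `assigned_addr` values. Keying on the xid together with the client hardware address, e.g. `global join_data: table[count, string] of Info` indexed as `join_data[msg$xid, msg$chaddr]`, would keep sessions from different clients apart. `join_data_expiration` and the `bro_done` loop would need the matching two-part index. `msg_types` also grows by one element per message for as long as the entry lives, so a cap on its length would bound memory when a sender is very chatty.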
@@ -1,19 +0,0 @@ -##! Utilities specific for DHCP processing. - -module DHCP; - -export { - ## Reverse the octets of an IPv4 address. - ## - ## ip: An IPv4 address. - ## - ## Returns: A reversed IPv4 address. - global reverse_ip: function(ip: addr): addr; -} - -function reverse_ip(ip: addr): addr - { - local octets = split_string(cat(ip), /\./); - return to_addr(cat(octets[3], ".", octets[2], ".", octets[1], ".", octets[0])); - } - diff --git a/scripts/policy/misc/known-devices.bro b/scripts/policy/misc/known-devices.bro index 2f1f81524f..35ea9bff8b 100644 --- a/scripts/policy/misc/known-devices.bro +++ b/scripts/policy/misc/known-devices.bro @@ -2,12 +2,6 @@ ##! been able to determine the MAC address, and it logs them once per day (by ##! default). The log that is output provides an easy way to determine a count ##! of the devices in use on a network per day. -##! -##! .. note:: -##! -##! This script will not generate any logs on its own, it needs to be -##! supplied with information from elsewhere, such as -##! :doc:`/scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro`. module Known; diff --git a/scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro b/scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro deleted file mode 100644 index 39ea02c759..0000000000 --- a/scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro +++ /dev/null 
@@ -1,37 +0,0 @@
-##! Tracks MAC address with hostnames seen in DHCP traffic. They are logged into
-##! ``devices.log``.
-
-@load policy/misc/known-devices
-
-module Known;
-
-export {
- redef record DevicesInfo += {
- ## The value of the DHCP host name option, if seen.
- dhcp_host_name: string &log &optional;
- };
-}
-
-event dhcp_request(c: connection, msg: DHCP::dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string, client_id: DHCP::dhcp_client_id, req_params: DHCP::dhcp_params_list)
- {
- if ( msg$h_addr == "" )
- return;
-
- if ( msg$h_addr !in known_devices )
- {
- add known_devices[msg$h_addr];
- Log::write(Known::DEVICES_LOG, [$ts=network_time(), $mac=msg$h_addr, $dhcp_host_name=host_name]);
- }
- }
-
-event dhcp_inform(c: connection, msg: DHCP::dhcp_msg, host_name: string, req_params: DHCP::dhcp_params_list)
- {
- if ( msg$h_addr == "" )
- return;
-
- if ( msg$h_addr !in known_devices )
- {
- add known_devices[msg$h_addr];
- Log::write(Known::DEVICES_LOG, [$ts=network_time(), $mac=msg$h_addr, $dhcp_host_name=host_name]);
- }
- }
diff --git a/scripts/policy/protocols/dhcp/msg-orig.bro b/scripts/policy/protocols/dhcp/msg-orig.bro
new file mode 100644
index 0000000000..56a0e8c66e
--- /dev/null
+++ b/scripts/policy/protocols/dhcp/msg-orig.bro
@@ -0,0 +1,21 @@
+##! Add a field that logs the order of hosts sending messages
+##! using the same DHCP transaction ID. This information is
+##! occasionally needed on some networks to fully explain the
+##! DHCP sequence.
+
+@load base/protocols/dhcp
+
+module DHCP;
+
+export {
+ redef record DHCP::Info += {
+ ## The address that originated each message from the
+ ## `msg_types` field.
+ msg_orig: vector of addr &log &default=addr_vec();
+ };
+}
+
+event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=3
+ {
+ log_info$msg_orig[|log_info$msg_orig|] = is_orig ? id$orig_h : id$resp_h;
+ }
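Review bot: This handler writes to `log_info` without the `@if ( ! Cluster::is_enabled() || Cluster::local_node_type() == Cluster::MANAGER )` guard that main.bro puts around its own `DHCP::aggregate_msgs` handlers. main.bro raises `DHCP::aggregate_msgs` from `dhcp_message` on every node, so on a worker this body appears to run against a `log_info` that the priority-1000 handler never set. Wrapping the handler in the same `@if` and `@endif` pair would close that gap. The handlers added in software.bro and sub-opts.bro are unguarded in the same way.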
diff --git a/scripts/policy/protocols/dhcp/software.bro b/scripts/policy/protocols/dhcp/software.bro
new file mode 100644
index 0000000000..4aa4bdd7ff
--- /dev/null
+++ b/scripts/policy/protocols/dhcp/software.bro
@@ -0,0 +1,63 @@
+##! Software identification and extraction for DHCP traffic.
+
+@load base/protocols/dhcp
+@load base/frameworks/software
+
+module DHCP;
+
+export {
+ redef enum Software::Type += {
+ ## Identifier for web servers in the software framework.
+ DHCP::SERVER,
+ ## Identifier for web browsers in the software framework.
+ DHCP::CLIENT,
+ };
+
+ redef record DHCP::Info += {
+ ## Software reported by the client in the `vendor_class` option.
+ client_software: string &log &optional;
+ ## Software reported by the server in the `vendor_class` option.
+ server_software: string &log &optional;
+ };
+}
+
+event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=5
+ {
+ if ( options?$vendor_class )
+ {
+ if ( is_orig )
+ log_info$client_software = options$vendor_class;
+ else
+ {
+ log_info$server_software = options$vendor_class;
+ Software::found(id, [$unparsed_version=options$vendor_class,
+ $host=id$resp_h,
+ $software_type=DHCP::SERVER]);
+ }
+ }
+ }
+
+event DHCP::log_dhcp(rec: DHCP::Info)
+ {
+ if ( rec?$assigned_addr && rec?$server_addr &&
+ (rec?$client_software || rec?$server_software) )
+ {
+ # Not quite right to just blindly use 67 and 68 as the ports
+ local id: conn_id = [$orig_h=rec$assigned_addr, $orig_p=68/udp,
+ $resp_h=rec$server_addr, $resp_p=67/udp];
+
+ if ( rec?$client_software && rec$assigned_addr != 255.255.255.255 )
+ {
+ Software::found(id, [$unparsed_version=rec$client_software,
+ $host=rec$assigned_addr,
+ $software_type=DHCP::CLIENT]);
+ }
+
+ if ( rec?$server_software )
+ {
+ Software::found(id, [$unparsed_version=rec$server_software,
+ $host=rec$server_addr,
+ $software_type=DHCP::SERVER]);
+ }
+ }
+ }
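Review bot: The two enum doc comments describe the wrong thing and look carried over from another script: `## Identifier for web servers in the software framework.` should be `## Identifier for DHCP servers in the software framework.`, and `web browsers` should likewise be `DHCP clients`. Server software is also reported twice, once in the `DHCP::aggregate_msgs` handler and again in `DHCP::log_dhcp`, so one of the two `Software::found` calls for `DHCP::SERVER` could go. The field comments for `client_software` and `server_software` should say the `vendor_class` value is recorded as received and is not validated.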
diff --git a/scripts/policy/protocols/dhcp/sub-opts.bro b/scripts/policy/protocols/dhcp/sub-opts.bro
new file mode 100644
index 0000000000..af5056bf39
--- /dev/null
+++ b/scripts/policy/protocols/dhcp/sub-opts.bro
@@ -0,0 +1,45 @@
+
+@load base/protocols/dhcp
+
+module DHCP;
+
+export {
+ redef record DHCP::Info += {
+ ## Added by DHCP relay agents which terminate switched or
+ ## permanent circuits. It encodes an agent-local identifier
+ ## of the circuit from which a DHCP client-to-server packet was
+ ## received. Typically it should represent a router or switch
+ ## interface number.
+ circuit_id: string &log &optional;
+
+ ## A globally unique identifier added by relay agents to identify
+ ## the remote host end of the circuit.
+ agent_remote_id: string &log &optional;
+
+ ## The subscriber ID is a value independent of the physical
+ ## network configuration so that a customer's DHCP configuration
+ ## can be given to them correctly no matter where they are
+ ## physically connected.
+ subscriber_id: string &log &optional;
+ };
+}
+
+event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
+ {
+ if ( options?$sub_opt )
+ {
+ for ( i in options$sub_opt )
+ {
+ local sub_opt = options$sub_opt[i];
+
+ if ( sub_opt$code == 1 )
+ DHCP::log_info$circuit_id = sub_opt$value;
+
+ if ( sub_opt$code == 2 )
+ DHCP::log_info$agent_remote_id = sub_opt$value;
+
+ if ( sub_opt$code == 6 )
+ DHCP::log_info$subscriber_id = sub_opt$value;
+ }
+ }
+ }
diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro
index 7c828241d0..26eb6b8d9e 100644
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
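Review bot: `agent_remote_id` is now logged as the raw option bytes (`DHCP::log_info$agent_remote_id = sub_opt$value;`), whereas the code this commit removes from main.bro wrote `bytestring_to_hexstr(sub_opt$value)`. Relay agent sub-options are opaque and may be binary, so keeping the hex encoding, `DHCP::log_info$agent_remote_id = bytestring_to_hexstr(sub_opt$value);`, avoids non-printable data in dhcp.log and keeps the field comparable with older logs. The same treatment may be worth considering for `circuit_id`. The file also starts without a `##!` summary comment, unlike msg-orig.bro and software.bro.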
@@ -60,7 +60,9 @@ @load protocols/conn/mac-logging.bro @load protocols/conn/vlan-logging.bro @load protocols/conn/weirds.bro -@load protocols/dhcp/known-devices-and-hostnames.bro +@load protocols/dhcp/msg-orig.bro +@load protocols/dhcp/software.bro +@load protocols/dhcp/sub-opts.bro @load protocols/dns/auth-addl.bro @load protocols/dns/detect-external-names.bro @load protocols/ftp/detect-bruteforcing.bro diff --git a/src/analyzer/protocol/dhcp/dhcp-analyzer.pac b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac index 6c43cb07e8..df9223f0a6 100644 --- a/src/analyzer/protocol/dhcp/dhcp-analyzer.pac +++ b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac @@ -3,11 +3,13 @@ refine flow DHCP_Flow += { %member{ RecordVal *dhcp_msg_val; RecordVal *options; + VectorVal* all_options; %} %init{ dhcp_msg_val = 0; options = 0; + all_options = 0; %} %cleanup{ 
@@ -16,123 +18,22 @@ refine flow DHCP_Flow += { Unref(options); options = 0; + + Unref(all_options); + all_options = 0; %} - function parse_request(options: Option[], type: uint8): bool - %{ -// // Requested IP address to the server. -// ::uint32 req_addr = 0, serv_addr = 0; -// StringVal* host_name = new StringVal(""); -// -// TableVal* params_list = 0; -// RecordVal* client_id = new RecordVal(BifType::Record::DHCP::ClientID); -// client_id->Assign(0,0); -// client_id->Assign(1,new StringVal("")); -// -// switch ( type ) -// { -// case DHCPDISCOVER: -// BifEvent::generate_dhcp_discover(connection()->bro_analyzer(), -// connection()->bro_analyzer()->Conn(), -// dhcp_msg_val->Ref(), new AddrVal(req_addr), -// host_name, client_id, params_list); -// break; -// -// case DHCPREQUEST: -// BifEvent::generate_dhcp_request(connection()->bro_analyzer(), -// connection()->bro_analyzer()->Conn(), -// dhcp_msg_val->Ref(), new AddrVal(req_addr), -// new AddrVal(serv_addr), host_name, client_id, params_list); -// break; -// -// case DHCPDECLINE: -// BifEvent::generate_dhcp_decline(connection()->bro_analyzer(), -// connection()->bro_analyzer()->Conn(), -// dhcp_msg_val->Ref(), host_name); -// break; -// -// case DHCPRELEASE: -// BifEvent::generate_dhcp_release(connection()->bro_analyzer(), -// connection()->bro_analyzer()->Conn(), -// dhcp_msg_val->Ref(), host_name); -// break; -// -// case DHCPINFORM: -// BifEvent::generate_dhcp_inform(connection()->bro_analyzer(), -// connection()->bro_analyzer()->Conn(), -// dhcp_msg_val->Ref(), host_name, params_list); -// break; -// -// default: -// Unref(host_name); -// break; -// } - - return true; - %} - - function parse_reply(options: Option[], type: uint8): bool - %{ -// // RFC 1533 allows a list of router addresses. 
-// TableVal* router_list = 0; -// -// ::uint32 subnet_mask = 0, serv_addr = 0; -// -// uint32 lease = 0; -// StringVal* host_name = 0; -// -// uint32 reb_time = 0; -// uint32 ren_time = 0; -// StringVal* agent_cir = 0; -// StringVal* agent_rem = 0; -// StringVal* agent_sub_opt = 0; -// TableVal* relay_agent_sub_opt = new TableVal(BifType::Table::DHCP::SubOptList); -// -// if ( host_name == nullptr ) -// host_name = new StringVal(""); -// -// switch ( type ) -// { -// case DHCPOFFER: -// if ( ! router_list ) -// router_list = new TableVal(BifType::Table::DHCP::RouterList); -// -// BifEvent::generate_dhcp_offer(connection()->bro_analyzer(), -// connection()->bro_analyzer()->Conn(), -// dhcp_msg_val->Ref(), new AddrVal(subnet_mask), -// router_list, lease, new AddrVal(serv_addr), host_name); -// break; -// -// case DHCPACK: -// if ( ! router_list ) -// router_list = new TableVal(BifType::Table::DHCP::RouterList); -// -// BifEvent::generate_dhcp_ack(connection()->bro_analyzer(), -// connection()->bro_analyzer()->Conn(), -// dhcp_msg_val->Ref(), new AddrVal(subnet_mask), -// router_list, lease, new AddrVal(serv_addr), host_name, reb_time, ren_time, relay_agent_sub_opt); -// break; -// -// case DHCPNAK: -// //Unref(router_list); -// BifEvent::generate_dhcp_nak(connection()->bro_analyzer(), -// connection()->bro_analyzer()->Conn(), -// dhcp_msg_val->Ref(), host_name); -// break; -// -// default: -// //Unref(router_list); -// //Unref(host_name); -// break; -// } -// - return true; - %} - - function create_options(): bool + function create_options(code: uint8): bool %{ if ( options == nullptr ) + { options = new RecordVal(BifType::Record::DHCP::Options); + all_options = new VectorVal(index_vec); + options->Assign(0, all_options->Ref()); + } + + if ( code != 255 ) + all_options->Assign(all_options->Size(), new Val(code, TYPE_COUNT)); return true; %} 
@@ -148,73 +49,60 @@ refine flow DHCP_Flow += { return false; } - Unref(dhcp_msg_val); - - std::string mac_str = fmt_mac(${msg.chaddr}.data(), ${msg.chaddr}.length()); - - dhcp_msg_val = new RecordVal(BifType::Record::DHCP::Msg); - dhcp_msg_val->Assign(0, new Val(${msg.op}, TYPE_COUNT)); - dhcp_msg_val->Assign(1, new Val(${msg.type}, TYPE_COUNT)); - dhcp_msg_val->Assign(2, new Val(${msg.xid}, TYPE_COUNT)); - dhcp_msg_val->Assign(3, new StringVal(mac_str)); - dhcp_msg_val->Assign(4, new AddrVal(${msg.ciaddr})); - dhcp_msg_val->Assign(5, new AddrVal(${msg.yiaddr})); - if ( dhcp_message ) + { + // Since this is a new message, let's make sure an old + // one is gone. + Unref(dhcp_msg_val); + + std::string mac_str = fmt_mac(${msg.chaddr}.data(), ${msg.chaddr}.length()); + double secs = static_cast(${msg.secs}); + + dhcp_msg_val = new RecordVal(BifType::Record::DHCP::Msg); + dhcp_msg_val->Assign(0, new Val(${msg.op}, TYPE_COUNT)); + dhcp_msg_val->Assign(1, new Val(${msg.type}, TYPE_COUNT)); + dhcp_msg_val->Assign(2, new Val(${msg.xid}, TYPE_COUNT)); + dhcp_msg_val->Assign(3, new Val(secs, TYPE_INTERVAL)); + dhcp_msg_val->Assign(4, new Val(${msg.flags}, TYPE_COUNT)); + dhcp_msg_val->Assign(5, new AddrVal(htonl(${msg.ciaddr}))); + dhcp_msg_val->Assign(6, new AddrVal(htonl(${msg.yiaddr}))); + dhcp_msg_val->Assign(7, new AddrVal(htonl(${msg.siaddr}))); + dhcp_msg_val->Assign(8, new AddrVal(htonl(${msg.giaddr}))); + dhcp_msg_val->Assign(9, new StringVal(mac_str)); + + int last_non_null = 0; + for ( int i=0; i < ${msg.sname}.length(); i++ ) + { + if ( *(${msg.sname}.begin()+i) != 0 ) + last_non_null = i; + } + if ( last_non_null > 0 ) + dhcp_msg_val->Assign(10, new StringVal(last_non_null+1, + reinterpret_cast(${msg.sname}.begin()))); + + last_non_null = 0; + for ( int i=0; i < ${msg.file_n}.length(); i++ ) + { + if ( *(${msg.file_n}.begin()+i) != 0 ) + last_non_null = i; + } + if ( last_non_null > 0 ) + dhcp_msg_val->Assign(11, new StringVal(last_non_null+1, + 
reinterpret_cast(${msg.file_n}.begin()))); + BifEvent::generate_dhcp_message(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.is_orig}, dhcp_msg_val->Ref(), options->Ref()); - Unref(dhcp_msg_val); - dhcp_msg_val = 0; - Unref(options); - options = 0; - - //switch ( ${msg.op} ) - // { - // case BOOTREQUEST: // presumably from client to server - // if ( ${msg.type} == DHCPDISCOVER || - // ${msg.type} == DHCPREQUEST || - // ${msg.type} == DHCPDECLINE || - // ${msg.type} == DHCPRELEASE || - // ${msg.type} == DHCPINFORM ) - // { - // parse_request(${msg.options}, ${msg.type}); - // } - // else - // { - // connection()->bro_analyzer()->ProtocolViolation(fmt("unknown DHCP message type option for BOOTREQUEST (%d)", - // ${msg.type})); - // } - // break; - // - // case BOOTREPLY: // presumably from server to client - // if ( ${msg.type} == DHCPOFFER || - // ${msg.type} == DHCPACK || - // ${msg.type} == DHCPNAK || - // ${msg.type} == DHCPLEASEUNASSIGNED || - // ${msg.type} == DHCPLEASEUNKNOWN || - // ${msg.type} == DHCPLEASEACTIVE ) - // { - // parse_reply(${msg.options}, ${msg.type}); - // } - // else - // { - // connection()->bro_analyzer()->ProtocolViolation(fmt("unknown DHCP message type option for BOOTREPLY (%d)", - // ${msg.type})); - // } - // - // break; - // - // default: - // // Removing this because I've seen some packets with weird values - // // but they still parse fine. - // //connection()->bro_analyzer()->ProtocolViolation(fmt("unknown DHCP message op code (%d). Known codes: 1=BOOTREQUEST, 2=BOOTREPLY", - // // ${msg.op})); - // break; - // } + Unref(dhcp_msg_val); + dhcp_msg_val = 0; + Unref(options); + options = 0; + Unref(all_options); + all_options = 0; + } // A single message reaching this point is enough to confirm the protocol // because it's not uncommon to see a single DHCP message 
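Review bot: The `last_non_null > 0` test after the `sname` and `file_n` loops cannot tell a field whose only non-zero byte is at index 0 from a field that is all zeros, so a one-byte server name or boot file name is never assigned. `process_domain_name_option` in dhcp-options.pac has the same pattern (`last_non_null == 0 ? 0 : last_non_null+1`) and turns a one-byte domain name into an empty string. Tracking a length instead of an index removes the ambiguity: `int sname_len = 0;`, `sname_len = i + 1;` inside the loop, then `if ( sname_len > 0 )`. The enclosing function starts outside this hunk.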
@@ -232,6 +120,6 @@ refine typeattr DHCP_Message += &let { }; refine typeattr Option += &let { - proc_create_options = $context.flow.create_options(); + proc_create_options = $context.flow.create_options(code); }; diff --git a/src/analyzer/protocol/dhcp/dhcp-options.pac b/src/analyzer/protocol/dhcp/dhcp-options.pac index d39484ba96..fcc7cf32aa 100644 --- a/src/analyzer/protocol/dhcp/dhcp-options.pac +++ b/src/analyzer/protocol/dhcp/dhcp-options.pac @@ -1,4 +1,3 @@ - ############################## # SUBNET OPTION ############################## 
@@ -6,19 +5,86 @@ let SUBNET_OPTION = 1; # Parse the option refine casetype OptionValue += { - SUBNET_OPTION -> mask : uint32; + SUBNET_OPTION -> subnet : uint32; }; refine flow DHCP_Flow += { function process_subnet_option(v: OptionValue): bool %{ - ${context.flow}->options->Assign(0, new AddrVal(htonl(${v.mask}))); + ${context.flow}->options->Assign(1, new AddrVal(htonl(${v.subnet}))); return true; %} }; refine typeattr Option += &let { - proc_subnet_option = $context.flow.process_subnet_option(info) &if(code==SUBNET_OPTION); + proc_subnet_option = $context.flow.process_subnet_option(info.value) &if(code==SUBNET_OPTION); +}; + + +############################## +# ROUTER OPTION +############################## +let ROUTER_OPTION = 3; + +# Parse the option +refine casetype OptionValue += { + ROUTER_OPTION -> router_list : uint32[length/4]; +}; + +refine flow DHCP_Flow += { + function process_router_option(v: OptionValue): bool + %{ + VectorVal* router_list = new VectorVal(BifType::Vector::DHCP::Addrs); + int num_routers = ${v.router_list}->size(); + vector* rlist = ${v.router_list}; + + for ( int i = 0; i < num_routers; ++i ) + { + uint32 raddr = (*rlist)[i]; + router_list->Assign(i, new AddrVal(htonl(raddr))); + } + + ${context.flow}->options->Assign(2, router_list); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_router_option = $context.flow.process_router_option(info.value) &if(code==ROUTER_OPTION); +}; + + +############################## +# DNS SERVER OPTION +############################## +let DNS_SERVER_OPTION = 6; + +# Parse the option +refine casetype OptionValue += { + DNS_SERVER_OPTION -> dns_server_list : uint32[length/4]; +}; + +refine flow DHCP_Flow += { + function process_dns_server_option(v: OptionValue): bool + %{ + VectorVal* server_list = new VectorVal(BifType::Vector::DHCP::Addrs); + int num_servers = ${v.dns_server_list}->size(); + vector* rlist = ${v.dns_server_list}; + + for ( int i = 0; i < num_servers; ++i ) + { + uint32 
raddr = (*rlist)[i]; + server_list->Assign(i, new AddrVal(htonl(raddr))); + } + + ${context.flow}->options->Assign(3, server_list); + return true; + %} +}; + +refine typeattr Option += &let { + proc_dns_server_option = $context.flow.process_dns_server_option(info.value) &if(code==DNS_SERVER_OPTION); }; 
@@ -35,76 +101,177 @@ refine casetype OptionValue += { refine flow DHCP_Flow += { function process_host_name_option(v: OptionValue): bool %{ - ${context.flow}->options->Assign(1, new StringVal(${v.host_name}.length(), (const char*) ${v.host_name}.begin())); + ${context.flow}->options->Assign(4, new StringVal(${v.host_name}.length(), + reinterpret_cast(${v.host_name}.begin()))); return true; %} }; refine typeattr Option += &let { - proc_host_name_option = $context.flow.process_host_name_option(info) &if(code==HOST_NAME_OPTION); + proc_host_name_option = $context.flow.process_host_name_option(info.value) &if(code==HOST_NAME_OPTION); }; ############################## -# REQ IP OPTION +# DOMAIN NAME OPTION ############################## -let REQ_IP_OPTION = 50; +let DOMAIN_NAME_OPTION = 15; # Parse the option refine casetype OptionValue += { - REQ_IP_OPTION -> req_addr : uint32; + DOMAIN_NAME_OPTION -> domain_name : bytestring &length=length; }; refine flow DHCP_Flow += { - function process_req_ip_option(v: OptionValue): bool + function process_domain_name_option(v: OptionValue): bool %{ - ${context.flow}->options->Assign(2, new AddrVal(htonl(${v.req_addr}))); - - return true; - %} -}; - -refine typeattr Option += &let { - proc_req_ip_option = $context.flow.process_req_ip_option(info) &if(code==REQ_IP_OPTION); -}; - -############################## -# ROUTER OPTION -############################## -let ROUTER_OPTION = 3; - -# Parse the option -refine casetype OptionValue += { - ROUTER_OPTION -> router_list : uint32[length/4]; -}; - -refine flow DHCP_Flow += { - function process_router_option(v: OptionValue): bool - %{ - TableVal* router_list = new TableVal(BifType::Table::DHCP::RouterList); - int num_routers = ${v.router_list}->size(); - vector* rlist = ${v.router_list}; - - for ( int i = 0; i < num_routers; ++i ) + int last_non_null = 0; + for ( int i=0; i < ${v.domain_name}.length(); i++) { - uint32 raddr = (*rlist)[i]; - ::uint32 tmp_addr; - tmp_addr = htonl(raddr); - 
// index starting from 1 - Val* index = new Val(i + 1, TYPE_COUNT); - router_list->Assign(index, new AddrVal(tmp_addr)); - Unref(index); + if ( *(${v.domain_name}.begin()+i) != 0 ) + last_non_null = i; } - ${context.flow}->options->Assign(3, router_list); + ${context.flow}->options->Assign(5, new StringVal(last_non_null == 0 ? 0 : last_non_null+1, + reinterpret_cast(${v.domain_name}.begin()))); return true; %} }; refine typeattr Option += &let { - proc_router_option = $context.flow.process_router_option(info) &if(code==ROUTER_OPTION); + proc_domain_name_option = $context.flow.process_domain_name_option(info.value) &if(code==DOMAIN_NAME_OPTION); +}; + + +############################## +# FORWARDING OPTION +############################## +let FORWARDING_OPTION = 19; + +# Parse the option +refine casetype OptionValue += { + FORWARDING_OPTION -> forwarding : uint8; +}; + +refine flow DHCP_Flow += { + function process_forwarding_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(6, new Val(${v.forwarding} == 0 ? 
false : true, TYPE_BOOL)); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_forwarding_option = $context.flow.process_forwarding_option(info.value) &if(code==FORWARDING_OPTION); +}; + + +############################## +# BROADCAST ADDRESS OPTION +############################## +let BROADCAST_ADDRESS_OPTION = 28; + +# Parse the option +refine casetype OptionValue += { + BROADCAST_ADDRESS_OPTION -> broadcast_address : uint32; +}; + +refine flow DHCP_Flow += { + function process_broadcast_address_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(7, new AddrVal(htonl(${v.broadcast_address}))); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_broadcast_address_option = $context.flow.process_broadcast_address_option(info.value) &if(code==BROADCAST_ADDRESS_OPTION); +}; + + +############################## +# VENDOR SPECIFIC OPTION +############################## +let VENDOR_SPECIFIC_OPTION = 43; + +# Parse the option +refine casetype OptionValue += { + VENDOR_SPECIFIC_OPTION -> vendor_specific : bytestring &length=length; +}; + +refine flow DHCP_Flow += { + function process_vendor_specific_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(8, new StringVal(${v.vendor_specific}.length(), + reinterpret_cast(${v.vendor_specific}.begin()))); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_vendor_specific_option = $context.flow.process_vendor_specific_option(info.value) &if(code==VENDOR_SPECIFIC_OPTION); +}; + + +############################## +# NETBIOS NAME SERVER OPTION +############################## +let NBNS_OPTION = 44; + +# Parse the option +refine casetype OptionValue += { + NBNS_OPTION -> nbns : uint32[length/4]; +}; + +refine flow DHCP_Flow += { + function process_nbns_option(v: OptionValue): bool + %{ + VectorVal* server_list = new VectorVal(BifType::Vector::DHCP::Addrs); + int num_servers = ${v.nbns}->size(); + vector* rlist = ${v.nbns}; + + for ( int i = 0; i < 
num_servers; ++i ) + { + uint32 raddr = (*rlist)[i]; + server_list->Assign(i, new AddrVal(htonl(raddr))); + } + + ${context.flow}->options->Assign(9, server_list); + return true; + %} +}; + +refine typeattr Option += &let { + proc_nbns_option = $context.flow.process_nbns_option(info.value) &if(code==NBNS_OPTION); +}; + + +############################## +# ADDR REQUEST OPTION +############################## +let ADDR_REQUEST_OPTION = 50; + +# Parse the option +refine casetype OptionValue += { + ADDR_REQUEST_OPTION -> addr_request : uint32; +}; + +refine flow DHCP_Flow += { + function process_addr_request_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(10, new AddrVal(htonl(${v.addr_request}))); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_addr_request_option = $context.flow.process_addr_request_option(info.value) &if(code==ADDR_REQUEST_OPTION); }; @@ -122,16 +289,17 @@ refine flow DHCP_Flow += { function process_lease_option(v: OptionValue): bool %{ double lease = static_cast(${v.lease}); - ${context.flow}->options->Assign(4, new Val(lease, TYPE_INTERVAL)); + ${context.flow}->options->Assign(11, new Val(lease, TYPE_INTERVAL)); return true; %} }; refine typeattr Option += &let { - proc_lease_option = $context.flow.process_lease_option(info) &if(code==LEASE_OPTION); + proc_lease_option = $context.flow.process_lease_option(info.value) &if(code==LEASE_OPTION); }; + ############################## # SERV_ID_OPTION OPTION ############################## 
@@ -145,14 +313,14 @@ refine casetype OptionValue += { refine flow DHCP_Flow += { function process_serv_id_option(v: OptionValue): bool %{ - ${context.flow}->options->Assign(5, new AddrVal(htonl(${v.serv_addr}))); + ${context.flow}->options->Assign(12, new AddrVal(htonl(${v.serv_addr}))); return true; %} }; refine typeattr Option += &let { - proc_serv_id_option = $context.flow.process_serv_id_option(info) &if(code==SERV_ID_OPTION); + proc_serv_id_option = $context.flow.process_serv_id_option(info.value) &if(code==SERV_ID_OPTION); }; 
@@ -169,76 +337,148 @@ refine casetype OptionValue += { refine flow DHCP_Flow += { function process_par_req_list_option(v: OptionValue): bool %{ - TableVal* params_list = new TableVal(BifType::Table::DHCP::ParamsList); + VectorVal* params = new VectorVal(index_vec); int num_parms = ${v.par_req_list}->size(); vector* plist = ${v.par_req_list}; for (int i=0; i < num_parms; ++i) { uint8 param = (*plist)[i]; - Val* index = new Val(i+1, TYPE_COUNT); - params_list->Assign(index, new Val(param, TYPE_COUNT)); - Unref(index); + params->Assign(i, new Val(param, TYPE_COUNT)); } - ${context.flow}->options->Assign(6, params_list); + ${context.flow}->options->Assign(13, params); return true; %} }; refine typeattr Option += &let { - proc_par_req_list_option = $context.flow.process_par_req_list_option(info) &if(code==PAR_REQ_LIST_OPTION); + proc_par_req_list_option = $context.flow.process_par_req_list_option(info.value) &if(code==PAR_REQ_LIST_OPTION); }; ############################## -# REN_TIME_OPTION OPTION +# MESSAGE OPTION ############################## -let REN_TIME_OPTION = 58; +let MESSAGE_OPTION = 56; # Parse the option refine casetype OptionValue += { - REN_TIME_OPTION -> ren_time : uint32; + MESSAGE_OPTION -> message : bytestring &length=length; }; refine flow DHCP_Flow += { - function process_ren_time_option(v: OptionValue): bool + function process_message_option(v: OptionValue): bool %{ - double ren_time = static_cast(${v.ren_time}); - ${context.flow}->options->Assign(7, new Val(ren_time, TYPE_INTERVAL)); + ${context.flow}->options->Assign(14, new StringVal(${v.message}.length(), + reinterpret_cast(${v.message}.begin()))); return true; %} }; refine typeattr Option += &let { - proc_ren_time_option = $context.flow.process_ren_time_option(info) &if(code==REN_TIME_OPTION); + proc_message_option = $context.flow.process_message_option(info.value) &if(code==MESSAGE_OPTION); }; ############################## -# REB_TIME_OPTION OPTION +# MAX MESSAGE SIZE OPTION 
############################## -let REB_TIME_OPTION = 59; +let MAX_MESSAGE_SIZE_OPTION = 57; # Parse the option refine casetype OptionValue += { - REB_TIME_OPTION -> reb_time : uint32; + MAX_MESSAGE_SIZE_OPTION -> max_msg_size : uint16; }; refine flow DHCP_Flow += { - function process_reb_time_option(v: OptionValue): bool + function process_max_message_size_option(v: OptionValue): bool %{ - double reb_time = static_cast(${v.reb_time}); - ${context.flow}->options->Assign(8, new Val(reb_time, TYPE_INTERVAL)); + ${context.flow}->options->Assign(15, new Val(${v.max_msg_size}, TYPE_COUNT)); return true; %} }; refine typeattr Option += &let { - proc_reb_time_option = $context.flow.process_reb_time_option(info) &if(code==REB_TIME_OPTION); + proc_max_message_size_option = $context.flow.process_max_message_size_option(info.value) &if(code==MAX_MESSAGE_SIZE_OPTION); +}; + + +############################## +# RENEWAL_TIME_OPTION OPTION +############################## +let RENEWAL_TIME_OPTION = 58; + +# Parse the option +refine casetype OptionValue += { + RENEWAL_TIME_OPTION -> renewal_time : uint32; +}; + +refine flow DHCP_Flow += { + function process_renewal_time_option(v: OptionValue): bool + %{ + double renewal_time = static_cast(${v.renewal_time}); + ${context.flow}->options->Assign(16, new Val(renewal_time, TYPE_INTERVAL)); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_renewal_time_option = $context.flow.process_renewal_time_option(info.value) &if(code==RENEWAL_TIME_OPTION); +}; + + +############################## +# REBINDING_TIME_OPTION OPTION +############################## +let REBINDING_TIME_OPTION = 59; + +# Parse the option +refine casetype OptionValue += { + REBINDING_TIME_OPTION -> rebinding_time : uint32; +}; + +refine flow DHCP_Flow += { + function process_rebinding_time_option(v: OptionValue): bool + %{ + double rebinding_time = static_cast(${v.rebinding_time}); + ${context.flow}->options->Assign(17, new Val(rebinding_time, 
TYPE_INTERVAL)); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_rebinding_time_option = $context.flow.process_rebinding_time_option(info.value) &if(code==REBINDING_TIME_OPTION); +}; + + +############################## +# VENDOR CLASS OPTION +############################## +let VENDOR_CLASS_OPTION = 60; + +# Parse the option +refine casetype OptionValue += { + VENDOR_CLASS_OPTION -> vendor_class : bytestring &length=length; +}; + +refine flow DHCP_Flow += { + function process_vendor_class_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(18, new StringVal(${v.vendor_class}.length(), + reinterpret_cast(${v.vendor_class}.begin()))); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_vendor_class_option = $context.flow.process_vendor_class_option(info.value) &if(code==VENDOR_CLASS_OPTION); }; 
@@ -264,17 +504,79 @@ refine flow DHCP_Flow += { client_id->Assign(0, new Val(${v.client_id.hwtype}, TYPE_COUNT)); client_id->Assign(1, new StringVal(fmt_mac(${v.client_id.hwaddr}.begin(), ${v.client_id.hwaddr}.length()))); - ${context.flow}->options->Assign(9, client_id); + ${context.flow}->options->Assign(19, client_id); return true; %} }; refine typeattr Option += &let { - proc_client_id_option = $context.flow.process_client_id_option(info) &if(code==CLIENT_ID_OPTION); + proc_client_id_option = $context.flow.process_client_id_option(info.value) &if(code==CLIENT_ID_OPTION); }; +############################## +# USER CLASS OPTION +############################## +let USER_CLASS_OPTION = 77; + +# Parse the option +refine casetype OptionValue += { + USER_CLASS_OPTION -> user_class : bytestring &length=length; +}; + +refine flow DHCP_Flow += { + function process_user_class_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(20, new StringVal(${v.user_class}.length(), + reinterpret_cast(${v.user_class}.begin()))); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_user_class_option = $context.flow.process_user_class_option(info.value) &if(code==USER_CLASS_OPTION); +}; + + +############################## +# CLIENT FQDN OPTION +############################## +let CLIENT_FQDN_OPTION = 81; + +type Client_FQDN(length: uint8) = record { + flags : uint8; + rcode1 : uint8; + rcode2 : uint8; + domain_name : bytestring &length=length-3; +}; + +# Parse the option +refine casetype OptionValue += { + CLIENT_FQDN_OPTION -> client_fqdn : Client_FQDN(length); +}; + +refine flow DHCP_Flow += { + function process_client_fqdn_option(v: OptionValue): bool + %{ + RecordVal* client_fqdn = new RecordVal(BifType::Record::DHCP::ClientFQDN); + client_fqdn->Assign(0, new Val(${v.client_fqdn.flags}, TYPE_COUNT)); + client_fqdn->Assign(1, new Val(${v.client_fqdn.rcode1}, TYPE_COUNT)); + client_fqdn->Assign(2, new Val(${v.client_fqdn.rcode2}, TYPE_COUNT)); + const 
char* domain_name = reinterpret_cast(${v.client_fqdn.domain_name}.begin()); + client_fqdn->Assign(3, new StringVal(${v.client_fqdn.domain_name}.length(), domain_name)); + + ${context.flow}->options->Assign(21, client_fqdn); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_client_fqdn_option = $context.flow.process_client_fqdn_option(info.value) &if(code==CLIENT_FQDN_OPTION); +}; + ############################## # RELAY_AGENT_INF OPTION @@ -296,11 +598,30 @@ refine casetype OptionValue += { }; refine flow DHCP_Flow += { + %member{ + uint8 sum_len; + %} + + %init{ + sum_len = 0; + %} + + %cleanup{ + sum_len = 0; + %} + + function get_dhcp_sumlen(len: uint8): uint8 + %{ + sum_len = len + sum_len; + return sum_len; + %} + function process_relay_agent_inf_option(v: OptionValue): bool %{ - TableVal* relay_agent_sub_opt = new TableVal(BifType::Table::DHCP::SubOptList); + VectorVal* relay_agent_sub_opt = new VectorVal(BifType::Vector::DHCP::SubOpts); RecordVal* r = new RecordVal(BifType::Record::DHCP::SubOpt); - uint i = 1; + + uint16 i = 0; for ( auto ptrsubopt = ${v.relay_agent_inf}->begin(); ptrsubopt != ${v.relay_agent_inf}->end(); ++ptrsubopt ) { 
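Review bot: `domain_name : bytestring &length=length-3;` in `Client_FQDN` assumes the option is at least three bytes long, but `length` is the uint8 taken from the packet, so an option 81 with a declared length of 0 to 2 makes the expression negative. How binpac treats a negative `&length` is not visible here, so the record should reject the short form explicitly rather than rely on it; one way is `domain_name : bytestring &length=(length >= 3 ? length - 3 : 0);`, though the three fixed bytes before it are then still read past the declared length. A comment on the type, `# flags, rcode1 and rcode2 take 3 of the option's length bytes; shorter options are malformed`, would record the assumption.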
@@ -308,20 +629,69 @@ refine flow DHCP_Flow += { r->Assign(0, new Val((*ptrsubopt)->code(), TYPE_COUNT)); r->Assign(1, bytestring_to_val((*ptrsubopt)->value())); - Val* index = new Val(i, TYPE_COUNT); - relay_agent_sub_opt->Assign(index, r); - Unref(index); + relay_agent_sub_opt->Assign(i, r); ++i; } - ${context.flow}->options->Assign(10, relay_agent_sub_opt); + ${context.flow}->options->Assign(22, relay_agent_sub_opt); return true; %} }; refine typeattr Option += &let { - proc_relay_agent_info_option = $context.flow.process_relay_agent_inf_option(info) &if(code==RELAY_AGENT_INF_OPTION); + proc_relay_agent_info_option = $context.flow.process_relay_agent_inf_option(info.value) &if(code==RELAY_AGENT_INF_OPTION); }; +############################## +# AUTO_CONFIG OPTION +############################## +let AUTO_CONFIG_OPTION = 116; + +# Parse the option +refine casetype OptionValue += { + AUTO_CONFIG_OPTION -> auto_config : uint8; +}; + +refine flow DHCP_Flow += { + function process_auto_config_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(23, new Val(${v.auto_config} == 0 ? false : true, TYPE_BOOL)); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_auto_config_option = $context.flow.process_auto_config_option(info.value) &if(code==AUTO_CONFIG_OPTION); +}; + + +############################## +# AUTO PROXY CONFIG OPTION +############################## +let AUTO_PROXY_CONFIG_OPTION = 252; + +# Parse the option +refine casetype OptionValue += { + AUTO_PROXY_CONFIG_OPTION -> auto_proxy_config : bytestring &length=length; +}; + +refine flow DHCP_Flow += { + function process_auto_proxy_config_option(v: OptionValue): bool + %{ + int string_len = ${v.auto_proxy_config}.length(); + const char* last_char = reinterpret_cast(${v.auto_proxy_config}.begin()+${v.auto_proxy_config}.length()); + bool has_newline = strncmp(last_char, "\x0a", 1); + ${context.flow}->options->Assign(24, new StringVal(string_len - (has_newline ? 
1 : 0), + reinterpret_cast(${v.auto_proxy_config}.begin()))); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_auto_proxy_config_option = $context.flow.process_auto_proxy_config_option(info.value) &if(code==AUTO_PROXY_CONFIG_OPTION); +}; + diff --git a/src/analyzer/protocol/dhcp/dhcp-protocol.pac b/src/analyzer/protocol/dhcp/dhcp-protocol.pac index 43dade5989..af48a416c4 100644 --- a/src/analyzer/protocol/dhcp/dhcp-protocol.pac +++ b/src/analyzer/protocol/dhcp/dhcp-protocol.pac @@ -8,34 +8,22 @@ enum OP_type { let MSG_TYPE_OPTION = 53; -enum DHCP_message_type { - DHCPDISCOVER = 1, - DHCPOFFER = 2, - DHCPREQUEST = 3, - DHCPDECLINE = 4, - DHCPACK = 5, - DHCPNAK = 6, - DHCPRELEASE = 7, - DHCPINFORM = 8, - DHCPFORCERENEW = 9, # RFC 2132 - DHCPLEASEQUERY = 10, # RFC 4388 - DHCPLEASEUNASSIGNED = 11, # RFC 4388 - DHCPLEASEUNKNOWN = 12, # RFC 4388 - DHCPLEASEACTIVE = 13 # RFC 4388 -}; - type OptionValue(code: uint8, length: uint8) = case code of { # This is extended in dhcp-options.pac - MSG_TYPE_OPTION -> msg_type : uint8; - default -> other : bytestring &length = length; + MSG_TYPE_OPTION -> msg_type : uint8; + default -> other : bytestring &length = length; +}; + +type OptionValueWrapper(code: uint8) = record { + length : uint8; + value : OptionValue(code, length); }; type Option = record { code : uint8; - length : uint8; data : case code of { 0, 255 -> none : empty; - default -> info : OptionValue(code, length); + default -> info : OptionValueWrapper(code); }; } &let { last = (code == 255); # Mark the end of a list of options @@ -55,7 +43,7 @@ type DHCP_Message(is_orig: bool) = record { giaddr : uint32; chaddr : bytestring &length = 16; sname : bytestring &length = 64; - file : bytestring &length = 128; + file_n : bytestring &length = 128; # Cookie belongs to options in RFC 2131, but we separate # them here for easy parsing. cookie : uint32; 
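Review bot: In `process_auto_proxy_config_option`, `last_char` is computed as `begin() + length()`, which is one byte past the end of the option, so the `strncmp` reads memory outside the parsed bytestring on every option 252. The result is also inverted: `strncmp` returns 0 on a match, so `has_newline` is true when that byte is not a newline, and the string is then shortened by one for ordinary values. With a zero-length option the length passed to `StringVal` becomes -1. The check should look at the last byte inside the option, only when the option is non-empty, and compare it directly, as below.

```binpac
	function process_auto_proxy_config_option(v: OptionValue): bool
		%{
		const char* data = reinterpret_cast<const char*>(${v.auto_proxy_config}.begin());
		int string_len = ${v.auto_proxy_config}.length();

		// Strip one trailing newline; only bytes inside the option are read.
		if ( string_len > 0 && data[string_len - 1] == '\x0a' )
			--string_len;

		${context.flow}->options->Assign(24, new StringVal(string_len, data));
		// … unchanged: return true …
```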
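Review bot: `value : OptionValue(code, length);` in `OptionValueWrapper` does not tie the parsed value to the declared `length`, so the fixed-width cases added in dhcp-options.pac (`subnet : uint32`, `forwarding : uint8`, `max_msg_size : uint16`, and the `uint32[length/4]` lists) consume their own width whatever the packet says. A declared length that disagrees, or a list length that is not a multiple of 4, would presumably leave the following option codes read from the wrong offset; this depends on binpac behaviour not shown on the page. Bounding the field, `value : OptionValue(code, length) &length = length;`, keeps one malformed option from shifting the rest of the option list.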
@@ -65,24 +53,6 @@ type DHCP_Message(is_orig: bool) = record { } &byteorder = bigendian; refine flow DHCP_Flow += { - %member{ - uint8 sum_len; - %} - - %init{ - sum_len = 0; - %} - - %cleanup{ - sum_len = 0; - %} - - function get_dhcp_sumlen(len: uint8): uint8 - %{ - sum_len = len + sum_len; - return sum_len; - %} - function get_dhcp_msgtype(options: Option[]): uint8 %{ uint8 type = 0; @@ -91,7 +61,7 @@ refine flow DHCP_Flow += { { if ( (*ptr)->code() == MSG_TYPE_OPTION ) { - type = (*ptr)->info()->msg_type(); + type = (*ptr)->info()->value()->msg_type(); break; } } diff --git a/src/analyzer/protocol/dhcp/events.bif b/src/analyzer/protocol/dhcp/events.bif index 663ba3c319..3b2e6366a8 100644 --- a/src/analyzer/protocol/dhcp/events.bif +++ b/src/analyzer/protocol/dhcp/events.bif 
@@ -1,188 +1,12 @@ - +## Generated for all DHCP messages. +## +## c: The connection record describing the underlying UDP flow. +## +## is_orig: Indicate if the message came in a packet from the originator/client +## of the udp flow or the responder/server. +## +## msg: The parsed type-independent part of the DHCP message. The message type +## is indicated in this record. +## +## options: The full set of supported and parsed DHCP options. event dhcp_message%(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options%); - -## Generated for DHCP messages of type *DHCPDISCOVER* (client broadcast to locate -## available servers). -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## req_addr: The specific address requested by the client. -## -## host_name: The value of the host name option, if specified by the client. -## -## client_id: The value of the client id (usually the MAC ADDRESS). -## -## req_params: The Parameters Request List. -## -## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak -## dhcp_release dhcp_inform -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -event dhcp_discover%(c: connection, msg: DHCP::Msg, req_addr: addr, host_name: string, client_id: DHCP::ClientID, req_params: DHCP::ParamsList%); - -## Generated for DHCP messages of type *DHCPOFFER* (server to client in response -## to DHCPDISCOVER with offer of configuration parameters). -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## mask: The subnet mask specified by the message. -## -## router: The list of routers specified by the message. -## -## lease: The least interval specified by the message. 
-## -## serv_addr: The server address specified by the message. -## -## host_name: Optional host name value. May differ from the host name requested -## from the client. -## -## .. bro:see:: dhcp_discover dhcp_request dhcp_decline dhcp_ack dhcp_nak -## dhcp_release dhcp_inform -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -event dhcp_offer%(c: connection, msg: DHCP::Msg, mask: addr, router: DHCP::RouterList, lease: interval, serv_addr: addr, host_name: string%); - -## Generated for DHCP messages of type *DHCPREQUEST* (Client message to servers either -## (a) requesting offered parameters from one server and implicitly declining offers -## from all others, (b) confirming correctness of previously allocated address after, -## e.g., system reboot, or (c) extending the lease on a particular network address.) -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## req_addr: The client address specified by the message. -## -## serv_addr: The server address specified by the message. -## -## host_name: The value of the host name option, if specified by the client. -## -## client_id: The client id. -## -## req_parms: The Parameters Request List. -## -## .. bro:see:: dhcp_discover dhcp_offer dhcp_decline dhcp_ack dhcp_nak -## dhcp_release dhcp_inform -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. 
-## -event dhcp_request%(c: connection, msg: DHCP::Msg, req_addr: addr, serv_addr: addr, host_name: string, client_id: DHCP::ClientID, req_params: DHCP::ParamsList%); - -## Generated for DHCP messages of type *DHCPDECLINE* (Client to server indicating -## network address is already in use). -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## host_name: Optional host name value. -## -## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_ack dhcp_nak -## dhcp_release dhcp_inform -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -event dhcp_decline%(c: connection, msg: DHCP::Msg, host_name: string%); - -## Generated for DHCP messages of type *DHCPACK* (Server to client with configuration -## parameters, including committed network address). -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## mask: The subnet mask specified by the message. -## -## router: The list of routers specified by the message. -## -## lease: The least interval specified by the message. -## -## serv_addr: The server address specified by the message. -## -## host_name: Optional host name value. May differ from the host name requested -## from the client. -## -## reb_time: A 32-bit unsigned integer indicating the number of seconds before -## the cilent enters the rebinding state if it has not renewed its -## current address lease with the DHCP server. -## -## ren_time: A 32-bit unsigned integer indicating the number of seconds before -## the client begins to renew its address lease with the DHCP server. 
-## -## sub_opt: DHCP relay agent information option list of suboption values -## (see http://slaptijack.com/networking/what-is-dhcp-option-82/ or -## http://www.juniper.net/documentation/en_US/junose14.3/topics/concept/dhcp-relay-option-82-suboptions-overview.html) -## -## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_nak -## dhcp_release dhcp_inform -## -event dhcp_ack%(c: connection, msg: DHCP::Msg, mask: addr, router: DHCP::RouterList, lease: interval, serv_addr: addr, host_name: string%); - -## Generated for DHCP messages of type *DHCPNAK* (Server to client indicating client's -## notion of network address is incorrect (e.g., client has moved to new subnet) or -## client's lease has expired). -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## host_name: Optional host name value. -## -## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_release -## dhcp_inform -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -event dhcp_nak%(c: connection, msg: DHCP::Msg, host_name: string%); - -## Generated for DHCP messages of type *DHCPRELEASE* (Client to server relinquishing -## network address and cancelling remaining lease). -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## host_name: The value of the host name option, if specified by the client. -## -## .. 
bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak -## dhcp_inform -## -event dhcp_release%(c: connection, msg: DHCP::Msg, host_name: string%); - -## Generated for DHCP messages of type *DHCPINFORM* (Client to server, asking only for -## local configuration parameters; client already has externally configured network -## address). -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## host_name: The value of the host name option, if specified by the client. -## -## req_parms: The Parameters Request List. -## -## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak -## dhcp_release -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -event dhcp_inform%(c: connection, msg: DHCP::Msg, host_name: string%); - diff --git a/src/analyzer/protocol/dhcp/types.bif b/src/analyzer/protocol/dhcp/types.bif index bf55018b00..d0062e312c 100644 --- a/src/analyzer/protocol/dhcp/types.bif +++ b/src/analyzer/protocol/dhcp/types.bif @@ -1,9 +1,9 @@ module DHCP; type Msg: record; -type RouterList: table; -type ParamsList: table; -type SubOptList: table; +type Addrs: vector; type SubOpt: record; +type SubOpts: vector; +type ClientFQDN: record; type ClientID: record; type Options: record; diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2 index 53d4189bf7..af9ccda1ae 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output2 +++ b/testing/btest/Baseline/core.print-bpf-filters/output2 @@ -17,6 +17,7 @@ 1 3306 1 3389 1 3544 +1 4011 2 443 1 502 1 5060 @@ -51,8 +52,8 @@ 1 992 1 993 1 995 -58 and -57 or -58 port +59 and +58 or +59 port 40 tcp -18 udp +19 udp 
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 52a660261c..c55bb605ae 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2017-05-02-20-38-47 +#open 2018-03-01-16-07-03 #fields name #types string scripts/base/init-bare.bro @@ -66,6 +66,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_DHCP.types.bif.bro build/scripts/base/bif/plugins/Bro_DNP3.events.bif.bro build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro build/scripts/base/bif/plugins/Bro_File.events.bif.bro @@ -168,4 +169,4 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2017-05-02-20-38-47 +#close 2018-03-01-16-07-03 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 75ef872a95..7259566568 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2017-05-02-20-39-05 +#open 2018-03-01-16-09-46 #fields name #types string scripts/base/init-bare.bro 
@@ -66,6 +66,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_DHCP.types.bif.bro build/scripts/base/bif/plugins/Bro_DNP3.events.bif.bro build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro build/scripts/base/bif/plugins/Bro_File.events.bif.bro @@ -267,7 +268,6 @@ scripts/base/init-default.bro scripts/base/protocols/dhcp/__load__.bro scripts/base/protocols/dhcp/consts.bro scripts/base/protocols/dhcp/main.bro - scripts/base/protocols/dhcp/utils.bro scripts/base/protocols/dnp3/__load__.bro scripts/base/protocols/dnp3/main.bro scripts/base/protocols/dnp3/consts.bro @@ -357,4 +357,4 @@ scripts/base/init-default.bro scripts/base/misc/find-filtered-trace.bro scripts/base/misc/version.bro scripts/policy/misc/loaded-scripts.bro -#close 2017-05-02-20-39-05 +#close 2018-03-01-16-09-46 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index f6a5c4ad37..07364ecbd3 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -4,6 +4,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DHCP, 4011/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DHCP, 67/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DHCP, 68/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)) -> 
@@ -66,6 +67,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DHCP, 4011/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DHCP, 67/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DHCP, 68/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)) -> @@ -256,7 +258,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1519920860.516463, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> 
@@ -429,7 +431,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1519920860.516463, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> @@ -480,6 +482,7 @@ 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.types.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DHCP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DHCP.types.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DNP3.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DNS.events.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FTP.events.bif.bro) -> -1 
@@ -782,6 +785,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DHCP, 4011/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DHCP, 67/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DHCP, 68/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)) @@ -844,6 +848,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DHCP, 4011/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DHCP, 67/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DHCP, 68/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)) 
@@ -1034,7 +1039,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1519920860.516463, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) @@ -1207,7 +1212,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1519920860.516463, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1258,6 +1263,7 @@ 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.types.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DHCP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DHCP.types.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DNP3.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DNS.events.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FTP.events.bif.bro) @@ -1560,6 +1566,7 @@ 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_TCPSTATS) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DCE_RPC, 135/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 4011/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 67/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 68/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/tcp) @@ -1622,6 +1629,7 @@ 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DCE_RPC, 135/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 4011/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 67/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 68/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/tcp) 
@@ -1811,7 +1819,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1519920860.516463, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) @@ -1984,7 +1992,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1519920860.516463, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2035,6 +2043,7 @@ 0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.types.bif.bro 0.000000 | HookLoadFile .<...>/Bro_DHCP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DHCP.types.bif.bro 0.000000 | HookLoadFile .<...>/Bro_DNP3.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_DNS.events.bif.bro 0.000000 | HookLoadFile .<...>/Bro_FTP.events.bif.bro 
@@ -2327,7 +2336,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1516211213.330468, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1519920860.516463, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() diff --git a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-ack-msg-types/dhcp.log b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-ack-msg-types/dhcp.log index 1edaec49ee..7131010acb 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-ack-msg-types/dhcp.log +++ b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-ack-msg-types/dhcp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path dhcp -#open 2018-01-08-17-58-31 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id msg_type client_id server_id host_name subscriber_id agent_remote_id -#types time string addr port addr port string addr interval count string string addr string string string -1102274184.387798 CHhAvVGS1DHFjwGM9 10.10.0.10 68 10.10.0.1 67 00:0a:28:00:fa:42 192.168.0.10 3600.000000 15633 DHCP_ACK - 10.10.0.1 (empty) -subID- 13 -#close 2018-01-08-17-58-31 +#open 2018-03-01-15-18-30 +#fields ts uids client_addr server_addr mac host_name client_fqdn domain requested_addr assigned_addr lease_time client_message server_message msg_types duration +#types time set[string] addr addr string string string string addr addr interval string string vector[string] interval +1102274184.387798 CHhAvVGS1DHFjwGM9 192.168.0.10 10.10.0.1 00:0a:28:00:fa:42 - - - - 192.168.0.10 3600.000000 - - ACK 0.000000 +#close 2018-03-01-15-18-30 
diff --git a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/dhcp.log b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/dhcp.log index 5f7aeee659..cf36777c6d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/dhcp.log +++ b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/dhcp.log @@ -3,8 +3,10 @@ #empty_field (empty) #unset_field - #path dhcp -#open 2016-07-13-16-15-58 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id -#types time string addr port addr port string addr interval count -1370200444.371332 CtPZjS20MLrsMUOJi2 128.2.6.189 68 128.2.6.152 67 90:b1:1c:99:49:29 128.2.6.189 900.000000 1984 -#close 2016-07-13-16-15-58 +#open 2018-03-01-15-19-24 +#fields ts uids client_addr server_addr mac host_name client_fqdn domain requested_addr assigned_addr lease_time client_message server_message msg_types duration +#types time set[string] addr addr string string string string addr addr interval string string vector[string] interval +1370200447.422207 CHhAvVGS1DHFjwGM9 - - - btest.is.cool - - 128.2.6.189 - - - - INFORM 0.000000 +1370200442.323173 CtPZjS20MLrsMUOJi2,CHhAvVGS1DHFjwGM9,C4J4Th3PJpwUYZZ6gc,ClEkJM2Vm5giqnMf4h 128.2.6.97 128.2.6.152 90:b1:1c:99:49:29 btest.is.cool - cmu.edu 128.2.6.189 128.2.6.189 900.000000 - requested address not available DISCOVER,OFFER,REQUEST,NAK,REQUEST,ACK,DECLINE 3.058797 +1370200446.402928 CHhAvVGS1DHFjwGM9 - - - - - - - - - - - RELEASE 0.000000 +#close 2018-03-01-15-19-24 diff --git a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-discover-msg-types/dhcp.log b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-discover-msg-types/dhcp.log index 13e87b3855..48c6f36cf1 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-discover-msg-types/dhcp.log +++ b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-discover-msg-types/dhcp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path dhcp -#open 2018-01-08-17-58-41 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id msg_type client_id server_id host_name subscriber_id agent_remote_id -#types time string addr port addr port string addr interval count string string addr string string string -1102274184.317453 CHhAvVGS1DHFjwGM9 0.0.0.0 68 255.255.255.255 67 - - - 15633 DHCP_DISCOVER 00:0b:82:01:fc:42 - test0000 - - -#close 2018-01-08-17-58-41 +#open 2018-03-01-15-30-31 +#fields ts uids client_addr server_addr mac host_name client_fqdn domain requested_addr assigned_addr lease_time client_message server_message msg_types duration +#types time set[string] addr addr string string string string addr addr interval string string vector[string] interval +1102274184.317453 CHhAvVGS1DHFjwGM9 - - 00:0b:82:01:fc:42 test0000 - - 208.67.222.222 - - - - DISCOVER 0.000000 +#close 2018-03-01-15-30-31 diff --git a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-sub-opts/dhcp.log b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-sub-opts/dhcp.log new file mode 100644 index 0000000000..5534459dd2 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-sub-opts/dhcp.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dhcp +#open 2018-03-01-15-30-58 +#fields ts uids client_addr server_addr mac host_name client_fqdn domain requested_addr assigned_addr lease_time client_message server_message msg_types duration circuit_id agent_remote_id subscriber_id +#types time set[string] addr addr string string string string addr addr interval string string vector[string] interval string string string +1102274184.387798 CHhAvVGS1DHFjwGM9 192.168.0.10 10.10.0.1 00:0a:28:00:fa:42 - - - - 192.168.0.10 3600.000000 - - ACK 0.000000 this is only a test... \x13 -subID- +#close 2018-03-01-15-30-58 
diff --git a/testing/btest/Baseline/scripts.base.protocols.dhcp.inform/dhcp.log b/testing/btest/Baseline/scripts.base.protocols.dhcp.inform/dhcp.log index 0a92c6c32d..ef1f5483ce 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dhcp.inform/dhcp.log +++ b/testing/btest/Baseline/scripts.base.protocols.dhcp.inform/dhcp.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path dhcp -#open 2016-07-13-16-15-59 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id -#types time string addr port addr port string addr interval count -1374432420.191205 CHhAvVGS1DHFjwGM9 128.2.6.122 68 128.2.6.152 67 90:b1:1c:99:49:29 128.2.6.122 0.000000 2754407505 -#close 2016-07-13-16-15-59 +#open 2018-03-01-15-32-52 +#fields ts uids client_addr server_addr mac host_name client_fqdn domain requested_addr assigned_addr lease_time client_message server_message msg_types duration +#types time set[string] addr addr string string string string addr addr interval string string vector[string] interval +1374432420.186878 CHhAvVGS1DHFjwGM9 128.2.6.122 - 90:b1:1c:99:49:29 - - - - - - - - INFORM,ACK 0.004327 +#close 2018-03-01-15-32-52 diff --git a/testing/btest/Baseline/scripts.policy.protocols.dhcp.known-devices-and-hostnames.basic/known_devices.log b/testing/btest/Baseline/scripts.policy.protocols.dhcp.known-devices-and-hostnames.basic/known_devices.log deleted file mode 100644 index 91d37f8950..0000000000 --- a/testing/btest/Baseline/scripts.policy.protocols.dhcp.known-devices-and-hostnames.basic/known_devices.log +++ /dev/null @@ -1,11 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path known_devices -#open 2013-07-31-21-27-41 -#fields ts mac dhcp_host_name -#types time string string -1370200443.344965 90:b1:1c:99:49:29 btest.is.cool -1374432420.186878 90:b1:1c:99:49:29 (empty) -#close 2013-07-31-21-27-41 
diff --git a/testing/btest/scripts/base/protocols/dhcp/dhcp-sub-opts.btest b/testing/btest/scripts/base/protocols/dhcp/dhcp-sub-opts.btest new file mode 100644 index 0000000000..3bd37a996b --- /dev/null +++ b/testing/btest/scripts/base/protocols/dhcp/dhcp-sub-opts.btest @@ -0,0 +1,2 @@ +# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT protocols/dhcp/sub-opts +# @TEST-EXEC: btest-diff dhcp.log diff --git a/testing/btest/scripts/policy/protocols/dhcp/known-devices-and-hostnames/basic.test b/testing/btest/scripts/policy/protocols/dhcp/known-devices-and-hostnames/basic.test deleted file mode 100644 index 1144ae1377..0000000000 --- a/testing/btest/scripts/policy/protocols/dhcp/known-devices-and-hostnames/basic.test +++ /dev/null @@ -1,8 +0,0 @@ -# This tests that the known_devices log is created, -# that devices are logged by MAC address, and that -# the DHCP hostname is added, if available. - -# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp.trace -r $TRACES/dhcp/dhcp_inform.trace %INPUT -# @TEST-EXEC: btest-diff known_devices.log - -@load policy/protocols/dhcp/known-devices-and-hostnames From 57fa8f270802945c8d318d88a1509628b25df3f6 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 7 Mar 2018 12:46:57 -0600 Subject: [PATCH 333/631] Update a doc test/baseline --- CHANGES | 9 +++++ VERSION | 2 +- .../output | 37 +++++++++++++++++++ ...g_framework_logging_factorial_03_bro.btest | 37 +++++++++++++++++++ 4 files changed, 84 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 61146d422d..17c152a539 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,13 @@ +2.5-459 | 2018-03-07 12:46:57 -0600 + + * Update a doc test/baseline (Corelight) + + * Add removed root certificate back to test that requires it. + + Test has a trace that contains a WoSign certificate - they are no longer + recognized by pretty much anyone. (Johanna Amann) + 2.5-457 | 2018-02-18 17:35:50 -0600 * Fix another warning when building the documentation (Daniel Thayer) 
diff --git a/VERSION b/VERSION index 08b0813b1e..4ad459c35c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-457 +2.5-459 diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_03_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_03_bro/output index d5d1c23b2b..01ed659c75 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_03_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_03_bro/output @@ -2,6 +2,43 @@ framework_logging_factorial_03.bro +module Factor; + +export { + redef enum Log::ID += { LOG }; + + type Info: record { + num: count &log; + factorial_num: count &log; + }; + } + +function factorial(n: count): count + { + if ( n == 0 ) + return 1; + + else + return (n * factorial(n - 1)); + } + +event bro_done() + { + local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10); + for ( n in numbers ) + Log::write( Factor::LOG, [$num=numbers[n], + $factorial_num=factorial(numbers[n])]); + } + +function mod5(id: Log::ID, path: string, rec: Factor::Info) : string + { + if ( rec$factorial_num % 5 == 0 ) + return "factor-mod5"; + + else + return "factor-non5"; + } + event bro_init() { Log::create_stream(LOG, [$columns=Info, $path="factor"]); diff --git a/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_03_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_03_bro.btest index d5d1c23b2b..01ed659c75 100644 --- a/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_03_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_03_bro.btest 
@@ -2,6 +2,43 @@ framework_logging_factorial_03.bro +module Factor; + +export { + redef enum Log::ID += { LOG }; + + type Info: record { + num: count &log; + factorial_num: count &log; + }; + } + +function factorial(n: count): count + { + if ( n == 0 ) + return 1; + + else + return (n * factorial(n - 1)); + } + +event bro_done() + { + local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10); + for ( n in numbers ) + Log::write( Factor::LOG, [$num=numbers[n], + $factorial_num=factorial(numbers[n])]); + } + +function mod5(id: Log::ID, path: string, rec: Factor::Info) : string + { + if ( rec$factorial_num % 5 == 0 ) + return "factor-mod5"; + + else + return "factor-non5"; + } + event bro_init() { Log::create_stream(LOG, [$columns=Info, $path="factor"]); From 54aa7d19113d84e951f09cdd3a414bb2fe24b546 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 7 Mar 2018 13:54:53 -0600 Subject: [PATCH 334/631] Updating submodule(s). [nomail] --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- cmake | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/aux/binpac b/aux/binpac index 790250e6b3..c8d860a2e8 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 790250e6b35bfc35d6335ec0f3622b8a0aab3861 +Subproject commit c8d860a2e8fd42c725aca0000c9f96ec53cde900 diff --git a/aux/bro-aux b/aux/bro-aux index dc077fb554..63752fbfdb 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit dc077fb5545016f7d38f630941369ce17949939a +Subproject commit 63752fbfdb72a2bf62507ea05ee2d3dbe3dcb1e7 diff --git a/aux/broccoli b/aux/broccoli index 13fe5fba7e..22a35f3378 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 13fe5fba7ebd314e6bf2bedbac465d4c3f2e4301 +Subproject commit 22a35f33786b2ede5f3efe7e2b24237a4fe974fb diff --git a/aux/broctl b/aux/broctl index 3e27199f2c..76b8e0c301 160000 --- a/aux/broctl +++ b/aux/broctl 
@@ -1 +1 @@ -Subproject commit 3e27199f2cb2b0a2ab3fbeacc86f8a3e48f19613 +Subproject commit 76b8e0c3017d81bfc0907a6e9285f19bddfd400a diff --git a/aux/broker b/aux/broker index 761ef15d9b..066fb75d1e 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 761ef15d9b72d189d29af7dd09c9e576d61fd78f +Subproject commit 066fb75d1ea46e919a2d9c56faff1e605c64756c diff --git a/cmake b/cmake index 9bac595066..c40d8f9831 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 9bac5950664ac7b50fb576a2f9422b819b505e21 +Subproject commit c40d8f9831b69259bfa930a64662d91cfdbf97bf From c759583d116b279d8b66269b48101a47d4fdc32d Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 15 Mar 2018 14:13:54 -0500 Subject: [PATCH 335/631] Fix minor typos and doc build warnings in NEWS --- NEWS | 49 ++++++++++++++++++++++++++----------------------- 1 file changed, 26 insertions(+), 23 deletions(-) diff --git a/NEWS b/NEWS index 4e518a4261..aa43682047 100644 --- a/NEWS +++ b/NEWS @@ -20,14 +20,14 @@ New Functionality using normal assignments. Instead, they can be changed using the new function Option::set. - It is possible to "subscribe" to option through + It is possible to "subscribe" to an option through Option::set_change_handler, which will trigger a handler callback when an option changes. Change handlers can optionally modify values before they are applied by returning the desired value, or reject updates by returning the old value. Priorities can be specified if there are several handlers for one option. - Example script: + Example script:: option testbool: bool = T; @@ -55,7 +55,7 @@ New Functionality Configuration files to read can be specified by adding them to Config::config_files. - Usage example: + Usage example:: redef Config::config_files += { "/path/to/config.dat" }; 
@@ -65,38 +65,38 @@ New Functionality option testbool: bool = F; } - The specified file will now monitored contionoulsy for changes, so + The specified file will now be monitored continuously for changes, so that writing "testbool T" into /path/to/config.dat will automatically update the option's value accordingly. - The configutation framework creates a config.log that shows all + The configuration framework creates a config.log that shows all value changes that took place. - - Config reader: Internally, the configuration framework use a new + - Config reader: Internally, the configuration framework uses a new type of input reader to read such configuration files into Bro. The reader uses the option name to look up the type that variable has, converts the read value to the correct type, and then updates - the option's value. Example script use: + the option's value. Example script use:: - type Idx: record { - option_name: string; - }; + type Idx: record { + option_name: string; + }; - type Val: record { - option_val: string; - }; + type Val: record { + option_val: string; + }; - global currconfig: table[string] of string = table(); + global currconfig: table[string] of string = table(); - event InputConfig::new_value(name: string, source: string, id: string, value: any) - { - print id, value; - } + event InputConfig::new_value(name: string, source: string, id: string, value: any) + { + print id, value; + } - event bro_init() - { - Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]); - } + event bro_init() + { + Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]); + } - Support for OCSP and Signed Certificate Timestamp. This adds the following events and BIFs: 
@@ -173,12 +173,15 @@ Changed Functionality the default configuration of logs, this field will show "-" instead of "(empty)" for connections that lack any tunelling. -- SMB event argument changes +- SMB event argument changes: + - smb1_transaction_request now has two additional arguments, "parameters" and "data" strings + - smb1_transaction2_request now has an additional "args" record argument - SSL event argument changes: + - event ssl_server_signature now has an additional argument "signature_and_hashalgorithm". From f3e42874b80ebfe86e7ca7db228ec1ffa34d4445 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 15 Mar 2018 14:16:00 -0500 Subject: [PATCH 336/631] Improve config framework documentation comments Fixed typos and formatting. --- scripts/base/frameworks/config/README | 2 +- scripts/base/frameworks/config/main.bro | 4 +- .../base/frameworks/input/readers/config.bro | 6 +-- src/option.bif | 43 ++++++++++--------- 4 files changed, 28 insertions(+), 27 deletions(-) diff --git a/scripts/base/frameworks/config/README b/scripts/base/frameworks/config/README index 95193b49a3..3640d1e8c4 100644 --- a/scripts/base/frameworks/config/README +++ b/scripts/base/frameworks/config/README @@ -1,2 +1,2 @@ -The configuration famework provides a way to change the Bro configuration +The configuration framework provides a way to change the Bro configuration in "option" values at run-time. diff --git a/scripts/base/frameworks/config/main.bro b/scripts/base/frameworks/config/main.bro index 372bb10eb4..ffd9e764ef 100644 --- a/scripts/base/frameworks/config/main.bro +++ b/scripts/base/frameworks/config/main.bro @@ -1,6 +1,6 @@ ##! The configuration framework provides a way to change Bro options -##! (as specified by the option keyword) at runtime. It also logs runtime changes -##! to options to config.log. +##! (as specified by the "option" keyword) at runtime. It also logs runtime +##! changes to options to config.log. module Config; 
diff --git a/scripts/base/frameworks/input/readers/config.bro b/scripts/base/frameworks/input/readers/config.bro index 166228e81f..0d334b9b65 100644 --- a/scripts/base/frameworks/input/readers/config.bro +++ b/scripts/base/frameworks/input/readers/config.bro @@ -33,12 +33,12 @@ export { ## and also does not track removals. If you need this, combine the event ## with a table reader. ## - ## name: name of the input stream. + ## name: Name of the input stream. ## - ## source: source of the input stream. + ## source: Source of the input stream. ## ## id: ID of the configuration option being set. ## - ## value: new value of the configuration option being set. + ## value: New value of the configuration option being set. global new_value: event(name: string, source: string, id: string, value: any); } diff --git a/src/option.bif b/src/option.bif index 59f4a0fec4..011db2f069 100644 --- a/src/option.bif +++ b/src/option.bif @@ -1,6 +1,5 @@ -##! The option built-in functions allow the scripting layer to -##! change the value of option-values and to be notified when -##! option values change. +##! Definitions of built-in functions that allow the scripting layer to +##! change the value of options and to be notified when option values change. module Option; 
@@ -8,16 +7,16 @@ module Option; #include "NetVar.h" %%} -## Sets an option to a new value. This change will also cause the option change handlers -## to be called. +## Set an option to a new value. This change will also cause the option change +## handlers to be called. ## ## ID: The ID of the option to update. ## ## val: The new value of the option. ## -## location: optional parameter detailing where this change originated from. +## location: Optional parameter detailing where this change originated from. ## -## Returns: true on success, false when an error occured. +## Returns: true on success, false when an error occurred. ## ## .. bro:see:: Option::set_change_handler function Option::set%(ID: string, val: any, location: string &default=""%): bool 
@@ -74,24 +73,26 @@ function Option::set%(ID: string, val: any, location: string &default=""%): bool return new Val(1, TYPE_BOOL); %} -## Set the change handler for the option *ID*. The change handler will be called anytime -## :bro:id:`Option::set` is called fot *ID*. +## Set a change handler for an option. The change handler will be +## called anytime :bro:id:`Option::set` is called for the option. ## ## ID: The ID of the option for which change notifications are desired. ## -## on_change: The function that will be called when a change occurs. The function can choose to -## receive two or three parameters: the first parameter is a string containing *ID*, -## the second parameter is the new option value. The third, optional, parameter is the -## location string as passed to Option::set. Note that the global value is not yet changed -## when the function is called. The passed function has to return the new value that -## it wants the option to be set to. This enables it to reject changes, or change values -## that are being set. When several change handlers are set for an option they are chained; -## the second change handler will see the return value of the first change handler as the -## "new value". +## on_change: The function that will be called when a change occurs. The +## function can choose to receive two or three parameters: the first +## parameter is a string containing *ID*, the second parameter is +## the new option value. The third, optional, parameter is the +## location string as passed to Option::set. Note that the global +## value is not yet changed when the function is called. The passed +## function has to return the new value that it wants the option to +## be set to. This enables it to reject changes, or change values +## that are being set. When several change handlers are set for an +## option they are chained; the second change handler will see the +## return value of the first change handler as the "new value". 
## -## priority: The priority of the function that was added; functions with higher priority are -## called first, functions with the same priority are called in the order in which -## they were added. +## priority: The priority of the function that was added; functions with higher +## priority are called first, functions with the same priority are +## called in the order in which they were added. ## ## Returns: true when the change handler was set, false when an error occurred. ## From 79afd99229fc5abc19fbe973271778e424ae4613 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 15 Mar 2018 14:29:26 -0500 Subject: [PATCH 337/631] Add documentation of "option" declarations --- doc/script-reference/statements.rst | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/doc/script-reference/statements.rst b/doc/script-reference/statements.rst index 14e0cc3c32..963d4dc7a2 100644 --- a/doc/script-reference/statements.rst +++ b/doc/script-reference/statements.rst @@ -20,6 +20,9 @@ Declarations +----------------------------+-----------------------------+ | :bro:keyword:`const` | Declare a constant | +----------------------------+-----------------------------+ +| :bro:keyword:`option` | Declare a configuration | +| | option | ++----------------------------+-----------------------------+ | :bro:keyword:`type` | Declare a user-defined type | +----------------------------+-----------------------------+ | :bro:keyword:`redef` | Redefine a global value or | 
@@ -176,6 +179,25 @@ all loaded Bro scripts. or "global" keywords (i.e., "const" replaces "local" and "global"). +.. bro:keyword:: option + + A variable declared with the "option" keyword is a configuration option. + + Options are required to be initialized at the + time of declaration. Normally, the type is inferred from the initializer, + but the type can be explicitly specified. Example:: + + option hostname = "host-1"; + option peers: set[addr] = {}; + + The value of an option cannot be changed by an assignment statement. + + The scope of an option is global. + + Note that an "option" declaration cannot also use the "local", "global", + or "const" keywords. + + .. bro:keyword:: type The "type" keyword is used to declare a user-defined type. The name From 8aeedba066877633e9bf18576ab6c6e5130df1ca Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 15 Mar 2018 14:50:42 -0500 Subject: [PATCH 338/631] Add documentation of the configuration framework --- doc/frameworks/configuration.rst | 156 +++++++++++++++++++++++++++++++ doc/frameworks/index.rst | 1 + 2 files changed, 157 insertions(+) create mode 100644 doc/frameworks/configuration.rst diff --git a/doc/frameworks/configuration.rst b/doc/frameworks/configuration.rst new file mode 100644 index 0000000000..fba8b46f5f --- /dev/null +++ b/doc/frameworks/configuration.rst 
@@ -0,0 +1,156 @@ + +.. _framework-configuration: + +======================= +Configuration Framework +======================= + +.. rst-class:: opening + +Bro now includes a "configuration framework" that allows +updating script options dynamically at runtime. This functionality +consists of several components: an "option" declaration, the +ability to specify input files to enable changing the value of options at +runtime, a couple of built-in functions, and a log file "config.log" +which contains information about every change to option values. + + +.. contents:: + + +Introduction +------------ + +The configuration framework provides an alternative to using Bro script +constants to store various Bro settings. In general, constants can be used +when a value is not expected to change at runtime, but they cannot be used +for values that need to be modified occasionally. + +A "redef" allows the re-definition of an already defined constant in Bro. +For example, to modify the constant "Site::local_nets", you can use code +similar to this: + + redef Site::local_nets += { 10.1.0.0/16 }; + +A disadvantage of redefs is that these redefinitions can only be +performed when Bro first starts. Afterwards, Site::local_nets is just a +normal constant and can no longer be modified. + +However, it is clearly desirable to be able to change at runtime many of the +configuration options that Bro offers. Having to restart Bro can be +time-consuming and causes Bro to lose all connection state and knowledge +that it accumulated. To solve this problem, the Bro configuration framework +was created, which allows changing configuration options at runtime. + + +Declaring options +----------------- + +The "option" keyword allows variables to be declared as configuration options. + +.. 
code:: bro + + module TestModule; + + export { + option my_networks: set[subnet] = {}; + option enable_feature = F; + option hostname = "testsystem"; + } + +The rules regarding options can be thought of as being in between global +variables and constants. Like global variables, options cannot be declared +inside a function, hook, or event handler. Like constants, options must be +initialized when declared. The value of an option can change at runtime, +but options cannot be assigned a new value using normal assignments. + + +Changing options +---------------- + +The configuration framework facilitates reading in new option values +from external files at runtime. + +Configuration files contain a mapping between option names and their values. +The format for these files looks like this: + + [option name][tab/spaces][new value] + +Configuration files can be specified by adding them to Config::config_files. +For example, simply add something like this to local.bro: + +.. code:: bro + + redef Config::config_files += { "/path/to/config.dat" }; + +The specified configuration file will be monitored continuously for changes, +so that writing "TestModule::enable_feature T" into that file will +automatically update the option's value accordingly. Here is an example +configuration file:: + + TestModule::my_networks 10.0.12.0/24,192.168.17.0/24 + TestModule::enable_feature T + TestModule::hostname host-1 + +Internally, the configuration framework uses the Bro input framework +with a type of input reader specifically for reading config files. Users +familiar with the Bro input framework might be aware that the input framework +is usually very strict about the syntax of input files. This is not true +for configuration files: the files need no header lines and either +tabs or spaces are accepted as separators. 
+ +If you inspect the configuration framework scripts, you will notice that the +scripts simply catch events from the input framework and then a built-in +function :bro:see:`Option::set` is called to set an option to the new value. +If you want to change an option yourself during runtime, you can +call Option::set directly from a script. + +The log file "config.log" contains information about each configuration +change that occurs during runtime. + + +Change handlers +--------------- + +A change handler is a user-defined function that is called automatically +each time an option value changes. This example shows how to register a +change handler for an option that has a data type of "addr" (for other +data types, the return type and 2nd parameter data type must be adjusted +accordingly): + +.. code:: bro + + option testaddr = 127.0.0.1; + + # Note: the data type of 2nd parameter and return type must match + function change_addr(ID: string, new_value: addr): addr + { + print fmt("Value of %s changed from %s to %s", ID, testaddr, new_value); + return new_value; + } + + event bro_init() + { + Option::set_change_handler("testaddr", change_addr); + } + +Each time the specified option value is changed, the change handler +function will be called before the change is performed. The value returned +by the change handler is the value finally assigned to the option. This +allows, for example, checking of values to reject invalid input (the original +value can be returned to reject the change). + +A change handler can optionally have a third argument, which is the location +string (this is normally the pathname of the configuration file that triggered +the change). + +It is also possible to chain together multiple change handlers. In this +case, the value returned by the first change handler is the "new value" seen +by the next change handler, and so on. 
The built-in function +:bro:see:`Option::set_change_handler` takes an optional third argument +that can specify a priority for the handlers. + +Note that change handlers are also used internally by the +configuration framework. If you look at the script level source code of +the config framework, you can see that change handlers are used for +logging the option changes to config.log. diff --git a/doc/frameworks/index.rst b/doc/frameworks/index.rst index 4f87df3b53..ab46939c38 100644 --- a/doc/frameworks/index.rst +++ b/doc/frameworks/index.rst @@ -6,6 +6,7 @@ Frameworks .. toctree:: :maxdepth: 1 + configuration file-analysis geoip input From 77bc5da6f94b8436138ddfd5de4ac367753c48ed Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 15 Mar 2018 15:00:34 -0700 Subject: [PATCH 339/631] Updating submodule(s). [nomail] --- aux/bro-aux | 2 +- aux/broctl | 2 +- aux/btest | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/aux/bro-aux b/aux/bro-aux index 63752fbfdb..f7cc11d97b 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 63752fbfdb72a2bf62507ea05ee2d3dbe3dcb1e7 +Subproject commit f7cc11d97b3298bbfc5d01ff544e871b67f0fc5a diff --git a/aux/broctl b/aux/broctl index 76b8e0c301..1824853baf 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 76b8e0c3017d81bfc0907a6e9285f19bddfd400a +Subproject commit 1824853baf8f7369256f22992d7f10215634ec9d diff --git a/aux/btest b/aux/btest index fcecde7c07..8d10f39729 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit fcecde7c072839c6e48c043e85987f52914e6646 +Subproject commit 8d10f397299bab7e2f722142b019b24f2aa490f1 From 8fe998c5f73d416524ac208b5c4dbb843ad8da75 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 15 Mar 2018 18:52:08 -0500 Subject: [PATCH 340/631] Fix one new minor typo in the config framework docs --- doc/frameworks/configuration.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/doc/frameworks/configuration.rst b/doc/frameworks/configuration.rst index e8e60dcac7..efb5182301 100644 --- a/doc/frameworks/configuration.rst +++ b/doc/frameworks/configuration.rst @@ -29,7 +29,7 @@ expected to change at runtime, but they cannot be used for values that need to be modified occasionally. While a "redef" allows a re-definition of an already defined constant in Bro, these redefinitions can only be performed when Bro first starts. Afterwards, -constants no longer be modified. +constants can no longer be modified. However, it is clearly desirable to be able to change at runtime many of the configuration options that Bro offers. Having to restart Bro From 911018347f893687454fa4858846ac66900bba39 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 16 Mar 2018 14:36:13 -0700 Subject: [PATCH 341/631] Make data flow more explicit for complilers. gcc likes complaining about ev potentially not being initialized. Make it clear that this cannot happen by marking the default case as unreachable after the error output. --- src/input/Manager.cc | 1 + 1 file changed, 1 insertion(+) diff --git a/src/input/Manager.cc b/src/input/Manager.cc index 8b044a4e61..4cc084285d 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc @@ -2710,6 +2710,7 @@ void Manager::ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, co default: reporter->InternalError("Unknown error type while trying to report input error %s", fmt); + __builtin_unreachable(); } StringVal* message = new StringVal(buf); From 1f2bf50b491d70f1e5e249e510ec88d63476a3b2 Mon Sep 17 00:00:00 2001 
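Review bot: The added `__builtin_unreachable();` in the `default:` branch of `Manager::ErrorHandler` is a GCC/Clang builtin, and it makes the branch undefined behaviour if `reporter->InternalError()` ever returns (its declaration is not visible in this hunk; presumably it terminates the process). A portable replacement that still tells the compiler the path ends, and that fails closed rather than continuing with an uninitialized `ev`, is `abort(); // not reached: InternalError() terminates`. If the builtin stays, a comment such as `// InternalError() does not return; this only silences the uninitialized-ev warning` would record the assumption the line depends on. The enclosing function starts and ends outside the hunk.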
From: Johanna Amann Date: Fri, 16 Mar 2018 18:38:04 -0700 Subject: [PATCH 342/631] Remove unimplemented & unused functions from header files. All of these functions were defined in header files without ever being implemented or used. --- src/DFA.h | 2 -- src/Dict.h | 2 -- src/ID.h | 1 - src/OSFinger.h | 7 ------- src/OpaqueVal.h | 1 - src/RE.h | 1 - src/Timer.h | 1 - src/analyzer/protocol/ayiya/AYIYA.h | 2 -- src/analyzer/protocol/gtpv1/GTPv1.h | 2 -- src/analyzer/protocol/http/HTTP.h | 2 -- src/analyzer/protocol/icmp/ICMP.h | 4 ---- src/analyzer/protocol/rpc/NFS.h | 1 - src/analyzer/protocol/syslog/Syslog.h | 2 -- src/analyzer/protocol/teredo/Teredo.h | 2 -- src/iosource/Component.h | 5 ----- src/iosource/PktDumper.h | 7 ------- src/iosource/PktSrc.h | 5 ----- src/logging/Manager.h | 1 - src/logging/WriterFrontend.h | 13 ------------- 19 files changed, 61 deletions(-) diff --git a/src/DFA.h b/src/DFA.h index a63beca9ac..8af4907da1 100644 --- a/src/DFA.h +++ b/src/DFA.h @@ -117,8 +117,6 @@ typedef PList(DFA_State) DFA_state_list; class DFA_Machine : public BroObj { public: DFA_Machine(NFA_Machine* n, EquivClass* ec); - DFA_Machine(int** xtion_ptrs, int num_states, int num_ecs, - int* acc_array); ~DFA_Machine(); DFA_State* StartState() const { return start_state; } diff --git a/src/Dict.h b/src/Dict.h index 2def5ea28f..8a0b6b4f3d 100644 --- a/src/Dict.h +++ b/src/Dict.h @@ -109,8 +109,6 @@ public: // which should be delete'd when no longer needed. IterCookie* InitForIteration() const; void* NextEntry(HashKey*& h, IterCookie*& cookie, int return_hash) const; - void* NextEntry(const void*& key, int& key_len, IterCookie*& cookie) - const; void StopIteration(IterCookie* cookie) const; void SetDeleteFunc(dict_delete_func f) { delete_func = f; } diff --git a/src/ID.h b/src/ID.h index 8eb890b732..177adcdfde 100644 --- a/src/ID.h +++ b/src/ID.h 
@@ -118,7 +118,6 @@ public: protected: ID() { name = 0; type = 0; val = 0; attrs = 0; } - void CheckAttr(Attr* attr); void EvalFunc(Expr* ef, Expr* ev); #ifdef DEBUG diff --git a/src/OSFinger.h b/src/OSFinger.h index 0968fb5fd3..2f0dde976b 100644 --- a/src/OSFinger.h +++ b/src/OSFinger.h @@ -90,13 +90,6 @@ public: uint8 TTL, uint16 WSS, uint8 ocnt, uint8* op, uint16 MSS, uint8 win_scale, uint32 tstamp, uint32 quirks, uint8 ECN) const; bool CacheMatch(const IPAddr& addr, int id); - - int Get_OS_From_SYN(struct os_type* retval, - uint16 tot, uint8 DF_flag, uint8 TTL, uint16 WSS, - uint8 ocnt, uint8* op, uint16 MSS, uint8 win_scale, - uint32 tstamp, /* uint8 TOS, */ uint32 quirks, - uint8 ecn) const; - void load_config(const char* file); protected: diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h index df928dff60..7954653c6c 100644 --- a/src/OpaqueVal.h +++ b/src/OpaqueVal.h @@ -106,7 +106,6 @@ public: protected: friend class Val; - EntropyVal(OpaqueType* t); DECLARE_SERIAL(EntropyVal); diff --git a/src/RE.h b/src/RE.h index 7437dbb8b8..ad38aeb306 100644 --- a/src/RE.h +++ b/src/RE.h @@ -175,7 +175,6 @@ public: RE_Matcher(const char* pat); virtual ~RE_Matcher(); - void AddDef(const char* defn_name, const char* defn_val); void AddPat(const char* pat); int Compile(int lazy = 0); diff --git a/src/Timer.h b/src/Timer.h index e095421c30..8fba53d3b7 100644 --- a/src/Timer.h +++ b/src/Timer.h @@ -150,7 +150,6 @@ public: int Size() const { return q->Size(); } int PeakSize() const { return q->PeakSize(); } uint64 CumulativeNum() const { return q->CumulativeNum(); } - unsigned int MemoryUsage() const; protected: int DoAdvance(double t, int max_expire); diff --git a/src/analyzer/protocol/ayiya/AYIYA.h b/src/analyzer/protocol/ayiya/AYIYA.h index 6e8baa11f8..bffc7aabf8 100644 --- a/src/analyzer/protocol/ayiya/AYIYA.h +++ b/src/analyzer/protocol/ayiya/AYIYA.h 
@@ -18,8 +18,6 @@ public: { return new AYIYA_Analyzer(conn); } protected: - void ExpireTimer(double t); - binpac::AYIYA::AYIYA_Conn* interp; }; diff --git a/src/analyzer/protocol/gtpv1/GTPv1.h b/src/analyzer/protocol/gtpv1/GTPv1.h index d8a04bc0b0..45cacaa17a 100644 --- a/src/analyzer/protocol/gtpv1/GTPv1.h +++ b/src/analyzer/protocol/gtpv1/GTPv1.h @@ -18,8 +18,6 @@ public: { return new GTPv1_Analyzer(conn); } protected: - void ExpireTimer(double t); - binpac::GTPv1::GTPv1_Conn* interp; }; diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h index bfc079187f..31bc485f35 100644 --- a/src/analyzer/protocol/http/HTTP.h +++ b/src/analyzer/protocol/http/HTTP.h @@ -155,8 +155,6 @@ public: HTTP_Analyzer(Connection* conn); ~HTTP_Analyzer(); - void Undelivered(tcp::TCP_Endpoint* sender, uint64 seq, int len); - void HTTP_Header(int is_orig, mime::MIME_Header* h); void HTTP_EntityData(int is_orig, BroString* entity_data); void HTTP_MessageDone(int is_orig, HTTP_Message* message); diff --git a/src/analyzer/protocol/icmp/ICMP.h b/src/analyzer/protocol/icmp/ICMP.h index 1de6a4afea..391ab4d7a7 100644 --- a/src/analyzer/protocol/icmp/ICMP.h +++ b/src/analyzer/protocol/icmp/ICMP.h @@ -25,8 +25,6 @@ public: { return new ICMP_Analyzer(conn); } protected: - ICMP_Analyzer(analyzer::Tag tag, Connection* conn); - virtual void Done(); virtual void DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen); @@ -38,8 +36,6 @@ protected: void Echo(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr); - void Context(double t, const struct icmp* icmpp, int len, - int caplen, const u_char*& data, const IP_Hdr* ip_hdr); void Redirect(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr); void RouterAdvert(double t, const struct icmp* icmpp, int len, 
diff --git a/src/analyzer/protocol/rpc/NFS.h b/src/analyzer/protocol/rpc/NFS.h index 3a6da1f765..dd336d7dee 100644 --- a/src/analyzer/protocol/rpc/NFS.h +++ b/src/analyzer/protocol/rpc/NFS.h @@ -74,7 +74,6 @@ protected: // * size is the amount of bytes read (or requested to be written), StringVal* nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size); - RecordVal* ExtractOptAttrs(const u_char*& buf, int& n); Val* ExtractUint32(const u_char*& buf, int& n); Val* ExtractUint64(const u_char*& buf, int& n); Val* ExtractTime(const u_char*& buf, int& n); diff --git a/src/analyzer/protocol/syslog/Syslog.h b/src/analyzer/protocol/syslog/Syslog.h index f1568e0b6f..8f2580806c 100644 --- a/src/analyzer/protocol/syslog/Syslog.h +++ b/src/analyzer/protocol/syslog/Syslog.h @@ -22,8 +22,6 @@ public: { return new Syslog_Analyzer(conn); } protected: - void ExpireTimer(double t); - int did_session_done; binpac::Syslog::Syslog_Conn* interp; diff --git a/src/analyzer/protocol/teredo/Teredo.h b/src/analyzer/protocol/teredo/Teredo.h index 4882dd97ca..af733b8814 100644 --- a/src/analyzer/protocol/teredo/Teredo.h +++ b/src/analyzer/protocol/teredo/Teredo.h @@ -49,8 +49,6 @@ public: } protected: - void ExpireTimer(double t); - bool valid_orig; bool valid_resp; }; diff --git a/src/iosource/Component.h b/src/iosource/Component.h index 4a38a9cd22..57e1084d3a 100644 --- a/src/iosource/Component.h +++ b/src/iosource/Component.h @@ -29,11 +29,6 @@ public: */ Component(const std::string& name); - /** - * Copy constructor. - */ - Component(const Component& other); - /** * Destructor. */ diff --git a/src/iosource/PktDumper.h b/src/iosource/PktDumper.h index dcfda2030b..4e53cd7aff 100644 --- a/src/iosource/PktDumper.h +++ b/src/iosource/PktDumper.h @@ -54,13 +54,6 @@ public: */ int HdrSize() const; - /** - * Writes a packet to the dumper. - * - * @param pkt The packet to record. - */ - bool Record(const Packet* pkt); - // PktDumper interface for derived classes to implement. /** 
diff --git a/src/iosource/PktSrc.h b/src/iosource/PktSrc.h index 25a743dc53..f2f14aa9c2 100644 --- a/src/iosource/PktSrc.h +++ b/src/iosource/PktSrc.h @@ -92,11 +92,6 @@ public: */ const char* ErrorMsg() const; - /** - * Returns the size of the link-layer header for this source. - */ - int HdrSize() const; - /** * In pseudo-realtime mode, returns the logical timestamp of the * current packet. Undefined if not running pseudo-realtime mode. diff --git a/src/logging/Manager.h b/src/logging/Manager.h index 56626f39d3..ad526ec915 100644 --- a/src/logging/Manager.h +++ b/src/logging/Manager.h @@ -275,7 +275,6 @@ private: void RemoveDisabledWriters(Stream* stream); void InstallRotationTimer(WriterInfo* winfo); void Rotate(WriterInfo* info); - Filter* FindFilter(EnumVal* id, StringVal* filter); WriterInfo* FindWriter(WriterFrontend* writer); bool CompareFields(const Filter* filter, const WriterFrontend* writer); bool CheckFilterWriterConflict(const WriterInfo* winfo, const Filter* filter); diff --git a/src/logging/WriterFrontend.h b/src/logging/WriterFrontend.h index ae37613261..9228aeac45 100644 --- a/src/logging/WriterFrontend.h +++ b/src/logging/WriterFrontend.h @@ -138,19 +138,6 @@ public: */ void Rotate(const char* rotated_path, double open, double close, bool terminating); - /** - * Finalizes writing to this tream. - * - * This method generates a message to the backend writer and triggers - * the corresponding message there. If the backend method fails, it - * sends a message back that will asynchronously call Disable(). - * - * This method must only be called from the main thread. - * - * @param network_time The network time when the finish was triggered. - */ - void Finish(double network_time); - /** * Explicitly triggers a transfer of all potentially buffered Write() * operations over to the backend. From 9ee739421b34d50569f2713782e3af2fadd805ce Mon Sep 17 00:00:00 2001 
From: Daniel Thayer Date: Wed, 21 Mar 2018 14:05:52 -0500 Subject: [PATCH 343/631] Add coverity scan and private testing to Travis CI --- .travis.job | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++ .travis.yml | 13 ++----- 2 files changed, 114 insertions(+), 9 deletions(-) create mode 100644 .travis.job diff --git a/.travis.job b/.travis.job new file mode 100644 index 0000000000..3430a07898 --- /dev/null +++ b/.travis.job 
@@ -0,0 +1,110 @@ +#!/bin/sh + +if [ "${TRAVIS}" != "true" ]; then + echo "$0: this script is intended for Travis CI" + exit 1 +fi + +if [ $# -ne 1 ]; then + echo "usage: $0 build|run|failure" + exit 1 +fi + +step=$1 + +build() { + ./configure && make -j 4 +} + +build_coverity() { + # Get the coverity tools + set -e + wget -nv https://scan.coverity.com/download/cxx/linux64 --post-data "token=${COV_TOKEN}&project=Bro" -O coverity_tool.tgz + tar xzf coverity_tool.tgz + mv cov-analysis* coverity-tools + rm coverity_tool.tgz + + # Configure Bro + ./configure --prefix=`pwd`/build/root --enable-debug --disable-perftools + + # Build Bro with coverity tools + export PATH=`pwd`/coverity-tools/bin:$PATH + cd build + cov-build --dir cov-int make -j 4 +} + +run_coverity() { + set -e + + EMAIL=bro-commits-internal@bro.org + FILE=myproject.bz2 + VER=`cat VERSION` + DESC=`git rev-parse HEAD` + + cd build + tar cjf ${FILE} cov-int + curl --form token=${COV_TOKEN} --form email=${EMAIL} --form file=@${FILE} --form version=${VER} --form description=${DESC} https://scan.coverity.com/builds?project=Bro +} + +run() { + set -e + + # Run the tests + make -C testing/btest btest-verbose + + # Get the test repo + make -C testing/external init + + # Get the private test repo + curl https://www.bro.org/static/travis-ci/travis_key.enc -o travis_key.enc + openssl aes-256-cbc -K $encrypted_6a6fe747ff7b_key -iv $encrypted_6a6fe747ff7b_iv -in travis_key.enc -out travis_key -d + chmod 600 travis_key + mv travis_key $HOME/.ssh/id_rsa + cd testing/external + git clone ssh://git@git.bro.org/bro-testing-private + cd ../.. + rm $HOME/.ssh/id_rsa + + # Run the external tests + make -C testing/external +} + +failure() { + # Output each diag.log that contains failed test results. + for i in testing/btest/diag.log testing/external/bro-testing/diag.log; do + grep -qs '... failed$' $i && cat $i ; + done +} + +# Coverity scan is run from a Travis CI cron job. 
+if [ "$TRAVIS_EVENT_TYPE" = "cron" ]; then + # Each Travis CI build consists of multiple jobs. Here we choose one job + # to run the coverity scan. + JOB=`echo $TRAVIS_JOB_NUMBER | cut -d . -f 2` + + if [ "$JOB" != "1" ]; then + echo "Coverity scan is performed only in the first job of this build" + exit 0 + fi + + # This is split up into two steps because the build outputs thousands of + # lines (which are collapsed into a single line on the web page). + if [ "$step" = "build" ]; then + build_coverity + elif [ "$step" = "run" ]; then + run_coverity + fi + exit 0 +fi + +# Run one step of a Travis CI job. The "build" and "run" are split up into +# separate steps because the build outputs thousands of lines (which are +# collapsed into a single line on the web page). The "failure" step is run +# only when at least one test fails. +if [ "$step" = "build" ]; then + build +elif [ "$step" = "run" ]; then + run +elif [ "$step" = "failure" ]; then + failure +fi diff --git a/.travis.yml b/.travis.yml index 47cdea3ea7..c849ef1803 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,6 +4,7 @@ compiler: - gcc addons: + ssh_known_hosts: git.bro.org apt: sources: - ubuntu-toolchain-r-test @@ -26,14 +27,8 @@ notifications: recipients: - bro-commits-internal@bro.org -install: ./configure && make -j 4 +before_script: sh .travis.job build -script: - - make -C testing/btest btest-verbose - - make -C testing/external init && make -C testing/external +script: sh .travis.job run -after_failure: - # Output each diag.log that contains failed test results. - - for i in testing/btest/diag.log testing/external/bro-testing/diag.log; do - grep -qs '... failed$' $i && cat $i ; - done +after_failure: sh .travis.job failure From 3584495562740d48997a9d56e7f7a12b41f43138 Mon Sep 17 00:00:00 2001 
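Review bot: In `run()` the decrypted key is removed only by the `rm $HOME/.ssh/id_rsa` after `git clone`, and since the function runs under `set -e`, a failed clone or `cd` exits before that line and leaves the private key on the build host. Registering the cleanup before the key is written, `trap 'rm -f "$HOME/.ssh/id_rsa"' EXIT`, covers every exit path. A `umask 077` ahead of the `openssl` call would also keep the key from existing with default permissions before the `chmod 600`. Separately, the decrypt step depends on the `$encrypted_6a6fe747ff7b_key` and `_iv` variables being set; if the CI service withholds them for some builds (worth confirming for pull requests from forks), `run` aborts there and the external tests never run.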
From: Daniel Thayer Date: Wed, 21 Mar 2018 15:24:29 -0500 Subject: [PATCH 344/631] Fix information leak in the update-traces script For trace files that require authentication to download, hide part of the URL in output messages. This avoids leaking potentially sensitive info when running tests using a continuous integration service. --- testing/external/scripts/update-traces | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/testing/external/scripts/update-traces b/testing/external/scripts/update-traces index 8dd8d09e9c..ebf2a93896 100755 --- a/testing/external/scripts/update-traces +++ b/testing/external/scripts/update-traces @@ -2,7 +2,7 @@ # # Downloads all traces as specified in /traces.cfg to directory $1. # -# traces.cfg must consist of lines of the form " " +# traces.cfg must consist of lines of the form " [[:]]" if [ "$1" == "" ]; then echo "usage: `basename $0` " @@ -45,11 +45,15 @@ cat $cfg | while read line; do if [ "$auth" != "" ]; then auth="-u $auth" + # Hide the hostname and directory names in output messages + safe_url=`echo $url | sed 's#/[A-Za-z].*/#/[hidden]/#'` + else + safe_url=$url fi # Get the fingerprint file. if ! eval "$proxy curl $auth -fsS --anyauth $url.md5sum -o $fp.tmp"; then - echo "Error: Could not get $url.md5sum, skipping download." + echo "Error: Could not get $safe_url.md5sum, skipping download." continue fi @@ -64,7 +68,7 @@ cat $cfg | while read line; do fi if [ "$download" = "1" ]; then - echo Getting $url ... + echo Getting $safe_url ... echo eval "$proxy curl $auth -f --anyauth $url -o $file" echo From 551f57ea97b810634a203cd5857590414e970529 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Wed, 21 Mar 2018 16:29:59 -0400 Subject: [PATCH 345/631] Fix a memory leak in SMBv1 share mapping --- .../protocol/smb/smb1-com-tree-connect-andx.pac | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) 
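Review bot: The `sed` expression that builds `safe_url` only starts matching at a `/` followed by a letter, so for a URL whose host begins with a digit (an IP address, for example) the match starts at the first path component and the host is printed unredacted. Anchoring on the scheme separator instead, `sed 's#://.*/#://[hidden]/#'`, hides the host and directories whatever the host's first character is. The two `curl` calls still run against the real `$url` with errors enabled, so curl's own messages (a name-resolution failure, for instance) may still print the host; redirecting or filtering its stderr would close that path. The enclosing `while read` loop starts and ends outside these hunks.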
diff --git a/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac b/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac index 526febce39..4bf208b33b 100644 --- a/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac @@ -13,8 +13,9 @@ refine connection SMB_Conn += { function proc_smb1_tree_connect_andx_response(header: SMB_Header, val: SMB1_tree_connect_andx_response): bool %{ - if ( strncmp((const char*) smb_string2stringval(${val.service})->Bytes(), - "IPC", 3) == 0 ) + auto service_string = smb_string2stringval(${val.service}); + auto s = reinterpret_cast(service_string->Bytes()); + if ( strncmp(s, "IPC", 3) == 0 ) { set_tree_is_pipe(${header.tid}); } @@ -24,9 +25,13 @@ refine connection SMB_Conn += { BifEvent::generate_smb1_tree_connect_andx_response(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), - smb_string2stringval(${val.service}), + service_string, ${val.byte_count} > ${val.service.a}->size() ? smb_string2stringval(${val.native_file_system[0]}) : new StringVal("")); } + else + { + Unref(service_string); + } return true; %} From aadcd5d2cc4f12aa3f918f3beb9b7410f6d629bb Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 22 Mar 2018 19:36:40 -0500 Subject: [PATCH 346/631] Fix the travis-job script to always run external tests Run the external tests even when the Bro tests fail. --- testing/scripts/travis-job | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/testing/scripts/travis-job b/testing/scripts/travis-job index 3430a07898..95605eef1f 100644 --- a/testing/scripts/travis-job +++ b/testing/scripts/travis-job @@ -47,10 +47,11 @@ run_coverity() { } run() { - set -e - - # Run the tests + # Run the tests, but don't exit upon failure. make -C testing/btest btest-verbose + ret=$? + + set -e # Get the test repo make -C testing/external init 
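Review bot: In the first hunk, `strncmp(s, "IPC", 3)` reads up to three bytes from `service_string->Bytes()` without consulting the string's length, so it is only safe if `smb_string2stringval()` always returns a NUL-terminated buffer, and that helper is not visible here. Since the value comes from the wire, a length-checked compare states the intent and drops the cast: `if ( service_string->Len() >= 3 && memcmp(service_string->Bytes(), "IPC", 3) == 0 )`. The ownership rule the fix relies on also deserves a comment next to the declaration, e.g. `// Ownership passes to the event below; otherwise released in the else branch.`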
@@ -67,6 +68,9 @@ run() { # Run the external tests make -C testing/external + + # If we get here, then external tests were successful. + exit $ret } failure() { From ecf278874006c641e1ac486a90a885c2dbcdbb8a Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Fri, 23 Mar 2018 10:10:01 +0100 Subject: [PATCH 347/631] Better reporter for Brostring with embedded NUL Can be reproduced with something like curl 127.0.0.1:8002/readme.html%00lol --- src/BroString.cc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/BroString.cc b/src/BroString.cc index c86e14cf37..0fd7a52a65 100644 --- a/src/BroString.cc +++ b/src/BroString.cc @@ -166,14 +166,16 @@ void BroString::Set(const BroString& str) const char* BroString::CheckString() const { + void * nulTerm; if ( n == 0 ) return ""; - if ( memchr(b, '\0', n + final_NUL) != &b[n] ) + nulTerm = memchr(b, '\0', n + final_NUL); + if ( nulTerm != &b[n] ) { // Either an embedded NUL, or no final NUL. char* exp_s = Render(); - if ( b[n-1] != '\0' ) + if ( nulTerm == NULL ) reporter->Error("string without NUL terminator: \"%s\"", exp_s); else reporter->Error("string with embedded NUL: \"%s\"", exp_s); From 6d612ced3d3c6836f88000594676e100cf44d5a6 Mon Sep 17 00:00:00 2001 
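Review bot: In `BroString::CheckString()`, `void * nulTerm;` is declared uninitialized at the top of the function and assigned only after the `n == 0` early return, and its camelCase name differs from the neighbouring `exp_s` and `final_NUL`. Declaring it where it is computed keeps it const and never uninitialized: `const void* nul_term = memchr(b, '\0', n + final_NUL);`, followed by `if ( nul_term != &b[n] )` and `if ( ! nul_term )` for the missing-terminator case. The function body continues past the end of the hunk.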
From: Johanna Amann Date: Fri, 16 Mar 2018 22:14:22 -0700 Subject: [PATCH 348/631] Mark one-parameter constructors as explicit & use override where possible This commit marks (hopefully) every one-parameter constructor as explicit. It also uses override in (hopefully) all circumstances where a virtual method is overridden. There are a very few other minor changes - most of them were necessary to get everything to compile (like one additional constructor). In one case I changed an implicit operation to an explicit string conversion - I think the automatically chosen conversion was much more convoluted. This took longer than I want to admit but not as long as I feared :) --- src/Anon.h | 12 +-- src/Attr.h | 8 +- src/Base64.h | 2 +- src/BroString.h | 6 +- src/ChunkedIO.h | 90 +++++++++---------- src/CompHash.h | 2 +- src/Conn.h | 6 +- src/DFA.h | 8 +- src/DNS_Mgr.cc | 2 +- src/DNS_Mgr.h | 14 +-- src/DbgWatch.h | 4 +- src/Desc.h | 2 +- src/Dict.h | 8 +- src/EquivClass.h | 2 +- src/Event.h | 10 +-- src/EventHandler.h | 4 +- src/Expr.h | 70 +++++++-------- src/File.h | 4 +- src/Frag.h | 10 +-- src/Frame.h | 4 +- src/Func.h | 10 +-- src/Hash.h | 14 +-- src/ID.h | 2 +- src/IPAddr.h | 2 +- src/IntSet.h | 2 +- src/List.h | 10 +-- src/NFA.h | 12 +-- src/OSFinger.h | 2 +- src/Obj.h | 4 +- src/OpaqueVal.h | 27 +++--- src/PacketDumper.h | 2 +- src/PacketFilter.h | 2 +- src/PersistenceSerializer.h | 21 ++--- src/Pipe.h | 2 +- src/PriorityQueue.h | 4 +- src/Queue.h | 6 +- src/RE.h | 8 +- src/Reassem.h | 4 +- src/RemoteSerializer.h | 34 +++---- src/RuleAction.h | 44 ++++----- src/RuleCondition.h | 48 +++++----- src/Scope.h | 6 +- src/SerialObj.h | 12 +-- src/SerializationFormat.h | 66 +++++++------- src/Serializer.h | 76 ++++++++-------- src/Sessions.h | 6 +- src/SmithWaterman.h | 8 +- src/StateAccess.h | 2 +- src/Stats.h | 8 +- src/Stmt.h | 50 +++++------ src/Tag.h | 2 +- src/Timer.h | 40 ++++----- src/Trigger.h | 12 +-- src/Type.h | 44 ++++----- src/UID.h | 2 +- src/Val.cc | 5 ++ 
src/Val.h | 75 ++++++++-------- src/analyzer/Analyzer.h | 14 +-- src/analyzer/Component.h | 2 +- src/analyzer/Tag.h | 4 +- src/analyzer/protocol/arp/ARP.h | 4 +- src/analyzer/protocol/ayiya/AYIYA.h | 2 +- src/analyzer/protocol/backdoor/BackDoor.h | 20 ++--- src/analyzer/protocol/bittorrent/BitTorrent.h | 12 +-- .../protocol/bittorrent/BitTorrentTracker.h | 22 ++--- src/analyzer/protocol/conn-size/ConnSize.h | 16 ++-- src/analyzer/protocol/dce-rpc/DCE_RPC.h | 4 +- src/analyzer/protocol/dhcp/DHCP.h | 10 +-- src/analyzer/protocol/dnp3/DNP3.h | 22 ++--- src/analyzer/protocol/dns/DNS.cc | 2 +- src/analyzer/protocol/dns/DNS.h | 22 ++--- src/analyzer/protocol/file/File.h | 10 +-- src/analyzer/protocol/finger/Finger.h | 8 +- src/analyzer/protocol/ftp/FTP.h | 8 +- src/analyzer/protocol/gnutella/Gnutella.h | 8 +- src/analyzer/protocol/gssapi/GSSAPI.h | 4 +- src/analyzer/protocol/gtpv1/GTPv1.h | 2 +- src/analyzer/protocol/http/HTTP.h | 6 +- src/analyzer/protocol/icmp/ICMP.h | 14 +-- src/analyzer/protocol/ident/Ident.h | 6 +- src/analyzer/protocol/imap/IMAP.h | 12 +-- src/analyzer/protocol/interconn/InterConn.h | 20 ++--- src/analyzer/protocol/irc/IRC.h | 2 +- src/analyzer/protocol/krb/KRB.h | 2 +- src/analyzer/protocol/krb/KRB_TCP.h | 12 +-- src/analyzer/protocol/login/Login.h | 8 +- src/analyzer/protocol/login/NVT.h | 26 +++--- src/analyzer/protocol/login/RSH.h | 8 +- src/analyzer/protocol/login/Rlogin.h | 6 +- src/analyzer/protocol/login/Telnet.h | 4 +- src/analyzer/protocol/mime/MIME.h | 6 +- src/analyzer/protocol/modbus/Modbus.h | 12 +-- src/analyzer/protocol/mysql/MySQL.h | 12 +-- src/analyzer/protocol/ncp/NCP.h | 16 ++-- src/analyzer/protocol/netbios/NetbiosSSN.h | 8 +- src/analyzer/protocol/ntlm/NTLM.h | 4 +- src/analyzer/protocol/ntp/NTP.h | 8 +- src/analyzer/protocol/pia/PIA.h | 38 ++++---- src/analyzer/protocol/pop3/POP3.h | 8 +- src/analyzer/protocol/radius/RADIUS.h | 10 +-- src/analyzer/protocol/rdp/RDP.h | 13 ++- src/analyzer/protocol/rfb/RFB.h | 12 +-- 
src/analyzer/protocol/rpc/MOUNT.h | 10 +-- src/analyzer/protocol/rpc/NFS.h | 10 +-- src/analyzer/protocol/rpc/Portmap.h | 12 +-- src/analyzer/protocol/rpc/RPC.h | 18 ++-- src/analyzer/protocol/sip/SIP.h | 10 +-- src/analyzer/protocol/sip/SIP_TCP.h | 12 +-- src/analyzer/protocol/smb/SMB.h | 4 +- src/analyzer/protocol/smtp/SMTP.h | 12 +-- src/analyzer/protocol/snmp/SNMP.h | 2 +- src/analyzer/protocol/socks/SOCKS.h | 12 +-- src/analyzer/protocol/ssh/SSH.h | 12 +-- src/analyzer/protocol/ssl/DTLS.h | 12 +-- src/analyzer/protocol/ssl/SSL.h | 12 +-- .../protocol/stepping-stone/SteppingStone.h | 16 ++-- src/analyzer/protocol/syslog/Syslog.h | 10 +-- src/analyzer/protocol/tcp/ContentLine.h | 8 +- src/analyzer/protocol/tcp/TCP.h | 58 ++++++------ src/analyzer/protocol/tcp/TCP_Reassembler.h | 2 +- src/analyzer/protocol/teredo/Teredo.h | 12 +-- src/analyzer/protocol/udp/UDP.h | 19 ++-- src/analyzer/protocol/xmpp/XMPP.h | 4 +- src/analyzer/protocol/zip/ZIP.h | 6 +- src/broxygen/Configuration.h | 2 +- src/broxygen/IdentifierInfo.h | 8 +- src/broxygen/PackageInfo.h | 8 +- src/broxygen/ReStructuredTextTable.h | 2 +- src/broxygen/ScriptInfo.h | 8 +- src/broxygen/Target.h | 32 +++---- src/file_analysis/AnalyzerSet.h | 14 +-- src/file_analysis/Component.h | 2 +- src/file_analysis/FileReassembler.h | 2 +- src/file_analysis/FileTimer.h | 2 +- src/file_analysis/Tag.h | 4 +- .../analyzer/data_event/DataEvent.h | 4 +- src/file_analysis/analyzer/entropy/Entropy.h | 8 +- src/file_analysis/analyzer/extract/Extract.h | 6 +- src/file_analysis/analyzer/hash/Hash.h | 8 +- .../analyzer/unified2/Unified2.h | 4 +- src/file_analysis/analyzer/x509/OCSP.h | 2 +- src/file_analysis/analyzer/x509/X509.h | 2 +- src/file_analysis/analyzer/x509/X509Common.h | 2 +- src/input/Component.h | 2 +- src/input/ReaderBackend.h | 2 +- src/input/Tag.h | 4 +- src/input/readers/ascii/Ascii.h | 2 +- src/input/readers/benchmark/Benchmark.h | 12 +-- src/input/readers/binary/Binary.h | 15 ++-- 
src/input/readers/config/Config.h | 2 +- src/input/readers/raw/Plugin.h | 6 +- src/input/readers/raw/Raw.h | 2 +- src/input/readers/sqlite/SQLite.h | 12 +-- src/iosource/Component.h | 12 +-- src/iosource/PktSrc.h | 16 ++-- src/iosource/pcap/Dumper.h | 8 +- src/iosource/pcap/Source.h | 16 ++-- src/logging/Component.h | 2 +- src/logging/Tag.h | 4 +- src/logging/WriterBackend.h | 2 +- src/logging/writers/ascii/Ascii.h | 26 +++--- src/logging/writers/none/None.h | 25 +++--- src/logging/writers/sqlite/Plugin.cc | 2 +- src/logging/writers/sqlite/SQLite.h | 24 ++--- src/plugin/TaggedComponent.h | 2 +- src/probabilistic/BloomFilter.h | 36 ++++---- src/probabilistic/CounterVector.h | 4 +- src/probabilistic/Hasher.h | 16 ++-- src/probabilistic/Topk.h | 4 +- src/threading/Manager.h | 12 +-- src/threading/MsgThread.h | 6 +- src/threading/formatters/JSON.h | 10 +-- src/util.h | 8 +- 173 files changed, 1052 insertions(+), 1046 deletions(-) diff --git a/src/Anon.h b/src/Anon.h index ce234f4680..4270b88d45 100644 --- a/src/Anon.h +++ b/src/Anon.h @@ -66,7 +66,7 @@ protected: class AnonymizeIPAddr_Seq : public AnonymizeIPAddr { public: AnonymizeIPAddr_Seq() { seq = 1; } - ipaddr32_t anonymize(ipaddr32_t addr); + ipaddr32_t anonymize(ipaddr32_t addr) override; protected: ipaddr32_t seq; @@ -74,12 +74,12 @@ protected: class AnonymizeIPAddr_RandomMD5 : public AnonymizeIPAddr { public: - ipaddr32_t anonymize(ipaddr32_t addr); + ipaddr32_t anonymize(ipaddr32_t addr) override; }; class AnonymizeIPAddr_PrefixMD5 : public AnonymizeIPAddr { public: - ipaddr32_t anonymize(ipaddr32_t addr); + ipaddr32_t anonymize(ipaddr32_t addr) override; protected: struct anon_prefix { 
@@ -91,10 +91,10 @@ protected: class AnonymizeIPAddr_A50 : public AnonymizeIPAddr { public: AnonymizeIPAddr_A50() { init(); } - ~AnonymizeIPAddr_A50(); + ~AnonymizeIPAddr_A50() override; - ipaddr32_t anonymize(ipaddr32_t addr); - int PreservePrefix(ipaddr32_t input, int num_bits); + ipaddr32_t anonymize(ipaddr32_t addr) override; + int PreservePrefix(ipaddr32_t input, int num_bits) override; protected: struct Node { diff --git a/src/Attr.h b/src/Attr.h index 0960a9d5f9..bfb7c4803c 100644 --- a/src/Attr.h +++ b/src/Attr.h @@ -40,8 +40,8 @@ typedef enum { class Attr : public BroObj { public: - Attr(attr_tag t, Expr* e = 0); - ~Attr(); + explicit Attr(attr_tag t, Expr* e = 0); + ~Attr() override; attr_tag Tag() const { return tag; } Expr* AttrExpr() const { return expr; } @@ -56,7 +56,7 @@ public: int RedundantAttrOkay() const { return tag == ATTR_REDEF || tag == ATTR_OPTIONAL; } - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; void DescribeReST(ODesc* d) const; bool operator==(const Attr& other) const @@ -84,7 +84,7 @@ protected: class Attributes : public BroObj { public: Attributes(attr_list* a, BroType* t, bool in_record); - ~Attributes(); + ~Attributes() override; void AddAttr(Attr* a); void AddAttrs(Attributes* a); // Unref's 'a' when done diff --git a/src/Base64.h b/src/Base64.h index fb030915ef..b1f5200cd6 100644 --- a/src/Base64.h +++ b/src/Base64.h @@ -18,7 +18,7 @@ public: // encode_base64()), encoding-errors will go to Reporter instead of // Weird. Usage errors go to Reporter in any case. Empty alphabet // indicates the default base64 alphabet. - Base64Converter(Connection* conn, const string& alphabet = ""); + explicit Base64Converter(Connection* conn, const string& alphabet = ""); ~Base64Converter(); // A note on Decode(): diff --git a/src/BroString.h b/src/BroString.h index 9afd40e5d7..cad03e83d8 100644 --- a/src/BroString.h +++ b/src/BroString.h 
@@ -36,8 +36,8 @@ public: // Constructors creating internal copies of the data passed in. BroString(const u_char* str, int arg_n, int add_NUL); - BroString(const char* str); - BroString(const string& str); + explicit BroString(const char* str); + explicit BroString(const string& str); BroString(const BroString& bs); // Constructor that takes owernship of the vector passed in. @@ -158,7 +158,7 @@ protected: // class BroStringLenCmp { public: - BroStringLenCmp(bool increasing = true) { _increasing = increasing; } + explicit BroStringLenCmp(bool increasing = true) { _increasing = increasing; } bool operator()(BroString*const& bst1, BroString*const& bst2); private: diff --git a/src/ChunkedIO.h b/src/ChunkedIO.h index de3e143b66..e9b41476df 100644 --- a/src/ChunkedIO.h +++ b/src/ChunkedIO.h @@ -167,21 +167,21 @@ public: // messages, and pid gives a pid to monitor (if the process dies, we // return EOF). ChunkedIOFd(int fd, const char* tag, pid_t pid = 0); - virtual ~ChunkedIOFd(); + ~ChunkedIOFd() override; - virtual bool Read(Chunk** chunk, bool may_block = false); - virtual bool Write(Chunk* chunk); - virtual bool Flush(); - virtual const char* Error(); - virtual bool CanRead(); - virtual bool CanWrite(); - virtual bool IsIdle(); - virtual bool IsFillingUp(); - virtual void Clear(); - virtual bool Eof() { return eof; } - virtual int Fd() { return fd; } - virtual iosource::FD_Set ExtraReadFDs() const; - virtual void Stats(char* buffer, int length); + bool Read(Chunk** chunk, bool may_block = false) override; + bool Write(Chunk* chunk) override; + bool Flush() override; + const char* Error() override; + bool CanRead() override; + bool CanWrite() override; + bool IsIdle() override; + bool IsFillingUp() override; + void Clear() override; + bool Eof() override { return eof; } + int Fd() override { return fd; } + iosource::FD_Set ExtraReadFDs() const override; + void Stats(char* buffer, int length) override; private: 
@@ -252,22 +252,22 @@ public: // Argument is an open socket and a flag indicating whether we are the // server side of the connection. ChunkedIOSSL(int socket, bool server); - virtual ~ChunkedIOSSL(); + ~ChunkedIOSSL() override; - virtual bool Init(); - virtual bool Read(Chunk** chunk, bool mayblock = false); - virtual bool Write(Chunk* chunk); - virtual bool Flush(); - virtual const char* Error(); - virtual bool CanRead(); - virtual bool CanWrite(); - virtual bool IsIdle(); - virtual bool IsFillingUp(); - virtual void Clear(); - virtual bool Eof() { return eof; } - virtual int Fd() { return socket; } - virtual iosource::FD_Set ExtraReadFDs() const; - virtual void Stats(char* buffer, int length); + bool Init() override; + bool Read(Chunk** chunk, bool mayblock = false) override; + bool Write(Chunk* chunk) override; + bool Flush() override; + const char* Error() override; + bool CanRead() override; + bool CanWrite() override; + bool IsIdle() override; + bool IsFillingUp() override; + void Clear() override; + bool Eof() override { return eof; } + int Fd() override { return socket; } + iosource::FD_Set ExtraReadFDs() const override; + void Stats(char* buffer, int length) override; private: 
@@ -315,27 +315,27 @@ private: // Wrapper class around a another ChunkedIO which the (un-)compresses data. class CompressedChunkedIO : public ChunkedIO { public: - CompressedChunkedIO(ChunkedIO* arg_io) // takes ownership + explicit CompressedChunkedIO(ChunkedIO* arg_io) // takes ownership : io(arg_io), zin(), zout(), error(), compress(), uncompress(), uncompressed_bytes_read(), uncompressed_bytes_written() {} - virtual ~CompressedChunkedIO() { delete io; } + ~CompressedChunkedIO() override { delete io; } - virtual bool Init(); // does *not* call arg_io->Init() - virtual bool Read(Chunk** chunk, bool may_block = false); - virtual bool Write(Chunk* chunk); - virtual bool Flush() { return io->Flush(); } - virtual const char* Error() { return error ? error : io->Error(); } - virtual bool CanRead() { return io->CanRead(); } - virtual bool CanWrite() { return io->CanWrite(); } - virtual bool IsIdle() { return io->IsIdle(); } - virtual bool IsFillingUp() { return io->IsFillingUp(); } - virtual void Clear() { return io->Clear(); } + bool Init() override; // does *not* call arg_io->Init() + bool Read(Chunk** chunk, bool may_block = false) override; + bool Write(Chunk* chunk) override; + bool Flush() override { return io->Flush(); } + const char* Error() override { return error ? 
error : io->Error(); } + bool CanRead() override { return io->CanRead(); } + bool CanWrite() override { return io->CanWrite(); } + bool IsIdle() override { return io->IsIdle(); } + bool IsFillingUp() override { return io->IsFillingUp(); } + void Clear() override { return io->Clear(); } + bool Eof() override { return io->Eof(); } - virtual bool Eof() { return io->Eof(); } - virtual int Fd() { return io->Fd(); } - virtual iosource::FD_Set ExtraReadFDs() const + int Fd() override { return io->Fd(); } + iosource::FD_Set ExtraReadFDs() const override { return io->ExtraReadFDs(); } - virtual void Stats(char* buffer, int length); + void Stats(char* buffer, int length) override; void EnableCompression(int level) { deflateInit(&zout, level); compress = true; } diff --git a/src/CompHash.h b/src/CompHash.h index 1a02114358..532b2781ae 100644 --- a/src/CompHash.h +++ b/src/CompHash.h @@ -10,7 +10,7 @@ class ListVal; class CompositeHash { public: - CompositeHash(TypeList* composite_type); + explicit CompositeHash(TypeList* composite_type); ~CompositeHash(); // Compute the hash corresponding to the given index val, diff --git a/src/Conn.h b/src/Conn.h index b58ed0c2b8..db0cb2fe55 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -57,7 +57,7 @@ class Connection : public BroObj { public: Connection(NetSessions* s, HashKey* k, double t, const ConnID* id, uint32 flow, const Packet* pkt, const EncapsulationStack* arg_encap); - virtual ~Connection(); + ~Connection() override; // Invoked when an encapsulation is discovered. It records the // encapsulation with the connection and raises a "tunnel_changed" @@ -252,7 +252,7 @@ public: // Sets the transport protocol in use. void SetTransport(TransportProto arg_proto) { proto = arg_proto; } - void SetUID(Bro::UID arg_uid) { uid = arg_uid; } + void SetUID(const Bro::UID &arg_uid) { uid = arg_uid; } Bro::UID GetUID() const { return uid; } 
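Review bot: `CompressedChunkedIO` takes ownership of `arg_io` and its destructor runs `delete io`, but nothing in the `@@ -315,27 +315,27 @@` hunk stops the wrapper from being copied, and two copies would delete the same `ChunkedIO`. While the constructor is being made `explicit`, it would be cheap to add `CompressedChunkedIO(const CompressedChunkedIO&) = delete;` and `CompressedChunkedIO& operator=(const CompressedChunkedIO&) = delete;` alongside it. The class body continues past the hunk and the `ChunkedIO` base is not shown, so this applies only if copying is not already disabled there.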
@@ -336,7 +336,7 @@ public: double arg_t, int arg_do_expire, TimerType arg_type) : Timer(arg_t, arg_type) { Init(arg_conn, arg_timer, arg_do_expire); } - virtual ~ConnectionTimer(); + ~ConnectionTimer() override; void Dispatch(double t, int is_expire) override; diff --git a/src/DFA.h b/src/DFA.h index 8af4907da1..2f06f4e98f 100644 --- a/src/DFA.h +++ b/src/DFA.h @@ -23,7 +23,7 @@ class DFA_State : public BroObj { public: DFA_State(int state_num, const EquivClass* ec, NFA_state_list* nfa_states, AcceptingSet* accept); - ~DFA_State(); + ~DFA_State() override; int StateNum() const { return state_num; } int NFAStateNum() const { return nfa_states->length(); } @@ -44,7 +44,7 @@ public: // Returns the equivalence classes of ec's corresponding to this state. const EquivClass* MetaECs() const { return meta_ec; } - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; void Dump(FILE* f, DFA_Machine* m); void Stats(unsigned int* computed, unsigned int* uncomputed); unsigned int Size(); @@ -117,7 +117,7 @@ typedef PList(DFA_State) DFA_state_list; class DFA_Machine : public BroObj { public: DFA_Machine(NFA_Machine* n, EquivClass* ec); - ~DFA_Machine(); + ~DFA_Machine() override; DFA_State* StartState() const { return start_state; } @@ -127,7 +127,7 @@ public: int Rep(int sym); - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; void Dump(FILE* f); unsigned int MemoryAllocation() const; diff --git a/src/DNS_Mgr.cc b/src/DNS_Mgr.cc index 7040b9a882..7f651b5fdd 100644 --- a/src/DNS_Mgr.cc +++ b/src/DNS_Mgr.cc @@ -112,7 +112,7 @@ public: IPAddr ReqAddr() const { return req_addr; } string ReqStr() const { - return req_host ? req_host : req_addr; + return req_host ? req_host : req_addr.AsString(); } ListVal* Addrs(); diff --git a/src/DNS_Mgr.h b/src/DNS_Mgr.h index d8f420e6cc..0358ceba18 100644 --- a/src/DNS_Mgr.h +++ b/src/DNS_Mgr.h 
@@ -42,8 +42,8 @@ enum DNS_MgrMode { class DNS_Mgr : public iosource::IOSource { public: - DNS_Mgr(DNS_MgrMode mode); - virtual ~DNS_Mgr(); + explicit DNS_Mgr(DNS_MgrMode mode); + ~DNS_Mgr() override; void InitPostScript(); void Flush(); @@ -132,11 +132,11 @@ protected: void DoProcess(bool flush); // IOSource interface. - virtual void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, - iosource::FD_Set* except); - virtual double NextTimestamp(double* network_time); - virtual void Process(); - virtual const char* Tag() { return "DNS_Mgr"; } + void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, + iosource::FD_Set* except) override; + double NextTimestamp(double* network_time) override; + void Process() override; + const char* Tag() override { return "DNS_Mgr"; } DNS_MgrMode mode; diff --git a/src/DbgWatch.h b/src/DbgWatch.h index e3359f53ad..3722d10e69 100644 --- a/src/DbgWatch.h +++ b/src/DbgWatch.h @@ -7,8 +7,8 @@ class DbgWatch { public: - DbgWatch(BroObj* var_to_watch); - DbgWatch(Expr* expr_to_watch); + explicit DbgWatch(BroObj* var_to_watch); + explicit DbgWatch(Expr* expr_to_watch); ~DbgWatch(); protected: diff --git a/src/Desc.h b/src/Desc.h index fb56aad9ea..8f7ae53ac4 100644 --- a/src/Desc.h +++ b/src/Desc.h @@ -27,7 +27,7 @@ class BroType; class ODesc { public: - ODesc(desc_type t=DESC_READABLE, BroFile* f=0); + explicit ODesc(desc_type t=DESC_READABLE, BroFile* f=0); ~ODesc(); diff --git a/src/Dict.h b/src/Dict.h index 8a0b6b4f3d..a929319450 100644 --- a/src/Dict.h +++ b/src/Dict.h @@ -29,7 +29,7 @@ extern void generic_delete_func(void*); class Dictionary { public: - Dictionary(dict_order ordering = UNORDERED, + explicit Dictionary(dict_order ordering = UNORDERED, int initial_size = DEFAULT_DICT_SIZE); virtual ~Dictionary(); 
@@ -141,8 +141,8 @@ private: int NextPrime(int n) const; int IsPrime(int n) const; void StartChangeSize(int new_size); - void FinishChangeSize(void); - void MoveChains(void); + void FinishChangeSize(); + void MoveChains(); // The following get and set the "density" threshold - if the // average hash chain length exceeds this threshold, the @@ -195,7 +195,7 @@ private: #define PDictdeclare(type) \ class PDict(type) : public Dictionary { \ public: \ - PDict(type)(dict_order ordering = UNORDERED, \ + explicit PDict(type)(dict_order ordering = UNORDERED, \ int initial_size = DEFAULT_DICT_SIZE) : \ Dictionary(ordering, initial_size) {} \ type* Lookup(const char* key) const \ diff --git a/src/EquivClass.h b/src/EquivClass.h index e5193cde47..7ac5931326 100644 --- a/src/EquivClass.h +++ b/src/EquivClass.h @@ -9,7 +9,7 @@ class EquivClass { public: - EquivClass(int size); + explicit EquivClass(int size); ~EquivClass(); void UniqueChar(int sym); diff --git a/src/Event.h b/src/Event.h index 1b76928f10..d81a7717eb 100644 --- a/src/Event.h +++ b/src/Event.h @@ -16,7 +16,7 @@ public: Event(EventHandlerPtr handler, val_list* args, SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, TimerMgr* mgr = 0, BroObj* obj = 0); - ~Event(); + ~Event() override; void SetNext(Event* n) { next_event = n; } Event* NextEvent() const { return next_event; } @@ -27,7 +27,7 @@ public: EventHandlerPtr Handler() const { return handler; } val_list* Args() const { return args; } - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; protected: friend class EventMgr; @@ -78,9 +78,9 @@ extern uint64 num_events_dispatched; class EventMgr : public BroObj { public: EventMgr(); - ~EventMgr(); + ~EventMgr() override; - void QueueEvent(EventHandlerPtr h, val_list* vl, + void QueueEvent(const EventHandlerPtr &h, val_list* vl, SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, TimerMgr* mgr = 0, BroObj* obj = 0) { 
@@ -118,7 +118,7 @@ public: // Returns a peer record describing the local Bro. RecordVal* GetLocalPeerVal(); - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; protected: void QueueEvent(Event* event); diff --git a/src/EventHandler.h b/src/EventHandler.h index 6006f2e48e..af5d561a46 100644 --- a/src/EventHandler.h +++ b/src/EventHandler.h @@ -17,7 +17,7 @@ class UnserialInfo; class EventHandler { public: - EventHandler(const char* name); + explicit EventHandler(const char* name); ~EventHandler(); const char* Name() { return name; } @@ -44,7 +44,7 @@ public: void Call(val_list* vl, bool no_remote = false); // Returns true if there is at least one local or remote handler. - operator bool() const; + explicit operator bool() const; void SetUsed() { used = true; } bool Used() { return used; } diff --git a/src/Expr.h b/src/Expr.h index fb533b1469..d50506f493 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -63,7 +63,7 @@ public: BroType* Type() const { return type; } BroExprTag Tag() const { return tag; } - virtual ~Expr(); + ~Expr() override; Expr* Ref() { ::Ref(this); return this; } @@ -182,7 +182,7 @@ public: return (AssignExpr*) this; } - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; bool Serialize(SerialInfo* info) const; static Expr* Unserialize(UnserialInfo* info, BroExprTag want = EXPR_ANY); @@ -191,7 +191,7 @@ public: protected: Expr() { type = 0; } - Expr(BroExprTag arg_tag); + explicit Expr(BroExprTag arg_tag); virtual void ExprDescribe(ODesc* d) const = 0; void AddTag(ODesc* d) const; @@ -215,8 +215,8 @@ protected: class NameExpr : public Expr { public: - NameExpr(ID* id, bool const_init = false); - ~NameExpr(); + explicit NameExpr(ID* id, bool const_init = false); + ~NameExpr() override; ID* Id() const { return id; } 
@@ -241,8 +241,8 @@ protected: class ConstExpr : public Expr { public: - ConstExpr(Val* val); - ~ConstExpr(); + explicit ConstExpr(Val* val); + ~ConstExpr() override; Val* Value() const { return val; } @@ -278,7 +278,7 @@ protected: UnaryExpr() { op = 0; } UnaryExpr(BroExprTag arg_tag, Expr* arg_op); - virtual ~UnaryExpr(); + ~UnaryExpr() override; void ExprDescribe(ODesc* d) const override; @@ -316,7 +316,7 @@ protected: if ( op1->IsError() || op2->IsError() ) SetError(); } - virtual ~BinaryExpr(); + ~BinaryExpr() override; // Returns the expression folded using the given constants. virtual Val* Fold(Val* v1, Val* v2) const; @@ -350,7 +350,7 @@ protected: class CloneExpr : public UnaryExpr { public: - CloneExpr(Expr* op); + explicit CloneExpr(Expr* op); Val* Eval(Frame* f) const override; protected: @@ -379,7 +379,7 @@ protected: class NotExpr : public UnaryExpr { public: - NotExpr(Expr* op); + explicit NotExpr(Expr* op); protected: friend class Expr; @@ -392,7 +392,7 @@ protected: class PosExpr : public UnaryExpr { public: - PosExpr(Expr* op); + explicit PosExpr(Expr* op); protected: friend class Expr; @@ -405,7 +405,7 @@ protected: class NegExpr : public UnaryExpr { public: - NegExpr(Expr* op); + explicit NegExpr(Expr* op); protected: friend class Expr; @@ -418,7 +418,7 @@ protected: class SizeExpr : public UnaryExpr { public: - SizeExpr(Expr* op); + explicit SizeExpr(Expr* op); Val* Eval(Frame* f) const override; protected: @@ -559,7 +559,7 @@ protected: class CondExpr : public Expr { public: CondExpr(Expr* op1, Expr* op2, Expr* op3); - ~CondExpr(); + ~CondExpr() override; const Expr* Op1() const { return op1; } const Expr* Op2() const { return op2; } @@ -585,7 +585,7 @@ protected: class RefExpr : public UnaryExpr { public: - RefExpr(Expr* op); + explicit RefExpr(Expr* op); void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN) override; Expr* MakeLvalue() override; 
@@ -602,7 +602,7 @@ public: // If val is given, evaluating this expression will always yield the val // yet still perform the assignment. Used for triggers. AssignExpr(Expr* op1, Expr* op2, int is_init, Val* val = 0, attr_list* attrs = 0); - virtual ~AssignExpr() { Unref(val); } + ~AssignExpr() override { Unref(val); } Val* Eval(Frame* f) const override; void EvalIntoAggregate(const BroType* t, Val* aggr, Frame* f) const override; @@ -657,7 +657,7 @@ protected: class FieldExpr : public UnaryExpr { public: FieldExpr(Expr* op, const char* field_name); - ~FieldExpr(); + ~FieldExpr() override; int Field() const { return field; } const char* FieldName() const { return field_name; } @@ -689,7 +689,7 @@ protected: class HasFieldExpr : public UnaryExpr { public: HasFieldExpr(Expr* op, const char* field_name); - ~HasFieldExpr(); + ~HasFieldExpr() override; const char* FieldName() const { return field_name; } @@ -709,8 +709,8 @@ protected: class RecordConstructorExpr : public UnaryExpr { public: - RecordConstructorExpr(ListExpr* constructor_list); - ~RecordConstructorExpr(); + explicit RecordConstructorExpr(ListExpr* constructor_list); + ~RecordConstructorExpr() override; protected: friend class Expr; @@ -728,7 +728,7 @@ class TableConstructorExpr : public UnaryExpr { public: TableConstructorExpr(ListExpr* constructor_list, attr_list* attrs, BroType* arg_type = 0); - ~TableConstructorExpr() { Unref(attrs); } + ~TableConstructorExpr() override { Unref(attrs); } Attributes* Attrs() { return attrs; } @@ -751,7 +751,7 @@ class SetConstructorExpr : public UnaryExpr { public: SetConstructorExpr(ListExpr* constructor_list, attr_list* attrs, BroType* arg_type = 0); - ~SetConstructorExpr() { Unref(attrs); } + ~SetConstructorExpr() override { Unref(attrs); } Attributes* Attrs() { return attrs; } 
@@ -772,7 +772,7 @@ protected: class VectorConstructorExpr : public UnaryExpr { public: - VectorConstructorExpr(ListExpr* constructor_list, BroType* arg_type = 0); + explicit VectorConstructorExpr(ListExpr* constructor_list, BroType* arg_type = 0); Val* Eval(Frame* f) const override; @@ -824,7 +824,7 @@ protected: class RecordCoerceExpr : public UnaryExpr { public: RecordCoerceExpr(Expr* op, RecordType* r); - ~RecordCoerceExpr(); + ~RecordCoerceExpr() override; protected: friend class Expr; @@ -844,7 +844,7 @@ protected: class TableCoerceExpr : public UnaryExpr { public: TableCoerceExpr(Expr* op, TableType* r); - ~TableCoerceExpr(); + ~TableCoerceExpr() override; protected: friend class Expr; @@ -858,7 +858,7 @@ protected: class VectorCoerceExpr : public UnaryExpr { public: VectorCoerceExpr(Expr* op, VectorType* v); - ~VectorCoerceExpr(); + ~VectorCoerceExpr() override; protected: friend class Expr; @@ -873,7 +873,7 @@ protected: // into a list of individual values. class FlattenExpr : public UnaryExpr { public: - FlattenExpr(Expr* op); + explicit FlattenExpr(Expr* op); protected: friend class Expr; @@ -892,9 +892,9 @@ class ScheduleTimer : public Timer { public: ScheduleTimer(EventHandlerPtr event, val_list* args, double t, TimerMgr* tmgr); - ~ScheduleTimer(); + ~ScheduleTimer() override; - void Dispatch(double t, int is_expire); + void Dispatch(double t, int is_expire) override; protected: EventHandlerPtr event; @@ -905,7 +905,7 @@ protected: class ScheduleExpr : public Expr { public: ScheduleExpr(Expr* when, EventExpr* event); - ~ScheduleExpr(); + ~ScheduleExpr() override; int IsPure() const override; @@ -945,7 +945,7 @@ protected: class CallExpr : public Expr { public: CallExpr(Expr* func, ListExpr* args, bool in_hook = false); - ~CallExpr(); + ~CallExpr() override; Expr* Func() const { return func; } ListExpr* Args() const { return args; } 
@@ -971,7 +971,7 @@ protected: class EventExpr : public Expr { public: EventExpr(const char* name, ListExpr* args); - ~EventExpr(); + ~EventExpr() override; const char* Name() const { return name.c_str(); } ListExpr* Args() const { return args; } @@ -997,8 +997,8 @@ protected: class ListExpr : public Expr { public: ListExpr(); - ListExpr(Expr* e); - ~ListExpr(); + explicit ListExpr(Expr* e); + ~ListExpr() override; void Append(Expr* e); diff --git a/src/File.h b/src/File.h index 6410a67624..3660d3caa4 100644 --- a/src/File.h +++ b/src/File.h @@ -22,10 +22,10 @@ class RotateTimer; class BroFile : public BroObj { public: - BroFile(FILE* arg_f); + explicit BroFile(FILE* arg_f); BroFile(FILE* arg_f, const char* filename, const char* access); BroFile(const char* filename, const char* access, BroType* arg_t = 0); - virtual ~BroFile(); + ~BroFile() override; const char* Name() const; diff --git a/src/Frag.h b/src/Frag.h index 7f3a0eec02..4d4ff1cccb 100644 --- a/src/Frag.h +++ b/src/Frag.h @@ -21,7 +21,7 @@ class FragReassembler : public Reassembler { public: FragReassembler(NetSessions* s, const IP_Hdr* ip, const u_char* pkt, HashKey* k, double t); - ~FragReassembler(); + ~FragReassembler() override; void AddFragment(double t, const IP_Hdr* ip, const u_char* pkt); @@ -33,8 +33,8 @@ public: HashKey* Key() const { return key; } protected: - void BlockInserted(DataBlock* start_block); - void Overlap(const u_char* b1, const u_char* b2, uint64 n); + void BlockInserted(DataBlock* start_block) override; + void Overlap(const u_char* b1, const u_char* b2, uint64 n) override; void Weird(const char* name) const; u_char* proto_hdr; @@ -53,9 +53,9 @@ public: FragTimer(FragReassembler* arg_f, double arg_t) : Timer(arg_t, TIMER_FRAG) { f = arg_f; } - ~FragTimer(); + ~FragTimer() override; - void Dispatch(double t, int is_expire); + void Dispatch(double t, int is_expire) override; // Break the association between this timer and its creator. void ClearReassembler() { f = 0; } 
diff --git a/src/Frame.h b/src/Frame.h index 0c22fa0e4e..1469543e10 100644 --- a/src/Frame.h +++ b/src/Frame.h @@ -15,7 +15,7 @@ class CallExpr; class Frame : public BroObj { public: Frame(int size, const BroFunc* func, const val_list *fn_args); - ~Frame(); + ~Frame() override; Val* NthElement(int n) { return frame[n]; } void SetElement(int n, Val* v) @@ -27,7 +27,7 @@ public: void Reset(int startIdx); void Release(); - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; // For which function is this stack frame. const BroFunc* GetFunction() const { return function; } diff --git a/src/Func.h b/src/Func.h index 791f8b7135..1c9e48549b 100644 --- a/src/Func.h +++ b/src/Func.h @@ -22,9 +22,9 @@ public: enum Kind { BRO_FUNC, BUILTIN_FUNC }; - Func(Kind arg_kind); + explicit Func(Kind arg_kind); - virtual ~Func(); + ~Func() override; virtual int IsPure() const = 0; function_flavor Flavor() const { return FType()->Flavor(); } @@ -56,7 +56,7 @@ public: const char* Name() const { return name.c_str(); } void SetName(const char* arg_name) { name = arg_name; } - virtual void Describe(ODesc* d) const = 0; + void Describe(ODesc* d) const override = 0; virtual void DescribeDebug(ODesc* d, const val_list* args) const; // This (un-)serializes only a single body (as given in SerialInfo). @@ -90,7 +90,7 @@ protected: class BroFunc : public Func { public: BroFunc(ID* id, Stmt* body, id_list* inits, int frame_size, int priority); - ~BroFunc(); + ~BroFunc() override; int IsPure() const override; Val* Call(val_list* args, Frame* parent) const override; @@ -116,7 +116,7 @@ typedef Val* (*built_in_func)(Frame* frame, val_list* args); class BuiltinFunc : public Func { public: BuiltinFunc(built_in_func func, const char* name, int is_pure); - ~BuiltinFunc(); + ~BuiltinFunc() override; int IsPure() const override; Val* Call(val_list* args, Frame* parent) const override; diff --git a/src/Hash.h b/src/Hash.h index b8c998f461..922acdc74f 100644 --- a/src/Hash.h 
+++ b/src/Hash.h @@ -20,14 +20,14 @@ typedef enum { class HashKey { public: - HashKey(bro_int_t i); - HashKey(bro_uint_t u); - HashKey(uint32 u); + explicit HashKey(bro_int_t i); + explicit HashKey(bro_uint_t u); + explicit HashKey(uint32 u); HashKey(const uint32 u[], int n); - HashKey(double d); - HashKey(const void* p); - HashKey(const char* s); - HashKey(const BroString* s); + explicit HashKey(double d); + explicit HashKey(const void* p); + explicit HashKey(const char* s); + explicit HashKey(const BroString* s); ~HashKey() { if ( is_our_dynamic ) diff --git a/src/ID.h b/src/ID.h index 177adcdfde..442a13dfcc 100644 --- a/src/ID.h +++ b/src/ID.h @@ -19,7 +19,7 @@ typedef enum { SCOPE_FUNCTION, SCOPE_MODULE, SCOPE_GLOBAL } IDScope; class ID : public BroObj { public: ID(const char* name, IDScope arg_scope, bool arg_is_export); - ~ID(); + ~ID() override; const char* Name() const { return name; } diff --git a/src/IPAddr.h b/src/IPAddr.h index cc7b2baa6e..8ff258a860 100644 --- a/src/IPAddr.h +++ b/src/IPAddr.h @@ -88,7 +88,7 @@ public: * @param s String containing an IP address as either a dotted IPv4 * address or a hex IPv6 address. */ - IPAddr(const BroString& s) + explicit IPAddr(const BroString& s) { Init(s.CheckString()); } diff --git a/src/IntSet.h b/src/IntSet.h index ef58e8b12f..5bbdf88d9b 100644 --- a/src/IntSet.h +++ b/src/IntSet.h @@ -12,7 +12,7 @@ class IntSet { public: // n is a hint for the value of the largest integer. - IntSet(unsigned int n = 1); + explicit IntSet(unsigned int n = 1); ~IntSet(); void Insert(unsigned int i); diff --git a/src/List.h b/src/List.h index bf87ade67d..fcc0274225 100644 --- a/src/List.h +++ b/src/List.h @@ -42,7 +42,7 @@ public: { return padded_sizeof(*this) + pad_size(max_entries * sizeof(ent)); } protected: - BaseList(int = 0); + explicit BaseList(int = 0); BaseList(BaseList&); void insert(ent); // add at head of list 
@@ -102,9 +102,9 @@ protected: #define Listdeclare(type) \ struct List(type) : BaseList \ { \ - List(type)(type ...); \ + explicit List(type)(type ...); \ List(type)() : BaseList(0) {} \ - List(type)(int sz) : BaseList(sz) {} \ + explicit List(type)(int sz) : BaseList(sz) {} \ List(type)(List(type)& l) : BaseList((BaseList&)l) {} \ \ void operator=(List(type)& l) \ @@ -143,9 +143,9 @@ List(type)::List(type)(type e1 ...) : BaseList() \ #define PListdeclare(type) \ struct PList(type) : BaseList \ { \ - PList(type)(type* ...); \ + explicit PList(type)(type* ...); \ PList(type)() : BaseList(0) {} \ - PList(type)(int sz) : BaseList(sz) {} \ + explicit PList(type)(int sz) : BaseList(sz) {} \ PList(type)(PList(type)& l) : BaseList((BaseList&)l) {} \ \ void operator=(PList(type)& l) \ diff --git a/src/NFA.h b/src/NFA.h index 88ce3429c9..560f0930b4 100644 --- a/src/NFA.h +++ b/src/NFA.h @@ -27,8 +27,8 @@ typedef PList(NFA_State) NFA_state_list; class NFA_State : public BroObj { public: NFA_State(int sym, EquivClass* ec); - NFA_State(CCL* ccl); - ~NFA_State(); + explicit NFA_State(CCL* ccl); + ~NFA_State() override; void AddXtion(NFA_State* next_state) { xtions.append(next_state); } NFA_state_list* Transitions() { return &xtions; } @@ -52,7 +52,7 @@ public: NFA_state_list* EpsilonClosure(); - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; void Dump(FILE* f); // Recursivly count all the reachable states. @@ -75,8 +75,8 @@ public: class NFA_Machine : public BroObj { public: - NFA_Machine(NFA_State* first, NFA_State* final = 0); - ~NFA_Machine(); + explicit NFA_Machine(NFA_State* first, NFA_State* final = 0); + ~NFA_Machine() override; NFA_State* FirstState() const { return first_state; } @@ -103,7 +103,7 @@ public: void AppendState(NFA_State* new_state); void AppendMachine(NFA_Machine* new_mach); - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; void Dump(FILE* f); unsigned int MemoryAllocation() const 
diff --git a/src/OSFinger.h b/src/OSFinger.h index 2f0dde976b..b7c731900c 100644 --- a/src/OSFinger.h +++ b/src/OSFinger.h @@ -81,7 +81,7 @@ enum FingerprintMode { class OSFingerprint { public: - OSFingerprint(FingerprintMode mode); + explicit OSFingerprint(FingerprintMode mode); ~OSFingerprint() {} bool Error() const { return err; } diff --git a/src/Obj.h b/src/Obj.h index 59a1589afa..047eec0856 100644 --- a/src/Obj.h +++ b/src/Obj.h @@ -36,7 +36,7 @@ public: text = 0; } - virtual ~Location() + ~Location() override { if ( delete_data ) delete [] filename; @@ -112,7 +112,7 @@ public: SetLocationInfo(&start_location, &end_location); } - virtual ~BroObj(); + ~BroObj() override; // Report user warnings/errors. If obj2 is given, then it's // included in the message, though if pinpoint_only is non-zero, diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h index 7954653c6c..61549f414a 100644 --- a/src/OpaqueVal.h +++ b/src/OpaqueVal.h @@ -23,7 +23,8 @@ public: protected: HashVal() { }; - HashVal(OpaqueType* t); + explicit HashVal(OpaqueType* t); + virtual bool DoInit(); virtual bool DoFeed(const void* data, size_t size); virtual StringVal* DoGet(); @@ -48,9 +49,9 @@ public: protected: friend class Val; - virtual bool DoInit() override; - virtual bool DoFeed(const void* data, size_t size) override; - virtual StringVal* DoGet() override; + bool DoInit() override; + bool DoFeed(const void* data, size_t size) override; + StringVal* DoGet() override; DECLARE_SERIAL(MD5Val); @@ -67,9 +68,9 @@ public: protected: friend class Val; - virtual bool DoInit() override; - virtual bool DoFeed(const void* data, size_t size) override; - virtual StringVal* DoGet() override; + bool DoInit() override; + bool DoFeed(const void* data, size_t size) override; + StringVal* DoGet() override; DECLARE_SERIAL(SHA1Val); 
@@ -86,9 +87,9 @@ public: protected: friend class Val; - virtual bool DoInit() override; - virtual bool DoFeed(const void* data, size_t size) override; - virtual StringVal* DoGet() override; + bool DoInit() override; + bool DoFeed(const void* data, size_t size) override; + StringVal* DoGet() override; DECLARE_SERIAL(SHA256Val); @@ -116,7 +117,7 @@ private: class BloomFilterVal : public OpaqueVal { public: explicit BloomFilterVal(probabilistic::BloomFilter* bf); - virtual ~BloomFilterVal(); + ~BloomFilterVal() override; BroType* Type() const; bool Typify(BroType* type); @@ -133,7 +134,7 @@ public: protected: friend class Val; BloomFilterVal(); - BloomFilterVal(OpaqueType* t); + explicit BloomFilterVal(OpaqueType* t); DECLARE_SERIAL(BloomFilterVal); @@ -151,7 +152,7 @@ private: class CardinalityVal: public OpaqueVal { public: explicit CardinalityVal(probabilistic::CardinalityCounter*); - virtual ~CardinalityVal(); + ~CardinalityVal() override; void Add(const Val* val); diff --git a/src/PacketDumper.h b/src/PacketDumper.h index baace47876..080d9af724 100644 --- a/src/PacketDumper.h +++ b/src/PacketDumper.h @@ -12,7 +12,7 @@ using namespace std; class PacketDumper { public: - PacketDumper(pcap_dumper_t* pkt_dump); + explicit PacketDumper(pcap_dumper_t* pkt_dump); void DumpPacket(const struct pcap_pkthdr* hdr, const u_char* pkt, int len); diff --git a/src/PacketFilter.h b/src/PacketFilter.h index 3d7a3aa3be..6369a84323 100644 --- a/src/PacketFilter.h +++ b/src/PacketFilter.h @@ -8,7 +8,7 @@ class PacketFilter { public: - PacketFilter(bool arg_default) { default_match = arg_default; } + explicit PacketFilter(bool arg_default) { default_match = arg_default; } ~PacketFilter() {} // Drops all packets from a particular source (which may be given diff --git a/src/PersistenceSerializer.h b/src/PersistenceSerializer.h index 7274e60569..99d8da88c4 100644 --- a/src/PersistenceSerializer.h +++ b/src/PersistenceSerializer.h 
@@ -11,7 +11,8 @@ class StateAccess; class PersistenceSerializer : public FileSerializer { public: PersistenceSerializer(); - virtual ~PersistenceSerializer(); + + ~PersistenceSerializer() override; // Define the directory where to store the data. void SetDir(const char* arg_dir) { dir = copy_string(arg_dir); } @@ -59,15 +60,15 @@ protected: friend class RemoteSerializer; friend class IncrementalWriteTimer; - virtual void GotID(ID* id, Val* val); - virtual void GotEvent(const char* name, double time, - EventHandlerPtr event, val_list* args); - virtual void GotFunctionCall(const char* name, double time, - Func* func, val_list* args) ; - virtual void GotStateAccess(StateAccess* s); - virtual void GotTimer(Timer* t); - virtual void GotConnection(Connection* c); - virtual void GotPacket(Packet* packet); + void GotID(ID* id, Val* val) override; + void GotEvent(const char* name, double time, + EventHandlerPtr event, val_list* args) override; + void GotFunctionCall(const char* name, double time, + Func* func, val_list* args) override; + void GotStateAccess(StateAccess* s) override; + void GotTimer(Timer* t) override; + void GotConnection(Connection* c) override; + void GotPacket(Packet* packet) override; // If file has changed since last check, read it. bool CheckForFile(UnserialInfo* info, const char* file, diff --git a/src/Pipe.h b/src/Pipe.h index 77b341117e..05153bfd4d 100644 --- a/src/Pipe.h +++ b/src/Pipe.h @@ -15,7 +15,7 @@ public: * @param status_flags0 descriptor status flags to set on read end of pipe. * @param status_flags1 descriptor status flags to set on write end of pipe. */ - Pipe(int flags0 = 0, int flags1 = 0, int status_flags0 = 0, + explicit Pipe(int flags0 = 0, int flags1 = 0, int status_flags0 = 0, int status_flags1 = 0); /** diff --git a/src/PriorityQueue.h b/src/PriorityQueue.h index 6fe36f43fe..e1700f5b38 100644 --- a/src/PriorityQueue.h +++ b/src/PriorityQueue.h 
@@ -10,7 +10,7 @@ class PriorityQueue; class PQ_Element { public: - PQ_Element(double t) { time = t; offset = -1; } + explicit PQ_Element(double t) { time = t; offset = -1; } virtual ~PQ_Element() { } double Time() const { return time; } @@ -28,7 +28,7 @@ protected: class PriorityQueue { public: - PriorityQueue(int initial_size = 16); + explicit PriorityQueue(int initial_size = 16); ~PriorityQueue(); // Returns the top of queue, or nil if the queue is empty. diff --git a/src/Queue.h b/src/Queue.h index c9a69ad926..691b5b9908 100644 --- a/src/Queue.h +++ b/src/Queue.h @@ -39,7 +39,7 @@ public: void incr(int& index) { index < max_entries ? ++index : index = 0; } protected: - BaseQueue(int = 0); + explicit BaseQueue(int = 0); void push_front(ent); // add in front of queue void push_back(ent); // add at end of queue @@ -73,7 +73,7 @@ protected: struct Queue(type) : BaseQueue \ { \ Queue(type)() : BaseQueue(0) {} \ - Queue(type)(int sz) : BaseQueue(sz) {} \ + explicit Queue(type)(int sz) : BaseQueue(sz) {} \ \ void push_front(type a) { BaseQueue::push_front(ent(a)); } \ void push_back(type a) { BaseQueue::push_back(ent(a)); } \ @@ -88,7 +88,7 @@ struct Queue(type) : BaseQueue \ struct PQueue(type) : BaseQueue \ { \ PQueue(type)() : BaseQueue(0) {} \ - PQueue(type)(int sz) : BaseQueue(sz) {} \ + explicit PQueue(type)(int sz) : BaseQueue(sz) {} \ \ void push_front(type* a){ BaseQueue::push_front(ent(a)); } \ void push_back(type* a) { BaseQueue::push_back(ent(a)); } \ diff --git a/src/RE.h b/src/RE.h index ad38aeb306..943751fddc 100644 --- a/src/RE.h +++ b/src/RE.h @@ -49,7 +49,7 @@ typedef enum { MATCH_ANYWHERE, MATCH_EXACTLY, } match_type; class Specific_RE_Matcher { public: - Specific_RE_Matcher(match_type mt, int multiline=0); + explicit Specific_RE_Matcher(match_type mt, int multiline=0); ~Specific_RE_Matcher(); void AddPat(const char* pat); 
@@ -133,7 +133,7 @@ protected: class RE_Match_State { public: - RE_Match_State(Specific_RE_Matcher* matcher) + explicit RE_Match_State(Specific_RE_Matcher* matcher) { dfa = matcher->DFA() ? matcher->DFA() : 0; ecs = matcher->EC()->EquivClasses(); @@ -172,8 +172,8 @@ protected: class RE_Matcher : SerialObj { public: RE_Matcher(); - RE_Matcher(const char* pat); - virtual ~RE_Matcher(); + explicit RE_Matcher(const char* pat); + ~RE_Matcher() override; void AddPat(const char* pat); diff --git a/src/Reassem.h b/src/Reassem.h index 6b27d95678..501cd23a18 100644 --- a/src/Reassem.h +++ b/src/Reassem.h @@ -43,7 +43,7 @@ public: class Reassembler : public BroObj { public: Reassembler(uint64 init_seq, ReassemblerType reassem_type = REASSEM_UNKNOWN); - virtual ~Reassembler(); + ~Reassembler() override; void NewBlock(double t, uint64 seq, uint64 len, const u_char* data); @@ -60,7 +60,7 @@ public: uint64 TotalSize() const; // number of bytes buffered up - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; bool Serialize(SerialInfo* info) const; static Reassembler* Unserialize(UnserialInfo* info); diff --git a/src/RemoteSerializer.h b/src/RemoteSerializer.h index 2af7610a7c..28ca495f17 100644 --- a/src/RemoteSerializer.h +++ b/src/RemoteSerializer.h @@ -25,7 +25,7 @@ namespace threading { class RemoteSerializer : public Serializer, public iosource::IOSource { public: RemoteSerializer(); - virtual ~RemoteSerializer(); + ~RemoteSerializer() override; // Initialize the remote serializer (calling this will fork). void Enable(); 
@@ -140,12 +140,12 @@ public: void Finish(); // Overidden from IOSource: - virtual void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, - iosource::FD_Set* except); - virtual double NextTimestamp(double* local_network_time); - virtual void Process(); - virtual TimerMgr::Tag* GetCurrentTag(); - virtual const char* Tag() { return "RemoteSerializer"; } + void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, + iosource::FD_Set* except) override; + double NextTimestamp(double* local_network_time) override; + void Process() override; + TimerMgr::Tag* GetCurrentTag() override; + const char* Tag() override { return "RemoteSerializer"; } // Gracefully finishes communication by first making sure that all // remaining data (parent & child) has been sent out. @@ -246,17 +246,17 @@ protected: static void Log(LogLevel level, const char* msg, Peer* peer, LogSrc src = LogParent); - virtual void ReportError(const char* msg); + void ReportError(const char* msg) override; - virtual void GotEvent(const char* name, double time, - EventHandlerPtr event, val_list* args); - virtual void GotFunctionCall(const char* name, double time, - Func* func, val_list* args); - virtual void GotID(ID* id, Val* val); - virtual void GotStateAccess(StateAccess* s); - virtual void GotTimer(Timer* t); - virtual void GotConnection(Connection* c); - virtual void GotPacket(Packet* packet); + void GotEvent(const char* name, double time, + EventHandlerPtr event, val_list* args) override; + void GotFunctionCall(const char* name, double time, + Func* func, val_list* args) override; + void GotID(ID* id, Val* val) override; + void GotStateAccess(StateAccess* s) override; + void GotTimer(Timer* t) override; + void GotConnection(Connection* c) override; + void GotPacket(Packet* packet) override; void Fork(); diff --git a/src/RuleAction.h b/src/RuleAction.h index 7b5a76fad5..8499065ea0 100644 --- a/src/RuleAction.h +++ b/src/RuleAction.h 
@@ -24,13 +24,13 @@ public: // Implements the "event" keyword. class RuleActionEvent : public RuleAction { public: - RuleActionEvent(const char* arg_msg) { msg = copy_string(arg_msg); } - virtual ~RuleActionEvent() { delete [] msg; } + explicit RuleActionEvent(const char* arg_msg) { msg = copy_string(arg_msg); } + ~RuleActionEvent() override { delete [] msg; } - virtual void DoAction(const Rule* parent, RuleEndpointState* state, - const u_char* data, int len); + void DoAction(const Rule* parent, RuleEndpointState* state, + const u_char* data, int len) override; - virtual void PrintDebug(); + void PrintDebug() override; private: const char* msg; @@ -38,17 +38,17 @@ private: class RuleActionMIME : public RuleAction { public: - RuleActionMIME(const char* arg_mime, int arg_strength = 0) + explicit RuleActionMIME(const char* arg_mime, int arg_strength = 0) { mime = copy_string(arg_mime); strength = arg_strength; } - virtual ~RuleActionMIME() + ~RuleActionMIME() override { delete [] mime; } - virtual void DoAction(const Rule* parent, RuleEndpointState* state, - const u_char* data, int len) + void DoAction(const Rule* parent, RuleEndpointState* state, + const u_char* data, int len) override { } - virtual void PrintDebug(); + void PrintDebug() override; string GetMIME() const { return mime; } @@ -64,12 +64,12 @@ private: // Base class for enable/disable actions. class RuleActionAnalyzer : public RuleAction { public: - RuleActionAnalyzer(const char* analyzer); + explicit RuleActionAnalyzer(const char* analyzer); - virtual void DoAction(const Rule* parent, RuleEndpointState* state, - const u_char* data, int len) = 0; + void DoAction(const Rule* parent, RuleEndpointState* state, + const u_char* data, int len) override = 0; - virtual void PrintDebug(); + void PrintDebug() override; analyzer::Tag Analyzer() const { return analyzer; } analyzer::Tag ChildAnalyzer() const { return child_analyzer; } 
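Review bot: RuleActionEvent (first hunk of src/RuleAction.h) and RuleActionMIME (the next hunk) both release a `copy_string` buffer with `delete []` in the destructors touched here, but neither class as shown declares a copy constructor or copy assignment, so a copied object would free the same buffer twice. Since the patch already relies on C++11 for `override`, copying can be ruled out with `RuleActionEvent(const RuleActionEvent&) = delete;` and `RuleActionEvent& operator=(const RuleActionEvent&) = delete;`, plus the same pair for RuleActionMIME. Whether the RuleAction base already prevents copying is not visible in these hunks and should be checked against its declaration.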
@@ -81,22 +81,22 @@ private: class RuleActionEnable : public RuleActionAnalyzer { public: - RuleActionEnable(const char* analyzer) : RuleActionAnalyzer(analyzer) {} + explicit RuleActionEnable(const char* analyzer) : RuleActionAnalyzer(analyzer) {} - virtual void DoAction(const Rule* parent, RuleEndpointState* state, - const u_char* data, int len); + void DoAction(const Rule* parent, RuleEndpointState* state, + const u_char* data, int len) override; - virtual void PrintDebug(); + void PrintDebug() override; }; class RuleActionDisable : public RuleActionAnalyzer { public: - RuleActionDisable(const char* analyzer) : RuleActionAnalyzer(analyzer) {} + explicit RuleActionDisable(const char* analyzer) : RuleActionAnalyzer(analyzer) {} - virtual void DoAction(const Rule* parent, RuleEndpointState* state, - const u_char* data, int len); + void DoAction(const Rule* parent, RuleEndpointState* state, + const u_char* data, int len) override; - virtual void PrintDebug(); + void PrintDebug() override; }; #endif diff --git a/src/RuleCondition.h b/src/RuleCondition.h index b859930581..4b1fbf6c57 100644 --- a/src/RuleCondition.h +++ b/src/RuleCondition.h @@ -31,15 +31,15 @@ public: STATE_STATELESS = 8 }; - RuleConditionTCPState(int arg_tcpstates) + explicit RuleConditionTCPState(int arg_tcpstates) { tcpstates = arg_tcpstates; } - virtual ~RuleConditionTCPState() { } + ~RuleConditionTCPState() override { } - virtual bool DoMatch(Rule* rule, RuleEndpointState* state, - const u_char* data, int len); + bool DoMatch(Rule* rule, RuleEndpointState* state, + const u_char* data, int len) override; - virtual void PrintDebug(); + void PrintDebug() override; private: int tcpstates; 
@@ -56,13 +56,15 @@ public: OPT_SSRR = 8, }; - RuleConditionIPOptions(int arg_options) { options = arg_options; } - virtual ~RuleConditionIPOptions() { } + explicit RuleConditionIPOptions(int arg_options) { options = arg_options; } - virtual bool DoMatch(Rule* rule, RuleEndpointState* state, - const u_char* data, int len); + ~RuleConditionIPOptions() override + { } - virtual void PrintDebug(); + bool DoMatch(Rule* rule, RuleEndpointState* state, + const u_char* data, int len) override; + + void PrintDebug() override; private: int options; @@ -72,12 +74,12 @@ private: class RuleConditionSameIP : public RuleCondition { public: RuleConditionSameIP() { } - virtual ~RuleConditionSameIP() {} + ~RuleConditionSameIP() override {} - virtual bool DoMatch(Rule* rule, RuleEndpointState* state, - const u_char* data, int len); + bool DoMatch(Rule* rule, RuleEndpointState* state, + const u_char* data, int len) override; - virtual void PrintDebug(); + void PrintDebug() override; }; // Implements "payload-size". @@ -88,12 +90,12 @@ public: RuleConditionPayloadSize(uint32 arg_val, Comp arg_comp) { val = arg_val; comp = arg_comp; } - virtual ~RuleConditionPayloadSize() {} + ~RuleConditionPayloadSize() override {} - virtual bool DoMatch(Rule* rule, RuleEndpointState* state, - const u_char* data, int len); + bool DoMatch(Rule* rule, RuleEndpointState* state, + const u_char* data, int len) override; - virtual void PrintDebug(); + void PrintDebug() override; private: uint32 val; 
@@ -103,13 +105,13 @@ private: // Implements "eval" which evaluates the given Bro identifier. class RuleConditionEval : public RuleCondition { public: - RuleConditionEval(const char* func); - virtual ~RuleConditionEval() {} + explicit RuleConditionEval(const char* func); + ~RuleConditionEval() override {} - virtual bool DoMatch(Rule* rule, RuleEndpointState* state, - const u_char* data, int len); + bool DoMatch(Rule* rule, RuleEndpointState* state, + const u_char* data, int len) override; - virtual void PrintDebug(); + void PrintDebug() override; private: ID* id; }; diff --git a/src/Scope.h b/src/Scope.h index 265d624a66..0e8e81c1a5 100644 --- a/src/Scope.h +++ b/src/Scope.h @@ -19,8 +19,8 @@ declare(PDict,ID); class Scope : public BroObj { public: - Scope(ID* id); - ~Scope(); + explicit Scope(ID* id); + ~Scope() override; ID* Lookup(const char* name) const { return local->Lookup(name); } void Insert(const char* name, ID* id) { local->Insert(name, id); } @@ -47,7 +47,7 @@ public: // Adds a variable to the list. void AddInit(ID* id) { inits->append(id); } - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; TraversalCode Traverse(TraversalCallback* cb) const; diff --git a/src/SerialObj.h b/src/SerialObj.h index ca661db8af..77dc28aefd 100644 --- a/src/SerialObj.h +++ b/src/SerialObj.h 
@@ -163,16 +163,16 @@ public: // Macro helpers. #define DECLARE_ABSTRACT_SERIAL(classname) \ - virtual bool DoSerialize(SerialInfo*) const; \ - virtual bool DoUnserialize(UnserialInfo*); \ + bool DoSerialize(SerialInfo*) const override; \ + bool DoUnserialize(UnserialInfo*) override; \ #define DECLARE_SERIAL(classname) \ static classname* Instantiate(); \ static SerialTypeRegistrator register_type; \ - virtual bool DoSerialize(SerialInfo*) const override; \ - virtual bool DoUnserialize(UnserialInfo*) override; \ - virtual const TransientID* GetTID() const override { return &tid; } \ - virtual SerialType GetSerialType() const override; \ + bool DoSerialize(SerialInfo*) const override; \ + bool DoUnserialize(UnserialInfo*) override; \ + const TransientID* GetTID() const override { return &tid; } \ + SerialType GetSerialType() const override; \ TransientID tid; // Only needed (and usable) for non-abstract classes. diff --git a/src/SerializationFormat.h b/src/SerializationFormat.h index 3a6a578653..1248b7f74b 100644 --- a/src/SerializationFormat.h +++ b/src/SerializationFormat.h 
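Review bot: The rewritten DECLARE_ABSTRACT_SERIAL in src/SerialObj.h still ends its last line with a continuation backslash (`bool DoUnserialize(UnserialInfo*) override; \`), so the macro silently absorbs whatever line follows it. Dropping the trailing `\` on that line removes the dependency on the next line staying blank. With `override` now inside both macros, a class that uses them without a base declaring matching virtual DoSerialize/DoUnserialize no longer compiles. A one-line comment under `// Macro helpers.` would make that requirement explicit, for example `// Both macros expand to override declarations; the enclosing class must derive from a class that declares these virtuals.`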
@@ -98,40 +98,40 @@ protected: class BinarySerializationFormat : public SerializationFormat { public: BinarySerializationFormat(); - virtual ~BinarySerializationFormat(); + ~BinarySerializationFormat() override; - virtual bool Read(int* v, const char* tag); - virtual bool Read(uint16* v, const char* tag); - virtual bool Read(uint32* v, const char* tag); - virtual bool Read(int64* v, const char* tag); - virtual bool Read(uint64* v, const char* tag); - virtual bool Read(char* v, const char* tag); - virtual bool Read(bool* v, const char* tag); - virtual bool Read(double* d, const char* tag); - virtual bool Read(char** str, int* len, const char* tag); - virtual bool Read(string* s, const char* tag); - virtual bool Read(IPAddr* addr, const char* tag); - virtual bool Read(IPPrefix* prefix, const char* tag); - virtual bool Read(struct in_addr* addr, const char* tag); - virtual bool Read(struct in6_addr* addr, const char* tag); - virtual bool Write(int v, const char* tag); - virtual bool Write(uint16 v, const char* tag); - virtual bool Write(uint32 v, const char* tag); - virtual bool Write(int64 v, const char* tag); - virtual bool Write(uint64 v, const char* tag); - virtual bool Write(char v, const char* tag); - virtual bool Write(bool v, const char* tag); - virtual bool Write(double d, const char* tag); - virtual bool Write(const char* s, const char* tag); - virtual bool Write(const char* buf, int len, const char* tag); - virtual bool Write(const string& s, const char* tag); - virtual bool Write(const IPAddr& addr, const char* tag); - virtual bool Write(const IPPrefix& prefix, const char* tag); - virtual bool Write(const struct in_addr& addr, const char* tag); - virtual bool Write(const struct in6_addr& addr, const char* tag); - virtual bool WriteOpenTag(const char* tag); - virtual bool WriteCloseTag(const char* tag); - virtual bool WriteSeparator(); + bool Read(int* v, const char* tag) override; + bool Read(uint16* v, const char* tag) override; + bool Read(uint32* v, 
const char* tag) override; + bool Read(int64* v, const char* tag) override; + bool Read(uint64* v, const char* tag) override; + bool Read(char* v, const char* tag) override; + bool Read(bool* v, const char* tag) override; + bool Read(double* d, const char* tag) override; + bool Read(char** str, int* len, const char* tag) override; + bool Read(string* s, const char* tag) override; + bool Read(IPAddr* addr, const char* tag) override; + bool Read(IPPrefix* prefix, const char* tag) override; + bool Read(struct in_addr* addr, const char* tag) override; + bool Read(struct in6_addr* addr, const char* tag) override; + bool Write(int v, const char* tag) override; + bool Write(uint16 v, const char* tag) override; + bool Write(uint32 v, const char* tag) override; + bool Write(int64 v, const char* tag) override; + bool Write(uint64 v, const char* tag) override; + bool Write(char v, const char* tag) override; + bool Write(bool v, const char* tag) override; + bool Write(double d, const char* tag) override; + bool Write(const char* s, const char* tag) override; + bool Write(const char* buf, int len, const char* tag) override; + bool Write(const string& s, const char* tag) override; + bool Write(const IPAddr& addr, const char* tag) override; + bool Write(const IPPrefix& prefix, const char* tag) override; + bool Write(const struct in_addr& addr, const char* tag) override; + bool Write(const struct in6_addr& addr, const char* tag) override; + bool WriteOpenTag(const char* tag) override; + bool WriteCloseTag(const char* tag) override; + bool WriteSeparator() override; }; #endif diff --git a/src/Serializer.h b/src/Serializer.h index 7f31e27d55..3b863a5b6e 100644 --- a/src/Serializer.h +++ b/src/Serializer.h @@ -96,7 +96,7 @@ public: protected: // Format defaults to binary serialization. - Serializer(SerializationFormat* format = 0); + explicit Serializer(SerializationFormat* format = 0); virtual ~Serializer(); // Reads next object. 
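Review bot: The default argument in `explicit Serializer(SerializationFormat* format = 0);` still spells the null pointer as `0`. The patch already depends on C++11 through `override`, so `explicit Serializer(SerializationFormat* format = nullptr);` states the intent and cannot be read as an integer. The same applies to the `CloneSerializer` and `FileSerializer` constructors later in Serializer.h. It also applies to `TypeList(BroType* arg_pure_type = 0)` in Type.h, `TableVal(TableType* t, Attributes* attrs = 0)` in Val.h and `UID(bro_uint_t bits, const uint64* v = 0, size_t n = 0)` in UID.h.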
@@ -159,7 +159,7 @@ public: // If max_cache_size is greater than zero, we'll remove old entries // automatically if limit is reached (LRU expiration). - SerializationCache(unsigned int max_cache_size = 0); + explicit SerializationCache(unsigned int max_cache_size = 0); ~SerializationCache(); PermanentID Register(const SerialObj* obj, PermanentID pid, 
@@ -261,27 +261,27 @@ private: // minimal implementation of Serializer! class CloneSerializer : public Serializer { public: - CloneSerializer(SerializationFormat* format = 0) : Serializer(format) { } - virtual ~CloneSerializer() { } + explicit CloneSerializer(SerializationFormat* format = 0) : Serializer(format) { } + ~CloneSerializer() override + { } protected: - virtual void ReportError(const char* msg) { reporter->Error("%s", msg); } - virtual void GotID(ID* id, Val* val) { } - virtual void GotEvent(const char* name, double time, - EventHandlerPtr event, val_list* args) { } - virtual void GotFunctionCall(const char* name, double time, - Func* func, val_list* args) { } - virtual void GotStateAccess(StateAccess* s) { delete s; } - virtual void GotTimer(Timer* t) { } - virtual void GotConnection(Connection* c) { } - virtual void GotPacket(Packet* packet) { } + void ReportError(const char* msg) override { reporter->Error("%s", msg); } + void GotID(ID* id, Val* val) override { } + void GotEvent(const char* name, double time, EventHandlerPtr event, val_list* args) override { } + void GotFunctionCall(const char* name, double time, + Func* func, val_list* args) override { } + void GotStateAccess(StateAccess* s) override { delete s; } + void GotTimer(Timer* t) override { } + void GotConnection(Connection* c) override { } + void GotPacket(Packet* packet) override { } }; // Write values/events to file or fd. class FileSerializer : public Serializer { public: - FileSerializer(SerializationFormat* format = 0); - virtual ~FileSerializer(); + explicit FileSerializer(SerializationFormat* format = 0); + ~FileSerializer() override; // Opens the file for serialization. bool Open(const char* file, bool pure = false); 
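Review bot: `void GotStateAccess(StateAccess* s) override { delete s; }` is the only callback in CloneSerializer that frees its argument, and nothing on the line records why. Whether the Serializer contract hands ownership of `s` to the callee is not visible in this hunk, and FileSerializer::GotStateAccess is only declared in this file, so the two cannot be compared. If ownership is not transferred, this `delete` frees an object the caller still holds. Please confirm against the base class and add a comment on that line such as `// Callee owns s (see Serializer::GotStateAccess); free it since the clone path discards state accesses.`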
@@ -291,16 +291,16 @@ public: bool Read(UnserialInfo* info, const char* file, bool header = true); protected: - virtual void ReportError(const char* msg); - virtual void GotID(ID* id, Val* val); - virtual void GotEvent(const char* name, double time, - EventHandlerPtr event, val_list* args); - virtual void GotFunctionCall(const char* name, double time, - Func* func, val_list* args); - virtual void GotStateAccess(StateAccess* s); - virtual void GotTimer(Timer* t); - virtual void GotConnection(Connection* c); - virtual void GotPacket(Packet* packet); + void ReportError(const char* msg) override; + void GotID(ID* id, Val* val) override; + void GotEvent(const char* name, double time, + EventHandlerPtr event, val_list* args) override; + void GotFunctionCall(const char* name, double time, + Func* func, val_list* args) override; + void GotStateAccess(StateAccess* s) override; + void GotTimer(Timer* t) override; + void GotConnection(Connection* c) override; + void GotPacket(Packet* packet) override; bool OpenFile(const char* file, bool readonly, bool should_exist = false); void CloseFile(); 
@@ -331,21 +331,21 @@ public: // Plays a file of events back. class EventPlayer : public FileSerializer, public iosource::IOSource { public: - EventPlayer(const char* file); - virtual ~EventPlayer(); + explicit EventPlayer(const char* file); + ~EventPlayer() override; - virtual void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, - iosource::FD_Set* except); - virtual double NextTimestamp(double* local_network_time); - virtual void Process(); - virtual const char* Tag() { return "EventPlayer"; } + void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, + iosource::FD_Set* except) override; + double NextTimestamp(double* local_network_time) override; + void Process() override; + const char* Tag() override { return "EventPlayer"; } protected: - virtual void GotID(ID* id, Val* val) {} - virtual void GotEvent(const char* name, double time, - EventHandlerPtr event, val_list* args); - virtual void GotFunctionCall(const char* name, double time, - Func* func, val_list* args); + void GotID(ID* id, Val* val) override {} + void GotEvent(const char* name, double time, + EventHandlerPtr event, val_list* args) override; + void GotFunctionCall(const char* name, double time, + Func* func, val_list* args) override; double stream_time; // time of first captured event double replay_time; // network time of replay start diff --git a/src/Sessions.h b/src/Sessions.h index 37fa81016e..915b2f5631 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -56,7 +56,7 @@ public: : Timer(t, TIMER_TIMERMGR_EXPIRE), mgr(arg_mgr) { } - virtual void Dispatch(double t, int is_expire); + void Dispatch(double t, int is_expire) override; protected: TimerMgr* mgr; @@ -260,9 +260,9 @@ public: : Timer(t + BifConst::Tunnel::ip_tunnel_timeout, TIMER_IP_TUNNEL_INACTIVITY), tunnel_idx(p) {} - ~IPTunnelTimer() {} + ~IPTunnelTimer() override {} - void Dispatch(double t, int is_expire); + void Dispatch(double t, int is_expire) override; protected: NetSessions::IPPair tunnel_idx; 
diff --git a/src/SmithWaterman.h b/src/SmithWaterman.h index 190ecda597..2eb359dec0 100644 --- a/src/SmithWaterman.h +++ b/src/SmithWaterman.h @@ -41,10 +41,10 @@ public: typedef BSSAlignVec::iterator BSSAlignVecIt; typedef BSSAlignVec::const_iterator BSSAlignVecCIt; - BroSubstring(const string& string) + explicit BroSubstring(const string& string) : BroString(string), _num(), _new(false) { } - BroSubstring(const BroString& string) + explicit BroSubstring(const BroString& string) : BroString(string), _num(), _new(false) { } BroSubstring(const BroSubstring& bst); @@ -97,7 +97,7 @@ private: // class BroSubstringCmp { public: - BroSubstringCmp(unsigned int index) { _index = index; } + explicit BroSubstringCmp(unsigned int index) { _index = index; } bool operator()(const BroSubstring* bst1, const BroSubstring* bst2) const; private: @@ -119,7 +119,7 @@ enum SWVariant { // Parameters for Smith-Waterman are stored in this simple record. // struct SWParams { - SWParams(unsigned int min_toklen = 3, SWVariant sw_variant = SW_SINGLE) + explicit SWParams(unsigned int min_toklen = 3, SWVariant sw_variant = SW_SINGLE) { _min_toklen = min_toklen; _sw_variant = sw_variant; diff --git a/src/StateAccess.h b/src/StateAccess.h index bc5064602b..1e84430956 100644 --- a/src/StateAccess.h +++ b/src/StateAccess.h @@ -48,7 +48,7 @@ public: StateAccess(const StateAccess& sa); - virtual ~StateAccess(); + ~StateAccess() override; // Replays this access in the our environment. void Replay(); diff --git a/src/Stats.h b/src/Stats.h index 7fbec8cab6..af9a0e1f3c 100644 --- a/src/Stats.h +++ b/src/Stats.h @@ -63,14 +63,14 @@ protected: class ProfileLogger : public SegmentStatsReporter { public: ProfileLogger(BroFile* file, double interval); - ~ProfileLogger(); + ~ProfileLogger() override; void Log(); BroFile* File() { return file; } protected: void SegmentProfile(const char* name, const Location* loc, - double dtime, int dmem); + double dtime, int dmem) override; private: BroFile* file; 
@@ -82,7 +82,7 @@ private: class SampleLogger : public SegmentStatsReporter { public: SampleLogger(); - ~SampleLogger(); + ~SampleLogger() override; // These are called to report that a given function or location // has been seen during the sampling. @@ -91,7 +91,7 @@ public: protected: void SegmentProfile(const char* name, const Location* loc, - double dtime, int dmem); + double dtime, int dmem) override; TableVal* load_samples; }; diff --git a/src/Stmt.h b/src/Stmt.h index 1c3bef2984..7fed08ed33 100644 --- a/src/Stmt.h +++ b/src/Stmt.h @@ -23,15 +23,15 @@ class Stmt : public BroObj { public: BroStmtTag Tag() const { return tag; } - virtual ~Stmt(); + ~Stmt() override; virtual Val* Exec(Frame* f, stmt_flow_type& flow) const = 0; Stmt* Ref() { ::Ref(this); return this; } - bool SetLocationInfo(const Location* loc) + bool SetLocationInfo(const Location* loc) override { return Stmt::SetLocationInfo(loc, loc); } - bool SetLocationInfo(const Location* start, const Location* end); + bool SetLocationInfo(const Location* start, const Location* end) override; // True if the statement has no side effects, false otherwise. virtual int IsPure() const; @@ -58,7 +58,7 @@ public: void AccessStats(ODesc* d) const; uint32 GetAccessCount() const { return access_count; } - virtual void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; virtual void IncrBPCount() { ++breakpoint_count; } virtual void DecrBPCount() @@ -78,7 +78,7 @@ public: protected: Stmt() {} - Stmt(BroStmtTag arg_tag); + explicit Stmt(BroStmtTag arg_tag); void AddTag(ODesc* d) const; void DescribeDone(ODesc* d) const; 
@@ -97,18 +97,18 @@ class ExprListStmt : public Stmt { public: const ListExpr* ExprList() const { return l; } - TraversalCode Traverse(TraversalCallback* cb) const; + TraversalCode Traverse(TraversalCallback* cb) const override; protected: ExprListStmt() { l = 0; } ExprListStmt(BroStmtTag t, ListExpr* arg_l); - virtual ~ExprListStmt(); + ~ExprListStmt() override; - Val* Exec(Frame* f, stmt_flow_type& flow) const; + Val* Exec(Frame* f, stmt_flow_type& flow) const override; virtual Val* DoExec(val_list* vals, stmt_flow_type& flow) const = 0; - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; void PrintVals(ODesc* d, val_list* vals, int offset) const; DECLARE_ABSTRACT_SERIAL(ExprListStmt); @@ -118,7 +118,7 @@ protected: class PrintStmt : public ExprListStmt { public: - PrintStmt(ListExpr* l) : ExprListStmt(STMT_PRINT, l) { } + explicit PrintStmt(ListExpr* l) : ExprListStmt(STMT_PRINT, l) { } protected: friend class Stmt; @@ -131,8 +131,8 @@ protected: class ExprStmt : public Stmt { public: - ExprStmt(Expr* e); - virtual ~ExprStmt(); + explicit ExprStmt(Expr* e); + ~ExprStmt() override; Val* Exec(Frame* f, stmt_flow_type& flow) const override; @@ -159,7 +159,7 @@ protected: class IfStmt : public ExprStmt { public: IfStmt(Expr* test, Stmt* s1, Stmt* s2); - ~IfStmt(); + ~IfStmt() override; const Stmt* TrueBranch() const { return s1; } const Stmt* FalseBranch() const { return s2; } @@ -184,7 +184,7 @@ protected: class Case : public BroObj { public: Case(ListExpr* c, Stmt* arg_s); - ~Case(); + ~Case() override; const ListExpr* Cases() const { return cases; } ListExpr* Cases() { return cases; } @@ -212,7 +212,7 @@ protected: class SwitchStmt : public ExprStmt { public: SwitchStmt(Expr* index, case_list* cases); - ~SwitchStmt(); + ~SwitchStmt() override; const case_list* Cases() const { return cases; } 
@@ -250,7 +250,7 @@ protected: class AddStmt : public ExprStmt { public: - AddStmt(Expr* e); + explicit AddStmt(Expr* e); int IsPure() const override; Val* Exec(Frame* f, stmt_flow_type& flow) const override; @@ -266,7 +266,7 @@ protected: class DelStmt : public ExprStmt { public: - DelStmt(Expr* e); + explicit DelStmt(Expr* e); int IsPure() const override; Val* Exec(Frame* f, stmt_flow_type& flow) const override; @@ -282,7 +282,7 @@ protected: class EventStmt : public ExprStmt { public: - EventStmt(EventExpr* e); + explicit EventStmt(EventExpr* e); Val* Exec(Frame* f, stmt_flow_type& flow) const override; @@ -301,7 +301,7 @@ class WhileStmt : public Stmt { public: WhileStmt(Expr* loop_condition, Stmt* body); - ~WhileStmt(); + ~WhileStmt() override; int IsPure() const override; @@ -326,7 +326,7 @@ protected: class ForStmt : public ExprStmt { public: ForStmt(id_list* loop_vars, Expr* loop_expr); - ~ForStmt(); + ~ForStmt() override; void AddBody(Stmt* arg_body) { body = arg_body; } @@ -399,7 +399,7 @@ protected: class ReturnStmt : public ExprStmt { public: - ReturnStmt(Expr* e); + explicit ReturnStmt(Expr* e); Val* Exec(Frame* f, stmt_flow_type& flow) const override; @@ -415,7 +415,7 @@ protected: class StmtList : public Stmt { public: StmtList(); - ~StmtList(); + ~StmtList() override; Val* Exec(Frame* f, stmt_flow_type& flow) const override; @@ -456,14 +456,14 @@ protected: class InitStmt : public Stmt { public: - InitStmt(id_list* arg_inits) : Stmt(STMT_INIT) + explicit InitStmt(id_list* arg_inits) : Stmt(STMT_INIT) { inits = arg_inits; if ( arg_inits && arg_inits->length() ) SetLocationInfo((*arg_inits)[0]->GetLocationInfo()); } - ~InitStmt(); + ~InitStmt() override; Val* Exec(Frame* f, stmt_flow_type& flow) const override; 
@@ -501,7 +501,7 @@ class WhenStmt : public Stmt { public: // s2 is null if no timeout block given. WhenStmt(Expr* cond, Stmt* s1, Stmt* s2, Expr* timeout, bool is_return); - ~WhenStmt(); + ~WhenStmt() override; Val* Exec(Frame* f, stmt_flow_type& flow) const override; int IsPure() const override; diff --git a/src/Tag.h b/src/Tag.h index 224fdd40f3..efc3e359c2 100644 --- a/src/Tag.h +++ b/src/Tag.h @@ -132,7 +132,7 @@ protected: * * @param val An enum value of script type \c Analyzer::Tag. */ - Tag(EnumVal* val); + explicit Tag(EnumVal* val); private: type_t type; // Main type. diff --git a/src/Timer.h b/src/Timer.h index 8fba53d3b7..ea410e5c7b 100644 --- a/src/Timer.h +++ b/src/Timer.h @@ -56,7 +56,7 @@ class Timer : public SerialObj, public PQ_Element { public: Timer(double t, TimerType arg_type) : PQ_Element(t) { type = (char) arg_type; } - virtual ~Timer() { } + ~Timer() override { } TimerType Type() const { return (TimerType) type; } @@ -118,7 +118,7 @@ public: static unsigned int* CurrentTimers() { return current_timers; } protected: - TimerMgr(const Tag& arg_tag) + explicit TimerMgr(const Tag& arg_tag) { t = 0.0; num_expired = 0; 
@@ -141,19 +141,19 @@ protected: class PQ_TimerMgr : public TimerMgr { public: - PQ_TimerMgr(const Tag& arg_tag); - ~PQ_TimerMgr(); + explicit PQ_TimerMgr(const Tag& arg_tag); + ~PQ_TimerMgr() override; - void Add(Timer* timer); - void Expire(); + void Add(Timer* timer) override; + void Expire() override; - int Size() const { return q->Size(); } - int PeakSize() const { return q->PeakSize(); } - uint64 CumulativeNum() const { return q->CumulativeNum(); } + int Size() const override { return q->Size(); } + int PeakSize() const override { return q->PeakSize(); } + uint64 CumulativeNum() const override { return q->CumulativeNum(); } protected: - int DoAdvance(double t, int max_expire); - void Remove(Timer* timer); + int DoAdvance(double t, int max_expire) override; + void Remove(Timer* timer) override; Timer* Remove() { return (Timer*) q->Remove(); } Timer* Top() { return (Timer*) q->Top(); } @@ -163,20 +163,20 @@ protected: class CQ_TimerMgr : public TimerMgr { public: - CQ_TimerMgr(const Tag& arg_tag); - ~CQ_TimerMgr(); + explicit CQ_TimerMgr(const Tag& arg_tag); + ~CQ_TimerMgr() override; - void Add(Timer* timer); - void Expire(); + void Add(Timer* timer) override; + void Expire() override; - int Size() const { return cq_size(cq); } - int PeakSize() const { return cq_max_size(cq); } - uint64 CumulativeNum() const { return cq_cumulative_num(cq); } + int Size() const override { return cq_size(cq); } + int PeakSize() const override { return cq_max_size(cq); } + uint64 CumulativeNum() const override { return cq_cumulative_num(cq); } unsigned int MemoryUsage() const; protected: - int DoAdvance(double t, int max_expire); - void Remove(Timer* timer); + int DoAdvance(double t, int max_expire) override; + void Remove(Timer* timer) override; struct cq_handle *cq; }; diff --git a/src/Trigger.h b/src/Trigger.h index 3af9ddf1b0..0f7889d19a 100644 --- a/src/Trigger.h +++ b/src/Trigger.h 
@@ -21,7 +21,7 @@ public: // right away. Trigger(Expr* cond, Stmt* body, Stmt* timeout_stmts, Expr* timeout, Frame* f, bool is_return, const Location* loc); - ~Trigger(); + ~Trigger() override; // Evaluates the condition. If true, executes the body and deletes // the object deleted. @@ -57,16 +57,16 @@ public: bool Disabled() const { return disabled; } - virtual void Describe(ODesc* d) const { d->Add(""); } - + void Describe(ODesc* d) const override + { d->Add(""); } // Overidden from Notifier. We queue the trigger and evaluate it // later to avoid race conditions. - virtual void Access(ID* id, const StateAccess& sa) + void Access(ID* id, const StateAccess& sa) override { QueueTrigger(this); } - virtual void Access(Val* val, const StateAccess& sa) + void Access(Val* val, const StateAccess& sa) override { QueueTrigger(this); } - virtual const char* Name() const; + const char* Name() const override; static void QueueTrigger(Trigger* trigger); diff --git a/src/Type.h b/src/Type.h index ab52e10734..9366548902 100644 --- a/src/Type.h +++ b/src/Type.h @@ -82,8 +82,8 @@ const int MATCHES_INDEX_VECTOR = 2; class BroType : public BroObj { public: - BroType(TypeTag tag, bool base_type = false); - ~BroType() { } + explicit BroType(TypeTag tag, bool base_type = false); + ~BroType() override { } BroType* Clone() const; @@ -249,7 +249,7 @@ public: BroType* Ref() { ::Ref(this); return this; } - virtual void Describe(ODesc* d) const override; + void Describe(ODesc* d) const override; virtual void DescribeReST(ODesc* d, bool roles_only = false) const; virtual unsigned MemoryAllocation() const; @@ -265,7 +265,7 @@ public: static std::set GetAliases(const std::string& type_name) { return BroType::type_aliases[type_name]; } - static void AddAlias(const std::string type_name, BroType* type) + static void AddAlias(const std::string &type_name, BroType* type) { BroType::type_aliases[type_name].insert(type); } protected: 
@@ -287,13 +287,13 @@ private: class TypeList : public BroType { public: - TypeList(BroType* arg_pure_type = 0) : BroType(TYPE_LIST) + explicit TypeList(BroType* arg_pure_type = 0) : BroType(TYPE_LIST) { pure_type = arg_pure_type; if ( pure_type ) pure_type->Ref(); } - ~TypeList(); + ~TypeList() override; const type_list* Types() const { return &types; } type_list* Types() { return &types; } @@ -352,7 +352,7 @@ protected: indices = arg_indices; yield_type = arg_yield_type; } - ~IndexType(); + ~IndexType() override; DECLARE_SERIAL(IndexType) @@ -379,7 +379,7 @@ protected: class SetType : public TableType { public: SetType(TypeList* ind, ListExpr* arg_elements); - ~SetType(); + ~SetType() override; ListExpr* SetElements() const { return elements; } @@ -395,7 +395,7 @@ class FuncType : public BroType { public: FuncType(RecordType* args, BroType* yield, function_flavor f); - ~FuncType(); + ~FuncType() override; RecordType* Args() const { return args; } BroType* YieldType() override; @@ -428,8 +428,8 @@ protected: class TypeType : public BroType { public: - TypeType(BroType* t) : BroType(TYPE_TYPE) { type = t->Ref(); } - ~TypeType() { Unref(type); } + explicit TypeType(BroType* t) : BroType(TYPE_TYPE) { type = t->Ref(); } + ~TypeType() override { Unref(type); } BroType* Type() { return type; } @@ -460,9 +460,9 @@ public: class RecordType : public BroType { public: - RecordType(type_decl_list* types); + explicit RecordType(type_decl_list* types); - ~RecordType(); + ~RecordType() override; int HasField(const char* field) const override; BroType* FieldType(const char* field) const override; @@ -512,8 +512,8 @@ protected: class FileType : public BroType { public: - FileType(BroType* yield_type); - ~FileType(); + explicit FileType(BroType* yield_type); + ~FileType() override; BroType* YieldType() override; 
@@ -529,8 +529,8 @@ protected: class OpaqueType : public BroType { public: - OpaqueType(const string& name); - virtual ~OpaqueType() { }; + explicit OpaqueType(const string& name); + ~OpaqueType() override { }; const string& Name() const { return name; } @@ -549,9 +549,9 @@ class EnumType : public BroType { public: typedef std::list > enum_name_list; - EnumType(EnumType* e); - EnumType(const string& arg_name); - ~EnumType(); + explicit EnumType(EnumType* e); + explicit EnumType(const string& arg_name); + ~EnumType() override; // The value of this name is next internal counter value, starting // with zero. The internal counter is incremented. @@ -598,8 +598,8 @@ protected: class VectorType : public BroType { public: - VectorType(BroType* t); - virtual ~VectorType(); + explicit VectorType(BroType* t); + ~VectorType() override; BroType* YieldType() override; const BroType* YieldType() const; diff --git a/src/UID.h b/src/UID.h index 367b67d56d..642ecf4b48 100644 --- a/src/UID.h +++ b/src/UID.h @@ -28,7 +28,7 @@ public: * Construct a UID of a given bit-length, optionally from given values. * @see UID::Set */ - UID(bro_uint_t bits, const uint64* v = 0, size_t n = 0) + explicit UID(bro_uint_t bits, const uint64* v = 0, size_t n = 0) { Set(bits, v, n); } /** diff --git a/src/Val.cc b/src/Val.cc index 4db8aedd73..95bb8263a9 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -914,6 +914,11 @@ AddrVal::AddrVal(const char* text) : Val(TYPE_ADDR) val.addr_val = new IPAddr(text); } +AddrVal::AddrVal(const std::string& text) : Val(TYPE_ADDR) + { + val.addr_val = new IPAddr(text); + } + AddrVal::AddrVal(uint32 addr) : Val(TYPE_ADDR) { // ### perhaps do gethostbyaddr here? diff --git a/src/Val.h b/src/Val.h index 6da37b7137..ca04381176 100644 --- a/src/Val.h +++ b/src/Val.h 
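Review bot: The new `AddrVal::AddrVal(const std::string& text)` in src/Val.cc passes its argument straight to `new IPAddr(text)`, and neither the definition nor the declaration added to Val.h says what a caller gets when the text is not a valid address. How IPAddr handles malformed input is not visible in this patch. Code that builds an AddrVal from strings taken out of parsed traffic needs to know whether the result is an error report, an unspecified address or something else. I would add above the declaration in Val.h `// Builds the address from its textual IPv4/IPv6 form; see IPAddr for the behaviour on malformed text.` and replace the second half with the actual behaviour once confirmed.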
@@ -131,11 +131,11 @@ public: #endif } - Val(Func* f); + explicit Val(Func* f); // Note, will unref 'f' when it's done, closing it unless // class has ref'd it. - Val(BroFile* f); + explicit Val(BroFile* f); Val(BroType* t, bool type_type) // Extra arg to differentiate from protected version. { @@ -154,7 +154,7 @@ public: #endif } - virtual ~Val(); + ~Val() override; Val* Ref() { ::Ref(this); return this; } virtual Val* Clone() const; @@ -365,7 +365,7 @@ protected: virtual void ValDescribe(ODesc* d) const; virtual void ValDescribeReST(ODesc* d) const; - Val(TypeTag t) + explicit Val(TypeTag t) { type = base_type(t); #ifdef DEBUG @@ -373,7 +373,7 @@ protected: #endif } - Val(BroType* t) + explicit Val(BroType* t) { type = t->Ref(); #ifdef DEBUG @@ -444,7 +444,7 @@ public: #endif } - virtual uint64 LastModified() const override { return last_modified; } + uint64 LastModified() const override { return last_modified; } // Mark value as changed. void Modified() @@ -453,10 +453,10 @@ public: } protected: - MutableVal(BroType* t) : Val(t) + explicit MutableVal(BroType* t) : Val(t) { props = 0; id = 0; last_modified = SerialObj::ALWAYS; } MutableVal() { props = 0; id = 0; last_modified = SerialObj::ALWAYS; } - ~MutableVal(); + ~MutableVal() override; friend class ID; friend class Val; @@ -532,7 +532,7 @@ public: // Host-order port number already masked with port space protocol mask. BRO_DEPRECATED("use port_mgr->Get() instead") - PortVal(uint32 p); + explicit PortVal(uint32 p); Val* SizeVal() const override { return new Val(val.uint_val, TYPE_INT); } 
@@ -569,36 +569,37 @@ protected: class AddrVal : public Val { public: - AddrVal(const char* text); - ~AddrVal(); + explicit AddrVal(const char* text); + explicit AddrVal(const std::string& text); + ~AddrVal() override; Val* SizeVal() const override; // Constructor for address already in network order. - AddrVal(uint32 addr); // IPv4. - AddrVal(const uint32 addr[4]); // IPv6. - AddrVal(const IPAddr& addr); + explicit AddrVal(uint32 addr); // IPv4. + explicit AddrVal(const uint32 addr[4]); // IPv6. + explicit AddrVal(const IPAddr& addr); unsigned int MemoryAllocation() const override; protected: friend class Val; AddrVal() {} - AddrVal(TypeTag t) : Val(t) { } - AddrVal(BroType* t) : Val(t) { } + explicit AddrVal(TypeTag t) : Val(t) { } + explicit AddrVal(BroType* t) : Val(t) { } DECLARE_SERIAL(AddrVal); }; class SubNetVal : public Val { public: - SubNetVal(const char* text); + explicit SubNetVal(const char* text); SubNetVal(const char* text, int width); SubNetVal(uint32 addr, int width); // IPv4. SubNetVal(const uint32 addr[4], int width); // IPv6. SubNetVal(const IPAddr& addr, int width); - SubNetVal(const IPPrefix& prefix); - ~SubNetVal(); + explicit SubNetVal(const IPPrefix& prefix); + ~SubNetVal() override; Val* SizeVal() const override; @@ -621,9 +622,9 @@ protected: class StringVal : public Val { public: - StringVal(BroString* s); - StringVal(const char* s); - StringVal(const string& s); + explicit StringVal(BroString* s); + explicit StringVal(const char* s); + explicit StringVal(const string& s); StringVal(int length, const char* s); Val* SizeVal() const override @@ -653,8 +654,8 @@ protected: class PatternVal : public Val { public: - PatternVal(RE_Matcher* re); - ~PatternVal(); + explicit PatternVal(RE_Matcher* re); + ~PatternVal() override; int AddTo(Val* v, int is_first_init) const override; 
@@ -675,8 +676,8 @@ protected: // element in their index. class ListVal : public Val { public: - ListVal(TypeTag t); - ~ListVal(); + explicit ListVal(TypeTag t); + ~ListVal() override; TypeTag BaseTag() const { return tag; } @@ -722,7 +723,7 @@ extern double bro_start_network_time; class TableEntryVal { public: - TableEntryVal(Val* v) + explicit TableEntryVal(Val* v) { val = v; last_access_time = network_time; @@ -764,9 +765,9 @@ protected: class TableValTimer : public Timer { public: TableValTimer(TableVal* val, double t); - ~TableValTimer(); + ~TableValTimer() override; - virtual void Dispatch(double t, int is_expire); + void Dispatch(double t, int is_expire) override; TableVal* Table() { return table; } @@ -777,8 +778,8 @@ protected: class CompositeHash; class TableVal : public MutableVal { public: - TableVal(TableType* t, Attributes* attrs = 0); - ~TableVal(); + explicit TableVal(TableType* t, Attributes* attrs = 0); + ~TableVal() override; // Returns true if the assignment typechecked, false if not. The // methods take ownership of new_val, but not of the index. Second @@ -919,8 +920,8 @@ protected: class RecordVal : public MutableVal { public: - RecordVal(RecordType* t); - ~RecordVal(); + explicit RecordVal(RecordType* t); + ~RecordVal() override; Val* SizeVal() const override { return new Val(record_type->NumFields(), TYPE_COUNT); } @@ -999,8 +1000,8 @@ protected: class VectorVal : public MutableVal { public: - VectorVal(VectorType* t); - ~VectorVal(); + explicit VectorVal(VectorType* t); + ~VectorVal() override; Val* SizeVal() const override { return new Val(uint32(val.vector_val->size()), TYPE_COUNT); } @@ -1061,8 +1062,8 @@ protected: // functions). See OpaqueVal.h for derived classes. class OpaqueVal : public Val { public: - OpaqueVal(OpaqueType* t); - virtual ~OpaqueVal(); + explicit OpaqueVal(OpaqueType* t); + ~OpaqueVal() override; protected: friend class Val; 
diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index df77a990ce..a13df7e21e 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h @@ -102,7 +102,7 @@ public: * * @param conn The connection the analyzer is associated with. */ - Analyzer(Connection* conn); + explicit Analyzer(Connection* conn); /** * Destructor. @@ -731,7 +731,7 @@ public: /** * Destructor. */ - virtual ~SupportAnalyzer() {} + ~SupportAnalyzer() override {} /** * Returns true if this is a support analyzer for the connection's @@ -755,8 +755,8 @@ public: * * Parameters same as for Analyzer::ForwardPacket. */ - virtual void ForwardPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void ForwardPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; /** * Passes stream input to the next sibling SupportAnalyzer if any, or @@ -766,7 +766,7 @@ public: * * Parameters same as for Analyzer::ForwardStream. */ - virtual void ForwardStream(int len, const u_char* data, bool orig); + void ForwardStream(int len, const u_char* data, bool orig) override; /** * Passes gap information to the next sibling SupportAnalyzer if any, @@ -776,7 +776,7 @@ public: * * Parameters same as for Analyzer::ForwardPacket. */ - virtual void ForwardUndelivered(uint64 seq, int len, bool orig); + void ForwardUndelivered(uint64 seq, int len, bool orig) override; protected: friend class Analyzer; @@ -814,7 +814,7 @@ public: /** * Overridden from parent class. */ - virtual void Done(); + void Done() override; /** * Returns true if the analyzer determines that in fact a new diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h index cff79c2774..c52bf05fc6 100644 --- a/src/analyzer/Component.h +++ b/src/analyzer/Component.h @@ -61,7 +61,7 @@ public: /** * Destructor. */ - ~Component(); + ~Component() override; /** * Initialization function. This function has to be called before any 
diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index ad701a877f..926196c747 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h @@ -99,14 +99,14 @@ protected: * @param subtype The sub type, which is left to an analyzer for * interpretation. By default it's set to zero. */ - Tag(type_t type, subtype_t subtype = 0); + explicit Tag(type_t type, subtype_t subtype = 0); /** * Constructor. * * @param val An enum value of script type \c Analyzer::Tag. */ - Tag(EnumVal* val) : ::Tag(val) {} + explicit Tag(EnumVal* val) : ::Tag(val) {} }; } diff --git a/src/analyzer/protocol/arp/ARP.h b/src/analyzer/protocol/arp/ARP.h index 1bdd382714..86ea14d694 100644 --- a/src/analyzer/protocol/arp/ARP.h +++ b/src/analyzer/protocol/arp/ARP.h @@ -36,11 +36,11 @@ namespace analyzer { namespace arp { class ARP_Analyzer : public BroObj { public: ARP_Analyzer(); - virtual ~ARP_Analyzer(); + ~ARP_Analyzer() override; void NextPacket(double t, const Packet* pkt); - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; void RREvent(EventHandlerPtr e, const u_char* src, const u_char* dst, const char* spa, const char* sha, const char* tpa, const char* tha); diff --git a/src/analyzer/protocol/ayiya/AYIYA.h b/src/analyzer/protocol/ayiya/AYIYA.h index bffc7aabf8..4deb98c560 100644 --- a/src/analyzer/protocol/ayiya/AYIYA.h +++ b/src/analyzer/protocol/ayiya/AYIYA.h @@ -7,7 +7,7 @@ namespace analyzer { namespace ayiya { class AYIYA_Analyzer : public analyzer::Analyzer { public: - AYIYA_Analyzer(Connection* conn); + explicit AYIYA_Analyzer(Connection* conn); virtual ~AYIYA_Analyzer(); virtual void Done(); diff --git a/src/analyzer/protocol/backdoor/BackDoor.h b/src/analyzer/protocol/backdoor/BackDoor.h index 151eb51670..c954d176d5 100644 --- a/src/analyzer/protocol/backdoor/BackDoor.h +++ b/src/analyzer/protocol/backdoor/BackDoor.h 
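Review bot: In src/analyzer/protocol/ayiya/AYIYA.h only the constructor is converted. The two declarations right after it, `virtual ~AYIYA_Analyzer();` and `virtual void Done();`, keep the old spelling, while the other analyzer headers visible in this part of the patch (BackDoor.h, BitTorrent.h, BitTorrentTracker.h) get `override`. Without `override` the compiler does not flag a signature that has drifted from analyzer::Analyzer, in which case the base version of Done() would run instead of this one. Suggested: `~AYIYA_Analyzer() override;` and `void Done() override;`. The class body continues past the end of the hunk, so its remaining virtual members should be checked as well.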
@@ -12,7 +12,7 @@ namespace analyzer { namespace backdoor { class BackDoorEndpoint { public: - BackDoorEndpoint(tcp::TCP_Endpoint* e); + explicit BackDoorEndpoint(tcp::TCP_Endpoint* e); int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data, const IP_Hdr* ip, const struct tcphdr* tp); @@ -66,11 +66,11 @@ protected: class BackDoor_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - BackDoor_Analyzer(Connection* c); - ~BackDoor_Analyzer(); + explicit BackDoor_Analyzer(Connection* c); + ~BackDoor_Analyzer() override; - virtual void Init(); - virtual void Done(); + void Init() override; + void Done() override; void StatTimer(double t, int is_expire); static analyzer::Analyzer* Instantiate(Connection* conn) @@ -79,9 +79,9 @@ public: protected: // We support both packet and stream input, and can be instantiated // even if the TCP analyzer is not yet reassembling. - virtual void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64 seq, const IP_Hdr* ip, int caplen); - virtual void DeliverStream(int len, const u_char* data, bool is_orig); + void DeliverPacket(int len, const u_char* data, bool is_orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; + void DeliverStream(int len, const u_char* data, bool is_orig) override; void StatEvent(); void RemoveEvent(); @@ -99,9 +99,9 @@ protected: class BackDoorTimer : public Timer { public: BackDoorTimer(double t, BackDoor_Analyzer* a); - ~BackDoorTimer(); + ~BackDoorTimer() override; - void Dispatch(double t, int is_expire); + void Dispatch(double t, int is_expire) override; protected: BackDoor_Analyzer* analyzer; diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.h b/src/analyzer/protocol/bittorrent/BitTorrent.h index f1cd90c727..eb0cf6188a 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrent.h +++ b/src/analyzer/protocol/bittorrent/BitTorrent.h 
@@ -11,13 +11,13 @@ namespace analyzer { namespace bittorrent { class BitTorrent_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - BitTorrent_Analyzer(Connection* conn); - virtual ~BitTorrent_Analyzer(); + explicit BitTorrent_Analyzer(Connection* conn); + ~BitTorrent_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new BitTorrent_Analyzer(conn); } diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.h b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h index 532f7304fe..4f01d2a146 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.h +++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h @@ -44,13 +44,13 @@ enum btt_benc_states { class BitTorrentTracker_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - BitTorrentTracker_Analyzer(Connection* conn); - virtual ~BitTorrentTracker_Analyzer(); + explicit BitTorrentTracker_Analyzer(Connection* conn); + ~BitTorrentTracker_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new BitTorrentTracker_Analyzer(conn); } 
@@ -59,7 +59,7 @@ protected: void ClientRequest(int len, const u_char* data); void ServerReply(int len, const u_char* data); - void InitBencParser(void); + void InitBencParser(); void DeliverWeird(const char* msg, bool orig); @@ -67,19 +67,19 @@ protected: void RequestGet(char* uri); void RequestHeader(char* name, char* value) { ParseHeader(name, value, true); } - void EmitRequest(void); + void EmitRequest(); bool ParseResponse(char* line); void ResponseStatus(char* status); void ResponseHeader(char* name, char* value) { ParseHeader(name, value, false); } - void ResponseBody(void); + void ResponseBody(); void ResponseBenc(int name_len, char* name, enum btt_benc_types type, int value_len, char* value); void ResponseBenc(int name_len, char* name, enum btt_benc_types type, bro_int_t value); - int ResponseParseBenc(void); - void EmitResponse(void); + int ResponseParseBenc(); + void EmitResponse(); void ParseHeader(char* name, char* value, bool is_request); diff --git a/src/analyzer/protocol/conn-size/ConnSize.h b/src/analyzer/protocol/conn-size/ConnSize.h index d8dff57a1b..b272f8539c 100644 --- a/src/analyzer/protocol/conn-size/ConnSize.h +++ b/src/analyzer/protocol/conn-size/ConnSize.h @@ -11,15 +11,15 @@ namespace analyzer { namespace conn_size { class ConnSize_Analyzer : public analyzer::Analyzer { public: - ConnSize_Analyzer(Connection* c); - virtual ~ConnSize_Analyzer(); + explicit ConnSize_Analyzer(Connection* c); + ~ConnSize_Analyzer() override; - virtual void Init(); - virtual void Done(); + void Init() override; + void Done() override; // from Analyzer.h - virtual void UpdateConnVal(RecordVal *conn_val); - virtual void FlipRoles(); + void UpdateConnVal(RecordVal *conn_val) override; + void FlipRoles() override; void SetThreshold(uint64_t threshold, bool bytes, bool orig); uint64 GetThreshold(bool bytes, bool orig); 
@@ -28,8 +28,8 @@ public: { return new ConnSize_Analyzer(conn); } protected: - virtual void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void DeliverPacket(int len, const u_char* data, bool is_orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; void CheckSizes(bool is_orig); void ThresholdEvent(EventHandlerPtr f, uint64 threshold, bool is_orig); diff --git a/src/analyzer/protocol/dce-rpc/DCE_RPC.h b/src/analyzer/protocol/dce-rpc/DCE_RPC.h index 498e055e0a..c3e7aa54a3 100644 --- a/src/analyzer/protocol/dce-rpc/DCE_RPC.h +++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.h @@ -14,8 +14,8 @@ namespace analyzer { namespace dce_rpc { class DCE_RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - DCE_RPC_Analyzer(Connection* conn); - ~DCE_RPC_Analyzer(); + explicit DCE_RPC_Analyzer(Connection* conn); + ~DCE_RPC_Analyzer() override; void Done() override; void DeliverStream(int len, const u_char* data, bool orig) override; diff --git a/src/analyzer/protocol/dhcp/DHCP.h b/src/analyzer/protocol/dhcp/DHCP.h index f8f0449878..95510ddf97 100644 --- a/src/analyzer/protocol/dhcp/DHCP.h +++ b/src/analyzer/protocol/dhcp/DHCP.h @@ -9,12 +9,12 @@ namespace analyzer { namespace dhcp { class DHCP_Analyzer : public analyzer::Analyzer { public: - DHCP_Analyzer(Connection* conn); - virtual ~DHCP_Analyzer(); + explicit DHCP_Analyzer(Connection* conn); + ~DHCP_Analyzer() override; - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new DHCP_Analyzer(conn); } diff --git a/src/analyzer/protocol/dnp3/DNP3.h b/src/analyzer/protocol/dnp3/DNP3.h index aa4ef78479..4eaec3a214 100644 --- a/src/analyzer/protocol/dnp3/DNP3.h 
+++ b/src/analyzer/protocol/dnp3/DNP3.h @@ -11,7 +11,7 @@ namespace analyzer { namespace dnp3 { class DNP3_Base { public: - DNP3_Base(analyzer::Analyzer* analyzer); + explicit DNP3_Base(analyzer::Analyzer* analyzer); virtual ~DNP3_Base(); binpac::DNP3::DNP3_Conn* Interpreter() { return interp; } @@ -64,13 +64,13 @@ protected: class DNP3_TCP_Analyzer : public DNP3_Base, public tcp::TCP_ApplicationAnalyzer { public: - DNP3_TCP_Analyzer(Connection* conn); - virtual ~DNP3_TCP_Analyzer(); + explicit DNP3_TCP_Analyzer(Connection* conn); + ~DNP3_TCP_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; + void EndpointEOF(bool is_orig) override; static Analyzer* Instantiate(Connection* conn) { return new DNP3_TCP_Analyzer(conn); } @@ -78,11 +78,11 @@ public: class DNP3_UDP_Analyzer : public DNP3_Base, public analyzer::Analyzer { public: - DNP3_UDP_Analyzer(Connection* conn); - virtual ~DNP3_UDP_Analyzer(); + explicit DNP3_UDP_Analyzer(Connection* conn); + ~DNP3_UDP_Analyzer() override; - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new DNP3_UDP_Analyzer(conn); } diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 1fc94a80ba..145d19950f 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc 
@@ -182,7 +182,7 @@ int DNS_Interpreter::ParseQuestion(DNS_MsgInfo* msg, return 0; } - EventHandlerPtr dns_event = 0; + EventHandlerPtr dns_event = nullptr; if ( msg->QR == 0 ) dns_event = dns_request; diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index 87618cd18e..58a263637e 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h @@ -151,7 +151,7 @@ public: class DNS_Interpreter { public: - DNS_Interpreter(analyzer::Analyzer* analyzer); + explicit DNS_Interpreter(analyzer::Analyzer* analyzer); int ParseMessage(const u_char* data, int len, int is_query); @@ -239,14 +239,14 @@ typedef enum { class Contents_DNS : public tcp::TCP_SupportAnalyzer { public: Contents_DNS(Connection* c, bool orig, DNS_Interpreter* interp); - ~Contents_DNS(); + ~Contents_DNS() override; void Flush(); ///< process any partially-received data TCP_DNS_state State() const { return state; } protected: - virtual void DeliverStream(int len, const u_char* data, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; DNS_Interpreter* interp; @@ -260,16 +260,16 @@ protected: // Works for both TCP and UDP. class DNS_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - DNS_Analyzer(Connection* conn); - ~DNS_Analyzer(); + explicit DNS_Analyzer(Connection* conn); + ~DNS_Analyzer() override; - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; - virtual void Init(); - virtual void Done(); - virtual void ConnectionClosed(tcp::TCP_Endpoint* endpoint, - tcp::TCP_Endpoint* peer, int gen_event); + void Init() override; + void Done() override; + void ConnectionClosed(tcp::TCP_Endpoint* endpoint, + tcp::TCP_Endpoint* peer, int gen_event) override; void ExpireTimer(double t); 
diff --git a/src/analyzer/protocol/file/File.h b/src/analyzer/protocol/file/File.h index 8e611fe0c3..58073afa6e 100644 --- a/src/analyzer/protocol/file/File.h +++ b/src/analyzer/protocol/file/File.h @@ -13,11 +13,11 @@ class File_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: File_Analyzer(const char* name, Connection* conn); - virtual void Done(); + void Done() override; - virtual void DeliverStream(int len, const u_char* data, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; - void Undelivered(uint64 seq, int len, bool orig); + void Undelivered(uint64 seq, int len, bool orig) override; // static analyzer::Analyzer* Instantiate(Connection* conn) // { return new File_Analyzer(conn); } @@ -34,7 +34,7 @@ protected: class IRC_Data : public File_Analyzer { public: - IRC_Data(Connection* conn) + explicit IRC_Data(Connection* conn) : File_Analyzer("IRC_Data", conn) { } @@ -44,7 +44,7 @@ public: class FTP_Data : public File_Analyzer { public: - FTP_Data(Connection* conn) + explicit FTP_Data(Connection* conn) : File_Analyzer("FTP_Data", conn) { } diff --git a/src/analyzer/protocol/finger/Finger.h b/src/analyzer/protocol/finger/Finger.h index c677f4c599..d7ea81f430 100644 --- a/src/analyzer/protocol/finger/Finger.h +++ b/src/analyzer/protocol/finger/Finger.h @@ -10,12 +10,12 @@ namespace analyzer { namespace finger { class Finger_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - Finger_Analyzer(Connection* conn); - virtual ~Finger_Analyzer() {} + explicit Finger_Analyzer(Connection* conn); + ~Finger_Analyzer() override {} - virtual void Done(); + void Done() override; // Line-based input. - virtual void DeliverStream(int len, const u_char* data, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new Finger_Analyzer(conn); } 
diff --git a/src/analyzer/protocol/ftp/FTP.h b/src/analyzer/protocol/ftp/FTP.h index f829547f36..668e2da83e 100644 --- a/src/analyzer/protocol/ftp/FTP.h +++ b/src/analyzer/protocol/ftp/FTP.h @@ -10,10 +10,10 @@ namespace analyzer { namespace ftp { class FTP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - FTP_Analyzer(Connection* conn); + explicit FTP_Analyzer(Connection* conn); - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { @@ -40,7 +40,7 @@ public: : SupportAnalyzer("FTP_ADAT", conn, arg_orig), first_token(true) { } - void DeliverStream(int len, const u_char* data, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; protected: // Used by the client-side analyzer to tell if it needs to peek at the diff --git a/src/analyzer/protocol/gnutella/Gnutella.h b/src/analyzer/protocol/gnutella/Gnutella.h index c2b161ec04..895116cfbb 100644 --- a/src/analyzer/protocol/gnutella/Gnutella.h +++ b/src/analyzer/protocol/gnutella/Gnutella.h @@ -36,11 +36,11 @@ public: class Gnutella_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - Gnutella_Analyzer(Connection* conn); - ~Gnutella_Analyzer(); + explicit Gnutella_Analyzer(Connection* conn); + ~Gnutella_Analyzer() override; - virtual void Done (); - virtual void DeliverStream(int len, const u_char* data, bool orig); + void Done () override; + void DeliverStream(int len, const u_char* data, bool orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new Gnutella_Analyzer(conn); } diff --git a/src/analyzer/protocol/gssapi/GSSAPI.h b/src/analyzer/protocol/gssapi/GSSAPI.h index 2fd01a3ab5..e99eab2abd 100644 --- a/src/analyzer/protocol/gssapi/GSSAPI.h +++ b/src/analyzer/protocol/gssapi/GSSAPI.h 
@@ -15,8 +15,8 @@ class GSSAPI_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - GSSAPI_Analyzer(Connection* conn); - virtual ~GSSAPI_Analyzer(); + explicit GSSAPI_Analyzer(Connection* conn); + ~GSSAPI_Analyzer() override; // Overriden from Analyzer. void Done() override; diff --git a/src/analyzer/protocol/gtpv1/GTPv1.h b/src/analyzer/protocol/gtpv1/GTPv1.h index 45cacaa17a..d7487a2881 100644 --- a/src/analyzer/protocol/gtpv1/GTPv1.h +++ b/src/analyzer/protocol/gtpv1/GTPv1.h @@ -7,7 +7,7 @@ namespace analyzer { namespace gtpv1 { class GTPv1_Analyzer : public analyzer::Analyzer { public: - GTPv1_Analyzer(Connection* conn); + explicit GTPv1_Analyzer(Connection* conn); virtual ~GTPv1_Analyzer(); virtual void Done(); diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h index 31bc485f35..a9b781a269 100644 --- a/src/analyzer/protocol/http/HTTP.h +++ b/src/analyzer/protocol/http/HTTP.h @@ -34,7 +34,7 @@ class HTTP_Entity : public mime::MIME_Entity { public: HTTP_Entity(HTTP_Message* msg, MIME_Entity* parent_entity, int expect_body); - ~HTTP_Entity() + ~HTTP_Entity() override { if ( zip ) { zip->Done(); delete zip; } @@ -104,7 +104,7 @@ friend class HTTP_Entity; public: HTTP_Message(HTTP_Analyzer* analyzer, tcp::ContentLine_Analyzer* cl, bool is_orig, int expect_body, int64_t init_header_length); - ~HTTP_Message(); + ~HTTP_Message() override; void Done(const int interrupted, const char* msg); void Done() override { Done(0, "message ends normally"); } @@ -153,7 +153,7 @@ protected: class HTTP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: HTTP_Analyzer(Connection* conn); - ~HTTP_Analyzer(); + ~HTTP_Analyzer() override; void HTTP_Header(int is_orig, mime::MIME_Header* h); void HTTP_EntityData(int is_orig, BroString* entity_data); diff --git a/src/analyzer/protocol/icmp/ICMP.h b/src/analyzer/protocol/icmp/ICMP.h index 391ab4d7a7..4fee289d5b 100644 --- a/src/analyzer/protocol/icmp/ICMP.h +++ b/src/analyzer/protocol/icmp/ICMP.h 
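Review bot: In the HTTP.h hunk at -153,7 the destructor gains `override`, but the context line `HTTP_Analyzer(Connection* conn);` remains a converting constructor, unlike the other single-argument `Connection*` constructors this patch touches. For consistency it should read `explicit HTTP_Analyzer(Connection* conn);`, so that a bare `Connection*` cannot be converted into a temporary analyzer implicitly. The class body continues outside the hunk.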
@@ -17,19 +17,19 @@ typedef enum { // RuleMatcherState to perform our own matching. class ICMP_Analyzer : public analyzer::TransportLayerAnalyzer { public: - ICMP_Analyzer(Connection* conn); + explicit ICMP_Analyzer(Connection* conn); - virtual void UpdateConnVal(RecordVal *conn_val); + void UpdateConnVal(RecordVal *conn_val) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new ICMP_Analyzer(conn); } protected: - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); - virtual bool IsReuse(double t, const u_char* pkt); - virtual unsigned int MemoryAllocation() const; + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; + bool IsReuse(double t, const u_char* pkt) override; + unsigned int MemoryAllocation() const override; void ICMP_Sent(const struct icmp* icmpp, int len, int caplen, int icmpv6, const u_char* data, const IP_Hdr* ip_hdr); diff --git a/src/analyzer/protocol/ident/Ident.h b/src/analyzer/protocol/ident/Ident.h index 07fe8c116f..daaef3fb38 100644 --- a/src/analyzer/protocol/ident/Ident.h +++ b/src/analyzer/protocol/ident/Ident.h @@ -10,10 +10,10 @@ namespace analyzer { namespace ident { class Ident_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - Ident_Analyzer(Connection* conn); - virtual void Done(); + explicit Ident_Analyzer(Connection* conn); + void Done() override; - virtual void DeliverStream(int length, const u_char* data, bool is_orig); + void DeliverStream(int length, const u_char* data, bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new Ident_Analyzer(conn); } diff --git a/src/analyzer/protocol/imap/IMAP.h b/src/analyzer/protocol/imap/IMAP.h index e71770d360..631660d452 100644 --- a/src/analyzer/protocol/imap/IMAP.h +++ b/src/analyzer/protocol/imap/IMAP.h 
@@ -13,15 +13,15 @@ namespace analyzer { namespace imap { class IMAP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - IMAP_Analyzer(Connection* conn); - virtual ~IMAP_Analyzer(); + explicit IMAP_Analyzer(Connection* conn); + ~IMAP_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; // Overriden from tcp::TCP_ApplicationAnalyzer. - virtual void EndpointEOF(bool is_orig); + void EndpointEOF(bool is_orig) override; void StartTLS(); diff --git a/src/analyzer/protocol/interconn/InterConn.h b/src/analyzer/protocol/interconn/InterConn.h index 6ab7f138b2..04d5a2b5c6 100644 --- a/src/analyzer/protocol/interconn/InterConn.h +++ b/src/analyzer/protocol/interconn/InterConn.h @@ -11,7 +11,7 @@ namespace analyzer { namespace interconn { class InterConnEndpoint : public BroObj { public: - InterConnEndpoint(tcp::TCP_Endpoint* e); + explicit InterConnEndpoint(tcp::TCP_Endpoint* e); int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data, const IP_Hdr* ip, const struct tcphdr* tp); @@ -42,11 +42,11 @@ protected: class InterConn_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - InterConn_Analyzer(Connection* c); - ~InterConn_Analyzer(); + explicit InterConn_Analyzer(Connection* c); + ~InterConn_Analyzer() override; - virtual void Init(); - virtual void Done(); + void Init() override; + void Done() override; void StatTimer(double t, int is_expire); static analyzer::Analyzer* Instantiate(Connection* conn) 
@@ -55,9 +55,9 @@ public: protected: // We support both packet and stream input and can be put in place even // if the TCP analyzer is not yet reassembling. - virtual void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64 seq, const IP_Hdr* ip, int caplen); - virtual void DeliverStream(int len, const u_char* data, bool is_orig); + void DeliverPacket(int len, const u_char* data, bool is_orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; + void DeliverStream(int len, const u_char* data, bool is_orig) override; void StatEvent(); void RemoveEvent(); @@ -75,9 +75,9 @@ protected: class InterConnTimer : public Timer { public: InterConnTimer(double t, InterConn_Analyzer* a); - ~InterConnTimer(); + ~InterConnTimer() override; - void Dispatch(double t, int is_expire); + void Dispatch(double t, int is_expire) override; protected: InterConn_Analyzer* analyzer; diff --git a/src/analyzer/protocol/irc/IRC.h b/src/analyzer/protocol/irc/IRC.h index 497225846d..8981d2ee65 100644 --- a/src/analyzer/protocol/irc/IRC.h +++ b/src/analyzer/protocol/irc/IRC.h @@ -17,7 +17,7 @@ public: /** * \brief Constructor, builds a new analyzer object. */ - IRC_Analyzer(Connection* conn); + explicit IRC_Analyzer(Connection* conn); /** * \brief Called when connection is closed. diff --git a/src/analyzer/protocol/krb/KRB.h b/src/analyzer/protocol/krb/KRB.h index 392df5c13d..99e0529ff1 100644 --- a/src/analyzer/protocol/krb/KRB.h +++ b/src/analyzer/protocol/krb/KRB.h @@ -10,7 +10,7 @@ namespace analyzer { namespace krb { class KRB_Analyzer : public analyzer::Analyzer { public: - KRB_Analyzer(Connection* conn); + explicit KRB_Analyzer(Connection* conn); virtual ~KRB_Analyzer(); virtual void Done(); diff --git a/src/analyzer/protocol/krb/KRB_TCP.h b/src/analyzer/protocol/krb/KRB_TCP.h index 0dcf99ca97..0ce4d5f65d 100644 --- a/src/analyzer/protocol/krb/KRB_TCP.h +++ b/src/analyzer/protocol/krb/KRB_TCP.h 
@@ -12,15 +12,15 @@ namespace analyzer { namespace krb_tcp { class KRB_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - KRB_Analyzer(Connection* conn); - virtual ~KRB_Analyzer(); + explicit KRB_Analyzer(Connection* conn); + ~KRB_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; // Overriden from tcp::TCP_ApplicationAnalyzer. - virtual void EndpointEOF(bool is_orig); + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new KRB_Analyzer(conn); } diff --git a/src/analyzer/protocol/login/Login.h b/src/analyzer/protocol/login/Login.h index 25d1b24005..a17b636685 100644 --- a/src/analyzer/protocol/login/Login.h +++ b/src/analyzer/protocol/login/Login.h @@ -24,16 +24,16 @@ typedef enum { class Login_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: Login_Analyzer(const char* name, Connection* conn); - ~Login_Analyzer(); + ~Login_Analyzer() override; - virtual void DeliverStream(int len, const u_char* data, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; - virtual void SetEnv(bool orig, char* name, char* val); + void SetEnv(bool orig, char* name, char* val) override; login_state LoginState() const { return state; } void SetLoginState(login_state s) { state = s; } - virtual void EndpointEOF(bool is_orig); + void EndpointEOF(bool is_orig) override; protected: void NewLine(bool orig, char* line); diff --git a/src/analyzer/protocol/login/NVT.h b/src/analyzer/protocol/login/NVT.h index 3bcadcdc8e..c967962953 100644 --- a/src/analyzer/protocol/login/NVT.h +++ b/src/analyzer/protocol/login/NVT.h 
@@ -61,19 +61,19 @@ protected: class TelnetTerminalOption : public TelnetOption { public: - TelnetTerminalOption(NVT_Analyzer* arg_endp) + explicit TelnetTerminalOption(NVT_Analyzer* arg_endp) : TelnetOption(arg_endp, TELNET_OPTION_TERMINAL) { } - void RecvSubOption(u_char* data, int len); + void RecvSubOption(u_char* data, int len) override; }; class TelnetEncryptOption : public TelnetOption { public: - TelnetEncryptOption(NVT_Analyzer* arg_endp) + explicit TelnetEncryptOption(NVT_Analyzer* arg_endp) : TelnetOption(arg_endp, TELNET_OPTION_ENCRYPT) { did_encrypt_request = doing_encryption = 0; } - void RecvSubOption(u_char* data, int len); + void RecvSubOption(u_char* data, int len) override; int DidRequest() const { return did_encrypt_request; } int DoingEncryption() const { return doing_encryption; } @@ -85,11 +85,11 @@ protected: class TelnetAuthenticateOption : public TelnetOption { public: - TelnetAuthenticateOption(NVT_Analyzer* arg_endp) + explicit TelnetAuthenticateOption(NVT_Analyzer* arg_endp) : TelnetOption(arg_endp, TELNET_OPTION_AUTHENTICATE) { authentication_requested = 0; } - void RecvSubOption(u_char* data, int len); + void RecvSubOption(u_char* data, int len) override; int DidRequestAuthentication() const { return authentication_requested; } @@ -101,11 +101,11 @@ protected: class TelnetEnvironmentOption : public TelnetOption { public: - TelnetEnvironmentOption(NVT_Analyzer* arg_endp) + explicit TelnetEnvironmentOption(NVT_Analyzer* arg_endp) : TelnetOption(arg_endp, TELNET_OPTION_ENVIRON) { } - void RecvSubOption(u_char* data, int len); + void RecvSubOption(u_char* data, int len) override; protected: char* ExtractEnv(u_char*& data, int& len, int& code); 
@@ -113,20 +113,20 @@ protected: class TelnetBinaryOption : public TelnetOption { public: - TelnetBinaryOption(NVT_Analyzer* arg_endp) + explicit TelnetBinaryOption(NVT_Analyzer* arg_endp) : TelnetOption(arg_endp, TELNET_OPTION_BINARY) { } - void SetActive(int is_active); + void SetActive(int is_active) override; protected: - void InconsistentOption(unsigned int type); + void InconsistentOption(unsigned int type) override; }; class NVT_Analyzer : public tcp::ContentLine_Analyzer { public: NVT_Analyzer(Connection* conn, bool orig); - ~NVT_Analyzer(); + ~NVT_Analyzer() override; TelnetOption* FindOption(unsigned int code); TelnetOption* FindPeerOption(unsigned int code); @@ -146,7 +146,7 @@ public: { return authentication_has_been_accepted; } protected: - void DoDeliver(int len, const u_char* data); + void DoDeliver(int len, const u_char* data) override; void ScanOption(int seq, int len, const u_char* data); virtual void SawOption(unsigned int code); diff --git a/src/analyzer/protocol/login/RSH.h b/src/analyzer/protocol/login/RSH.h index 3f6e9851f1..44a9609a53 100644 --- a/src/analyzer/protocol/login/RSH.h +++ b/src/analyzer/protocol/login/RSH.h @@ -26,12 +26,12 @@ class Rsh_Analyzer; class Contents_Rsh_Analyzer : public tcp::ContentLine_Analyzer { public: Contents_Rsh_Analyzer(Connection* conn, bool orig, Rsh_Analyzer* analyzer); - ~Contents_Rsh_Analyzer(); + ~Contents_Rsh_Analyzer() override; rsh_state RshSaveState() const { return save_state; } protected: - virtual void DoDeliver(int len, const u_char* data); + void DoDeliver(int len, const u_char* data) override; void BadProlog(); rsh_state state, save_state; 
@@ -42,9 +42,9 @@ protected: class Rsh_Analyzer : public Login_Analyzer { public: - Rsh_Analyzer(Connection* conn); + explicit Rsh_Analyzer(Connection* conn); - virtual void DeliverStream(int len, const u_char* data, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; void ClientUserName(const char* s); void ServerUserName(const char* s); diff --git a/src/analyzer/protocol/login/Rlogin.h b/src/analyzer/protocol/login/Rlogin.h index 0e8a7eb93b..ffce6214ea 100644 --- a/src/analyzer/protocol/login/Rlogin.h +++ b/src/analyzer/protocol/login/Rlogin.h @@ -35,7 +35,7 @@ class Contents_Rlogin_Analyzer : public tcp::ContentLine_Analyzer { public: Contents_Rlogin_Analyzer(Connection* conn, bool orig, Rlogin_Analyzer* analyzer); - ~Contents_Rlogin_Analyzer(); + ~Contents_Rlogin_Analyzer() override; void SetPeer(Contents_Rlogin_Analyzer* arg_peer) { peer = arg_peer; } @@ -44,7 +44,7 @@ public: { return state; } protected: - void DoDeliver(int len, const u_char* data); + void DoDeliver(int len, const u_char* data) override; void BadProlog(); rlogin_state state, save_state; @@ -56,7 +56,7 @@ protected: class Rlogin_Analyzer : public Login_Analyzer { public: - Rlogin_Analyzer(Connection* conn); + explicit Rlogin_Analyzer(Connection* conn); void ClientUserName(const char* s); void ServerUserName(const char* s); diff --git a/src/analyzer/protocol/login/Telnet.h b/src/analyzer/protocol/login/Telnet.h index 936d7a8427..3bafff8e78 100644 --- a/src/analyzer/protocol/login/Telnet.h +++ b/src/analyzer/protocol/login/Telnet.h @@ -9,8 +9,8 @@ namespace analyzer { namespace login { class Telnet_Analyzer : public Login_Analyzer { public: - Telnet_Analyzer(Connection* conn); - virtual ~Telnet_Analyzer() {} + explicit Telnet_Analyzer(Connection* conn); + ~Telnet_Analyzer() override {} static analyzer::Analyzer* Instantiate(Connection* conn) { return new Telnet_Analyzer(conn); } 
diff --git a/src/analyzer/protocol/mime/MIME.h b/src/analyzer/protocol/mime/MIME.h index fcc921993d..2ee58f24d1 100644 --- a/src/analyzer/protocol/mime/MIME.h +++ b/src/analyzer/protocol/mime/MIME.h @@ -65,7 +65,7 @@ protected: class MIME_Header { public: - MIME_Header(MIME_Multiline* hl); + explicit MIME_Header(MIME_Multiline* hl); ~MIME_Header(); data_chunk_t get_name() const { return name; } @@ -181,7 +181,7 @@ protected: class MIME_Message { public: - MIME_Message(analyzer::Analyzer* arg_analyzer) + explicit MIME_Message(analyzer::Analyzer* arg_analyzer) { // Cannot initialize top_level entity because we do // not know its type yet (MIME_Entity / MIME_Mail / @@ -231,7 +231,7 @@ protected: class MIME_Mail : public MIME_Message { public: MIME_Mail(analyzer::Analyzer* mail_conn, bool is_orig, int buf_size = 0); - ~MIME_Mail(); + ~MIME_Mail() override; void Done() override; void BeginEntity(MIME_Entity* entity) override; diff --git a/src/analyzer/protocol/modbus/Modbus.h b/src/analyzer/protocol/modbus/Modbus.h index b60331fea9..c871e37610 100644 --- a/src/analyzer/protocol/modbus/Modbus.h +++ b/src/analyzer/protocol/modbus/Modbus.h @@ -8,14 +8,14 @@ namespace analyzer { namespace modbus { class ModbusTCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - ModbusTCP_Analyzer(Connection* conn); - virtual ~ModbusTCP_Analyzer(); + explicit ModbusTCP_Analyzer(Connection* conn); + ~ModbusTCP_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; - virtual void Undelivered(uint64 seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); + void Undelivered(uint64 seq, int len, bool orig) override; + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new ModbusTCP_Analyzer(conn); } 
diff --git a/src/analyzer/protocol/mysql/MySQL.h b/src/analyzer/protocol/mysql/MySQL.h index 5512a80941..a82acdb6d1 100644 --- a/src/analyzer/protocol/mysql/MySQL.h +++ b/src/analyzer/protocol/mysql/MySQL.h @@ -15,17 +15,17 @@ class MySQL_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - MySQL_Analyzer(Connection* conn); - virtual ~MySQL_Analyzer(); + explicit MySQL_Analyzer(Connection* conn); + ~MySQL_Analyzer() override; // Overriden from Analyzer. - virtual void Done(); + void Done() override; - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; // Overriden from tcp::TCP_ApplicationAnalyzer. - virtual void EndpointEOF(bool is_orig); + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new MySQL_Analyzer(conn); } diff --git a/src/analyzer/protocol/ncp/NCP.h b/src/analyzer/protocol/ncp/NCP.h index 11a7d6c6e2..713eca756d 100644 --- a/src/analyzer/protocol/ncp/NCP.h +++ b/src/analyzer/protocol/ncp/NCP.h @@ -31,7 +31,7 @@ namespace analyzer { namespace ncp { class NCP_Session { public: - NCP_Session(analyzer::Analyzer* analyzer); + explicit NCP_Session(analyzer::Analyzer* analyzer); virtual ~NCP_Session() {} virtual void Deliver(int is_orig, int len, const u_char* data); @@ -51,7 +51,7 @@ protected: class FrameBuffer { public: - FrameBuffer(int header_length); + explicit FrameBuffer(int header_length); virtual ~FrameBuffer(); // Returns true if a frame is ready 
@@ -80,17 +80,17 @@ public: NCP_FrameBuffer() : FrameBuffer(NCP_TCPIP_HEADER_LENGTH) {} protected: - void compute_msg_length(); + void compute_msg_length() override; }; class Contents_NCP_Analyzer : public tcp::TCP_SupportAnalyzer { public: Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Session* session); - ~Contents_NCP_Analyzer(); + ~Contents_NCP_Analyzer() override; protected: - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; NCP_FrameBuffer buffer; NCP_Session* session; @@ -101,8 +101,8 @@ protected: class NCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - NCP_Analyzer(Connection* conn); - virtual ~NCP_Analyzer(); + explicit NCP_Analyzer(Connection* conn); + ~NCP_Analyzer() override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new NCP_Analyzer(conn); } diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.h b/src/analyzer/protocol/netbios/NetbiosSSN.h index 1d7ad284e0..cfc15fceb1 100644 --- a/src/analyzer/protocol/netbios/NetbiosSSN.h +++ b/src/analyzer/protocol/netbios/NetbiosSSN.h @@ -64,7 +64,7 @@ struct NetbiosDGM_RawMsgHdr { class NetbiosSSN_Interpreter { public: - NetbiosSSN_Interpreter(Analyzer* analyzer); + explicit NetbiosSSN_Interpreter(Analyzer* analyzer); int ParseMessage(unsigned int type, unsigned int flags, const u_char* data, int len, int is_query); @@ -117,7 +117,7 @@ class Contents_NetbiosSSN : public tcp::TCP_SupportAnalyzer { public: Contents_NetbiosSSN(Connection* conn, bool orig, NetbiosSSN_Interpreter* interp); - ~Contents_NetbiosSSN(); + ~Contents_NetbiosSSN() override; void Flush(); // process any partially-received data 
@@ -141,8 +141,8 @@ protected: class NetbiosSSN_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - NetbiosSSN_Analyzer(Connection* conn); - ~NetbiosSSN_Analyzer(); + explicit NetbiosSSN_Analyzer(Connection* conn); + ~NetbiosSSN_Analyzer() override; void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, diff --git a/src/analyzer/protocol/ntlm/NTLM.h b/src/analyzer/protocol/ntlm/NTLM.h index 41117ac176..e8be2c809a 100644 --- a/src/analyzer/protocol/ntlm/NTLM.h +++ b/src/analyzer/protocol/ntlm/NTLM.h @@ -15,8 +15,8 @@ class NTLM_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - NTLM_Analyzer(Connection* conn); - virtual ~NTLM_Analyzer(); + explicit NTLM_Analyzer(Connection* conn); + ~NTLM_Analyzer() override; // Overriden from Analyzer. void Done() override; diff --git a/src/analyzer/protocol/ntp/NTP.h b/src/analyzer/protocol/ntp/NTP.h index 7987f3086d..5b5d3d7baa 100644 --- a/src/analyzer/protocol/ntp/NTP.h +++ b/src/analyzer/protocol/ntp/NTP.h @@ -38,15 +38,15 @@ struct ntpdata { class NTP_Analyzer : public analyzer::Analyzer { public: - NTP_Analyzer(Connection* conn); + explicit NTP_Analyzer(Connection* conn); static analyzer::Analyzer* Instantiate(Connection* conn) { return new NTP_Analyzer(conn); } protected: - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; int Request(const u_char* data, int len); int Reply(const u_char* data, int len); diff --git a/src/analyzer/protocol/pia/PIA.h b/src/analyzer/protocol/pia/PIA.h index 85683289a9..924b405987 100644 --- a/src/analyzer/protocol/pia/PIA.h +++ b/src/analyzer/protocol/pia/PIA.h 
@@ -19,7 +19,7 @@ namespace analyzer { namespace pia { // PIAs and then each needs its own matching-state. class PIA : public RuleMatcherState { public: - PIA(analyzer::Analyzer* as_analyzer); + explicit PIA(analyzer::Analyzer* as_analyzer); virtual ~PIA(); // Called when PIA wants to put an Analyzer in charge. rule is the @@ -90,43 +90,43 @@ private: // PIA for UDP. class PIA_UDP : public PIA, public analyzer::Analyzer { public: - PIA_UDP(Connection* conn) + explicit PIA_UDP(Connection* conn) : PIA(this), Analyzer("PIA_UDP", conn) { SetConn(conn); } - virtual ~PIA_UDP() { } + ~PIA_UDP() override { } static analyzer::Analyzer* Instantiate(Connection* conn) { return new PIA_UDP(conn); } protected: - virtual void Done() + void Done() override { Analyzer::Done(); PIA_Done(); } - virtual void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64 seq, const IP_Hdr* ip, int caplen) + void DeliverPacket(int len, const u_char* data, bool is_orig, + uint64 seq, const IP_Hdr* ip, int caplen) override { Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, true); } - virtual void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule); - virtual void DeactivateAnalyzer(analyzer::Tag tag); + void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) override; + void DeactivateAnalyzer(analyzer::Tag tag) override; }; // PIA for TCP. Accepts both packet and stream input (and reassembles // packets before passing payload on to children). class PIA_TCP : public PIA, public tcp::TCP_ApplicationAnalyzer { public: - PIA_TCP(Connection* conn) + explicit PIA_TCP(Connection* conn) : PIA(this), tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn) { stream_mode = false; SetConn(conn); } - virtual ~PIA_TCP(); + ~PIA_TCP() override; - virtual void Init(); + void Init() override; // The first packet for each direction of a connection is passed // in here. 
@@ -144,25 +144,25 @@ public: { return new PIA_TCP(conn); } protected: - virtual void Done() + void Done() override { Analyzer::Done(); PIA_Done(); } - virtual void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64 seq, const IP_Hdr* ip, int caplen) + void DeliverPacket(int len, const u_char* data, bool is_orig, + uint64 seq, const IP_Hdr* ip, int caplen) override { Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, false); } - virtual void DeliverStream(int len, const u_char* data, bool is_orig); - virtual void Undelivered(uint64 seq, int len, bool is_orig); + void DeliverStream(int len, const u_char* data, bool is_orig) override; + void Undelivered(uint64 seq, int len, bool is_orig) override; - virtual void ActivateAnalyzer(analyzer::Tag tag, - const Rule* rule = 0); - virtual void DeactivateAnalyzer(analyzer::Tag tag); + void ActivateAnalyzer(analyzer::Tag tag, + const Rule* rule = 0) override; + void DeactivateAnalyzer(analyzer::Tag tag) override; private: // FIXME: Not sure yet whether we need both pkt_buffer and stream_buffer. diff --git a/src/analyzer/protocol/pop3/POP3.h b/src/analyzer/protocol/pop3/POP3.h index 7b4b592810..9bc48a08f3 100644 --- a/src/analyzer/protocol/pop3/POP3.h +++ b/src/analyzer/protocol/pop3/POP3.h @@ -64,11 +64,11 @@ typedef enum { class POP3_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - POP3_Analyzer(Connection* conn); - ~POP3_Analyzer(); + explicit POP3_Analyzer(Connection* conn); + ~POP3_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { diff --git a/src/analyzer/protocol/radius/RADIUS.h b/src/analyzer/protocol/radius/RADIUS.h index e91b13bbcb..b7dae6fbdd 100644 --- a/src/analyzer/protocol/radius/RADIUS.h 
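Review bot: `PIA_TCP::ActivateAnalyzer` is now marked `override` but still redeclares a default argument, `const Rule* rule = 0`. Default arguments are taken from the static type at the call site, not the dynamic type, so a call through a `PIA*` uses whatever the base declares. That base declaration is outside this hunk, and the PIA_UDP override in the previous hunk carries no default. If no caller on a `PIA_TCP` relies on the default, drop it (`const Rule* rule) override;`); otherwise keep it identical to the base and spell it `nullptr`. The same pattern is in the TCP.h hunk for `TCP_ApplicationAnalyzer::ProtocolViolation` (`const char* data = 0, int len = 0`).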
+++ b/src/analyzer/protocol/radius/RADIUS.h @@ -14,13 +14,13 @@ namespace analyzer { namespace RADIUS { class RADIUS_Analyzer : public analyzer::Analyzer { public: - RADIUS_Analyzer(Connection* conn); - virtual ~RADIUS_Analyzer(); + explicit RADIUS_Analyzer(Connection* conn); + ~RADIUS_Analyzer() override; // Overriden from Analyzer. - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new RADIUS_Analyzer(conn); } diff --git a/src/analyzer/protocol/rdp/RDP.h b/src/analyzer/protocol/rdp/RDP.h index 9d4eda1db8..bc97e5999d 100644 --- a/src/analyzer/protocol/rdp/RDP.h +++ b/src/analyzer/protocol/rdp/RDP.h @@ -14,15 +14,14 @@ namespace analyzer { namespace rdp { class RDP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - RDP_Analyzer(Connection* conn); - virtual ~RDP_Analyzer(); + explicit RDP_Analyzer(Connection* conn); + ~RDP_Analyzer() override; // Overriden from Analyzer. - virtual void Done(); - - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new RDP_Analyzer(conn); } diff --git a/src/analyzer/protocol/rfb/RFB.h b/src/analyzer/protocol/rfb/RFB.h index 88a17eea5a..3b440e7740 100644 --- a/src/analyzer/protocol/rfb/RFB.h +++ b/src/analyzer/protocol/rfb/RFB.h 
@@ -15,17 +15,17 @@ class RFB_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - RFB_Analyzer(Connection* conn); - virtual ~RFB_Analyzer(); + explicit RFB_Analyzer(Connection* conn); + ~RFB_Analyzer() override; // Overriden from Analyzer. - virtual void Done(); + void Done() override; - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; // Overriden from tcp::TCP_ApplicationAnalyzer. - virtual void EndpointEOF(bool is_orig); + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) diff --git a/src/analyzer/protocol/rpc/MOUNT.h b/src/analyzer/protocol/rpc/MOUNT.h index ed0c8fc9fc..42da4f61ed 100644 --- a/src/analyzer/protocol/rpc/MOUNT.h +++ b/src/analyzer/protocol/rpc/MOUNT.h @@ -11,13 +11,13 @@ namespace analyzer { namespace rpc { class MOUNT_Interp : public RPC_Interpreter { public: - MOUNT_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } + explicit MOUNT_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } protected: - int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n); + int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override; int RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, const u_char*& buf, int& n, double start_time, - double last_time, int reply_len); + double last_time, int reply_len) override; // Returns a new val_list that already has a conn_val, rpc_status and // mount_status. These are the first parameters for each mount_* event 
@@ -42,8 +42,8 @@ protected: class MOUNT_Analyzer : public RPC_Analyzer { public: - MOUNT_Analyzer(Connection* conn); - virtual void Init(); + explicit MOUNT_Analyzer(Connection* conn); + void Init() override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new MOUNT_Analyzer(conn); } diff --git a/src/analyzer/protocol/rpc/NFS.h b/src/analyzer/protocol/rpc/NFS.h index dd336d7dee..2ec4047946 100644 --- a/src/analyzer/protocol/rpc/NFS.h +++ b/src/analyzer/protocol/rpc/NFS.h @@ -11,13 +11,13 @@ namespace analyzer { namespace rpc { class NFS_Interp : public RPC_Interpreter { public: - NFS_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } + explicit NFS_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } protected: - int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n); + int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override; int RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, const u_char*& buf, int& n, double start_time, - double last_time, int reply_len); + double last_time, int reply_len) override; // Returns a new val_list that already has a conn_val, rpc_status and // nfs_status. These are the first parameters for each nfs_* event @@ -83,8 +83,8 @@ protected: class NFS_Analyzer : public RPC_Analyzer { public: - NFS_Analyzer(Connection* conn); - virtual void Init(); + explicit NFS_Analyzer(Connection* conn); + void Init() override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new NFS_Analyzer(conn); } diff --git a/src/analyzer/protocol/rpc/Portmap.h b/src/analyzer/protocol/rpc/Portmap.h index 3704bd8383..06eed3157d 100644 --- a/src/analyzer/protocol/rpc/Portmap.h +++ b/src/analyzer/protocol/rpc/Portmap.h 
@@ -9,13 +9,13 @@ namespace analyzer { namespace rpc { class PortmapperInterp : public RPC_Interpreter { public: - PortmapperInterp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } + explicit PortmapperInterp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } protected: - int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n); + int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override; int RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status success, const u_char*& buf, int& n, double start_time, - double last_time, int reply_len); + double last_time, int reply_len) override; uint32 CheckPort(uint32 port); void Event(EventHandlerPtr f, Val* request, BifEnum::rpc_status status, Val* reply); @@ -27,9 +27,9 @@ protected: class Portmapper_Analyzer : public RPC_Analyzer { public: - Portmapper_Analyzer(Connection* conn); - virtual ~Portmapper_Analyzer(); - virtual void Init(); + explicit Portmapper_Analyzer(Connection* conn); + ~Portmapper_Analyzer() override; + void Init() override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new Portmapper_Analyzer(conn); } diff --git a/src/analyzer/protocol/rpc/RPC.h b/src/analyzer/protocol/rpc/RPC.h index ab7b3968c7..8fa19b8d53 100644 --- a/src/analyzer/protocol/rpc/RPC.h +++ b/src/analyzer/protocol/rpc/RPC.h @@ -103,7 +103,7 @@ declare(PDict,RPC_CallInfo); class RPC_Interpreter { public: - RPC_Interpreter(analyzer::Analyzer* analyzer); + explicit RPC_Interpreter(analyzer::Analyzer* analyzer); virtual ~RPC_Interpreter(); // Delivers the given RPC. Returns true if "len" bytes were @@ -190,7 +190,7 @@ protected: class Contents_RPC : public tcp::TCP_SupportAnalyzer { public: Contents_RPC(Connection* conn, bool orig, RPC_Interpreter* interp); - virtual ~Contents_RPC(); + ~Contents_RPC() override; protected: typedef enum { 
@@ -209,10 +209,10 @@ protected: RESYNC_INIT, } resync_state_t; - virtual void Init(); + void Init() override; virtual bool CheckResync(int& len, const u_char*& data, bool orig); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; virtual void NeedResync() { resync_state = NEED_RESYNC; @@ -237,13 +237,13 @@ class RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: RPC_Analyzer(const char* name, Connection* conn, RPC_Interpreter* arg_interp); - virtual ~RPC_Analyzer(); + ~RPC_Analyzer() override; - virtual void Done(); + void Done() override; protected: - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; void ExpireTimer(double t); diff --git a/src/analyzer/protocol/sip/SIP.h b/src/analyzer/protocol/sip/SIP.h index 130e70f46a..4e4496f2cb 100644 --- a/src/analyzer/protocol/sip/SIP.h +++ b/src/analyzer/protocol/sip/SIP.h @@ -10,14 +10,14 @@ namespace analyzer { namespace SIP { class SIP_Analyzer : public analyzer::Analyzer { public: - SIP_Analyzer(Connection* conn); - virtual ~SIP_Analyzer(); + explicit SIP_Analyzer(Connection* conn); + ~SIP_Analyzer() override; // Overridden from Analyzer - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new SIP_Analyzer(conn); } diff --git a/src/analyzer/protocol/sip/SIP_TCP.h b/src/analyzer/protocol/sip/SIP_TCP.h index f2a4dad479..b96e1db069 100644 
--- a/src/analyzer/protocol/sip/SIP_TCP.h +++ b/src/analyzer/protocol/sip/SIP_TCP.h @@ -14,15 +14,15 @@ namespace analyzer { namespace sip_tcp { class SIP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - SIP_Analyzer(Connection* conn); - virtual ~SIP_Analyzer(); + explicit SIP_Analyzer(Connection* conn); + ~SIP_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; // Overriden from tcp::TCP_ApplicationAnalyzer. - virtual void EndpointEOF(bool is_orig); + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new SIP_Analyzer(conn); } diff --git a/src/analyzer/protocol/smb/SMB.h b/src/analyzer/protocol/smb/SMB.h index ea9ec2e6a5..37aaa071a5 100644 --- a/src/analyzer/protocol/smb/SMB.h +++ b/src/analyzer/protocol/smb/SMB.h @@ -8,8 +8,8 @@ namespace analyzer { namespace smb { class SMB_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - SMB_Analyzer(Connection* conn); - virtual ~SMB_Analyzer(); + explicit SMB_Analyzer(Connection* conn); + ~SMB_Analyzer() override; void Done() override; void DeliverStream(int len, const u_char* data, bool orig) override; diff --git a/src/analyzer/protocol/smtp/SMTP.h b/src/analyzer/protocol/smtp/SMTP.h index b4396f28f7..846e21e57e 100644 --- a/src/analyzer/protocol/smtp/SMTP.h +++ b/src/analyzer/protocol/smtp/SMTP.h 
@@ -39,13 +39,13 @@ typedef enum { class SMTP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - SMTP_Analyzer(Connection* conn); - ~SMTP_Analyzer(); + explicit SMTP_Analyzer(Connection* conn); + ~SMTP_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void ConnectionFinished(int half_finished); - virtual void Undelivered(uint64 seq, int len, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void ConnectionFinished(int half_finished) override; + void Undelivered(uint64 seq, int len, bool orig) override; void SkipData() { skip_data = 1; } // skip delivery of data lines diff --git a/src/analyzer/protocol/snmp/SNMP.h b/src/analyzer/protocol/snmp/SNMP.h index d01704d2ae..3d709d362a 100644 --- a/src/analyzer/protocol/snmp/SNMP.h +++ b/src/analyzer/protocol/snmp/SNMP.h @@ -11,7 +11,7 @@ class SNMP_Analyzer : public analyzer::Analyzer { public: - SNMP_Analyzer(Connection* conn); + explicit SNMP_Analyzer(Connection* conn); virtual ~SNMP_Analyzer(); virtual void Done(); diff --git a/src/analyzer/protocol/socks/SOCKS.h b/src/analyzer/protocol/socks/SOCKS.h index 841f2ee2ab..eaec5c7ee2 100644 --- a/src/analyzer/protocol/socks/SOCKS.h +++ b/src/analyzer/protocol/socks/SOCKS.h 
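Review bot: In the SNMP.h hunk only the constructor is touched; `virtual ~SNMP_Analyzer();` and `virtual void Done();` directly below it keep the old spelling, unlike the neighbouring analyzer classes changed in this patch. Without `override` the compiler will not flag a later signature drift from `analyzer::Analyzer`, and a hook that silently stops overriding means the analyzer no longer receives that callback. Suggest `~SNMP_Analyzer() override;` and `void Done() override;`. The class body continues past the hunk, so any further `virtual` declarations there likely need the same change.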
@@ -16,15 +16,15 @@ namespace analyzer { namespace socks { class SOCKS_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - SOCKS_Analyzer(Connection* conn); - ~SOCKS_Analyzer(); + explicit SOCKS_Analyzer(Connection* conn); + ~SOCKS_Analyzer() override; void EndpointDone(bool orig); - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new SOCKS_Analyzer(conn); } diff --git a/src/analyzer/protocol/ssh/SSH.h b/src/analyzer/protocol/ssh/SSH.h index dc3a7c5e39..36a8919722 100644 --- a/src/analyzer/protocol/ssh/SSH.h +++ b/src/analyzer/protocol/ssh/SSH.h @@ -13,16 +13,16 @@ namespace analyzer { class SSH_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - SSH_Analyzer(Connection* conn); - virtual ~SSH_Analyzer(); + explicit SSH_Analyzer(Connection* conn); + ~SSH_Analyzer() override; // Overriden from Analyzer. - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; // Overriden from tcp::TCP_ApplicationAnalyzer. - virtual void EndpointEOF(bool is_orig); + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new SSH_Analyzer(conn); } diff --git a/src/analyzer/protocol/ssl/DTLS.h b/src/analyzer/protocol/ssl/DTLS.h index 6611a6974e..fc862707fd 100644 --- a/src/analyzer/protocol/ssl/DTLS.h +++ b/src/analyzer/protocol/ssl/DTLS.h 
@@ -13,14 +13,14 @@ namespace analyzer { namespace dtls { class DTLS_Analyzer : public analyzer::Analyzer { public: - DTLS_Analyzer(Connection* conn); - virtual ~DTLS_Analyzer(); + explicit DTLS_Analyzer(Connection* conn); + ~DTLS_Analyzer() override; // Overriden from Analyzer. - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); - virtual void EndOfData(bool is_orig); + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; + void EndOfData(bool is_orig) override; void SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig); diff --git a/src/analyzer/protocol/ssl/SSL.h b/src/analyzer/protocol/ssl/SSL.h index 4d3bceaec1..4119d72a91 100644 --- a/src/analyzer/protocol/ssl/SSL.h +++ b/src/analyzer/protocol/ssl/SSL.h @@ -13,13 +13,13 @@ namespace analyzer { namespace ssl { class SSL_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - SSL_Analyzer(Connection* conn); - virtual ~SSL_Analyzer(); + explicit SSL_Analyzer(Connection* conn); + ~SSL_Analyzer() override; // Overriden from Analyzer. - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; void SendHandshake(const u_char* begin, const u_char* end, bool orig); @@ -27,7 +27,7 @@ public: void StartEncryption(); // Overriden from tcp::TCP_ApplicationAnalyzer. - virtual void EndpointEOF(bool is_orig); + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new SSL_Analyzer(conn); } 
diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.h b/src/analyzer/protocol/stepping-stone/SteppingStone.h index c0b06d79e7..b9ebd1ff8b 100644 --- a/src/analyzer/protocol/stepping-stone/SteppingStone.h +++ b/src/analyzer/protocol/stepping-stone/SteppingStone.h @@ -19,7 +19,7 @@ declare(PDict,SteppingStoneEndpoint); class SteppingStoneEndpoint : public BroObj { public: SteppingStoneEndpoint(tcp::TCP_Endpoint* e, SteppingStoneManager* m); - ~SteppingStoneEndpoint(); + ~SteppingStoneEndpoint() override; void Done(); int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data, @@ -47,11 +47,11 @@ protected: class SteppingStone_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - SteppingStone_Analyzer(Connection* c); - virtual ~SteppingStone_Analyzer() {}; + explicit SteppingStone_Analyzer(Connection* c); + ~SteppingStone_Analyzer() override {}; - virtual void Init(); - virtual void Done(); + void Init() override; + void Done() override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new SteppingStone_Analyzer(conn); } @@ -59,9 +59,9 @@ public: protected: // We support both packet and stream input and can be put in place even // if the TCP analyzer is not yet reassebmling. - virtual void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64 seq, const IP_Hdr* ip, int caplen); - virtual void DeliverStream(int len, const u_char* data, bool is_orig); + void DeliverPacket(int len, const u_char* data, bool is_orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; + void DeliverStream(int len, const u_char* data, bool is_orig) override; int orig_stream_pos; int resp_stream_pos; diff --git a/src/analyzer/protocol/syslog/Syslog.h b/src/analyzer/protocol/syslog/Syslog.h index 8f2580806c..8701277497 100644 --- a/src/analyzer/protocol/syslog/Syslog.h +++ b/src/analyzer/protocol/syslog/Syslog.h 
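Review bot: The rewritten destructor in the second SteppingStone.h hunk keeps a stray semicolon after its body, `~SteppingStone_Analyzer() override {};`. It is harmless to the compiler but is flagged by `-Wextra-semi`. Writing `~SteppingStone_Analyzer() override { }` matches how `PIA_UDP` and `TCP_ApplicationAnalyzer` are spelled elsewhere in this patch.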
@@ -11,12 +11,12 @@ namespace analyzer { namespace syslog { class Syslog_Analyzer : public analyzer::Analyzer { public: - Syslog_Analyzer(Connection* conn); - virtual ~Syslog_Analyzer(); + explicit Syslog_Analyzer(Connection* conn); + ~Syslog_Analyzer() override; - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new Syslog_Analyzer(conn); } diff --git a/src/analyzer/protocol/tcp/ContentLine.h b/src/analyzer/protocol/tcp/ContentLine.h index 5cb6d2f3d4..f225db8029 100644 --- a/src/analyzer/protocol/tcp/ContentLine.h +++ b/src/analyzer/protocol/tcp/ContentLine.h @@ -16,7 +16,7 @@ namespace analyzer { namespace tcp { class ContentLine_Analyzer : public TCP_SupportAnalyzer { public: ContentLine_Analyzer(Connection* conn, bool orig, int max_line_length=DEFAULT_MAX_LINE_LENGTH); - ~ContentLine_Analyzer(); + ~ContentLine_Analyzer() override; void SupressWeirds(bool enable) { suppress_weirds = enable; } @@ -65,9 +65,9 @@ public: protected: ContentLine_Analyzer(const char* name, Connection* conn, bool orig, int max_line_length=DEFAULT_MAX_LINE_LENGTH); - virtual void DeliverStream(int len, const u_char* data, bool is_orig); - virtual void Undelivered(uint64 seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); + void DeliverStream(int len, const u_char* data, bool is_orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; + void EndpointEOF(bool is_orig) override; class State; void InitState(); diff --git a/src/analyzer/protocol/tcp/TCP.h b/src/analyzer/protocol/tcp/TCP.h index e5589b01a3..db3c2efa91 100644 --- a/src/analyzer/protocol/tcp/TCP.h +++ b/src/analyzer/protocol/tcp/TCP.h 
@@ -26,8 +26,8 @@ class TCP_Reassembler; class TCP_Analyzer : public analyzer::TransportLayerAnalyzer { public: - TCP_Analyzer(Connection* conn); - virtual ~TCP_Analyzer(); + explicit TCP_Analyzer(Connection* conn); + ~TCP_Analyzer() override; void EnableReassembly(); @@ -35,8 +35,8 @@ public: // independently of whether we do any reassembly. void AddChildPacketAnalyzer(analyzer::Analyzer* a); - virtual Analyzer* FindChild(ID id); - virtual Analyzer* FindChild(Tag tag); + Analyzer* FindChild(ID id) override; + Analyzer* FindChild(Tag tag) override; // True if the connection has closed in some sense, false otherwise. int IsClosed() const { return orig->did_close || resp->did_close; } @@ -62,8 +62,8 @@ public: // the test is whether it has any outstanding, un-acked data. int DataPending(TCP_Endpoint* closing_endp); - virtual void SetContentsFile(unsigned int direction, BroFile* f); - virtual BroFile* GetContentsFile(unsigned int direction) const; + void SetContentsFile(unsigned int direction, BroFile* f) override; + BroFile* GetContentsFile(unsigned int direction) const override; // Callback to process a TCP option. typedef int (*proc_tcp_option_t)(unsigned int opt, unsigned int optlen, @@ -71,7 +71,7 @@ public: bool is_orig, void* cookie); // From Analyzer.h - virtual void UpdateConnVal(RecordVal *conn_val); + void UpdateConnVal(RecordVal *conn_val) override; // Needs to be static because it's passed as a pointer-to-function // rather than pointer-to-member-function. 
@@ -88,13 +88,13 @@ protected: friend class analyzer::pia::PIA_TCP; // Analyzer interface. - virtual void Init(); - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); - virtual void FlipRoles(); - virtual bool IsReuse(double t, const u_char* pkt); + void Init() override; + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen) override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; + void FlipRoles() override; + bool IsReuse(double t, const u_char* pkt) override; // Returns the TCP header pointed to by data (which we assume is // aligned), updating data, len & caplen. Returns nil if the header @@ -205,11 +205,11 @@ public: : Analyzer(name, conn) { tcp = 0; } - TCP_ApplicationAnalyzer(Connection* conn) + explicit TCP_ApplicationAnalyzer(Connection* conn) : Analyzer(conn) { tcp = 0; } - virtual ~TCP_ApplicationAnalyzer() { } + ~TCP_ApplicationAnalyzer() override { } // This may be nil if we are not directly associated with a TCP // analyzer (e.g., we're part of a tunnel decapsulation pipeline). 
@@ -238,14 +238,14 @@ public: // of ConnectionReset is delayed. virtual void PacketWithRST(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); - virtual void Init(); + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; + void Init() override; // This suppresses violations if the TCP connection wasn't // fully established. - virtual void ProtocolViolation(const char* reason, - const char* data = 0, int len = 0); + void ProtocolViolation(const char* reason, + const char* data = 0, int len = 0) override; // "name" and "val" both now belong to this object, which needs to // delete them when done with them. @@ -260,7 +260,7 @@ public: TCP_SupportAnalyzer(const char* name, Connection* conn, bool arg_orig) : analyzer::SupportAnalyzer(name, conn, arg_orig) { } - virtual ~TCP_SupportAnalyzer() {} + ~TCP_SupportAnalyzer() override {} // These are passed on from TCP_Analyzer. virtual void EndpointEOF(bool is_orig) { } @@ -274,7 +274,7 @@ public: class TCPStats_Endpoint { public: - TCPStats_Endpoint(TCP_Endpoint* endp); + explicit TCPStats_Endpoint(TCP_Endpoint* endp); int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data, const IP_Hdr* ip, const struct tcphdr* tp); 
@@ -296,18 +296,18 @@ protected: class TCPStats_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - TCPStats_Analyzer(Connection* c); - ~TCPStats_Analyzer(); + explicit TCPStats_Analyzer(Connection* c); + ~TCPStats_Analyzer() override; - virtual void Init(); - virtual void Done(); + void Init() override; + void Done() override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new TCPStats_Analyzer(conn); } protected: - virtual void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void DeliverPacket(int len, const u_char* data, bool is_orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; TCPStats_Endpoint* orig_stats; TCPStats_Endpoint* resp_stats; diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.h b/src/analyzer/protocol/tcp/TCP_Reassembler.h index 2e85e48e2f..bacfa663e0 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.h +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.h @@ -22,7 +22,7 @@ public: TCP_Reassembler(Analyzer* arg_dst_analyzer, TCP_Analyzer* arg_tcp_analyzer, Type arg_type, TCP_Endpoint* arg_endp); - virtual ~TCP_Reassembler(); + ~TCP_Reassembler() override; void Done(); diff --git a/src/analyzer/protocol/teredo/Teredo.h b/src/analyzer/protocol/teredo/Teredo.h index af733b8814..29eeadc968 100644 --- a/src/analyzer/protocol/teredo/Teredo.h +++ b/src/analyzer/protocol/teredo/Teredo.h 
@@ -9,17 +9,17 @@ namespace analyzer { namespace teredo { class Teredo_Analyzer : public analyzer::Analyzer { public: - Teredo_Analyzer(Connection* conn) : Analyzer("TEREDO", conn), + explicit Teredo_Analyzer(Connection* conn) : Analyzer("TEREDO", conn), valid_orig(false), valid_resp(false) {} - virtual ~Teredo_Analyzer() + ~Teredo_Analyzer() override {} - virtual void Done(); + void Done() override; - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new Teredo_Analyzer(conn); } @@ -55,7 +55,7 @@ protected: class TeredoEncapsulation { public: - TeredoEncapsulation(const Teredo_Analyzer* ta) + explicit TeredoEncapsulation(const Teredo_Analyzer* ta) : inner_ip(0), origin_indication(0), auth(0), analyzer(ta) {} diff --git a/src/analyzer/protocol/udp/UDP.h b/src/analyzer/protocol/udp/UDP.h index ae00a4c61e..2c7f3ce150 100644 --- a/src/analyzer/protocol/udp/UDP.h +++ b/src/analyzer/protocol/udp/UDP.h 
@@ -15,22 +15,21 @@ typedef enum { class UDP_Analyzer : public analyzer::TransportLayerAnalyzer { public: - UDP_Analyzer(Connection* conn); - virtual ~UDP_Analyzer(); + explicit UDP_Analyzer(Connection* conn); + ~UDP_Analyzer() override; - virtual void Init(); - - virtual void UpdateConnVal(RecordVal *conn_val); + void Init() override; + void UpdateConnVal(RecordVal *conn_val) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new UDP_Analyzer(conn); } protected: - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); - virtual bool IsReuse(double t, const u_char* pkt); - virtual unsigned int MemoryAllocation() const; + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; + bool IsReuse(double t, const u_char* pkt) override; + unsigned int MemoryAllocation() const override; // Returns true if the checksum is valid, false if not static bool ValidateChecksum(const IP_Hdr* ip, const struct udphdr* up, diff --git a/src/analyzer/protocol/xmpp/XMPP.h b/src/analyzer/protocol/xmpp/XMPP.h index 202403748a..595a86d56b 100644 --- a/src/analyzer/protocol/xmpp/XMPP.h +++ b/src/analyzer/protocol/xmpp/XMPP.h @@ -11,8 +11,8 @@ namespace analyzer { namespace xmpp { class XMPP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - XMPP_Analyzer(Connection* conn); - virtual ~XMPP_Analyzer(); + explicit XMPP_Analyzer(Connection* conn); + ~XMPP_Analyzer() override; void Done() override; void DeliverStream(int len, const u_char* data, bool orig) override; diff --git a/src/analyzer/protocol/zip/ZIP.h b/src/analyzer/protocol/zip/ZIP.h index 580235ec63..de22803b26 100644 --- a/src/analyzer/protocol/zip/ZIP.h +++ b/src/analyzer/protocol/zip/ZIP.h 
@@ -15,11 +15,11 @@ public: enum Method { GZIP, DEFLATE }; ZIP_Analyzer(Connection* conn, bool orig, Method method = GZIP); - ~ZIP_Analyzer(); + ~ZIP_Analyzer() override; - virtual void Done(); + void Done() override; - virtual void DeliverStream(int len, const u_char* data, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; protected: enum { NONE, ZIP_OK, ZIP_FAIL }; diff --git a/src/broxygen/Configuration.h b/src/broxygen/Configuration.h index 7729c800b3..d41deb2c71 100644 --- a/src/broxygen/Configuration.h +++ b/src/broxygen/Configuration.h @@ -27,7 +27,7 @@ public: * an empty string most methods are a no-op. * @param delim The delimiter between target fields. */ - Config(const std::string& file, const std::string& delim = "\t"); + explicit Config(const std::string& file, const std::string& delim = "\t"); /** * Destructor, cleans up targets created when parsing config file. diff --git a/src/broxygen/IdentifierInfo.h b/src/broxygen/IdentifierInfo.h index 9a315ed3a5..be7e721838 100644 --- a/src/broxygen/IdentifierInfo.h +++ b/src/broxygen/IdentifierInfo.h @@ -36,7 +36,7 @@ public: /** * Dtor. Releases any references to script-level objects. */ - ~IdentifierInfo(); + ~IdentifierInfo() override; /** * Add a comment associated with the identifier. If the identifier is a @@ -131,12 +131,12 @@ public: private: - time_t DoGetModificationTime() const; + time_t DoGetModificationTime() const override; - std::string DoName() const + std::string DoName() const override { return id->Name(); } - std::string DoReStructuredText(bool roles_only) const; + std::string DoReStructuredText(bool roles_only) const override; struct RecordField { ~RecordField() diff --git a/src/broxygen/PackageInfo.h b/src/broxygen/PackageInfo.h index 67dd36da5f..967bbe3443 100644 --- a/src/broxygen/PackageInfo.h +++ b/src/broxygen/PackageInfo.h 
@@ -22,7 +22,7 @@ public: * @param name The name of the Bro script package (relative path from a * component within BROPATH. */ - PackageInfo(const std::string& name); + explicit PackageInfo(const std::string& name); /** * @return The content of the package's README file, each line being @@ -34,12 +34,12 @@ public: private: - time_t DoGetModificationTime() const; + time_t DoGetModificationTime() const override; - std::string DoName() const + std::string DoName() const override { return pkg_name; } - std::string DoReStructuredText(bool roles_only) const; + std::string DoReStructuredText(bool roles_only) const override; std::string pkg_name; std::vector readme; diff --git a/src/broxygen/ReStructuredTextTable.h b/src/broxygen/ReStructuredTextTable.h index c3679e6fac..34cc30c332 100644 --- a/src/broxygen/ReStructuredTextTable.h +++ b/src/broxygen/ReStructuredTextTable.h @@ -18,7 +18,7 @@ public: * Create the reST table object. * @param arg_num_cols The number of columns in the table. */ - ReStructuredTextTable(size_t arg_num_cols); + explicit ReStructuredTextTable(size_t arg_num_cols); /** * Add a new content row to the table. diff --git a/src/broxygen/ScriptInfo.h b/src/broxygen/ScriptInfo.h index 178ebdab44..d7328ef7c8 100644 --- a/src/broxygen/ScriptInfo.h +++ b/src/broxygen/ScriptInfo.h @@ -92,14 +92,14 @@ private: typedef std::map id_info_map; typedef std::set string_set; - time_t DoGetModificationTime() const; + time_t DoGetModificationTime() const override; - std::string DoName() const + std::string DoName() const override { return name; } - std::string DoReStructuredText(bool roles_only) const; + std::string DoReStructuredText(bool roles_only) const override; - void DoInitPostScript() /* override */; + void DoInitPostScript() override /* override */; std::string name; std::string path; diff --git a/src/broxygen/Target.h b/src/broxygen/Target.h index 1615ae090d..9a5a23107c 100644 --- a/src/broxygen/Target.h +++ b/src/broxygen/Target.h 
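Review bot: `void DoInitPostScript() override /* override */;` in the ScriptInfo.h hunk (`@@ -92,14`) now carries both the keyword and the old placeholder comment. The comment is redundant and should be dropped, giving `void DoInitPostScript() override;`. The same leftover appears on `DoGenerate() const override /* override */;` in the `@@ -337,7` and `@@ -357,7` hunks of Target.h. The enclosing classes start outside these hunks.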
@@ -27,7 +27,7 @@ struct TargetFile { * directories that don't already exist. * */ - TargetFile(const std::string& arg_name); + explicit TargetFile(const std::string& arg_name); /** * Close the file. @@ -185,9 +185,9 @@ protected: private: - void DoFindDependencies(const std::vector& infos); + void DoFindDependencies(const std::vector& infos) override; - void DoGenerate() const; + void DoGenerate() const override; virtual void DoCreateAnalyzerDoc(FILE* f) const = 0; }; @@ -209,7 +209,7 @@ public: private: - void DoCreateAnalyzerDoc(FILE* f) const; + void DoCreateAnalyzerDoc(FILE* f) const override; }; /** @@ -229,7 +229,7 @@ public: private: - void DoCreateAnalyzerDoc(FILE* f) const; + void DoCreateAnalyzerDoc(FILE* f) const override; }; /** @@ -249,9 +249,9 @@ public: private: - void DoFindDependencies(const std::vector& infos); + void DoFindDependencies(const std::vector& infos) override; - void DoGenerate() const; + void DoGenerate() const override; std::vector pkg_deps; std::vector script_deps; @@ -276,9 +276,9 @@ public: private: - void DoFindDependencies(const std::vector& infos); + void DoFindDependencies(const std::vector& infos) override; - void DoGenerate() const; + void DoGenerate() const override; std::vector pkg_deps; }; @@ -301,7 +301,7 @@ public: : Target(name, pattern), script_deps() { } - ~ScriptTarget() + ~ScriptTarget() override { for ( size_t i = 0; i < pkg_deps.size(); ++i ) delete pkg_deps[i]; } protected: @@ -310,9 +310,9 @@ protected: private: - void DoFindDependencies(const std::vector& infos); + void DoFindDependencies(const std::vector& infos) override; - void DoGenerate() const; + void DoGenerate() const override; bool IsDir() const { return Name()[Name().size() - 1] == '/'; } @@ -337,7 +337,7 @@ public: private: - void DoGenerate() const /* override */; + void DoGenerate() const override /* override */; }; /** 
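Review bot: The `~ScriptTarget()` destructor in the Target.h hunk `@@ -301,7` deletes every element of `pkg_deps` by hand, so an accidental copy of a `ScriptTarget` would free the same pointers twice, and nothing in the hunk shows copying being disabled. If the base class does not already forbid it, add `ScriptTarget(const ScriptTarget&) = delete;` and `ScriptTarget& operator=(const ScriptTarget&) = delete;` next to the destructor. It is also worth confirming that `pkg_deps` is the member meant here, since the constructor shown initialises `script_deps()`. The class body continues outside the hunk.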
@@ -357,7 +357,7 @@ public: private: - void DoGenerate() const /* override */; + void DoGenerate() const override /* override */; }; /** @@ -377,9 +377,9 @@ public: private: - void DoFindDependencies(const std::vector& infos); + void DoFindDependencies(const std::vector& infos) override; - void DoGenerate() const; + void DoGenerate() const override; std::vector id_deps; }; diff --git a/src/file_analysis/AnalyzerSet.h b/src/file_analysis/AnalyzerSet.h index 642792f776..3cbe5b1898 100644 --- a/src/file_analysis/AnalyzerSet.h +++ b/src/file_analysis/AnalyzerSet.h @@ -29,7 +29,7 @@ public: * Constructor. Nothing special. * @param arg_file the file to which all analyzers in the set are attached. */ - AnalyzerSet(File* arg_file); + explicit AnalyzerSet(File* arg_file); /** * Destructor. Any queued analyzer additions/removals are aborted and @@ -173,9 +173,9 @@ private: */ AddMod(file_analysis::Analyzer* arg_a, HashKey* arg_key) : Modification(), a(arg_a), key(arg_key) {} - virtual ~AddMod() {} - virtual bool Perform(AnalyzerSet* set); - virtual void Abort() { delete a; delete key; } + ~AddMod() override {} + bool Perform(AnalyzerSet* set) override; + void Abort() override { delete a; delete key; } protected: file_analysis::Analyzer* a; @@ -194,9 +194,9 @@ private: */ RemoveMod(file_analysis::Tag arg_tag, HashKey* arg_key) : Modification(), tag(arg_tag), key(arg_key) {} - virtual ~RemoveMod() {} - virtual bool Perform(AnalyzerSet* set); - virtual void Abort() { delete key; } + ~RemoveMod() override {} + bool Perform(AnalyzerSet* set) override; + void Abort() override { delete key; } protected: file_analysis::Tag tag; diff --git a/src/file_analysis/Component.h b/src/file_analysis/Component.h index 1a4d8a2fb6..b4bcbb9552 100644 --- a/src/file_analysis/Component.h +++ b/src/file_analysis/Component.h @@ -52,7 +52,7 @@ public: /** * Destructor. */ - ~Component(); + ~Component() override; /** * Initialization function. This function has to be called before any 
diff --git a/src/file_analysis/FileReassembler.h b/src/file_analysis/FileReassembler.h index aa07a84d42..c6143a5565 100644 --- a/src/file_analysis/FileReassembler.h +++ b/src/file_analysis/FileReassembler.h @@ -15,7 +15,7 @@ class FileReassembler : public Reassembler { public: FileReassembler(File* f, uint64 starting_offset); - virtual ~FileReassembler(); + ~FileReassembler() override; void Done(); diff --git a/src/file_analysis/FileTimer.h b/src/file_analysis/FileTimer.h index bdfd1fe165..57f4afb5ea 100644 --- a/src/file_analysis/FileTimer.h +++ b/src/file_analysis/FileTimer.h @@ -28,7 +28,7 @@ public: * @param t current unix time * @param is_expire true if all pending timers are being expired. */ - void Dispatch(double t, int is_expire); + void Dispatch(double t, int is_expire) override; private: string file_id; diff --git a/src/file_analysis/Tag.h b/src/file_analysis/Tag.h index 33be048108..9d131fa808 100644 --- a/src/file_analysis/Tag.h +++ b/src/file_analysis/Tag.h @@ -97,14 +97,14 @@ protected: * @param subtype The sub type, which is left to an analyzer for * interpretation. By default it's set to zero. */ - Tag(type_t type, subtype_t subtype = 0); + explicit Tag(type_t type, subtype_t subtype = 0); /** * Constructor. * * @param val An enum value of script type \c Files::Tag. */ - Tag(EnumVal* val) : ::Tag(val) {} + explicit Tag(EnumVal* val) : ::Tag(val) {} }; } diff --git a/src/file_analysis/analyzer/data_event/DataEvent.h b/src/file_analysis/analyzer/data_event/DataEvent.h index 60b0487a6f..fe1fe2cc56 100644 --- a/src/file_analysis/analyzer/data_event/DataEvent.h +++ b/src/file_analysis/analyzer/data_event/DataEvent.h 
@@ -25,7 +25,7 @@ public: * @param offset number of bytes from start of file at which chunk occurs. * @return always true */ - virtual bool DeliverChunk(const u_char* data, uint64 len, uint64 offset); + bool DeliverChunk(const u_char* data, uint64 len, uint64 offset) override; /** * Generates the event, if any, specified by the "stream_event" field of @@ -34,7 +34,7 @@ public: * @param len number of bytes in the data chunk. * @return always true */ - virtual bool DeliverStream(const u_char* data, uint64 len); + bool DeliverStream(const u_char* data, uint64 len) override; /** * Create a new instance of a DataEvent analyzer. diff --git a/src/file_analysis/analyzer/entropy/Entropy.h b/src/file_analysis/analyzer/entropy/Entropy.h index 6a5075263c..955c8484c2 100644 --- a/src/file_analysis/analyzer/entropy/Entropy.h +++ b/src/file_analysis/analyzer/entropy/Entropy.h @@ -23,7 +23,7 @@ public: /** * Destructor. */ - virtual ~Entropy(); + ~Entropy() override; /** * Create a new instance of an Extract analyzer. @@ -40,13 +40,13 @@ public: * @param len number of bytes in the data chunk. * @return false if the digest is in an invalid state, else true. */ - virtual bool DeliverStream(const u_char* data, uint64 len); + bool DeliverStream(const u_char* data, uint64 len) override; /** * Finalizes the hash and raises a "file_entropy_test" event. * @return always false so analyze will be deteched from file. */ - virtual bool EndOfFile(); + bool EndOfFile() override; /** * Missing data can't be handled, so just indicate the this analyzer should @@ -55,7 +55,7 @@ public: * @param len number of missing bytes. * @return always false so analyzer will detach from file. */ - virtual bool Undelivered(uint64 offset, uint64 len); + bool Undelivered(uint64 offset, uint64 len) override; protected: diff --git a/src/file_analysis/analyzer/extract/Extract.h b/src/file_analysis/analyzer/extract/Extract.h index cb57950d4c..c19440ee31 100644 --- a/src/file_analysis/analyzer/extract/Extract.h 
+++ b/src/file_analysis/analyzer/extract/Extract.h @@ -22,7 +22,7 @@ public: /** * Destructor. Will close the file that was used for data extraction. */ - virtual ~Extract(); + ~Extract() override; /** * Write a chunk of file data to the local extraction file. @@ -31,7 +31,7 @@ public: * @return false if there was no extraction file open and the data couldn't * be written, else true. */ - virtual bool DeliverStream(const u_char* data, uint64 len); + bool DeliverStream(const u_char* data, uint64 len) override; /** * Report undelivered bytes. @@ -39,7 +39,7 @@ public: * @param len number of bytes undelivered. * @return true */ - virtual bool Undelivered(uint64 offset, uint64 len); + bool Undelivered(uint64 offset, uint64 len) override; /** * Create a new instance of an Extract analyzer. diff --git a/src/file_analysis/analyzer/hash/Hash.h b/src/file_analysis/analyzer/hash/Hash.h index 13303e21fc..f3ec222e9a 100644 --- a/src/file_analysis/analyzer/hash/Hash.h +++ b/src/file_analysis/analyzer/hash/Hash.h @@ -23,7 +23,7 @@ public: /** * Destructor. */ - virtual ~Hash(); + ~Hash() override; /** * Incrementally hash next chunk of file contents. @@ -31,13 +31,13 @@ public: * @param len number of bytes in the data chunk. * @return false if the digest is in an invalid state, else true. */ - virtual bool DeliverStream(const u_char* data, uint64 len); + bool DeliverStream(const u_char* data, uint64 len) override; /** * Finalizes the hash and raises a "file_hash" event. * @return always false so analyze will be deteched from file. */ - virtual bool EndOfFile(); + bool EndOfFile() override; /** * Missing data can't be handled, so just indicate the this analyzer should @@ -46,7 +46,7 @@ public: * @param len number of missing bytes. * @return always false so analyzer will detach from file. */ - virtual bool Undelivered(uint64 offset, uint64 len); + bool Undelivered(uint64 offset, uint64 len) override; protected: 
diff --git a/src/file_analysis/analyzer/unified2/Unified2.h b/src/file_analysis/analyzer/unified2/Unified2.h index c2ee9e00da..b2e289c726 100644 --- a/src/file_analysis/analyzer/unified2/Unified2.h +++ b/src/file_analysis/analyzer/unified2/Unified2.h @@ -17,9 +17,9 @@ namespace file_analysis { */ class Unified2 : public file_analysis::Analyzer { public: - virtual ~Unified2(); + ~Unified2() override; - virtual bool DeliverStream(const u_char* data, uint64 len); + bool DeliverStream(const u_char* data, uint64 len) override; static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index d1d15dd14f..ca8c2c563e 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -40,7 +40,7 @@ private: class OCSP_RESPVal: public OpaqueVal { public: explicit OCSP_RESPVal(OCSP_RESPONSE *); - ~OCSP_RESPVal(); + ~OCSP_RESPVal() override; OCSP_RESPONSE *GetResp() const; protected: OCSP_RESPVal(); diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index 8cf74fc4c6..b808b676fe 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -121,7 +121,7 @@ public: /** * Destructor. */ - ~X509Val(); + ~X509Val() override; /** * Get the wrapped X509 certificate. Please take care, that the diff --git a/src/file_analysis/analyzer/x509/X509Common.h b/src/file_analysis/analyzer/x509/X509Common.h index 7e9bdd9be4..a7015bc235 100644 --- a/src/file_analysis/analyzer/x509/X509Common.h +++ b/src/file_analysis/analyzer/x509/X509Common.h @@ -16,7 +16,7 @@ namespace file_analysis { class X509Common : public file_analysis::Analyzer { public: - virtual ~X509Common() {}; + ~X509Common() override {}; /** * Retrieve an X509 extension value from an OpenSSL BIO to which it was diff --git a/src/input/Component.h b/src/input/Component.h index ce24d447e5..cd3c1ea24d 100644 
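Review bot: `~X509Common() override {};` in the X509Common.h hunk (`@@ -16,7`) keeps a stray `;` after the empty body, which `-Wextra-semi` flags. `~X509Common() override = default;` says the same thing without it. `~None() override {};` in the logging/writers/none/None.h hunk has the same form.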
--- a/src/input/Component.h +++ b/src/input/Component.h @@ -37,7 +37,7 @@ public: /** * Destructor. */ - ~Component(); + ~Component() override; /** * Initialization function. This function has to be called before any diff --git a/src/input/ReaderBackend.h b/src/input/ReaderBackend.h index 944f059fb1..84f6635da5 100644 --- a/src/input/ReaderBackend.h +++ b/src/input/ReaderBackend.h @@ -68,7 +68,7 @@ public: /** * Destructor. */ - virtual ~ReaderBackend(); + ~ReaderBackend() override; /** * A struct passing information to the reader at initialization time. diff --git a/src/input/Tag.h b/src/input/Tag.h index 78dd65676f..91d7539a39 100644 --- a/src/input/Tag.h +++ b/src/input/Tag.h @@ -98,14 +98,14 @@ protected: * @param subtype The sub type, which is left to an reader for * interpretation. By default it's set to zero. */ - Tag(type_t type, subtype_t subtype = 0); + explicit Tag(type_t type, subtype_t subtype = 0); /** * Constructor. * * @param val An enum value of script type \c Input::Reader. */ - Tag(EnumVal* val) : ::Tag(val) {} + explicit Tag(EnumVal* val) : ::Tag(val) {} }; } diff --git a/src/input/readers/ascii/Ascii.h b/src/input/readers/ascii/Ascii.h index 7a7fa52590..130fc25075 100644 --- a/src/input/readers/ascii/Ascii.h +++ b/src/input/readers/ascii/Ascii.h @@ -36,7 +36,7 @@ struct FieldMapping { class Ascii : public ReaderBackend { public: explicit Ascii(ReaderFrontend* frontend); - ~Ascii(); + ~Ascii() override; // prohibit copying and moving Ascii(const Ascii&) = delete; diff --git a/src/input/readers/benchmark/Benchmark.h b/src/input/readers/benchmark/Benchmark.h index 42501c1c29..2c71845723 100644 --- a/src/input/readers/benchmark/Benchmark.h +++ b/src/input/readers/benchmark/Benchmark.h 
@@ -13,16 +13,16 @@ namespace input { namespace reader { */ class Benchmark : public ReaderBackend { public: - Benchmark(ReaderFrontend* frontend); - ~Benchmark(); + explicit Benchmark(ReaderFrontend* frontend); + ~Benchmark() override; static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new Benchmark(frontend); } protected: - virtual bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields); - virtual void DoClose(); - virtual bool DoUpdate(); - virtual bool DoHeartbeat(double network_time, double current_time); + bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields) override; + void DoClose() override; + bool DoUpdate() override; + bool DoHeartbeat(double network_time, double current_time) override; private: double CurrTime(); diff --git a/src/input/readers/binary/Binary.h b/src/input/readers/binary/Binary.h index 587d56cfa7..6fd5a3b001 100644 --- a/src/input/readers/binary/Binary.h +++ b/src/input/readers/binary/Binary.h @@ -14,19 +14,18 @@ namespace input { namespace reader { */ class Binary : public ReaderBackend { public: - Binary(ReaderFrontend* frontend); - - ~Binary(); + explicit Binary(ReaderFrontend* frontend); + ~Binary() override; static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new Binary(frontend); } protected: - virtual bool DoInit(const ReaderInfo& info, int arg_num_fields, - const threading::Field* const* fields); - virtual void DoClose(); - virtual bool DoUpdate(); - virtual bool DoHeartbeat(double network_time, double current_time); + bool DoInit(const ReaderInfo& info, int arg_num_fields, + const threading::Field* const* fields) override; + void DoClose() override; + bool DoUpdate() override; + bool DoHeartbeat(double network_time, double current_time) override; private: bool OpenInput(); diff --git a/src/input/readers/config/Config.h b/src/input/readers/config/Config.h index 05f1f6b767..b0dc83f725 100644 
--- a/src/input/readers/config/Config.h +++ b/src/input/readers/config/Config.h @@ -20,7 +20,7 @@ namespace input { namespace reader { class Config : public ReaderBackend { public: explicit Config(ReaderFrontend* frontend); - ~Config(); + ~Config() override; // prohibit copying and moving Config(const Config&) = delete; diff --git a/src/input/readers/raw/Plugin.h b/src/input/readers/raw/Plugin.h index 8b7f9edc10..31fa611130 100644 --- a/src/input/readers/raw/Plugin.h +++ b/src/input/readers/raw/Plugin.h @@ -13,10 +13,10 @@ class Plugin : public plugin::Plugin { public: Plugin(); - plugin::Configuration Configure(); + plugin::Configuration Configure() override; - virtual void InitPreScript(); - virtual void Done(); + void InitPreScript() override; + void Done() override; std::unique_lock ForkMutex(); diff --git a/src/input/readers/raw/Raw.h b/src/input/readers/raw/Raw.h index ec50ade8fe..c6075cbe70 100644 --- a/src/input/readers/raw/Raw.h +++ b/src/input/readers/raw/Raw.h @@ -18,7 +18,7 @@ namespace input { namespace reader { class Raw : public ReaderBackend { public: explicit Raw(ReaderFrontend* frontend); - ~Raw(); + ~Raw() override; // prohibit copying and moving Raw(const Raw&) = delete; diff --git a/src/input/readers/sqlite/SQLite.h b/src/input/readers/sqlite/SQLite.h index 5add678b16..2aa01017e1 100644 --- a/src/input/readers/sqlite/SQLite.h +++ b/src/input/readers/sqlite/SQLite.h 
@@ -16,16 +16,16 @@ namespace input { namespace reader { class SQLite : public ReaderBackend { public: - SQLite(ReaderFrontend* frontend); - ~SQLite(); + explicit SQLite(ReaderFrontend* frontend); + ~SQLite() override; static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new SQLite(frontend); } protected: - virtual bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* arg_fields); - virtual void DoClose(); - virtual bool DoUpdate(); - virtual bool DoHeartbeat(double network_time, double current_time) { return true; } + bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* arg_fields) override; + void DoClose() override; + bool DoUpdate() override; + bool DoHeartbeat(double network_time, double current_time) override { return true; } private: bool checkError(int code); diff --git a/src/iosource/Component.h b/src/iosource/Component.h index 57e1084d3a..2d9d19e799 100644 --- a/src/iosource/Component.h +++ b/src/iosource/Component.h @@ -27,12 +27,12 @@ public: * @param name A descriptive name for the component. This name must * be unique across all components of this type. */ - Component(const std::string& name); + explicit Component(const std::string& name); /** * Destructor. */ - ~Component(); + ~Component() override; protected: /** @@ -80,7 +80,7 @@ public: /** * Destructor. */ - virtual ~PktSrcComponent(); + ~PktSrcComponent() override; /** * Returns the prefix(es) passed to the constructor. @@ -113,7 +113,7 @@ public: * Generates a human-readable description of the component. This goes * into the output of \c "bro -NN". */ - virtual void DoDescribe(ODesc* d) const; + void DoDescribe(ODesc* d) const override; private: std::vector prefixes; @@ -139,7 +139,7 @@ public: /** * Destructor. */ - ~PktDumperComponent(); + ~PktDumperComponent() override; /** * Returns the prefix(es) passed to the constructor. 
@@ -160,7 +160,7 @@ public: * Generates a human-readable description of the component. This goes * into the output of \c "bro -NN". */ - virtual void DoDescribe(ODesc* d) const; + void DoDescribe(ODesc* d) const override; private: std::vector prefixes; diff --git a/src/iosource/PktSrc.h b/src/iosource/PktSrc.h index f2f14aa9c2..dcf5f38de8 100644 --- a/src/iosource/PktSrc.h +++ b/src/iosource/PktSrc.h @@ -57,7 +57,7 @@ public: /** * Destructor. */ - virtual ~PktSrc(); + ~PktSrc() override; /** * Returns the path associated with the source. This is the interface @@ -345,13 +345,13 @@ private: bool ExtractNextPacketInternal(); // IOSource interface implementation. - virtual void Init(); - virtual void Done(); - virtual void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, - iosource::FD_Set* except); - virtual double NextTimestamp(double* local_network_time); - virtual void Process(); - virtual const char* Tag(); + void Init() override; + void Done() override; + void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, + iosource::FD_Set* except) override; + double NextTimestamp(double* local_network_time) override; + void Process() override; + const char* Tag() override; Properties props; diff --git a/src/iosource/pcap/Dumper.h b/src/iosource/pcap/Dumper.h index 7950912d56..19defc627f 100644 --- a/src/iosource/pcap/Dumper.h +++ b/src/iosource/pcap/Dumper.h @@ -15,15 +15,15 @@ namespace pcap { class PcapDumper : public PktDumper { public: PcapDumper(const std::string& path, bool append); - virtual ~PcapDumper(); + ~PcapDumper() override; static PktDumper* Instantiate(const std::string& path, bool appen); protected: // PktDumper interface. - virtual void Open(); - virtual void Close(); - virtual bool Dump(const Packet* pkt); + void Open() override; + void Close() override; + bool Dump(const Packet* pkt) override; private: Properties props; diff --git a/src/iosource/pcap/Source.h b/src/iosource/pcap/Source.h index f3c193d855..1672d1c10f 100644 
--- a/src/iosource/pcap/Source.h +++ b/src/iosource/pcap/Source.h @@ -11,19 +11,19 @@ namespace pcap { class PcapSource : public iosource::PktSrc { public: PcapSource(const std::string& path, bool is_live); - virtual ~PcapSource(); + ~PcapSource() override; static PktSrc* Instantiate(const std::string& path, bool is_live); protected: // PktSrc interface. - virtual void Open(); - virtual void Close(); - virtual bool ExtractNextPacket(Packet* pkt); - virtual void DoneWithPacket(); - virtual bool PrecompileFilter(int index, const std::string& filter); - virtual bool SetFilter(int index); - virtual void Statistics(Stats* stats); + void Open() override; + void Close() override; + bool ExtractNextPacket(Packet* pkt) override; + void DoneWithPacket() override; + bool PrecompileFilter(int index, const std::string& filter) override; + bool SetFilter(int index) override; + void Statistics(Stats* stats) override; private: void OpenLive(); diff --git a/src/logging/Component.h b/src/logging/Component.h index a7ef2a0c31..d99803b165 100644 --- a/src/logging/Component.h +++ b/src/logging/Component.h @@ -37,7 +37,7 @@ public: /** * Destructor. */ - ~Component(); + ~Component() override; /** * Initialization function. This function has to be called before any diff --git a/src/logging/Tag.h b/src/logging/Tag.h index bcb7af946b..ab0a702d47 100644 --- a/src/logging/Tag.h +++ b/src/logging/Tag.h @@ -98,14 +98,14 @@ protected: * @param subtype The sub type, which is left to an writer for * interpretation. By default it's set to zero. */ - Tag(type_t type, subtype_t subtype = 0); + explicit Tag(type_t type, subtype_t subtype = 0); /** * Constructor. * * @param val An enum value of script type \c Log::Writer. */ - Tag(EnumVal* val) : ::Tag(val) {} + explicit Tag(EnumVal* val) : ::Tag(val) {} }; } diff --git a/src/logging/WriterBackend.h b/src/logging/WriterBackend.h index f6602cc8ca..49c7a95857 100644 --- a/src/logging/WriterBackend.h +++ b/src/logging/WriterBackend.h 
@@ -47,7 +47,7 @@ public: /** * Destructor. */ - virtual ~WriterBackend(); + ~WriterBackend() override; /** * A struct passing information to the writer at initialization time. diff --git a/src/logging/writers/ascii/Ascii.h b/src/logging/writers/ascii/Ascii.h index eabeda4242..d1a6f2d0f3 100644 --- a/src/logging/writers/ascii/Ascii.h +++ b/src/logging/writers/ascii/Ascii.h @@ -14,8 +14,8 @@ namespace logging { namespace writer { class Ascii : public WriterBackend { public: - Ascii(WriterFrontend* frontend); - ~Ascii(); + explicit Ascii(WriterFrontend* frontend); + ~Ascii() override; static string LogExt(); @@ -23,19 +23,19 @@ public: { return new Ascii(frontend); } protected: - virtual bool DoInit(const WriterInfo& info, int num_fields, - const threading::Field* const* fields); - virtual bool DoWrite(int num_fields, const threading::Field* const* fields, - threading::Value** vals); - virtual bool DoSetBuf(bool enabled); - virtual bool DoRotate(const char* rotated_path, double open, - double close, bool terminating); - virtual bool DoFlush(double network_time); - virtual bool DoFinish(double network_time); - virtual bool DoHeartbeat(double network_time, double current_time); + bool DoInit(const WriterInfo& info, int num_fields, + const threading::Field* const* fields) override; + bool DoWrite(int num_fields, const threading::Field* const* fields, + threading::Value** vals) override; + bool DoSetBuf(bool enabled) override; + bool DoRotate(const char* rotated_path, double open, + double close, bool terminating) override; + bool DoFlush(double network_time) override; + bool DoFinish(double network_time) override; + bool DoHeartbeat(double network_time, double current_time) override; private: - bool IsSpecial(string path) { return path.find("/dev/") == 0; } + bool IsSpecial(const string &path) { return path.find("/dev/") == 0; } bool WriteHeader(const string& path); bool WriteHeaderField(const string& key, const string& value); void CloseFile(double t); 
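Review bot: `IsSpecial(const string &path)` in the logging/writers/ascii/Ascii.h hunk (`@@ -23,19`) reads no member state and could be `const`, and its `const string &path` spacing differs from `WriteHeader(const string& path)` on the next line. `path.find("/dev/") == 0` also searches the whole string when only the prefix matters; `bool IsSpecial(const string& path) const { return path.compare(0, 5, "/dev/") == 0; }` checks just the first five characters. The test is purely lexical, so callers should not read it as proof that the path resolves to a device node. How the result is used is outside this hunk.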
diff --git a/src/logging/writers/none/None.h b/src/logging/writers/none/None.h index fda9a35330..24193341b5 100644 --- a/src/logging/writers/none/None.h +++ b/src/logging/writers/none/None.h @@ -11,24 +11,23 @@ namespace logging { namespace writer { class None : public WriterBackend { public: - None(WriterFrontend* frontend) : WriterBackend(frontend) {} - ~None() {}; + explicit None(WriterFrontend* frontend) : WriterBackend(frontend) {} + ~None() override {}; static WriterBackend* Instantiate(WriterFrontend* frontend) { return new None(frontend); } protected: - virtual bool DoInit(const WriterInfo& info, int num_fields, - const threading::Field* const * fields); - - virtual bool DoWrite(int num_fields, const threading::Field* const* fields, - threading::Value** vals) { return true; } - virtual bool DoSetBuf(bool enabled) { return true; } - virtual bool DoRotate(const char* rotated_path, double open, - double close, bool terminating); - virtual bool DoFlush(double network_time) { return true; } - virtual bool DoFinish(double network_time) { return true; } - virtual bool DoHeartbeat(double network_time, double current_time) { return true; } + bool DoInit(const WriterInfo& info, int num_fields, + const threading::Field* const * fields) override; + bool DoWrite(int num_fields, const threading::Field* const* fields, + threading::Value** vals) override { return true; } + bool DoSetBuf(bool enabled) override { return true; } + bool DoRotate(const char* rotated_path, double open, + double close, bool terminating) override; + bool DoFlush(double network_time) override { return true; } + bool DoFinish(double network_time) override { return true; } + bool DoHeartbeat(double network_time, double current_time) override { return true; } }; } diff --git a/src/logging/writers/sqlite/Plugin.cc b/src/logging/writers/sqlite/Plugin.cc index 75e6497c99..f48ec838f1 100644 --- a/src/logging/writers/sqlite/Plugin.cc +++ b/src/logging/writers/sqlite/Plugin.cc 
@@ -10,7 +10,7 @@ namespace Bro_SQLiteWriter { class Plugin : public plugin::Plugin { public: - plugin::Configuration Configure() + plugin::Configuration Configure() override { AddComponent(new ::logging::Component("SQLite", ::logging::writer::SQLite::Instantiate)); diff --git a/src/logging/writers/sqlite/SQLite.h b/src/logging/writers/sqlite/SQLite.h index 1db53614a2..3ad535e543 100644 --- a/src/logging/writers/sqlite/SQLite.h +++ b/src/logging/writers/sqlite/SQLite.h 
@@ -15,23 +15,23 @@ namespace logging { namespace writer { class SQLite : public WriterBackend { public: - SQLite(WriterFrontend* frontend); - ~SQLite(); + explicit SQLite(WriterFrontend* frontend); + ~SQLite() override; static WriterBackend* Instantiate(WriterFrontend* frontend) { return new SQLite(frontend); } protected: - virtual bool DoInit(const WriterInfo& info, int arg_num_fields, - const threading::Field* const* arg_fields); - virtual bool DoWrite(int num_fields, const threading::Field* const* fields, - threading::Value** vals); - virtual bool DoSetBuf(bool enabled) { return true; } - virtual bool DoRotate(const char* rotated_path, double open, - double close, bool terminating); - virtual bool DoFlush(double network_time) { return true; } - virtual bool DoFinish(double network_time) { return true; } - virtual bool DoHeartbeat(double network_time, double current_time) { return true; } + bool DoInit(const WriterInfo& info, int arg_num_fields, + const threading::Field* const* arg_fields) override; + bool DoWrite(int num_fields, const threading::Field* const* fields, + threading::Value** vals) override; + bool DoSetBuf(bool enabled) override { return true; } + bool DoRotate(const char* rotated_path, double open, + double close, bool terminating) override; + bool DoFlush(double network_time) override { return true; } + bool DoFinish(double network_time) override { return true; } + bool DoHeartbeat(double network_time, double current_time) override { return true; } private: bool checkError(int code); diff --git a/src/plugin/TaggedComponent.h b/src/plugin/TaggedComponent.h index 4c7adc1bd6..2d507660c2 100644 --- a/src/plugin/TaggedComponent.h +++ b/src/plugin/TaggedComponent.h 
@@ -25,7 +25,7 @@ public: * and component instances can accordingly access it via Tag(). * If not used, leave at zero. */ - TaggedComponent(typename T::subtype_t subtype = 0); + explicit TaggedComponent(typename T::subtype_t subtype = 0); /** * Initializes tag by creating the unique tag value for thos componend. diff --git a/src/probabilistic/BloomFilter.h b/src/probabilistic/BloomFilter.h index 7fc32a9442..288a24d416 100644 --- a/src/probabilistic/BloomFilter.h +++ b/src/probabilistic/BloomFilter.h @@ -19,7 +19,7 @@ public: /** * Destructor. */ - virtual ~BloomFilter(); + ~BloomFilter() override; /** * Adds an element to the Bloom filter. @@ -103,7 +103,7 @@ protected: * * @param hasher The hasher to use for this Bloom filter. */ - BloomFilter(const Hasher* hasher); + explicit BloomFilter(const Hasher* hasher); const Hasher* hasher; }; @@ -127,7 +127,7 @@ public: /** * Destructor. */ - ~BasicBloomFilter(); + ~BasicBloomFilter() override; /** * Computes the number of cells based on a given false positive rate @@ -158,11 +158,11 @@ public: static size_t K(size_t cells, size_t capacity); // Overridden from BloomFilter. - virtual bool Empty() const override; - virtual void Clear() override; - virtual bool Merge(const BloomFilter* other) override; - virtual BasicBloomFilter* Clone() const override; - virtual string InternalState() const override; + bool Empty() const override; + void Clear() override; + bool Merge(const BloomFilter* other) override; + BasicBloomFilter* Clone() const override; + string InternalState() const override; protected: DECLARE_SERIAL(BasicBloomFilter); @@ -173,8 +173,8 @@ protected: BasicBloomFilter(); // Overridden from BloomFilter. - virtual void Add(const HashKey* key) override; - virtual size_t Count(const HashKey* key) const override; + void Add(const HashKey* key) override; + size_t Count(const HashKey* key) const override; private: BitVector* bits; 
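Review bot: The doc comment on the now-`explicit` constructor `BloomFilter(const Hasher* hasher)` (BloomFilter.h hunk at -103,7) does not say who owns `hasher`, while the same hunk shows it stored as the raw member `const Hasher* hasher;`. Whether the filter deletes it is decided in the .cc file, which is not part of this diff, so a caller reading only the header cannot tell whether passing a hasher hands it over. Extending the parameter line, for example `@param hasher The hasher to use for this Bloom filter. The filter takes ownership.` (or the opposite wording, if the caller keeps it), would remove a likely source of double frees or leaks.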
@@ -200,14 +200,14 @@ public: /** * Destructor. */ - ~CountingBloomFilter(); + ~CountingBloomFilter() override; // Overridden from BloomFilter. - virtual bool Empty() const override; - virtual void Clear() override; - virtual bool Merge(const BloomFilter* other) override; - virtual CountingBloomFilter* Clone() const override; - virtual string InternalState() const override; + bool Empty() const override; + void Clear() override; + bool Merge(const BloomFilter* other) override; + CountingBloomFilter* Clone() const override; + string InternalState() const override; protected: DECLARE_SERIAL(CountingBloomFilter); @@ -218,8 +218,8 @@ protected: CountingBloomFilter(); // Overridden from BloomFilter. - virtual void Add(const HashKey* key) override; - virtual size_t Count(const HashKey* key) const override; + void Add(const HashKey* key) override; + size_t Count(const HashKey* key) const override; private: CounterVector* cells; diff --git a/src/probabilistic/CounterVector.h b/src/probabilistic/CounterVector.h index 247a646eb1..422d172292 100644 --- a/src/probabilistic/CounterVector.h +++ b/src/probabilistic/CounterVector.h @@ -26,7 +26,7 @@ public: * * @pre `cells > 0 && width > 0` */ - CounterVector(size_t width, size_t cells = 1024); + explicit CounterVector(size_t width, size_t cells = 1024); /** * Copy-constructs a counter vector. @@ -38,7 +38,7 @@ public: /** * Destructor. */ - ~CounterVector(); + ~CounterVector() override; /** * Increments a given cell. diff --git a/src/probabilistic/Hasher.h b/src/probabilistic/Hasher.h index da83104e9d..7fd2e4fb2f 100644 --- a/src/probabilistic/Hasher.h +++ b/src/probabilistic/Hasher.h @@ -43,7 +43,7 @@ public: /** * Destructor. */ - virtual ~Hasher() { } + ~Hasher() override { } /** * Computes hash values for an element. @@ -138,7 +138,7 @@ public: * * @param arg_seed The seed to use for this instance. */ - UHF(Hasher::seed_t arg_seed); + explicit UHF(Hasher::seed_t arg_seed); template Hasher::digest operator()(const T& x) const 
@@ -204,9 +204,9 @@ public: DefaultHasher(size_t k, Hasher::seed_t seed); // Overridden from Hasher. - virtual digest_vector Hash(const void* x, size_t n) const final; - virtual DefaultHasher* Clone() const final; - virtual bool Equals(const Hasher* other) const final; + digest_vector Hash(const void* x, size_t n) const final; + DefaultHasher* Clone() const final; + bool Equals(const Hasher* other) const final; DECLARE_SERIAL(DefaultHasher); @@ -232,9 +232,9 @@ public: DoubleHasher(size_t k, Hasher::seed_t seed); // Overridden from Hasher. - virtual digest_vector Hash(const void* x, size_t n) const final; - virtual DoubleHasher* Clone() const final; - virtual bool Equals(const Hasher* other) const final; + digest_vector Hash(const void* x, size_t n) const final; + DoubleHasher* Clone() const final; + bool Equals(const Hasher* other) const final; DECLARE_SERIAL(DoubleHasher); diff --git a/src/probabilistic/Topk.h b/src/probabilistic/Topk.h index a9a0d80818..fac677a454 100644 --- a/src/probabilistic/Topk.h +++ b/src/probabilistic/Topk.h @@ -45,12 +45,12 @@ public: * * @return A newly initialized TopkVal */ - TopkVal(uint64 size); + explicit TopkVal(uint64 size); /** * Destructor. */ - ~TopkVal(); + ~TopkVal() override; /** * Call this when a new value is encountered. Note that on the first diff --git a/src/threading/Manager.h b/src/threading/Manager.h index 70e592fa10..dce35cde3a 100644 --- a/src/threading/Manager.h +++ b/src/threading/Manager.h @@ -33,7 +33,7 @@ public: /** * Destructir. */ - ~Manager(); + ~Manager() override; /** * Terminates the manager's processor. The method signals all threads 
@@ -103,23 +103,23 @@ protected: /** * Part of the IOSource interface. */ - virtual void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, - iosource::FD_Set* except); + void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, + iosource::FD_Set* except) override; /** * Part of the IOSource interface. */ - virtual double NextTimestamp(double* network_time); + double NextTimestamp(double* network_time) override; /** * Part of the IOSource interface. */ - virtual void Process(); + void Process() override; /** * Part of the IOSource interface. */ - virtual const char* Tag() { return "threading::Manager"; } + const char* Tag() override { return "threading::Manager"; } private: typedef std::list all_thread_list; diff --git a/src/threading/MsgThread.h b/src/threading/MsgThread.h index 480ab2974c..60da2d9668 100644 --- a/src/threading/MsgThread.h +++ b/src/threading/MsgThread.h @@ -339,7 +339,7 @@ protected: * @param arg_name A descriptive name for the type of message. Used * mainly for debugging purposes. */ - Message(const char* arg_name) + explicit Message(const char* arg_name) { name = copy_string(arg_name); } private: @@ -358,7 +358,7 @@ protected: * @param name A descriptive name for the type of message. Used * mainly for debugging purposes. */ - BasicInputMessage(const char* name) : Message(name) {} + explicit BasicInputMessage(const char* name) : Message(name) {} }; /** @@ -373,7 +373,7 @@ protected: * @param name A descriptive name for the type of message. Used * mainly for debugging purposes. */ - BasicOutputMessage(const char* name) : Message(name) {} + explicit BasicOutputMessage(const char* name) : Message(name) {} }; /** diff --git a/src/threading/formatters/JSON.h b/src/threading/formatters/JSON.h index 04209fbde9..4984f74067 100644 --- a/src/threading/formatters/JSON.h +++ b/src/threading/formatters/JSON.h 
@@ -20,12 +20,12 @@ public: }; JSON(threading::MsgThread* t, TimeFormat tf); - virtual ~JSON(); + ~JSON() override; - virtual bool Describe(ODesc* desc, threading::Value* val, const string& name = "") const; - virtual bool Describe(ODesc* desc, int num_fields, const threading::Field* const * fields, - threading::Value** vals) const; - virtual threading::Value* ParseValue(const string& s, const string& name, TypeTag type, TypeTag subtype = TYPE_ERROR) const; + bool Describe(ODesc* desc, threading::Value* val, const string& name = "") const override; + bool Describe(ODesc* desc, int num_fields, const threading::Field* const * fields, + threading::Value** vals) const override; + threading::Value* ParseValue(const string& s, const string& name, TypeTag type, TypeTag subtype = TYPE_ERROR) const override; void SurroundingBraces(bool use_braces); diff --git a/src/util.h b/src/util.h index 5dc2484319..05305dd55c 100644 --- a/src/util.h +++ b/src/util.h @@ -275,8 +275,8 @@ protected: class SafeDirname : public SafePathOp { public: - SafeDirname(const char* path, bool error_aborts = true); - SafeDirname(const std::string& path, bool error_aborts = true); + explicit SafeDirname(const char* path, bool error_aborts = true); + explicit SafeDirname(const std::string& path, bool error_aborts = true); private: @@ -286,8 +286,8 @@ private: class SafeBasename : public SafePathOp { public: - SafeBasename(const char* path, bool error_aborts = true); - SafeBasename(const std::string& path, bool error_aborts = true); + explicit SafeBasename(const char* path, bool error_aborts = true); + explicit SafeBasename(const std::string& path, bool error_aborts = true); private: From 5145b5cb4e855d7f2d254a2c68301a9f1272ddc4 Mon Sep 17 00:00:00 2001 From: Vladimir Ruzanov Date: Tue, 27 Mar 2018 23:32:06 +0300 Subject: [PATCH 349/631] Fix NETBIOSSSN analyzer name --- src/analyzer/protocol/netbios/NetbiosSSN.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
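Review bot: Two of the overrides in the JSON.h hunk keep default arguments, `const string& name = ""` on `Describe` and `TypeTag subtype = TYPE_ERROR` on `ParseValue`. Default arguments are taken from the static type at the call site, not from the override that ends up running, so they only behave as expected if the base-class declarations carry the same defaults; those declarations are outside this hunk. A short comment above each, such as `// default must match the base-class declaration`, would keep the two from drifting apart now that `override` makes the relationship explicit.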
diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.cc b/src/analyzer/protocol/netbios/NetbiosSSN.cc index 5e6231de37..2153b9cad7 100644 --- a/src/analyzer/protocol/netbios/NetbiosSSN.cc +++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc @@ -455,7 +455,7 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig) } NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn) -: tcp::TCP_ApplicationAnalyzer("NETBIOS", conn) +: tcp::TCP_ApplicationAnalyzer("NETBIOSSSN", conn) { //smb_session = new SMB_Session(this); interp = new NetbiosSSN_Interpreter(this); From f39efd03172369b373b1f2b1d90d1de76ffa37f5 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 27 Mar 2018 14:58:06 -0700 Subject: [PATCH 350/631] Recognize TLS 1.3 negotiation correctly. The way in which TLS 1.3 is negotiated was changed slightly in later revisions of the standard. The final version is only sent in an extension - while the version field in the server hello still shows TLS 1.2. This patch makes ssl.log show the correct version again. --- scripts/base/protocols/ssl/main.bro | 19 ++++++++++++++++-- .../protocol/ssl/tls-handshake-analyzer.pac | 15 ++++++++++++++ .../protocol/ssl/tls-handshake-protocol.pac | 6 +++++- .../ssl.log | 6 +++--- .../ssl.log | 10 +++++++++ ...tls13draft23-chrome67.0.3368.0-canary.pcap | Bin 0 -> 5816 bytes .../base/protocols/ssl/tls13-experiment.test | 3 +++ .../base/protocols/ssl/tls13-version.test | 4 ++++ 8 files changed, 57 insertions(+), 6 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.tls13-version/ssl.log create mode 100644 testing/btest/Traces/tls/tls13draft23-chrome67.0.3368.0-canary.pcap create mode 100644 testing/btest/scripts/base/protocols/ssl/tls13-version.test diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index 5a50d4a4c3..6ac4260537 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro 
@@ -216,14 +216,29 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, server_ { set_session(c); - c$ssl$version_num = version; - c$ssl$version = version_strings[version]; + # If it is already filled, we saw a supported_versions extensions which overrides this. + if ( ! c$ssl?$version_num ) + { + c$ssl$version_num = version; + c$ssl$version = version_strings[version]; + } c$ssl$cipher = cipher_desc[cipher]; if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) ) c$ssl$resumed = T; } +event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec) + { + if ( is_orig || |versions| != 1 ) + return; + + set_session(c); + + c$ssl$version_num = versions[0]; + c$ssl$version = version_strings[versions[0]]; + } + event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priority=5 { set_session(c); diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index b45fb7d2a9..fde5ee9cbc 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -205,6 +205,17 @@ refine connection Handshake_Conn += { return true; %} + function proc_one_supported_version(rec: HandshakeRecord, version: uint16) : bool + %{ + VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType()); + versions->Assign(0u, new Val(version, TYPE_COUNT)); + + BifEvent::generate_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, versions); + + return true; + %} + function proc_psk_key_exchange_modes(rec: HandshakeRecord, mode_list: uint8[]) : bool %{ VectorVal* modes = new VectorVal(internal_type("index_vec")->AsVectorType()); 
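Review bot: The new guard `if ( ! c$ssl?$version_num )` in `ssl_server_hello` cannot tell a value set by `ssl_extension_supported_versions` from one left by an earlier server hello on the same connection, although the comment assumes the former. If `c$ssl` is not reset between handshakes (not visible in this hunk), a renegotiated session would keep the version from the first handshake in ssl.log. Recording that the value came from the extension, for instance with a boolean set in `ssl_extension_supported_versions` and tested here instead of `?$version_num`, would make the override explicit. For detection it would also help to keep the legacy server-hello `version` in its own field, because a server-chosen value that disagrees with it, or that the client never offered, is then visible in the log instead of being overwritten.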
@@ -501,6 +512,10 @@ refine typeattr SupportedVersions += &let { proc : bool = $context.connection.proc_supported_versions(rec, versions); }; +refine typeattr OneSupportedVersion += &let { + proc : bool = $context.connection.proc_one_supported_version(rec, version); +}; + refine typeattr PSKKeyExchangeModes += &let { proc : bool = $context.connection.proc_psk_key_exchange_modes(rec, modes); }; diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index e6b3754d07..33c75294a8 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -786,7 +786,7 @@ type SSLExtension(rec: HandshakeRecord) = record { type SupportedVersionsSelector(rec: HandshakeRecord, data_len: uint16) = case rec.is_orig of { true -> a: SupportedVersions(rec); - false -> b: bytestring &length=data_len &transient; + false -> b: OneSupportedVersion(rec); } type SupportedVersions(rec: HandshakeRecord) = record { @@ -794,6 +794,10 @@ type SupportedVersions(rec: HandshakeRecord) = record { versions: uint16[] &until($input.length() == 0); } &length=length+1; +type OneSupportedVersion(rec: HandshakeRecord) = record { + version: uint16; +}; + type PSKKeyExchangeModes(rec: HandshakeRecord) = record { length: uint8; modes: uint8[] &until($input.length() == 0); diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/ssl.log index c88237dd18..e7e6bc5f54 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/ssl.log +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-experiment/ssl.log 
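Review bot: The server-side branch of `SupportedVersionsSelector` no longer uses `data_len`: `OneSupportedVersion` reads a fixed `uint16`, where the replaced field was `bytestring &length=data_len &transient`. What happens when a server sends this extension with a body that is not exactly two bytes now depends on length bounds in the enclosing `SSLExtension` record, which lies outside this hunk. It would be safer to make the expectation explicit: bound the server-side field by the extension length as the old line did, and raise the event only when `data_len` is 2. A comment on `OneSupportedVersion` saying that it carries the single version selected by the server would also help.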
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ssl -#open 2017-09-10-05-23-15 +#open 2018-03-27-21-54-13 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string -1505019126.007778 CHhAvVGS1DHFjwGM9 192.168.0.2 62873 104.196.219.53 443 TLSv12 TLS_AES_128_GCM_SHA256 x25519 tls.ctf.network T - - T - - - - - - -#close 2017-09-10-05-23-16 +1505019126.007778 CHhAvVGS1DHFjwGM9 192.168.0.2 62873 104.196.219.53 443 unknown-32257 TLS_AES_128_GCM_SHA256 x25519 tls.ctf.network T - - T - - - - - - +#close 2018-03-27-21-54-13 diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-version/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-version/ssl.log new file mode 100644 index 0000000000..b5106d5830 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.tls13-version/ssl.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2018-03-27-21-57-37 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string +1520820013.621497 CHhAvVGS1DHFjwGM9 192.168.86.23 63449 52.32.149.186 443 TLSv13-draft23 TLS_AES_128_GCM_SHA256 - tls13.crypto.mozilla.org T - - T - - - - - - +#close 2018-03-27-21-57-37 
diff --git a/testing/btest/Traces/tls/tls13draft23-chrome67.0.3368.0-canary.pcap b/testing/btest/Traces/tls/tls13draft23-chrome67.0.3368.0-canary.pcap new file mode 100644 index 0000000000000000000000000000000000000000..15c80ef84988c254f02a2dad1afb2cb262109ac6 GIT binary patch literal 5816 zcmdUzc|4R2*T=6hW{f4qzKbOLP9$q(U!r7>vXkt~AX|3H&K3u)`$q;X zCU}4b_#A7F60a2La#4aU9Wt#5Kpp^Ou@70e0aJ6n4z&n#V%_#A1Wo!-qYOM4D8)HA zsAB>E99&o>1PX;gAP53N^RxTd&v0>$=)3cXe?lLFpc}M4EdQW;w;!jAnf{gDP;_ z;CbL-Re^cq0~bIl)_zk(tb6>5Nw>pzK?157$DdZ4x9CBzgcQb!8 zPqRQ*L05h=c{2s@5J&^~0a1VebQP-t%6tGm0VM$#0eS$SakX<16y`H?_H=Z0;JfYM zWn*V|lh47~3ZMoLVFm33Kmm~9LJ_#Q5Ev8zgFz5*I0Od*zyR1G1|S0uLIT795stMG z!rIly!~-9yMI*Vvb!~2;s}_T`yi;h_DFt+f2xm zeW`*$Wy|Xd0=(dtAmCRB3C70!sG(3O4io|qfOiDQU3;xHL$I;7fy6l&aA?Pgu(!ZPEYbGl|3;k9`$3!o zutX{-6z~EI${h;5Fn%rTiO=OFcP(Y_Jx`v>voQgKnDIvtyi4?c-F^WIe_I0NU@q{1 z$#xo>WxH>N3yFPvJ1u0l@F)05z7P}Z?=lOd!J}6F)>bWSu7ml7<3~*ax`#l(93v!K zzTDFzSd-%VW_WvCR#NjW*PnefNrfETJLFUMc)tbyT5rZ{~x>nwJUD>{C3Zp-c8dsm*GoRU8pSlfowUf|3b?Y2%*RmjBxg^wwj|B#BIC zvSbZv-krul`#vcrAFiwH>EQ14c+QOIucasG>$ibNhJ2^4%KV`I7KbT=Ri=lEDAk1a zgpG%nfk7l@k`VD6F7&l5J7AO+6&dkej~LNVx;R=iGAppBOm#Ek`nEQvUBM)=g*yEV zeM05w$f?XCLXHsC!hA!oyO(A-xYW*b51V^gme`j!JLP!wiBucQ^qF}|l4zT{U-

^JPublications^J

^J
    ^J 125.190.109.199:80 -1301452424.214794 %events-send-1 > USER-AGENT: Wget/1.10 -1301452424.214794 %events-send-1 > ACCEPT: */* -1301452424.214794 %events-send-1 > HOST: www.icir.org -1301452424.214794 %events-send-1 > CONNECTION: Keep-Alive -1301452424.398834 %events-send-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT -1301452424.398834 %events-send-1 < SERVER: Apache/1.3.33 (Unix) -1301452424.398834 %events-send-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT -1301452424.398834 %events-send-1 < ETAG: "2c96c-23aa-4346a0e5" -1301452424.398834 %events-send-1 < ACCEPT-RANGES: bytes -1301452424.398834 %events-send-1 < CONTENT-LENGTH: 9130 -1301452424.398834 %events-send-1 < KEEP-ALIVE: timeout=15, max=100 -1301452424.398834 %events-send-1 < CONNECTION: Keep-Alive -1301452424.398834 %events-send-1 < CONTENT-TYPE: text/html -1301452424.583323 %events-send-1 <= 4096 bytes: "^J^J

    ^JPublications^J

    ^J
      ^J, a=13, b=, c=helloworld, d=] -13 -helloworld diff --git a/testing/btest/Baseline/istate.pybroccoli/python..stdout.filtered b/testing/btest/Baseline/istate.pybroccoli/python..stdout.filtered deleted file mode 100644 index d6c81edf2b..0000000000 --- a/testing/btest/Baseline/istate.pybroccoli/python..stdout.filtered +++ /dev/null @@ -1,47 +0,0 @@ -==== atomic a 1 ==== --4L -4 -42 42 -1468426429.2942 -60.0 -True True -3.14 -'Hurz' Hurz -'12345/udp' 12345/udp -'1.2.3.4' 1.2.3.4 -'22.33.44.0/24' 22.33.44.0/24 -'2607:f8b0:4009:802::1014' 2607:f8b0:4009:802::1014 -'2607:f8b0::/32' 2607:f8b0::/32 -==== atomic a 2 ==== --10L -10 -2 2 -1468426429.2885 -120.0 -False False -1.5 -'Servus' Servus -'5555/tcp' 5555/tcp -'6.7.6.5' 6.7.6.5 -'192.168.0.0/16' 192.168.0.0/16 -'2001:db8:85a3::8a2e:370:7334' 2001:db8:85a3::8a2e:370:7334 -'2001:db8:85a3::/48' 2001:db8:85a3::/48 -==== atomic b 2 ==== --10L -10 - 2 - 1468426429.2885 - 120.0 -False False -1.5 -'Servus' Servus - 5555/tcp - 6.7.6.5 - 192.168.0.0/16 - 2001:db8:85a3::8a2e:370:7334 - 2001:db8:85a3::/48 -==== record 1 ==== - -42L 42 -'6.6.7.7' 6.6.7.7 -==== record 2 ==== - -99L 99 -'3.4.5.1' 3.4.5.1 diff --git a/testing/btest/Baseline/istate.sync/receiver.vars.log b/testing/btest/Baseline/istate.sync/receiver.vars.log deleted file mode 100644 index d15c4b9c35..0000000000 --- a/testing/btest/Baseline/istate.sync/receiver.vars.log +++ /dev/null @@ -1,34 +0,0 @@ -421 -1234567 -Jodel -4.3.2.1 -4.0.0.0/8 -21.0 -42.0 secs -{ -[1] = asdfg2, -[3] = asdfg1 -} -file "test2" of string -/^?(abbcdefgh)$?/ -{ -2, -6, -4, -5, -3 -} -{ -[3, GHI] = 103, -[2, DEF] = 103, -[4, JKL] = 104 -} -{ -[6767] = /^?(QWERTZ)$?/, -[12345] = /^?(12345)$?/, -[12346] = /^?(12345)$?/ -} -6667/tcp -[2, 20, 3, 4] -[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=] -122112 
diff --git a/testing/btest/Baseline/istate.sync/sender.vars.log b/testing/btest/Baseline/istate.sync/sender.vars.log deleted file mode 100644 index d15c4b9c35..0000000000 --- a/testing/btest/Baseline/istate.sync/sender.vars.log +++ /dev/null @@ -1,34 +0,0 @@ -421 -1234567 -Jodel -4.3.2.1 -4.0.0.0/8 -21.0 -42.0 secs -{ -[1] = asdfg2, -[3] = asdfg1 -} -file "test2" of string -/^?(abbcdefgh)$?/ -{ -2, -6, -4, -5, -3 -} -{ -[3, GHI] = 103, -[2, DEF] = 103, -[4, JKL] = 104 -} -{ -[6767] = /^?(QWERTZ)$?/, -[12345] = /^?(12345)$?/, -[12346] = /^?(12345)$?/ -} -6667/tcp -[2, 20, 3, 4] -[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=] -122112 diff --git a/testing/btest/Baseline/istate.topk/out b/testing/btest/Baseline/istate.topk/out deleted file mode 100644 index ef3d0cef30..0000000000 --- a/testing/btest/Baseline/istate.topk/out +++ /dev/null @@ -1,21 +0,0 @@ -1 -2 -6 -4 -5 -1 -[c, e, d] -1 -2 -6 -4 -5 -1 -[c, e, d] -2 -4 -12 -8 -10 -2 -[c, e, d] diff --git a/testing/btest/Baseline/language.switch-error-mixed/out b/testing/btest/Baseline/language.switch-error-mixed/out new file mode 100644 index 0000000000..75fa1d84c2 --- /dev/null +++ b/testing/btest/Baseline/language.switch-error-mixed/out @@ -0,0 +1 @@ +error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-error-mixed/switch-error-mixed.bro, line 6: cannot mix cases with expressions and types (switch (v) {case 42:{ return (42!)}case type count:{ return (Count!)}}) diff --git a/testing/btest/Baseline/language.switch-types-error-duplicate/out b/testing/btest/Baseline/language.switch-types-error-duplicate/out new file mode 100644 index 0000000000..e523b14550 --- /dev/null +++ b/testing/btest/Baseline/language.switch-types-error-duplicate/out @@ -0,0 +1 @@ +error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-duplicate/switch-types-error-duplicate.bro, lines 11-12: duplicate case label (case type bool, type count:{ return (Bool or address!)}) 
diff --git a/testing/btest/Baseline/language.switch-types-error-unsupported/out b/testing/btest/Baseline/language.switch-types-error-unsupported/out new file mode 100644 index 0000000000..133c8653f2 --- /dev/null +++ b/testing/btest/Baseline/language.switch-types-error-unsupported/out @@ -0,0 +1,3 @@ +error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.bro, lines 9-10: cannot cast switch expression to case type (case type count:{ return (Count!)}) +error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.bro, lines 11-12: cannot cast switch expression to case type (case type bool, type addr:{ return (Bool or address!)}) +error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.bro, lines 11-12: cannot cast switch expression to case type (case type bool, type addr:{ return (Bool or address!)}) diff --git a/testing/btest/Baseline/language.switch-types-vars/out b/testing/btest/Baseline/language.switch-types-vars/out new file mode 100644 index 0000000000..36904c63b9 --- /dev/null +++ b/testing/btest/Baseline/language.switch-types-vars/out @@ -0,0 +1,9 @@ +string!, My StrIng +count!, 42 +Bool or address? + addr, 1.2.3.4 +Bool or address? + bool, T +int! +double or port +double or port diff --git a/testing/btest/Baseline/language.switch-types/out b/testing/btest/Baseline/language.switch-types/out new file mode 100644 index 0000000000..536852101f --- /dev/null +++ b/testing/btest/Baseline/language.switch-types/out @@ -0,0 +1,7 @@ +String! +Count! +Bool or address! +Somethign else! + +Bool or address! +n/a diff --git a/testing/btest/Baseline/language.type-cast-any/output b/testing/btest/Baseline/language.type-cast-any/output new file mode 100644 index 0000000000..e7c07abe7e --- /dev/null +++ b/testing/btest/Baseline/language.type-cast-any/output 
@@ -0,0 +1,6 @@ +Foo, Foo, T, Foo==Foo => T +Foo, Foo, T, Bar==Foo => F +42, 42, T, 42==42 => T +42, 42, T, 21==42 => F +[a=1.2.3.4, b=1947/tcp], [a=1.2.3.4, b=1947/tcp], T, [a=1.2.3.4, b=1947/tcp]==[a=1.2.3.4, b=1947/tcp] => T +[a=1.2.3.4, b=1947/tcp], [a=1.2.3.4, b=1947/tcp], T, [a=2.3.4.5, b=1947/tcp]==[a=1.2.3.4, b=1947/tcp] => F diff --git a/testing/btest/Baseline/language.type-cast-error-dynamic/output b/testing/btest/Baseline/language.type-cast-error-dynamic/output new file mode 100644 index 0000000000..10d92ac199 --- /dev/null +++ b/testing/btest/Baseline/language.type-cast-error-dynamic/output @@ -0,0 +1,2 @@ +expression error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.bro, line 11: cannot cast value of type 'count' to type 'string' [a as string] +expression error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.bro, line 11: cannot cast value of type 'record { a:addr; b:port; }' to type 'string' [a as string] diff --git a/testing/btest/Baseline/language.type-cast-error-static/output b/testing/btest/Baseline/language.type-cast-error-static/output new file mode 100644 index 0000000000..a93e262f21 --- /dev/null +++ b/testing/btest/Baseline/language.type-cast-error-static/output @@ -0,0 +1,2 @@ +error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.type-cast-error-static/type-cast-error-static.bro, line 14: cast not supported (string as count) +error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.type-cast-error-static/type-cast-error-static.bro, line 15: cast not supported (string as X) diff --git a/testing/btest/Baseline/language.type-cast-same/output b/testing/btest/Baseline/language.type-cast-same/output new file mode 100644 index 0000000000..ac40874860 --- /dev/null +++ b/testing/btest/Baseline/language.type-cast-same/output @@ -0,0 +1,2 @@ +sTriNg, T +[a=1.2.3.4, b=1947/tcp], T 
diff --git a/testing/btest/Baseline/language.type-check-any/output b/testing/btest/Baseline/language.type-check-any/output new file mode 100644 index 0000000000..90b825d6fd --- /dev/null +++ b/testing/btest/Baseline/language.type-check-any/output @@ -0,0 +1,3 @@ +Foo, T, F, F +1, F, T, F +[a=1.2.3.4, b=1947/tcp], F, F, T diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 05097df859..37a613347c 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -152,6 +152,10 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> +0.000000 MetaHookPost CallFunction(Cluster::local_node_type, , ()) -> +0.000000 MetaHookPost CallFunction(Cluster::register_pool, , ([topic=bro<...>/logger, node_type=Cluster::LOGGER, max_nodes=, exclusive=F])) -> +0.000000 MetaHookPost CallFunction(Cluster::register_pool, , ([topic=bro<...>/proxy, node_type=Cluster::PROXY, max_nodes=, exclusive=F])) -> +0.000000 MetaHookPost CallFunction(Cluster::register_pool, , ([topic=bro<...>/worker, node_type=Cluster::WORKER, max_nodes=, exclusive=F])) -> 0.000000 MetaHookPost CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})) -> 0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/pkix-cert)) -> 0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-ca-cert)) -> 
@@ -172,8 +176,8 @@ 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 
secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=communication, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=conn, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=dce_rpc, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 
@@ -216,8 +220,8 @@ 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=weird, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=x509, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=mysql, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Broker::LOG, [columns=, ev=, path=broker])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Communication::LOG, [columns=, ev=, path=communication])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Config::LOG, [columns=, ev=Config::log_config, path=config])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DCE_RPC::LOG, [columns=, ev=, path=dce_rpc])) -> 
@@ -260,9 +264,9 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1519920860.516463, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (DCE_RPC::LOG)) -> 
@@ -305,8 +309,8 @@ 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Weird::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (X509::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (mysql::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, , (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., 
ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> @@ -349,8 +353,8 @@ 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Broker::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Cluster::LOG, default)) -> -0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Communication::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Config::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Conn::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (DCE_RPC::LOG, default)) -> 
@@ -393,8 +397,8 @@ 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Weird::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (X509::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (mysql::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Broker::LOG, [columns=, ev=, path=broker])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Communication::LOG, [columns=, ev=, path=communication])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Config::LOG, [columns=, ev=Config::log_config, path=config])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (DCE_RPC::LOG, [columns=, ev=, path=dce_rpc])) -> @@ -437,7 +441,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1519920860.516463, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -652,6 +656,7 @@ 0.000000 MetaHookPost LoadFile(0, .<...>/plugin.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/plugins) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/polling.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/pools.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/postprocessors) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/pp-alarms.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/raw.bro) -> -1 @@ -693,7 +698,6 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/broker) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/cluster) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/comm.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(0, base<...>/communication) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/config) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/conn) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/conn-ids.bro) -> -1 @@ -719,6 +723,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/ftp) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/geoip-distance.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/hash) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/hash_hrw.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/http) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/imap) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/init-default.bro) -> -1 
@@ -945,6 +950,10 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) +0.000000 MetaHookPre CallFunction(Cluster::local_node_type, , ()) +0.000000 MetaHookPre CallFunction(Cluster::register_pool, , ([topic=bro<...>/logger, node_type=Cluster::LOGGER, max_nodes=, exclusive=F])) +0.000000 MetaHookPre CallFunction(Cluster::register_pool, , ([topic=bro<...>/proxy, node_type=Cluster::PROXY, max_nodes=, exclusive=F])) +0.000000 MetaHookPre CallFunction(Cluster::register_pool, , ([topic=bro<...>/worker, node_type=Cluster::WORKER, max_nodes=, exclusive=F])) 0.000000 MetaHookPre CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})) 0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/pkix-cert)) 0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-ca-cert)) 
@@ -965,8 +974,8 @@ 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, 
postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=communication, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=conn, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=dce_rpc, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 
@@ -1009,8 +1018,8 @@ 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=weird, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=x509, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=mysql, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Broker::LOG, [columns=, ev=, path=broker])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Communication::LOG, [columns=, ev=, path=communication])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Config::LOG, [columns=, ev=Config::log_config, path=config])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DCE_RPC::LOG, [columns=, ev=, path=dce_rpc])) 
@@ -1053,9 +1062,9 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1519920860.516463, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (DCE_RPC::LOG)) 
@@ -1098,8 +1107,8 @@ 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Weird::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (X509::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (mysql::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, , (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, 
ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) @@ -1142,8 +1151,8 @@ 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Broker::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Cluster::LOG, default)) -0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Communication::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Config::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Conn::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (DCE_RPC::LOG, default)) 
@@ -1186,8 +1195,8 @@ 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Weird::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (X509::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (mysql::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Broker::LOG, [columns=, ev=, path=broker])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Communication::LOG, [columns=, ev=, path=communication])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Config::LOG, [columns=, ev=Config::log_config, path=config])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (DCE_RPC::LOG, [columns=, ev=, path=dce_rpc])) @@ -1230,7 +1239,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1519920860.516463, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1445,6 +1454,7 @@ 0.000000 MetaHookPre LoadFile(0, .<...>/plugin.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/plugins) 0.000000 MetaHookPre LoadFile(0, .<...>/polling.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/pools.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/postprocessors) 0.000000 MetaHookPre LoadFile(0, .<...>/pp-alarms.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/raw.bro) @@ -1486,7 +1496,6 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/broker) 0.000000 MetaHookPre LoadFile(0, base<...>/cluster) 0.000000 MetaHookPre LoadFile(0, base<...>/comm.bif.bro) -0.000000 MetaHookPre LoadFile(0, base<...>/communication) 0.000000 MetaHookPre LoadFile(0, base<...>/config) 0.000000 MetaHookPre LoadFile(0, base<...>/conn) 0.000000 MetaHookPre LoadFile(0, base<...>/conn-ids.bro) @@ -1512,6 +1521,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/ftp) 0.000000 MetaHookPre LoadFile(0, base<...>/geoip-distance.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/hash) +0.000000 MetaHookPre LoadFile(0, base<...>/hash_hrw.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/http) 0.000000 MetaHookPre LoadFile(0, base<...>/imap) 0.000000 MetaHookPre LoadFile(0, base<...>/init-default.bro) 
@@ -1737,6 +1747,10 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp}) 0.000000 | HookCallFunction Cluster::is_enabled() +0.000000 | HookCallFunction Cluster::local_node_type() +0.000000 | HookCallFunction Cluster::register_pool([topic=bro<...>/logger, node_type=Cluster::LOGGER, max_nodes=, exclusive=F]) +0.000000 | HookCallFunction Cluster::register_pool([topic=bro<...>/proxy, node_type=Cluster::PROXY, max_nodes=, exclusive=F]) +0.000000 | HookCallFunction Cluster::register_pool([topic=bro<...>/worker, node_type=Cluster::WORKER, max_nodes=, exclusive=F]) 0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)}) 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/pkix-cert) 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/x-x509-ca-cert) 
@@ -1757,8 +1771,8 @@ 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) +0.000000 | HookCallFunction Log::__add_filter(Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | 
HookCallFunction Log::__add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=communication, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=conn, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=dce_rpc, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 
@@ -1801,8 +1815,8 @@ 0.000000 | HookCallFunction Log::__add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=weird, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=x509, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=mysql, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__create_stream(Broker::LOG, [columns=, ev=, path=broker]) 0.000000 | HookCallFunction Log::__create_stream(Cluster::LOG, [columns=, ev=, path=cluster]) -0.000000 | HookCallFunction Log::__create_stream(Communication::LOG, [columns=, ev=, path=communication]) 0.000000 | HookCallFunction Log::__create_stream(Config::LOG, [columns=, ev=Config::log_config, path=config]) 0.000000 | HookCallFunction Log::__create_stream(Conn::LOG, [columns=, ev=Conn::log_conn, path=conn]) 0.000000 | HookCallFunction Log::__create_stream(DCE_RPC::LOG, [columns=, ev=, path=dce_rpc]) 
@@ -1845,9 +1859,9 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1519920860.516463, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) -0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 0.000000 | HookCallFunction Log::add_default_filter(DCE_RPC::LOG) 
@@ -1890,8 +1904,8 @@ 0.000000 | HookCallFunction Log::add_default_filter(Weird::LOG) 0.000000 | HookCallFunction Log::add_default_filter(X509::LOG) 0.000000 | HookCallFunction Log::add_default_filter(mysql::LOG) +0.000000 | HookCallFunction Log::add_filter(Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::add_filter(Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 
@@ -1934,8 +1948,8 @@ 0.000000 | HookCallFunction Log::add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_stream_filters(Broker::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(Cluster::LOG, default) -0.000000 | HookCallFunction Log::add_stream_filters(Communication::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(Config::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(Conn::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(DCE_RPC::LOG, default) 
@@ -1978,8 +1992,8 @@ 0.000000 | HookCallFunction Log::add_stream_filters(Weird::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(X509::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(mysql::LOG, default) +0.000000 | HookCallFunction Log::create_stream(Broker::LOG, [columns=, ev=, path=broker]) 0.000000 | HookCallFunction Log::create_stream(Cluster::LOG, [columns=, ev=, path=cluster]) -0.000000 | HookCallFunction Log::create_stream(Communication::LOG, [columns=, ev=, path=communication]) 0.000000 | HookCallFunction Log::create_stream(Config::LOG, [columns=, ev=Config::log_config, path=config]) 0.000000 | HookCallFunction Log::create_stream(Conn::LOG, [columns=, ev=Conn::log_conn, path=conn]) 0.000000 | HookCallFunction Log::create_stream(DCE_RPC::LOG, [columns=, ev=, path=dce_rpc]) @@ -2022,7 +2036,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1519920860.516463, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2245,6 +2259,7 @@ 0.000000 | HookLoadFile .<...>/plugin.bro 0.000000 | HookLoadFile .<...>/plugins 0.000000 | HookLoadFile .<...>/polling.bro +0.000000 | HookLoadFile .<...>/pools.bro 0.000000 | HookLoadFile .<...>/postprocessors 0.000000 | HookLoadFile .<...>/pp-alarms.bro 0.000000 | HookLoadFile .<...>/raw.bro 
@@ -2287,7 +2302,6 @@ 0.000000 | HookLoadFile base<...>/broker 0.000000 | HookLoadFile base<...>/cluster 0.000000 | HookLoadFile base<...>/comm.bif.bro -0.000000 | HookLoadFile base<...>/communication 0.000000 | HookLoadFile base<...>/config 0.000000 | HookLoadFile base<...>/conn 0.000000 | HookLoadFile base<...>/conn-ids.bro @@ -2313,6 +2327,7 @@ 0.000000 | HookLoadFile base<...>/ftp 0.000000 | HookLoadFile base<...>/geoip-distance.bro 0.000000 | HookLoadFile base<...>/hash +0.000000 | HookLoadFile base<...>/hash_hrw.bro 0.000000 | HookLoadFile base<...>/http 0.000000 | HookLoadFile base<...>/imap 0.000000 | HookLoadFile base<...>/init-default.bro @@ -2372,7 +2387,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1519920860.516463, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_exclusivity/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_exclusivity/manager-1..stdout new file mode 100644 index 0000000000..f5b2222839 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_exclusivity/manager-1..stdout 
@@ -0,0 +1,147 @@ +1st stuff +hrw, 0, bro/cluster/node/proxy-1 +hrw (custom pool), 0, bro/cluster/node/proxy-2 +hrw, 1, bro/cluster/node/proxy-1 +hrw (custom pool), 1, bro/cluster/node/proxy-2 +hrw, 2, bro/cluster/node/proxy-1 +hrw (custom pool), 2, bro/cluster/node/proxy-2 +hrw, 3, bro/cluster/node/proxy-1 +hrw (custom pool), 3, bro/cluster/node/proxy-2 +hrw, 13, bro/cluster/node/proxy-1 +hrw (custom pool), 13, bro/cluster/node/proxy-2 +hrw, 37, bro/cluster/node/proxy-1 +hrw (custom pool), 37, bro/cluster/node/proxy-2 +hrw, 42, bro/cluster/node/proxy-1 +hrw (custom pool), 42, bro/cluster/node/proxy-2 +hrw, 101, bro/cluster/node/proxy-1 +hrw (custom pool), 101, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +hrw, 0, bro/cluster/node/proxy-1 +hrw (custom pool), 0, bro/cluster/node/proxy-2 +hrw, 1, bro/cluster/node/proxy-1 +hrw (custom pool), 1, bro/cluster/node/proxy-2 +hrw, 2, bro/cluster/node/proxy-1 +hrw (custom pool), 2, bro/cluster/node/proxy-2 +hrw, 3, bro/cluster/node/proxy-1 +hrw (custom pool), 3, bro/cluster/node/proxy-2 +hrw, 13, bro/cluster/node/proxy-1 +hrw (custom pool), 13, bro/cluster/node/proxy-2 +hrw, 37, bro/cluster/node/proxy-1 +hrw (custom pool), 37, bro/cluster/node/proxy-2 +hrw, 42, bro/cluster/node/proxy-1 +hrw (custom pool), 42, bro/cluster/node/proxy-2 +hrw, 101, bro/cluster/node/proxy-1 +hrw (custom pool), 101, bro/cluster/node/proxy-2 +2nd stuff +hrw, 0, +hrw (custom pool), 0, 
bro/cluster/node/proxy-2 +hrw, 1, +hrw (custom pool), 1, bro/cluster/node/proxy-2 +hrw, 2, +hrw (custom pool), 2, bro/cluster/node/proxy-2 +hrw, 3, +hrw (custom pool), 3, bro/cluster/node/proxy-2 +hrw, 13, +hrw (custom pool), 13, bro/cluster/node/proxy-2 +hrw, 37, +hrw (custom pool), 37, bro/cluster/node/proxy-2 +hrw, 42, +hrw (custom pool), 42, bro/cluster/node/proxy-2 +hrw, 101, +hrw (custom pool), 101, bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +hrw, 0, +hrw (custom pool), 0, bro/cluster/node/proxy-2 +hrw, 1, +hrw (custom pool), 1, bro/cluster/node/proxy-2 +hrw, 2, +hrw (custom pool), 2, bro/cluster/node/proxy-2 +hrw, 3, +hrw (custom pool), 3, bro/cluster/node/proxy-2 +hrw, 13, +hrw (custom pool), 13, bro/cluster/node/proxy-2 +hrw, 37, +hrw (custom pool), 37, bro/cluster/node/proxy-2 +hrw, 42, +hrw (custom pool), 42, bro/cluster/node/proxy-2 +hrw, 101, +hrw (custom pool), 101, bro/cluster/node/proxy-2 +no stuff +hrw, 0, +hrw (custom pool), 0, +hrw, 1, +hrw (custom pool), 1, +hrw, 2, +hrw (custom pool), 2, +hrw, 3, +hrw (custom pool), 3, +hrw, 13, +hrw (custom pool), 13, +hrw, 37, +hrw (custom pool), 37, +hrw, 42, +hrw (custom pool), 42, +hrw, 101, +hrw (custom pool), 101, +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +hrw, 0, +hrw (custom pool), 0, +hrw, 1, +hrw (custom pool), 1, +hrw, 2, +hrw (custom pool), 2, +hrw, 3, +hrw (custom pool), 3, +hrw, 13, +hrw (custom pool), 13, +hrw, 37, +hrw (custom pool), 37, +hrw, 42, +hrw (custom pool), 42, +hrw, 
101, +hrw (custom pool), 101, diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_limits/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_limits/manager-1..stdout new file mode 100644 index 0000000000..977abbf9e9 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_limits/manager-1..stdout 
@@ -0,0 +1,147 @@ +1st stuff +hrw, 0, bro/cluster/node/proxy-1 +hrw (custom pool), 0, bro/cluster/node/proxy-1 +hrw, 1, bro/cluster/node/proxy-1 +hrw (custom pool), 1, bro/cluster/node/proxy-1 +hrw, 2, bro/cluster/node/proxy-1 +hrw (custom pool), 2, bro/cluster/node/proxy-1 +hrw, 3, bro/cluster/node/proxy-1 +hrw (custom pool), 3, bro/cluster/node/proxy-1 +hrw, 13, bro/cluster/node/proxy-1 +hrw (custom pool), 13, bro/cluster/node/proxy-2 +hrw, 37, bro/cluster/node/proxy-1 +hrw (custom pool), 37, bro/cluster/node/proxy-2 +hrw, 42, bro/cluster/node/proxy-1 +hrw (custom pool), 42, bro/cluster/node/proxy-2 +hrw, 101, bro/cluster/node/proxy-1 +hrw (custom pool), 101, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-1 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-1 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-1 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-1 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +hrw, 0, bro/cluster/node/proxy-1 +hrw (custom pool), 0, bro/cluster/node/proxy-1 +hrw, 1, bro/cluster/node/proxy-1 +hrw (custom pool), 1, bro/cluster/node/proxy-1 +hrw, 2, bro/cluster/node/proxy-1 +hrw (custom pool), 2, bro/cluster/node/proxy-1 +hrw, 3, bro/cluster/node/proxy-1 +hrw (custom pool), 3, bro/cluster/node/proxy-1 +hrw, 13, bro/cluster/node/proxy-1 +hrw (custom pool), 13, bro/cluster/node/proxy-2 +hrw, 37, bro/cluster/node/proxy-1 +hrw (custom pool), 37, bro/cluster/node/proxy-2 +hrw, 42, bro/cluster/node/proxy-1 +hrw (custom pool), 42, bro/cluster/node/proxy-2 +hrw, 101, bro/cluster/node/proxy-1 +hrw (custom pool), 101, bro/cluster/node/proxy-2 +2nd stuff +hrw, 0, +hrw (custom pool), 0, 
bro/cluster/node/proxy-2 +hrw, 1, +hrw (custom pool), 1, bro/cluster/node/proxy-2 +hrw, 2, +hrw (custom pool), 2, bro/cluster/node/proxy-2 +hrw, 3, +hrw (custom pool), 3, bro/cluster/node/proxy-2 +hrw, 13, +hrw (custom pool), 13, bro/cluster/node/proxy-2 +hrw, 37, +hrw (custom pool), 37, bro/cluster/node/proxy-2 +hrw, 42, +hrw (custom pool), 42, bro/cluster/node/proxy-2 +hrw, 101, +hrw (custom pool), 101, bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +hrw, 0, +hrw (custom pool), 0, bro/cluster/node/proxy-2 +hrw, 1, +hrw (custom pool), 1, bro/cluster/node/proxy-2 +hrw, 2, +hrw (custom pool), 2, bro/cluster/node/proxy-2 +hrw, 3, +hrw (custom pool), 3, bro/cluster/node/proxy-2 +hrw, 13, +hrw (custom pool), 13, bro/cluster/node/proxy-2 +hrw, 37, +hrw (custom pool), 37, bro/cluster/node/proxy-2 +hrw, 42, +hrw (custom pool), 42, bro/cluster/node/proxy-2 +hrw, 101, +hrw (custom pool), 101, bro/cluster/node/proxy-2 +no stuff +hrw, 0, +hrw (custom pool), 0, +hrw, 1, +hrw (custom pool), 1, +hrw, 2, +hrw (custom pool), 2, +hrw, 3, +hrw (custom pool), 3, +hrw, 13, +hrw (custom pool), 13, +hrw, 37, +hrw (custom pool), 37, +hrw, 42, +hrw (custom pool), 42, +hrw, 101, +hrw (custom pool), 101, +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +hrw, 0, +hrw (custom pool), 0, +hrw, 1, +hrw (custom pool), 1, +hrw, 2, +hrw (custom pool), 2, +hrw, 3, +hrw (custom pool), 3, +hrw, 13, +hrw (custom pool), 13, +hrw, 37, +hrw (custom pool), 37, +hrw, 42, +hrw (custom pool), 42, +hrw, 
101, +hrw (custom pool), 101, diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.log_distribution/logger-1.test.log b/testing/btest/Baseline/scripts.base.frameworks.cluster.log_distribution/logger-1.test.log new file mode 100644 index 0000000000..03d3454c14 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.log_distribution/logger-1.test.log @@ -0,0 +1,59 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path test +#open 2017-12-08-00-37-18 +#fields num +#types count +1 +3 +5 +7 +9 +11 +13 +15 +17 +19 +21 +23 +25 +27 +29 +31 +33 +35 +37 +39 +41 +43 +45 +47 +49 +51 +53 +55 +57 +59 +61 +63 +65 +67 +69 +71 +73 +75 +77 +79 +81 +83 +85 +87 +89 +91 +93 +95 +97 +99 +#close 2017-12-08-00-37-20 diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.log_distribution/logger-2.test.log b/testing/btest/Baseline/scripts.base.frameworks.cluster.log_distribution/logger-2.test.log new file mode 100644 index 0000000000..1b04569201 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.log_distribution/logger-2.test.log @@ -0,0 +1,59 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path test +#open 2017-12-08-00-37-18 +#fields num +#types count +2 +4 +6 +8 +10 +12 +14 +16 +18 +20 +22 +24 +26 +28 +30 +32 +34 +36 +38 +40 +42 +44 +46 +48 +50 +52 +54 +56 +58 +60 +62 +64 +66 +68 +70 +72 +74 +76 +78 +80 +82 +84 +86 +88 +90 +92 +94 +96 +98 +100 +#close 2017-12-08-00-37-20 diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-1..stdout index c3a1950daf..7c8eb5ee83 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-1..stdout 
@@ -1,3 +1,4 @@ Connected to a peer Connected to a peer Connected to a peer +Connected to a peer diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-2..stdout index c3a1950daf..7c8eb5ee83 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-2..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-2..stdout @@ -1,3 +1,4 @@ Connected to a peer Connected to a peer Connected to a peer +Connected to a peer diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-1..stdout index c3a1950daf..7c8eb5ee83 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-1..stdout @@ -1,3 +1,4 @@ Connected to a peer Connected to a peer Connected to a peer +Connected to a peer diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-2..stdout index c3a1950daf..7c8eb5ee83 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-2..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-2..stdout @@ -1,3 +1,4 @@ Connected to a peer Connected to a peer Connected to a peer +Connected to a peer diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/manager-1..stdout index 7c8eb5ee83..5b10602c67 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/manager-1..stdout 
+++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/manager-1..stdout @@ -1,4 +1,8 @@ Connected to a peer Connected to a peer Connected to a peer +Got fully_connected event +Got fully_connected event Connected to a peer +Got fully_connected event +Got fully_connected event diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-1..stdout index 4e70653647..c3a1950daf 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-1..stdout @@ -1,2 +1,3 @@ Connected to a peer Connected to a peer +Connected to a peer diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-2..stdout index 4e70653647..c3a1950daf 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-2..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-2..stdout @@ -1,2 +1,3 @@ Connected to a peer Connected to a peer +Connected to a peer diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-1..stdout index 4e70653647..c3a1950daf 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-1..stdout @@ -1,2 +1,3 @@ Connected to a peer Connected to a peer +Connected to a peer diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-2..stdout index 4e70653647..c3a1950daf 100644 
--- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-2..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-2..stdout @@ -1,2 +1,3 @@ Connected to a peer Connected to a peer +Connected to a peer diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution/manager-1..stdout new file mode 100644 index 0000000000..2c99f08ef2 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution/manager-1..stdout 
@@ -0,0 +1,75 @@ +1st stuff +hrw, 0, bro/cluster/node/proxy-1 +hrw, 1, bro/cluster/node/proxy-1 +hrw, 2, bro/cluster/node/proxy-1 +hrw, 3, bro/cluster/node/proxy-1 +hrw, 13, bro/cluster/node/proxy-2 +hrw, 37, bro/cluster/node/proxy-2 +hrw, 42, bro/cluster/node/proxy-2 +hrw, 101, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr, bro/cluster/node/proxy-2 +hrw, 0, bro/cluster/node/proxy-1 +hrw, 1, bro/cluster/node/proxy-1 +hrw, 2, bro/cluster/node/proxy-1 +hrw, 3, bro/cluster/node/proxy-1 +hrw, 13, bro/cluster/node/proxy-2 +hrw, 37, bro/cluster/node/proxy-2 +hrw, 42, bro/cluster/node/proxy-2 +hrw, 101, bro/cluster/node/proxy-2 +2nd stuff +hrw, 0, bro/cluster/node/proxy-2 +hrw, 1, bro/cluster/node/proxy-2 +hrw, 2, bro/cluster/node/proxy-2 +hrw, 3, bro/cluster/node/proxy-2 +hrw, 13, bro/cluster/node/proxy-2 +hrw, 37, bro/cluster/node/proxy-2 +hrw, 42, bro/cluster/node/proxy-2 +hrw, 101, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-2 +hrw, 0, bro/cluster/node/proxy-2 +hrw, 1, bro/cluster/node/proxy-2 +hrw, 2, bro/cluster/node/proxy-2 +hrw, 3, bro/cluster/node/proxy-2 +hrw, 13, bro/cluster/node/proxy-2 +hrw, 37, bro/cluster/node/proxy-2 +hrw, 42, bro/cluster/node/proxy-2 +hrw, 101, bro/cluster/node/proxy-2 +no stuff +hrw, 0, +hrw, 1, +hrw, 2, +hrw, 3, +hrw, 13, +hrw, 37, +hrw, 42, +hrw, 101, +rr, +rr, +rr, +rr, +rr, +rr, +rr, +rr, +hrw, 0, +hrw, 1, +hrw, 2, +hrw, 3, +hrw, 13, +hrw, 37, +hrw, 42, +hrw, 101, 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/manager-1..stdout new file mode 100644 index 0000000000..1170b6dd6a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/manager-1..stdout @@ -0,0 +1,51 @@ +1st stuff +hrw, 0, T +hrw, 1, T +hrw, 2, T +hrw, 3, T +hrw, 13, T +hrw, 37, T +hrw, 42, T +hrw, 101, T +rr, T +rr, T +rr, T +rr, T +rr, T +rr, T +rr, T +rr, T +2nd stuff +hrw, 0, T +hrw, 1, T +hrw, 2, T +hrw, 3, T +hrw, 13, T +hrw, 37, T +hrw, 42, T +hrw, 101, T +rr, T +rr, T +rr, T +rr, T +rr, T +rr, T +rr, T +rr, T +no stuff +hrw, 0, F +hrw, 1, F +hrw, 2, F +hrw, 3, F +hrw, 13, F +hrw, 37, F +hrw, 42, F +hrw, 101, F +rr, F +rr, F +rr, F +rr, F +rr, F +rr, F +rr, F +rr, F diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/proxy-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/proxy-1..stdout new file mode 100644 index 0000000000..b86028c482 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/proxy-1..stdout @@ -0,0 +1,8 @@ +got distributed event hrw, 0 +got distributed event hrw, 1 +got distributed event hrw, 2 +got distributed event hrw, 3 +got distributed event rr, 0 +got distributed event rr, 2 +got distributed event rr, 13 +got distributed event rr, 42 diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/proxy-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/proxy-2..stdout new file mode 100644 index 0000000000..a83f3f7394 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/proxy-2..stdout 
@@ -0,0 +1,24 @@ +got distributed event hrw, 13 +got distributed event hrw, 37 +got distributed event hrw, 42 +got distributed event hrw, 101 +got distributed event rr, 1 +got distributed event rr, 3 +got distributed event rr, 37 +got distributed event rr, 101 +got distributed event hrw, 0 +got distributed event hrw, 1 +got distributed event hrw, 2 +got distributed event hrw, 3 +got distributed event hrw, 13 +got distributed event hrw, 37 +got distributed event hrw, 42 +got distributed event hrw, 101 +got distributed event rr, 0 +got distributed event rr, 1 +got distributed event rr, 2 +got distributed event rr, 3 +got distributed event rr, 13 +got distributed event rr, 37 +got distributed event rr, 42 +got distributed event rr, 101 diff --git a/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log b/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log deleted file mode 100644 index c6a19029b6..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log +++ /dev/null 
@@ -1,24 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path communication -#open 2012-07-20-01-49-40 -#fields ts peer src_name connected_peer_desc connected_peer_addr connected_peer_port level message -#types time string string string addr port string string -1342748980.737451 bro parent - - - info [#1/127.0.0.1:47757] added peer -1342748980.747149 bro child - - - info [#1/127.0.0.1:47757] connected -1342748980.748489 bro parent - - - info [#1/127.0.0.1:47757] peer connected -1342748980.748489 bro parent - - - info [#1/127.0.0.1:47757] phase: version -1342748980.750749 bro script - - - info connection established -1342748980.750749 bro script - - - info requesting events matching /^?(NOTHING)$?/ -1342748980.750749 bro script - - - info accepting state -1342748980.752225 bro parent - - - info [#1/127.0.0.1:47757] phase: handshake -1342748980.752225 bro parent - - - info warning: no events to request -1342748980.753384 bro parent - - - info [#1/127.0.0.1:47757] peer_description is bro -1342748980.793108 bro parent - - - info [#1/127.0.0.1:47757] peer supports keep-in-cache; using that -1342748980.793108 bro parent - - - info [#1/127.0.0.1:47757] phase: running -1342748980.793108 bro parent - - - info terminating... -1342748980.796454 bro child - - - info terminating -1342748980.797536 bro parent - - - info [#1/127.0.0.1:47757] closing connection -#close 2012-07-20-01-49-40 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1..stdout index c57cda176e..3bc1269931 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1..stdout 
@@ -1,2 +1,5 @@ -cluster_new_item: 123.123.123.123 inserted by worker-1 (from peer: worker-1) -cluster_new_item: 4.3.2.1 inserted by worker-2 (from peer: worker-2) +new_item triggered for 1.2.3.4 by manager on manager-1 +insert_item: 4.3.2.1 inserted by worker-2 +new_item triggered for 4.3.2.1 by worker-2 on manager-1 +insert_item: 123.123.123.123 inserted by worker-1 +new_item triggered for 123.123.123.123 by worker-1 on manager-1 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log index 48df37a6ec..8ec5dbe3cd 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path intel -#open 2016-06-15-19-11-27 +#open 2018-02-27-17-03-26 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc #types time string addr port addr port string enum enum string set[enum] set[string] string string string -1466017887.060652 - - - - - 123.123.123.123 Intel::ADDR Intel::IN_ANYWHERE worker-2 Intel::ADDR worker-1 - - - -#close 2016-06-15-19-11-36 +1519751006.478387 - - - - - 123.123.123.123 Intel::ADDR Intel::IN_ANYWHERE worker-2 Intel::ADDR worker-1 - - - +#close 2018-02-27-17-03-26 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-1..stdout index 3be0ae6f70..a6288340f5 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-1..stdout 
@@ -1,3 +1,4 @@ -cluster_new_item: 1.2.3.4 inserted by manager (from peer: manager-1) -cluster_new_item: 123.123.123.123 inserted by worker-1 (from peer: manager-1) -cluster_new_item: 4.3.2.1 inserted by worker-2 (from peer: manager-1) +new_indicator: 1.2.3.4 inserted by manager +new_indicator: 4.3.2.1 inserted by worker-2 +new_item triggered for 123.123.123.123 by worker-1 on worker-1 +new_indicator: 123.123.123.123 inserted by worker-1 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-2..stdout index df950e68c4..b0c71cfb6a 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-2..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-2..stdout @@ -1,4 +1,5 @@ -cluster_new_item: 1.2.3.4 inserted by manager (from peer: manager-1) -cluster_new_item: 123.123.123.123 inserted by worker-1 (from peer: manager-1) -cluster_new_item: 4.3.2.1 inserted by worker-2 (from peer: manager-1) +new_indicator: 1.2.3.4 inserted by manager +new_item triggered for 4.3.2.1 by worker-2 on worker-2 +new_indicator: 4.3.2.1 inserted by worker-2 +new_indicator: 123.123.123.123 inserted by worker-1 Doing a lookup diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output index 69606c1407..03dcf582e9 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path reporter -#open 2017-02-11-16-36-40 +#open 2018-02-27-17-25-30 #fields ts level message location #types time enum string string -0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/johanna/bro/master/scripts/base/frameworks/intel/./main.bro, lines 520-521 +0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 547-548 0.000000 Reporter::INFO received termination signal (empty) -#close 2017-02-11-16-36-40 +#close 2018-02-27-17-25-30 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output b/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output index 5249bb3110..c6f6e14fdd 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output 
@@ -3,23 +3,23 @@ #empty_field (empty) #unset_field - #path intel -#open 2016-08-05-13-14-12 +#open 2017-12-21-02-28-27 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc #types time string addr port addr port string enum enum string set[enum] set[string] string string string -1470402852.531769 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - -1470402855.546089 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1,source2 - - - -1470402855.546089 - - - - - 4.3.2.1 Intel::ADDR SOMEWHERE bro Intel::ADDR source2 - - - -1470402858.547977 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1,source2 - - - -1470402858.547977 - - - - - 4.3.2.1 Intel::ADDR SOMEWHERE bro Intel::ADDR source2 - - - -#close 2016-08-05-13-14-18 +1513823307.655824 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - +1513823310.680693 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1,source2 - - - +1513823310.680693 - - - - - 4.3.2.1 Intel::ADDR SOMEWHERE bro Intel::ADDR source2 - - - +1513823313.736551 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1,source2 - - - +1513823313.736551 - - - - - 4.3.2.1 Intel::ADDR SOMEWHERE bro Intel::ADDR source2 - - - +#close 2017-12-21-02-28-33 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path notice -#open 2016-08-05-13-14-18 +#open 2017-12-21-02-28-33 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1470402858.547977 - - - - - - - - - Intel::Notice 
Intel hit on 1.2.3.4 at SOMEWHERE 1.2.3.4 - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - -1470402858.547977 - - - - - - - - - Intel::Notice Intel hit on 4.3.2.1 at SOMEWHERE 4.3.2.1 - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - -#close 2016-08-05-13-14-18 +1513823313.736551 - - - - - - - - - Intel::Notice Intel hit on 1.2.3.4 at SOMEWHERE 1.2.3.4 - - - - - Notice::ACTION_LOG 3600.000000 F - - - - - +1513823313.736551 - - - - - - - - - Intel::Notice Intel hit on 4.3.2.1 at SOMEWHERE 4.3.2.1 - - - - - Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2017-12-21-02-28-33 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-1.reporter.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-1.reporter.log deleted file mode 100644 index b7d8c111cf..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-1.reporter.log +++ /dev/null @@ -1,13 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path reporter -#open 2016-09-22-23-31-34 -#fields _write_ts _stream _system_name ts level message location -#types time string string time enum string string -1474587094.261799 reporter manager-1 0.000000 Reporter::WARNING WriterFrontend communication/Log::WRITER_ASCII expected 11 fields in write, got 8. Skipping line. (empty) -1474587094.261799 reporter manager-1 0.000000 Reporter::WARNING WriterFrontend communication/Log::WRITER_ASCII expected 11 fields in write, got 8. Skipping line. (empty) -1474587094.261799 reporter manager-1 0.000000 Reporter::WARNING WriterFrontend communication/Log::WRITER_ASCII expected 11 fields in write, got 8. Skipping line. (empty) -1474587099.984660 reporter manager-1 0.000000 Reporter::INFO received termination signal (empty) -#close 2016-09-22-23-31-40 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-reporter.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-reporter.log new file mode 100644 index 0000000000..7b8743734c --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-reporter.log @@ -0,0 +1,12 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path reporter +#open 2018-04-27-22-48-04 +#fields _write_ts _stream _system_name ts level message location +#types time string string time enum string string +1524869284.624934 reporter manager-1 0.000000 Reporter::WARNING WriterFrontend broker/Log::WRITER_ASCII expected 9 fields in write, got 6. Skipping line. (empty) +1524869284.679015 reporter manager-1 0.000000 Reporter::WARNING WriterFrontend cluster/Log::WRITER_ASCII expected 6 fields in write, got 3. Skipping line. (empty) +1524869299.534389 reporter manager-1 0.000000 Reporter::INFO received termination signal (empty) +#close 2018-04-27-22-48-19 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.failure.log deleted file mode 100644 index 41b8544db1..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.failure.log +++ /dev/null @@ -1,4 +0,0 @@ -t id.orig_h id.orig_p id.resp_h id.resp_p status country -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 failure US -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 failure UK -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 failure MX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.log deleted file mode 100644 index f84ccde80c..0000000000 
--- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.log +++ /dev/null @@ -1,14 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path test -#open 2015-02-23-21-54-13 -#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country -#types time addr port addr port string string -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 success unknown -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 failure US -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 failure UK -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 success BR -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 failure MX -#close 2015-02-23-21-54-13 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.success.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.success.log deleted file mode 100644 index 35f497fd0d..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.success.log +++ /dev/null @@ -1,11 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path test.success -#open 2015-02-23-21-54-13 -#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country -#types time addr port addr port string string -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 success unknown -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 success BR -#close 2015-02-23-21-54-13 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log deleted file mode 100644 index d15f9fa7d6..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log +++ /dev/null 
@@ -1,10 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field EMPTY -#unset_field - -#path test -#open 2016-07-13-16-15-16 -#fields b i e c p sn a d t iv s sc ss se vc ve -#types bool int enum count port subnet addr double time interval string set[count] set[string] set[string] vector[count] vector[string] -T -42 Test::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1468426515.359438 100.000000 hurz 2,4,1,3 BB,AA,CC EMPTY 10,20,30 EMPTY -#close 2016-07-13-16-15-26 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log deleted file mode 100644 index 71e1d18c73..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log +++ /dev/null @@ -1,12 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path test.failure -#open 2012-07-20-01-50-18 -#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country -#types time addr port addr port string string -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure US -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure UK -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure MX -#close 2012-07-20-01-50-18 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log deleted file mode 100644 index bc3dac5a1a..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log +++ /dev/null 
@@ -1,14 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path test -#open 2012-07-20-01-50-18 -#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country -#types time addr port addr port string string -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 success unknown -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure US -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure UK -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 success BR -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure MX -#close 2012-07-20-01-50-18 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log deleted file mode 100644 index f0b26454b4..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log +++ /dev/null @@ -1,11 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path test.success -#open 2012-07-20-01-50-18 -#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country -#types time addr port addr port string string -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 success unknown -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 success BR -#close 2012-07-20-01-50-18 diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/recv.recv.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/recv.recv.out index d6d5c32fb2..b4ae6c9810 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/recv.recv.out +++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/recv.recv.out 
@@ -1,4 +1,4 @@ -Broker::incoming_connection_established +Broker peer added add_rule, 0, [ty=NetControl::FLOW, conn=, flow=[src_h=192.168.18.50/32, src_p=, dst_h=74.125.239.97/32, dst_p=, src_m=, dst_m=], ip=, mac=], NetControl::DROP, [command=blockhosthost, cookie=2, arg=192.168.18.50 74.125.239.97, comment=here] add_rule, 0, [ty=NetControl::FLOW, conn=, flow=[src_h=, src_p=, dst_h=, dst_p=443/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP, [command=droptcpport, cookie=3, arg=443, comment=there] add_rule, 0, [ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.18.50/32, mac=], NetControl::DROP, [command=nullzero, cookie=4, arg=192.168.18.50/32, comment=] diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/send.send.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/send.send.out index 5d8cb431f4..b348f04fc0 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/send.send.out +++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/send.send.out @@ -1,4 +1,4 @@ -Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp +Broker peer added, [address=127.0.0.1, bound_port=9999/tcp] rule added, [ty=NetControl::FLOW, conn=, flow=[src_h=192.168.18.50/32, src_p=, dst_h=74.125.239.97/32, dst_p=, src_m=, dst_m=], ip=, mac=], NetControl::DROP rule added, [ty=NetControl::FLOW, conn=, flow=[src_h=, src_p=, dst_h=, dst_p=443/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP rule added, [ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.18.50/32, mac=], NetControl::DROP diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/recv.recv.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/recv.recv.out index f75f20ea28..b6e702c448 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/recv.recv.out +++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/recv.recv.out 
@@ -1,4 +1,4 @@ -Broker::incoming_connection_established +Broker peer added add_rule, 0, [ty=NetControl::FLOW, conn=, flow=[src_h=192.168.18.50/32, src_p=, dst_h=74.125.239.97/32, dst_p=, src_m=, dst_m=], ip=, mac=], NetControl::DROP, [command=blockhosthost, cookie=2, arg=192.168.18.50 74.125.239.97, comment=here] add_rule, 0, [ty=NetControl::FLOW, conn=, flow=[src_h=, src_p=, dst_h=, dst_p=443/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP, [command=droptcpport, cookie=3, arg=443, comment=there] add_rule, 0, [ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.18.50/32, mac=], NetControl::DROP, [command=drop, cookie=4, arg=192.168.18.50/32, comment=] diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out index a0a9354726..1e24b1ae3a 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out +++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out @@ -1,4 +1,4 @@ -Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp +Broker peer added, [address=127.0.0.1, bound_port=9999/tcp] rule added, [ty=NetControl::FLOW, conn=, flow=[src_h=192.168.18.50/32, src_p=, dst_h=74.125.239.97/32, dst_p=, src_m=, dst_m=], ip=, mac=], NetControl::DROP rule exists, [ty=NetControl::FLOW, conn=, flow=[src_h=, src_p=, dst_h=, dst_p=443/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP rule added, [ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.18.50/32, mac=], NetControl::DROP diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/recv.recv.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/recv.recv.out index 5a3741d841..58f209eaf4 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/recv.recv.out +++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/recv.recv.out 
@@ -1,4 +1,4 @@ -Broker::incoming_connection_established +Broker peer added add_rule, 0, [ty=NetControl::FLOW, conn=, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP add_rule, 0, [ty=NetControl::ADDRESS, conn=, flow=, ip=10.10.1.4/32, mac=], NetControl::DROP remove_rule, 0, [ty=NetControl::ADDRESS, conn=, flow=, ip=10.10.1.4/32, mac=], NetControl::DROP, removing diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.send.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.send.out index aee04c25cc..920fdd8085 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.send.out +++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.send.out @@ -1,4 +1,4 @@ -Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp +Broker peer added, [address=127.0.0.1, bound_port=9999/tcp] rule exists, [ty=NetControl::FLOW, conn=, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP rule timeout, [ty=NetControl::FLOW, conn=, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP, [duration=, packet_count=, byte_count=] rule added, [ty=NetControl::ADDRESS, conn=, flow=, ip=10.10.1.4/32, mac=], NetControl::DROP diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log index 03c42d5849..9b79fc7adc 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log +++ b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2014-04-01-23-15-34 +#open 2017-12-20-23-33-05 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1396394134.092329 - - - - - - - - - Test_Notice test - - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - -#close 2014-04-01-23-15-34 +1513812785.342226 - - - - - - - - - Test_Notice test - - - - - - Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2017-12-20-23-33-05 diff --git a/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/recv.recv.out b/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/recv.recv.out index b1c2ed5050..ab6eefe646 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/recv.recv.out +++ b/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/recv.recv.out 
@@ -1,4 +1,4 @@ -Broker::incoming_connection_established +Broker peer added flow_clear, 42 got flow_mod, 42, [in_port=, dl_src=, dl_dst=, dl_vlan=, dl_vlan_pcp=, dl_type=, nw_tos=, nw_proto=, nw_src=, nw_dst=, tp_src=, tp_dst=], [cookie=4398046511105, table_id=, command=OpenFlow::OFPFC_ADD, idle_timeout=0, hard_timeout=0, priority=0, out_port=, out_group=, flags=0, actions=[out_ports=[3, 7], vlan_vid=, vlan_pcp=, vlan_strip=F, dl_src=, dl_dst=, nw_tos=, nw_src=, nw_dst=, tp_src=, tp_dst=]] got flow_mod, 42, [in_port=, dl_src=, dl_dst=, dl_vlan=, dl_vlan_pcp=, dl_type=2048, nw_tos=, nw_proto=6, nw_src=10.10.1.4/32, nw_dst=74.53.140.153/32, tp_src=1470, tp_dst=25], [cookie=4398046511146, table_id=, command=OpenFlow::OFPFC_ADD, idle_timeout=30, hard_timeout=0, priority=5, out_port=, out_group=, flags=0, actions=[out_ports=[], vlan_vid=, vlan_pcp=, vlan_strip=F, dl_src=, dl_dst=, nw_tos=, nw_src=, nw_dst=, tp_src=, tp_dst=]] diff --git a/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/send.send.out b/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/send.send.out index 5f4fadfb81..ec860918ba 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/send.send.out +++ b/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/send.send.out @@ -1,4 +1,4 @@ -Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp +Broker peer added, [address=127.0.0.1, bound_port=9999/tcp] Flow_mod_success Flow_mod_failure connection established diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log index 5f470124a3..362fb42ced 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/conn.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-16-18 +#open 2018-02-18-22-12-45 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1348168976.546371 ClEkJM2Vm5giqnMf4h 192.168.57.103 35391 192.168.57.101 55968 tcp ssl,gridftp-data 0.010760 2109 3196 S1 - - 0 ShADad 7 2481 6 3516 - 1348168976.274919 CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 tcp ftp,gridftp,ssl 0.294743 4491 6659 SF - - 0 ShAdDaFf 22 5643 21 7759 - -#close 2016-07-13-16-16-18 +#close 2018-02-18-22-12-45 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log index 2c2a0570e8..c8f76ae4d0 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/notice.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2016-07-13-16-16-18 +#open 2017-12-21-02-27-54 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1348168976.557131 ClEkJM2Vm5giqnMf4h 192.168.57.103 35391 192.168.57.101 55968 - - - tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - bro Notice::ACTION_LOG 3600.000000 F - - - - - -#close 2016-07-13-16-16-18 +1348168976.557131 ClEkJM2Vm5giqnMf4h 192.168.57.103 35391 192.168.57.101 55968 - - - tcp GridFTP::Data_Channel GridFTP data channel over threshold 2 bytes - 192.168.57.103 192.168.57.101 55968 - - Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2017-12-21-02-27-54 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log index 1091d026f4..1904e9eaa5 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/ssl.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path ssl -#open 2016-07-13-16-16-18 +#open 2017-12-21-02-27-54 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string 1348168976.508038 CHhAvVGS1DHFjwGM9 192.168.57.103 60108 192.168.57.101 2811 TLSv10 TLS_RSA_WITH_AES_256_CBC_SHA - - F - - T FBtbj87tgpyeDSj31,F8TfgZ31c1dFu8Kt2k FVNYOh2BeQBb7MpCPe,FwjBou1e5DbpE0eOgk,FbYQmk4x4M4Bx3PZme CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348168976.551422 ClEkJM2Vm5giqnMf4h 192.168.57.103 35391 192.168.57.101 55968 TLSv10 TLS_RSA_WITH_NULL_SHA - - F - - T F4SSqN31HDIrrH5Q8h,FJHp5Pf6VLQsRQK3,FHACqa3dX9BXRV2av,FNnDVT1NURRWeoLLN3 FFWYVj4BcvQb35WIaf,Fj16G835fnJgnVlKU6,FGONoc1Nj0Ka5zlxDa CN=932373381,CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid -#close 2016-07-13-16-16-18 +#close 2017-12-21-02-27-54 diff --git a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/x509.log b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/x509.log index 7ffa645cbe..294175f0be 100644 --- a/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/x509.log +++ b/testing/btest/Baseline/scripts.base.protocols.ftp.gridftp/x509.log 
@@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path x509 -#open 2016-07-13-16-16-18 +#open 2017-12-21-02-27-54 #fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len #types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count 1348168976.510615 FBtbj87tgpyeDSj31 3 01 CN=host/alpha,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348161979.000000 1379697979.000000 rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - - - - - - - @@ -18,4 +18,4 @@ 1348168976.554445 FFWYVj4BcvQb35WIaf 3 36B07110 CN=917532944,CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348162941.000000 1348206441.000000 rsaEncryption sha1WithRSAEncryption rsa 512 65537 - - - - - - - 1348168976.554445 Fj16G835fnJgnVlKU6 3 02 CN=Jon Siwek,OU=local,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348162263.000000 1379698263.000000 rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - - - - - - - 1348168976.554445 FGONoc1Nj0Ka5zlxDa 3 EA83D17188B68E4D CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid CN=Globus Simple CA,OU=simpleCA-alpha,OU=GlobusTest,O=Grid 1348161502.000000 1505841502.000000 rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - - - - - T - -#close 2016-07-13-16-16-18 +#close 2017-12-21-02-27-54 diff --git a/testing/btest/Baseline/scripts.base.utils.hash_hrw/output b/testing/btest/Baseline/scripts.base.utils.hash_hrw/output new file mode 100644 index 0000000000..2c37b5b752 --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.utils.hash_hrw/output @@ -0,0 +1,40 @@ +T +F +T +T +T +T +T +F +[id=0, user_data=alice] +[id=3, user_data=dave] +[id=3, user_data=dave] +[id=0, user_data=alice] +[id=0, user_data=alice] +[id=4, user_data=eve] +[id=0, user_data=alice] +[id=1, user_data=bob] +[id=0, user_data=alice] +[id=1, user_data=bob] +T +[id=3, user_data=dave] +[id=3, user_data=dave] +[id=3, user_data=dave] +[id=4, user_data=eve] +[id=4, user_data=eve] +[id=4, user_data=eve] +[id=3, user_data=dave] +[id=1, user_data=bob] +[id=4, user_data=eve] +[id=1, user_data=bob] +T +[id=0, user_data=alice] +[id=3, user_data=dave] +[id=3, user_data=dave] +[id=0, user_data=alice] +[id=0, user_data=alice] +[id=4, user_data=eve] +[id=0, user_data=alice] +[id=1, user_data=bob] +[id=0, user_data=alice] +[id=1, user_data=bob] diff --git a/testing/btest/Baseline/scripts.policy.frameworks.software.version-changes/notice.log b/testing/btest/Baseline/scripts.policy.frameworks.software.version-changes/notice.log new file mode 100644 index 0000000000..21181bceba --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.frameworks.software.version-changes/notice.log 
@@ -0,0 +1,16 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path notice +#open 2017-12-21-02-29-09 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double +1513823349.733021 - - - - - - - - - Software::Software_Version_Change 1513823349.733021 Software::UNKNOWN 'my_fake_software' version changed from 1.0.0 to 1.1.0 my_fake_software 1.1.0 127.0.0.1 - - - - Notice::ACTION_LOG 3600.000000 F - - - - - +1513823349.733021 - - - - - - - - - Software::Software_Version_Change 1513823349.733021 Software::UNKNOWN 'my_fake_software' version changed from 1.1.0 to 1.2.0 my_fake_software 1.2.0 127.0.0.1 - - - - Notice::ACTION_LOG 3600.000000 F - - - - - +1513823349.733021 - - - - - - - - - Software::Software_Version_Change 1513823349.733021 Software::UNKNOWN 'my_fake_software' version changed from 1.2.0 to 1.0.0 my_fake_software 1.0.0 127.0.0.1 - - - - Notice::ACTION_LOG 3600.000000 F - - - - - +1513823349.733021 - - - - - - - - - Software::Software_Version_Change 1513823349.733021 Software::UNKNOWN 'my_fake_software' version changed from 1.0.0 to 1.1.0 my_fake_software 1.1.0 127.0.0.1 - - - - Notice::ACTION_LOG 3600.000000 F - - - - - +1513823349.733021 - - - - - - - - - Software::Software_Version_Change 1513823349.733021 Software::UNKNOWN 'my_fake_software' version changed from 1.1.0 to 1.2.0 my_fake_software 1.2.0 127.0.0.1 - - - - Notice::ACTION_LOG 3600.000000 F - - - - - +1513823349.733021 - - - - - - - - - Software::Software_Version_Change 1513823349.733021 Software::UNKNOWN 'my_fake_software' version changed from 1.2.0 to 1.0.0 my_fake_software 1.0.0 
127.0.0.1 - - - - Notice::ACTION_LOG 3600.000000 F - - - - - +1513823349.733021 - - - - - - - - - Software::Software_Version_Change 1513823349.733021 Software::UNKNOWN 'my_fake_software' version changed from 1.0.0 to 1.1.0 my_fake_software 1.1.0 127.0.0.1 - - - - Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2017-12-21-02-29-09 diff --git a/testing/btest/Baseline/scripts.policy.frameworks.software.version-changes/software.log b/testing/btest/Baseline/scripts.policy.frameworks.software.version-changes/software.log new file mode 100644 index 0000000000..c2f6764003 --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.frameworks.software.version-changes/software.log @@ -0,0 +1,17 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path software +#open 2017-12-21-02-29-09 +#fields ts host host_p software_type name version.major version.minor version.minor2 version.minor3 version.addl unparsed_version +#types time addr port enum string count count count count string string +1513823349.733021 127.0.0.1 - Software::UNKNOWN my_fake_software 1 0 0 - - my_fake_software 1.0.0 +1513823349.733021 127.0.0.1 - Software::UNKNOWN my_fake_software 1 1 0 - - my_fake_software 1.1.0 +1513823349.733021 127.0.0.1 - Software::UNKNOWN my_fake_software 1 2 0 - - my_fake_software 1.2.0 +1513823349.733021 127.0.0.1 - Software::UNKNOWN my_fake_software 1 0 0 - - my_fake_software 1.0.0 +1513823349.733021 127.0.0.1 - Software::UNKNOWN my_fake_software 1 1 0 - - my_fake_software 1.1.0 +1513823349.733021 127.0.0.1 - Software::UNKNOWN my_fake_software 1 2 0 - - my_fake_software 1.2.0 +1513823349.733021 127.0.0.1 - Software::UNKNOWN my_fake_software 1 0 0 - - my_fake_software 1.0.0 +1513823349.733021 127.0.0.1 - Software::UNKNOWN my_fake_software 1 1 0 - - my_fake_software 1.1.0 +#close 2017-12-21-02-29-09 
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log b/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log index 9dcb672b24..1ba280bc78 100644 --- a/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log +++ b/testing/btest/Baseline/scripts.policy.frameworks.software.vulnerable/notice.log @@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path notice -#open 2014-04-01-23-16-19 +#open 2017-12-21-02-29-27 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1396394179.027101 - - - - - - - - - Software::Vulnerable_Version 1.2.3.4 is running Java 1.7.0.15 which is vulnerable. Java 1.7.0.15 1.2.3.4 - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - -1396394179.027101 - - - - - - - - - Software::Vulnerable_Version 1.2.3.5 is running Java 1.6.0.43 which is vulnerable. Java 1.6.0.43 1.2.3.5 - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - -#close 2014-04-01-23-16-19 +1513823367.386212 - - - - - - - - - Software::Vulnerable_Version 1.2.3.4 is running Java 1.7.0.15 which is vulnerable. Java 1.7.0.15 1.2.3.4 - - - - Notice::ACTION_LOG 3600.000000 F - - - - - +1513823367.386212 - - - - - - - - - Software::Vulnerable_Version 1.2.3.5 is running Java 1.6.0.43 which is vulnerable. Java 1.6.0.43 1.2.3.5 - - - - Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2017-12-21-02-29-27 
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log b/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log index ee206db117..26aa4144c8 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2015-03-30-15-43-30 +#open 2017-12-21-02-29-44 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1427726711.398575 - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - -#close 2015-03-30-15-43-30 +1427726759.303199 - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - - Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2017-12-21-02-29-44 diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log index bea2c1f280..cdfc85691a 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path notice -#open 2016-07-13-16-17-27 +#open 2017-12-21-02-30-08 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1394745603.293028 CHhAvVGS1DHFjwGM9 192.168.4.149 60539 87.98.220.10 443 F1fX1R2cDOzbvg17ye - - tcp SSL::Certificate_Expired Certificate CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated expired at 2014-03-04-23:59:59.000000000 - 192.168.4.149 87.98.220.10 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -1394745619.197766 ClEkJM2Vm5giqnMf4h 192.168.4.149 60540 122.1.240.204 443 F6NAbK127LhNBaEe5c - - tcp SSL::Certificate_Expires_Soon Certificate CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP is going to expire at 2014-03-14-23:59:59.000000000 - 192.168.4.149 122.1.240.204 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -#close 2016-07-13-16-17-27 +1394745603.293028 CHhAvVGS1DHFjwGM9 192.168.4.149 60539 87.98.220.10 443 F1fX1R2cDOzbvg17ye - - tcp SSL::Certificate_Expired Certificate CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated expired at 2014-03-04-23:59:59.000000000 - 192.168.4.149 87.98.220.10 443 - - Notice::ACTION_LOG 86400.000000 F - - - - - +1394745619.197766 ClEkJM2Vm5giqnMf4h 192.168.4.149 60540 122.1.240.204 443 F6NAbK127LhNBaEe5c - - tcp SSL::Certificate_Expires_Soon Certificate CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP is going to expire at 2014-03-14-23:59:59.000000000 - 192.168.4.149 122.1.240.204 443 - - 
Notice::ACTION_LOG 86400.000000 F - - - - - +#close 2017-12-21-02-30-08 diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log index 3d38c0e4e1..dc1f0239e2 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log 
@@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path notice -#open 2016-07-13-16-17-30 +#open 2017-12-21-02-30-25 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1398954957.074664 CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 162.219.2.166 4443 32 bro Notice::ACTION_LOG 3600.000000 F - - - - - -1398954957.074664 CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 162.219.2.166 4443 32 bro Notice::ACTION_LOG 3600.000000 F - - - - - -1398954957.145535 CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 48. Time: 0.351035 - 192.168.4.149 162.219.2.166 4443 - bro Notice::ACTION_LOG 3600.000000 F - - - - - -#close 2016-07-13-16-17-30 +1398954957.074664 CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. 
Length: 32, is_orig: 1 - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG 3600.000000 F - - - - - +1398954957.074664 CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG 3600.000000 F - - - - - +1398954957.145535 CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 48. Time: 0.351035 - 192.168.4.149 162.219.2.166 4443 - - Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2017-12-21-02-30-25 diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log index 2277c081e1..8a104974c4 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log 
@@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path notice -#open 2016-07-13-16-17-29 +#open 2017-12-21-02-30-24 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1397169549.882425 CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 107.170.241.107 443 32 bro Notice::ACTION_LOG 3600.000000 F - - - - - -1397169549.882425 CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 107.170.241.107 443 32 bro Notice::ACTION_LOG 3600.000000 F - - - - - -1397169549.895057 CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416. Time: 0.035413 - 192.168.4.149 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - - -#close 2016-07-13-16-17-29 +1397169549.882425 CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. 
Length: 32, is_orig: 1 - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG 3600.000000 F - - - - - +1397169549.882425 CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG 3600.000000 F - - - - - +1397169549.895057 CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416. Time: 0.035413 - 192.168.4.149 107.170.241.107 443 - - Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2017-12-21-02-30-24 diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log index 26e4b37722..0d56fcba8d 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2016-07-13-16-17-29 +#open 2017-12-21-02-30-23 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1400106542.810248 CHhAvVGS1DHFjwGM9 54.221.166.250 56323 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 86, is_orig: 1 - 54.221.166.250 162.219.2.166 443 86 bro Notice::ACTION_LOG 3600.000000 F - - - - - -#close 2016-07-13-16-17-29 +1400106542.810248 CHhAvVGS1DHFjwGM9 54.221.166.250 56323 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 86, is_orig: 1 - 54.221.166.250 162.219.2.166 443 86 - Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2017-12-21-02-30-23 diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log index f5ef4dd565..4828b15af2 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path notice -#open 2016-07-13-16-17-28 +#open 2017-12-21-02-30-22 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1396976220.863714 CHhAvVGS1DHFjwGM9 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 16368. Payload length 16365 - 173.203.79.216 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - - -1396976220.918017 CHhAvVGS1DHFjwGM9 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An TLS heartbleed attack detected before was probably exploited. Message length: 16384. Payload length: 16365 - 173.203.79.216 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - - -#close 2016-07-13-16-17-28 +1396976220.863714 CHhAvVGS1DHFjwGM9 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 16368. Payload length 16365 - 173.203.79.216 107.170.241.107 443 - - Notice::ACTION_LOG 3600.000000 F - - - - - +1396976220.918017 CHhAvVGS1DHFjwGM9 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An TLS heartbleed attack detected before was probably exploited. Message length: 16384. Payload length: 16365 - 173.203.79.216 107.170.241.107 443 - - Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2017-12-21-02-30-22 
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log index 42b62fc875..dddb66427d 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log 
@@ -3,31 +3,31 @@ #empty_field (empty) #unset_field - #path notice -#open 2016-07-13-16-17-36 +#open 2017-12-21-02-31-09 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1398558136.430417 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak DH parameters with 1024 key bits - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -1398558136.430417 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key DH key length of 1024 bits is smaller certificate key length of 2048 bits - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -1398558136.542637 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 2048 bit key - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -#close 2016-07-13-16-17-36 +1398558136.430417 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak DH parameters with 1024 key bits - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG 86400.000000 F - - - - - +1398558136.430417 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key DH key length of 1024 bits is smaller certificate key length of 2048 bits - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG 86400.000000 F - - - - - +1398558136.542637 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 2048 bit key - 192.168.18.50 162.219.2.166 443 - - 
Notice::ACTION_LOG 86400.000000 F - - - - - +#close 2017-12-21-02-31-09 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path notice -#open 2016-07-13-16-17-36 +#open 2017-12-21-02-31-10 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1397165496.713940 CHhAvVGS1DHFjwGM9 192.168.4.149 59062 91.227.4.92 443 - - - tcp SSL::Old_Version Host uses protocol version SSLv2 which is lower than the safe minimum TLSv10 - 192.168.4.149 91.227.4.92 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -#close 2016-07-13-16-17-36 +1397165496.713940 CHhAvVGS1DHFjwGM9 192.168.4.149 59062 91.227.4.92 443 - - - tcp SSL::Old_Version Host uses protocol version SSLv2 which is lower than the safe minimum TLSv10 - 192.168.4.149 91.227.4.92 443 - - Notice::ACTION_LOG 86400.000000 F - - - - - +#close 2017-12-21-02-31-10 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path notice -#open 2016-07-13-16-17-37 +#open 2017-12-21-02-31-11 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1170717505.734145 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Cipher Host established connection using unsafe ciper suite 
TLS_RSA_WITH_RC4_128_MD5 - 192.150.187.164 194.127.84.106 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -1170717505.934612 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 1024 bit key - 192.150.187.164 194.127.84.106 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -#close 2016-07-13-16-17-37 +1170717505.734145 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Cipher Host established connection using unsafe ciper suite TLS_RSA_WITH_RC4_128_MD5 - 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG 86400.000000 F - - - - - +1170717505.934612 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 1024 bit key - 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG 86400.000000 F - - - - - +#close 2017-12-21-02-31-11 diff --git a/testing/btest/broker/clone_store.bro b/testing/btest/broker/clone_store.bro deleted file mode 100644 index 1ed35826dc..0000000000 --- a/testing/btest/broker/clone_store.bro +++ /dev/null 
@@ -1,125 +0,0 @@
-# @TEST-SERIALIZE: brokercomm
-# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
-
-# @TEST-EXEC: btest-bg-run clone "bro -b ../clone.bro broker_port=$BROKER_PORT >clone.out"
-# @TEST-EXEC: btest-bg-run master "bro -b ../master.bro broker_port=$BROKER_PORT >master.out"
-
-# @TEST-EXEC: btest-bg-wait 60
-# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff clone/clone.out
-# @TEST-EXEC: btest-diff master/master.out
-
-@TEST-START-FILE clone.bro
-
-const broker_port: port &redef;
-redef exit_only_after_terminate = T;
-
-global h: opaque of Broker::Handle;
-global expected_key_count = 4;
-global key_count = 0;
-
-global query_timeout = 30sec;
-
-function do_lookup(key: string)
- {
- when ( local res = Broker::lookup(h, Broker::data(key)) )
- {
- ++key_count;
- print "lookup", key, res;
-
- if ( key_count == expected_key_count )
- terminate();
- }
- timeout query_timeout
- {
- print "clone lookup query timeout";
- terminate();
- }
- }
-
-event ready()
- {
- h = Broker::create_clone("mystore");
-
- when ( local res = Broker::keys(h) )
- {
- print "clone keys", res;
- do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 0)));
- do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 1)));
- do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 2)));
- do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 3)));
- }
- timeout query_timeout
- {
- print "clone keys query timeout";
- terminate();
- }
- }
-
-event bro_init()
- {
- Broker::enable();
- Broker::subscribe_to_events("bro/event/ready");
- Broker::listen(broker_port, "127.0.0.1");
- }
-
-@TEST-END-FILE
-
-@TEST-START-FILE master.bro
-
-global query_timeout = 15sec;
-
-const broker_port: port &redef;
-redef exit_only_after_terminate = T;
-
-global h: opaque of Broker::Handle;
-
-function dv(d: Broker::Data): Broker::DataVector
- {
- local rval: Broker::DataVector;
- rval[0] = d;
- return rval;
- }
-
-global ready: event();
-
-event Broker::outgoing_connection_broken(peer_address: string,
- peer_port: port)
- {
- terminate();
- }
-
-event Broker::outgoing_connection_established(peer_address: string,
- peer_port: port,
- peer_name: string)
- {
- local myset: set[string] = {"a", "b", "c"};
- local myvec: vector of string = {"alpha", "beta", "gamma"};
- h = Broker::create_master("mystore");
- Broker::insert(h, Broker::data("one"), Broker::data(110));
- Broker::insert(h, Broker::data("two"), Broker::data(223));
- Broker::insert(h, Broker::data("myset"), Broker::data(myset));
- Broker::insert(h, Broker::data("myvec"), Broker::data(myvec));
- Broker::increment(h, Broker::data("one"));
- Broker::decrement(h, Broker::data("two"));
- Broker::add_to_set(h, Broker::data("myset"), Broker::data("d"));
- Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b"));
- Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta")));
- Broker::push_right(h, Broker::data("myvec"), dv(Broker::data("omega")));
-
- when ( local res = Broker::size(h) )
- { event ready(); }
- timeout query_timeout
- {
- print "master size query timeout";
- terminate();
- }
- }
-
-event bro_init()
- {
- Broker::enable();
- Broker::auto_event("bro/event/ready", ready);
- Broker::connect("127.0.0.1", broker_port, 1secs);
- }
-
-@TEST-END-FILE
diff --git a/testing/btest/broker/connect-on-retry.bro b/testing/btest/broker/connect-on-retry.bro
new file mode 100644
index 0000000000..0ce6950712
--- /dev/null
+++ b/testing/btest/broker/connect-on-retry.bro
@@ -0,0 +1,103 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
+#
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff recv/recv.out
+# @TEST-EXEC: btest-diff send/send.out
+
+@TEST-START-FILE send.bro
+
+redef Broker::default_connect_retry=1secs;
+redef Broker::default_listen_retry=1secs;
+redef exit_only_after_terminate = T;
+
+global event_count = 0;
+
+global ping: event(msg: string, c: count);
+
+event bro_init()
+ {
+ Broker::subscribe("bro/event/my_topic");
+ Broker::auto_publish("bro/event/my_topic", ping);
+ Broker::peer("127.0.0.1");
+ }
+
+function send_event()
+ {
+ event ping("my-message", ++event_count);
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print fmt("sender added peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+ send_event();
+ }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print fmt("sender lost peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+ terminate();
+ }
+
+event pong(msg: string, n: count)
+ {
+ print fmt("sender got pong: %s, %s", msg, n);
+ send_event();
+ }
+
+@TEST-END-FILE
+
+
+@TEST-START-FILE recv.bro
+
+redef Broker::default_connect_retry=1secs;
+redef Broker::default_listen_retry=1secs;
+redef exit_only_after_terminate = T;
+
+const events_to_recv = 5;
+
+global handler: event(msg: string, c: count);
+global auto_handler: event(msg: string, c: count);
+
+global pong: event(msg: string, c: count);
+
+event delayed_listen()
+ {
+ Broker::listen("127.0.0.1");
+ }
+
+event bro_init()
+ {
+ Broker::subscribe("bro/event/my_topic");
+ Broker::auto_publish("bro/event/my_topic", pong);
+ schedule 5secs { delayed_listen() };
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print fmt("receiver added peer: endpoint=%s msg=%s",
+ endpoint$network$address, msg);
+ }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print fmt("receiver lost peer: endpoint=%s msg=%s",
+ endpoint$network$address, msg);
+ }
+
+event ping(msg: string, n: count)
+ {
+ print fmt("receiver got ping: %s, %s", msg, n);
+
+ if ( n == events_to_recv )
+ {
+ terminate();
+ return;
+ }
+
+ event pong(msg, n);
+ }
+
+@TEST-END-FILE
diff --git a/testing/btest/broker/connection_updates.bro b/testing/btest/broker/connection_updates.bro
deleted file mode 100644
index d431a59dbe..0000000000
--- a/testing/btest/broker/connection_updates.bro
+++ /dev/null
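Review bot: In recv.bro of the new connect-on-retry test, the globals `handler` and `auto_handler` are declared but never raised, handled or published anywhere in the file, so they read as leftovers and should be dropped. The test's purpose is also not stated: the sender's `Broker::peer("127.0.0.1")` has to keep retrying until the receiver's `schedule 5secs { delayed_listen() };` opens the listener, and a comment such as `# Listen late on purpose so the sender has to retry its peering.` above the `schedule` line would make that explicit. Unlike the removed tests, which passed `broker_port=$BROKER_PORT`, both sides here rely on the default port, so the test presumably depends on `@TEST-SERIALIZE: comm` and on nothing else on the host holding that port; worth confirming.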
@@ -1,57 +0,0 @@
-# @TEST-SERIALIZE: brokercomm
-# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
-
-# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out"
-# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro broker_port=$BROKER_PORT >send.out"
-
-# @TEST-EXEC: btest-bg-wait 20
-# @TEST-EXEC: btest-diff recv/recv.out
-# @TEST-EXEC: btest-diff send/send.out
-
-@TEST-START-FILE recv.bro
-
-const broker_port: port &redef;
-redef exit_only_after_terminate = T;
-redef Broker::endpoint_name = "listener";
-
-event bro_init()
- {
- Broker::enable();
- Broker::listen(broker_port, "127.0.0.1");
- }
-
-event Broker::incoming_connection_established(peer_name: string)
- {
- print "Broker::incoming_connection_established", peer_name;
- }
-
-event Broker::incoming_connection_broken(peer_name: string)
- {
- print "Broker::incoming_connection_broken", peer_name;
- terminate();
- }
-
-@TEST-END-FILE
-
-@TEST-START-FILE send.bro
-
-const broker_port: port &redef;
-redef exit_only_after_terminate = T;
-redef Broker::endpoint_name = "connector";
-
-event bro_init()
- {
- Broker::enable();
- Broker::connect("127.0.0.1", broker_port, 1sec);
- }
-
-event Broker::outgoing_connection_established(peer_address: string,
- peer_port: port,
- peer_name: string)
- {
- print "Broker::outgoing_connection_established",
- peer_address, peer_port, peer_name;
- terminate();
- }
-
-@TEST-END-FILE
diff --git a/testing/btest/broker/data.bro b/testing/btest/broker/data.bro
deleted file mode 100644
index 49474e3a5a..0000000000
--- a/testing/btest/broker/data.bro
+++ /dev/null
@@ -1,255 +0,0 @@ -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt - -# @TEST-EXEC: bro -b %INPUT >out -# @TEST-EXEC: btest-diff out - -type bro_set: set[string]; -type bro_table: table[string] of count; -type bro_vector: vector of string; - -type bro_record : record { - a: string &optional; - b: string &default = "bee"; - c: count; -}; - -function broker_to_bro_record_recurse(it: opaque of Broker::RecordIterator, - rval: bro_record, - idx: count): bro_record - { - if ( Broker::record_iterator_last(it) ) - return rval; - - local field_value = Broker::record_iterator_value(it); - - if ( field_value?$d ) - switch ( idx ) { - case 0: - rval$a = Broker::refine_to_string(field_value); - break; - case 1: - rval$b = Broker::refine_to_string(field_value); - break; - case 2: - rval$c = Broker::refine_to_count(field_value); - break; - }; - - ++idx; - Broker::record_iterator_next(it); - return broker_to_bro_record_recurse(it, rval, idx); - } - -function broker_to_bro_record(d: Broker::Data): bro_record - { - return broker_to_bro_record_recurse(Broker::record_iterator(d), - bro_record($c = 0), 0); - } - -function -broker_to_bro_set_recurse(it: opaque of Broker::SetIterator, - rval: bro_set): bro_set - { - if ( Broker::set_iterator_last(it) ) - return rval; - - add rval[Broker::refine_to_string(Broker::set_iterator_value(it))]; - Broker::set_iterator_next(it); - return broker_to_bro_set_recurse(it, rval); - } - - -function broker_to_bro_set(d: Broker::Data): bro_set - { - return broker_to_bro_set_recurse(Broker::set_iterator(d), bro_set()); - } - -function -broker_to_bro_table_recurse(it: opaque of Broker::TableIterator, - rval: bro_table): bro_table - { - if ( Broker::table_iterator_last(it) ) - return rval; - - local item = Broker::table_iterator_value(it); - rval[Broker::refine_to_string(item$key)] = Broker::refine_to_count(item$val); - Broker::table_iterator_next(it); - return broker_to_bro_table_recurse(it, rval); - } - -function 
broker_to_bro_table(d: Broker::Data): bro_table - { - return broker_to_bro_table_recurse(Broker::table_iterator(d), - bro_table()); - } - -function broker_to_bro_vector_recurse(it: opaque of Broker::VectorIterator, - rval: bro_vector): bro_vector - { - if ( Broker::vector_iterator_last(it) ) - return rval; - - rval[|rval|] = Broker::refine_to_string(Broker::vector_iterator_value(it)); - Broker::vector_iterator_next(it); - return broker_to_bro_vector_recurse(it, rval); - } - -function broker_to_bro_vector(d: Broker::Data): bro_vector - { - return broker_to_bro_vector_recurse(Broker::vector_iterator(d), - bro_vector()); - } - -event bro_init() -{ -Broker::enable(); - -### Print every broker data type - -print Broker::data_type(Broker::data(T)); -print Broker::data_type(Broker::data(+1)); -print Broker::data_type(Broker::data(1)); -print Broker::data_type(Broker::data(1.1)); -print Broker::data_type(Broker::data("1 (how creative)")); -print Broker::data_type(Broker::data(1.1.1.1)); -print Broker::data_type(Broker::data(1.1.1.1/1)); -print Broker::data_type(Broker::data(1/udp)); -print Broker::data_type(Broker::data(double_to_time(1))); -print Broker::data_type(Broker::data(1sec)); -print Broker::data_type(Broker::data(Broker::BOOL)); -local s: bro_set = bro_set("one", "two", "three"); -local t: bro_table = bro_table(["one"] = 1, ["two"] = 2, ["three"] = 3); -local v: bro_vector = bro_vector("zero", "one", "two"); -local r: bro_record = bro_record($c = 1); -print Broker::data_type(Broker::data(s)); -print Broker::data_type(Broker::data(t)); -print Broker::data_type(Broker::data(v)); -print Broker::data_type(Broker::data(r)); - -print "***************************"; - -### Convert a Bro value to a broker value, then print the result - -print Broker::refine_to_bool(Broker::data(T)); -print Broker::refine_to_bool(Broker::data(F)); -print Broker::refine_to_int(Broker::data(+1)); -print Broker::refine_to_int(Broker::data(+0)); -print Broker::refine_to_int(Broker::data(-1)); 
-print Broker::refine_to_count(Broker::data(1)); -print Broker::refine_to_count(Broker::data(0)); -print Broker::refine_to_double(Broker::data(1.1)); -print Broker::refine_to_double(Broker::data(-11.1)); -print Broker::refine_to_string(Broker::data("hello")); -print Broker::refine_to_addr(Broker::data(1.2.3.4)); -print Broker::refine_to_subnet(Broker::data(192.168.1.1/16)); -print Broker::refine_to_port(Broker::data(22/tcp)); -print Broker::refine_to_time(Broker::data(double_to_time(42))); -print Broker::refine_to_interval(Broker::data(3min)); -print Broker::refine_to_enum_name(Broker::data(Broker::BOOL)); - -local cs = Broker::data(s); -print broker_to_bro_set(cs); - -local ct = Broker::data(t); -print broker_to_bro_table(ct); - -local cv = Broker::data(v); -print broker_to_bro_vector(cv); - -local cr = Broker::data(r); -print broker_to_bro_record(cr); - -r$a = "test"; -cr = Broker::data(r); -print broker_to_bro_record(cr); - -r$b = "testagain"; -cr = Broker::data(r); -print broker_to_bro_record(cr); - -print "***************************"; - -### Test the broker set BIFs - -cs = Broker::set_create(); -print Broker::set_size(cs); -print Broker::set_insert(cs, Broker::data("hi")); -print Broker::set_size(cs); -print Broker::set_contains(cs, Broker::data("hi")); -print Broker::set_contains(cs, Broker::data("bye")); -print Broker::set_insert(cs, Broker::data("bye")); -print Broker::set_size(cs); -print Broker::set_insert(cs, Broker::data("bye")); -print Broker::set_size(cs); -print Broker::set_remove(cs, Broker::data("hi")); -print Broker::set_size(cs); -print Broker::set_remove(cs, Broker::data("hi")); -print broker_to_bro_set(cs); -print Broker::set_clear(cs); -print Broker::set_size(cs); -print broker_to_bro_set(cs); - -print "***************************"; - -### Test the broker table BIFs - -ct = Broker::table_create(); -print Broker::table_size(ct); -print Broker::table_insert(ct, Broker::data("hi"), Broker::data(42)); -print Broker::table_size(ct); -print 
Broker::table_contains(ct, Broker::data("hi")); -print Broker::refine_to_count(Broker::table_lookup(ct, Broker::data("hi"))); -print Broker::table_contains(ct, Broker::data("bye")); -print Broker::table_insert(ct, Broker::data("bye"), Broker::data(7)); -print Broker::table_size(ct); -print Broker::table_insert(ct, Broker::data("bye"), Broker::data(37)); -print Broker::table_size(ct); -print Broker::refine_to_count(Broker::table_lookup(ct, Broker::data("bye"))); -print Broker::table_remove(ct, Broker::data("hi")); -print Broker::table_size(ct); -print Broker::table_remove(ct, Broker::data("hi")); -print Broker::table_size(ct); -print Broker::table_clear(ct); -print Broker::table_size(ct); -print broker_to_bro_table(ct); - -print "***************************"; - -### Test the broker vector BIFs - -cv = Broker::vector_create(); -print Broker::vector_size(cv); -print Broker::vector_insert(cv, Broker::data("hi"), 0); -print Broker::vector_insert(cv, Broker::data("hello"), 1); -print Broker::vector_insert(cv, Broker::data("greetings"), 2); -print Broker::vector_insert(cv, Broker::data("salutations"), 1); -print broker_to_bro_vector(cv); -print Broker::vector_size(cv); -print Broker::vector_replace(cv, Broker::data("bah"), 2); -print Broker::vector_lookup(cv, 2); -print Broker::vector_lookup(cv, 0); -print broker_to_bro_vector(cv); -print Broker::vector_remove(cv, 2); -print broker_to_bro_vector(cv); -print Broker::vector_size(cv); -print Broker::vector_clear(cv); -print Broker::vector_size(cv); -print broker_to_bro_vector(cv); - -print "***************************"; - -### Test the broker record BIFs - -cr = Broker::record_create(3); -print Broker::record_size(cr); -print Broker::record_assign(cr, Broker::data("hi"), 0); -print Broker::record_assign(cr, Broker::data("hello"), 1); -print Broker::record_assign(cr, Broker::data(37), 2); -print Broker::record_lookup(cr, 0); -print Broker::record_lookup(cr, 1); -print Broker::record_lookup(cr, 2); -print 
Broker::record_size(cr); -print Broker::record_assign(cr, Broker::data("goodbye"), 1); -print Broker::record_size(cr); -print Broker::record_lookup(cr, 1); -} diff --git a/testing/btest/broker/disconnect.bro b/testing/btest/broker/disconnect.bro new file mode 100644 index 0000000000..cc1822f891 --- /dev/null +++ b/testing/btest/broker/disconnect.bro 
@@ -0,0 +1,100 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" +# +# @TEST-EXEC: sleep 6 && kill $(cat recv/.pid) && sleep 1 && echo 0 >recv/.exitcode +# @TEST-EXEC: btest-bg-run recv2 "bro -B broker -b ../recv.bro >recv2.out" +# +# @TEST-EXEC: btest-bg-wait 25 +# @TEST-EXEC: btest-diff send/send.out +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff recv2/recv2.out +# +# @TEST-EXEC: cat send/broker.log | awk '/Broker::STATUS/ { $5="XXX"; print; }' >send/broker.filtered.log +# @TEST-EXEC: cat recv/broker.log | awk '/Broker::STATUS/ { $5="XXX"; print; }' >recv/broker.filtered.log +# @TEST-EXEC: cat recv2/broker.log | grep -v "lost remote peer" | awk '/Broker::STATUS/ { $5="XXX"; print; }' >recv2/broker.filtered.log +# @TEST-EXEC: btest-diff send/broker.filtered.log +# @TEST-EXEC: btest-diff recv/broker.filtered.log +# @TEST-EXEC: btest-diff recv2/broker.filtered.log + +@TEST-START-FILE send.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +event self_terminate() + { + terminate(); + } + +event do_terminate() + { + schedule 2sec { self_terminate() }; + } + +event print_something(i: int) + { + print "Something sender", i; + } + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::auto_publish("bro/event/my_topic", print_something); + Broker::auto_publish("bro/event/my_topic", do_terminate); + Broker::peer("127.0.0.1"); + + schedule 3secs { print_something(1) }; + schedule 12secs { print_something(2) }; + schedule 13secs { do_terminate() }; + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print "peer lost", msg; + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print "peer added", msg; + } + +@TEST-END-FILE + + +@TEST-START-FILE recv.bro + +redef 
Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +event do_terminate() + { + terminate(); + } + +event print_something(i: int) + { + print "Something receiver", i; + } + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::listen("127.0.0.1"); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + # In the 2nd run, this may be lost at termination, so don't output. + #print "peer lost", msg; + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print "peer added", msg; + } + +@TEST-END-FILE diff --git a/testing/btest/broker/enable-and-exit.bro b/testing/btest/broker/enable-and-exit.bro deleted file mode 100644 index 78800b31b0..0000000000 --- a/testing/btest/broker/enable-and-exit.bro +++ /dev/null @@ -1,19 +0,0 @@ -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt - -# @TEST-EXEC: bro -b %INPUT >output -# @TEST-EXEC: btest-diff output - -redef exit_only_after_terminate = T; - -event terminate_me() { - print "terminating"; - terminate(); -} - -event bro_init() { - Broker::enable(); - - print "1"; - schedule 1sec { terminate_me() }; - print "2"; -} diff --git a/testing/btest/broker/error.bro b/testing/btest/broker/error.bro new file mode 100644 index 0000000000..a379e99ea8 --- /dev/null +++ b/testing/btest/broker/error.bro 
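Review bot: The `@TEST-EXEC: sleep 6 && kill $(cat recv/.pid) && sleep 1 && echo 0 >recv/.exitcode` line in disconnect.bro overwrites the first receiver's exit status with 0, so a crash or error exit that happened before the kill is hidden from `btest-bg-wait`. Checking that the process was still running before killing it would keep that signal, for example `test ! -e recv/.exitcode && kill $(cat recv/.pid)`, assuming `.exitcode` is only written once the background process has ended. The sequencing also depends on fixed delays (`sleep 6` against `schedule 3secs`, `12secs` and `13secs` in send.bro), which is likely to be flaky on a loaded machine. In recv.bro the `Broker::peer_lost` handler contains only a commented-out print; dropping the handler and keeping the explanation as a comment would read more clearly.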
@@ -0,0 +1,44 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: bro -B main-loop,broker -b send.bro >send.out
+# @TEST-EXEC: btest-diff send.out
+#
+
+@TEST-START-FILE send.bro
+
+redef Broker::default_connect_retry=1secs;
+redef Broker::default_listen_retry=1secs;
+redef exit_only_after_terminate = T;
+
+event do_terminate()
+ {
+ terminate();
+ }
+
+event do_something()
+ {
+ # Will fail and generate an error.
+ Broker::unpeer("1.2.3.4", 1947/tcp);
+ }
+
+event Broker::status(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print "status", endpoint, endpoint$network, msg;
+ }
+
+event Broker::error(code: Broker::ErrorCode, msg: string)
+ {
+ print "error", code, msg;
+ }
+
+event bro_init()
+ {
+ Broker::subscribe("bro/event/my_topic");
+
+ schedule 2secs { do_something() };
+ schedule 4secs { do_terminate() };
+ }
+
+
+@TEST-END-FILE
+
diff --git a/testing/btest/broker/master_store.bro b/testing/btest/broker/master_store.bro
deleted file mode 100644
index 09f0f82880..0000000000
--- a/testing/btest/broker/master_store.bro
+++ /dev/null
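Review bot: The `-B main-loop,broker` switch on the `@TEST-EXEC` line of error.bro looks like leftover debugging, since only `send.out` is diffed and nothing reads the debug output. If `-B` is only accepted by debug builds (worth confirming against the option parsing in main.cc), the test would fail on a release build rather than testing `Broker::unpeer`. Either run it as `bro -b send.bro >send.out` or guard the test with a `@TEST-REQUIRES` line for a debug build. disconnect.bro, remote_event.bro and remote_event_ssl_auth.bro pass `-B broker` in the same way.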
@@ -1,181 +0,0 @@ -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt - -# @TEST-EXEC: btest-bg-run master "bro -b %INPUT >out" -# @TEST-EXEC: btest-bg-wait 60 -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out - -redef exit_only_after_terminate = T; - -global h: opaque of Broker::Handle; -global lookup_count = 0; -const lookup_expect_count = 5; -global exists_count = 0; -const exists_expect_count = 4; -global pop_count = 0; -const pop_expect_count = 2; - -global test_size: event(where: string &default = ""); - -global query_timeout = 30sec; - -event test_clear() - { - Broker::clear(h); - event test_size("after clear"); - } - -event test_size(where: string) - { - when ( local res = Broker::size(h) ) - { - if ( where == "" ) - { - print fmt("size: %s", res); - event test_clear(); - } - else - { - print fmt("size (%s): %s", where, res); - terminate(); - } - } - timeout query_timeout - { - print "'size' query timeout"; - - if ( where == "" ) - event test_clear(); - else - terminate(); - } - } - -event test_keys() - { - when ( local res = Broker::keys(h) ) - { - print fmt("keys: %s", res); - event test_size(); - } - timeout query_timeout - { - print "'keys' query timeout"; - event test_size(); - } - } - -event test_pop(key: string) - { - when ( local lres = Broker::pop_left(h, Broker::data(key)) ) - { - print fmt("pop_left(%s): %s", key, lres); - ++pop_count; - - if ( pop_count == pop_expect_count ) - event test_keys(); - } - timeout query_timeout - { - print "'pop_left' timeout"; - ++pop_count; - - if ( pop_count == pop_expect_count ) - event test_keys(); - } - - when ( local rres = Broker::pop_right(h, Broker::data(key)) ) - { - print fmt("pop_right(%s): %s", key, rres); - ++pop_count; - - if ( pop_count == pop_expect_count ) - event test_keys(); - } - timeout query_timeout - { - print "'pop_right' timeout"; - ++pop_count; - - if ( pop_count == pop_expect_count ) - event test_keys(); - } - } - -function do_exists(key: 
string) - { - when ( local res = Broker::exists(h, Broker::data(key)) ) - { - print fmt("exists(%s): %s", key, res); - ++exists_count; - - if ( exists_count == exists_expect_count ) - event test_pop("myvec"); - } - timeout query_timeout - { - print "'exists' query timeout"; - ++exists_count; - - if ( exists_count == exists_expect_count ) - event test_pop("myvec"); - } - } - -event test_erase() - { - Broker::erase(h, Broker::data("two")); - do_exists("one"); - do_exists("two"); - do_exists("myset"); - do_exists("four"); - } - -function do_lookup(key: string) - { - when ( local res = Broker::lookup(h, Broker::data(key)) ) - { - print fmt("lookup(%s): %s", key, res); - ++lookup_count; - - if ( lookup_count == lookup_expect_count ) - event test_erase(); - } - timeout query_timeout - { - print "'lookup' query timeout"; - ++lookup_count; - - if ( lookup_count == lookup_expect_count ) - event test_erase(); - } - } - -function dv(d: Broker::Data): Broker::DataVector - { - local rval: Broker::DataVector; - rval[0] = d; - return rval; - } - -event bro_init() - { - Broker::enable(); - local myset: set[string] = {"a", "b", "c"}; - local myvec: vector of string = {"alpha", "beta", "gamma"}; - h = Broker::create_master("master"); - Broker::insert(h, Broker::data("one"), Broker::data(110)); - Broker::insert(h, Broker::data("two"), Broker::data(223)); - Broker::insert(h, Broker::data("myset"), Broker::data(myset)); - Broker::insert(h, Broker::data("myvec"), Broker::data(myvec)); - Broker::increment(h, Broker::data("one")); - Broker::decrement(h, Broker::data("two")); - Broker::add_to_set(h, Broker::data("myset"), Broker::data("d")); - Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b")); - Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta"))); - Broker::push_right(h, Broker::data("myvec"), dv(Broker::data("omega"))); - do_lookup("one"); - do_lookup("two"); - do_lookup("myset"); - do_lookup("four"); - do_lookup("myvec"); - } 
diff --git a/testing/btest/broker/remote_event.bro b/testing/btest/broker/remote_event.bro
new file mode 100644
index 0000000000..94aac2ca20
--- /dev/null
+++ b/testing/btest/broker/remote_event.bro
@@ -0,0 +1,103 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" +# +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff send/send.out + +@TEST-START-FILE send.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +global event_count = 0; + +global ping: event(msg: string, c: count); + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::peer("127.0.0.1"); + print "is_remote should be F, and is", is_remote_event(); + } + +function send_event() + { + ++event_count; + local e = Broker::make_event(ping, "my-message", event_count); + Broker::publish("bro/event/my_topic", e); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender added peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + send_event(); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender lost peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + terminate(); + } + +event pong(msg: string, n: count) + { + print "is_remote should be T, and is", is_remote_event(); + print fmt("sender got pong: %s, %s", msg, n); + send_event(); + } + +@TEST-END-FILE + + +@TEST-START-FILE recv.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +const events_to_recv = 5; + +global handler: event(msg: string, c: count); +global auto_handler: event(msg: string, c: count); + +global pong: event(msg: string, c: count); + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::listen("127.0.0.1"); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s msg=%s", 
endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +event ping(msg: string, n: count) + { + print "is_remote should be T, and is", is_remote_event(); + print fmt("receiver got ping: %s, %s", msg, n); + + if ( n == events_to_recv ) + { + print get_broker_stats(); + terminate(); + return; + } + + local e = Broker::make_event(pong, msg, n); + Broker::publish("bro/event/my_topic", e); + } + +@TEST-END-FILE diff --git a/testing/btest/broker/remote_event.test b/testing/btest/broker/remote_event.test deleted file mode 100644 index 5118f1a5e8..0000000000 --- a/testing/btest/broker/remote_event.test +++ /dev/null 
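Review bot: `Broker::listen("127.0.0.1")` in recv.bro and `Broker::peer("127.0.0.1")` in send.bro name no port, so both processes meet on whatever the default Broker port is, whereas the deleted remote_event.test passed `broker_port=$BROKER_PORT` to each side. If another process on the host already holds that port, the receiver cannot bind, and the sender would peer with that unrelated endpoint and publish `ping` to it. Keeping a test-assigned port, with `const broker_port: port &redef;` passed to both calls, avoids this, assuming the new `Broker::listen` and `Broker::peer` take a port after the address as `Broker::unpeer("1.2.3.4", 1947/tcp)` does in error.bro. The same applies to disconnect.bro, remote_event_auto.bro and remote_event_ssl_auth.bro.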
@@ -1,94 +0,0 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt - -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro broker_port=$BROKER_PORT >send.out" - -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: btest-diff recv/recv.out -# @TEST-EXEC: btest-diff send/send.out - -@TEST-START-FILE recv.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -global event_handler: event(msg: string, c: count); -global auto_event_handler: event(msg: string, c: count); - -event bro_init() - { - Broker::enable(); - Broker::subscribe_to_events("bro/event/"); - Broker::auto_event("bro/event/my_topic", auto_event_handler); - Broker::listen(broker_port, "127.0.0.1"); - } - -global event_count = 0; -global events_to_recv = 6; - -event event_handler(msg: string, n: count) - { - ++event_count; - print "got event msg", msg, n; - - if ( event_count == events_to_recv ) - { - terminate(); - return; - } - - event auto_event_handler(msg, n); - local args = Broker::event_args(event_handler, "pong", n); - Broker::send_event("bro/event/my_topic", args); - } - -@TEST-END-FILE - -@TEST-START-FILE send.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -global event_handler: event(msg: string, c: count); -global auto_event_handler: event(msg: string, c: count); - -event bro_init() - { - Broker::enable(); - Broker::subscribe_to_events("bro/event/my_topic"); - Broker::connect("127.0.0.1", broker_port, 1secs); - } - -global event_count = 0; - -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) - { - print "Broker::outgoing_connection_established", peer_address, peer_port; - local args = Broker::event_args(event_handler, "ping", event_count); - Broker::send_event("bro/event/hi", args); - ++event_count; - } - -event 
Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) - { - terminate(); - } - -event event_handler(msg: string, n: count) - { - print "got event msg", msg, n; - local args = Broker::event_args(event_handler, "ping", event_count); - Broker::send_event("bro/event/hi", args); - ++event_count; - } - -event auto_event_handler(msg: string, n: count) - { - print "got auto event msg", msg, n; - } - -@TEST-END-FILE diff --git a/testing/btest/broker/remote_event_auto.bro b/testing/btest/broker/remote_event_auto.bro new file mode 100644 index 0000000000..fc1b9922a5 --- /dev/null +++ b/testing/btest/broker/remote_event_auto.bro 
@@ -0,0 +1,98 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out" +# +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff send/send.out + +@TEST-START-FILE send.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +global event_count = 0; + +global ping: event(msg: string, c: count); + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::auto_publish("bro/event/my_topic", ping); + Broker::peer("127.0.0.1"); + } + +function send_event() + { + event ping("my-message", ++event_count); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + send_event(); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + terminate(); + } + +event pong(msg: string, n: count) + { + print fmt("sender got pong: %s, %s", msg, n); + send_event(); + } + +@TEST-END-FILE + + +@TEST-START-FILE recv.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +const events_to_recv = 5; + +global handler: event(msg: string, c: count); +global auto_handler: event(msg: string, c: count); + +global pong: event(msg: string, c: count); + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::auto_publish("bro/event/my_topic", pong); + Broker::listen("127.0.0.1"); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: 
endpoint=%s msg=%s", + endpoint$network$address, msg); + } + +event ping(msg: string, n: count) + { + print fmt("receiver got ping: %s, %s", msg, n); + + if ( n == events_to_recv ) + { + terminate(); + return; + } + + event pong(msg, n); + } + +@TEST-END-FILE diff --git a/testing/btest/broker/remote_event_ssl_auth.bro b/testing/btest/broker/remote_event_ssl_auth.bro new file mode 100644 index 0000000000..6135fd15be --- /dev/null +++ b/testing/btest/broker/remote_event_ssl_auth.bro 
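Review bot: In recv.bro of remote_event_auto.bro the globals `handler` and `auto_handler` are declared but never raised, handled or published; only `ping` and `pong` are used. They look like leftovers of `event_handler` and `auto_event_handler` from the deleted remote_event.test and can be removed, leaving `global pong: event(msg: string, c: count);`. remote_event.bro and remote_event_ssl_auth.bro carry the same two unused declarations.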
@@ -0,0 +1,263 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" +# +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff send/send.out + + +@TEST-START-FILE cert.1.pem +-----BEGIN CERTIFICATE----- +MIIDOjCCAiICCQDz7oMOR7Wm7jANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJV +UzELMAkGA1UECAwCQ0ExETAPBgNVBAcMCEJlcmtlbGV5MSMwIQYDVQQKDBpBQ01F +IFNpZ25pbmcgQXV0aG9yaXR5IEluYzEQMA4GA1UEAwwHZm9vLmJhcjAgFw0xNzA0 +MjEyMzI2MzhaGA80NzU1MDMxOTIzMjYzOFowWDELMAkGA1UEBhMCVVMxCzAJBgNV +BAgMAkNBMREwDwYDVQQHDAhCZXJrZWxleTEVMBMGA1UECgwMQUNNRSBTZXJ2aWNl +MRIwEAYDVQQDDAkxLmZvby5iYXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDHobccAQQqbZANdOdx852W/nUzGcwpurOi8zbh9yCxMwnFMogW9AsqKEnd +sypV6Ah/cIz45PAgCdEg+1pc2DG7+E0+QlV4ChNwCDuk+FSWB6pqMTCdZcLeIwlA +GPp6Ow9v40dW7IFpDetFKXEo6kqEzR5P58Q0a6KpCtpsSMqhk57Py83wB9gPA1vp +s77kN7D5CI3oay86TA5j5nfFMT1X/77Hs24csW6CLnW/OD4f1RK79UgPd/kpPKQ1 +jNq+hsR7NZTcfrAF1hcfScxnKaznO7WopSt1k75NqLdnSN1GIci2GpiXYKtXZ9l5 +TErv2Oucpw/u+a/wjKlXjrgLL9lfAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKuW +yKA2uuiNc9MKU+yVbNaP8kPaMb/wMvVaFG8FFFpCTZ0MFMLsqRpeqtj7gMK/gaJC +CQm4EyadjzfWFYDLkHzm6b7gI8digvvhjr/C2RJ5Qxr2P0iFP1buGq0CqnF20XgQ +Q+ecS43CZ77CfKfS6ZLPmAZMAwgFLImVyo5mkaTECo3+9oCnjDYBapvXLJqCJRhk +NosoTmGCV0HecWN4l38ojnXd44aSktQIND9iCLus3S6++nFnX5DHGZiv6/SnSO/6 ++Op7nV0A6zKVcMOYQ0SGZPD8UQs5wDJgrR9LY29Ox5QBwu/5NqyvNSrMQaTop5vb +wkMInaq5lLxEYQDSLBc= +-----END CERTIFICATE----- +@TEST-END-FILE + +@TEST-START-FILE cert.2.pem +-----BEGIN CERTIFICATE----- +MIIDOjCCAiICCQDz7oMOR7Wm7TANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJV +UzELMAkGA1UECAwCQ0ExETAPBgNVBAcMCEJlcmtlbGV5MSMwIQYDVQQKDBpBQ01F +IFNpZ25pbmcgQXV0aG9yaXR5IEluYzEQMA4GA1UEAwwHZm9vLmJhcjAgFw0xNzA0 +MjEyMzI2MzNaGA80NzU1MDMxOTIzMjYzM1owWDELMAkGA1UEBhMCVVMxCzAJBgNV +BAgMAkNBMREwDwYDVQQHDAhCZXJrZWxleTEVMBMGA1UECgwMQUNNRSBTZXJ2aWNl 
+MRIwEAYDVQQDDAkyLmZvby5iYXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDG9fAvW9qnhjGRmLpA++RvOHaesu7NiUQvxf2F6gF2rLJV0/+DSA/PztEv +1WJaGhgJSaEqUjaHk3HY2EKlbGXEPh1mxqgPZD5plGlu4ddTwutxCxxQiFIBH+3N +MYRjJvDN7ozJoi4uRiK0QQdDWAqWJs5hMOJqeWd6MCgmVXSP6pj5/omGROktbHzD +9jJhAW9fnYFg6k+7cGN5kLmjqqnGhJkNtgom6uW9j73S9OpU/9Er2aZme6/PrujI +qYFBV81TJK2vmonWUITxfQjk9JVJYhBdHamGTxUqVBbuRcbAqdImV9yx4LoGh55u +L6xnsW4i0n1o1k+bh03NgwPz12O3AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJmN +yCdInFIeEwomE6m+Su82BWBzkztOfMG9iRE+1aGuC8EQ8kju5NNMmWQcuKetNh0s +hJVdY6LXh27O0ZUllhQ/ig9c+dYFh6AHoZU7WjiNKIyWuyl4IAOkQ4IEdsBvst+l +0rafcdJjUpqNOMWeyg6x1s+gUD5o+ZLCZGCdkCW3fZbKgF52L+vmsSRiJg2JkYZW +8BPNNsroHZw2UXnLvRqUXCMf1hnOrlx/B0a0Q46hD4NQvl+OzlKaxfR2L2USmJ8M +XZvT6+i8fWvkGv18iunm23Yu+8Zf08wTXnbqXvmMda5upAYLmwD0YKIVYC3ycihh +mkYCYI6PVeH63a2/zxw= +-----END CERTIFICATE----- +@TEST-END-FILE + +@TEST-START-FILE key.1.pem +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAx6G3HAEEKm2QDXTncfOdlv51MxnMKbqzovM24fcgsTMJxTKI +FvQLKihJ3bMqVegIf3CM+OTwIAnRIPtaXNgxu/hNPkJVeAoTcAg7pPhUlgeqajEw +nWXC3iMJQBj6ejsPb+NHVuyBaQ3rRSlxKOpKhM0eT+fENGuiqQrabEjKoZOez8vN +8AfYDwNb6bO+5Dew+QiN6GsvOkwOY+Z3xTE9V/++x7NuHLFugi51vzg+H9USu/VI +D3f5KTykNYzavobEezWU3H6wBdYXH0nMZyms5zu1qKUrdZO+Tai3Z0jdRiHIthqY +l2CrV2fZeUxK79jrnKcP7vmv8IypV464Cy/ZXwIDAQABAoIBAC0Y7jmoTR2clJ9F +modWhnI215kMqd9/atdT5EEVx8/f/MQMj0vII8GJSm6H6/duLIVFksMjTM+gCBtQ +TPCOcmXJSQHYkGBGvm9fnMG+y7T81FWa+SWFeIkgFxXgzqzQLMOU72fGk9F8sHp2 +Szb3/o+TmtZoQB2rdxqC9ibiJsxrG5IBVKkzlSPv3POkPXwSb1HcETqrTwefuioj +WMuMrqtm5Y3HddJ5l4JEF5VA3KrsfXWl3JLHH0UViemVahiNjXQAVTKAXIL1PHAV +J2MCEvlpA7sIgXREbmvPvZUTkt3pIqhVjZVJ7tHiSnSecqNTbuxcocnhKhZrHNtC +v2zYKHkCgYEA6cAIhz0qOGDycZ1lf9RSWw0RO1hO8frATMQNVoFVuJJCVL22u96u +0FvJ0JGyYbjthULnlOKyRe7DUL5HRLVS4D7vvKCrgwDmsJp1VFxMdASUdaBfq6aX +oKLUW4q7kC2lQcmK/PVRYwp2GQSx8bodWe+DtXUY/GcN03znY8mhSB0CgYEA2qJK +1GSZsm6kFbDek3BiMMHfO+X819owB2FmXiH+GQckyIZu9xA3HWrkOWTqwglEvzfO +qzFF96E9iEEtseAxhcM8gPvfFuXiUj9t2nH/7SzMnVGikhtYi0p6jrgHmscc4NBx 
+AOUA15kYEFOGqpZfl2uuKqgHidrHdGkJzzSUBqsCgYAVCjb6TVQejQNlnKBFOExN +a8iwScuZVlO21TLKJYwct/WGgSkQkgO0N37b6jFfQHEIvLPxn9IiH1KvUuFBWvzh +uGiF1wR5HzykitKizEgJbVwbllrmLXGagO2Sa9NkL+efG1AKYt53hrqIl/aYZoM7 +1CZL0AV2uqPw9F4zijOdNQKBgH1WmvWGMsKjQTgaLI9z1ybCjjqlj70jHXOtt+Tx +Md2hRcobn5PN3PrlY68vlpHkhF/nG3jzB3x+GGt7ijm2IE3h7la3jl5vLb8fE9gu +kJykmSz7Nurx+GHqMbaN8/Ycfga4GIB9yGzRHIWHjOVQzb5eAfv8Vk4GeV/YM8Jx +Dwd/AoGAILn8pVC9dIFac2BDOFU5y9ZvMmZAvwRxh9vEWewNvkzg27vdYc+rCHNm +I7H0S/RqfqVeo0ApE5PQ8Sll6RvxN/mbSQo9YeCDGQ1r1rNe4Vs12GAYXAbE4ipf +BTdqMbieumB/zL97iK5baHUFEJ4VRtLQhh/SOXgew/BF8ccpilI= +-----END RSA PRIVATE KEY----- +@TEST-END-FILE + +@TEST-START-FILE key.2.pem +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAxvXwL1vap4YxkZi6QPvkbzh2nrLuzYlEL8X9heoBdqyyVdP/ +g0gPz87RL9ViWhoYCUmhKlI2h5Nx2NhCpWxlxD4dZsaoD2Q+aZRpbuHXU8LrcQsc +UIhSAR/tzTGEYybwze6MyaIuLkYitEEHQ1gKlibOYTDianlnejAoJlV0j+qY+f6J +hkTpLWx8w/YyYQFvX52BYOpPu3BjeZC5o6qpxoSZDbYKJurlvY+90vTqVP/RK9mm +Znuvz67oyKmBQVfNUyStr5qJ1lCE8X0I5PSVSWIQXR2phk8VKlQW7kXGwKnSJlfc +seC6Boeebi+sZ7FuItJ9aNZPm4dNzYMD89djtwIDAQABAoIBAQDDaWquGRl40GR/ +C/JjQQPr+RkIZdYGKXu/MEcA8ATf+l5tzfp3hp+BCzCKOpqOxHI3LQoN9xF3t2lq +AX3z27NYO2nFN/h4pYxnRk0Hiulia1+zd6YnsrxYPnPhxXCxsd1xZYsBvzh8WoZb +ZEMt8Zr0PskUzF6VFQh9Ci9k9ym07ooo/KqP4wjXsm/JK1ueOCTpRtabrBI1icrV +iTaw1JEGqlTAQ92vg3pXqSG5yy69Krt7miZZtiOA5mJ90VrHtlNSgp31AOcVv/Ve +/LMIwJp9EzTN+4ipT7AKPeJAoeVqpFjQk+2cW44zJ7xyzw73pTs5ErxkEIhQOp4M +ak2iMg4BAoGBAOivDZSaOcTxEB3oKxYvN/jL9eU2Io9wdZwAZdYQpkgc8lkM9elW +2rbHIwifkDxQnZbl3rXM8xmjA4c5PSCUYdPnLvx6nsUJrWTG0RjakHRliSLthNEC +LpL9MR1aQblyz1D/ulWTFOCNvHU7m3XI3RVJEQWu3qQ5pCndzT56wXjnAoGBANrl +zKvR9o2SONU8SDIcMzXrO2647Z8yXn4Kz1WhWojhRQQ1V3VOLm8gBwv8bPtc7LmE +MSX5MIcxRoHu7D98d53hd+K/ZGYV2h/638qaIEgZDf2oa8QylBgvoGljoy1DH8nN +KKOgksqWK0AAEkP0+S4IFugTxHVanw8JUkV0gVSxAoGBANIRUGJrxmHt/M3zUArs +QE0G3o28DQGQ1y0rEsVrLKQINid9UvoBpt3C9PcRD2fUpCGakDFzwbnQeRv46h3i +uFtV6Q6aKYLcFMXZ1ObqU+Yx0NhOtUz4+lFL8q58UL/7Tf3jkjc13XBJpe31DYoN 
++MMBvzNxR6HeRD5j96tDqi3bAoGAT57SqZS/l5MeNQGuSPvU7MHZZlbBp+xMTpBk +BgOgyLUXw4Ybf8GmRiliJsv0YCHWwUwCDIvtSN91hAGB0T3WzIiccM+pFzDPnF5G +VI1nPJJQcnl2aXD0SS/ZqzvguK/3uhFzvMDFZAbnSGo+OpW6pTGwE05NYVpLDM8Z +K8ZK3KECgYEApNoI5Mr5tmtjq4sbZrgQq6cMlfkIj9gUubOzFCryUb6NaB38Xqkp +2N3/jqdkR+5ZiKOYhsYj+Iy6U3jyqiEl9VySYTfEIfP/ky1CD0a8/EVC9HR4iG8J +im6G7/osaSBYAZctryLqVJXObTelgEy/EFwW9jW8HVph/G+ljmHOmuQ= +-----END RSA PRIVATE KEY----- +@TEST-END-FILE + +@TEST-START-FILE cert.2.pem +-----BEGIN CERTIFICATE----- +MIIDOjCCAiICCQDz7oMOR7Wm7TANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJV +UzELMAkGA1UECAwCQ0ExETAPBgNVBAcMCEJlcmtlbGV5MSMwIQYDVQQKDBpBQ01F +IFNpZ25pbmcgQXV0aG9yaXR5IEluYzEQMA4GA1UEAwwHZm9vLmJhcjAgFw0xNzA0 +MjEyMzI2MzNaGA80NzU1MDMxOTIzMjYzM1owWDELMAkGA1UEBhMCVVMxCzAJBgNV +BAgMAkNBMREwDwYDVQQHDAhCZXJrZWxleTEVMBMGA1UECgwMQUNNRSBTZXJ2aWNl +MRIwEAYDVQQDDAkyLmZvby5iYXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDG9fAvW9qnhjGRmLpA++RvOHaesu7NiUQvxf2F6gF2rLJV0/+DSA/PztEv +1WJaGhgJSaEqUjaHk3HY2EKlbGXEPh1mxqgPZD5plGlu4ddTwutxCxxQiFIBH+3N +MYRjJvDN7ozJoi4uRiK0QQdDWAqWJs5hMOJqeWd6MCgmVXSP6pj5/omGROktbHzD +9jJhAW9fnYFg6k+7cGN5kLmjqqnGhJkNtgom6uW9j73S9OpU/9Er2aZme6/PrujI +qYFBV81TJK2vmonWUITxfQjk9JVJYhBdHamGTxUqVBbuRcbAqdImV9yx4LoGh55u +L6xnsW4i0n1o1k+bh03NgwPz12O3AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJmN +yCdInFIeEwomE6m+Su82BWBzkztOfMG9iRE+1aGuC8EQ8kju5NNMmWQcuKetNh0s +hJVdY6LXh27O0ZUllhQ/ig9c+dYFh6AHoZU7WjiNKIyWuyl4IAOkQ4IEdsBvst+l +0rafcdJjUpqNOMWeyg6x1s+gUD5o+ZLCZGCdkCW3fZbKgF52L+vmsSRiJg2JkYZW +8BPNNsroHZw2UXnLvRqUXCMf1hnOrlx/B0a0Q46hD4NQvl+OzlKaxfR2L2USmJ8M +XZvT6+i8fWvkGv18iunm23Yu+8Zf08wTXnbqXvmMda5upAYLmwD0YKIVYC3ycihh +mkYCYI6PVeH63a2/zxw= +-----END CERTIFICATE----- +@TEST-END-FILE + +@TEST-START-FILE ca.pem +-----BEGIN CERTIFICATE----- +MIIDmzCCAoOgAwIBAgIJAPLZ3e3WR0LLMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJDQTERMA8GA1UEBwwIQmVya2VsZXkxIzAhBgNVBAoM +GkFDTUUgU2lnbmluZyBBdXRob3JpdHkgSW5jMRAwDgYDVQQDDAdmb28uYmFyMB4X 
+DTE3MDQyMTIzMjM0OFoXDTQyMDQyMTIzMjM0OFowZDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMREwDwYDVQQHDAhCZXJrZWxleTEjMCEGA1UECgwaQUNNRSBTaWdu +aW5nIEF1dGhvcml0eSBJbmMxEDAOBgNVBAMMB2Zvby5iYXIwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6ah79JvrN3LtcPzc9bX5THdzfidWncSmowotG +SZA3gcIhlsYD3P3RCaUR9g+f2Z/l0l7ciKgWetpNtN9hRBbg5/9tFzSpCb/Y0SSG +mwtHHovEqN2MWV+Od/MUcYSlL6MmPjSDc8Ls5NSniTr9OBE9J1jm72AsuzHasjPQ +D84TlWeTSs0HW3H5VxDb15xWYFnmgBo0JylDWj0+VWI+G41Xr7Ubu9699lWSFYF9 +FCtdjzM5e1CGZOMvqUbUBus38BhUAdQ4fE7Dwnn8seKh+7HpJ70omIgqG87e4DBo +HbnMAkZaekk8+LBl0Hfu8c66Utw9mNoMIlFf/AMlJyLDIpNxAgMBAAGjUDBOMB0G +A1UdDgQWBBRc6Cbyshtny6jFWZtd/cEUUfMQ3DAfBgNVHSMEGDAWgBRc6Cbyshtn +y6jFWZtd/cEUUfMQ3DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCY +numHau9XYH5h4R2CoMdnKPMGk6V7UZZdbidLLcE4roQrYhnBdyhT69b/ySJK2Ee4 +mt8T+E0wcg3k8Pr3aJEJA8eYYaJTqZvvv+TwuMBPjmE2rYSIpgMZv2tRD3XWMaQu +duLbwkclfejQHDD26xNXsxuU+WNB5kuvtNAg0oKFyFdNKElLQEcjyYzfxmCF4YX5 +WmElijr1Tzuzd59rWPqC/tVIsh42vQ+P6g8Y1PDmo8eTUFveZ+wcr/eEPW6IOMrg +OW7tATcrgzNuXZ1umiuGgAPuIVqPfr9ssZHBqi9UOK9L/8MQrnOxecNUpPohcTFR +vq+Zqu15QV9T4BVWKHv0 +-----END CERTIFICATE----- +@TEST-END-FILE + +@TEST-START-FILE send.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +redef Broker::ssl_cafile = "../ca.pem"; +redef Broker::ssl_keyfile = "../key.1.pem"; +redef Broker::ssl_certificate = "../cert.1.pem"; + +global event_count = 0; + +global ping: event(msg: string, c: count); + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::peer("127.0.0.1"); + } + +function send_event() + { + ++event_count; + local e = Broker::make_event(ping, "my-message", event_count); + Broker::publish("bro/event/my_topic", e); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender added peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + send_event(); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: 
string) + { + print fmt("sender lost peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + terminate(); + } + +event pong(msg: string, n: count) + { + print fmt("sender got pong: %s, %s", msg, n); + send_event(); + } + +@TEST-END-FILE + + +@TEST-START-FILE recv.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +redef Broker::ssl_cafile = "../ca.pem"; +redef Broker::ssl_keyfile = "../key.2.pem"; +redef Broker::ssl_certificate = "../cert.2.pem"; + +const events_to_recv = 5; + +global handler: event(msg: string, c: count); +global auto_handler: event(msg: string, c: count); + +global pong: event(msg: string, c: count); + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::listen("127.0.0.1"); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +event ping(msg: string, n: count) + { + print fmt("receiver got ping: %s, %s", msg, n); + + if ( n == events_to_recv ) + { + print get_broker_stats(); + terminate(); + return; + } + + local e = Broker::make_event(pong, msg, n); + Broker::publish("bro/event/my_topic", e); + } + +@TEST-END-FILE diff --git a/testing/btest/broker/remote_id.bro b/testing/btest/broker/remote_id.bro new file mode 100644 index 0000000000..2748f4a061 --- /dev/null +++ b/testing/btest/broker/remote_id.bro 
@@ -0,0 +1,55 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro test_var=newval >send.out"
+#
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff recv/recv.out
+
+@TEST-START-FILE send.bro
+
+const test_var = "init" &redef;
+
+event bro_init()
+ {
+ Broker::peer("127.0.0.1");
+ }
+
+event die()
+ {
+ terminate();
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print "peer added";
+ Broker::publish_id("bro/ids/test", "test_var");
+ schedule 1sec { die() };
+ }
+
+@TEST-END-FILE
+
+@TEST-START-FILE recv.bro
+
+const test_var = "init" &redef;
+
+event bro_init()
+ {
+ print "intial val", test_var;
+ Broker::subscribe("bro/ids");
+ Broker::listen();
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print "peer added";
+ }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print "peer lost";
+ print "updated val", test_var;
+ terminate();
+ }
+
+@TEST-END-FILE
diff --git a/testing/btest/broker/remote_log.bro b/testing/btest/broker/remote_log.bro
new file mode 100644
index 0000000000..409fbba7e3
--- /dev/null
+++ b/testing/btest/broker/remote_log.bro
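Review bot: In recv.bro, `Broker::listen();` is called without an address, while the other tests added in this change pass `"127.0.0.1"`; the listener presumably falls back to the configured default listen address, which may not be loopback-only. This receiver subscribes to `bro/ids` and the test expects a peer's `Broker::publish_id` to change `test_var`, so any host that can reach the port while the test runs could push identifier updates into the process. Bind it explicitly with `Broker::listen("127.0.0.1");`.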
@@ -0,0 +1,100 @@
+# @TEST-SERIALIZE: comm
+
+# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
+
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff recv/recv.out
+# @TEST-EXEC: btest-diff recv/test.log
+# @TEST-EXEC: btest-diff send/send.out
+# @TEST-EXEC: btest-diff send/test.log
+
+@TEST-START-FILE common.bro
+
+redef Broker::default_connect_retry=1secs;
+redef Broker::default_listen_retry=1secs;
+redef exit_only_after_terminate = T;
+
+module Test;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ msg: string &log;
+ nolog: string &default="no";
+ num: count &log;
+ };
+}
+
+event bro_init() &priority=5
+ {
+ Log::create_stream(Test::LOG, [$columns=Test::Info]);
+ }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ terminate();
+ }
+
+@TEST-END-FILE
+
+@TEST-START-FILE recv.bro
+
+
+@load ./common.bro
+
+event bro_init()
+ {
+ Broker::subscribe("bro/");
+ Broker::listen("127.0.0.1");
+ }
+
+event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ terminate();
+ }
+
+@TEST-END-FILE
+
+@TEST-START-FILE send.bro
+
+
+
+@load ./common.bro
+
+event bro_init()
+ {
+ Broker::peer("127.0.0.1");
+ }
+
+global n = 0;
+
+event die()
+ {
+ terminate();
+ }
+
+event do_write()
+ {
+ if ( n == 6 )
+ {
+ Broker::flush_logs();
+ schedule 1sec { die() };
+ }
+ else
+ {
+ Log::write(Test::LOG, [$msg = "ping", $num = n]);
+ ++n;
+ schedule 0.1secs { do_write() };
+ }
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print "Broker::peer_added", endpoint$network$address;
+ event do_write();
+ }
+
+
+@TEST-END-FILE
diff --git a/testing/btest/broker/remote_log.test b/testing/btest/broker/remote_log.test
deleted file mode 100644
index df8f8d8d8a..0000000000
--- a/testing/btest/broker/remote_log.test
+++ /dev/null
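Review bot: recv.bro subscribes to the whole `bro/` prefix with `Broker::subscribe("bro/");` although this test only checks forwarded log writes, so the receiver would also be handed any event or identifier topic a peer publishes under that prefix. Subscribing only to the topic prefix that log writes are published under (the name is not visible in this hunk, so confirm it) keeps the test focused on log forwarding and keeps the receiver from taking unrelated traffic. The same subscription appears in recv.bro of remote_log_late_join.bro.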
@@ -1,109 +0,0 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt - -# @TEST-EXEC: btest-bg-run recv "bro -b ../common.bro ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b ../common.bro ../send.bro broker_port=$BROKER_PORT >send.out" - -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: btest-diff recv/recv.out -# @TEST-EXEC: btest-diff recv/test.log -# @TEST-EXEC: btest-diff send/send.out -# @TEST-EXEC: btest-diff send/test.log - -@TEST-START-FILE common.bro - - -global quit_receiver: event(); -global quit_sender: event(); - - -module Test; - -export { - redef enum Log::ID += { LOG }; - - type Info: record { - msg: string &log; - nolog: string &default="no"; - num: count &log; - }; -} - -event bro_init() &priority=5 - { - Broker::enable(); - Log::create_stream(Test::LOG, [$columns=Test::Info]); - } - -@TEST-END-FILE - -@TEST-START-FILE recv.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -event bro_init() - { - Broker::subscribe_to_logs("bro/log/"); - Broker::subscribe_to_events("bro/event/"); - Broker::listen(broker_port, "127.0.0.1"); - } - -event quit_receiver() - { - terminate(); - } - -@TEST-END-FILE - - -@TEST-START-FILE send.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -event bro_init() - { - Broker::enable_remote_logs(Test::LOG); - Broker::publish_topic("bro/event/"); - Broker::connect("127.0.0.1", broker_port, 1secs); - } - -global n = 0; - -event do_write() - { - if ( n == 6 ) - { - local args = Broker::event_args(quit_receiver); - Broker::send_event("bro/event/", args); - schedule 1sec { quit_sender() }; - } - else - { - Log::write(Test::LOG, [$msg = "ping", $num = n]); - ++n; - event do_write(); - } - } - -event quit_sender() - { - terminate(); - } - -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) - { - print 
"Broker::outgoing_connection_established", peer_address, peer_port; - event do_write(); - } - -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) - { - terminate(); - } - -@TEST-END-FILE diff --git a/testing/btest/broker/remote_log_late_join.bro b/testing/btest/broker/remote_log_late_join.bro new file mode 100644 index 0000000000..bb452fc84d --- /dev/null +++ b/testing/btest/broker/remote_log_late_join.bro 
@@ -0,0 +1,107 @@
+# @TEST-SERIALIZE: comm
+
+# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out"
+
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff recv/recv.out
+# @TEST-EXEC: btest-diff recv/test.log
+# @TEST-EXEC: btest-diff send/send.out
+# @TEST-EXEC: btest-diff send/test.log
+
+@TEST-START-FILE common.bro
+
+redef Broker::default_connect_retry=1secs;
+redef Broker::default_listen_retry=1secs;
+redef exit_only_after_terminate = T;
+
+module Test;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ msg: string &log;
+ nolog: string &default="no";
+ num: count &log;
+ };
+}
+
+event bro_init() &priority=5
+ {
+ Log::create_stream(Test::LOG, [$columns=Test::Info]);
+ }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ terminate();
+ }
+
+@TEST-END-FILE
+
+@TEST-START-FILE recv.bro
+
+
+@load ./common.bro
+
+event bro_init()
+ {
+ Broker::subscribe("bro/");
+ Broker::listen("127.0.0.1");
+ }
+
+event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ terminate();
+ }
+
+@TEST-END-FILE
+
+@TEST-START-FILE send.bro
+
+
+
+@load ./common.bro
+
+event doconnect()
+ {
+ Broker::peer("127.0.0.1");
+ }
+
+global n = 0;
+
+event bro_init()
+ {
+ schedule 2secs { doconnect() };
+ Log::write(Test::LOG, [$msg = "ping", $num = n]);
+ ++n;
+ }
+
+event die()
+ {
+ terminate();
+ }
+
+event do_write()
+ {
+ if ( n == 6 )
+ {
+ Broker::flush_logs();
+ schedule 1sec { die() };
+ }
+ else
+ {
+ Log::write(Test::LOG, [$msg = "ping", $num = n]);
+ ++n;
+ schedule 0.1secs { do_write() };
+ }
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print "Broker::peer_added", endpoint$network$address;
+ event do_write();
+ }
+
+
+@TEST-END-FILE
diff --git a/testing/btest/broker/remote_log_types.test b/testing/btest/broker/remote_log_types.bro similarity index 59% rename from testing/btest/broker/remote_log_types.test rename to testing/btest/broker/remote_log_types.bro index 48011a8c07..2b76bb05c4 100644 --- a/testing/btest/broker/remote_log_types.test +++ b/testing/btest/broker/remote_log_types.bro @@ -1,17 +1,22 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt +# @TEST-SERIALIZE: comm -# @TEST-EXEC: btest-bg-run recv "bro -b ../common.bro ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b ../common.bro ../send.bro broker_port=$BROKER_PORT >send.out" +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff recv/recv.out # @TEST-EXEC: btest-diff recv/test.log # @TEST-EXEC: btest-diff send/send.out # @TEST-EXEC: btest-diff send/test.log +# @TEST-EXEC: cat send/test.log | grep -v '#close' >send/test.log.filtered +# @TEST-EXEC: cat recv/test.log | grep -v '#close' >recv/test.log.filtered +# @TEST-EXEC: diff -u send/test.log.filtered recv/test.log.filtered @TEST-START-FILE common.bro +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; global quit_receiver: event(); global quit_sender: event(); @@ -46,7 +51,6 @@ export { event bro_init() &priority=5 { - Broker::enable(); Log::create_stream(Test::LOG, [$columns=Test::Info]); } 
@@ -54,15 +58,13 @@ event bro_init() &priority=5 @TEST-START-FILE recv.bro -const broker_port: port &redef; -redef exit_only_after_terminate = T; +@load ./common.bro event bro_init() - { - Broker::subscribe_to_logs("bro/log/"); - Broker::subscribe_to_events("bro/event/"); - Broker::listen(broker_port, "127.0.0.1"); - } + { + Broker::subscribe("bro/"); + Broker::listen("127.0.0.1"); + } event quit_receiver() { @@ -71,18 +73,16 @@ event quit_receiver() @TEST-END-FILE - @TEST-START-FILE send.bro -const broker_port: port &redef; -redef exit_only_after_terminate = T; + + +@load ./common.bro event bro_init() - { - Broker::enable_remote_logs(Test::LOG); - Broker::publish_topic("bro/event/"); - Broker::connect("127.0.0.1", broker_port, 1secs); - } + { + Broker::peer("127.0.0.1"); + } event quit_sender() { @@ -97,11 +97,9 @@ function foo(i : count) : string return "Bar"; } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) - { - print "Broker::outgoing_connection_established", peer_address, peer_port; +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print "Broker::peer_added", endpoint$network$address; local empty_set: set[string]; local empty_vector: vector of string; @@ -126,9 +124,10 @@ event Broker::outgoing_connection_established(peer_address: string, $f=foo ]); - local args = Broker::event_args(quit_receiver); - Broker::send_event("bro/event/", args); + local e = Broker::make_event(quit_receiver); + Broker::publish("bro/", e); schedule 1sec { quit_sender() }; } + @TEST-END-FILE diff --git a/testing/btest/broker/remote_print.test b/testing/btest/broker/remote_print.test deleted file mode 100644 index c64e70fedc..0000000000 --- a/testing/btest/broker/remote_print.test +++ /dev/null 
@@ -1,83 +0,0 @@
-# @TEST-SERIALIZE: brokercomm
-# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt
-
-# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out"
-# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro broker_port=$BROKER_PORT >send.out"
-
-# @TEST-EXEC: btest-bg-wait 20
-# @TEST-EXEC: btest-diff recv/recv.out
-# @TEST-EXEC: btest-diff send/send.out
-
-@TEST-START-FILE recv.bro
-
-const broker_port: port &redef;
-redef exit_only_after_terminate = T;
-
-event bro_init()
- {
- Broker::enable();
- Broker::subscribe_to_prints("bro/print/");
- Broker::listen(broker_port, "127.0.0.1");
- }
-
-global messages_to_recv = 6;
-global messages_sent = 0;
-global messages_recv = 0;
-
-event Broker::print_handler(msg: string)
- {
- ++messages_recv;
- print "got print msg", msg;
-
- if ( messages_to_recv == messages_recv )
- {
- terminate();
- return;
- }
-
- Broker::send_print("bro/print/my_topic", fmt("pong %d", messages_sent));
- ++messages_sent;
- }
-
-@TEST-END-FILE
-
-@TEST-START-FILE send.bro
-
-const broker_port: port &redef;
-redef exit_only_after_terminate = T;
-
-event bro_init()
- {
- Broker::enable();
- Broker::subscribe_to_prints("bro/print/my_topic");
- Broker::connect("127.0.0.1", broker_port, 1secs);
- }
-
-global messages_sent = 0;
-global messages_recv = 0;
-global peer_disconnected = F;
-
-event Broker::outgoing_connection_established(peer_address: string,
- peer_port: port,
- peer_name: string)
- {
- print "Broker::outgoing_connection_established", peer_address, peer_port;
- Broker::send_print("bro/print/hi", fmt("ping %d", messages_sent));
- ++messages_sent;
- }
-
-event Broker::outgoing_connection_broken(peer_address: string,
- peer_port: port)
- {
- terminate();
- }
-
-event Broker::print_handler(msg: string)
- {
- ++messages_recv;
- print "got print msg", msg;
- Broker::send_print("bro/print/hi", fmt("ping %d", messages_sent));
- ++messages_sent;
- }
-
-@TEST-END-FILE
diff --git a/testing/btest/broker/remote_relay_event.bro b/testing/btest/broker/remote_relay_event.bro
new file mode 100644
index 0000000000..ae40c10a4c
--- /dev/null
+++ b/testing/btest/broker/remote_relay_event.bro
@@ -0,0 +1,126 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run three "bro -B broker -b ../three.bro >three.out" +# @TEST-EXEC: btest-bg-run two "bro -B broker -b ../two.bro >two.out" +# @TEST-EXEC: btest-bg-run one "bro -B broker -b ../one.bro >one.out" +# +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff one/one.out +# @TEST-EXEC: btest-diff two/two.out +# @TEST-EXEC: btest-diff three/three.out + +@TEST-START-FILE one.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +event my_event(s: string) + { + print "got my_event", s; + } + +event ready_event() + { + print "got ready event"; + + Broker::relay("bro/event/pre-relay", "bro/event/post-relay", my_event, + "hello world"); + } + +event bro_init() + { + Broker::subscribe("bro/event/ready"); + Broker::peer("127.0.0.1", 10000/tcp); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender added peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender lost peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + terminate(); + } + +@TEST-END-FILE + + +@TEST-START-FILE two.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +global peers_added = 0; + +event my_event(s: string) + { + print "got my_event", s; + terminate(); + } + +event ready_event() + { + } + +event bro_init() + { + Broker::subscribe("bro/event/pre-relay"); + Broker::listen("127.0.0.1", 10000/tcp); + Broker::peer("127.0.0.1", 9999/tcp); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + ++peers_added; + + if ( peers_added == 2 ) + { + print "sending ready event"; + Broker::publish("bro/event/ready", 
ready_event); + } + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + terminate(); + } + +@TEST-END-FILE + +@TEST-START-FILE three.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +event my_event(s: string) + { + print "got my_event", s; + terminate(); + } + +event bro_init() + { + Broker::subscribe("bro/event/post-relay"); + Broker::listen("127.0.0.1", 9999/tcp); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +@TEST-END-FILE diff --git a/testing/btest/broker/ssl_auth_failure.bro b/testing/btest/broker/ssl_auth_failure.bro new file mode 100644 index 0000000000..3bc259327f --- /dev/null +++ b/testing/btest/broker/ssl_auth_failure.bro 
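Review bot: two.bro and three.bro listen on fixed ports (`10000/tcp` and `9999/tcp`), so the test fails, or peers with an unrelated process, whenever one of those ports is already taken on the build host; `@TEST-SERIALIZE: comm` only keeps tests in the same group from overlapping. If the harness can hand out ports, take them from it; otherwise add a header comment naming the two ports the test needs. two.bro also carries an empty `ready_event()` handler, presumably only so the event exists for `Broker::publish`; a comment such as `# Declared only so ready_event can be published to one.bro.` would make that clear.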
@@ -0,0 +1,168 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" +# +# @TEST-EXEC: btest-bg-wait 15 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff send/send.out + +@TEST-START-FILE ca.pem +-----BEGIN CERTIFICATE----- +MIIDmzCCAoOgAwIBAgIJAPLZ3e3WR0LLMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJDQTERMA8GA1UEBwwIQmVya2VsZXkxIzAhBgNVBAoM +GkFDTUUgU2lnbmluZyBBdXRob3JpdHkgSW5jMRAwDgYDVQQDDAdmb28uYmFyMB4X +DTE3MDQyMTIzMjM0OFoXDTQyMDQyMTIzMjM0OFowZDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMREwDwYDVQQHDAhCZXJrZWxleTEjMCEGA1UECgwaQUNNRSBTaWdu +aW5nIEF1dGhvcml0eSBJbmMxEDAOBgNVBAMMB2Zvby5iYXIwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6ah79JvrN3LtcPzc9bX5THdzfidWncSmowotG +SZA3gcIhlsYD3P3RCaUR9g+f2Z/l0l7ciKgWetpNtN9hRBbg5/9tFzSpCb/Y0SSG +mwtHHovEqN2MWV+Od/MUcYSlL6MmPjSDc8Ls5NSniTr9OBE9J1jm72AsuzHasjPQ +D84TlWeTSs0HW3H5VxDb15xWYFnmgBo0JylDWj0+VWI+G41Xr7Ubu9699lWSFYF9 +FCtdjzM5e1CGZOMvqUbUBus38BhUAdQ4fE7Dwnn8seKh+7HpJ70omIgqG87e4DBo +HbnMAkZaekk8+LBl0Hfu8c66Utw9mNoMIlFf/AMlJyLDIpNxAgMBAAGjUDBOMB0G +A1UdDgQWBBRc6Cbyshtny6jFWZtd/cEUUfMQ3DAfBgNVHSMEGDAWgBRc6Cbyshtn +y6jFWZtd/cEUUfMQ3DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCY +numHau9XYH5h4R2CoMdnKPMGk6V7UZZdbidLLcE4roQrYhnBdyhT69b/ySJK2Ee4 +mt8T+E0wcg3k8Pr3aJEJA8eYYaJTqZvvv+TwuMBPjmE2rYSIpgMZv2tRD3XWMaQu +duLbwkclfejQHDD26xNXsxuU+WNB5kuvtNAg0oKFyFdNKElLQEcjyYzfxmCF4YX5 +WmElijr1Tzuzd59rWPqC/tVIsh42vQ+P6g8Y1PDmo8eTUFveZ+wcr/eEPW6IOMrg +OW7tATcrgzNuXZ1umiuGgAPuIVqPfr9ssZHBqi9UOK9L/8MQrnOxecNUpPohcTFR +vq+Zqu15QV9T4BVWKHv0 +-----END CERTIFICATE----- +@TEST-END-FILE + + +@TEST-START-FILE cert.1.pem +-----BEGIN CERTIFICATE----- +MIIDOjCCAiICCQDz7oMOR7Wm7jANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJV +UzELMAkGA1UECAwCQ0ExETAPBgNVBAcMCEJlcmtlbGV5MSMwIQYDVQQKDBpBQ01F +IFNpZ25pbmcgQXV0aG9yaXR5IEluYzEQMA4GA1UEAwwHZm9vLmJhcjAgFw0xNzA0 
+MjEyMzI2MzhaGA80NzU1MDMxOTIzMjYzOFowWDELMAkGA1UEBhMCVVMxCzAJBgNV +BAgMAkNBMREwDwYDVQQHDAhCZXJrZWxleTEVMBMGA1UECgwMQUNNRSBTZXJ2aWNl +MRIwEAYDVQQDDAkxLmZvby5iYXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDHobccAQQqbZANdOdx852W/nUzGcwpurOi8zbh9yCxMwnFMogW9AsqKEnd +sypV6Ah/cIz45PAgCdEg+1pc2DG7+E0+QlV4ChNwCDuk+FSWB6pqMTCdZcLeIwlA +GPp6Ow9v40dW7IFpDetFKXEo6kqEzR5P58Q0a6KpCtpsSMqhk57Py83wB9gPA1vp +s77kN7D5CI3oay86TA5j5nfFMT1X/77Hs24csW6CLnW/OD4f1RK79UgPd/kpPKQ1 +jNq+hsR7NZTcfrAF1hcfScxnKaznO7WopSt1k75NqLdnSN1GIci2GpiXYKtXZ9l5 +TErv2Oucpw/u+a/wjKlXjrgLL9lfAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKuW +yKA2uuiNc9MKU+yVbNaP8kPaMb/wMvVaFG8FFFpCTZ0MFMLsqRpeqtj7gMK/gaJC +CQm4EyadjzfWFYDLkHzm6b7gI8digvvhjr/C2RJ5Qxr2P0iFP1buGq0CqnF20XgQ +Q+ecS43CZ77CfKfS6ZLPmAZMAwgFLImVyo5mkaTECo3+9oCnjDYBapvXLJqCJRhk +NosoTmGCV0HecWN4l38ojnXd44aSktQIND9iCLus3S6++nFnX5DHGZiv6/SnSO/6 ++Op7nV0A6zKVcMOYQ0SGZPD8UQs5wDJgrR9LY29Ox5QBwu/5NqyvNSrMQaTop5vb +wkMInaq5lLxEYQDSLBc= +-----END CERTIFICATE----- +@TEST-END-FILE + +@TEST-START-FILE key.1.pem +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAx6G3HAEEKm2QDXTncfOdlv51MxnMKbqzovM24fcgsTMJxTKI +FvQLKihJ3bMqVegIf3CM+OTwIAnRIPtaXNgxu/hNPkJVeAoTcAg7pPhUlgeqajEw +nWXC3iMJQBj6ejsPb+NHVuyBaQ3rRSlxKOpKhM0eT+fENGuiqQrabEjKoZOez8vN +8AfYDwNb6bO+5Dew+QiN6GsvOkwOY+Z3xTE9V/++x7NuHLFugi51vzg+H9USu/VI +D3f5KTykNYzavobEezWU3H6wBdYXH0nMZyms5zu1qKUrdZO+Tai3Z0jdRiHIthqY +l2CrV2fZeUxK79jrnKcP7vmv8IypV464Cy/ZXwIDAQABAoIBAC0Y7jmoTR2clJ9F +modWhnI215kMqd9/atdT5EEVx8/f/MQMj0vII8GJSm6H6/duLIVFksMjTM+gCBtQ +TPCOcmXJSQHYkGBGvm9fnMG+y7T81FWa+SWFeIkgFxXgzqzQLMOU72fGk9F8sHp2 +Szb3/o+TmtZoQB2rdxqC9ibiJsxrG5IBVKkzlSPv3POkPXwSb1HcETqrTwefuioj +WMuMrqtm5Y3HddJ5l4JEF5VA3KrsfXWl3JLHH0UViemVahiNjXQAVTKAXIL1PHAV +J2MCEvlpA7sIgXREbmvPvZUTkt3pIqhVjZVJ7tHiSnSecqNTbuxcocnhKhZrHNtC +v2zYKHkCgYEA6cAIhz0qOGDycZ1lf9RSWw0RO1hO8frATMQNVoFVuJJCVL22u96u +0FvJ0JGyYbjthULnlOKyRe7DUL5HRLVS4D7vvKCrgwDmsJp1VFxMdASUdaBfq6aX +oKLUW4q7kC2lQcmK/PVRYwp2GQSx8bodWe+DtXUY/GcN03znY8mhSB0CgYEA2qJK 
+1GSZsm6kFbDek3BiMMHfO+X819owB2FmXiH+GQckyIZu9xA3HWrkOWTqwglEvzfO +qzFF96E9iEEtseAxhcM8gPvfFuXiUj9t2nH/7SzMnVGikhtYi0p6jrgHmscc4NBx +AOUA15kYEFOGqpZfl2uuKqgHidrHdGkJzzSUBqsCgYAVCjb6TVQejQNlnKBFOExN +a8iwScuZVlO21TLKJYwct/WGgSkQkgO0N37b6jFfQHEIvLPxn9IiH1KvUuFBWvzh +uGiF1wR5HzykitKizEgJbVwbllrmLXGagO2Sa9NkL+efG1AKYt53hrqIl/aYZoM7 +1CZL0AV2uqPw9F4zijOdNQKBgH1WmvWGMsKjQTgaLI9z1ybCjjqlj70jHXOtt+Tx +Md2hRcobn5PN3PrlY68vlpHkhF/nG3jzB3x+GGt7ijm2IE3h7la3jl5vLb8fE9gu +kJykmSz7Nurx+GHqMbaN8/Ycfga4GIB9yGzRHIWHjOVQzb5eAfv8Vk4GeV/YM8Jx +Dwd/AoGAILn8pVC9dIFac2BDOFU5y9ZvMmZAvwRxh9vEWewNvkzg27vdYc+rCHNm +I7H0S/RqfqVeo0ApE5PQ8Sll6RvxN/mbSQo9YeCDGQ1r1rNe4Vs12GAYXAbE4ipf +BTdqMbieumB/zL97iK5baHUFEJ4VRtLQhh/SOXgew/BF8ccpilI= +-----END RSA PRIVATE KEY----- +@TEST-END-FILE + +@TEST-START-FILE send.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +redef Broker::ssl_cafile = "../ca.pem"; +redef Broker::ssl_keyfile = "../key.1.pem"; +redef Broker::ssl_certificate = "../cert.1.pem"; + +global event_count = 0; + +global ping: event(msg: string, c: count); + +event do_terminate() + { + terminate(); + } + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::peer("127.0.0.1"); + schedule 5secs { do_terminate() }; + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + terminate(); + } + +event Broker::error(code: Broker::ErrorCode, msg: string) + { + print fmt("sender error: code=%s msg=%s", code, msg); + terminate(); + } + +@TEST-END-FILE + + +@TEST-START-FILE recv.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +# No cert here. 
+# +# redef Broker::ssl_cafile = "../ca.pem"; +# redef Broker::ssl_keyfile = "../key.2.pem"; +# redef Broker::ssl_certificate = "../cert.2.pem"; + +event do_terminate() + { + terminate(); + } + +event bro_init() + { + Broker::listen("127.0.0.1"); + schedule 10secs { do_terminate() }; + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +@TEST-END-FILE diff --git a/testing/btest/broker/store/clone.bro b/testing/btest/broker/store/clone.bro new file mode 100644 index 0000000000..4f04189fe2 --- /dev/null +++ b/testing/btest/broker/store/clone.bro 
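Review bot: The pass condition of this test is the absence of the `added peer` lines, which a receiver that never managed to listen would also satisfy, so the check can pass without any handshake being rejected unless the send.out baseline (not visible here) pins the `sender error:` line. A header comment such as `# Sender has TLS material, receiver has none: peering must fail and no "added peer" line may be printed.` would state the expected outcome. The hunk covers only a receiver with no TLS settings; a peer whose certificate does not chain to `ca.pem` is a separate case that deserves its own test. The embedded `key.1.pem` should be labelled in a comment as a throwaway test fixture so it is not mistaken for, or reused as, real key material.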
@@ -0,0 +1,145 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run clone "bro -B broker -b ../clone-main.bro >clone.out" +# @TEST-EXEC: btest-bg-run master "bro -B broker -b ../master-main.bro >master.out" +# +# @TEST-EXEC: btest-bg-wait 25 +# @TEST-EXEC: btest-diff clone/clone.out +# @TEST-EXEC: btest-diff master/master.out + +@TEST-START-FILE master-main.bro + +redef exit_only_after_terminate = T; +global query_timeout = 1sec; + +global ready: event(); + +global h: opaque of Broker::Store; + +function print_index(k: any) + { + when ( local r = Broker::get(h, k) ) + { + print "master", k, r$status, r$result; + } + timeout query_timeout + { + print "master", fmt("clone ", k); + } + } + +event done() + { + terminate(); + } + +event inserted() + { + Broker::erase(h, "four"); + + print("----"); + print_index("one"); + print_index("two"); + print_index(vector(1,2)); + print_index("three"); + print_index("four"); + print_index("five"); + print_index("six"); + schedule 6secs { done() }; + } + +event bro_init() + { + Broker::auto_publish("bro/events", done); + Broker::subscribe("bro/"); + + h = Broker::create_master("test"); + Broker::put(h, "one", "110"); + Broker::put(h, "two", 223); + Broker::put(h, vector(1,2), 1947/tcp); + + Broker::peer("127.0.0.1"); + } + +event insert_more() + { + Broker::put(h, "three", 3.14); + Broker::put(h, "four", 1.2.3.4); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + schedule 4secs { insert_more() }; + } + +@TEST-END-FILE + + +@TEST-START-FILE clone-main.bro + +redef exit_only_after_terminate = T; + +global query_timeout = 1sec; + +global h: opaque of Broker::Store; + + +global inserted: event(); + +function print_index(k: any) + { + when ( local r = Broker::get(h, k) ) + { + print "clone", k, r$status, r$result; + } + timeout query_timeout + { + print "clone", fmt("clone ", k); + } + } + +event done() + { + terminate(); + } + +event lookup(stage: count) + { + print("----"); + print_index("one"); 
+ print_index("two"); + print_index(vector(1,2)); + print_index("three"); + print_index("four"); + print_index("five"); + print_index("six"); + + if ( stage == 1 ) + schedule 4secs { lookup(2) }; + + if ( stage == 2 ) + { + Broker::put(h, "five", "555"); + Broker::put(h, "six", "666"); + schedule 4sec { inserted() }; + schedule 8secs { lookup(3) }; + } + + if ( stage == 3 ) + schedule 4sec { done() }; + } + +event bro_init() + { + Broker::auto_publish("bro/events", inserted); + Broker::subscribe("bro/"); + Broker::listen("127.0.0.1"); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + h = Broker::create_clone("test"); + schedule 2secs { lookup(1) }; + } + +@TEST-END-FILE diff --git a/testing/btest/broker/store/local.bro b/testing/btest/broker/store/local.bro new file mode 100644 index 0000000000..b352df93f2 --- /dev/null +++ b/testing/btest/broker/store/local.bro @@ -0,0 +1,43 @@ +# @TEST-EXEC: btest-bg-run master "bro -b %INPUT >out" +# @TEST-EXEC: btest-bg-wait 60 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out + +redef exit_only_after_terminate = T; + +global query_timeout = 1sec; + +global h: opaque of Broker::Store; + +event done() + { + terminate(); + } + +event bro_init() + { + h = Broker::create_master("master"); + Broker::put(h, "one", "110"); + Broker::put(h, "two", 223); + + when ( local res1 = Broker::get(h, "one") ) + { + local s = (res1$result as string); + print "string", s; + } + timeout query_timeout + { + print "timeout"; + } + + when ( local res2 = Broker::get(h, "two") ) + { + local c = (res2$result as count); + print "count", c; + } + timeout query_timeout + { + print "timeout"; + } + + schedule 2secs { done() }; + } diff --git a/testing/btest/broker/store/ops.bro b/testing/btest/broker/store/ops.bro new file mode 100644 index 0000000000..070a0f2ed3 --- /dev/null +++ b/testing/btest/broker/store/ops.bro 
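Review bot: In master-main.bro the timeout branch of `print_index` prints `"master", fmt("clone ", k)`, so a timed-out lookup on the master is reported with text that starts with `clone`, apparently copied from clone-main.bro; as shown on this page the format string also has no conversion for `k`, though that part may have been lost in rendering. Give the master its own message with a `%s` for the key so a timeout in master.out can be attributed. The test further depends on fixed delays (`schedule 4secs`, `6secs`, `8secs`) lining up across two processes; a short comment listing the intended order of stages would help when a run turns out flaky.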
@@ -0,0 +1,145 @@ +# @TEST-EXEC: btest-bg-run master "bro -B broker -b %INPUT >out" +# @TEST-EXEC: btest-bg-wait 60 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out + +redef exit_only_after_terminate = T; + +global query_timeout = 1sec; + +global h: opaque of Broker::Store; + +global step: count = 0; + +function print_index(k: any) + { + when ( local r = Broker::get(h, k) ) + { + step += 1; + print fmt("[%d]", step), k, r$status, r$result; + } + timeout query_timeout + { + step += 1; + print fmt("[%d] ", step, k); + } + } + +function print_exists(k: any) + { + when ( local r = Broker::exists(h, k) ) + { + step += 1; + print fmt("[%d]", step), k, r; + } + timeout query_timeout + { + step += 1; + print fmt("[%d] ", step, k); + } + } + +function print_index_from_value(k: any, i: any) + { + when ( local r = Broker::get_index_from_value(h, k, i) ) + { + step += 1; + print fmt("[%d]", step), k, r$status, r$result; + } + timeout query_timeout + { + step += 1; + print fmt("[%d] ", step, k); + } + } + +function print_keys() + { + when ( local s = Broker::keys(h) ) + { + step += 1; + print "keys", s; + } + timeout query_timeout + { + step += 1; + print fmt("[%d] ", step); + } + } + +event done() + { + terminate(); + } + +event pk2() + { + print_keys(); + } + +event pk1() + { + print_keys(); + Broker::clear(h); + schedule 1sec { pk2() }; + } + +event bro_init() + { + h = Broker::create_master("master"); + Broker::put(h, "one", "110"); + Broker::put(h, "two", 220); + Broker::put(h, "three", 330); + Broker::put(h, "four", set(1, 2,3)); + Broker::put(h, set("x", "y"), vector(1/tcp, 2/tcp, 3/tcp)); + + Broker::put(h, "str", "foo"); + Broker::put(h, "vec", vector(1, 2,3)); + Broker::put(h, "set", set("A", "B")); + Broker::put(h, "table", table(["a"] = 1, ["b"] = 2)); + + print_index("one"); + print_index("two"); + print_index("three"); + print_index("four"); + print_index("five"); + print_index(set("x", "y")); + + when ( step == 6 ) + { + 
Broker::increment(h, "two"); + Broker::increment(h, "two", 9); + Broker::decrement(h, "three"); + Broker::decrement(h, "three", 9); + print_index("two"); + print_index("three"); + print_index("four"); + print_keys(); + Broker::erase(h, "four"); + + Broker::append(h, "str", "bar"); + Broker::insert_into_set(h, "set", "C"); + Broker::insert_into_table(h, "table", "c", 3); + Broker::remove_from(h, "set", 2); + Broker::remove_from(h, "table", "b"); + Broker::push(h, "vec", 4); + Broker::push(h, "vec", 5); + Broker::pop(h, "vec"); + + print_index("str"); + print_index("set"); + print_index("table"); + print_index("vec"); + + print_exists("one"); + print_exists("NOPE"); + + print_index_from_value("vec", 1); + print_index_from_value("set", "A"); + print_index_from_value("table", "a"); + print_index_from_value("table", "X"); + + schedule 1sec { pk1() }; + } + + schedule 4secs { done() }; + } diff --git a/testing/btest/broker/store/record.bro b/testing/btest/broker/store/record.bro new file mode 100644 index 0000000000..ab862012a6 --- /dev/null +++ b/testing/btest/broker/store/record.bro 
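Review bot: `Broker::remove_from(h, "set", 2);` passes a count to a set that the earlier lines fill only with strings (`set("A", "B")` plus `insert_into_set(h, "set", "C")`), so as far as this hunk shows the call removes nothing and removal from a stored set is never exercised. If a no-op on a non-member is the intent, say so with a comment like `# 2 is not a member: removal must leave the set unchanged`; otherwise use an existing element, `Broker::remove_from(h, "set", "B");`. Separately, `schedule 4secs { done() };` is a fixed deadline for a chain that contains one-second query timeouts and two one-second `schedule` hops (`pk1`, `pk2`), which leaves little margin on a slow host.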
@@ -0,0 +1,38 @@
+# @TEST-EXEC: btest-bg-run master "bro -b %INPUT >out"
+# @TEST-EXEC: btest-bg-wait 60
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out
+
+type R: record {
+ s1: string;
+ s2: string;
+ c: count;
+};
+
+event bro_init()
+ {
+ local cr = Broker::record_create(3);
+ print Broker::record_size(cr);
+ print Broker::record_assign(cr, 0, "hi");
+ print Broker::record_assign(cr, 1, "hello");
+ print Broker::record_assign(cr, 2, 37);
+ print cr, (cr as R);
+ print "";
+
+ print Broker::record_lookup(cr, 0);
+ print Broker::record_lookup(cr, 1);
+ print Broker::record_lookup(cr, 2);
+ print Broker::record_size(cr);
+ print Broker::record_assign(cr, 1, "goodbye");
+ print Broker::record_size(cr);
+ print Broker::record_lookup(cr, 1);
+ print cr, (cr as R);
+ print "";
+
+ local i = Broker::record_iterator(cr);
+ while ( ! Broker::record_iterator_last(i) )
+ {
+ print fmt("| %s", Broker::record_iterator_value(i));
+ Broker::record_iterator_next(i);
+ }
+ print "";
+ }
diff --git a/testing/btest/broker/store/set.bro b/testing/btest/broker/store/set.bro
new file mode 100644
index 0000000000..056b46e221
--- /dev/null
+++ b/testing/btest/broker/store/set.bro
@@ -0,0 +1,39 @@
+# @TEST-EXEC: btest-bg-run master "bro -b %INPUT >out"
+# @TEST-EXEC: btest-bg-wait 60
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out
+
+
+event bro_init()
+ {
+ local cs = Broker::set_create();
+
+ print Broker::set_size(cs);
+ print Broker::set_insert(cs, "hi");
+ print Broker::set_size(cs);
+ print Broker::set_contains(cs, "hi");
+ print Broker::set_contains(cs, "bye");
+ print Broker::set_insert(cs, "bye");
+
+ print cs, (cs as set[string]);
+ local i = Broker::set_iterator(cs);
+ while ( ! Broker::set_iterator_last(i) )
+ {
+ print fmt("| %s", Broker::set_iterator_value(i));
+ Broker::set_iterator_next(i);
+ }
+ print "";
+
+ print Broker::set_size(cs);
+ print Broker::set_insert(cs, "bye");
+ print Broker::set_size(cs);
+ print Broker::set_remove(cs, "hi");
+ print Broker::set_size(cs);
+ print Broker::set_remove(cs, "hi");
+ print cs, (cs as set[string]);
+ print "";
+
+ print Broker::set_clear(cs);
+ print Broker::set_size(cs);
+ print cs, (cs as set[string]);
+ print "";
+ }
diff --git a/testing/btest/broker/store/sqlite.bro b/testing/btest/broker/store/sqlite.bro
new file mode 100644
index 0000000000..fbce1a693a
--- /dev/null
+++ b/testing/btest/broker/store/sqlite.bro
@@ -0,0 +1,59 @@ +# @TEST-EXEC: bro -b %INPUT RUN=1 >out +# @TEST-EXEC: bro -b %INPUT RUN=2 >>out +# @TEST-EXEC: btest-diff out + +global RUN = 0 &redef; + +redef exit_only_after_terminate = T; + +global query_timeout = 1sec; + +global h: opaque of Broker::Store; + +function print_index(k: any) + { + when ( local r = Broker::get(h, k) ) + { + print k, r$status, r$result; + } + timeout query_timeout + { + print fmt("", k); + } + } + +event done() + { + terminate(); + } + +event bro_init() + { + h = Broker::create_master("master", Broker::SQLITE); + + print "Run", RUN; + + if ( RUN == 1 ) + { + print "Inserting"; + Broker::put(h, "one", "110"); + Broker::put(h, "two", 220); + Broker::put(h, "three", 330); + Broker::put(h, "four", set(1, 2,3)); + Broker::put(h, set("x", "y"), vector(1/tcp, 2/tcp, 3/tcp)); + terminate(); + } + + if ( RUN == 2 ) + { + print "Retrieving"; + print_index("one"); + print_index("two"); + print_index("three"); + print_index("four"); + print_index("five"); + print_index(set("x", "y")); + } + + schedule 2secs { done() }; + } diff --git a/testing/btest/broker/store/table.bro b/testing/btest/broker/store/table.bro new file mode 100644 index 0000000000..11bd00028b --- /dev/null +++ b/testing/btest/broker/store/table.bro 
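Review bot: In the `RUN == 1` branch `terminate()` is called directly after the five `Broker::put` calls, and the RUN=2 half of the baseline then depends on those writes having reached the SQLite backend before shutdown; nothing in the hunk waits for or confirms them. If `put` is asynchronous (not visible from here), reading one key back in a `when ( local r = Broker::get(h, "one") )` block and calling `terminate()` from its body would make the durability assumption explicit. `Broker::create_master("master", Broker::SQLITE)` passes no backend options, so the database path is whatever default applies in the test's working directory; a comment such as `# both runs must execute in the same directory so RUN=2 reopens the file written by RUN=1` would record that.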
@@ -0,0 +1,42 @@
+# @TEST-EXEC: btest-bg-run master "bro -b %INPUT >out"
+# @TEST-EXEC: btest-bg-wait 60
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out
+
+
+event bro_init()
+ {
+ local ct = Broker::table_create();
+
+ print Broker::table_size(ct);
+ print Broker::table_insert(ct, "hi", 42);
+ print Broker::table_size(ct);
+ print Broker::table_contains(ct, "hi");
+ print (Broker::table_lookup(ct, "hi") as count);
+ print Broker::table_contains(ct, "bye");
+ print Broker::table_insert(ct, "bye", 7);
+ print Broker::table_size(ct);
+
+ print ct, (ct as table[string] of count);
+ local i = Broker::table_iterator(ct);
+ while ( ! Broker::table_iterator_last(i) )
+ {
+ print fmt("| %s", Broker::table_iterator_value(i));
+ Broker::table_iterator_next(i);
+ }
+ print "";
+
+ print Broker::table_insert(ct, "bye", 37);
+ print ct, (ct as table[string] of count);
+ print "";
+
+ print Broker::table_size(ct);
+ print (Broker::table_lookup(ct, "bye") as count);
+ print Broker::table_remove(ct, "hi");
+ print Broker::table_size(ct);
+ print Broker::table_remove(ct, "hi");
+ print Broker::table_size(ct);
+ print Broker::table_clear(ct);
+ print Broker::table_size(ct);
+ print ct, (ct as table[string] of count);
+ print "";
+ }
diff --git a/testing/btest/broker/store/type-conversion.bro b/testing/btest/broker/store/type-conversion.bro
new file mode 100644
index 0000000000..916c3f349d
--- /dev/null
+++ b/testing/btest/broker/store/type-conversion.bro
@@ -0,0 +1,66 @@ +# @TEST-EXEC: btest-bg-run master "bro -b %INPUT >out" +# @TEST-EXEC: btest-bg-wait 60 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out + +type R1: record { + s: string; +}; + +type R2: record { + c: count; + r1: R1; +}; + +event bro_init() + { + ### Print every broker data type + print Broker::data_type(Broker::data(T)); + print Broker::data_type(Broker::data(+1)); + print Broker::data_type(Broker::data(1)); + print Broker::data_type(Broker::data(1.1)); + print Broker::data_type(Broker::data("1 (how creative)")); + print Broker::data_type(Broker::data(1.1.1.1)); + print Broker::data_type(Broker::data(1.1.1.1/1)); + print Broker::data_type(Broker::data(1/udp)); + print Broker::data_type(Broker::data(double_to_time(1))); + print Broker::data_type(Broker::data(1sec)); + print Broker::data_type(Broker::data(Broker::BOOL)); + print Broker::data_type(Broker::data(set("one", "two", "three"))); + print Broker::data_type(Broker::data(table(["one"] = 1, ["two"] = 2, ["three"] = 3))); + print Broker::data_type(Broker::data(vector("zero", "one", "two"))); + print Broker::data_type(Broker::data(R1($s="abc"))); + print Broker::data_type(Broker::data(R2($c=123, $r1=R1($s="xyz")))); + + print "***************************"; + + ### Convert a Bro value to a broker value, then print the result + + print (Broker::data(T) as bool); + print (Broker::data(F) as bool); + print (Broker::data(+1) as int); + print (Broker::data(+0) as int); + print (Broker::data(-1) as int); + print (Broker::data(1) as count); + print (Broker::data(0) as count); + print (Broker::data(1.1) as double); + print (Broker::data(-11.1) as double); + print (Broker::data("hello") as string); + print (Broker::data(1.2.3.4) as addr); + print (Broker::data(192.168.1.1/16) as subnet); + print (Broker::data(22/tcp) as port); + print (Broker::data(double_to_time(42)) as time); + print (Broker::data(3min) as interval); + print (Broker::data(Broker::BOOL) as Broker::DataType); + 
print (Broker::data(set("one", "two", "three")) as set[string]); + print (Broker::data(table(["one"] = 1, ["two"] = 2, ["three"] = 3)) as table[string] of count); + print (Broker::data(vector("zero", "one", "two")) as vector of string); + print (Broker::data(R1($s="abc")) as R1); + print (Broker::data(R2($c=123, $r1=R1($s="xyz"))) as R2); + + local h1 = sha256_hash_init(); + sha256_hash_update(h1, "abc"); + local h2 = (Broker::data(h1) as opaque of sha256); + local s1 = sha256_hash_finish(h1); + local s2 = sha256_hash_finish(h2); + print "opaque of sha256", s1 == s2; + } diff --git a/testing/btest/broker/store/vector.bro b/testing/btest/broker/store/vector.bro new file mode 100644 index 0000000000..7edc4ba050 --- /dev/null +++ b/testing/btest/broker/store/vector.bro @@ -0,0 +1,42 @@ +# @TEST-EXEC: btest-bg-run master "bro -b %INPUT >out" +# @TEST-EXEC: btest-bg-wait 60 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out + + +event bro_init() + { + local cv = Broker::vector_create(); + print Broker::vector_size(cv); + print Broker::vector_insert(cv, 0, "hi"); + print Broker::vector_insert(cv, 1, "hello"); + print Broker::vector_insert(cv, 2, "greetings"); + print Broker::vector_insert(cv, 1, "salutations"); + print Broker::vector_size(cv); + print cv, (cv as vector of string); + local i = Broker::vector_iterator(cv); + while ( ! Broker::vector_iterator_last(i) ) + { + print fmt("| %s", Broker::vector_iterator_value(i)); + Broker::vector_iterator_next(i); + } + print ""; + + print Broker::vector_replace(cv, 2, "bah"); + print cv, (cv as vector of string); + print ""; + + print Broker::vector_lookup(cv, 2); + print Broker::vector_lookup(cv, 0); + print cv, (cv as vector of string); + print ""; + + print Broker::vector_remove(cv, 2); + print cv, (cv as vector of string); + print ""; + + print Broker::vector_size(cv); + print Broker::vector_clear(cv); + print Broker::vector_size(cv); + print cv, (cv as vector of string); + print ""; + } 
diff --git a/testing/btest/broker/unpeer.bro b/testing/btest/broker/unpeer.bro
new file mode 100644
index 0000000000..5786ab0e1a
--- /dev/null
+++ b/testing/btest/broker/unpeer.bro
@@ -0,0 +1,80 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out" +# +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff send/send.out +# +# @TEST-EXEC: cat recv/broker.log | awk '/Broker::STATUS/ { $5="XXX"; print; }' >recv/broker.filtered.log +# @TEST-EXEC: cat send/broker.log | awk '/Broker::STATUS/ { $5="XXX"; print; }' >send/broker.filtered.log +# @TEST-EXEC: btest-diff recv/broker.filtered.log +# @TEST-EXEC: btest-diff send/broker.filtered.log + +@TEST-START-FILE send.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +event do_terminate() + { + terminate(); + } + +event print_something(i: int) + { + print "Something sender", i; + } + +event unpeer(endpoint: Broker::EndpointInfo) + { + print "unpeering"; + Broker::unpeer("127.0.0.1", endpoint$network$bound_port); + schedule 2secs { print_something(2) }; + schedule 4secs { do_terminate() }; + } + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::auto_publish("bro/event/my_topic", print_something); + Broker::peer("127.0.0.1"); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + schedule 2secs { print_something(1) }; + schedule 4secs { unpeer(endpoint) }; + } + + +@TEST-END-FILE + + +@TEST-START-FILE recv.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +event do_terminate() + { + terminate(); + } + +event print_something(i: int) + { + print "Something receiver", i; + } + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::listen("127.0.0.1"); + schedule 10secs { do_terminate() }; + } + + +@TEST-END-FILE diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg index cfddb92899..2b9d75287f 100644 
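Review bot: The `unpeer` handler in send.bro dereferences `endpoint$network$bound_port` unconditionally; if `network` is an optional field of `Broker::EndpointInfo` (its declaration is not part of this hunk), an endpoint without it aborts the handler before `schedule 4secs { do_terminate() }` is reached, and with `exit_only_after_terminate = T` the sender then hangs until `btest-bg-wait 20` kills it. Guarding the call with `if ( endpoint?$network )` and printing a message in the else branch keeps that failure visible in send.out. The two awk filters overwrite field 5 of the `Broker::STATUS` log lines with `XXX`; a one-line comment naming what that field holds would explain why it cannot be diffed.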
--- a/testing/btest/btest.cfg +++ b/testing/btest/btest.cfg @@ -1,5 +1,5 @@ [btest] -TestDirs = doc bifs language core scripts istate coverage signatures plugins broker +TestDirs = doc bifs language core scripts coverage signatures plugins broker TmpDir = %(testbase)s/.tmp BaselineDir = %(testbase)s/Baseline IgnoreDirs = .svn CVS .tmp @@ -25,4 +25,3 @@ TMPDIR=%(testbase)s/.tmp BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXXXX BTEST_RST_FILTER=$SCRIPTS/rst-filter BRO_DNS_FAKE=1 -BROKER_PORT=9999/tcp diff --git a/testing/btest/core/leaks/ascii-log-rotation.bro b/testing/btest/core/leaks/ascii-log-rotation.bro deleted file mode 100644 index a84f80ea90..0000000000 --- a/testing/btest/core/leaks/ascii-log-rotation.bro +++ /dev/null 
@@ -1,75 +0,0 @@ -# Needs perftools support. -# -# @TEST-SERIALIZE: comm -# @TEST-GROUP: leaks -# -# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# -# @TEST-EXEC: btest-bg-run receiver HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -b -m ../receiver.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run sender HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -b -m ../sender.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-wait 60 - -@TEST-START-FILE sender.bro - -@load base/frameworks/communication -@load base/protocols/dns - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $connect=T] -}; - -global write_count: count = 0; - -event do_write() - { - print "do_write"; - local cid: conn_id = conn_id($orig_h=1.2.3.4,$orig_p=1/tcp, - $resp_h=5.6.7.8,$resp_p=2/tcp); - local dns_info_dummy = DNS::Info($ts=network_time(), $uid="FAKE", - $id=cid, $proto=tcp); - Log::write(DNS::LOG, dns_info_dummy); - schedule .1sec { do_write() }; - ++write_count; - - if ( write_count == 200 ) - terminate(); - } - -event remote_connection_handshake_done(p: event_peer) - { - print "remote_connection_handshake_done", p; - schedule .1sec { do_write() }; - } - -event remote_connection_closed(p: event_peer) - { - print "remote_connection_closed", p; - } - -@TEST-END-FILE - -@TEST-START-FILE receiver.bro - -@load frameworks/communication/listen -@load base/protocols/dns - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $connect=F, $request_logs=T] -}; - -redef Log::default_rotation_interval = 2sec; - -event remote_connection_handshake_done(p: event_peer) - { - print "remote_connection_handshake_done", p; - } - -event remote_connection_closed(p: event_peer) - { - print "remote_connection_closed", p; - terminate(); - } - -@TEST-END-FILE diff --git a/testing/btest/core/leaks/basic-cluster.bro b/testing/btest/core/leaks/basic-cluster.bro index 7c9df36b9a..103146495b 100644 --- a/testing/btest/core/leaks/basic-cluster.bro 
+++ b/testing/btest/core/leaks/basic-cluster.bro @@ -13,7 +13,7 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], }; @@ -40,13 +40,17 @@ event bro_init() &priority=5 }]); } -event remote_connection_closed(p: event_peer) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } global ready_for_data: event(); -redef Cluster::manager2worker_events += /^ready_for_data$/; + +event bro_init() + { + Broker::auto_publish(Cluster::worker_topic, ready_for_data); + } event ready_for_data() { @@ -75,7 +79,7 @@ event ready_for_data() @if ( Cluster::local_node_type() == Cluster::MANAGER ) global peer_count = 0; -event remote_connection_handshake_done(p: event_peer) &priority=-5 +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { ++peer_count; if ( peer_count == 2 ) diff --git a/testing/btest/core/leaks/broker/clone_store.bro b/testing/btest/core/leaks/broker/clone_store.bro index 4996d05bd2..2cd728c631 100644 --- a/testing/btest/core/leaks/broker/clone_store.bro +++ b/testing/btest/core/leaks/broker/clone_store.bro 
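Review bot: In the third hunk the manager's `Broker::peer_added` handler counts every new peer toward `peer_count == 2` without looking at `endpoint`, and the `&priority=-5` that the replaced `remote_connection_handshake_done` handler carried is dropped. Whether the handler still has to run after the cluster framework's own peering bookkeeping is not visible here; if that ordering was the reason for the attribute, keep it: `event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) &priority=-5`. The `Broker::peer_lost` handler added in the second hunk similarly terminates on the loss of any peer, which deserves a comment stating that this is intended for every node type. The `peer_added` body continues outside the hunk.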
@@ -1,113 +1,144 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt +# @TEST-SERIALIZE: comm # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # @TEST-GROUP: leaks -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run clone "bro -m -b ../clone.bro broker_port=$BROKER_PORT >clone.out" -# @TEST-EXEC: btest-bg-run master "bro -b ../master.bro broker_port=$BROKER_PORT >master.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run clone "bro -m -b ../clone.bro >clone.out" +# @TEST-EXEC: btest-bg-run master "bro -b ../master.bro >master.out" # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff clone/clone.out -@TEST-START-FILE clone.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -global h: opaque of Broker::Handle; -global expected_key_count = 4; -global key_count = 0; - -function do_lookup(key: string) - { - when ( local res = Broker::lookup(h, Broker::data(key)) ) - { - ++key_count; - print "lookup", key, res; - - if ( key_count == expected_key_count ) - terminate(); - } - timeout 10sec - { print "timeout"; } - } - -event ready() - { - h = Broker::create_clone("mystore"); - - when ( local res = Broker::keys(h) ) - { - print "clone keys", res; - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 0))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 1))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 2))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 3))); - } - timeout 10sec - { print "timeout"; } - } - -event bro_init() - { - Broker::enable(); - Broker::subscribe_to_events("bro/event/ready"); - Broker::listen(broker_port, "127.0.0.1"); - } - -@TEST-END-FILE - @TEST-START-FILE master.bro -const broker_port: port &redef; redef exit_only_after_terminate = T; - -global h: opaque of Broker::Handle; - -function 
dv(d: Broker::Data): Broker::DataVector - { - local rval: Broker::DataVector; - rval[0] = d; - return rval; - } +global query_timeout = 1sec; global ready: event(); -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +global h: opaque of Broker::Store; + +function print_index(k: any) + { + when ( local r = Broker::get(h, k) ) + { + print "master", k, r$status, r$result; + } + timeout query_timeout + { + print "master", fmt("clone ", k); + } + } + +event done() { terminate(); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event inserted() { - local myset: set[string] = {"a", "b", "c"}; - local myvec: vector of string = {"alpha", "beta", "gamma"}; - Broker::insert(h, Broker::data("one"), Broker::data(110)); - Broker::insert(h, Broker::data("two"), Broker::data(223)); - Broker::insert(h, Broker::data("myset"), Broker::data(myset)); - Broker::insert(h, Broker::data("myvec"), Broker::data(myvec)); - Broker::increment(h, Broker::data("one")); - Broker::decrement(h, Broker::data("two")); - Broker::add_to_set(h, Broker::data("myset"), Broker::data("d")); - Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b")); - Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta"))); - Broker::push_right(h, Broker::data("myvec"), dv(Broker::data("omega"))); - - when ( local res = Broker::size(h) ) - { event ready(); } - timeout 10sec - { print "timeout"; } + Broker::erase(h, "four"); + + print("----"); + print_index("one"); + print_index("two"); + print_index(vector(1,2)); + print_index("three"); + print_index("four"); + print_index("five"); + print_index("six"); + schedule 2secs { done() }; } event bro_init() { - Broker::enable(); - Broker::auto_event("bro/event/ready", ready); - h = Broker::create_master("mystore"); - Broker::connect("127.0.0.1", broker_port, 1secs); + Broker::auto_publish("bro/events", done); + Broker::subscribe("bro/"); + + h = 
Broker::create_master("test"); + Broker::put(h, "one", "110"); + Broker::put(h, "two", 223); + Broker::put(h, vector(1,2), 1947/tcp); + + Broker::peer("127.0.0.1"); + } + +event insert_more() + { + Broker::put(h, "three", 3.14); + Broker::put(h, "four", 1.2.3.4); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + schedule 4secs { insert_more() }; } @TEST-END-FILE + + +@TEST-START-FILE clone.bro + +redef exit_only_after_terminate = T; + +global query_timeout = 1sec; + +global h: opaque of Broker::Store; + + +global inserted: event(); + +function print_index(k: any) + { + when ( local r = Broker::get(h, k) ) + { + print "clone", k, r$status, r$result; + } + timeout query_timeout + { + print "clone", fmt("clone ", k); + } + } + +event lookup(stage: count) + { + print("----"); + print_index("one"); + print_index("two"); + print_index(vector(1,2)); + print_index("three"); + print_index("four"); + print_index("five"); + print_index("six"); + + if ( stage == 1 ) + schedule 4secs { lookup(2) }; + + if ( stage == 2 ) + { + Broker::put(h, "five", "555"); + Broker::put(h, "six", "666"); + event inserted(); + schedule 2secs { lookup(3) }; + } + } + +event done() + { + terminate(); + } + +event bro_init() + { + Broker::auto_publish("bro/events", inserted); + Broker::subscribe("bro/"); + Broker::listen("127.0.0.1"); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + h = Broker::create_clone("test"); + schedule 2secs { lookup(1) }; + } + +@TEST-END-FILE + diff --git a/testing/btest/core/leaks/broker/data.bro b/testing/btest/core/leaks/broker/data.bro index d67c879fbf..d79155fa30 100644 --- a/testing/btest/core/leaks/broker/data.bro +++ b/testing/btest/core/leaks/broker/data.bro @@ -1,4 +1,3 @@ -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # @TEST-GROUP: leaks 
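Review bot: Stage 2 of the clone's `lookup` raises `inserted()` and schedules `lookup(3)` two seconds later, while the master answers `inserted` with `schedule 2secs { done() };` and auto-publishes `done`, whose handler on the clone is `terminate()`. The stage-3 lookups and the remote `done` therefore arrive at about the same time, and the asynchronous `Broker::get` results may or may not be printed before the clone exits, which makes the diffed clone.out timing-dependent. The non-leak store clone test added earlier in this patch leaves a margin between the two (`schedule 8secs { lookup(3) }` on the clone, `schedule 6secs { done() }` on the master); a comparable gap here, e.g. `schedule 4secs { done() };` in the master's `inserted` handler, would remove the race. `global ready: event();` in master.bro is no longer referenced and can go.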
@@ -17,24 +16,24 @@ type bro_record : record { }; function broker_to_bro_record_recurse(it: opaque of Broker::RecordIterator, - rval: bro_record, - idx: count): bro_record + rval: bro_record, + idx: count): bro_record { if ( Broker::record_iterator_last(it) ) return rval; local field_value = Broker::record_iterator_value(it); - if ( field_value?$d ) + if ( field_value?$data ) switch ( idx ) { case 0: - rval$a = Broker::refine_to_string(field_value); + rval$a = field_value as string; break; case 1: - rval$b = Broker::refine_to_string(field_value); + rval$b = field_value as string; break; case 2: - rval$c = Broker::refine_to_count(field_value); + rval$c = field_value as count; break; }; @@ -46,7 +45,7 @@ function broker_to_bro_record_recurse(it: opaque of Broker::RecordIterator, function broker_to_bro_record(d: Broker::Data): bro_record { return broker_to_bro_record_recurse(Broker::record_iterator(d), - bro_record($c = 0), 0); + bro_record($c = 0), 0); } function @@ -56,7 +55,7 @@ broker_to_bro_set_recurse(it: opaque of Broker::SetIterator, if ( Broker::set_iterator_last(it) ) return rval; - add rval[Broker::refine_to_string(Broker::set_iterator_value(it))]; + add rval[Broker::set_iterator_value(it) as string]; Broker::set_iterator_next(it); return broker_to_bro_set_recurse(it, rval); } @@ -75,7 +74,7 @@ broker_to_bro_table_recurse(it: opaque of Broker::TableIterator, return rval; local item = Broker::table_iterator_value(it); - rval[Broker::refine_to_string(item$key)] = Broker::refine_to_count(item$val); + rval[item$key as string] = item$val as count; Broker::table_iterator_next(it); return broker_to_bro_table_recurse(it, rval); } 
@@ -83,16 +82,16 @@ broker_to_bro_table_recurse(it: opaque of Broker::TableIterator, function broker_to_bro_table(d: Broker::Data): bro_table { return broker_to_bro_table_recurse(Broker::table_iterator(d), - bro_table()); + bro_table()); } function broker_to_bro_vector_recurse(it: opaque of Broker::VectorIterator, - rval: bro_vector): bro_vector + rval: bro_vector): bro_vector { if ( Broker::vector_iterator_last(it) ) return rval; - rval[|rval|] = Broker::refine_to_string(Broker::vector_iterator_value(it)); + rval[|rval|] = Broker::vector_iterator_value(it) as string; Broker::vector_iterator_next(it); return broker_to_bro_vector_recurse(it, rval); } @@ -100,19 +99,15 @@ function broker_to_bro_vector_recurse(it: opaque of Broker::VectorIterator, function broker_to_bro_vector(d: Broker::Data): bro_vector { return broker_to_bro_vector_recurse(Broker::vector_iterator(d), - bro_vector()); + bro_vector()); } -event bro_init() -{ -Broker::enable(); -} - global did_it = F; event new_connection(c: connection) { if ( did_it ) return; + did_it = T; ### Print every broker data type 
@@ -141,22 +136,22 @@ print "***************************"; ### Convert a Bro value to a broker value, then print the result -print Broker::refine_to_bool(Broker::data(T)); -print Broker::refine_to_bool(Broker::data(F)); -print Broker::refine_to_int(Broker::data(+1)); -print Broker::refine_to_int(Broker::data(+0)); -print Broker::refine_to_int(Broker::data(-1)); -print Broker::refine_to_count(Broker::data(1)); -print Broker::refine_to_count(Broker::data(0)); -print Broker::refine_to_double(Broker::data(1.1)); -print Broker::refine_to_double(Broker::data(-11.1)); -print Broker::refine_to_string(Broker::data("hello")); -print Broker::refine_to_addr(Broker::data(1.2.3.4)); -print Broker::refine_to_subnet(Broker::data(192.168.1.1/16)); -print Broker::refine_to_port(Broker::data(22/tcp)); -print Broker::refine_to_time(Broker::data(double_to_time(42))); -print Broker::refine_to_interval(Broker::data(3min)); -print Broker::refine_to_enum_name(Broker::data(Broker::BOOL)); +print (Broker::data(T)) as bool; +print (Broker::data(F)) as bool; +print (Broker::data(+1)) as int; +print (Broker::data(+0)) as int; +print (Broker::data(-1)) as int; +print (Broker::data(1)) as count; +print (Broker::data(0)) as count; +print (Broker::data(1.1)) as double; +print (Broker::data(-11.1)) as double; +print (Broker::data("hello")) as string; +print (Broker::data(1.2.3.4)) as addr; +print (Broker::data(192.168.1.1/16)) as subnet; +print (Broker::data(22/tcp)) as port; +print (Broker::data(double_to_time(42))) as time; +print (Broker::data(3min)) as interval; +print (Broker::data(Broker::BOOL)) as Broker::DataType; local cs = Broker::data(s); print broker_to_bro_set(cs); 
@@ -184,17 +179,17 @@ print "***************************"; cs = Broker::set_create(); print Broker::set_size(cs); -print Broker::set_insert(cs, Broker::data("hi")); +print Broker::set_insert(cs, ("hi")); print Broker::set_size(cs); -print Broker::set_contains(cs, Broker::data("hi")); -print Broker::set_contains(cs, Broker::data("bye")); -print Broker::set_insert(cs, Broker::data("bye")); +print Broker::set_contains(cs, ("hi")); +print Broker::set_contains(cs, ("bye")); +print Broker::set_insert(cs, ("bye")); print Broker::set_size(cs); -print Broker::set_insert(cs, Broker::data("bye")); +print Broker::set_insert(cs, ("bye")); print Broker::set_size(cs); -print Broker::set_remove(cs, Broker::data("hi")); +print Broker::set_remove(cs, ("hi")); print Broker::set_size(cs); -print Broker::set_remove(cs, Broker::data("hi")); +print Broker::set_remove(cs, ("hi")); print broker_to_bro_set(cs); print Broker::set_clear(cs); print Broker::set_size(cs); 
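Review bot: The mechanical removal of `Broker::data(...)` left redundant parentheses around plain literals, starting in this hunk with `Broker::set_insert(cs, ("hi"))` and repeated in the table, vector and record hunks that follow (`("hi"), (42)`, `0, ("hi")`, `2, (37)`). Writing `Broker::set_insert(cs, "hi")` reads better and matches the new tests under testing/btest/broker/store. The preceding hunk's `print (Broker::data(T)) as bool;` spelling also differs from `print (Broker::data(T) as bool);` used in type-conversion.bro; settling on the latter makes it obvious which expression the cast applies to.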
@@ -206,19 +201,19 @@ print "***************************"; ct = Broker::table_create(); print Broker::table_size(ct); -print Broker::table_insert(ct, Broker::data("hi"), Broker::data(42)); +print Broker::table_insert(ct, ("hi"), (42)); print Broker::table_size(ct); -print Broker::table_contains(ct, Broker::data("hi")); -print Broker::refine_to_count(Broker::table_lookup(ct, Broker::data("hi"))); -print Broker::table_contains(ct, Broker::data("bye")); -print Broker::table_insert(ct, Broker::data("bye"), Broker::data(7)); +print Broker::table_contains(ct, ("hi")); +print (Broker::table_lookup(ct, ("hi"))) as count; +print Broker::table_contains(ct, ("bye")); +print Broker::table_insert(ct, ("bye"), (7)); print Broker::table_size(ct); -print Broker::table_insert(ct, Broker::data("bye"), Broker::data(37)); +print Broker::table_insert(ct, ("bye"), (37)); print Broker::table_size(ct); -print Broker::refine_to_count(Broker::table_lookup(ct, Broker::data("bye"))); -print Broker::table_remove(ct, Broker::data("hi")); +print (Broker::table_lookup(ct, ("bye"))) as count; +print Broker::table_remove(ct, ("hi")); print Broker::table_size(ct); -print Broker::table_remove(ct, Broker::data("hi")); +print Broker::table_remove(ct, ("hi")); print Broker::table_size(ct); print Broker::table_clear(ct); print Broker::table_size(ct); 
@@ -230,13 +225,13 @@ print "***************************"; cv = Broker::vector_create(); print Broker::vector_size(cv); -print Broker::vector_insert(cv, Broker::data("hi"), 0); -print Broker::vector_insert(cv, Broker::data("hello"), 1); -print Broker::vector_insert(cv, Broker::data("greetings"), 2); -print Broker::vector_insert(cv, Broker::data("salutations"), 1); +print Broker::vector_insert(cv, 0, ("hi")); +print Broker::vector_insert(cv, 1, ("hello")); +print Broker::vector_insert(cv, 2, ("greetings")); +print Broker::vector_insert(cv, 1, ("salutations")); print broker_to_bro_vector(cv); print Broker::vector_size(cv); -print Broker::vector_replace(cv, Broker::data("bah"), 2); +print Broker::vector_replace(cv, 2, ("bah")); print Broker::vector_lookup(cv, 2); print Broker::vector_lookup(cv, 0); print broker_to_bro_vector(cv); @@ -253,14 +248,14 @@ print "***************************"; cr = Broker::record_create(3); print Broker::record_size(cr); -print Broker::record_assign(cr, Broker::data("hi"), 0); -print Broker::record_assign(cr, Broker::data("hello"), 1); -print Broker::record_assign(cr, Broker::data(37), 2); +print Broker::record_assign(cr, 0, ("hi")); +print Broker::record_assign(cr, 1, ("hello")); +print Broker::record_assign(cr, 2, (37)); print Broker::record_lookup(cr, 0); print Broker::record_lookup(cr, 1); print Broker::record_lookup(cr, 2); print Broker::record_size(cr); -print Broker::record_assign(cr, Broker::data("goodbye"), 1); +print Broker::record_assign(cr, 1, ("goodbye")); print Broker::record_size(cr); print Broker::record_lookup(cr, 1); } diff --git a/testing/btest/core/leaks/broker/master_store.bro b/testing/btest/core/leaks/broker/master_store.bro index 11f32b49ae..583f80413b 100644 --- a/testing/btest/core/leaks/broker/master_store.bro +++ b/testing/btest/core/leaks/broker/master_store.bro 
@@ -1,155 +1,149 @@ -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # @TEST-GROUP: leaks # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b -r $TRACES/http/get.trace %INPUT # @TEST-EXEC: btest-bg-wait 45 -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff bro/.stdout redef exit_only_after_terminate = T; -global h: opaque of Broker::Handle; -global lookup_count = 0; -const lookup_expect_count = 5; -global exists_count = 0; -const exists_expect_count = 4; -global pop_count = 0; -const pop_expect_count = 2; +global query_timeout = 45sec; -global test_size: event(where: string &default = ""); +global h: opaque of Broker::Store; -event test_clear() +global step: count = 0; + +function print_index(k: any) { + when ( local r = Broker::get(h, k) ) + { + step += 1; + print fmt("[%d]", step), k, r$status, r$result; + } + timeout query_timeout + { + step += 1; + print fmt("[%d] ", step, k); + } + } + +function print_exists(k: any) + { + when ( local r = Broker::exists(h, k) ) + { + step += 1; + print fmt("[%d]", step), k, r; + } + timeout query_timeout + { + step += 1; + print fmt("[%d] ", step, k); + } + } + +function print_index_from_value(k: any, i: any) + { + when ( local r = Broker::get_index_from_value(h, k, i) ) + { + step += 1; + print fmt("[%d]", step), k, r$status, r$result; + } + timeout query_timeout + { + step += 1; + print fmt("[%d] ", step, k); + } + } + +function print_keys() + { + when ( local s = Broker::keys(h) ) + { + step += 1; + print "keys", s; + } + timeout query_timeout + { + step += 1; + print fmt("[%d] ", step); + } + } + +event done() + { + terminate(); + } + +event pk2() + { + print_keys(); + } + +event pk1() + { + print_keys(); Broker::clear(h); - event test_size("after clear"); + schedule 1sec { pk2() }; } -event test_size(where: string) - { - when ( local res = Broker::size(h) ) - { - if ( where == "" ) - { - print 
fmt("size: %s", res); - event test_clear(); - } - else - { - print fmt("size (%s): %s", where, res); - terminate(); - } - } - timeout 10sec - { print "timeout"; } - } - -event test_keys() - { - when ( local res = Broker::keys(h) ) - { - print fmt("keys: %s", res); - event test_size(); - } - timeout 10sec - { print "timeout"; } - } - -event test_pop(key: string) - { - when ( local lres = Broker::pop_left(h, Broker::data(key)) ) - { - print fmt("pop_left(%s): %s", key, lres); - ++pop_count; - - if ( pop_count == pop_expect_count ) - event test_keys(); - } - timeout 10sec - { print "timeout"; } - - when ( local rres = Broker::pop_right(h, Broker::data(key)) ) - { - print fmt("pop_right(%s): %s", key, rres); - ++pop_count; - - if ( pop_count == pop_expect_count ) - event test_keys(); - } - timeout 10sec - { print "timeout"; } - } - -function do_exists(key: string) - { - when ( local res = Broker::exists(h, Broker::data(key)) ) - { - print fmt("exists(%s): %s", key, res); - ++exists_count; - - if ( exists_count == exists_expect_count ) - event test_pop("myvec"); - } - timeout 10sec - { print "timeout"; } - } - -event test_erase() - { - Broker::erase(h, Broker::data("two")); - do_exists("one"); - do_exists("two"); - do_exists("myset"); - do_exists("four"); - } - -function do_lookup(key: string) - { - when ( local res = Broker::lookup(h, Broker::data(key)) ) - { - print fmt("lookup(%s): %s", key, res); - ++lookup_count; - - if ( lookup_count == lookup_expect_count ) - event test_erase(); - } - timeout 10sec - { print "timeout"; } - } - -function dv(d: Broker::Data): Broker::DataVector - { - local rval: Broker::DataVector; - rval[0] = d; - return rval; - } - -global did_it = F; - event bro_init() { - Broker::enable(); h = Broker::create_master("master"); + Broker::put(h, "one", "110"); + Broker::put(h, "two", 220); + Broker::put(h, "three", 330); + Broker::put(h, "four", set(1, 2,3)); + Broker::put(h, set("x", "y"), vector(1/tcp, 2/tcp, 3/tcp)); + + Broker::put(h, "str", 
"foo"); + Broker::put(h, "vec", vector(1, 2,3)); + Broker::put(h, "set", set("A", "B")); + Broker::put(h, "table", table(["a"] = 1, ["b"] = 2)); + + print_index("one"); + print_index("two"); + print_index("three"); + print_index("four"); + print_index("five"); + print_index(set("x", "y")); + + when ( step == 6 ) + { + Broker::increment(h, "two"); + Broker::increment(h, "two", 9); + Broker::decrement(h, "three"); + Broker::decrement(h, "three", 9); + print_index("two"); + print_index("three"); + print_index("four"); + print_keys(); + Broker::erase(h, "four"); + + Broker::append(h, "str", "bar"); + Broker::insert_into_set(h, "set", "C"); + Broker::insert_into_table(h, "table", "c", 3); + Broker::remove_from(h, "set", 2); + Broker::remove_from(h, "table", "b"); + Broker::push(h, "vec", 4); + Broker::push(h, "vec", 5); + Broker::pop(h, "vec"); + + print_index("str"); + print_index("set"); + print_index("table"); + print_index("vec"); + + print_exists("one"); + print_exists("NOPE"); + + print_index_from_value("vec", 1); + print_index_from_value("set", "A"); + print_index_from_value("table", "a"); + print_index_from_value("table", "X"); + + schedule 1sec { pk1() }; + } + + schedule 15secs { done() }; } -event new_connection(c: connection) - { - if ( did_it ) return; - did_it = T; - local myset: set[string] = {"a", "b", "c"}; - local myvec: vector of string = {"alpha", "beta", "gamma"}; - Broker::insert(h, Broker::data("one"), Broker::data(110)); - Broker::insert(h, Broker::data("two"), Broker::data(223)); - Broker::insert(h, Broker::data("myset"), Broker::data(myset)); - Broker::insert(h, Broker::data("myvec"), Broker::data(myvec)); - Broker::increment(h, Broker::data("one")); - Broker::decrement(h, Broker::data("two")); - Broker::add_to_set(h, Broker::data("myset"), Broker::data("d")); - Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b")); - Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta"))); - Broker::push_right(h, 
Broker::data("myvec"), dv(Broker::data("omega"))); - do_lookup("one"); - do_lookup("two"); - do_lookup("myset"); - do_lookup("four"); - do_lookup("myvec"); - } + diff --git a/testing/btest/core/leaks/broker/remote_event.test b/testing/btest/core/leaks/broker/remote_event.test index a7f174f7fd..b788f3ee79 100644 --- a/testing/btest/core/leaks/broker/remote_event.test +++ b/testing/btest/core/leaks/broker/remote_event.test @@ -1,10 +1,9 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt +# @TEST-SERIALIZE: comm # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # @TEST-GROUP: leaks -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro broker_port=$BROKER_PORT >send.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro >recv.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro >send.out" # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out @@ -12,7 +11,6 @@ @TEST-START-FILE recv.bro -const broker_port: port &redef; redef exit_only_after_terminate = T; global event_handler: event(msg: string, c: count); @@ -20,10 +18,9 @@ global auto_event_handler: event(msg: string, c: count); event bro_init() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/"); - Broker::auto_event("bro/event/my_topic", auto_event_handler); - Broker::listen(broker_port, "127.0.0.1"); + Broker::subscribe("bro/event/"); + Broker::auto_publish("bro/event/my_topic", auto_event_handler); + Broker::listen("127.0.0.1"); } global event_count = 0; 
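Review bot: The timeout branches of `print_index`, `print_exists` and `print_index_from_value` call `fmt("[%d] ", step, k)`, which passes two values to a format string with a single `%d`, whereas the success branches use `print fmt("[%d]", step), k, ...`. If a store query times out, the test would presumably report a format-argument error rather than the step and key, assuming `fmt` rejects surplus arguments. Moving the key out of the call keeps both branches consistent: `print fmt("[%d] timeout", step), k;`. This hunk also removes the `btest-diff` of `bro/.stdout`, so nothing else would surface a timeout.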
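Review bot: Dropping `broker_port=$BROKER_PORT` from both `@TEST-EXEC` lines makes the two processes meet on the framework's fixed default port, given `Broker::listen("127.0.0.1")` and `Broker::peer("127.0.0.1", Broker::default_port, 1secs)` in the later hunks. `@TEST-SERIALIZE: comm` presumably only orders tests within one btest run. If another Broker endpoint is already bound on loopback, `listen` would fail, or the sender would peer with a process outside the test and publish `event_handler` to it. Keeping a per-run port avoids that, e.g. `const broker_port: port &redef;` with `Broker::listen("127.0.0.1", broker_port);`. The same applies to remote_log.test below.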
@@ -41,15 +38,13 @@ event event_handler(msg: string, n: count) } event auto_event_handler(msg, n); - local args = Broker::event_args(event_handler, "pong", n); - Broker::send_event("bro/event/my_topic", args); + Broker::publish("bro/event/my_topic", event_handler, "pong", n); } @TEST-END-FILE @TEST-START-FILE send.bro -const broker_port: port &redef; redef exit_only_after_terminate = T; global event_handler: event(msg: string, c: count); @@ -57,25 +52,20 @@ global auto_event_handler: event(msg: string, c: count); event bro_init() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/my_topic"); - Broker::connect("127.0.0.1", broker_port, 1secs); + Broker::subscribe("bro/event/my_topic"); + Broker::peer("127.0.0.1", Broker::default_port, 1secs); } global event_count = 0; -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", peer_address, peer_port; - local args = Broker::event_args(event_handler, "ping", event_count); - Broker::send_event("bro/event/hi", args); + print "Broker peer added", endpoint$network; + Broker::publish("bro/event/hi", event_handler, "ping", event_count); ++event_count; } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } @@ -83,8 +73,7 @@ event Broker::outgoing_connection_broken(peer_address: string, event event_handler(msg: string, n: count) { print "got event msg", msg, n; - local args = Broker::event_args(event_handler, "ping", event_count); - Broker::send_event("bro/event/hi", args); + Broker::publish("bro/event/hi", event_handler, "ping", event_count); ++event_count; } diff --git a/testing/btest/core/leaks/broker/remote_log.test b/testing/btest/core/leaks/broker/remote_log.test index 0093e9db2e..a2b1d8793e 100644 
--- a/testing/btest/core/leaks/broker/remote_log.test +++ b/testing/btest/core/leaks/broker/remote_log.test @@ -1,10 +1,9 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt +# @TEST-SERIALIZE: comm # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # @TEST-GROUP: leaks -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../common.bro ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../common.bro ../send.bro broker_port=$BROKER_PORT >send.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro >recv.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro >send.out" # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out @@ -14,6 +13,8 @@ @TEST-START-FILE common.bro +redef exit_only_after_terminate = T; + module Test; export { 
@@ -21,50 +22,47 @@ export { type Info: record { msg: string &log; + nolog: string &default="no"; num: count &log; }; - - global log_test: event(rec: Test::Info); } event bro_init() &priority=5 { - Broker::enable(); - Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]); + Log::create_stream(Test::LOG, [$columns=Test::Info]); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); } @TEST-END-FILE @TEST-START-FILE recv.bro -const broker_port: port &redef; -redef exit_only_after_terminate = T; +@load ./common.bro event bro_init() { - Broker::subscribe_to_logs("bro/log/"); - Broker::listen(broker_port, "127.0.0.1"); + Broker::subscribe("bro/"); + Broker::listen("127.0.0.1"); } -event Test::log_test(rec: Test::Info) +event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string) { - print "wrote log", rec; - - if ( rec$num == 5 ) - terminate(); + terminate(); } @TEST-END-FILE @TEST-START-FILE send.bro -const broker_port: port &redef; -redef exit_only_after_terminate = T; +@load ./common.bro event bro_init() { - Broker::enable_remote_logs(Test::LOG); - Broker::connect("127.0.0.1", broker_port, 1secs); + Broker::peer("127.0.0.1"); } global n = 0; @@ -72,27 +70,19 @@ global n = 0; event do_write() { if ( n == 6 ) - return; + terminate(); else { Log::write(Test::LOG, [$msg = "ping", $num = n]); ++n; - event do_write(); + schedule 0.1secs { do_write() }; } } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", peer_address, peer_port; + print "Broker peer added", endpoint$network; event do_write(); } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) - { - terminate(); - } - @TEST-END-FILE 
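Review bot: With the `Test::log_test` handler removed from recv.bro and `$ev=log_test` dropped from `Log::create_stream`, the receiver no longer prints anything. The `btest-diff recv/recv.out` step kept in the test header therefore cannot show that any record written by the sender arrived. A leak run in which remote logging silently stops working would still pass. Consider diffing the log file the receiver writes, e.g. `# @TEST-EXEC: btest-diff recv/<log-file>` (placeholder; the file name is not shown on this page). Narrowing `Broker::subscribe("bro/")` to the log prefix the test needs would also stop the receiver accepting every topic its peer publishes under `bro/`.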
diff --git a/testing/btest/core/leaks/broker/remote_print.test b/testing/btest/core/leaks/broker/remote_print.test
deleted file mode 100644
index 9ecc913f34..0000000000
--- a/testing/btest/core/leaks/broker/remote_print.test
+++ /dev/null
@@ -1,85 +0,0 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt -# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# @TEST-GROUP: leaks - -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro broker_port=$BROKER_PORT >send.out" - -# @TEST-EXEC: btest-bg-wait 45 -# @TEST-EXEC: btest-diff recv/recv.out -# @TEST-EXEC: btest-diff send/send.out - -@TEST-START-FILE recv.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -event bro_init() - { - Broker::enable(); - Broker::subscribe_to_prints("bro/print/"); - Broker::listen(broker_port, "127.0.0.1"); - } - -global messages_to_recv = 6; -global messages_sent = 0; -global messages_recv = 0; - -event Broker::print_handler(msg: string) - { - ++messages_recv; - print "got print msg", msg; - - if ( messages_to_recv == messages_recv ) - { - terminate(); - return; - } - - Broker::send_print("bro/print/my_topic", fmt("pong %d", messages_sent)); - ++messages_sent; - } - -@TEST-END-FILE - -@TEST-START-FILE send.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -event bro_init() - { - Broker::enable(); - Broker::subscribe_to_prints("bro/print/my_topic"); - Broker::connect("127.0.0.1", broker_port, 1secs); - } - -global messages_sent = 0; -global messages_recv = 0; -global peer_disconnected = F; - -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) - { - print "Broker::outgoing_connection_established", peer_address, peer_port; - Broker::send_print("bro/print/hi", fmt("ping %d", messages_sent)); - ++messages_sent; - } - -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) - { - terminate(); - } - -event Broker::print_handler(msg: string) - { - 
++messages_recv; - print "got print msg", msg; - Broker::send_print("bro/print/hi", fmt("ping %d", messages_sent)); - ++messages_sent; - } - -@TEST-END-FILE diff --git a/testing/btest/core/leaks/dns-txt.bro b/testing/btest/core/leaks/dns-txt.bro index e47e19f9c9..c04e5df6ea 100644 --- a/testing/btest/core/leaks/dns-txt.bro +++ b/testing/btest/core/leaks/dns-txt.bro @@ -7,7 +7,6 @@ # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/wikipedia.trace %INPUT # @TEST-EXEC: btest-bg-wait 60 -@load base/frameworks/communication # keep network time running redef exit_only_after_terminate = T; global n1 = 0; diff --git a/testing/btest/core/leaks/dns.bro b/testing/btest/core/leaks/dns.bro index 570c66cf56..f16a4ca3bb 100644 --- a/testing/btest/core/leaks/dns.bro +++ b/testing/btest/core/leaks/dns.bro @@ -7,7 +7,6 @@ # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/wikipedia.trace %INPUT # @TEST-EXEC: btest-bg-wait 60 -@load base/frameworks/communication # keep network time running redef exit_only_after_terminate = T; const foo: set[addr] = { diff --git a/testing/btest/core/leaks/dtls.bro b/testing/btest/core/leaks/dtls.bro index 57b5479fac..e7f75a530e 100644 --- a/testing/btest/core/leaks/dtls.bro +++ b/testing/btest/core/leaks/dtls.bro @@ -4,7 +4,7 @@ # # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/tls/dtls-openssl.pcap %INPUT +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/tls/dtls1_0.pcap %INPUT # @TEST-EXEC: btest-bg-wait 60 @load base/protocols/ssl diff --git a/testing/btest/core/leaks/exec.test b/testing/btest/core/leaks/exec.test index 8ae054cf63..4cc8240012 100644 --- a/testing/btest/core/leaks/exec.test +++ b/testing/btest/core/leaks/exec.test 
@@ -10,7 +10,6 @@ @TEST-START-FILE exectest.bro @load base/utils/exec -@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats... redef exit_only_after_terminate = T; global c: count = 0; diff --git a/testing/btest/core/leaks/hll_cluster.bro b/testing/btest/core/leaks/hll_cluster.bro index 3ba46005e1..f856f5d633 100644 --- a/testing/btest/core/leaks/hll_cluster.bro +++ b/testing/btest/core/leaks/hll_cluster.bro @@ -5,11 +5,11 @@ # # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # -# @TEST-EXEC: bro %INPUT>out -# @TEST-EXEC: btest-bg-run manager-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: bro -m %INPUT>out +# @TEST-EXEC: btest-bg-run manager-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro -m %INPUT # @TEST-EXEC: sleep 2 -# @TEST-EXEC: btest-bg-run worker-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro runnumber=1 %INPUT -# @TEST-EXEC: btest-bg-run worker-2 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro runnumber=2 %INPUT +# @TEST-EXEC: btest-bg-run worker-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro -m runnumber=1 %INPUT +# @TEST-EXEC: btest-bg-run worker-2 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro -m runnumber=2 %INPUT # @TEST-EXEC: btest-bg-wait 60 # # @TEST-EXEC: btest-diff manager-1/.stdout 
@@ -18,7 +18,7 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1"], }; @@ -28,13 +28,16 @@ redef Log::default_rotation_interval = 0secs; global hll_data: event(data: opaque of cardinality); -redef Cluster::worker2manager_events += /hll_data/; - @if ( Cluster::local_node_type() == Cluster::WORKER ) +event bro_init() + { + Broker::auto_publish(Cluster::manager_topic, hll_data); + } + global runnumber: count &redef; # differentiate runs -event remote_connection_handshake_done(p: event_peer) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { local c = hll_cardinality_init(0.01, 0.95); diff --git a/testing/btest/core/leaks/input-raw.bro b/testing/btest/core/leaks/input-raw.bro index cec50682fb..602232da77 100644 --- a/testing/btest/core/leaks/input-raw.bro +++ b/testing/btest/core/leaks/input-raw.bro @@ -31,7 +31,6 @@ sdf 3rw43wRRERLlL#RWERERERE. @TEST-END-FILE -@load base/frameworks/communication # let network-time run module A; diff --git a/testing/btest/core/leaks/input-reread.bro b/testing/btest/core/leaks/input-reread.bro index f71873c776..b3d1498bff 100644 --- a/testing/btest/core/leaks/input-reread.bro +++ b/testing/btest/core/leaks/input-reread.bro @@ -6,7 +6,7 @@ # # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b %INPUT -# @TEST-EXEC: sleep 10 +# @TEST-EXEC: sleep 60 # @TEST-EXEC: cp input2.log input.log # @TEST-EXEC: sleep 10 # @TEST-EXEC: cp input3.log input.log 
@@ -14,7 +14,7 @@ # @TEST-EXEC: cp input4.log input.log # @TEST-EXEC: sleep 10 # @TEST-EXEC: cp input5.log input.log -# @TEST-EXEC: btest-bg-wait 60 +# @TEST-EXEC: btest-bg-wait 120 @TEST-START-FILE input1.log #separator \x09 @@ -61,7 +61,6 @@ F -48 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz @TEST-END-FILE @load base/protocols/ssh -@load base/frameworks/communication # let network-time run redef exit_only_after_terminate = T; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/core/leaks/remote.bro b/testing/btest/core/leaks/remote.bro deleted file mode 100644 index f9d412b8e9..0000000000 --- a/testing/btest/core/leaks/remote.bro +++ /dev/null 
@@ -1,97 +0,0 @@ -# Needs perftools support. -# -# @TEST-SERIALIZE: comm -# @TEST-GROUP: leaks -# -# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# -# @TEST-EXEC: btest-bg-run sender HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -b -m --pseudo-realtime %INPUT ../sender.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run receiver HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -b -m --pseudo-realtime %INPUT ../receiver.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-wait 60 -# @TEST-EXEC: btest-diff sender/test.log -# @TEST-EXEC: btest-diff sender/test.failure.log -# @TEST-EXEC: btest-diff sender/test.success.log -# @TEST-EXEC: ( cd sender && for i in *.log; do cat $i | $SCRIPTS/diff-remove-timestamps >c.$i; done ) -# @TEST-EXEC: ( cd receiver && for i in *.log; do cat $i | $SCRIPTS/diff-remove-timestamps >c.$i; done ) -# @TEST-EXEC: cmp receiver/c.test.log sender/c.test.log -# @TEST-EXEC: cmp receiver/c.test.failure.log sender/c.test.failure.log -# @TEST-EXEC: cmp receiver/c.test.success.log sender/c.test.success.log - -# This is the common part loaded by both sender and receiver. -module Test; - -export { - # Create a new ID for our log stream - redef enum Log::ID += { LOG }; - - # Define a record with all the columns the log file can have. - # (I'm using a subset of fields from ssh-ext for demonstration.) - type Log: record { - t: time; - id: conn_id; # Will be rolled out into individual columns. 
- status: string &optional; - country: string &default="unknown"; - } &log; -} - -event bro_init() -{ - Log::create_stream(Test::LOG, [$columns=Log]); - Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]); -} - -##### - -@TEST-START-FILE sender.bro - -@load frameworks/communication/listen - -module Test; - -function fail(rec: Log): bool - { - return rec$status != "success"; - } - -event remote_connection_handshake_done(p: event_peer) - { - Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $pred=fail]); - - local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - - local r: Log = [$t=network_time(), $id=cid, $status="success"]; - - # Log something. - Log::write(Test::LOG, r); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); - disconnect(p); - } - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE - -@TEST-START-FILE receiver.bro - -##### - -@load base/frameworks/communication - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $connect=T, $request_logs=T] -}; - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE diff --git a/testing/btest/core/recursive-event.bro b/testing/btest/core/recursive-event.bro index 3bc4b51541..245e994cd6 100644 --- a/testing/btest/core/recursive-event.bro +++ b/testing/btest/core/recursive-event.bro 
@@ -4,8 +4,9 @@ # In old version, the event would keep triggering endlessely, with the network # time not moving forward and Bro not terminating. # -# Note that the output will be 10 (not 20) because we still execute two rounds -# of events every time we drain. +# Note that the output will not be 20 because we still execute two rounds +# of events every time we drain and also at startup several (currently 3) +# rounds of events drain with the same network_time. redef exit_only_after_terminate=T; diff --git a/testing/btest/core/when-interpreter-exceptions.bro b/testing/btest/core/when-interpreter-exceptions.bro index 151d8d2f57..f259a46bda 100644 --- a/testing/btest/core/when-interpreter-exceptions.bro +++ b/testing/btest/core/when-interpreter-exceptions.bro @@ -5,7 +5,6 @@ # interpreter exceptions in "when" blocks shouldn't cause termination @load base/utils/exec -@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats... redef exit_only_after_terminate = T; type MyRecord: record { diff --git a/testing/btest/doc/broxygen/all_scripts.test b/testing/btest/doc/broxygen/all_scripts.test index 61cead160b..c0cb07b750 100644 --- a/testing/btest/doc/broxygen/all_scripts.test +++ b/testing/btest/doc/broxygen/all_scripts.test @@ -7,7 +7,7 @@ # @TEST-SERIALIZE: comm # @TEST-EXEC: bro -X broxygen.config broxygen DumpEvents::include=/NOTHING_MATCHES/ # @TEST-EXEC: btest-diff .stdout -# @TEST-EXEC: btest-diff .stderr +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr @TEST-START-FILE broxygen.config script * scripts/ diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest index c4cbde045c..d2916a4c4f 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest 
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest @@ -2,21 +2,15 @@ connecting-connector.bro -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "connector"; event bro_init() { - Broker::enable(); - Broker::connect("127.0.0.1", broker_port, 1sec); + Broker::peer("127.0.0.1"); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", - peer_address, peer_port, peer_name; + print "peer added", endpoint; terminate(); } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest index 8ea85569c9..b15bac75c0 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest @@ -2,23 +2,20 @@ connecting-listener.bro -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "listener"; event bro_init() { - Broker::enable(); - Broker::listen(broker_port, "127.0.0.1"); + Broker::listen("127.0.0.1"); } -event Broker::incoming_connection_established(peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_established", peer_name; + print "peer added", endpoint; } -event Broker::incoming_connection_broken(peer_name: string) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_broken", peer_name; + print "peer lost", endpoint; terminate(); } 
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest
index d7a0e64be2..96616dbd3c 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest
@@ -2,34 +2,38 @@ events-connector.bro -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "connector"; global my_event: event(msg: string, c: count); global my_auto_event: event(msg: string, c: count); event bro_init() { - Broker::enable(); - Broker::connect("127.0.0.1", broker_port, 1sec); - Broker::auto_event("bro/event/my_auto_event", my_auto_event); + Broker::peer("127.0.0.1"); + Broker::auto_publish("bro/event/my_auto_event", my_auto_event); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", - peer_address, peer_port, peer_name; - Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "hi", 0)); + print "peer added", endpoint; + Broker::publish("bro/event/my_event", my_event, "hi", 0); event my_auto_event("stuff", 88); - Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "...", 1)); + Broker::publish("bro/event/my_event", my_event, "...", 1); event my_auto_event("more stuff", 51); - Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "bye", 2)); + local e = Broker::make_event(my_event, "bye", 2); + Broker::publish("bro/event/my_event", e); } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } + +event my_event(msg: string, c: count) + { + print "got my_event", msg, c; + } + +event my_auto_event(msg: string, c: count) + { + print "got my_auto_event", msg, c; + } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest index 640722cac0..928ba60311 100644 
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest @@ -2,23 +2,20 @@ events-listener.bro -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "listener"; global msg_count = 0; global my_event: event(msg: string, c: count); global my_auto_event: event(msg: string, c: count); event bro_init() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/"); - Broker::listen(broker_port, "127.0.0.1"); + Broker::subscribe("bro/event/"); + Broker::listen("127.0.0.1"); } -event Broker::incoming_connection_established(peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_established", peer_name; + print "peer added", endpoint; } event my_event(msg: string, c: count) diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-connector_bro.btest index 907d712c88..84d0a60391 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-connector_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-connector_bro.btest @@ -4,18 +4,12 @@ logs-connector.bro @load ./testlog -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "connector"; -redef Log::enable_local_logging = F; -redef Log::enable_remote_logging = F; global n = 0; event bro_init() { - Broker::enable(); - Broker::enable_remote_logs(Test::LOG); - Broker::connect("127.0.0.1", broker_port, 1sec); + Broker::peer("127.0.0.1"); } event do_write() 
@@ -28,17 +22,19 @@ event do_write() event do_write(); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", - peer_address, peer_port, peer_name; + print "peer added", endpoint; event do_write(); } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } + +event Test::log_test(rec: Test::Info) + { + print "wrote log", rec; + Broker::publish("bro/logs/forward/test", Test::log_test, rec); + } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-listener_bro.btest index de6abbf5a0..359a88b476 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-listener_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-listener_bro.btest @@ -4,25 +4,22 @@ logs-listener.bro @load ./testlog -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "listener"; event bro_init() { - Broker::enable(); - Broker::subscribe_to_logs("bro/log/Test::LOG"); - Broker::listen(broker_port, "127.0.0.1"); + Broker::subscribe("bro/logs"); + Broker::listen("127.0.0.1"); } -event Broker::incoming_connection_established(peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_established", peer_name; + print "peer added", endpoint; } event Test::log_test(rec: Test::Info) { - print "wrote log", rec; + print "got log event", rec; if ( rec$num == 5 ) terminate(); 
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-connector_bro.btest
deleted file mode 100644
index 91ee179fe6..0000000000
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-connector_bro.btest
+++ /dev/null
@@ -1,30 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-printing-connector.bro
-
-const broker_port: port = 9999/tcp &redef;
-redef exit_only_after_terminate = T;
-redef Broker::endpoint_name = "connector";
-
-event bro_init()
- {
- Broker::enable();
- Broker::connect("127.0.0.1", broker_port, 1sec);
- }
-
-event Broker::outgoing_connection_established(peer_address: string,
- peer_port: port,
- peer_name: string)
- {
- print "Broker::outgoing_connection_established",
- peer_address, peer_port, peer_name;
- Broker::send_print("bro/print/hi", "hello");
- Broker::send_print("bro/print/stuff", "...");
- Broker::send_print("bro/print/bye", "goodbye");
- }
-
-event Broker::outgoing_connection_broken(peer_address: string,
- peer_port: port)
- {
- terminate();
- }
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-listener_bro.btest
deleted file mode 100644
index 37e4d0eae9..0000000000
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-listener_bro.btest
+++ /dev/null
@@ -1,29 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-printing-listener.bro
-
-const broker_port: port = 9999/tcp &redef;
-redef exit_only_after_terminate = T;
-redef Broker::endpoint_name = "listener";
-global msg_count = 0;
-
-event bro_init()
- {
- Broker::enable();
- Broker::subscribe_to_prints("bro/print/");
- Broker::listen(broker_port, "127.0.0.1");
- }
-
-event Broker::incoming_connection_established(peer_name: string)
- {
- print "Broker::incoming_connection_established", peer_name;
- }
-
-event Broker::print_handler(msg: string)
- {
- ++msg_count;
- print "got print message", msg;
-
- if ( msg_count == 3 )
- terminate();
- }
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-connector_bro.btest
index 74b59467e7..8ef4dca1f5 100644
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-connector_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-connector_bro.btest
@@ -2,56 +2,32 @@ stores-connector.bro -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -global h: opaque of Broker::Handle; - -function dv(d: Broker::Data): Broker::DataVector - { - local rval: Broker::DataVector; - rval[0] = d; - return rval; - } +global h: opaque of Broker::Store; global ready: event(); -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) - { - local myset: set[string] = {"a", "b", "c"}; - local myvec: vector of string = {"alpha", "beta", "gamma"}; - h = Broker::create_master("mystore"); - Broker::insert(h, Broker::data("one"), Broker::data(110)); - Broker::insert(h, Broker::data("two"), Broker::data(223)); - Broker::insert(h, Broker::data("myset"), Broker::data(myset)); - Broker::insert(h, Broker::data("myvec"), Broker::data(myvec)); - Broker::increment(h, Broker::data("one")); - Broker::decrement(h, Broker::data("two")); - Broker::add_to_set(h, Broker::data("myset"), Broker::data("d")); - Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b")); - Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta"))); - Broker::push_right(h, Broker::data("myvec"), dv(Broker::data("omega"))); - - when ( local res = Broker::size(h) ) - { - print "master size", res; - event ready(); - } - timeout 10sec - { print "timeout"; } - } - event bro_init() { - Broker::enable(); - Broker::connect("127.0.0.1", broker_port, 1secs); - Broker::auto_event("bro/event/ready", ready); + h = Broker::create_master("mystore"); + + local myset: set[string] = {"a", "b", "c"}; + local myvec: vector of string = {"alpha", "beta", "gamma"}; + Broker::put(h, "one", 110); + Broker::put(h, "two", 223); + Broker::put(h, "myset", myset); + Broker::put(h, "myvec", myvec); + Broker::increment(h, "one"); + 
Broker::decrement(h, "two"); + Broker::insert_into_set(h, "myset", "d"); + Broker::remove_from(h, "myset", "b"); + Broker::push(h, "myvec", "delta"); + + Broker::peer("127.0.0.1"); } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-listener_bro.btest index 8dadbc803c..571ede2687 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-listener_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-listener_bro.btest 
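Review bot: `global ready: event();` stays in stores-connector.bro as a context line, but with `Broker::auto_event("bro/event/ready", ready)` and the `event ready();` call removed, nothing in this hunk raises or publishes it any more. Drop the declaration so the example does not suggest a readiness handshake that no longer exists. Separately, the store writes in `bro_init` now run before `Broker::peer("127.0.0.1")`; a short comment such as `# Populate the master first; the clone synchronizes after peering.` would explain the ordering (presumed intent, worth confirming).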
@@ -2,46 +2,82 @@ stores-listener.bro -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -global h: opaque of Broker::Handle; +global h: opaque of Broker::Store; global expected_key_count = 4; global key_count = 0; +# Lookup a value in the store based on an arbitrary key string. function do_lookup(key: string) { - when ( local res = Broker::lookup(h, Broker::data(key)) ) + when ( local res = Broker::get(h, key) ) { ++key_count; print "lookup", key, res; - if ( key_count == expected_key_count ) + # End after we iterated over looking up each key in the store twice. + if ( key_count == expected_key_count * 2 ) terminate(); } - timeout 10sec + # All data store queries must specify a timeout + timeout 3sec { print "timeout", key; } } -event ready() +event check_keys() { - h = Broker::create_clone("mystore"); - + # Here we just query for the list of keys in the store, and show how to + # look up each one's value. when ( local res = Broker::keys(h) ) { print "clone keys", res; - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 0))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 1))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 2))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 3))); + + if ( res?$result ) + { + # Since we know that the keys we are storing are all strings, + # we can conveniently cast the result of Broker::keys to + # a native Bro type, namely 'set[string]'. + for ( k in res$result as string_set ) + do_lookup(k); + + # Alternatively, we can use a generic iterator to iterate + # over the results (which we know is of the 'set' type because + # that's what Broker::keys() always returns). If the keys + # we stored were not all of the same type, then you would + # likely want to use this method of inspecting the store's keys. + local i = Broker::set_iterator(res$result); + + while ( ! 
Broker::set_iterator_last(i) ) + { + do_lookup(Broker::set_iterator_value(i) as string); + Broker::set_iterator_next(i); + } + } } - timeout 10sec - { print "timeout"; } + # All data store queries must specify a timeout. + # You also might see timeouts on connecting/initializing a clone since + # it hasn't had time to get fully set up yet. + timeout 1sec + { + print "timeout"; + schedule 1sec { check_keys() }; + } + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print "peer added"; + # We could create a clone early, like in bro_init and it will periodically + # try to synchronize with its master once it connects, however, we just + # create it now since we know the peer w/ the master store has just + # connected. + h = Broker::create_clone("mystore"); + + event check_keys(); } event bro_init() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/ready"); - Broker::listen(broker_port, "127.0.0.1"); + Broker::listen("127.0.0.1"); } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest index d5a92417dc..8d779a1b92 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest @@ -17,6 +17,5 @@ export { event bro_init() &priority=5 { - Broker::enable(); Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test, $path="test"]); } diff --git a/testing/btest/doc/sphinx/include-scripts_policy_protocols_conn_known-hosts_bro.btest b/testing/btest/doc/sphinx/include-scripts_policy_protocols_conn_known-hosts_bro.btest deleted file mode 100644 index 150de38f35..0000000000 --- a/testing/btest/doc/sphinx/include-scripts_policy_protocols_conn_known-hosts_bro.btest +++ /dev/null 
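Review bot: In `check_keys`, `if ( res?$result )` has no `else`, so a `Broker::keys(h)` reply without a result neither retries nor terminates. With `redef exit_only_after_terminate = T` the listener then keeps running until something outside the script stops it. The `timeout` branch already reschedules, and the missing-result case should do the same, e.g. `else schedule 1sec { check_keys() };`. `do_lookup` has a related gap: a timed-out lookup is never counted, so `key_count == expected_key_count * 2` can become unreachable. Calling `terminate()` after the `print "timeout", key;` would turn that hang into a visible failure.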
@@ -1,9 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -known-hosts.bro - -module Known; - -export { - global known_hosts: set[addr] &create_expire=1day &synchronized &redef; -} diff --git a/testing/btest/istate/bro-ipv6-socket.bro b/testing/btest/istate/bro-ipv6-socket.bro deleted file mode 100644 index 305f32caab..0000000000 --- a/testing/btest/istate/bro-ipv6-socket.bro +++ /dev/null @@ -1,56 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-REQUIRES: ifconfig | grep -q -E "inet6 ::1|inet6 addr: ::1" -# -# @TEST-EXEC: btest-bg-run recv bro -b ../recv.bro -# @TEST-EXEC: btest-bg-run send bro -b ../send.bro -# @TEST-EXEC: btest-bg-wait 20 -# -# @TEST-EXEC: btest-diff recv/.stdout -# @TEST-EXEC: btest-diff send/.stdout - -@TEST-START-FILE send.bro - -@load base/frameworks/communication - -redef Communication::nodes += { - ["foo"] = [$host=[::1], $connect=T, $retry=1sec, $events=/my_event/] -}; - -global my_event: event(s: string); - -event remote_connection_handshake_done(p: event_peer) - { - print fmt("handshake done with peer: %s", p$host); - } - -event my_event(s: string) - { - print fmt("my_event: %s", s); - terminate(); - } - -@TEST-END-FILE - -############# - -@TEST-START-FILE recv.bro - -@load frameworks/communication/listen - -redef Communication::listen_ipv6=T; - -global my_event: event(s: string); - -event remote_connection_handshake_done(p: event_peer) - { - print fmt("handshake done with peer: %s", p$host); - event my_event("hello world"); - } - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE diff --git a/testing/btest/istate/broccoli-ipv6-socket.bro b/testing/btest/istate/broccoli-ipv6-socket.bro deleted file mode 100644 index 27df984471..0000000000 --- a/testing/btest/istate/broccoli-ipv6-socket.bro +++ /dev/null 
@@ -1,10 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib -# @TEST-REQUIRES: ifconfig | grep -q -E "inet6 ::1|inet6 addr: ::1" -# -# @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ipv6=T" -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -R -6 ::1 -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: btest-diff bro/.stdout -# @TEST-EXEC: btest-diff broccoli/.stdout diff --git a/testing/btest/istate/broccoli-ipv6.bro b/testing/btest/istate/broccoli-ipv6.bro deleted file mode 100644 index 0e360df713..0000000000 --- a/testing/btest/istate/broccoli-ipv6.bro +++ /dev/null @@ -1,9 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib -# -# @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -R -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: btest-diff bro/.stdout -# @TEST-EXEC: btest-diff broccoli/.stdout diff --git a/testing/btest/istate/broccoli-ssl.bro b/testing/btest/istate/broccoli-ssl.bro deleted file mode 100644 index fce5ed8535..0000000000 --- a/testing/btest/istate/broccoli-ssl.bro +++ /dev/null 
@@ -1,68 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib -# -# @TEST-EXEC: chmod 600 broccoli.conf -# @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ssl=T" "ssl_ca_certificate=../ca_cert.pem" "ssl_private_key=../bro.pem" -# @TEST-EXEC: btest-bg-run broccoli BROCCOLI_CONFIG_FILE=../broccoli.conf $BUILD/aux/broccoli/test/broccoli-v6addrs -R -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: btest-diff bro/.stdout -# @TEST-EXEC: btest-diff broccoli/.stdout - -@TEST-START-FILE broccoli.conf -/broccoli/use_ssl yes -/broccoli/ca_cert ../ca_cert.pem -/broccoli/host_cert ../bro.pem -/broccoli/host_key ../bro.pem -@TEST-END-FILE - -@TEST-START-FILE bro.pem ------BEGIN RSA PRIVATE KEY----- -MIICXgIBAAKBgQD17FE8UVaO224Y8UL2bH1okCYxr5dVytTQ93uE5J9caGADzPZe -qYPuvtPt9ivhBtf2L9odK7unQU60v6RsO3bb9bQktQbEdh0FEjnso2UHe/nLreYn -VyLCEp9Sh1OFQnMhJNYuzNwVzWOqH/TYNy3ODueZTS4YBsRyEkpEfgeoaQIDAQAB -AoGAJ/S1Xi94+Mz+Hl9UmeUWmx6QlhIJbI7/9NPA5d6fZcwvjW6HuOmh3fBzTn5o -sq8B96Xesk6gtpQNzaA1fsBKlzDSpGRDVg2odN9vIT3jd0Dub2F47JHdFCqtMUIV -rCsO+fpGtavv1zJ/rzlJz7rx4cRP+/Gwd5YlH0q5cFuHhAECQQD9q328Ye4A7o2e -cLOhzuWUZszqdIY7ZTgDtk06F57VrjLVERrZjrtAwbs77m+ybw4pDKKU7H5inhQQ -03PU40ARAkEA+C6cCM6E4hRwuR+QyIqpNC4CzgPaKlF+VONZLYYvHEwFvx2/EPtX -zOZdE4HdJwnXBYx7+AGFeq8uHhrN2Tq62QJBAMory2JAinejqKsGF6R2SPMlm1ug -0vqziRksShBqkuSqmUjHASczYnoR7S+usMb9S8PblhgrA++FHWjrnf2lwIECQQCj -+/AfpY2J8GWW/HNm/q/UiX5S75qskZI+tsXK3bmtIdI+OIJxzxFxktj3NbyRud+4 -i92xvhebO7rmK2HOYg7pAkEA2wrwY1E237twoYXuUInv9F9kShKLQs19nup/dfmF -xfoVqYjJwidzPfgngowJZij7SoTaIBKv/fKp5Tq6xW3AEg== ------END RSA PRIVATE KEY----- ------BEGIN CERTIFICATE----- -MIICZDCCAc2gAwIBAgIJAKoxR9yFGsk8MA0GCSqGSIb3DQEBBQUAMCsxKTAnBgNV -BAMTIEJybyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTExMDYxNTIx -MjgxNVoYDzIxMTEwNTIyMjEyODE1WjArMSkwJwYDVQQDEyBCcm8gUm9vdCBDZXJ0 
-aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA -9exRPFFWjttuGPFC9mx9aJAmMa+XVcrU0Pd7hOSfXGhgA8z2XqmD7r7T7fYr4QbX -9i/aHSu7p0FOtL+kbDt22/W0JLUGxHYdBRI57KNlB3v5y63mJ1ciwhKfUodThUJz -ISTWLszcFc1jqh/02Dctzg7nmU0uGAbEchJKRH4HqGkCAwEAAaOBjTCBijAdBgNV -HQ4EFgQU2vIsKYuGhHP8c7GeJLfWAjbKCFgwWwYDVR0jBFQwUoAU2vIsKYuGhHP8 -c7GeJLfWAjbKCFihL6QtMCsxKTAnBgNVBAMTIEJybyBSb290IENlcnRpZmljYXRp -b24gQXV0aG9yaXR5ggkAqjFH3IUayTwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B -AQUFAAOBgQAF2oceL61dA7WxA9lxcxsA/Fccr7+J6sO+pLXoZtx5tpknEuIUebkm -UfMGAiyYIenHi8u0Sia8KrIfuCDc2dG3DYmfX7/faCEbtSx8KtNQFIs3aXr1zhsw -3sX9fLS0gp/qHoPMuhbhlvTlMFSE/Mih3KDsZEGcifzI6ooLF0YP5A== ------END CERTIFICATE----- -@TEST-END-FILE - -@TEST-START-FILE ca_cert.pem ------BEGIN CERTIFICATE----- -MIICZDCCAc2gAwIBAgIJAKoxR9yFGsk8MA0GCSqGSIb3DQEBBQUAMCsxKTAnBgNV -BAMTIEJybyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTExMDYxNTIx -MjgxNVoYDzIxMTEwNTIyMjEyODE1WjArMSkwJwYDVQQDEyBCcm8gUm9vdCBDZXJ0 -aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA -9exRPFFWjttuGPFC9mx9aJAmMa+XVcrU0Pd7hOSfXGhgA8z2XqmD7r7T7fYr4QbX -9i/aHSu7p0FOtL+kbDt22/W0JLUGxHYdBRI57KNlB3v5y63mJ1ciwhKfUodThUJz -ISTWLszcFc1jqh/02Dctzg7nmU0uGAbEchJKRH4HqGkCAwEAAaOBjTCBijAdBgNV -HQ4EFgQU2vIsKYuGhHP8c7GeJLfWAjbKCFgwWwYDVR0jBFQwUoAU2vIsKYuGhHP8 -c7GeJLfWAjbKCFihL6QtMCsxKTAnBgNVBAMTIEJybyBSb290IENlcnRpZmljYXRp -b24gQXV0aG9yaXR5ggkAqjFH3IUayTwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B -AQUFAAOBgQAF2oceL61dA7WxA9lxcxsA/Fccr7+J6sO+pLXoZtx5tpknEuIUebkm -UfMGAiyYIenHi8u0Sia8KrIfuCDc2dG3DYmfX7/faCEbtSx8KtNQFIs3aXr1zhsw -3sX9fLS0gp/qHoPMuhbhlvTlMFSE/Mih3KDsZEGcifzI6ooLF0YP5A== ------END CERTIFICATE----- -@TEST-END-FILE diff --git a/testing/btest/istate/broccoli-vector.bro b/testing/btest/istate/broccoli-vector.bro deleted file mode 100644 index cf0b0c8642..0000000000 --- a/testing/btest/istate/broccoli-vector.bro +++ /dev/null 
@@ -1,9 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib -# -# @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-vectors.bro -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-vectors -R -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: btest-diff bro/.stdout -# @TEST-EXEC: btest-diff broccoli/.stdout diff --git a/testing/btest/istate/broccoli.bro b/testing/btest/istate/broccoli.bro deleted file mode 100644 index a6427412bf..0000000000 --- a/testing/btest/istate/broccoli.bro +++ /dev/null @@ -1,17 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib -# -# @TEST-EXEC: btest-bg-run bro bro %INPUT $DIST/aux/broccoli/test/broping-record.bro -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broping -R -r -c 3 127.0.0.1 -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: cat bro/ping.log | sed 's/one-way.*//g' >bro.log -# @TEST-EXEC: cat broccoli/.stdout | sed 's/time=.*//g' >broccoli.log -# @TEST-EXEC: btest-diff bro.log -# @TEST-EXEC: btest-diff broccoli.log - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - diff --git a/testing/btest/istate/events-ssl.bro b/testing/btest/istate/events-ssl.bro deleted file mode 100644 index d227417c15..0000000000 --- a/testing/btest/istate/events-ssl.bro +++ /dev/null 
@@ -1,143 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run sender bro -C -r $TRACES/web.trace --pseudo-realtime ../sender.bro -# @TEST-EXEC: btest-bg-run receiver bro ../receiver.bro -# @TEST-EXEC: btest-bg-wait 20 -# -# @TEST-EXEC: btest-diff sender/http.log -# @TEST-EXEC: btest-diff receiver/http.log -# -# @TEST-EXEC: cat sender/http.log | $SCRIPTS/diff-remove-timestamps >sender.http.log -# @TEST-EXEC: cat receiver/http.log | $SCRIPTS/diff-remove-timestamps >receiver.http.log -# @TEST-EXEC: cmp sender.http.log receiver.http.log -# -# @TEST-EXEC: bro -x sender/events.bst | sed 's/^event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g' | $SCRIPTS/diff-remove-timestamps >events.snd.log -# @TEST-EXEC: bro -x receiver/events.bst | sed 's/^event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g' | $SCRIPTS/diff-remove-timestamps >events.rec.log -# @TEST-EXEC: btest-diff events.rec.log -# @TEST-EXEC: btest-diff events.snd.log -# @TEST-EXEC: cmp events.rec.log events.snd.log -# -# We don't compare the transmitted event paramerters anymore. With the dynamic -# state in there since 1.6, they don't match reliably. - -@TEST-START-FILE sender.bro - -@load frameworks/communication/listen -redef Communication::listen_ssl=T; - -event bro_init() - { - capture_events("events.bst"); - } - -redef peer_description = "events-send"; - -# Make sure the HTTP connection really gets out. -# (We still miss one final connection event because we shutdown before -# it gets propagated but that's ok.) -redef tcp_close_delay = 0secs; - -redef ssl_ca_certificate = "../ca_cert.pem"; -redef ssl_private_key = "../bro.pem"; -redef ssl_passphrase = "my-password"; - -# Make sure the HTTP connection really gets out. -# (We still miss one final connection event because we shutdown before -# it gets propagated but that's ok.) 
-redef tcp_close_delay = 0secs; - -# File-analysis fields in http.log won't get set on receiver side correctly, -# one problem is with the way serialization may send a unique ID in place -# of a full value and expect the remote side to associate that unique ID with -# a value it received at an earlier time. So sometimes modifications the sender# makes to the value aren't seen on the receiver. -function myfh(c: connection, is_orig: bool): string - { - return ""; - } - -event bro_init() - { - # Ignore all http files. - Files::register_protocol(Analyzer::ANALYZER_HTTP, - [$get_file_handle = myfh]); - } - -@TEST-END-FILE - -############# - -@TEST-START-FILE receiver.bro - -event bro_init() - { - capture_events("events.bst"); - } - -redef peer_description = "events-rcv"; - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $events = /http_.*|signature_match|file_.*/, $connect=T, $ssl=T, $retry=1sec] -}; - -redef ssl_ca_certificate = "../ca_cert.pem"; -redef ssl_private_key = "../bro.pem"; -redef ssl_passphrase = "my-password"; - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE - -@TEST-START-FILE bro.pem ------BEGIN RSA PRIVATE KEY----- -MIICXgIBAAKBgQD17FE8UVaO224Y8UL2bH1okCYxr5dVytTQ93uE5J9caGADzPZe -qYPuvtPt9ivhBtf2L9odK7unQU60v6RsO3bb9bQktQbEdh0FEjnso2UHe/nLreYn -VyLCEp9Sh1OFQnMhJNYuzNwVzWOqH/TYNy3ODueZTS4YBsRyEkpEfgeoaQIDAQAB -AoGAJ/S1Xi94+Mz+Hl9UmeUWmx6QlhIJbI7/9NPA5d6fZcwvjW6HuOmh3fBzTn5o -sq8B96Xesk6gtpQNzaA1fsBKlzDSpGRDVg2odN9vIT3jd0Dub2F47JHdFCqtMUIV -rCsO+fpGtavv1zJ/rzlJz7rx4cRP+/Gwd5YlH0q5cFuHhAECQQD9q328Ye4A7o2e -cLOhzuWUZszqdIY7ZTgDtk06F57VrjLVERrZjrtAwbs77m+ybw4pDKKU7H5inhQQ -03PU40ARAkEA+C6cCM6E4hRwuR+QyIqpNC4CzgPaKlF+VONZLYYvHEwFvx2/EPtX -zOZdE4HdJwnXBYx7+AGFeq8uHhrN2Tq62QJBAMory2JAinejqKsGF6R2SPMlm1ug -0vqziRksShBqkuSqmUjHASczYnoR7S+usMb9S8PblhgrA++FHWjrnf2lwIECQQCj -+/AfpY2J8GWW/HNm/q/UiX5S75qskZI+tsXK3bmtIdI+OIJxzxFxktj3NbyRud+4 -i92xvhebO7rmK2HOYg7pAkEA2wrwY1E237twoYXuUInv9F9kShKLQs19nup/dfmF 
-xfoVqYjJwidzPfgngowJZij7SoTaIBKv/fKp5Tq6xW3AEg== ------END RSA PRIVATE KEY----- ------BEGIN CERTIFICATE----- -MIICZDCCAc2gAwIBAgIJAKoxR9yFGsk8MA0GCSqGSIb3DQEBBQUAMCsxKTAnBgNV -BAMTIEJybyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTExMDYxNTIx -MjgxNVoYDzIxMTEwNTIyMjEyODE1WjArMSkwJwYDVQQDEyBCcm8gUm9vdCBDZXJ0 -aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA -9exRPFFWjttuGPFC9mx9aJAmMa+XVcrU0Pd7hOSfXGhgA8z2XqmD7r7T7fYr4QbX -9i/aHSu7p0FOtL+kbDt22/W0JLUGxHYdBRI57KNlB3v5y63mJ1ciwhKfUodThUJz -ISTWLszcFc1jqh/02Dctzg7nmU0uGAbEchJKRH4HqGkCAwEAAaOBjTCBijAdBgNV -HQ4EFgQU2vIsKYuGhHP8c7GeJLfWAjbKCFgwWwYDVR0jBFQwUoAU2vIsKYuGhHP8 -c7GeJLfWAjbKCFihL6QtMCsxKTAnBgNVBAMTIEJybyBSb290IENlcnRpZmljYXRp -b24gQXV0aG9yaXR5ggkAqjFH3IUayTwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B -AQUFAAOBgQAF2oceL61dA7WxA9lxcxsA/Fccr7+J6sO+pLXoZtx5tpknEuIUebkm -UfMGAiyYIenHi8u0Sia8KrIfuCDc2dG3DYmfX7/faCEbtSx8KtNQFIs3aXr1zhsw -3sX9fLS0gp/qHoPMuhbhlvTlMFSE/Mih3KDsZEGcifzI6ooLF0YP5A== ------END CERTIFICATE----- -@TEST-END-FILE - -@TEST-START-FILE ca_cert.pem ------BEGIN CERTIFICATE----- -MIICZDCCAc2gAwIBAgIJAKoxR9yFGsk8MA0GCSqGSIb3DQEBBQUAMCsxKTAnBgNV -BAMTIEJybyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTExMDYxNTIx -MjgxNVoYDzIxMTEwNTIyMjEyODE1WjArMSkwJwYDVQQDEyBCcm8gUm9vdCBDZXJ0 -aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA -9exRPFFWjttuGPFC9mx9aJAmMa+XVcrU0Pd7hOSfXGhgA8z2XqmD7r7T7fYr4QbX -9i/aHSu7p0FOtL+kbDt22/W0JLUGxHYdBRI57KNlB3v5y63mJ1ciwhKfUodThUJz -ISTWLszcFc1jqh/02Dctzg7nmU0uGAbEchJKRH4HqGkCAwEAAaOBjTCBijAdBgNV -HQ4EFgQU2vIsKYuGhHP8c7GeJLfWAjbKCFgwWwYDVR0jBFQwUoAU2vIsKYuGhHP8 -c7GeJLfWAjbKCFihL6QtMCsxKTAnBgNVBAMTIEJybyBSb290IENlcnRpZmljYXRp -b24gQXV0aG9yaXR5ggkAqjFH3IUayTwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B -AQUFAAOBgQAF2oceL61dA7WxA9lxcxsA/Fccr7+J6sO+pLXoZtx5tpknEuIUebkm -UfMGAiyYIenHi8u0Sia8KrIfuCDc2dG3DYmfX7/faCEbtSx8KtNQFIs3aXr1zhsw -3sX9fLS0gp/qHoPMuhbhlvTlMFSE/Mih3KDsZEGcifzI6ooLF0YP5A== ------END CERTIFICATE----- -@TEST-END-FILE - 
diff --git a/testing/btest/istate/events.bro b/testing/btest/istate/events.bro
deleted file mode 100644
index 1edf14fee7..0000000000
--- a/testing/btest/istate/events.bro
+++ /dev/null
@@ -1,77 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run sender bro -Bthreading,logging,comm -C -r $TRACES/web.trace --pseudo-realtime ../sender.bro -# @TEST-EXEC: btest-bg-run receiver bro -Bthreading,logging,comm ../receiver.bro -# @TEST-EXEC: btest-bg-wait 20 -# -# @TEST-EXEC: btest-diff sender/http.log -# @TEST-EXEC: btest-diff receiver/http.log -# -# @TEST-EXEC: cat sender/http.log | $SCRIPTS/diff-remove-timestamps >sender.http.log -# @TEST-EXEC: cat receiver/http.log | $SCRIPTS/diff-remove-timestamps >receiver.http.log -# @TEST-EXEC: cmp sender.http.log receiver.http.log -# -# @TEST-EXEC: bro -x sender/events.bst | sed 's/^event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g' | $SCRIPTS/diff-remove-timestamps >events.snd.log -# @TEST-EXEC: bro -x receiver/events.bst | sed 's/^event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g' | $SCRIPTS/diff-remove-timestamps >events.rec.log -# @TEST-EXEC: btest-diff events.rec.log -# @TEST-EXEC: btest-diff events.snd.log -# @TEST-EXEC: cmp events.rec.log events.snd.log -# -# We don't compare the transmitted event paramerters anymore. With the dynamic -# state in there since 1.6, they don't match reliably. - -@TEST-START-FILE sender.bro - -@load frameworks/communication/listen - -event bro_init() - { - capture_events("events.bst"); - } - -redef peer_description = "events-send"; - -# Make sure the HTTP connection really gets out. -# (We still miss one final connection event because we shutdown before -# it gets propagated but that's ok.) -redef tcp_close_delay = 0secs; - -# File-analysis fields in http.log won't get set on receiver side correctly, -# one problem is with the way serialization may send a unique ID in place -# of a full value and expect the remote side to associate that unique ID with -# a value it received at an earlier time. So sometimes modifications the sender# makes to the value aren't seen on the receiver. 
-function myfh(c: connection, is_orig: bool): string - { - return ""; - } - -event bro_init() - { - # Ignore all http files. - Files::register_protocol(Analyzer::ANALYZER_HTTP, - [$get_file_handle = myfh]); - } - -@TEST-END-FILE - -############# - -@TEST-START-FILE receiver.bro - -event bro_init() - { - capture_events("events.bst"); - } - -redef peer_description = "events-rcv"; - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $events = /http_.*|signature_match|file_.*/, $connect=T, $retry=1sec] -}; - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE diff --git a/testing/btest/istate/hll.bro b/testing/btest/istate/hll.bro deleted file mode 100644 index 511a892644..0000000000 --- a/testing/btest/istate/hll.bro +++ /dev/null @@ -1,40 +0,0 @@ -# @TEST-EXEC: bro -b %INPUT runnumber=1 >out -# @TEST-EXEC: bro -b %INPUT runnumber=2 >>out -# @TEST-EXEC: bro -b %INPUT runnumber=3 >>out -# @TEST-EXEC: btest-diff out - -global runnumber: count &redef; # differentiate first and second run - -global card: opaque of cardinality &persistent; - -event bro_init() - { - print runnumber; - - if ( runnumber == 1 ) - { - card = hll_cardinality_init(0.01, 0.95); - - hll_cardinality_add(card, "a"); - hll_cardinality_add(card, "b"); - hll_cardinality_add(card, "c"); - hll_cardinality_add(card, "d"); - hll_cardinality_add(card, "e"); - hll_cardinality_add(card, "f"); - hll_cardinality_add(card, "g"); - hll_cardinality_add(card, "h"); - hll_cardinality_add(card, "i"); - hll_cardinality_add(card, "j"); - } - - print hll_cardinality_estimate(card); - - if ( runnumber == 2 ) - { - hll_cardinality_add(card, "a"); - hll_cardinality_add(card, "b"); - hll_cardinality_add(card, "c"); - hll_cardinality_add(card, "aa"); - } - } - diff --git a/testing/btest/istate/opaque.bro b/testing/btest/istate/opaque.bro deleted file mode 100644 index b387f9d6bc..0000000000 --- a/testing/btest/istate/opaque.bro +++ /dev/null 
@@ -1,90 +0,0 @@ -# -# @TEST-EXEC: bro -r $TRACES/empty.trace write.bro -# @TEST-EXEC: bro read.bro -# @TEST-EXEC: btest-diff expected.log -# @TEST-EXEC: btest-diff output.log -# @TEST-EXEC: cmp output.log expected.log - -@TEST-START-FILE read.bro - -global md5_handle: opaque of md5 &persistent &synchronized; -global sha1_handle: opaque of sha1 &persistent &synchronized; -global sha256_handle: opaque of sha256 &persistent &synchronized; -global entropy_handle: opaque of entropy &persistent &synchronized; - -global bloomfilter_elements: set[string] &persistent &synchronized; -global bloomfilter_handle: opaque of bloomfilter &persistent &synchronized; - -event bro_done() - { - local out = open("output.log"); - - # Finish incremental operations started by a previous Bro. - if ( md5_hash_update(md5_handle, "oo") ) - print out, md5_hash_finish(md5_handle); - else - print out, "md5_hash_update() failed"; - - if ( sha1_hash_update(sha1_handle, "oo") ) - print out, sha1_hash_finish(sha1_handle); - else - print out, "sha1_hash_update() failed"; - - if ( sha256_hash_update(sha256_handle, "oo") ) - print out, sha256_hash_finish(sha256_handle); - else - print out, "sha256_hash_update() failed"; - - if ( entropy_test_add(entropy_handle, "oo") ) - print out, entropy_test_finish(entropy_handle); - else - print out, "entropy_test_add() failed"; - - for ( e in bloomfilter_elements ) - print bloomfilter_lookup(bloomfilter_handle, e); - } - -@TEST-END-FILE - -@TEST-START-FILE write.bro - -global md5_handle: opaque of md5 &persistent &synchronized; -global sha1_handle: opaque of sha1 &persistent &synchronized; -global sha256_handle: opaque of sha256 &persistent &synchronized; -global entropy_handle: opaque of entropy &persistent &synchronized; - -global bloomfilter_elements = { "foo", "bar", "baz" } &persistent &synchronized; -global bloomfilter_handle: opaque of bloomfilter &persistent &synchronized; - -event bro_init() - { - local out = open("expected.log"); - print out, 
md5_hash("foo"); - print out, sha1_hash("foo"); - print out, sha256_hash("foo"); - print out, find_entropy("foo"); - - # Begin incremental operations. Our goal is to feed the data string "foo" to - # the computation, but split into "f" and "oo" in two instances.. - md5_handle = md5_hash_init(); - if ( ! md5_hash_update(md5_handle, "f") ) - print out, "md5_hash_update() failed"; - - sha1_handle = sha1_hash_init(); - if ( ! sha1_hash_update(sha1_handle, "f") ) - print out, "sha1_hash_update() failed"; - - sha256_handle = sha256_hash_init(); - if ( ! sha256_hash_update(sha256_handle, "f") ) - print out, "sha256_hash_update() failed"; - - entropy_handle = entropy_test_init(); - if ( ! entropy_test_add(entropy_handle, "f") ) - print out, "entropy_test_add() failed"; - - bloomfilter_handle = bloomfilter_basic_init(0.1, 100); - for ( e in bloomfilter_elements ) - bloomfilter_add(bloomfilter_handle, e); - } - -@TEST-END-FILE diff --git a/testing/btest/istate/persistence.bro b/testing/btest/istate/persistence.bro deleted file mode 100644 index ea2a5368ba..0000000000 --- a/testing/btest/istate/persistence.bro +++ /dev/null 
@@ -1,110 +0,0 @@ -# -# @TEST-EXEC: bro -r $TRACES/empty.trace write.bro %INPUT -# @TEST-EXEC: cp vars.log vars.write.log -# @TEST-EXEC: bro read.bro %INPUT -# @TEST-EXEC: cp vars.log vars.read.log -# @TEST-EXEC: btest-diff vars.read.log -# @TEST-EXEC: btest-diff vars.write.log -# @TEST-EXEC: cmp vars.read.log vars.write.log - -### Common code for reader and writer. - -event bro_done() - { - local out = open("vars.log"); - print out, foo1; - print out, foo2; - print out, foo3; - print out, foo4; - print out, foo5; - print out, foo6; - print out, foo8; - print out, foo9; - print out, foo10; - print out, foo11; - print out, foo12; - print out, foo13; - print out, foo14; - print out, foo15; - print out, foo16; - print out, foo17; - } - - - - - -@TEST-START-FILE read.bro - -global foo1: count &persistent &synchronized; -global foo2: int &persistent &synchronized; -global foo3: string &persistent &synchronized; -global foo4: addr &persistent &synchronized; -global foo5: subnet &persistent &synchronized; -global foo6: double &persistent &synchronized; -global foo8: interval &persistent &synchronized; -global foo9: table[count] of string &persistent &synchronized; -global foo10: file &persistent &synchronized; -global foo11: pattern &persistent &synchronized; -global foo12: set[count] &persistent &synchronized; -global foo13: table[count, string] of count &persistent &synchronized; -global foo14: table[count] of pattern &persistent &synchronized; -global foo15: port &persistent &synchronized; -global foo16: vector of count &persistent &synchronized; - -type type1: record { - a: string; - b: count &default=42; - c: double &optional; - }; - -type type2: record { - a: string; - b: type1; - c: type1; - d: double; - }; - -global foo17: type2 &persistent &synchronized; - -@TEST-END-FILE - -@TEST-START-FILE write.bro - -global foo1 = 42 &persistent &synchronized; -global foo2 = -42 &persistent &synchronized; -global foo3 = "Hallihallo" &persistent &synchronized; -global foo4 = 
1.2.3.4 &persistent &synchronized; -global foo5 = 1.2.0.0/16 &persistent &synchronized; -global foo6 = 3.14 &persistent &synchronized; -global foo8 = 42 secs &persistent &synchronized; -global foo9 = { [1] = "qwerty", [2] = "uiop" } &persistent &synchronized; -global foo10 = open("test") &persistent &synchronized; -global foo11 = /12345/ &persistent &synchronized; -global foo12 = { 1,2,3,4,5 } &persistent &synchronized; -global foo13 = { [1,"ABC"] = 101, [2,"DEF"] = 102, [3,"GHI"] = 103 } &persistent &synchronized; -global foo14 = { [12345] = foo11, [12346] = foo11 } &persistent &synchronized; -global foo15 = 42/udp &persistent &synchronized; -global foo16: vector of count = [1,2,3] &persistent &synchronized; - -type type1: record { - a: string; - b: count &default=42; - c: double &optional; - }; - -type type2: record { - a: string; - b: type1; - c: type1; - d: double; - }; - -global foo17: type2 = [ - $a = "yuyuyu", - $b = [$a="rec1", $b=100, $c=1.24], - $c = [$a="rec2", $b=200, $c=2.24], - $d = 7.77 - ] &persistent &synchronized; - -@TEST-END-FILE diff --git a/testing/btest/istate/pybroccoli.py b/testing/btest/istate/pybroccoli.py deleted file mode 100644 index 0d7106d592..0000000000 --- a/testing/btest/istate/pybroccoli.py +++ /dev/null 
@@ -1,20 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib -# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/bindings/broccoli-python/_broccoli_intern.so -# -# @TEST-EXEC: btest-bg-run bro bro %INPUT $DIST/aux/broccoli/bindings/broccoli-python/tests/test.bro -# @TEST-EXEC: sleep 2 -# @TEST-EXEC: btest-bg-run python PYTHONPATH=$DIST/aux/broccoli/bindings/broccoli-python/:$BUILD/aux/broccoli/bindings/broccoli-python python $DIST/aux/broccoli/bindings/broccoli-python/tests/test.py -# @TEST-EXEC: btest-bg-wait -k 20 -# @TEST-EXEC: btest-diff bro/.stdout -# -# @TEST-EXEC: sed -e 's/instance at [^>]*>/instance at >/' -e 's/object at [^>]*>/instance at >/' python/.stdout.filtered -# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -e 's/^\([-]*[0-9][0-9]*\)L/\1/' | $SCRIPTS/diff-remove-timestamps" btest-diff python/.stdout.filtered - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - - diff --git a/testing/btest/istate/sync.bro b/testing/btest/istate/sync.bro deleted file mode 100644 index a297e8a50f..0000000000 --- a/testing/btest/istate/sync.bro +++ /dev/null 
@@ -1,171 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run sender bro -b %INPUT ../sender.bro -# @TEST-EXEC: btest-bg-run receiver bro -b %INPUT ../receiver.bro -# @TEST-EXEC: btest-bg-wait 20 -# -# @TEST-EXEC: btest-diff sender/vars.log -# @TEST-EXEC: btest-diff receiver/vars.log -# @TEST-EXEC: cmp sender/vars.log receiver/vars.log - -### Common code for sender and receiver. - -# Instantiate variables. - -global foo1 = 42 &persistent &synchronized; -global foo2 = -42 &persistent &synchronized; -global foo3 = "Hallihallo" &persistent &synchronized; -global foo4 = 1.2.3.4 &persistent &synchronized; -global foo5 = 1.2.0.0/16 &persistent &synchronized; -global foo6 = 3.14 &persistent &synchronized; -global foo8 = 42 secs &persistent &synchronized; -global foo9 = { [1] = "qwerty", [2] = "uiop" } &persistent &synchronized; -global foo10 = open("test") &persistent &synchronized; -global foo11 = /12345/ &persistent &synchronized; -global foo12 = { 1,2,3,4,5 } &persistent &synchronized; -global foo13 = { [1,"ABC"] = 101, [2,"DEF"] = 102, [3,"GHI"] = 103 } &persistent &synchronized; -global foo14 = { [12345] = foo11, [12346] = foo11 } &persistent &synchronized; -global foo15 = 42/udp &persistent &synchronized; -global foo16: vector of count = [1,2,3] &persistent &synchronized; -global foo18: count &persistent &synchronized; # not initialized - -type type1: record { - a: string; - b: count &default=42; - c: double &optional; - }; - -type type2: record { - a: string; - b: type1; - c: type1; - d: double; - e: double &optional; - }; - -global foo17: type2 = [ - $a = "yuyuyu", - $b = [$a="rec1", $b=100, $c=1.24], - $c = [$a="rec2", $b=200, $c=2.24], - $d = 7.77, $e=100.0 - ] &persistent &synchronized; - -# Print variables. 
- -event bro_done() - { - local out = open("vars.log"); - print out, foo1; - print out, foo2; - print out, foo3; - print out, foo4; - print out, foo5; - print out, foo6; - print out, foo8; - print out, foo9; - print out, foo10; - print out, foo11; - print out, foo12; - print out, foo13; - print out, foo14; - print out, foo15; - print out, foo16; - print out, foo17; - print out, foo18; - } - - -@TEST-START-FILE sender.bro - -# Perform modifications on variables. - -function modify() - { - foo1 = 420; - ++foo1; - - --foo2; - - foo3 = "Jodel"; - - foo4 = 4.3.2.1; - - foo5 = 4.0.0.0/8; - - foo6 = 21; - - foo9[3] = "asdfg1"; - foo9[1] = "asdfg2"; - delete foo9[2]; - - foo10 = open("test2"); - - foo11 = /abbcdefgh/; - - add foo12[6]; - delete foo12[1]; - - foo13[4,"JKL"] = 104; - delete foo13[1,"ABC"]; - ++foo13[2,"DEF"]; - - foo14[6767] = /QWERTZ/; - - foo15 = 6667/tcp; - - foo16[3] = 4; - foo16[1] = 20; - ++foo16[0]; - - local x: type1; - x$a = "pop"; - ++x$b; - x$c = 9.999; - foo17$a = "zxzxzx"; - foo17$b = x; - foo17$c$a = "IOIOI"; - ++foo17$c$b; - foo17$c$c = 612.2; - foo17$d = 6.6666; - delete foo17$e; - - foo2 = 1234567; - foo18 = 122112; - } - -@load frameworks/communication/listen - -event remote_connection_handshake_done(p: event_peer) - { - modify(); - terminate_communication(); - } - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $sync=T] -}; - -@TEST-END-FILE - -############# - -@TEST-START-FILE receiver.bro - -@load base/frameworks/communication - -event bro_init() - { - capture_events("events.bst"); - } - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $events = /.*/, $connect=T, $sync=T, - $retry=1sec] -}; - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE diff --git a/testing/btest/istate/topk.bro b/testing/btest/istate/topk.bro deleted file mode 100644 index 4d599c2780..0000000000 --- a/testing/btest/istate/topk.bro +++ /dev/null 
@@ -1,74 +0,0 @@
-# @TEST-EXEC: bro -b %INPUT runnumber=1 >out
-# @TEST-EXEC: bro -b %INPUT runnumber=2 >>out
-# @TEST-EXEC: bro -b %INPUT runnumber=3 >>out
-# @TEST-EXEC: btest-diff out
-
-global runnumber: count &redef; # differentiate runs
-
-global k1: opaque of topk &persistent;
-global k2: opaque of topk &persistent;
-
-event bro_init()
- {
-
- k2 = topk_init(20);
-
- if ( runnumber == 1 )
- {
- k1 = topk_init(100);
-
- topk_add(k1, "a");
- topk_add(k1, "b");
- topk_add(k1, "b");
- topk_add(k1, "c");
- topk_add(k1, "c");
- topk_add(k1, "c");
- topk_add(k1, "c");
- topk_add(k1, "c");
- topk_add(k1, "c");
- topk_add(k1, "d");
- topk_add(k1, "d");
- topk_add(k1, "d");
- topk_add(k1, "d");
- topk_add(k1, "e");
- topk_add(k1, "e");
- topk_add(k1, "e");
- topk_add(k1, "e");
- topk_add(k1, "e");
- topk_add(k1, "f");
- }
-
- local s = topk_get_top(k1, 3);
- print topk_count(k1, "a");
- print topk_count(k1, "b");
- print topk_count(k1, "c");
- print topk_count(k1, "d");
- print topk_count(k1, "e");
- print topk_count(k1, "f");
-
- if ( runnumber == 2 )
- {
- topk_add(k1, "a");
- topk_add(k1, "b");
- topk_add(k1, "b");
- topk_add(k1, "c");
- topk_add(k1, "c");
- topk_add(k1, "c");
- topk_add(k1, "c");
- topk_add(k1, "c");
- topk_add(k1, "c");
- topk_add(k1, "d");
- topk_add(k1, "d");
- topk_add(k1, "d");
- topk_add(k1, "d");
- topk_add(k1, "e");
- topk_add(k1, "e");
- topk_add(k1, "e");
- topk_add(k1, "e");
- topk_add(k1, "e");
- topk_add(k1, "f");
- }
-
- print s;
-
- }
diff --git a/testing/btest/language/switch-error-mixed.bro b/testing/btest/language/switch-error-mixed.bro
new file mode 100644
index 0000000000..78c7a2091f
--- /dev/null
+++ b/testing/btest/language/switch-error-mixed.bro
@@ -0,0 +1,13 @@
+# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+function switch_one(v: count): string
+ {
+ switch (v) {
+ case 42:
+ return "42!";
+ case type count:
+ return "Count!";
+ }
+ }
+
diff --git a/testing/btest/language/switch-types-error-duplicate.bro b/testing/btest/language/switch-types-error-duplicate.bro
new file mode 100644
index 0000000000..846d228be3
--- /dev/null
+++ b/testing/btest/language/switch-types-error-duplicate.bro
@@ -0,0 +1,18 @@
+# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+function switch_one(v: any): string
+ {
+ switch (v) {
+ case type string:
+ return "String!";
+ case type count:
+ return "Count!";
+ case type bool, type count:
+ return "Bool or address!";
+ default:
+ return "Somethign else!";
+ }
+
+ }
+
diff --git a/testing/btest/language/switch-types-error-unsupported.bro b/testing/btest/language/switch-types-error-unsupported.bro
new file mode 100644
index 0000000000..d8b8d039df
--- /dev/null
+++ b/testing/btest/language/switch-types-error-unsupported.bro
@@ -0,0 +1,17 @@
+# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+function switch_one(v: string): string
+ {
+ switch (v) {
+ case type string:
+ return "String!";
+ case type count:
+ return "Count!";
+ case type bool, type addr:
+ return "Bool or address!";
+ default:
+ return "Somethign else!";
+ }
+ }
+
diff --git a/testing/btest/language/switch-types-vars.bro b/testing/btest/language/switch-types-vars.bro
new file mode 100644
index 0000000000..1b0ca5591b
--- /dev/null
+++ b/testing/btest/language/switch-types-vars.bro
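Review bot: Nothing in switch-types-error-duplicate.bro says which construct is expected to be rejected, and the return string on the offending case (`"Bool or address!"` under `case type bool, type count:`) describes a different case list, so a reader has to compare it with switch-types.bro to spot the repeated `count`. A one-line comment above that case, e.g. `# Error expected: type count is already handled by the case above.`, would make the intent explicit. switch-types-error-unsupported.bro on the same line would benefit from the equivalent `# Error expected: type cases need a switch value of type any.`; that rule is inferred from the file name and the `v: string` parameter, so confirm it before committing the wording.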
@@ -0,0 +1,48 @@
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+function switch_one(v: any)
+ {
+ switch (v) {
+ case type string as s:
+ print "string!", s;
+ break;
+
+ case type count as c:
+ print "count!", c;
+ break;
+
+ case type int:
+ print "int!";
+ break;
+
+ case type double, type port:
+ print "double or port";
+ break;
+
+ case type bool as b, type addr as a:
+ print "Bool or address?";
+
+ if ( v is bool )
+ print " bool", b;
+
+ if ( v is addr )
+ print " addr", a;
+
+ break;
+ default:
+ print "Somethign else!";
+ break;
+ }
+ }
+
+event bro_init()
+ {
+ switch_one("My StrIng");
+ switch_one(42);
+ switch_one(1.2.3.4);
+ switch_one(T);
+ switch_one(-13);
+ switch_one(42/udp);
+ switch_one(3.1415926);
+ }
diff --git a/testing/btest/language/switch-types.bro b/testing/btest/language/switch-types.bro
new file mode 100644
index 0000000000..468ba93922
--- /dev/null
+++ b/testing/btest/language/switch-types.bro
@@ -0,0 +1,43 @@
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+function switch_one(v: any): string
+ {
+ switch (v) {
+ case type string:
+ return "String!";
+ case type count:
+ return "Count!";
+ case type bool, type addr:
+ return "Bool or address!";
+ default:
+ return "Somethign else!";
+ }
+ }
+
+function switch_one_no_default(v: any): string
+ {
+ switch (v) {
+ case type string:
+ return "String!";
+ case type count:
+ return "Count!";
+ case type bool, type addr:
+ return "Bool or address!";
+ }
+
+ return "n/a";
+ }
+
+
+event bro_init()
+ {
+ print switch_one("string");
+ print switch_one(42);
+ print switch_one(T);
+ print switch_one(1947/tcp);
+ print "";
+ print switch_one_no_default(1.2.3.4);
+ print switch_one_no_default(1947/tcp);
+
+ }
diff --git a/testing/btest/language/type-cast-any.bro b/testing/btest/language/type-cast-any.bro
new file mode 100644
index 0000000000..ddd4ea2dbe
--- /dev/null
+++ b/testing/btest/language/type-cast-any.bro
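Review bot: The `default:` branch of `switch_one` in switch-types-vars.bro is never reached, because each of the seven calls in `bro_init` passes a value that matches one of the typed cases, so the fall-through path next to the `as`-bound cases is untested in this file. One more call with an unlisted type, e.g. `switch_one(1sec);`, would cover it, at the cost of one extra baseline line. The string `"Somethign else!"` is misspelled here and in switch-types.bro, where it does reach the baseline through `switch_one(1947/tcp)`; correcting it means regenerating that baseline.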
@@ -0,0 +1,45 @@
+# @TEST-EXEC: bro -b %INPUT >output 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+
+type X: record {
+ a: addr;
+ b: port;
+};
+
+function cast_to_string(a: any, b: string)
+ {
+ local P = (a as string);
+ local Cmp = (P == b);
+ print a, P, P is string, fmt("%s==%s => %s", b, P, Cmp);
+ }
+
+function cast_to_count(a: any, b: count)
+ {
+ local P = (a as count);
+ local Cmp = (P == b);
+ print a, P, P is count, fmt("%s==%s => %s", b, P, Cmp);
+ }
+
+function cast_to_X(a: any, b: X)
+ {
+ local P = (a as X);
+ local Cmp = (P$a == b$a && P$b == b$b);
+ print a, P, P is X, fmt("%s==%s => %s", b, P, Cmp);
+ }
+
+event bro_init()
+ {
+ local x: X;
+ x = [$a = 1.2.3.4, $b=1947/tcp];
+
+ cast_to_string("Foo", "Foo");
+ cast_to_string("Foo", "Bar");
+
+ cast_to_count(42, 42);
+ cast_to_count(42, 21);
+
+ cast_to_X(x, [$a=1.2.3.4, $b=1947/tcp]);
+ cast_to_X(x, [$a=2.3.4.5, $b=1947/tcp]);
+ }
+
+
diff --git a/testing/btest/language/type-cast-error-dynamic.bro b/testing/btest/language/type-cast-error-dynamic.bro
new file mode 100644
index 0000000000..45f1d1fb5f
--- /dev/null
+++ b/testing/btest/language/type-cast-error-dynamic.bro
@@ -0,0 +1,23 @@
+# @TEST-EXEC: bro -b %INPUT >output 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+
+type X: record {
+ a: addr;
+ b: port;
+};
+
+function cast_to_string(a: any)
+ {
+ print a as string;
+ }
+
+event bro_init()
+ {
+ local x: X;
+ x = [$a = 1.2.3.4, $b=1947/tcp];
+
+ cast_to_string(42);
+ cast_to_string(x);
+ }
+
+
diff --git a/testing/btest/language/type-cast-error-static.bro b/testing/btest/language/type-cast-error-static.bro
new file mode 100644
index 0000000000..3533fef3cb
--- /dev/null
+++ b/testing/btest/language/type-cast-error-static.bro
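Review bot: In type-cast-error-dynamic.bro both failing casts are issued from the same `bro_init` handler, so if a failed `as` cast aborts the handler that triggered it (as Bro's runtime errors generally do; confirm for this expression), `cast_to_string(x)` never runs and the record-to-string case is not exercised. Putting each call in its own `bro_init` handler would let both errors reach the baseline. A short comment explaining that this test uses `@TEST-EXEC` rather than `@TEST-EXEC-FAIL` because the error is reported at run time would also help readers who compare it with the static variant.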
@@ -0,0 +1,18 @@ +# @TEST-EXEC-FAIL: bro -b %INPUT >output 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output + +type X: record { + a: addr; + b: port; +}; + +event bro_init() + { + local x: X; + x = [$a = 1.2.3.4, $b=1947/tcp]; + + print "string" as count; + print "string" as X; + } + + diff --git a/testing/btest/language/type-cast-same.bro b/testing/btest/language/type-cast-same.bro new file mode 100644 index 0000000000..93c3b633fa --- /dev/null +++ b/testing/btest/language/type-cast-same.bro @@ -0,0 +1,21 @@ +# @TEST-EXEC: bro -b %INPUT >output 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output + +type X: record { + a: addr; + b: port; +}; + +event bro_init() + { + local x: X; + x = [$a = 1.2.3.4, $b=1947/tcp]; + + local s = "sTriNg" as string; + local y = x as X; + + print s, s is string; + print y, y is X; + } + + diff --git a/testing/btest/language/type-check-any.bro b/testing/btest/language/type-check-any.bro new file mode 100644 index 0000000000..5d882c8997 --- /dev/null +++ b/testing/btest/language/type-check-any.bro @@ -0,0 +1,24 @@ +# @TEST-EXEC: bro -b %INPUT >output 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output + +type X: record { + a: addr; + b: port; +}; + +function check(a: any) + { + print a, a is string, a is count, a is X; + } + +event bro_init() + { + local x: X; + x = [$a = 1.2.3.4, $b=1947/tcp]; + + check("Foo"); + check(1); + check(x); + } + + diff --git a/testing/btest/language/when.bro b/testing/btest/language/when.bro index d996d1c026..795552a422 100644 --- a/testing/btest/language/when.bro +++ b/testing/btest/language/when.bro @@ -4,7 +4,7 @@ # @TEST-EXEC: mv test1/.stdout out # @TEST-EXEC: btest-diff out -@load frameworks/communication/listen +redef exit_only_after_terminate = T; event bro_init() { 
diff --git a/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.bro b/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.bro
new file mode 100644
index 0000000000..5f337093b0
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.bro
@@ -0,0 +1,115 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: sleep 1 +# @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT +# @TEST-EXEC: btest-bg-wait 30 +# @TEST-EXEC: btest-diff manager-1/.stdout + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1"], + ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], +}; +@TEST-END-FILE + +global my_pool_spec: Cluster::PoolSpec = + Cluster::PoolSpec( + $topic = "bro/cluster/pool/my_pool", + $node_type = Cluster::PROXY + ); + +global my_pool: Cluster::Pool; + +redef Cluster::proxy_pool_spec = + Cluster::PoolSpec( + $topic = "bro/cluster/pool/proxy", + $node_type = Cluster::PROXY, + $exclusive = T, + $max_nodes = 1 + ); + +event bro_init() + { + my_pool = Cluster::register_pool(my_pool_spec); + } + +global proxy_count = 0; + +event go_away() + { + terminate(); + } + +function print_stuff(heading: string) + { + print heading; + + local v: vector of count = vector(0, 1, 2, 3, 13, 37, 42, 101); + + for ( i in v ) + { + print "hrw", v[i], Cluster::hrw_topic(Cluster::proxy_pool, v[i]); + print "hrw (custom pool)", v[i], Cluster::hrw_topic(my_pool, v[i]); + } + + local rr_key = "test"; + + for ( i in v ) + { + print "rr", Cluster::rr_topic(Cluster::proxy_pool, rr_key); + print "rr (custom pool)", Cluster::rr_topic(my_pool, rr_key); + } + + # Just checking the same keys 
still map to same topic ... + for ( i in v ) + { + print "hrw", v[i], Cluster::hrw_topic(Cluster::proxy_pool, v[i]); + print "hrw (custom pool)", v[i], Cluster::hrw_topic(my_pool, v[i]); + } + } + +event Cluster::node_up(name: string, id: string) + { + if ( Cluster::node != "manager-1" ) + return; + + if ( name == "proxy-1" || name == "proxy-2" ) + ++proxy_count; + + if ( proxy_count == 2 ) + { + print_stuff("1st stuff"); + local e = Broker::make_event(go_away); + Broker::publish(Cluster::node_topic("proxy-1"), e); + } + } + +event Cluster::node_down(name: string, id: string) + { + if ( Cluster::node != "manager-1" ) + return; + + if ( name == "proxy-1" ) + { + print_stuff("2nd stuff"); + local e = Broker::make_event(go_away); + Broker::publish(Cluster::node_topic("proxy-2"), e); + } + + if ( name == "proxy-2" ) + { + print_stuff("no stuff"); + terminate(); + } + } + +event Cluster::node_down(name: string, id: string) + { + if ( name == "manager-1" ) + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.bro b/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.bro new file mode 100644 index 0000000000..10a190f016 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.bro 
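Review bot: In `Cluster::node_up` of custom_pool_exclusivity.bro the `if ( proxy_count == 2 )` block is evaluated on every `node_up` the manager sees, not only when a proxy joins, so any later `node_up` would print "1st stuff" and publish `go_away` a second time (the layout declares `worker-1` and `worker-2`, although this test does not start them). An early `if ( name != "proxy-1" && name != "proxy-2" ) return;` before the increment keeps the trigger tied to the second proxy. The same handler is repeated in custom_pool_limits.bro and topic_distribution.bro. All three also rely on `sleep 1` to order start-up, which is timing-dependent on a loaded test host.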
@@ -0,0 +1,115 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: sleep 1 +# @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT +# @TEST-EXEC: btest-bg-wait 30 +# @TEST-EXEC: btest-diff manager-1/.stdout + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1"], + ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], +}; +@TEST-END-FILE + +global my_pool_spec: Cluster::PoolSpec = + Cluster::PoolSpec( + $topic = "bro/cluster/pool/my_pool", + $node_type = Cluster::PROXY + ); + +global my_pool: Cluster::Pool; + +redef Cluster::proxy_pool_spec = + Cluster::PoolSpec( + $topic = "bro/cluster/pool/proxy", + $node_type = Cluster::PROXY, + $exclusive = F, + $max_nodes = 1 + ); + +event bro_init() + { + my_pool = Cluster::register_pool(my_pool_spec); + } + +global proxy_count = 0; + +event go_away() + { + terminate(); + } + +function print_stuff(heading: string) + { + print heading; + + local v: vector of count = vector(0, 1, 2, 3, 13, 37, 42, 101); + + for ( i in v ) + { + print "hrw", v[i], Cluster::hrw_topic(Cluster::proxy_pool, v[i]); + print "hrw (custom pool)", v[i], Cluster::hrw_topic(my_pool, v[i]); + } + + local rr_key = "test"; + + for ( i in v ) + { + print "rr", Cluster::rr_topic(Cluster::proxy_pool, rr_key); + print "rr (custom pool)", Cluster::rr_topic(my_pool, rr_key); + } + + # Just checking the same keys 
still map to same topic ... + for ( i in v ) + { + print "hrw", v[i], Cluster::hrw_topic(Cluster::proxy_pool, v[i]); + print "hrw (custom pool)", v[i], Cluster::hrw_topic(my_pool, v[i]); + } + } + +event Cluster::node_up(name: string, id: string) + { + if ( Cluster::node != "manager-1" ) + return; + + if ( name == "proxy-1" || name == "proxy-2" ) + ++proxy_count; + + if ( proxy_count == 2 ) + { + print_stuff("1st stuff"); + local e = Broker::make_event(go_away); + Broker::publish(Cluster::node_topic("proxy-1"), e); + } + } + +event Cluster::node_down(name: string, id: string) + { + if ( Cluster::node != "manager-1" ) + return; + + if ( name == "proxy-1" ) + { + print_stuff("2nd stuff"); + local e = Broker::make_event(go_away); + Broker::publish(Cluster::node_topic("proxy-2"), e); + } + + if ( name == "proxy-2" ) + { + print_stuff("no stuff"); + terminate(); + } + } + +event Cluster::node_down(name: string, id: string) + { + if ( name == "manager-1" ) + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/cluster/log_distribution.bro b/testing/btest/scripts/base/frameworks/cluster/log_distribution.bro new file mode 100644 index 0000000000..02c1b7b6e7 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/cluster/log_distribution.bro 
@@ -0,0 +1,80 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run logger-1 BROPATH=$BROPATH:.. CLUSTER_NODE=logger-1 bro %INPUT +# @TEST-EXEC: btest-bg-run logger-2 BROPATH=$BROPATH:.. CLUSTER_NODE=logger-2 bro %INPUT +# @TEST-EXEC: sleep 1 +# @TEST-EXEC: btest-bg-run manager BROPATH=$BROPATH:.. CLUSTER_NODE=manager bro %INPUT +# @TEST-EXEC: sleep 1 +# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT +# @TEST-EXEC: btest-bg-wait 30 +# @TEST-EXEC: btest-diff logger-1/test.log +# @TEST-EXEC: btest-diff logger-2/test.log + +@TEST-START-FILE cluster-layout.bro +redef Cluster::manager_is_logger = F; + +redef Cluster::nodes = { + ["manager"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager", $interface="eth0"], + ["logger-1"] = [$node_type=Cluster::LOGGER, $ip=127.0.0.1, $p=37762/tcp, $manager="manager"], + ["logger-2"] = [$node_type=Cluster::LOGGER, $ip=127.0.0.1, $p=37763/tcp, $manager="manager"] +}; + +@TEST-END-FILE + +redef Log::default_rotation_interval = 0sec; + +module Test; +redef enum Log::ID += { LOG }; + +type Info: record { + num: count &log; +}; + +event bro_init() &priority=5 + { + Log::create_stream(Test::LOG, [$columns=Info, $path="test"]); + } + +global peer_count = 0; +global c = 0; + +event go_away() + { + terminate(); + } + +event do_count() + { + Log::write(Test::LOG, [$num = ++c]); + + if ( c == 100 ) + { + Broker::flush_logs(); + schedule 2sec { go_away() }; + } + else + schedule 0.01sec { do_count() }; + } + +event Cluster::node_up(name: string, id: string) + { + print "node_up", name; + ++peer_count; + + if ( Cluster::node == "worker-1" && peer_count == 3 ) + { + Cluster::logger_pool$rr_key_seq["Cluster::rr_log_topic"] = 0; + schedule 0.25sec { do_count() }; + } + } + +event Cluster::node_down(name: string, id: string) + { + print "node_down", name; + --peer_count; + + if ( name == "worker-1" ) + 
schedule 2sec { go_away() }; + } + diff --git a/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro b/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro index 97f3698f36..6fb834cc74 100644 --- a/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro +++ b/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro @@ -21,11 +21,11 @@ redef Cluster::manager_is_logger = F; redef Cluster::nodes = { ["logger-1"] = [$node_type=Cluster::LOGGER, $ip=127.0.0.1, $p=37757/tcp], - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37758/tcp, $logger="logger-1", $workers=set("worker-1")], - ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $logger="logger-1", $manager="manager-1", $workers=set("worker-1")], - ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37760/tcp, $logger="logger-1", $manager="manager-1", $workers=set("worker-2")], - ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $logger="logger-1", $manager="manager-1", $proxy="proxy-1", $interface="eth0"], - ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37762/tcp, $logger="logger-1", $manager="manager-1", $proxy="proxy-2", $interface="eth1"], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37758/tcp], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1"], + ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37762/tcp, $manager="manager-1", $interface="eth1"], }; @TEST-END-FILE 
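Review bot: log_distribution.bro assigns `Cluster::logger_pool$rr_key_seq["Cluster::rr_log_topic"] = 0;` without saying why, and the literal key ties the test to an internal name of the cluster framework. Presumably the reset makes the round-robin split between logger-1 and logger-2 deterministic for `btest-diff`; a comment such as `# Reset round-robin state so the per-logger baselines are stable.` would record that once the reason is confirmed. The fixed `schedule 2sec { go_away() }` after `Broker::flush_logs()` is a timing assumption too and deserves a word on why two seconds is expected to suffice.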
@@ -38,25 +38,28 @@ global fully_connected_nodes = 0; event fully_connected() { ++fully_connected_nodes; + if ( Cluster::node == "logger-1" ) { if ( peer_count == 5 && fully_connected_nodes == 5 ) - terminate_communication(); + terminate(); } } -redef Cluster::worker2logger_events += /fully_connected/; -redef Cluster::proxy2logger_events += /fully_connected/; -redef Cluster::manager2logger_events += /fully_connected/; +event bro_init() + { + Broker::auto_publish(Cluster::logger_topic, fully_connected); + } -event remote_connection_handshake_done(p: event_peer) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { print "Connected to a peer"; ++peer_count; + if ( Cluster::node == "logger-1" ) { if ( peer_count == 5 && fully_connected_nodes == 5 ) - terminate_communication(); + terminate(); } else if ( Cluster::node == "manager-1" ) { @@ -65,12 +68,12 @@ event remote_connection_handshake_done(p: event_peer) } else { - if ( peer_count == 3 ) + if ( peer_count == 4 ) event fully_connected(); } } -event remote_connection_closed(p: event_peer) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } diff --git a/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro b/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro index acb9c3676a..3b21cee3dc 100644 --- a/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro +++ b/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro @@ -8,7 +8,7 @@ # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 30 -# @TEST-EXEC: btest-diff manager-1/.stdout +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout # @TEST-EXEC: btest-diff proxy-1/.stdout # @TEST-EXEC: btest-diff proxy-2/.stdout # @TEST-EXEC: btest-diff worker-1/.stdout 
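Review bot: The `fully_connected` handler in start-it-up-logger.bro has no `is_remote_event()` guard, while this same commit adds `if ( ! is_remote_event() ) return;` to the handler in start-it-up.bro. With `Broker::auto_publish(Cluster::logger_topic, fully_connected)`, a node that raises `event fully_connected()` also runs its own handler, so `fully_connected_nodes` is incremented on the sender as well; that looks harmless because only `logger-1` tests the counter, but the two tests should agree. Adding the same guard at the top of the handler would align them. The `peer_added` handler continues past this hunk, and the new threshold `peer_count == 4` in the next hunk would benefit from a comment deriving it from the node layout.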
@@ -16,11 +16,11 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")], - ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1")], - ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1", $workers=set("worker-2")], - ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"], - ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-2", $interface="eth1"], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1"], + ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], }; @TEST-END-FILE 
@@ -32,34 +32,42 @@ global fully_connected_nodes = 0; event fully_connected() { + if ( ! is_remote_event() ) + return; + + print "Got fully_connected event"; fully_connected_nodes = fully_connected_nodes + 1; + if ( Cluster::node == "manager-1" ) { if ( peer_count == 4 && fully_connected_nodes == 4 ) - terminate_communication(); + terminate(); } } -redef Cluster::worker2manager_events += /fully_connected/; -redef Cluster::proxy2manager_events += /fully_connected/; +event bro_init() + { + Broker::auto_publish(Cluster::manager_topic, fully_connected); + } -event remote_connection_handshake_done(p: event_peer) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { print "Connected to a peer"; peer_count = peer_count + 1; + if ( Cluster::node == "manager-1" ) { if ( peer_count == 4 && fully_connected_nodes == 4 ) - terminate_communication(); + terminate(); } else { - if ( peer_count == 2 ) + if ( peer_count == 3 ) event fully_connected(); } } -event remote_connection_closed(p: event_peer) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } diff --git a/testing/btest/scripts/base/frameworks/cluster/topic_distribution.bro b/testing/btest/scripts/base/frameworks/cluster/topic_distribution.bro new file mode 100644 index 0000000000..591a3329b7 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/cluster/topic_distribution.bro 
@@ -0,0 +1,85 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: sleep 1 +# @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT +# @TEST-EXEC: btest-bg-wait 30 +# @TEST-EXEC: btest-diff manager-1/.stdout + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1"], + ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], +}; +@TEST-END-FILE + +global proxy_count = 0; + +event go_away() + { + terminate(); + } + +function print_stuff(heading: string) + { + print heading; + + local v: vector of count = vector(0, 1, 2, 3, 13, 37, 42, 101); + + for ( i in v ) + print "hrw", v[i], Cluster::hrw_topic(Cluster::proxy_pool, v[i]); + + local rr_key = "test"; + + for ( i in v ) + print "rr", Cluster::rr_topic(Cluster::proxy_pool, rr_key); + + # Just checking the same keys still map to same topic ... 
+ for ( i in v ) + print "hrw", v[i], Cluster::hrw_topic(Cluster::proxy_pool, v[i]); + } + +event Cluster::node_up(name: string, id: string) + { + if ( Cluster::node != "manager-1" ) + return; + + if ( name == "proxy-1" || name == "proxy-2" ) + ++proxy_count; + + if ( proxy_count == 2 ) + { + print_stuff("1st stuff"); + local e = Broker::make_event(go_away); + Broker::publish(Cluster::node_topic("proxy-1"), e); + } + } + +event Cluster::node_down(name: string, id: string) + { + if ( Cluster::node != "manager-1" ) + return; + + if ( name == "proxy-1" ) + { + print_stuff("2nd stuff"); + local e = Broker::make_event(go_away); + Broker::publish(Cluster::node_topic("proxy-2"), e); + } + + if ( name == "proxy-2" ) + { + print_stuff("no stuff"); + terminate(); + } + } + +event Cluster::node_down(name: string, id: string) + { + if ( name == "manager-1" ) + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.bro b/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.bro new file mode 100644 index 0000000000..2f2462e752 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.bro 
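Review bot: In topic_distribution.bro the result of `Broker::publish(Cluster::node_topic("proxy-1"), e)` in `Cluster::node_up` is discarded. If the `go_away` event is not sent, the proxy never terminates and the test fails only at the `btest-bg-wait 30` timeout, with nothing in the output pointing at the cause. Checking the return value makes that failure visible, e.g. `if ( ! Broker::publish(Cluster::node_topic("proxy-1"), e) ) print "failed to publish go_away to proxy-1";`. The same applies to the `proxy-2` publish in `Cluster::node_down` and to both `go_away` publishes in topic_distribution_bifs.bro, which already prints the results of `Cluster::publish_hrw` and `Cluster::publish_rr`.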
@@ -0,0 +1,96 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: sleep 1 +# @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT +# @TEST-EXEC: btest-bg-wait 30 +# @TEST-EXEC: btest-diff manager-1/.stdout +# @TEST-EXEC: btest-diff proxy-1/.stdout +# @TEST-EXEC: btest-diff proxy-2/.stdout + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1"], + ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], +}; +@TEST-END-FILE + +global proxy_count = 0; +global q = 0; + +event go_away() + { + terminate(); + } + +event distributed_event_hrw(c: count) + { + print "got distributed event hrw", c; + } + +event distributed_event_rr(c: count) + { + print "got distributed event rr", c; + } + +function send_stuff(heading: string) + { + print heading; + + local v: vector of count = vector(0, 1, 2, 3, 13, 37, 42, 101); + + for ( i in v ) + print "hrw", v[i], Cluster::publish_hrw(Cluster::proxy_pool, v[i], + distributed_event_hrw, v[i]); + + local rr_key = "test"; + + for ( i in v ) + print "rr", Cluster::publish_rr(Cluster::proxy_pool, rr_key, + distributed_event_rr, v[i]); + } + +event Cluster::node_up(name: string, id: string) + { + if ( Cluster::node != "manager-1" ) + return; + + if ( name == "proxy-1" || name == "proxy-2" ) + ++proxy_count; + + if ( proxy_count == 2 ) + { + send_stuff("1st stuff"); + local e = 
Broker::make_event(go_away); + Broker::publish(Cluster::node_topic("proxy-1"), e); + } + } + +event Cluster::node_down(name: string, id: string) + { + if ( Cluster::node != "manager-1" ) + return; + + if ( name == "proxy-1" ) + { + send_stuff("2nd stuff"); + local e = Broker::make_event(go_away); + Broker::publish(Cluster::node_topic("proxy-2"), e); + } + + if ( name == "proxy-2" ) + { + send_stuff("no stuff"); + terminate(); + } + } + +event Cluster::node_down(name: string, id: string) + { + if ( name == "manager-1" ) + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro b/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro deleted file mode 100644 index 4a2ed735ef..0000000000 --- a/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro +++ /dev/null @@ -1,42 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run receiver bro -b ../receiver.bro -# @TEST-EXEC: btest-bg-run sender bro -b ../sender.bro -# @TEST-EXEC: btest-bg-wait -k 10 -# -# Don't diff the receiver log just because port is always going to change -# @TEST-EXEC: egrep -v 'CPU|bytes|pid|socket buffer size' sender/communication.log >send.log -# @TEST-EXEC: btest-diff send.log - -@TEST-START-FILE sender.bro - -@load base/frameworks/communication/main - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $events = /NOTHING/, $connect=T] -}; - -event remote_connection_handshake_done(p: event_peer) - { - terminate_communication(); - } - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE - -############# - -@TEST-START-FILE receiver.bro - -@load frameworks/communication/listen - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/config/updates.bro b/testing/btest/scripts/base/frameworks/config/updates.bro index 088157b079..b9ecd013cd 100644 
--- a/testing/btest/scripts/base/frameworks/config/updates.bro +++ b/testing/btest/scripts/base/frameworks/config/updates.bro @@ -13,7 +13,6 @@ @load base/frameworks/config @load base/protocols/conn -@load base/frameworks/communication # let network-time run redef exit_only_after_terminate = T; redef Config::config_files += {"../configfile"}; diff --git a/testing/btest/scripts/base/frameworks/control/configuration_update.bro b/testing/btest/scripts/base/frameworks/control/configuration_update.bro index d9e62efe08..5e459cc9f0 100644 --- a/testing/btest/scripts/base/frameworks/control/configuration_update.bro +++ b/testing/btest/scripts/base/frameworks/control/configuration_update.bro @@ -1,6 +1,6 @@ # @TEST-SERIALIZE: comm # -# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Communication::listen_port=65531/tcp +# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Broker::default_port=65531/tcp # @TEST-EXEC: sleep 5 # @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT test-redef frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=configuration_update # @TEST-EXEC: sleep 5 @@ -8,11 +8,6 @@ # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff controllee/.stdout -redef Communication::nodes = { - # We're waiting for connections from this host for control. - ["control"] = [$host=127.0.0.1, $class="control", $events=Control::controller_events], -}; - const test_var = "ORIGINAL VALUE (this should be printed out first)" &redef; @TEST-START-FILE test-redef.bro diff --git a/testing/btest/scripts/base/frameworks/control/id_value.bro b/testing/btest/scripts/base/frameworks/control/id_value.bro index ffbb9a10cf..13cf1c5548 100644 --- a/testing/btest/scripts/base/frameworks/control/id_value.bro +++ b/testing/btest/scripts/base/frameworks/control/id_value.bro 
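Review bot: In configuration_update.bro the controllee is now started with only `Broker::default_port=65531/tcp`, and nothing on the new side says which peer may send control commands. The removed `redef Communication::nodes` entry was the one place the test stated this (`$host=127.0.0.1`, `$class="control"`, `$events=Control::controller_events`). The commands exercised by these tests are `configuration_update`, `id_value` and `shutdown`, so whether the listener is reachable beyond loopback matters. I would add a header comment such as `# No peer allow-list here: the controllee's Broker listener must stay on loopback.` and, if the test environment does not already pin the listen address (not visible in this diff), pass `Broker::default_listen_address=127.0.0.1` on the controllee command line. The same applies to the `@TEST-EXEC` lines changed in id_value.bro and shutdown.bro.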
@@ -1,15 +1,10 @@ # @TEST-SERIALIZE: comm # -# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT only-for-controllee frameworks/control/controllee Communication::listen_port=65532/tcp +# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT only-for-controllee frameworks/control/controllee Broker::default_port=65532/tcp # @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65532/tcp Control::cmd=id_value Control::arg=test_var # @TEST-EXEC: btest-bg-wait -k 10 # @TEST-EXEC: btest-diff controller/.stdout -redef Communication::nodes = { - # We're waiting for connections from this host for control. - ["control"] = [$host=127.0.0.1, $class="control", $events=Control::controller_events], -}; - # This value shouldn't ever be printed to the controllers stdout. const test_var = "Original value" &redef; @@ -19,8 +14,13 @@ const test_var = "Original value" &redef; redef test_var = "This is the value from the controllee"; @TEST-END-FILE +event die() + { + terminate(); + } + event Control::id_value_response(id: string, val: string) { print fmt("Got an id_value_response(%s, %s) event", id, val); - terminate(); + schedule 2sec { die() }; } diff --git a/testing/btest/scripts/base/frameworks/control/shutdown.bro b/testing/btest/scripts/base/frameworks/control/shutdown.bro index 7b6e5713f8..cec965974a 100644 --- a/testing/btest/scripts/base/frameworks/control/shutdown.bro +++ b/testing/btest/scripts/base/frameworks/control/shutdown.bro 
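Review bot: The `Control::id_value_response` handler in id_value.bro now ends with `schedule 2sec { die() };` instead of calling `terminate()`, and nothing explains what the two seconds are waiting for. If the delay lets Broker finish delivering outstanding messages before the peering is torn down (my assumption), say so next to the `schedule` call, for example `# Delay exit so pending Broker messages are delivered before the connection closes.`. A fixed delay also makes the test timing-dependent under load, so the comment should note how it relates to `btest-bg-wait -k 10`. The same undocumented `schedule 2sec { die() }` pattern appears in remove-item-cluster.bro and in the two field-extension-cluster tests.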
@@ -1,10 +1,6 @@ # @TEST-SERIALIZE: comm # -# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Communication::listen_port=65530/tcp +# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Broker::default_port=65530/tcp # @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65530/tcp Control::cmd=shutdown # @TEST-EXEC: btest-bg-wait 10 -redef Communication::nodes = { - # We're waiting for connections from this host for control. - ["control"] = [$host=127.0.0.1, $class="control", $events=Control::controller_events], -}; diff --git a/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro b/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro index 44a15a29bc..d12ab864f2 100644 --- a/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro +++ b/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro @@ -20,8 +20,6 @@ 2 TEST TEST @TEST-END-FILE -@load base/frameworks/communication # let network-time run - redef exit_only_after_terminate = T; module A; diff --git a/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro b/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro index 33455314cd..526d1e113f 100644 --- a/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro +++ b/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro @@ -57,8 +57,6 @@ redef exit_only_after_terminate = T; -@load base/frameworks/communication # let network-time run - redef InputAscii::empty_field = "EMPTY"; module A; diff --git a/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro b/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro index 16826873f4..0edc53a0e4 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro 
+++ b/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro @@ -4,7 +4,6 @@ # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff out redef exit_only_after_terminate = T; -@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats... global outfile: file; global processes_finished: count = 0; diff --git a/testing/btest/scripts/base/frameworks/input/raw/executestream.bro b/testing/btest/scripts/base/frameworks/input/raw/executestream.bro index 9ce2688296..77cb425fa4 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/executestream.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/executestream.bro @@ -26,7 +26,6 @@ sdf 3rw43wRRERLlL#RWERERERE. @TEST-END-FILE -@load base/frameworks/communication # let network-time run module A; diff --git a/testing/btest/scripts/base/frameworks/input/raw/offset.bro b/testing/btest/scripts/base/frameworks/input/raw/offset.bro index 5ab2d84655..7ce040e1c9 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/offset.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/offset.bro @@ -10,7 +10,6 @@ sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF @TEST-END-FILE redef exit_only_after_terminate = T; -@load base/frameworks/communication # keep network time running global outfile: file; global try: count; diff --git a/testing/btest/scripts/base/frameworks/input/raw/stderr.bro b/testing/btest/scripts/base/frameworks/input/raw/stderr.bro index 0eb312c3e6..8e3fcefe41 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/stderr.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/stderr.bro @@ -3,7 +3,6 @@ # @TEST-EXEC: btest-diff out redef exit_only_after_terminate = T; -@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats... type Val: record { s: string; 
diff --git a/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro b/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro index 84dd74e23c..6e45ba32b7 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro @@ -26,8 +26,6 @@ sdf 3rw43wRRERLlL#RWERERERE. @TEST-END-FILE -@load base/frameworks/communication # let network-time run - module A; type Val: record { diff --git a/testing/btest/scripts/base/frameworks/input/reread.bro b/testing/btest/scripts/base/frameworks/input/reread.bro index e55b4b4f0c..d8cb868d22 100644 --- a/testing/btest/scripts/base/frameworks/input/reread.bro +++ b/testing/btest/scripts/base/frameworks/input/reread.bro @@ -56,7 +56,6 @@ F -48 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz @TEST-END-FILE @load base/protocols/ssh -@load base/frameworks/communication # let network-time run redef exit_only_after_terminate = T; redef InputAscii::empty_field = "EMPTY"; diff --git a/testing/btest/scripts/base/frameworks/input/stream.bro b/testing/btest/scripts/base/frameworks/input/stream.bro index 75228ee102..ed497859aa 100644 --- a/testing/btest/scripts/base/frameworks/input/stream.bro +++ b/testing/btest/scripts/base/frameworks/input/stream.bro @@ -21,7 +21,6 @@ T -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz F -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} @TEST-END-FILE -@load base/frameworks/communication # keep network time running @load base/protocols/ssh redef exit_only_after_terminate = T; diff --git a/testing/btest/scripts/base/frameworks/input/twotables.bro b/testing/btest/scripts/base/frameworks/input/twotables.bro index 0e4436afa2..f0bedb2673 100644 --- a/testing/btest/scripts/base/frameworks/input/twotables.bro 
+++ b/testing/btest/scripts/base/frameworks/input/twotables.bro @@ -30,7 +30,6 @@ T -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz F -44 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} @TEST-END-FILE -@load base/frameworks/communication # keep network time running @load base/protocols/ssh redef exit_only_after_terminate = T; diff --git a/testing/btest/scripts/base/frameworks/intel/cluster-transparency.bro b/testing/btest/scripts/base/frameworks/intel/cluster-transparency.bro index 5bedf752d2..62aabf6888 100644 --- a/testing/btest/scripts/base/frameworks/intel/cluster-transparency.bro +++ b/testing/btest/scripts/base/frameworks/intel/cluster-transparency.bro @@ -11,19 +11,17 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1"], }; @TEST-END-FILE -@load base/frameworks/control - module Intel; redef Log::default_rotation_interval=0sec; -event remote_connection_handshake_done(p: event_peer) +event Cluster::node_up(name: string, id: string) { # Insert the data once both workers are connected. if ( Cluster::local_node_type() == Cluster::MANAGER && Cluster::worker_count == 2 ) 
@@ -34,12 +32,10 @@ event remote_connection_handshake_done(p: event_peer) global worker2_data = 0; global sent_data = F; -event Intel::cluster_new_item(item: Intel::Item) +# Watch for new indicators send to workers. +event Intel::insert_indicator(item: Intel::Item) { - if ( ! is_remote_event() ) - return; - - print fmt("cluster_new_item: %s inserted by %s (from peer: %s)", item$indicator, item$meta$source, get_event_peer()$descr); + print fmt("new_indicator: %s inserted by %s", item$indicator, item$meta$source); if ( ! sent_data ) { @@ -67,14 +63,26 @@ event Intel::cluster_new_item(item: Intel::Item) } } -event Intel::log_intel(rec: Intel::Info) +# Watch for remote inserts sent to the manager. +event Intel::insert_item(item: Intel::Item) { - event Control::shutdown_request(); + print fmt("insert_item: %s inserted by %s", item$indicator, item$meta$source); } -event remote_connection_closed(p: event_peer) +# Watch for new items. +event Intel::new_item(item: Intel::Item) + { + print fmt("new_item triggered for %s by %s on %s", item$indicator, + item$meta$source, Cluster::node); + } + +event Intel::log_intel(rec: Intel::Info) + { + terminate(); + } + +event Cluster::node_down(name: string, id: string) { # Cascading termination - #print fmt("disconnected from: %s", p); - terminate_communication(); + terminate(); } diff --git a/testing/btest/scripts/base/frameworks/intel/input-and-match.bro b/testing/btest/scripts/base/frameworks/intel/input-and-match.bro index 7150d30993..774f17fc57 100644 --- a/testing/btest/scripts/base/frameworks/intel/input-and-match.bro +++ b/testing/btest/scripts/base/frameworks/intel/input-and-match.bro @@ -11,8 +11,7 @@ e@mail.com Intel::EMAIL source1 Phishing email source http://some-data-distributor.com/100000 @TEST-END-FILE -@load frameworks/communication/listen - +redef exit_only_after_terminate = T; redef Intel::read_files += { "../intel.dat" }; redef enum Intel::Where += { SOMEWHERE }; 
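Review bot: The new `Intel::insert_indicator` handler in cluster-transparency.bro drops the `if ( ! is_remote_event() ) return;` guard that the old `Intel::cluster_new_item` handler had, and its `print` no longer includes `get_event_peer()$descr`. If `Intel::insert_indicator` can also be raised locally (not visible in this diff), the handler now runs for local inserts as well, and the output no longer shows which node an indicator arrived from. I would either keep the guard or state in the comment that only remote delivery is expected. The added comment also has a typo and should read `# Watch for new indicators sent to workers.`. The handler body continues past the end of this hunk.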
diff --git a/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro b/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro index f336fe24b3..5488c4938e 100644 --- a/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro +++ b/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro @@ -12,7 +12,7 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1"], }; diff --git a/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.bro b/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.bro index d13536a015..6cc0fbdea0 100644 --- a/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.bro +++ b/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.bro 
@@ -2,20 +2,18 @@ # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT -# @TEST-EXEC: btest-bg-wait -k 10 +# @TEST-EXEC: btest-bg-wait -k 13 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-1/.stdout # @TEST-EXEC: btest-diff manager-1/intel.log # @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1"], }; # @TEST-END-FILE -@load base/frameworks/control - module Intel; redef Log::default_rotation_interval=0sec; @@ -37,7 +35,7 @@ event test_worker() Intel::seen([$host=10.10.10.10, $where=Intel::IN_ANYWHERE]); } -event remote_connection_handshake_done(p: event_peer) +event Cluster::node_up(name: string, id: string) { # Insert the data once all workers are connected. if ( Cluster::local_node_type() == Cluster::MANAGER && Cluster::worker_count == 1 ) @@ -54,7 +52,7 @@ event remote_connection_handshake_done(p: event_peer) } global worker_data = 0; -event Intel::cluster_new_item(item: Intel::Item) +event Intel::insert_indicator(item: Intel::Item) { # Run test on worker-1 when all items have been inserted if ( Cluster::node == "worker-1" ) 
@@ -70,19 +68,24 @@ event Intel::remove_item(item: Item, purge_indicator: bool) print fmt("Removing %s (source: %s).", item$indicator, item$meta$source); } -event purge_item(item: Item) +event remove_indicator(item: Item) { print fmt("Purging %s.", item$indicator); } +event die() + { + terminate(); + } + event Intel::log_intel(rec: Intel::Info) { print "Logging intel hit!"; - event Control::shutdown_request(); + schedule 2sec { die() }; } -event remote_connection_closed(p: event_peer) +event Cluster::node_down(name: string, id: string) { # Cascading termination - terminate_communication(); + schedule 2sec { die() }; } diff --git a/testing/btest/scripts/base/frameworks/intel/updated-match.bro b/testing/btest/scripts/base/frameworks/intel/updated-match.bro index 75063d4b8f..fd7c738210 100644 --- a/testing/btest/scripts/base/frameworks/intel/updated-match.bro +++ b/testing/btest/scripts/base/frameworks/intel/updated-match.bro @@ -28,7 +28,6 @@ 4.3.2.1 Intel::ADDR source2 this host might also be baaad http://some-data-distributor.com/4321 T # @TEST-END-FILE -@load base/frameworks/communication # let network-time run @load frameworks/intel/do_notice redef exit_only_after_terminate = T; diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro index 6ac7a5efce..6ddcd0ddb7 100644 --- a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro +++ b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro 
@@ -4,20 +4,25 @@ # @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT" # @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: btest-diff manager-1/reporter.log +# @TEST-EXEC: cat manager-1/reporter.log | grep -v "reporter/" > manager-reporter.log +# @TEST-EXEC: btest-diff manager-reporter.log @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], }; @TEST-END-FILE -redef Log::default_rotation_interval = 0secs; - @load base/protocols/conn +@if ( Cluster::node == "worker-1" ) +redef exit_only_after_terminate = T; +@endif + +redef Log::default_rotation_interval = 0secs; + redef Log::default_scope_sep="_"; type Extension: record { @@ -39,11 +44,32 @@ redef Log::default_ext_func = add_extension; @endif -event terminate_me() { +event die() + { terminate(); -} + } -event remote_connection_closed(p: event_peer) { - schedule 1sec { terminate_me() }; -} +event slow_death() + { + Broker::flush_logs(); + schedule 2sec { die() }; + } +event kill_worker() + { + Broker::publish("death", slow_death); + } + +event bro_init() + { + if ( Cluster::node == "worker-1" ) + Broker::subscribe("death"); + + if ( Cluster::node == "manager-1" ) + schedule 13sec { kill_worker() }; + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + schedule 2sec { die() }; + } diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro index fb51251f8c..711a1286aa 100644 --- a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro 
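Review bot: The shutdown path added to field-extension-cluster-error.bro repeats the bare topic literal `"death"` in `Broker::publish("death", slow_death)` and `Broker::subscribe("death")`, and its fixed `schedule 13sec { kill_worker() }` is not explained. A single constant such as `const death_topic = "death";` used in both calls keeps publisher and subscriber from drifting apart. The 13-second timer needs a comment relating it to `btest-bg-wait 20`: presumably it has to outlast the pseudo-realtime trace replay while leaving room for the 2-second `die()` delays. The added `cat manager-1/reporter.log | grep -v "reporter/"` can be written as `grep -v "reporter/" manager-1/reporter.log`. field-extension-cluster.bro adds the identical handlers, so the topic and timer points apply there too.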
+++ b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro @@ -9,15 +9,19 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], }; @TEST-END-FILE -redef Log::default_rotation_interval = 0secs; - @load base/protocols/conn +@if ( Cluster::node == "worker-1" ) +redef exit_only_after_terminate = T; +@endif + +redef Log::default_rotation_interval = 0secs; + redef Log::default_scope_sep="_"; type Extension: record { @@ -35,11 +39,32 @@ function add_extension(path: string): Extension redef Log::default_ext_func = add_extension; -event terminate_me() { +event die() + { terminate(); -} + } -event remote_connection_closed(p: event_peer) { - schedule 1sec { terminate_me() }; -} +event slow_death() + { + Broker::flush_logs(); + schedule 2sec { die() }; + } +event kill_worker() + { + Broker::publish("death", slow_death); + } + +event bro_init() + { + if ( Cluster::node == "worker-1" ) + Broker::subscribe("death"); + + if ( Cluster::node == "manager-1" ) + schedule 13sec { kill_worker() }; + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + schedule 2sec { die() }; + } diff --git a/testing/btest/scripts/base/frameworks/logging/remote-config.bro b/testing/btest/scripts/base/frameworks/logging/remote-config.bro deleted file mode 100644 index 9fd94acc7d..0000000000 --- a/testing/btest/scripts/base/frameworks/logging/remote-config.bro +++ /dev/null 
@@ -1,94 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run sender bro -b --pseudo-realtime %INPUT ../sender.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run receiver bro -b --pseudo-realtime %INPUT ../receiver.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-wait 15 -# @TEST-EXEC: btest-diff sender/test.log -# @TEST-EXEC: btest-diff sender/test.failure.log -# @TEST-EXEC: btest-diff sender/test.success.log -# @TEST-EXEC: ( cd sender && for i in *.log; do cat $i | $SCRIPTS/diff-remove-timestamps >c.$i; done ) -# @TEST-EXEC: ( cd receiver && for i in *.log; do cat $i | $SCRIPTS/diff-remove-timestamps >c.$i; done ) -# @TEST-EXEC: cmp receiver/c.test.log sender/c.test.log -# @TEST-EXEC: cmp receiver/c.test.failure.log sender/c.test.failure.log -# @TEST-EXEC: cmp receiver/c.test.success.log sender/c.test.success.log - -# This is the common part loaded by both sender and receiver. -module Test; - -export { - # Create a new ID for our log stream - redef enum Log::ID += { LOG }; - - # Define a record with all the columns the log file can have. - # (I'm using a subset of fields from ssh-ext for demonstration.) - type Log: record { - t: time; - id: conn_id; # Will be rolled out into individual columns. 
- status: string &optional; - country: string &default="unknown"; - } &log; -} - -event bro_init() -{ - Log::create_stream(Test::LOG, [$columns=Log]); - Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]); -} - -##### - -@TEST-START-FILE sender.bro - -@load frameworks/communication/listen - -module Test; - -function fail(rec: Log): bool - { - return rec$status != "success"; - } - -event remote_connection_handshake_done(p: event_peer) - { - local config: table[string] of string; - config["tsv"] = "T"; - Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $pred=fail, $config=config]); - - local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - - local r: Log = [$t=network_time(), $id=cid, $status="success"]; - - # Log something. - Log::write(Test::LOG, r); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); - disconnect(p); - } - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE - -@TEST-START-FILE receiver.bro - -##### - -@load base/frameworks/communication - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $connect=T, $request_logs=T] -}; - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/logging/remote-types.bro b/testing/btest/scripts/base/frameworks/logging/remote-types.bro deleted file mode 100644 index b8425428d3..0000000000 --- a/testing/btest/scripts/base/frameworks/logging/remote-types.bro +++ /dev/null 
@@ -1,91 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run sender bro -B threading,logging --pseudo-realtime %INPUT ../sender.bro -# @TEST-EXEC: btest-bg-run receiver bro -B threading,logging --pseudo-realtime %INPUT ../receiver.bro -# @TEST-EXEC: btest-bg-wait -k 10 -# @TEST-EXEC: btest-diff receiver/test.log -# @TEST-EXEC: cat receiver/test.log | egrep -v '#open|#close' >r.log -# @TEST-EXEC: cat sender/test.log | egrep -v '#open|#close' >s.log -# @TEST-EXEC: cmp r.log s.log - -# Remote version testing all types. - -# This is the common part loaded by both sender and receiver. - -redef LogAscii::empty_field = "EMPTY"; - -module Test; - -export { - # Create a new ID for our log stream - redef enum Log::ID += { LOG }; - - type Log: record { - b: bool; - i: int; - e: Log::ID; - c: count; - p: port; - sn: subnet; - a: addr; - d: double; - t: time; - iv: interval; - s: string; - sc: set[count]; - ss: set[string]; - se: set[string]; - vc: vector of count; - ve: vector of string; - } &log; -} - -event bro_init() -{ - Log::create_stream(Test::LOG, [$columns=Log]); -} - -##### - -@TEST-START-FILE sender.bro - -module Test; - -@load frameworks/communication/listen - -event remote_connection_handshake_done(p: event_peer) - { - local empty_set: set[string]; - local empty_vector: vector of string; - - Log::write(Test::LOG, [ - $b=T, - $i=-42, - $e=Test::LOG, - $c=21, - $p=123/tcp, - $sn=10.0.0.1/24, - $a=1.2.3.4, - $d=3.14, - $t=network_time(), - $iv=100secs, - $s="hurz", - $sc=set(1,2,3,4), - $ss=set("AA", "BB", "CC"), - $se=empty_set, - $vc=vector(10, 20, 30), - $ve=empty_vector - ]); - disconnect(p); - } -@TEST-END-FILE - -@TEST-START-FILE receiver.bro - -##### - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $connect=T, $request_logs=T] -}; - -@TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/logging/remote.bro b/testing/btest/scripts/base/frameworks/logging/remote.bro deleted file mode 100644 index ba577cc92b..0000000000 
--- a/testing/btest/scripts/base/frameworks/logging/remote.bro +++ /dev/null 
@@ -1,92 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run sender bro -b --pseudo-realtime %INPUT ../sender.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run receiver bro -b --pseudo-realtime %INPUT ../receiver.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-wait 15 -# @TEST-EXEC: btest-diff sender/test.log -# @TEST-EXEC: btest-diff sender/test.failure.log -# @TEST-EXEC: btest-diff sender/test.success.log -# @TEST-EXEC: ( cd sender && for i in *.log; do cat $i | $SCRIPTS/diff-remove-timestamps >c.$i; done ) -# @TEST-EXEC: ( cd receiver && for i in *.log; do cat $i | $SCRIPTS/diff-remove-timestamps >c.$i; done ) -# @TEST-EXEC: cmp receiver/c.test.log sender/c.test.log -# @TEST-EXEC: cmp receiver/c.test.failure.log sender/c.test.failure.log -# @TEST-EXEC: cmp receiver/c.test.success.log sender/c.test.success.log - -# This is the common part loaded by both sender and receiver. -module Test; - -export { - # Create a new ID for our log stream - redef enum Log::ID += { LOG }; - - # Define a record with all the columns the log file can have. - # (I'm using a subset of fields from ssh-ext for demonstration.) - type Log: record { - t: time; - id: conn_id; # Will be rolled out into individual columns. 
- status: string &optional; - country: string &default="unknown"; - } &log; -} - -event bro_init() -{ - Log::create_stream(Test::LOG, [$columns=Log]); - Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]); -} - -##### - -@TEST-START-FILE sender.bro - -@load frameworks/communication/listen - -module Test; - -function fail(rec: Log): bool - { - return rec$status != "success"; - } - -event remote_connection_handshake_done(p: event_peer) - { - Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $pred=fail]); - - local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - - local r: Log = [$t=network_time(), $id=cid, $status="success"]; - - # Log something. - Log::write(Test::LOG, r); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); - disconnect(p); - } - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE - -@TEST-START-FILE receiver.bro - -##### - -@load base/frameworks/communication - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $connect=T, $request_logs=T] -}; - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro index e131ec1dc0..2928e3d9a0 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro 
@@ -1,7 +1,6 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.bro broker_port=$BROKER_PORT >send.out" +# @TEST-SERIALIZE: comm +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.bro >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff recv/recv.out @@ -11,13 +10,12 @@ @load base/frameworks/netcontrol -const broker_port: port &redef; redef exit_only_after_terminate = T; event NetControl::init() { suspend_processing(); - local netcontrol_acld = NetControl::create_acld(NetControl::AcldConfig($acld_host=127.0.0.1, $acld_port=broker_port, $acld_topic="bro/event/netcontroltest")); + local netcontrol_acld = NetControl::create_acld(NetControl::AcldConfig($acld_host=127.0.0.1, $acld_port=Broker::default_port, $acld_topic="bro/event/netcontroltest")); NetControl::activate(netcontrol_acld, 0); } @@ -26,15 +24,12 @@ event NetControl::init_done() continue_processing(); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", peer_address, peer_port; + print "Broker peer added", endpoint$network; } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } 
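Review bot: The sender side of acld-hook.bro (hunk @@ -11,13 +10,12 @@) now connects to `Broker::default_port`, and the receiver in @@ -86,36 +81,41 @@ calls `Broker::listen("127.0.0.1")` without a port, so the test depends on one fixed port instead of the per-run `$BROKER_PORT` it used before. `@TEST-SERIALIZE: comm` only orders btest cases against each other; a Bro or Broker process already bound to that port on the build host would presumably make the listen fail, or let the sender peer with an endpoint that is not the test receiver. Keeping the port injectable, e.g. `const broker_port: port &redef;` with `Broker::listen("127.0.0.1", broker_port);` and `$acld_port=broker_port`, preserves that isolation. The same substitution is made in acld.bro, broker.bro and openflow/broker-basic.bro.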
@@ -86,36 +81,41 @@ event NetControl::rule_removed(r: NetControl::Rule, p: NetControl::PluginState, @load base/frameworks/netcontrol @load base/frameworks/broker -const broker_port: port &redef; redef exit_only_after_terminate = T; +event die() + { + terminate(); + } + event bro_init() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/netcontroltest"); - Broker::listen(broker_port, "127.0.0.1"); + Broker::subscribe("bro/event/netcontroltest"); + Broker::listen("127.0.0.1"); } -event Broker::incoming_connection_established(peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_established"; + print "Broker peer added"; } event NetControl::acld_add_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule) { print "add_rule", id, r$entity, r$ty, ar; - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_added, id, r, ar$command)); + Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_added, id, r, ar$command); } event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule) { print "remove_rule", id, r$entity, r$ty, ar; - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command)); + Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_removed, id, r, ar$command); if ( r$cid == 4 ) - terminate(); + { + schedule 2sec { die() }; + } } @TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro index e13b1d340e..b802536eec 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro 
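Review bot: The `schedule 2sec { die() };` that replaces the direct `terminate()` in `NetControl::acld_remove_rule` carries no comment explaining the delay. Presumably it gives Broker time to deliver the final `Broker::publish` before the receiver exits, which ties the test result to wall-clock timing under the `btest-bg-wait 20` budget. A comment such as `# Delay shutdown so the last published event can reach the peer before we exit.` on the `die()` handler would record the intent. The same pattern is added in acld.bro, broker.bro and openflow/broker-basic.bro, so the comment belongs there as well.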
@@ -1,7 +1,6 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.bro broker_port=$BROKER_PORT >send.out" +# @TEST-SERIALIZE: comm +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.bro >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff send/netcontrol.log @@ -12,21 +11,18 @@ @load base/frameworks/netcontrol -const broker_port: port &redef; redef exit_only_after_terminate = T; event NetControl::init() { suspend_processing(); - local netcontrol_acld = NetControl::create_acld(NetControl::AcldConfig($acld_host=127.0.0.1, $acld_port=broker_port, $acld_topic="bro/event/netcontroltest")); + local netcontrol_acld = NetControl::create_acld(NetControl::AcldConfig($acld_host=127.0.0.1, $acld_port=Broker::default_port, $acld_topic="bro/event/netcontroltest")); NetControl::activate(netcontrol_acld, 0); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", peer_address, peer_port; + print "Broker peer added", endpoint$network; } event NetControl::init_done() @@ -34,8 +30,7 @@ event NetControl::init_done() continue_processing(); } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } 
@@ -91,19 +86,22 @@ event NetControl::rule_error(r: NetControl::Rule, p: NetControl::PluginState, ms @load base/frameworks/netcontrol @load base/frameworks/broker -const broker_port: port &redef; redef exit_only_after_terminate = T; +event die() + { + terminate(); + } + event bro_init() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/netcontroltest"); - Broker::listen(broker_port, "127.0.0.1"); + Broker::subscribe("bro/event/netcontroltest"); + Broker::listen("127.0.0.1"); } -event Broker::incoming_connection_established(peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_established"; + print "Broker peer added"; } event NetControl::acld_add_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule) @@ -111,9 +109,9 @@ event NetControl::acld_add_rule(id: count, r: NetControl::Rule, ar: NetControl:: print "add_rule", id, r$entity, r$ty, ar; if ( r$cid != 3 ) - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_added, id, r, ar$command)); + Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_added, id, r, ar$command); else - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_exists, id, r, ar$command)); + Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_exists, id, r, ar$command); } event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule) 
@@ -121,12 +119,14 @@ event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetContro print "remove_rule", id, r$entity, r$ty, ar; if ( r$cid != 2 ) - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command)); + Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_removed, id, r, ar$command); else - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_error, id, r, ar$command)); + Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_error, id, r, ar$command); if ( r$cid == 4 ) - terminate(); + { + schedule 2sec { die() }; + } } @TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro index 9bbb3beb77..bdf7f3f75d 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro @@ -11,7 +11,7 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth0"], }; @@ -28,7 +28,7 @@ event bro_init() suspend_processing(); } -event remote_connection_handshake_done(p: event_peer) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { continue_processing(); } 
@@ -51,9 +51,10 @@ event terminate_me() { terminate(); } -event remote_connection_closed(p: event_peer) { +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { schedule 1sec { terminate_me() }; -} + } event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string &default="") { diff --git a/testing/btest/scripts/base/frameworks/netcontrol/broker.bro b/testing/btest/scripts/base/frameworks/netcontrol/broker.bro index 4fd29c499d..75ad035f69 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/broker.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/broker.bro @@ -1,7 +1,6 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.bro broker_port=$BROKER_PORT >send.out" +# @TEST-SERIALIZE: comm +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.bro >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff send/netcontrol.log @@ -12,13 +11,12 @@ @load base/frameworks/netcontrol -const broker_port: port &redef; redef exit_only_after_terminate = T; event NetControl::init() { suspend_processing(); - local netcontrol_broker = NetControl::create_broker(NetControl::BrokerConfig($host=127.0.0.1, $bport=broker_port, $topic="bro/event/netcontroltest"), T); + local netcontrol_broker = NetControl::create_broker(NetControl::BrokerConfig($host=127.0.0.1, $bport=Broker::default_port, $topic="bro/event/netcontroltest"), T); NetControl::activate(netcontrol_broker, 0); } 
@@ -27,15 +25,12 @@ event NetControl::init_done() continue_processing(); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", peer_address, peer_port; + print "Broker peer added", endpoint$network; } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } @@ -75,19 +70,22 @@ event NetControl::rule_timeout(r: NetControl::Rule, i: NetControl::FlowInfo, p: @load base/frameworks/netcontrol @load base/frameworks/broker -const broker_port: port &redef; redef exit_only_after_terminate = T; +event die() + { + terminate(); + } + event bro_init() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/netcontroltest"); - Broker::listen(broker_port, "127.0.0.1"); + Broker::subscribe("bro/event/netcontroltest"); + Broker::listen("127.0.0.1"); } -event Broker::incoming_connection_established(peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_established"; + print "Broker peer added"; } event NetControl::broker_add_rule(id: count, r: NetControl::Rule) 
@@ -95,22 +93,24 @@ event NetControl::broker_add_rule(id: count, r: NetControl::Rule) print "add_rule", id, r$entity, r$ty; if ( r$cid == 3 ) - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_added, id, r, "")); + Broker::publish("bro/event/netcontroltest", NetControl::broker_rule_added, id, r, ""); if ( r$cid == 2 ) - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_exists, id, r, "")); + Broker::publish("bro/event/netcontroltest", NetControl::broker_rule_exists, id, r, ""); if ( r$cid == 2 ) - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_timeout, id, r, NetControl::FlowInfo())); + Broker::publish("bro/event/netcontroltest", NetControl::broker_rule_timeout, id, r, NetControl::FlowInfo()); } event NetControl::broker_remove_rule(id: count, r: NetControl::Rule, reason: string) { print "remove_rule", id, r$entity, r$ty, reason; - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_removed, id, r, "")); + Broker::publish("bro/event/netcontroltest", NetControl::broker_rule_removed, id, r, ""); if ( r$cid == 3 ) - terminate(); + { + schedule 2sec { die() }; + } } @TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/notice/cluster.bro b/testing/btest/scripts/base/frameworks/notice/cluster.bro index 47932edb8e..6784daf068 100644 --- a/testing/btest/scripts/base/frameworks/notice/cluster.bro +++ b/testing/btest/scripts/base/frameworks/notice/cluster.bro 
@@ -9,9 +9,9 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=27757/tcp, $workers=set("worker-1")], - ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=27758/tcp, $manager="manager-1", $workers=set("worker-1")], - ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=27760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=27757/tcp], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=27758/tcp, $manager="manager-1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=27760/tcp, $manager="manager-1", $interface="eth0"], }; @TEST-END-FILE @@ -21,44 +21,37 @@ redef enum Notice::Type += { Test_Notice, }; -event remote_connection_closed(p: event_peer) +event Cluster::node_down(name: string, id: string) { terminate(); } -global ready: event(); - -redef Cluster::manager2worker_events += /ready/; - event delayed_notice() { if ( Cluster::node == "worker-1" ) NOTICE([$note=Test_Notice, $msg="test notice!"]); } -@if ( Cluster::local_node_type() == Cluster::WORKER ) - event ready() { schedule 1secs { delayed_notice() }; } -@endif - @if ( Cluster::local_node_type() == Cluster::MANAGER ) global peer_count = 0; -event remote_connection_handshake_done(p: event_peer) +event Cluster::node_up(name: string, id: string) { peer_count = peer_count + 1; + if ( peer_count == 2 ) - event ready(); + Broker::publish(Cluster::worker_topic, ready); } event Notice::log_notice(rec: Notice::Info) { - terminate_communication(); + terminate(); } @endif diff --git a/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro index 5010da82cc..c67512853f 100644 --- a/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro +++ b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro 
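Review bot: The manager's `Cluster::node_up` handler in notice/cluster.bro (hunk @@ -21,44 +21,37 @@) publishes `ready` when `peer_count == 2`, a literal that has to be kept in step by hand with the `Cluster::nodes` table in the cluster-layout section above it; suppression-cluster.bro does the same with `3`. Deriving the threshold from the layout, e.g. `if ( peer_count == |Cluster::nodes| - 1 )`, keeps the two from drifting apart when a node is added or removed. The exact-equality test also means a second `node_up` for a reconnecting node would push the counter past the threshold without publishing again, which is probably acceptable for a test but worth a one-line comment.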
@@ -10,10 +10,10 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=27757/tcp, $workers=set("worker-1", "worker-2")], - ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=27758/tcp, $manager="manager-1", $workers=set("worker-1", "worker-2")], - ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=27760/tcp, $manager="manager-1", $proxy="proxy-1"], - ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=27761/tcp, $manager="manager-1", $proxy="proxy-1"], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=27757/tcp], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=27758/tcp, $manager="manager-1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=27760/tcp, $manager="manager-1"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=27761/tcp, $manager="manager-1"], }; @TEST-END-FILE @@ -23,15 +23,11 @@ redef enum Notice::Type += { Test_Notice, }; -event remote_connection_closed(p: event_peer) +event Cluster::node_down(name: string, id: string) { terminate(); } -global ready: event(); - -redef Cluster::manager2worker_events += /ready/; - event delayed_notice() { NOTICE([$note=Test_Notice, @@ -39,8 +35,6 @@ event delayed_notice() $identifier="this identifier is static"]); } -@if ( Cluster::local_node_type() == Cluster::WORKER ) - event ready() { if ( Cluster::node == "worker-1" ) @@ -52,20 +46,19 @@ event ready() event Notice::suppressed(n: Notice::Info) { if ( Cluster::node == "worker-1" ) - terminate_communication(); + terminate(); } -@endif - @if ( Cluster::local_node_type() == Cluster::MANAGER ) global peer_count = 0; -event remote_connection_handshake_done(p: event_peer) +event Cluster::node_up(name: string, id: string) { peer_count = peer_count + 1; + if ( peer_count == 3 ) - event ready(); + Broker::publish(Cluster::worker_topic, ready); } @endif 
diff --git a/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro b/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro index 9250590013..83f83c15b4 100644 --- a/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro +++ b/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro @@ -1,7 +1,6 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.bro broker_port=$BROKER_PORT >send.out" +# @TEST-SERIALIZE: comm +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.bro >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff recv/recv.out @@ -12,7 +11,6 @@ @load base/protocols/conn @load base/frameworks/openflow -const broker_port: port &redef; redef exit_only_after_terminate = T; global of_controller: OpenFlow::Controller; @@ -20,14 +18,17 @@ global of_controller: OpenFlow::Controller; event bro_init() { suspend_processing(); - of_controller = OpenFlow::broker_new("broker1", 127.0.0.1, broker_port, "bro/event/openflow", 42); + of_controller = OpenFlow::broker_new("broker1", 127.0.0.1, Broker::default_port, "bro/openflow", 42); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", peer_address, peer_port; + print "Broker peer added", endpoint$network; + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); } event OpenFlow::controller_activated(name: string, controller: OpenFlow::Controller) 
@@ -37,12 +38,6 @@ event OpenFlow::controller_activated(name: string, controller: OpenFlow::Control OpenFlow::flow_mod(of_controller, [], [$cookie=OpenFlow::generate_cookie(1), $command=OpenFlow::OFPFC_ADD, $actions=[$out_ports=vector(3, 7)]]); } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) - { - terminate(); - } - event connection_established(c: connection) { print "connection established"; @@ -76,21 +71,29 @@ event OpenFlow::flow_mod_failure(name: string, match: OpenFlow::ofp_match, flow_ @load base/frameworks/openflow -const broker_port: port &redef; redef exit_only_after_terminate = T; global msg_count: count = 0; -event bro_init() +event die() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/openflow"); - Broker::listen(broker_port, "127.0.0.1"); + terminate(); } -event Broker::incoming_connection_established(peer_name: string) +event bro_init() { - print "Broker::incoming_connection_established"; + Broker::subscribe("bro/openflow"); + Broker::listen("127.0.0.1"); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print "Broker peer added"; + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); } function got_message() @@ -98,14 +101,16 @@ function got_message() ++msg_count; if ( msg_count >= 4 ) - terminate(); + { + schedule 2sec { die() }; + } } event OpenFlow::broker_flow_mod(name: string, dpid: count, match: OpenFlow::ofp_match, flow_mod: OpenFlow::ofp_flow_mod) { print "got flow_mod", dpid, match, flow_mod; - Broker::send_event("bro/event/openflow", Broker::event_args(OpenFlow::flow_mod_success, name, match, flow_mod, "")); - Broker::send_event("bro/event/openflow", Broker::event_args(OpenFlow::flow_mod_failure, name, match, flow_mod, "")); + Broker::publish("bro/openflow", OpenFlow::flow_mod_success, name, match, flow_mod, ""); + Broker::publish("bro/openflow", OpenFlow::flow_mod_failure, name, match, flow_mod, ""); got_message(); } 
@@ -115,6 +120,5 @@ event OpenFlow::broker_flow_clear(name: string, dpid: count) got_message(); } - @TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro b/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro index cccf60cf99..c618be7e65 100644 --- a/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro +++ b/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro @@ -8,7 +8,7 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], }; @TEST-END-FILE @@ -26,9 +26,22 @@ event bro_init() of_controller = OpenFlow::log_new(42); } +event terminate_me() + { + terminate(); + } + +global done = F; + event connection_established(c: connection) { + if ( done ) + return; + + done = T; + print "conn established"; + local match = OpenFlow::match_conn(c$id); local match_rev = OpenFlow::match_conn(c$id, T); @@ -42,14 +55,11 @@ event connection_established(c: connection) OpenFlow::flow_mod(of_controller, match, flow_mod); OpenFlow::flow_mod(of_controller, match_rev, flow_mod); - terminate(); + schedule 2sec { terminate_me() }; } -event terminate_me() { - terminate(); -} - -event remote_connection_closed(p: event_peer) { - schedule 1sec { terminate_me() }; -} +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + schedule 2sec { terminate_me() }; + } diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro index d2fd592855..2c744228a0 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro 
@@ -10,7 +10,7 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], }; @@ -37,13 +37,12 @@ event bro_init() &priority=5 }]); } -event remote_connection_closed(p: event_peer) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } global ready_for_data: event(); -redef Cluster::manager2worker_events += /^ready_for_data$/; event ready_for_data() { @@ -71,10 +70,17 @@ event ready_for_data() @if ( Cluster::local_node_type() == Cluster::MANAGER ) +event bro_init() &priority=100 + { + Broker::auto_publish(Cluster::worker_topic, ready_for_data); + } + global peer_count = 0; -event remote_connection_handshake_done(p: event_peer) &priority=-5 + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { ++peer_count; + if ( peer_count == 2 ) event ready_for_data(); } diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic.bro b/testing/btest/scripts/base/frameworks/sumstats/basic.bro index d2cd51cc9e..40f269ab1a 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/basic.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/basic.bro @@ -1,5 +1,5 @@ # @TEST-EXEC: btest-bg-run standalone bro %INPUT -# @TEST-EXEC: btest-bg-wait 5 +# @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff standalone/.stdout redef exit_only_after_terminate=T; diff --git a/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro index 4fb6b817d3..ae0f093c27 100644 
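Review bot: The manager in sumstats/basic-cluster.bro (hunk @@ -71,10 +70,17 @@) raises `ready_for_data` after two `Broker::peer_added` events, whereas notice/cluster.bro and notice/suppression-cluster.bro in this same patch count `Cluster::node_up`. `peer_added` reports a Broker-level connection; whether the worker has finished its cluster setup and subscribed to `Cluster::worker_topic` by then is not visible in the hunk, so the auto-published event may be sent before a worker can receive it. Counting in `event Cluster::node_up(name: string, id: string)` instead would make the tests consistent and, if that event follows the cluster handshake, less timing-sensitive. The old handler's `&priority=-5` is dropped without a note on whether ordering against other handlers still matters.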
--- a/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro @@ -9,7 +9,7 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], }; @@ -43,7 +43,7 @@ event bro_init() &priority=5 }]); } -event remote_connection_closed(p: event_peer) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } @@ -56,9 +56,9 @@ event do_stats(i: count) SumStats::observe("test.metric", [$host=1.2.3.4], [$num=i]); } -event remote_connection_handshake_done(p: event_peer) +event Cluster::node_up(name: string, id: string) { - if ( p$descr == "manager-1" ) + if ( name == "manager-1" ) { if ( Cluster::node == "worker-1" ) { @@ -69,5 +69,3 @@ event remote_connection_handshake_done(p: event_peer) schedule 0.5sec { do_stats(40) }; } } - - diff --git a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro index 4e3e765500..ac2aacc03c 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro 
@@ -11,7 +11,7 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], }; @@ -29,13 +29,17 @@ event bro_init() &priority=5 $reducers=set(r1)]); } -event remote_connection_closed(p: event_peer) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } global ready_for_data: event(); -redef Cluster::manager2worker_events += /^ready_for_data$/; + +event bro_init() + { + Broker::auto_publish(Cluster::worker_topic, ready_for_data); + } event on_demand() { @@ -72,8 +76,11 @@ event ready_for_data() } global peer_count = 0; -event remote_connection_handshake_done(p: event_peer) &priority=-5 +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { + if ( Cluster::node != "manager-1" ) + return; + ++peer_count; if ( peer_count == 2 ) { diff --git a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro index 1f2bab0229..935a57bb5d 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro 
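Review bot: In sumstats/on-demand-cluster.bro the new `bro_init` that calls `Broker::auto_publish(Cluster::worker_topic, ready_for_data)` (hunk @@ -29,13 +29,17 @@) appears to sit outside any manager-only block, so workers register the same auto-publish; basic-cluster.bro puts the identical call inside `@if ( Cluster::local_node_type() == Cluster::MANAGER )`. The `peer_added` handler in @@ -72,8 +76,11 @@ then guards itself with the string comparison `Cluster::node != "manager-1"`, which hard-codes a node name from the layout. Using `if ( Cluster::local_node_type() != Cluster::MANAGER ) return;`, or wrapping both the `bro_init` and the handler in the `@if` block as basic-cluster.bro does, would keep the four sumstats cluster tests consistent. sample-cluster.bro and topk-cluster.bro add the same unguarded `bro_init`.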
@@ -9,7 +9,7 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], }; @@ -39,13 +39,18 @@ event bro_init() &priority=5 }]); } -event remote_connection_closed(p: event_peer) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } global ready_for_data: event(); -redef Cluster::manager2worker_events += /^ready_for_data$/; + +event bro_init() + { + Broker::auto_publish(Cluster::worker_topic, ready_for_data); + + } event ready_for_data() { @@ -101,7 +106,7 @@ event ready_for_data() @if ( Cluster::local_node_type() == Cluster::MANAGER ) global peer_count = 0; -event remote_connection_handshake_done(p: event_peer) &priority=-5 +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { ++peer_count; if ( peer_count == 2 ) diff --git a/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro index d26cee4244..57a08aa040 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro 
@@ -10,7 +10,7 @@ # @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], }; @@ -45,13 +45,17 @@ event bro_init() &priority=5 } -event remote_connection_closed(p: event_peer) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } global ready_for_data: event(); -redef Cluster::manager2worker_events += /^ready_for_data$/; + +event bro_init() + { + Broker::auto_publish(Cluster::worker_topic, ready_for_data); + } event ready_for_data() { @@ -96,7 +100,7 @@ event ready_for_data() @if ( Cluster::local_node_type() == Cluster::MANAGER ) global peer_count = 0; -event remote_connection_handshake_done(p: event_peer) &priority=-5 +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { ++peer_count; if ( peer_count == 2 ) diff --git a/testing/btest/scripts/base/utils/active-http.test b/testing/btest/scripts/base/utils/active-http.test index dbd3fbe141..97d06448ca 100644 --- a/testing/btest/scripts/base/utils/active-http.test +++ b/testing/btest/scripts/base/utils/active-http.test @@ -9,7 +9,6 @@ # @TEST-EXEC: btest-diff output @load base/utils/active-http -@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats... redef exit_only_after_terminate = T; global c: count = 0; diff --git a/testing/btest/scripts/base/utils/dir.test b/testing/btest/scripts/base/utils/dir.test index aa9ee62315..76ec5d4fb5 100644 --- a/testing/btest/scripts/base/utils/dir.test +++ b/testing/btest/scripts/base/utils/dir.test 
@@ -5,7 +5,6 @@ @TEST-START-FILE dirtest.bro @load base/utils/dir -@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats... redef exit_only_after_terminate = T; global c: count = 0; diff --git a/testing/btest/scripts/base/utils/exec.test b/testing/btest/scripts/base/utils/exec.test index 389527bcfc..0b926df402 100644 --- a/testing/btest/scripts/base/utils/exec.test +++ b/testing/btest/scripts/base/utils/exec.test @@ -5,7 +5,6 @@ @TEST-START-FILE exectest.bro @load base/utils/exec -@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats... redef exit_only_after_terminate = T; global c: count = 0; diff --git a/testing/btest/scripts/base/utils/hash_hrw.bro b/testing/btest/scripts/base/utils/hash_hrw.bro new file mode 100644 index 0000000000..90f87f6f46 --- /dev/null +++ b/testing/btest/scripts/base/utils/hash_hrw.bro 
@@ -0,0 +1,57 @@ +# @TEST-EXEC: bro -b %INPUT > output +# @TEST-EXEC: btest-diff output + +@load base/utils/hash_hrw + +local pool = HashHRW::Pool(); +local alice = HashHRW::Site($id=0, $user_data="alice"); +local bob = HashHRW::Site($id=1, $user_data="bob"); +local charlie = HashHRW::Site($id=2, $user_data="charlie"); +local dave = HashHRW::Site($id=3, $user_data="dave"); +local eve = HashHRW::Site($id=4, $user_data="eve"); + +print HashHRW::add_site(pool, alice); +print HashHRW::add_site(pool, alice); +print HashHRW::add_site(pool, bob); +print HashHRW::add_site(pool, charlie); +print HashHRW::add_site(pool, dave); +print HashHRW::add_site(pool, eve); +print HashHRW::rem_site(pool, charlie); +print HashHRW::rem_site(pool, charlie); + +print HashHRW::get_site(pool, "one"); +print HashHRW::get_site(pool, "two"); +print HashHRW::get_site(pool, "three"); +print HashHRW::get_site(pool, "four"); +print HashHRW::get_site(pool, "four"); +print HashHRW::get_site(pool, "five"); +print HashHRW::get_site(pool, "six"); +print HashHRW::get_site(pool, 1); +print HashHRW::get_site(pool, 2); +print HashHRW::get_site(pool, 3); + +print HashHRW::rem_site(pool, alice); + +print HashHRW::get_site(pool, "one"); +print HashHRW::get_site(pool, "two"); +print HashHRW::get_site(pool, "three"); +print HashHRW::get_site(pool, "four"); +print HashHRW::get_site(pool, "four"); +print HashHRW::get_site(pool, "five"); +print HashHRW::get_site(pool, "six"); +print HashHRW::get_site(pool, 1); +print HashHRW::get_site(pool, 2); +print HashHRW::get_site(pool, 3); + +print HashHRW::add_site(pool, alice); + +print HashHRW::get_site(pool, "one"); +print HashHRW::get_site(pool, "two"); +print HashHRW::get_site(pool, "three"); +print HashHRW::get_site(pool, "four"); +print HashHRW::get_site(pool, "four"); +print HashHRW::get_site(pool, "five"); +print HashHRW::get_site(pool, "six"); +print HashHRW::get_site(pool, 1); +print HashHRW::get_site(pool, 2); +print HashHRW::get_site(pool, 3); 
diff --git a/testing/btest/scripts/policy/frameworks/software/version-changes.bro b/testing/btest/scripts/policy/frameworks/software/version-changes.bro new file mode 100644 index 0000000000..c6d2433236 --- /dev/null +++ b/testing/btest/scripts/policy/frameworks/software/version-changes.bro @@ -0,0 +1,40 @@ +# @TEST-EXEC: bro -b %INPUT +# @TEST-EXEC: btest-diff software.log +# @TEST-EXEC: btest-diff notice.log + +@load base/frameworks/software +@load policy/frameworks/software/version-changes + +const fake_software_name = "my_fake_software"; +redef Software::asset_tracking = ALL_HOSTS; +redef Software::interesting_version_changes += {fake_software_name}; + +global versions: vector of string = vector("1.0.0", "1.1.0", "1.2.0", "1.0.0"); +global version_index = 0; +global c = 0; + +event new_software() + { + local v = versions[version_index]; + local cid = conn_id($orig_h = 127.0.0.1, $orig_p = 22/tcp, + $resp_h = 127.0.0.1, $resp_p = 22/tcp); + local si = Software::Info($name=fake_software_name, + $unparsed_version=fmt("%s %s", + fake_software_name, v), + $host=127.0.0.1); + Software::found(cid, si); + + ++version_index; + ++c; + + if ( version_index >= |versions| ) + version_index = 0; + + if ( c < 10 ) + event new_software(); + } + +event bro_init() + { + event new_software(); + } From ed7b0b3503c42b63e9198bb16ff9724c9f4df2b6 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 21 May 2018 13:34:16 -0500 Subject: [PATCH 424/631] Update link to flex pattern docs --- CHANGES | 10 ++++++++++ VERSION | 2 +- doc/script-reference/types.rst | 2 +- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 532c18bcc6..2958d4bb60 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,14 @@ +2.5-582 | 2018-05-21 13:34:16 -0500 + + * Update link to flex pattern docs (Corelight) + + * Add non-standard experimental Google post-quantum ciphers (Johanna Amann) + + * ARP: fix the l2 source address check for ARP over Wi-Fi (Pierre LALET) + + * Support 802.11 monitor mode (Pierre LALET) + 2.5-569 | 2018-05-10 11:24:07 -0500 * BIT-1927: relocate notice/extend-email/ scripts to policy/ dir and diff --git a/VERSION b/VERSION index beed657a9e..ccba4e2ffe 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-569 +2.5-582 diff --git a/doc/script-reference/types.rst b/doc/script-reference/types.rst index 651ebfb411..34388e9958 100644 --- a/doc/script-reference/types.rst +++ b/doc/script-reference/types.rst @@ -198,7 +198,7 @@ Here is a more detailed description of each type: for fast text-searching operations. Pattern constants are created by enclosing text within forward slashes (/) and is the same syntax as the patterns supported by the `flex lexical analyzer - `_. The speed of + `_. The speed of regular expression matching does not depend on the complexity or size of the patterns. Patterns support two types of matching, exact and embedded. From 87552390e5fa07dc0f40a883217a766bd8213d62 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Wed, 16 May 2018 23:36:36 +0000 Subject: [PATCH 425/631] Bring Broccoli back for the time being. It's deprecated and now disabled by default, but can be reenabled by configuring with --enable-broccoli. --- .gitmodules | 3 +++ CHANGES | 11 +++++++++-- CMakeLists.txt | 2 ++ VERSION | 2 +- configure | 9 +++++++-- doc/CMakeLists.txt | 2 ++ doc/ext/bro.py | 2 +- src/Stmt.cc | 2 +- 8 files changed, 26 insertions(+), 7 deletions(-) diff --git a/.gitmodules b/.gitmodules index d4fb571533..738888bf85 100644 --- a/.gitmodules +++ b/.gitmodules 
@@ -4,6 +4,9 @@ [submodule "aux/binpac"] path = aux/binpac url = git://git.bro.org/binpac +[submodule "aux/broccoli"] + path = aux/broccoli + url = git://git.bro.org/broccoli [submodule "aux/broctl"] path = aux/broctl url = git://git.bro.org/broctl diff --git a/CHANGES b/CHANGES index 153332b751..5acb3c98ca 100644 --- a/CHANGES +++ b/CHANGES @@ -1,7 +1,14 @@ -2.5-573 | 2018-05-16 23:46:35 +0000 +2.5-574 | 2018-05-16 23:52:05 +0000 - * Support 802.11 monitor mode. (Pierre LALET) + * Switch Bro's communication over to Broker; deprecate the old + communication system, including Broccoli. See NEWS for more. + + * Extend switch statement to branch by type of the operand. See NEWS + for more. + + * Add new operators "is" and "as" for dynamic type casting and type + checking. See NEWS for more. 2.5-569 | 2018-05-10 11:24:07 -0500 diff --git a/CMakeLists.txt b/CMakeLists.txt index 9f8d5779b4..fabeb5ae64 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -249,6 +249,7 @@ include(CheckOptionalBuildSources) CheckOptionalBuildSources(aux/broctl Broctl INSTALL_BROCTL) CheckOptionalBuildSources(aux/bro-aux Bro-Aux INSTALL_AUX_TOOLS) +CheckOptionalBuildSources(aux/broccoli Broccoli INSTALL_BROCCOLI) ######################################################################## ## Packaging Setup @@ -288,6 +289,7 @@ message( "\nCXXFLAGS: ${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${BuildType}}" "\nCPP: ${CMAKE_CXX_COMPILER}" "\n" + "\nBroccoli: ${INSTALL_BROCCOLI}" "\nBroctl: ${INSTALL_BROCTL}" "\nAux. Tools: ${INSTALL_AUX_TOOLS}" "\n" diff --git a/VERSION b/VERSION index c38d5e45ce..3424d54e46 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-573 +2.5-574 diff --git a/configure b/configure index fda3be4cd5..cf1c901449 100755 --- a/configure +++ b/configure 
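Review bot: The new `aux/broccoli` entry in `.gitmodules` uses `url = git://git.bro.org/broccoli`, and the plain git:// transport gives neither encryption nor server authentication for the fetch. The commit id recorded in the superproject limits what a substituted repository could deliver, but anyone who updates the submodule to a branch tip gets no such protection. If the host serves the repository over TLS, prefer `url = https://git.bro.org/broccoli`. The neighbouring `aux/binpac` and `aux/broctl` entries use the same scheme, so this is best changed for all submodules together.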
@@ -50,6 +50,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... (automatically on when perftools is present on Linux) --enable-perftools-debug use Google's perftools for debugging --enable-jemalloc link against jemalloc + --enable-broccoli build or install the Broccoli library (deprecated) --disable-broctl don't install Broctl --disable-auxtools don't build or install auxiliary tools --disable-perftools don't try to build with Google Perftools @@ -66,7 +67,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --with-flex=PATH path to flex executable --with-bison=PATH path to bison executable --with-python=PATH path to Python executable - --with-caf=PATH path to C++ Actor Framework installation + --with-caf=PATH path to C++ Actor Framework installation for using external version (a required Broker dependency) Optional Packages in Non-Standard Locations: @@ -133,6 +134,7 @@ append_cache_entry ENABLE_PERFTOOLS_DEBUG BOOL false append_cache_entry ENABLE_JEMALLOC BOOL false append_cache_entry BinPAC_SKIP_INSTALL BOOL true append_cache_entry BUILD_SHARED_LIBS BOOL true +append_cache_entry INSTALL_BROCCOLI BOOL false append_cache_entry INSTALL_AUX_TOOLS BOOL true append_cache_entry INSTALL_BROCTL BOOL true append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING @@ -209,7 +211,10 @@ while [ $# -ne 0 ]; do --enable-jemalloc) append_cache_entry ENABLE_JEMALLOC BOOL true ;; - --disable-broctl) + --enable-broccoli) + append_cache_entry INSTALL_BROCCOLI BOOL yes + ;; + --disable-broctl) append_cache_entry INSTALL_BROCTL BOOL false ;; --disable-auxtools) diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt index fc44045553..2563375dcc 100644 --- a/doc/CMakeLists.txt +++ b/doc/CMakeLists.txt 
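Review bot: The `--enable-broccoli` case in the `@@ -209,7 +211,10 @@` hunk writes `append_cache_entry INSTALL_BROCCOLI BOOL yes`, while the default added in the `@@ -133,6 +134,7 @@` hunk and every neighbouring option use `true`/`false`. CMake accepts both spellings, so behaviour is unaffected. Using `append_cache_entry INSTALL_BROCCOLI BOOL true` would keep the cache entries uniform and easier to grep. Because this flag re-enables a library the commit itself calls deprecated, the help text could also name the release in which it is due to be removed.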
@@ -2,6 +2,8 @@ set(SPHINX_INPUT_DIR ${CMAKE_CURRENT_BINARY_DIR}/sphinx_input) set(SPHINX_OUTPUT_DIR ${CMAKE_CURRENT_BINARY_DIR}/sphinx_output) set(BROXYGEN_SCRIPT_OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/broxygen_script_output) set(BROXYGEN_CACHE_DIR ${CMAKE_CURRENT_BINARY_DIR}/broxygen_cache) +set(BROCCOLI_DOCS_SRC ${CMAKE_BINARY_DIR}/aux/broccoli/doc/html) +set(BROCCOLI_DOCS_DST ${CMAKE_BINARY_DIR}/html/broccoli-api) set(BROKER_DOCS_SRC ${CMAKE_BINARY_DIR}/aux/broker/doc/html) set(BROKER_DOCS_DST ${CMAKE_BINARY_DIR}/html/broker-manual) diff --git a/doc/ext/bro.py b/doc/ext/bro.py index a9a4480072..96a2628cea 100644 --- a/doc/ext/bro.py +++ b/doc/ext/bro.py @@ -265,7 +265,7 @@ class BroDomain(Domain): if doc == docname: to_delete.append((typ, name)) - for (typ, name) in to_delete: + for (typ, name) in to_delete: del self.data['objects'][typ, name] def resolve_xref(self, env, fromdocname, builder, typ, target, node, diff --git a/src/Stmt.cc b/src/Stmt.cc index 23e98ce8d1..e48b463f5d 100644 --- a/src/Stmt.cc +++ b/src/Stmt.cc @@ -739,7 +739,7 @@ SwitchStmt::SwitchStmt(Expr* index, case_list* arg_cases) : { Init(); -bool have_exprs = false; + bool have_exprs = false; bool have_types = false; loop_over_list(*cases, i) From ad1978f6984f544ff6817714a0ecdea3b4406ad8 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Thu, 17 May 2018 00:54:28 +0000 Subject: [PATCH 426/631] Updating NEWS and CHANGES. --- CHANGES | 13 ++++-- NEWS | 124 ++++++++++++++++++++++++++++++++++++++++++++++++++++- VERSION | 2 +- aux/broctl | 2 +- aux/broker | 2 +- 5 files changed, 136 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 5acb3c98ca..6315877665 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,14 +1,21 @@ -2.5-574 | 2018-05-16 23:52:05 +0000 +2.5-576 | 2018-05-17 00:54:28 +0000 * Switch Bro's communication over to Broker; deprecate the old communication system, including Broccoli. See NEWS for more. + (Many people contributed to this effort. Broker library: Jon + Siwek, Matthias Vallentin, Robin Sommer, Dominik Charousset. + Porting Bro to Broker: Daniel Thayer, Robin Sommer, Jon Siwek. + Further contributions by: Johanna Amann, Justin Azoff, Matthias + Fischer, Jan Grashoefer, and Seth Hall. The final integration was + supported by Corelight.) + * Extend switch statement to branch by type of the operand. See NEWS - for more. + for more. (Robin Sommer) * Add new operators "is" and "as" for dynamic type casting and type - checking. See NEWS for more. + checking. See NEWS for more. (Robin Sommer) 2.5-569 | 2018-05-10 11:24:07 -0500 diff --git a/NEWS b/NEWS index b6f003a5cd..7f2ab3543f 100644 --- a/NEWS +++ b/NEWS 
@@ -11,6 +11,102 @@ Bro 2.6 (in progress) New Functionality ----------------- +- Bro has switched to using the new Broker library for all its + communication. Broker's API has been completely redesigned (compared + to the version in 2.5), and much of its implementation has been + redone. There's a new script-level "broker" framework that + supersedes the old "communication" framework, which is now + depracated. The "cluster" and "control" frameworks have been ported + to Broker; same for BroControl. For more about the new Broker + framework, see doc/frameworks/broker.rst (there's also guide there + for porting existing Bro scripts to Broker). For more about Broker + itself, including its API for external applications, see + aux/broker/doc. + + TODO: Replace documentation paths with URLs once these are available + online. + + When using BroControl, the meaning of proxies has changed with + Broker. If you are upgrading and have configured more than one proxy + currenty, we recommend going back down to a single proxy node now. + Unless you are using custom scripts doing significant data + distribution themselves through the new cluster framework, that + should be fine. + +- Bro now has new "is" and "as" script operators for dynamic + type-checking and casting. + + - "v as T" casts a value v into a value of type T, assuming that's + possible (if not, it triggers a runtime error). + + - "v is T" returns a boolean indicating whether value v can be + casted into type T (i.e., if true then "v as T" will succeed). + + This casting supports three cases currently: (1) a value of + declared type "any" can be casted to its actual underlying type; + (2) Broker values can be casted to their corresponding script + types; and (3) all values can be casted to their declared types + (i.e., a no-op). 
+ + Example for "any": + + # cat a.bro + function check(a: any) + { + local s: string = "default"; + + if ( a is string ) + s = (a as string); + + print fmt("s=%s", s); + } + + event bro_init() + { + check("Foo"); + check(1); + } + + # bro a.bro + s=Foo + s=default + +- The existing "switch" got extended to now also support switching by + type rather than value. The new syntax supports two type-based versions + of "case": + + - "case type T: ...": Take branch if operand can be casted to type T. + + - "case type T as x: ... ": Take branch if operand can be casted + to type T, and make the casted value available through ID "x". + + Multiple types can be listed per branch, separated by commas. + However, one cannot mix cases with expressions and types inside a + single switch statement. + + Example: + + function switch_one(v: any) + { + switch (v) { + case type string: + print "It's a string!"; + break; + + case type count as c: + print "It's a count!", c; + break; + + case type bool, type addr: + print "It's a bool or address!"; + break; + + default: + print "Something else!"; + break; + } + } + - Bro now comes with a new "configuration framework" that allows updating script options dynamically at runtime. This functionality consists of three larger pieces working together: @@ -149,7 +245,11 @@ New Functionality Changed Functionality --------------------- -- The DHCP analyzer and its script-layer interface have been rewritten. + - ALl communication is now handled through Broker, requiring changes + to existing scripts to port them over to the new API. The Broker + framework documentation comes with a porting guide. + + - The DHCP analyzer and its script-layer interface have been rewritten. - Supports more DHCP options than before. 
@@ -227,6 +327,28 @@ Removed Functionality https://github.com/bro/packages for a list of Bro packages currently available. +- BroControl: The option 'IPv6Comm' and 'ZoneID' options are no longer + available (though Broker should be able to handle IPv6 + automatically). + +Deprecated Functionality +------------------------ + +- The old communication system is now deprecated and scheduled for + removal with the next Bro release. This includes the "communication" + framework, the &sychronized attributes, and the existing + communication-related BiFs. Use Broker instead. + +- The infrastructure for serializing Bro values into a binary + representation is now deprecated and scheduled for removal with the + next Bro release. This includes the &persistent attribute, as well + as BiFs like send_id(). Use Broker data stores and the new + configuration framework instead. + +- BroControl: The 'update' command is deprecated and scheduled for + removal with the next Bro release. Bro's new configuration framework + is taking its place. + Bro 2.5.1 ========= diff --git a/VERSION b/VERSION index 3424d54e46..7c9972b026 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-574 +2.5-585 diff --git a/aux/broctl b/aux/broctl index 0ec694144d..5c49cf5326 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 0ec694144d123e1df6e614205c6f3d25fc8f7af8 +Subproject commit 5c49cf53260a2bd52695e2e2b6a01b7f56f31b78 diff --git a/aux/broker b/aux/broker index a6353cfbf9..4d914b2fe2 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit a6353cfbf937124d327d3064f09913862d3aff5c +Subproject commit 4d914b2fe21aebfe5185db4b002dd0268e5cb7e7 From 593000be573f5182274604121cc562f3765a4eba Mon Sep 17 00:00:00 2001 
From: Robin Sommer Date: Fri, 18 May 2018 22:59:35 +0000 Subject: [PATCH 427/631] Updating submodules. --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- aux/netcontrol-connectors | 2 +- src/3rdparty | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/aux/binpac b/aux/binpac index 76360315b9..df95de3031 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 76360315b96056f82ce82b1b832f684fe04bc02f +Subproject commit df95de3031980c1cd4f35777c4eed8221415bdc0 diff --git a/aux/bro-aux b/aux/bro-aux index 34590b328c..ad99dc534f 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 34590b328cb4e4fb0ebdcff715c74bfa24bf0698 +Subproject commit ad99dc534f2574a47a808d677fc76098f42a1b54 diff --git a/aux/broccoli b/aux/broccoli index 2c120bebaa..701a539f29 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 2c120bebaad57b86799266094fe4f2c35d019349 +Subproject commit 701a539f295f138bb1c44953310e083a4210fe1b diff --git a/aux/broctl b/aux/broctl index 5c49cf5326..7e68ad436e 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 5c49cf53260a2bd52695e2e2b6a01b7f56f31b78 +Subproject commit 7e68ad436e122fa95c87b6caca0e2e7b20dd5b97 diff --git a/aux/broker b/aux/broker index 4d914b2fe2..6ebbd07e6e 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 4d914b2fe21aebfe5185db4b002dd0268e5cb7e7 +Subproject commit 6ebbd07e6e3f2457f89128bdd88525408e70d3b6 diff --git a/aux/netcontrol-connectors b/aux/netcontrol-connectors index 9069afa184..a432ae2f9a 160000 --- a/aux/netcontrol-connectors +++ b/aux/netcontrol-connectors @@ -1 +1 @@ -Subproject commit 9069afa184a7517267b61d415a80bd8b3c268dad +Subproject commit a432ae2f9a06e7b1664df5fc4ce1b694acb7b099 diff --git a/src/3rdparty b/src/3rdparty index abc49b68fe..a1aecbdd65 160000 --- a/src/3rdparty +++ b/src/3rdparty 
@@ -1 +1 @@ -Subproject commit abc49b68feb1390ae185e524218b1ec6168ec17b +Subproject commit a1aecbdd653df6478eb90e0da02d261b1fc85ced From eaf5f4a9bb8a88447c0f81b21af0204a0586cb73 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Fri, 18 May 2018 23:11:30 +0000 Subject: [PATCH 428/631] Whitespace changes. --- CHANGES | 2 +- VERSION | 2 +- src/Scope.cc | 2 +- src/Scope.h | 4 ++-- src/Stats.cc | 20 ++++++++++---------- src/Stmt.cc | 2 +- 6 files changed, 16 insertions(+), 16 deletions(-) diff --git a/CHANGES b/CHANGES index 6315877665..f9b5c69595 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,5 @@ -2.5-576 | 2018-05-17 00:54:28 +0000 +2.5-587 | 2018-05-21 18:02:23 +0000 * Switch Bro's communication over to Broker; deprecate the old communication system, including Broccoli. See NEWS for more. diff --git a/VERSION b/VERSION index 7c9972b026..955e9fb7b1 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-585 +2.5-587 diff --git a/src/Scope.cc b/src/Scope.cc index b0115ca0f6..97d8e23003 100644 --- a/src/Scope.cc +++ b/src/Scope.cc @@ -113,7 +113,7 @@ TraversalCode Scope::Traverse(TraversalCallback* cb) const ID* lookup_ID(const char* name, const char* curr_module, bool no_global, - bool same_module_only, bool check_export) + bool same_module_only, bool check_export) { string fullname = make_full_var_name(curr_module, name); diff --git a/src/Scope.h b/src/Scope.h index 10bd84ca1f..f2713fef80 100644 --- a/src/Scope.h +++ b/src/Scope.h @@ -64,8 +64,8 @@ extern bool in_debug; // If no_global is true, don't search in the default "global" namespace. // This passed ownership of a ref'ed ID to the caller. extern ID* lookup_ID(const char* name, const char* module, - bool no_global = false, bool same_module_only = false, - bool check_export = true); + bool no_global = false, bool same_module_only = false, + bool check_export = true); extern ID* install_ID(const char* name, const char* module_name, bool is_global, bool is_export); 
diff --git a/src/Stats.cc b/src/Stats.cc index 960b3085cb..b1d5c427a9 100644 --- a/src/Stats.cc +++ b/src/Stats.cc @@ -226,16 +226,16 @@ void ProfileLogger::Log() auto cs = broker_mgr->GetStatistics(); file->Write(fmt("%0.6f Comm: peers=%zu stores=%zu " - "pending_queries=%zu " - "events_in=%zu events_out=%zu " - "logs_in=%zu logs_out=%zu " - "ids_in=%zu ids_out=%zu ", - network_time, cs.num_peers, cs.num_stores, - cs.num_pending_queries, - cs.num_events_incoming, cs.num_events_outgoing, - cs.num_logs_incoming, cs.num_logs_outgoing, - cs.num_ids_incoming, cs.num_ids_outgoing - )); + "pending_queries=%zu " + "events_in=%zu events_out=%zu " + "logs_in=%zu logs_out=%zu " + "ids_in=%zu ids_out=%zu ", + network_time, cs.num_peers, cs.num_stores, + cs.num_pending_queries, + cs.num_events_incoming, cs.num_events_outgoing, + cs.num_logs_incoming, cs.num_logs_outgoing, + cs.num_ids_incoming, cs.num_ids_outgoing + )); // Script-level state. unsigned int size, mem = 0; diff --git a/src/Stmt.cc b/src/Stmt.cc index e48b463f5d..26be70c373 100644 --- a/src/Stmt.cc +++ b/src/Stmt.cc @@ -915,7 +915,7 @@ std::pair SwitchStmt::FindCaseLabelMatch(const Val* v) const { reporter->PushLocation(e->GetLocationInfo()); reporter->Error("switch expression type mismatch (%s/%s)", - type_name(v->Type()->Tag()), type_name(e->Type()->Tag())); + type_name(v->Type()->Tag()), type_name(e->Type()->Tag())); return std::make_pair(-1, nullptr); } From 647fe3f494a076c14161ffd60f4d02f49b4ab6c0 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 21 May 2018 22:36:44 +0000 Subject: [PATCH 429/631] Updating submodule(s). [nomail] --- aux/btest | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/btest b/aux/btest index 63784060bf..99ec0e1ea8 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 63784060bff18ecd6b7979ab5f4174d90af838ca +Subproject commit 99ec0e1ea89e166af4cb6ebc2d923d123424123d From 436a93b38abbc0e16d7f6305813dadfaae71d0b2 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 22 May 2018 09:18:58 -0500 Subject: [PATCH 430/631] Make Reassembler::TotalSize a constant time operation --- CHANGES | 4 ++++ VERSION | 2 +- src/Reassem.cc | 7 +------ 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 99a22a5d80..78d25d4246 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-591 | 2018-05-22 09:19:59 -0500 + + * Make Reassembler::TotalSize a constant time operation (Corelight) + 2.5-589 | 2018-05-21 21:37:54 +0000 * Switch Bro's communication over to Broker; deprecate the old diff --git a/VERSION b/VERSION index 0b2f58b34d..dd91cbab0f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-589 +2.5-591 diff --git a/src/Reassem.cc b/src/Reassem.cc index a52bff01c6..0cdeadf80d 100644 --- a/src/Reassem.cc +++ b/src/Reassem.cc @@ -255,12 +255,7 @@ void Reassembler::ClearOldBlocks() uint64 Reassembler::TotalSize() const { - uint64 size = 0; - - for ( DataBlock* b = blocks; b; b = b->next ) - size += b->Size(); - - return size; + return size_of_all_blocks; } void Reassembler::Describe(ODesc* d) const From 477d3fc0e2281750d3e412ba12df357cdc09f9c3 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 22 May 2018 09:48:17 -0500 Subject: [PATCH 431/631] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index 6ebbd07e6e..1466c9ed7f 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 6ebbd07e6e3f2457f89128bdd88525408e70d3b6 +Subproject commit 1466c9ed7f290a84b1e51ceb147e8423552d28b1 From c1871b0f0bbc36ac9836ca752f0268a8b669a066 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 22 May 2018 12:46:30 -0500 Subject: [PATCH 432/631] Update test baseline for binpac changes --- .../scripts.base.protocols.modbus.length_mismatch/weird.log | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
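Review bot: `Reassembler::TotalSize()` now returns `size_of_all_blocks`, but nothing in this hunk shows where that counter is kept in step with the block list. The removed loop walked `blocks` and could not drift; a cached counter is correct only if every path that inserts, trims, merges or frees a `DataBlock` adjusts it. If the total is used to bound how much data is buffered (the callers are not visible here), a stale value would weaken that limit without any visible failure. I would document the invariant on the function, e.g. `// size_of_all_blocks must be updated wherever a DataBlock is added, resized or removed.`, and add a debug-build assertion that compares it with the walked sum.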
diff --git a/testing/btest/Baseline/scripts.base.protocols.modbus.length_mismatch/weird.log b/testing/btest/Baseline/scripts.base.protocols.modbus.length_mismatch/weird.log index 073fc33bd8..a00df5267e 100644 --- a/testing/btest/Baseline/scripts.base.protocols.modbus.length_mismatch/weird.log +++ b/testing/btest/Baseline/scripts.base.protocols.modbus.length_mismatch/weird.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path weird -#open 2018-05-18-15-23-47 +#open 2018-05-22-17-16-17 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string -1445502056.228889 CHhAvVGS1DHFjwGM9 192.168.2.166 1987 192.168.88.95 502 binpac exception: out_of_bound: ReadWriteMultipleRegistersRequest:write_register_values: 402 > 200 - F bro -#close 2018-05-18-15-23-47 +1445502056.228889 CHhAvVGS1DHFjwGM9 192.168.2.166 1987 192.168.88.95 502 binpac exception: out_of_bound: ReadWriteMultipleRegistersRequest:write_register_values: 16932 > 200 - F bro +#close 2018-05-22-17-16-17 From c9bf16e1725a3500a99d30ebe79f0416aaf82518 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 22 May 2018 13:31:48 -0500 Subject: [PATCH 433/631] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index 1466c9ed7f..39ff1195bd 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 1466c9ed7f290a84b1e51ceb147e8423552d28b1 +Subproject commit 39ff1195bd22f412fd91073c5df3014a2e03c4e9 From e35da5f592ca4f3bc088281da26b4c19db8018db Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 22 May 2018 16:27:07 -0500 Subject: [PATCH 434/631] Migrate NCP analyzer to use latest analyzer API It was possibly never updated for newer Analyzer API changes, as simply attaching the NCP analyzer to a connection would result in null pointer derefernces and also support analyzers were not attached. --- src/analyzer/protocol/ncp/NCP.cc | 23 +- src/analyzer/protocol/ncp/NCP.h | 1 + .../scripts.base.protocols.ncp.event/out | 468 ++++++++++++++++++ testing/btest/Traces/ncp.pcap | Bin 0 -> 66824 bytes .../scripts/base/protocols/ncp/event.bro | 20 + 5 files changed, 500 insertions(+), 12 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ncp.event/out create mode 100644 testing/btest/Traces/ncp.pcap create mode 100644 testing/btest/scripts/base/protocols/ncp/event.bro diff --git a/src/analyzer/protocol/ncp/NCP.cc b/src/analyzer/protocol/ncp/NCP.cc index add7841908..f2745666dc 100644 --- a/src/analyzer/protocol/ncp/NCP.cc +++ b/src/analyzer/protocol/ncp/NCP.cc @@ -159,11 +159,7 @@ Contents_NCP_Analyzer::Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Se { session = arg_session; resync = true; - - tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); - if ( tcp ) - resync = (orig ? tcp->OrigState() : tcp->RespState()) != - tcp::TCP_ENDPOINT_ESTABLISHED; + resync_set = false; } Contents_NCP_Analyzer::~Contents_NCP_Analyzer() 
@@ -174,20 +170,23 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig { tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); - tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + auto tcp = static_cast(Parent())->TCP(); + + if ( ! resync_set ) + { + resync_set = true; + resync = (IsOrig() ? tcp->OrigState() : tcp->RespState()) != + tcp::TCP_ENDPOINT_ESTABLISHED; + } if ( tcp && tcp->HadGap(orig) ) return; - DEBUG_MSG("NCP deliver: len = %d resync = %d buffer.empty = %d\n", - len, resync, buffer.empty()); - if ( buffer.empty() && resync ) { // Assume NCP frames align with packet boundary. if ( (IsOrig() && len < 22) || (! IsOrig() && len < 16) ) { // ignore small fragmeents - DEBUG_MSG("NCP discard small pieces: %d\n", len); return; } @@ -224,13 +223,13 @@ NCP_Analyzer::NCP_Analyzer(Connection* conn) { session = new NCP_Session(this); o_ncp = new Contents_NCP_Analyzer(conn, true, session); + AddSupportAnalyzer(o_ncp); r_ncp = new Contents_NCP_Analyzer(conn, false, session); + AddSupportAnalyzer(r_ncp); } NCP_Analyzer::~NCP_Analyzer() { delete session; - delete o_ncp; - delete r_ncp; } diff --git a/src/analyzer/protocol/ncp/NCP.h b/src/analyzer/protocol/ncp/NCP.h index 713eca756d..f8cac95090 100644 --- a/src/analyzer/protocol/ncp/NCP.h +++ b/src/analyzer/protocol/ncp/NCP.h @@ -97,6 +97,7 @@ protected: // Re-sync for partial connections (or after a content gap). bool resync; + bool resync_set; }; class NCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { diff --git a/testing/btest/Baseline/scripts.base.protocols.ncp.event/out b/testing/btest/Baseline/scripts.base.protocols.ncp.event/out new file mode 100644 index 0000000000..6374c60f5d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ncp.event/out 
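Review bot: In the added `if ( ! resync_set )` block of `Contents_NCP_Analyzer::DeliverStream`, `tcp` is dereferenced through `tcp->OrigState()` / `tcp->RespState()` before any null check. The very next statement still tests `if ( tcp && tcp->HadGap(orig) )`, and the constructor code this commit removes guarded the same calls with `if ( tcp )`. If `TCP()` can return null on this path, the first delivery on a connection takes the analyzer down, and this code runs on traffic the monitor does not control. I would guard the block as `if ( ! resync_set && tcp )` so the endpoint state is sampled on the first delivery that has a TCP parent. The body of `DeliverStream` continues outside the hunk.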
@@ -0,0 +1,468 @@ +ncp reply, 13107, 70, 0, 0, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 59, 89 +ncp reply, 13107, 2, 8738, 89, 255 +ncp request, 8738, 59, 89 +ncp reply, 13107, 2, 8738, 89, 255 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 66, 89 +ncp reply, 13107, 92, 8738, 89, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp 
request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 
89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 
70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp 
reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 
89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 66, 89 +ncp reply, 13107, 92, 8738, 89, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 
8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp 
request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 46, 89 +ncp reply, 13107, 88, 8738, 89, 0 +ncp request, 8738, 40, 89 +ncp reply, 13107, 11, 8738, 89, 0 +ncp request, 8738, 40, 89 +ncp reply, 13107, 102, 8738, 89, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 6, 22338 +ncp reply, 13107, 10, 8738, 22338, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 163, 8738, 72, 0 +ncp request, 8738, 14, 72 
diff --git a/testing/btest/Traces/ncp.pcap b/testing/btest/Traces/ncp.pcap new file mode 100644 index 0000000000000000000000000000000000000000..d8c61b3683f631fa404980393915cd9d97d46da9 GIT binary patch literal 66824 zcmdVD2Y3`!`~E)(Ed+uHBB2^qx}>o)BFH2HDPD%{^wmo*F+t^yCTMWXG5Sfv}Hf9?1|D~a{2w%}& zO@k>qra|u#l?JEKS}-)o%=%E#AjRFCTEG^S5Ma(W7n>t<`{w1Bzh-9}S(Bv_v?*3n@9aLK|8iY9IF_tXU>oo)$;O*(ees0rhhhEfoIKzlVYd|qZ^ z^!o5wF~&MVj1-6wUbsUMqp`a?g_gTn4x-YrpuHM+kY_C}cnZMv0H3n(I|aNg{=O1? zDWd!1OF}1dyI)1*?HRdVO|A#|XplP>tf)#(v1RhOs|}^acujjX@~NJ+x#Xik9uD&1 zi_rNhyP+9>Pvn6*-7-Xvcc{IxqqL=&G?oHeNmKxpsY$hMr0AH~fWU~D=mt`iKGRUD z+9euDDdwWA;=FvPjNA++z;B{j?!W}-sjB6%;Sk`8!9Mmww|j~JsAWQwq@qz5FIl3N z=YmX7%XPRSUV(@!A!28KEiVTl)iN=XbaE{_{w}KJj!c6ds#+eq(pWLR0W?^b`j?^s zYMENV_CKoS+J6XZxh_wW@eT9|DW=D4zUVNXxDNlCPsHvMU1Nh zF*-wxNjcvtVxX2Ov|JJIAgZ92>v6$51H2i)ck^p`C8AR;6FQL_u8GJyGjd-wc{7j) zfjlewgR0~dTPDxFF05r6E_o2hJAix*zm``a`v0Jo!*7UcxeF7(M^($?IzWKU5TI@y zKSco4G9gM*y_AygEm6yRK_;l>`dkq=L&S23XyDiKY7kN_6C+S7YdP+wsFu4j4ZKyg zJgyuXd}^?dxiq+?q5*1|TEO-{s^wiEjYfFdtG!7CdfIX|`4pObXRyEj2fvorfY_vC zM~x~X>Mv16yu!rrQdh)x5aSPsaWVs3l>;@@GKH2a;>aywEjQqT{{ir80KdSm<+X@T zwM^(lo^@M9-i?uas>!bzD<;^2e0|!Ds^k<~Chz&Tu$CM0$S2r>{2!2i#INObi2gsQ z<=a5j9%DN)0X)>T{0{`kg8=@`1}OrdmI+akK98FJz!J5*{*JJg?YJW5=@Z5qAz~T7 zme+%jYMB^;T3O4HcSW`A#58bM)$({FG?)zy+P;SVRM~w|%hUq4|4}WU0BJPB)6S{o zMqEvBRy6)?Xz~KTmN$Udq+>^oDkANks3M%17;dVH82>iJ*a0!DQaUSQpq44LToI!Y zRq($292a~Cz)u3aHoulPB0AMFp%Z!Q`yz4|M((O6KMC?r4EE8NlkKaLQ*4=B|4>-V zjk)BXfc$HN{k_}#THb`{|ASh-3smh|c4Y#%sA_rq*T#y8?hs()&&?D8P|JiUNpnAW z{HG;qIpLA8mY?T|IMH37Frf=XT*0s9%^;*&CPtuE)^hECM78Y3G;mhc@`NtXzyu8j z#$_rRpq8lxZ2zNLZu?kR%T2hNn4rm2Xws8k%UeKf(y^mP74a^b&>myEGclZ06)|Bd z#3+Us`b12fJbhoL&~in*@tq|a@ z!9MCh(|U>ksAWQwq?PTDerkzYF0O4S8e=!(ig;I_Fwx3jfA<4^EpG=Q)iN;xwX&9N z>(~kAzPy+Quc&HyqLr~?QY&aMFM5`u0cx3A!1h0?_=3=`*L$GxDUXG z06d0Y%R3RBYMIc9Jhq;Q+=r2OQIlgDchUfmC&Z^$C8yXj`P%k&(geJwy_)3Zp7vbw z0U#d-@_*99o$)zYWkBaMff9M^4sZnb4(Ma+AG>WY;3u_I#J#P02dcw)Cv#>&rzh-Gd3xQRUJT 
z*BUD(zXkzfN=_>Rz@-UMk_y(1n`sG`egZPVOh_x9h?8G~i1!WlcRu60^xGf|*&s7g zX~?sh8&`;2x+l}1gW9FV@Hj=?kt+n9&zcJ80}RRG3hmku?%7~jUJ_l0hgxGve*5Cr~;R6!v$Xk@Em}@ z%6I9#h)ym|=tMqem596-BY#;MQ?P?;c9iA^$A*yASZxb`xYs;?}p6g{e)Ee&c`r?j~ z)UwIo_^IytJ!{(}77cZMJ}1A4KJkqSpZMQcQ0Lk(=Z-_uXYIYyFf%Z*!K@Ds-ghqc zov>$}ar4NWm=iJnd9K?YbXZ=i&-fAR&+WYHHY{LO$G-|LPl`I&=5gMsq3f)^PImDq9=NmJRaHq^3Bg(Z_mhz3(x;@>!}u3 z_Zbc^*f*zQ_xuGRC-gtqIIKOIows6Y&$I(wd@h!IS$|V>VbH^OAK%( z%f4%W=bStJq-;xZ?ipV?n%mQCl%DZ~ZIaz=bG=>W)t1Jb8Ms)2uypmYoD_gvHE;J@7ZgglSUXT-h2V|xin>` zQlFXb?nEVT4wBSIl9pF~B}rRH`>>1P|Nd9sL-~=kby*L#TR;7l@~WZa7Zua5Z`epz zr`V`4;%z?HMw)}4(_T%@@t*B?YQFgbDjyg89?n~Yi@=rFCNagx24T21xu4V&yo+m% z(zG=F42;?nCX1P-?~PMwdIg#mLet(4URE^4+c&XEQt$c$pIBKrK-I=oRK*XlJ=OHz zS5+0QrTjjr*JqxM=P9{?e}eG?<`G-eLne!h)#1z*u#tzVs8 z!ZbM9`B@Dn_kafTpg}8}4-^e{y1P>g*p?^s%Plq+=9-J6)AI_8lZO=JCIfT}eR^?m zes^c*($Z3=;*1u#BQ&y`62sFc%jWH&+io7e~CP{HO1~ujpGYE*@SZ(7d5AFW+77>f6oD&Xxq8 zhP0!>N_(~L8R+>kSKxUN7?&&_%;b*+4kCS%j&%WQ!hL~_U@WkdDf{jzm9l?8*|!Y# zk&nY}D#~IkK%wRL!bn6Fj0M_r!QTS-BY;=%#{!2C-5>D@oyhM9$(J$m6Ke8DApacX zKZahcN=~t5^0Nztj?jTi{<%Kk&4wT^;5))$M7N|POj;yzgyk&r<0?mZ6F2uvaYp8& zKOL-O4o4t1l+@$5)>*<4CNCB`LPwr@Q=FmR>rk%^-w}?0kQ{*+fm-PZ9!o@yu!3oD zOyvk~z77qdp~0Y9s}&942-E_$n&1dakajd!Y3DdXC$7NJ`h+RZ;}V6&*}*$V-=t$* zfa^s^$Y$;Q5KFsq2;=YM^u3$bmoHR1H2u;HO>x>B04z& zp%eKPA^9ps{*Icw9muDF{Np(AwRl1~G zHOu^n$`PixB6GY^M4W7o;l>*WMP4$AZj!<^2|9VAPI0A*1>uM9C z3LK#u7u*rxxI^ilH-C)qE~1ko5IT{2tP+v0W8??bTPFV$QR$3< z_G*%k_jKfvhk_h)#rHb#9pNORThbAVR*M{AJbDwi2}d{%GJzvFan;)h^)_K{<4e9Hyaz&Z1Y)FvBA+#+uMs)I2ByJ&l_N~u1Pwkm z*oXggA7{vwt_Vk<7O>R>M>veMqrpmhweA_{>C6@QV|~K31PH9-JHq=&-=t$*fa)r8 zt*EXxGG+Iv>S|g7l>H6LzONsxC<{lR&~jbPL{xzzxNyOL19%p|oA4ds14JiBAao*k zSSKRi#K`xm$+L_V(`-P#v1egba*8dJ_g*h_1XmvUG#ii)1GzQd5l$hxB^}`k7`5jS zHnYt4s2pM1Fl3&J%tQ0OQ8I@k5St{OY|(#%B^)7igU}J&xay@sJ=~^vXB*!UJ_I2- z0x<%$(h+__OWN}YTbKrKs~ln4r_f+BH0X5OUC{uJKrLXa369WfqtFrDxdKntCrls3 zR)SnmrnxZTC0}dQ=}sekla6%(s;ghoL=b*Td$k!FpRG*U-Kx5pJ_^d>l47{6&ufaZ 
za0Ci1*Hx`eLPzl6g5#3n^ck38y1{pZj}V<4fzXM38rsk%-^R$_Qj^aB`ALI)*dN~E zRmmx~OzyZ@=m?%%@{=H60rDUDj_@&}Thb9Of>GNMwzJH4sT^VY3S-4|EL{ql_M5Yk zIUIr5B*`?y=Mzgfg2xu2BY5%Dn~tSR({Dq)DSSux1cc-W#0b<%NB9&iX*i>Zk?-=Q*4=h{dS=v_;Sgy4r&H`=D|U}BYckNmUM*3 z9U@0~i)Fq|&_Mx92zNcgkM<6yyy1wxJgO+fFtsoPeHFW2y_oF^xW(%m7 z#&?7-KuC^2j6kh)gy5YbN7&6Y*s5}bnJtVJGipPFtyixq8o&{#1#C6J5q2Q$Xt2`G zIcw;_6L>~#2>c^Pp@598`pK-%QD||_Sx%0Gk-(oOAU<^`aJ#} zsj`h!oR3)A}MKmP`S&jUeNQH!9Jn&R|^yk;4ahxwwmBBe<2!vKdvYX zccIX7jc!9!fxGnKf`1S2Cji&DlKCy7le-W)k$2xKB0tE;*Qv>$fE-s#2VQKxt13Cg zmdVc}>KweLy_)3XJ^i@kkMs$%p98tZmCUnwn>i5bB||-pE1Bm&NRB{^bWmhRDBmw~gu_gO zH7ZA#oeT{|LW9Ilixdsu2-E_$n&1fS4hS8gFIV7^`h+>SRp_q9mCW-<-=t$*fa>a9 zG@(6?Kf;t|A>Jp*~93g-Uz8K)`0j_Z+^8%uiBM>@~ z4?id(e}|E;Qj@m_`F@bMZ!)ziImMRA`yLWHLLirXKgc~mu5l&vJ4CmnBRmA7_88$P z%Y3EE5$1RpD`qt}*vG%OVz`ny9D&#*>FdNFzOjTO?% zgyaas2-HePXmLd32*;QPD^!j!XCgGfeO2+RK8#Q_fFn=~*lL0!Y(m=6V5Pm<8&;ra zFjwFn`h>Z@+Ow2DAbpdLbpfiY{_lwD>Nrz&xvH+_`a;<_C_Apv(-9~ffkMl5m4>JS zM+o79#{s;b_AKR(h)#|`=tTaPko*KAU#2GS2l5h-r`e?|eFEeZTP8nvROkr(xa1`u zkJp~1yol(QbcE7lB1d?aWxiD92y^3+`B%ui{(GC1%;5;cCQ0#KUG`bR5%kA}j?ka0 z-d9i$EA_NyDKCML9Dx{tTImRv(USHoT&5|ty&#X`GTSi=(c^T{rX25jJ?4bq;ayo~fsI@SfKu6{rh+GB+Gn6isibv190v0`>JDEmSEXhm7n z6@`}T>H(q(93hMcKD!yfbG2tFe?oL}1VShBdGCtI-)H2D)a1D!$3p73O*Vb2l2dG% zeCA1^BZPCwu?Tt|Mx$D@ls_Z7B^@F7J&_}Pz%pN`a)fy!k@-wy9@hT8k~tiK*d(d> zAC1OZ!Vy-3OmNl^!BuZ2)cZnvmhu-6k|Pi!P%9lF;C+!JoMIX*P&vZ9FQ5VD!Q(m~ zt*vMPN1zt4)dWXahO|+0T4RJruE1~W6XuW6o~68k^i4X}1*ooiejuu=51F#_RdqFg z43xz&jB8NaNl_M#K%wQjibGU^BN({gUjTfz_AKSEh)#|`=tO=~NPe1;&r_4n2Kfzx zz3E!5wpGa~woHEUL!l!eYW2qm&b|Ti)!MU^R}tNkjy!~eIUmO)#UQey{hCCTP9zHsB`d|_G%|;<2_@!qy_EV_ksis^kk%U46lnovx~@g&#xNFep3o{$)j3I0A*1 z>uL$23LGJh3myjW@3dzYZy-830-+Omr!Ph1Uo!G(YVz+uo(b}zdtX*1r`R(2D_;p6 zA)ZT~3G!>&GmAG7-I9**BN(-37QbSdPgOa>!fVJJt~H>U!K7pkM<6y_9kzP3!V-?q z_#2@k4CJc!fj(i8pZ3h+Umzq$AV#28I>HIGq&-IXnrSdaSGmE#7KJIOxEB!@b&CGmCdXNRB{^K&^Cy{b)(s5zaCVCaN4^ zaVj*xI+0k9%}<}G0Y{(~u+;=dXm&y92#H*Qu?S@eE;DJ}|9BVan{=!TP+hG@6WWe& 
zjww4qRaZ-zL)rJBZ1d|2mEHwMpwMz%oj_E<7~yp;_HzRmmx~OnwDX1&)x!CI1QJ-r6&Z_YvKaj_}?OB1gEuG9RaM zgeBg_iuwM?eDU;bC3B1sh)t3%jyQVK5{}UPN1-DO=BYQ|AL_lSJ+t@#gyaas2-HeP z*nyU`9pO8s!B~|eEO`?ezx9pQVX>=;#DE$sqvW z?X!j-S>_cgM_BqQGROU2(ch21p=1t6AT~+*&h~@pmT&~OpM;K(%2n?P)Z3vwv-lW< z+wfXCVWJ5GWlPz%^H&k`CED6f?fwD_~j#QL|BT#6$uD(Q6fg_}I z!TSKbKzn9ULUeKjLMQT9e-V*iX5=H)LcpMUL<@(_pyD5tiX0-V3l!Bl(3t3pS};tGsKD9gud&n(tL`X(Lg0#sMup$TnA_=PDuOjTFQ$3xkFpzM!7zM?1# zN1)JhT|Gopfg@yd!T$j`o}Z<4&th#vCr2Q3A|L;oi2Mp8AF3vwXRKJ*3gpLsXjPS* zV$0-_zY859hey5;4=rB4PJ3pt4x(Gq5$=OgdyMca%e-9W2+P+Y^KxXK646)59F9P2 zlGMX)!A(mzLf#)jN66)>R}S?aXwNLx1tB>CF#@&H5$azPIl@(@L7B=CmOp?7OQAuZ zdEY4-z!9hgY&F3VHY4q5u+q-C){w^)7z;;MY}TGxtcUbXI@SfKuKfNK)zxoI*-}+q zt=J4@4?x+M&(~Fyg(FaCxvmlsRp1EuT<`+`Kd3#kXoKkF2!u}Le+bEcXXGVn@`E7% z7UXr#-l|oHkZ0@-j3w zuD@Z6RM|!IA_ zeZtC@v}Y-8K}haGj3j}4C3DSRB6sXHg4i(6 zbMV7WmT-hxcZ7~m!d35TDX9xkU9Gz-s;gT} z*<4j!t@<0vVwI3#<7bByW#I@ETCS_Bh$?V|GA_7>K4Eno?ODpkh)#|`=tMr|o{0Q5 zBhOKhudV~~D3HJT>6WVG6k8@gb6@BP641cc-W#0b<%N0{?a z z(20E9KO*vbj66e4-ql#K1Z$upKlyM%RdR|glMj3>bc7K+@+HrKyu0=+Wiv##q$4!J zZKv9E68Bl==_*H9(;b=TAoKjl9!lnL1Y(n<^4$SPEHOqX2ARMSMsn55fqHmKuh#vK zFM^O9ff#{W=?IQeeZd&v0n;E&`^#zXbkSUw0s;jlVq3kv&>-^p`Pf?`Ma$Wf$ zs=yIOaly9%JW_j>(jL*t5eS{gzY>x^V&rBuc_hd`0{QbN2P=I7UPiHH^20~!t3To6 z`M%x0?pWm$KG@f`PNQ@1C)jMA!fTZAQfB{K7tB~+B2RlKx#>MIrM9N zfxG;}R7_F1%i2U^#Zq{8#9J5JD=NZWhz(EUTb5*z`y>ok>x!1a~R@P3SITxB_EA z%eoZp8P8ToAJ3AcERfN}=T%bwgBvyNu<6 zX92tzvsD_;l5CCW-ip8t8L00V-ja}vZRNfrK$-?zkgV=l-9 zyHu0W|oc^ogPY9D!QE zRudfIDAJAwEA5=|#sr?g%dntjJvzPCy_7E@eUpxL0jewWb&(^~V#*Fu)z$h*P_{Fa zefv;nMOiokg_i4TJ)#O6VImj2Gr$*W&r&)dIynNN6S@9|h`crZY5=))1H1#C6J5w_hDI>MV=fw7=v15OXLo+bG*(l_Z?7ofT_+!obUJ*MnH zRb6e^24#Q7Gg|NMg_M==H*f?BE!R~pq6!>g3K#rmfFIGGrEHJrdt?>Uu6zPuL5Khd70?11Q&bcCEcB1fpt zGLKU^!iG(y=Z;bv5XosID3?We2G0YU7tsb`_NEvGaRHSvUfPmg{OLq6!>g1{Zu4z%Ogh zQg%jkas)yr^7{8h}SQntW>iLhTuAXDcMycv*(>*AQnY7T6TlOo;!VxI6TvsWG zDsY53T<}DF!e$%oS;}sRPL4q6M1EgL-k6aaRpgs(Kt2NGuW#O1m7HSBTv^Z~A$bxj}X3)Mk5Rex9B;{q-A2m2ITryNIQI2GWGZ 
zid4BvWh^{z+T(XcMYs#)DM=aDeb!jQUAkD=iri%$_eh+_k;vAbrE~%zxeGCp1oC*} z3$&zt2GW#i5TSCH&DqfN2|aH*+ELK}?m{hKs|oJnVQniKZ_MWkjKwiq+Gx*GIwO6P zj&%X*T_2+f?W>|MFlED4HM*sZv0^2j<1z5b`~ixxa2EJMelLRtS=u8Oj71PU$Jl|P~i z9AOC;{4Bt6SCiJglpcsqjzH){enCjyf{}-)$)iAi7v$|{wyR1`v1RhNY=n-mluLdW zpSg|S=PnUf!tw6~fjzDaZwD#tEKUu;N4uMQ? z2C|H&-l|xrw?})H(hG#-2*e1~N=F!GD{_QZOoJemBW&FR4X}PCepSe2MFThjwScWA zIKo#*TQDcFoGUOE$81Z}o~86g`X(Lg0#sM!4MdL6nkgHos;g~jP!{X1;>S&Gs3;3Z zpwMz%%|ldyBdp+p&jUE_+16U|?Sts#2!u}L?hQrcZ5Vlgn!FU`yFs4z=A)|Q6k8_0 zfT(luns&}CIWRdaIj2z4O|$l-)r{jzElbP~@|Qz~@Ac@DkI&U*!nf&O-w) zJOlOTzDE=d;0V+LwwmAwJCU})5ms{r#)6jZQ?zF(dmw$2j&%X5tMJC6x^iI3`l;$_ z`xGb}4P`%=fPvf7u{VX5>na0L1&*+W3my&dCEBx;JrSK8fzXNE_IVL`J4W6|O}+%= zSXCakY5bY0$vKDs!!MZ(0c zR@g*uVo{(-`2#v}Y;%AUZh$p%eLGA$bQz z-cwC}4CGFDy6m-zT~)~`woE?eMWG{Xjyq?bj&3NnOunY2&=IzB$$tm=9qpOLKt#8sBSf_lIYL*K zxwpy@cHS{otnG)V%YO0F({UXff!HMJXX(IcOE|(>kO>@N8&AEp{qzaD`fJZD27!*(y#M#!e z%C~hIb9uCvO-wJtq1Ib|{cgUY@uTbYuObZFh|n>xp@go?_G)tyE}r|Vs8Gx5)rMzY zn$i4+x7yI3=UYFL?(~-=>)Lg8TUph%rf7SNRiZUGAD-Dmj%gzWN|MX-@e;^pJ^|UQ zME25*hG*7Zy8Z$pw#{$y;KtynXQSOfG%vJ7do{Mso(H&WZ4t2<@{|_hQU@_PM>mvy zt0S>p9i`3%&x7J9%OQ>-GCIZ~y|_5PyR&mnQbx8@T3%jSw%I8;FNb~YoSdGNn`_Q? 
z9-NVz(tAK)l-{djMzP+*&BNQJV^XocEZ05L-L-Uxhfh{|VP4iypX{N&8O5$%X0w~O zYe~oGegS&_pa3uTKsVpMo^HPG-a&pHqwq~{7dJ1rjzi1zse_Z!GQBf>Ts=z*Iu`3) z9YSJa49>1ju6DK|c}2zD9aL0ywy{O#LPx(eb1r@uo;NfjJ3GnQ)5*o5vk8cKrA0j) zVtY7LzIKR+aqx6W$)M}gkO z$+ufq=dSFP&%c2j!;*5-h9sq#yAw>>;BMwz_6wfMF9hZ$=cQ!irge8n8=8^dEybLg zom6aAe%v=bsj$clpnlPjjy^t~zK*Wlh7_kd`miwG-Q@PX?QBEM=6pxL?2HmL_m=@?UA{PGyq?(5YXLQheUW6 z#U~Y(FsHWhuNZy%|K@58>wjKK@N%H6YvLvXlX zzpzBVnE%5CdN@Su*&pjm6aCZj!ZJ*z^whkJ0sTV;`j@#m8hbbxq5^~TaD^ma-@zVk zDaoGR?r!cWNvYjq^`3*hl2d(BlRQ#VQ@oPBeY(f^>pi>2gzH`1JU!gpJYC(qx`#de z%EzsHzyQ6UU-w{quY0sUD=#~#Fez+ke27P|Ii@hbheHI~ar4$^1iO_628a8`q-RIO znj$k}W1=JbC8qgiL>6a6c^9}8N4ZBv=KJ_0<|M}#gtJGs?scWHMu48JZ>%j7`P_Nj2CYP+> zvVH?xlOjvvV@u1zAqqg`{uzk=>1P};IATCrsv#hJU~ZVZTdsF(SZri}9~Wb}duT@g z*vRzwGM|7lcNd>fa{fX%|A$r*+tto*b;$D&&-wR#!QMaYA4!YbN>YKV+0EB0Fs?kw zFWD4RX7C6P_YTO6^z+RM@C+>V?;jQ#?dVusU~n;e#fBCP7@9G_H`(9SoYg3(b1fi zXDkZy@Nw%~nCxZDFK{o5O!V{*2p-~5Fr;5VT6C&gxR-y4PhVqlV)5W~^MJmwp(WXY znbF04`weh0gt~cn`Q^K1XQdd24)sn>^3FATgv5K7q{n%?=HzA+IYx#L88WbcrbkhK z$MlHI0j4BVzp(IrzG*Q=lS@)@Tu@w*Pe|;5(A2n~Sg!!Q#TBLXa0sD8;Flj?oEaP( zWQ_LCNlx^Qgu%rO)H`}H-%LWk?e379=a`(7oK9Xz{~;$WF3iiW`U5-Ln5H zXfAL`EQXirGb&$a!0hmb>ES7VZ7yLy&B+^5WX{PeG0WdgEK1fV(~;fsdPBho==ni3 z0*bO$jWe1x|KUKYq49$o6L8O{yiu&)?>CgjTT5(L-*aVM*2|7!>8^7}Q}&Op5Byb< zS~eLRKh<5oXKkCrqM@$O=j1ohC%!S^6aO0v>RcP<+;Ql^2Qyb+jc?hg{)I8EV%o1> zx*|K@bJ#eqzveU=fAr!z>#rW&u;+`}d(t1Y9Xc#%kB|4^h|q}d9DbSpLAQBdgtYrU zXv!~}_BCJnL$s@*XIcD&vFm1hoRiQrVX57>13u|rv?KSC%}eobct(HIY0r}EM;YDv zy}8QV=AGi;dXB$b)ouAGw^=WrFXt`!xXqF?qrWWQIc>p>pZ@Ce#y7_nzmxOgb7lJ2 zmM3R;mK2QY+UTTD`nuq!DEgzfO_)eE^PNdxY%_`VCy6J|% z`i>dLJ&x~4?>Fbog0tN=_@x}Ny72lo`*!c2c)0wSYuh*0jU7MnSlaBF``%4E?QHJZ z`=0lUsSVw;Pwwhwqb;s;Aj`!+c@6ff?(qj#`=l0(@BFyizX_wr)KWeh!+OkHm4|W(^|1$S# z$Ii22+Wc7eWxbu-HzT{eDz)6u^5dMQKkq(o*C1=)TI0rMgGojKf2%0ySE{R!KshsS$WS((kg#>(t^az)rWHEl1y`p^F*{@34bB;x<1 z3O~+MY+^=x(fLU)!;x$@c3&n*FC)tOS+$fpujFr9IA?4?6@K>u1XK0=cI9l<+bZ0!&kYG*qj119QF(ww|I)KVT{f`K&rZt7eLALP18Pm5??!J0Ma6lAXeB49%n_q`y$fCrDJpg> 
zG?!pNox(=!hC=llN3^*ZZyWNs^#2?UB^9UZ+1Zz!Z5(^E`FD8k7@1Gwcc_t@SCpHP zno7SA7ai>g`HKG?+vAPv-#ni^qp-7$HWy;ZjgfIsAWpH|?QHFAUwRYwePOeH;&yS9 zNB?M?O`@D?N#5NrIo8E%>JqomC3@mD?dmQeb#8K(x`ZL)*)DP85_?N}{=tp$^jB=7 zSdClN78TE@&lFGPN%?`)wU=&OM)AATi7!QQZ7q!Qg&@lFPotdbAk6Cl%PUot*Jb3D zMsKy_u&noKUKvN~C>lMrqx6!iZ4WvuuhnP#i1p`o-gO%mu&U!<1(zp99c=SB@6^!u7ySPF=#|ah>%61I;2HNm z+vz#hZpRdQ?Yyg zf{+vXA8Z`f9?i~MF|}vffi6B5%e}0>DY`J|;k%D-?wW9Ft$9yrev>y^{~UBF_`Q}+ zJNyz`zc>69+j)PEnc;up_sv)1=bY>J>!7hiPr6IqkwNQS4t&_J(Cu7eROp(R&%RCc zntO0kQ-`CITmO-Adh!wL&RtLK&3ZRv!O6t~UU)F<*pC}u>aqCl+5W@ZM0MDGH!pA0 z_{ph9R^1)jD*4k(10BEfpR?xIjLl8XELr{CxW9M5cs|T-)VXZ|E1GS0^3F}{aqFW| zOFZW^?YZvB)}Q?sWK9a1S8v_O!r|Xm_rdG5-uBx&ntpB`T0p8i+gL-~=kby*L#%UL}AKD}xv`9;O_>l-%G)hRYAjChxV zcMg6+do?x3dw$JRbDaccEH!*!T!bmkN;L=J@2S25b-MnfrbBIfro)zI(pU;?^x5hzJe2hTs;k9XsrnqcEY?AcxrNDDmRt`|LaTQhZ18o0ltMBpe ztE!6DQhuM*I}b9!Ws`5X>J5T=xS99d{~l>NU33=|Vvm5+XAaPh<8jRgofk zaGeL!z)^MCI0*}@w?8Y^X`(X<& zC<4=5Jatb=rwc>+CLQYn)WjsS=<#o!OxbR#ix0aeL)qm}c6b3U6Fj{fNulNU$~A~e zCPRC*x(f3AmJ7Zd;EMp>bK!RiIHp(r1rJAbe|$;kMDCd?BKKnCuc*lvf&4JY2j!ow zN=~t5@-v7^Za{lA^6{Q$x#WjIz6s>r_>K^P=$3SZk!d1F@Mf8JRXM`$O~#7#_!xm$ z$*z-B+p)B?7e;0RF}LPt2y6}Y!P;qC1ZxD($I3`pOk zV_ksi>K8N-1UYE0_8#uz%arY`s;jrRL)llM>^s@-D$3&43JNXPm35}j5iW4SUj_I( z0B_EB1S6u8BM>@~PeB{n+V~8M~DU?IRY^PwbBvV%Q&eEP+ir@71foVDcfFES9`uPR%~biWv$aN zaDO^RpwMz%IUp*H4`{FUP8;O;BM*E-3xNNG+wlJ4J3=g?lOqs1k#7`|_hRHPtI2-? 
zxi>zD>ZjD{Rmmx~Om4~(I>JRRxi`pfgZvWT5e6W-B^}`w7^yf|fv9h?7~Y#@u2VU} zp4-SAkN%Gy?{H4Z9F9P2lGNr=<`0%|gur~EBV6LDhmQ}~8v^yF@g2bgLUIIR1Zt%t ze2R>M{q6>I>KeH!22QaeeK&X z zK@Nx1di>--M7N|PEH4r{LSL47Ta_d1YhkR|h()qdr^;t2nZpr?4UhDE*?hqgj$lTSfw2kgU5ky;D86F^9gK#X)ygS9QXDH^~L zs0C~_!4YhR2p!=HSKtzT!hSqMNNZvDt4JRYq@^xEb+sH#Xgfk6Q?|9LuJ*Tuva_M= z#MfdKW#I@ETCS`25mn#_zjDDbr??->C$w(Ad=1gb5eS{gjU^)TAV%IwP3{D8tY3-B zd^NBtImMRATa*eN;VPGWC&+t&{2+gfFbL5t=?DkFs69pqW|_BCIl}&4#)?hPA@hdy zTPc~t5r|Ea+AS*nuOBu?$Hcx&=m@{@)Z2uQ57<8o>ZS3=2#FvhM<7O^Ryx8Sw506_ zAxwi7Do5Bq3mUlNBa(i7p`M}v9D!QERudedQMu3&e&-78u1`477t>sO_-75TBYl&O zbpbkt%g}_jBlKg++N9KToh&D2ozebt9^(naD+d&;0AzWaj4e9?j%Gf zM<8?}_ZuoA@6X7atI4B5o(uA=CWorz6k8@gkEnt%!Zj{=F36KXK9BDRgAv`5j_}4X zkt2k%%wJSF!hvLD{t+^d>@!-)9F9P2lJsTE@f$5MMrb}l=m>vu)x#tI5A20{{(MJB z1|c~DF#@&H5%!@aZAS=W8Z=Wm!hyZe;082!rO_ot12_V;fUPDtLfer-N4U-v_=Y~= zU^=F`X7U{&1?ih~tP4MjP7X5sbX4n!F6;ui%4|ZWtd{C8yXj`NdH}N4Uu) ze+A?dL0-Ujgj7Vgq$5nM5II65%e;xo5e`m7=6G_sVOAUp>FLZOu}RXI#VN}y;Rv@u zCYV|Li>n?U`G4>N)N8|cgftM6BM>7{D;;6>XptirmR>N4STy1v87de{ED6>({3s7B686&DI zBU84qs;&-Ag|Z()S!4Jwin16ZP-wZX)+4H5jBuL^{vp7Z0{m6JBV-^tIRc>*x%*fV zc@!gmPEEcP;EEXcVB^@Dmn#d6nSmt$Aj&S5IGRNckBNEc~Dw)F(h)t3XwjTVwCB_Kf zf=u8DkGbmMk^k?6YR@bdfsh=57=c>p2)WZmj_@keppMEB-U)>UxV|0X{UBV?0FFQ{ zV5) zN)=_{2ozebt2Yo;+Y!7Z9{4sZeZtX(+B1to5S<)>(24xDnIiH*jJ%eL{3sS}ZF>nH zcJxS}R+XG$%j8XFi5$Vpic9_y$XjdAES4a;B^_Ze7`4wD5?SWfDn~fl8kvtk=F4tj z#{TI%0v`f4OT*fp?`N)G=L*e3)pIcBh;QFas;nhT!B~W6OOgho>?qI`X(Lg0#sKU(1iBb zJBcYPsp{%jJ1Bbu%D(1{M~XbXLy1Dmb#)w31&&ag3w{LPuG%w;<%mv>Khe_E?f})+L$wAA|4~%yg};YtQhl9n7^!CcZ|n3;tgsR2wREM8 z6p7!Vy_#NrDNL__-cjkb9(oOeUWb3GQ1oiy?oMr^HA?iJ3tOID8l*+OWS#Jh)`qLz5`DsP52!biKRq{s)U&GH zE>~GDRR6zPF7(=Z(Hm_lQ}^N6XVpFK0d*fh-FC50tq?AF2B6a-l^a zLwL4VE3W{r`dsxMKs{XUxZ8E%d8NEsBM4QJjZQZbgeHF?q~6_ggN=lRk8H2jv-+g5 z+#eiO<&KLLJ6=TYb!MGYdX~MrJ4MF(D|Xr_`b0$6K6UW2atNZP)KKa-0!5yV+HcSr;mhQ{Oz8S2L=k%0=AkkP)I`Bg7@17T!HcN zC?|}VzfI!L+mAx}^nUwq7iqdl^nRPcq`jwlzdd1uv~iI3gtJbO7UvEWTkaa4A?h5w 
zroCF%9`DtVOCAUEB#>*YBdkF5XGh@woiXg*EHZ{nmib+kF`P(3=6jI2`N2^oa~K1$ zNz#0)AIDi)Is6B9`>Zk8Z4nL-?YQdgfqHLiPb-fGp-IOGsdnE+6WRmBESCHo^odsnw_skTlxmJU|v(}N{h|34(sVa5Oe literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ncp/event.bro b/testing/btest/scripts/base/protocols/ncp/event.bro new file mode 100644 index 0000000000..acb4bf0a0c --- /dev/null +++ b/testing/btest/scripts/base/protocols/ncp/event.bro @@ -0,0 +1,20 @@ +# @TEST-EXEC: bro -C -r $TRACES/ncp.pcap %INPUT >out +# @TEST-EXEC: btest-diff out + +redef likely_server_ports += { 524/tcp }; + +event bro_init() + { + const ports = { 524/tcp }; + Analyzer::register_for_ports(Analyzer::ANALYZER_NCP, ports); + } + +event ncp_request(c: connection, frame_type: count, length: count, func: count) + { + print "ncp request", frame_type, length, func; + } + +event ncp_reply(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count) + { + print "ncp reply", frame_type, length, req_frame, req_func, completion_code; + } From 58864c358ccd1a37c112d15acaa0742d0846336c Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 22 May 2018 18:27:52 -0500 Subject: [PATCH 435/631] Add NCP::max_frame_size tuning option This helps prevent excessive allocations based on message lengths taken from NCP headers. --- scripts/base/init-bare.bro | 6 + src/analyzer/protocol/ncp/CMakeLists.txt | 2 +- src/analyzer/protocol/ncp/NCP.cc | 44 +- src/analyzer/protocol/ncp/NCP.h | 11 +- src/analyzer/protocol/ncp/consts.bif | 1 + .../out | 418 ++++++++++++++++++ .../base/protocols/ncp/frame_size_tuning.bro | 20 + 7 files changed, 487 insertions(+), 15 deletions(-) create mode 100644 src/analyzer/protocol/ncp/consts.bif create mode 100644 testing/btest/Baseline/scripts.base.protocols.ncp.frame_size_tuning/out create mode 100644 testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index d5bb8f2be9..e592f9277e 100644 
--- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -4806,6 +4806,12 @@ export { const max_frag_data = 30000 &redef; } +module NCP; +export { + ## The maximum number of bytes to allocate when parsing NCP frames. + const max_frame_size = 65536 &redef; +} + module Cluster; export { type Cluster::Pool: record {}; diff --git a/src/analyzer/protocol/ncp/CMakeLists.txt b/src/analyzer/protocol/ncp/CMakeLists.txt index bd06d4e426..1ec5cf2e67 100644 --- a/src/analyzer/protocol/ncp/CMakeLists.txt +++ b/src/analyzer/protocol/ncp/CMakeLists.txt @@ -5,6 +5,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro NCP) bro_plugin_cc(NCP.cc Plugin.cc) -bro_plugin_bif(events.bif) +bro_plugin_bif(events.bif consts.bif) bro_plugin_pac(ncp.pac) bro_plugin_end() diff --git a/src/analyzer/protocol/ncp/NCP.cc b/src/analyzer/protocol/ncp/NCP.cc index f2745666dc..f01c409429 100644 --- a/src/analyzer/protocol/ncp/NCP.cc +++ b/src/analyzer/protocol/ncp/NCP.cc @@ -9,6 +9,7 @@ #include "NCP.h" #include "events.bif.h" +#include "consts.bif.h" using namespace std; using namespace analyzer::ncp; @@ -105,13 +106,12 @@ void FrameBuffer::Reset() msg_len = 0; } -// Returns true if we have a complete frame -bool FrameBuffer::Deliver(int &len, const u_char* &data) +int FrameBuffer::Deliver(int &len, const u_char* &data) { ASSERT(buf_len >= hdr_len); if ( len == 0 ) - return false; + return -1; if ( buf_n < hdr_len ) { @@ -123,13 +123,16 @@ bool FrameBuffer::Deliver(int &len, const u_char* &data) } if ( buf_n < hdr_len ) - return false; + return -1; compute_msg_length(); if ( msg_len > buf_len ) { - buf_len = msg_len * 2; + if ( msg_len > BifConst::NCP::max_frame_size ) + return 1; + + buf_len = msg_len; u_char* new_buf = new u_char[buf_len]; memcpy(new_buf, msg_buf, buf_n); delete [] msg_buf; 
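Review bot: The doc comment on `NCP::max_frame_size` in the init-bare.bro hunk states what the limit bounds but not what the analyzer does when a frame header declares more, which is what an operator tuning the value needs to know. Going by the `DeliverStream` change later in this patch, such a frame is not buffered, an `ncp_large_frame` weird is raised, and the rest of that delivery is discarded before resyncing. I would add a second comment line such as `## Frames declaring a larger size raise an ncp_large_frame weird and are skipped.`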
@@ -143,7 +146,13 @@ bool FrameBuffer::Deliver(int &len, const u_char* &data) ++buf_n; ++data; --len; } - return buf_n >= msg_len; + if ( buf_n < msg_len ) + return -1; + + if ( buf_n == msg_len ) + return 0; + + return 1; } void NCP_FrameBuffer::compute_msg_length() @@ -203,10 +212,27 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig resync = false; } - while ( buffer.Deliver(len, data) ) + for ( ; ; ) { - session->Deliver(IsOrig(), buffer.Len(), buffer.Data()); - buffer.Reset(); + auto result = buffer.Deliver(len, data); + + if ( result < 0 ) + break; + + if ( result == 0 ) + { + session->Deliver(IsOrig(), buffer.Len(), buffer.Data()); + buffer.Reset(); + } + else + { + // The rest of the data available in this delivery will + // be discarded and will need to resync to a new frame header. + Weird("ncp_large_frame"); + buffer.Reset(); + resync = true; + break; + } } } diff --git a/src/analyzer/protocol/ncp/NCP.h b/src/analyzer/protocol/ncp/NCP.h index f8cac95090..bdf5d8bffe 100644 --- a/src/analyzer/protocol/ncp/NCP.h +++ b/src/analyzer/protocol/ncp/NCP.h @@ -54,8 +54,9 @@ public: explicit FrameBuffer(int header_length); virtual ~FrameBuffer(); - // Returns true if a frame is ready - bool Deliver(int& len, const u_char* &data); + // Returns -1 if frame is not ready, 0 if it else, and 1 if + // the frame would require too large of a buffer allocation. + int Deliver(int& len, const u_char* &data); void Reset(); @@ -68,9 +69,9 @@ protected: int hdr_len; u_char* msg_buf; - int msg_len; - int buf_n; // number of bytes in msg_buf - int buf_len; // size off msg_buf + uint64 msg_len; + size_t buf_n; // number of bytes in msg_buf + size_t buf_len; // size off msg_buf }; #define NCP_TCPIP_HEADER_LENGTH 8 diff --git a/src/analyzer/protocol/ncp/consts.bif b/src/analyzer/protocol/ncp/consts.bif new file mode 100644 index 0000000000..452dd9a2b6 --- /dev/null +++ b/src/analyzer/protocol/ncp/consts.bif 
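Review bot: The final `return 1;` added at the end of `FrameBuffer::Deliver` is reached only when `buf_n > msg_len`, that is, when the header announces fewer bytes than are already buffered, yet it uses the same code as the oversized-frame case. The `DeliverStream` hunk that follows maps every positive result to `Weird("ncp_large_frame")`, so an undersized or zero length field would be logged under a name that points analysts at the wrong cause. Whether `compute_msg_length()` can yield such a value is not visible here. Consider returning a distinct code for this case, e.g. `return 2;`, and raising a separately named weird for it in the caller. The body of `Deliver` starts outside this hunk.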
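Review bot: The rewritten comment above `Deliver` in the first NCP.h hunk reads "0 if it else", which leaves the success case undefined for anyone reading the header. Suggested wording: `// Returns -1 if more data is needed, 0 if a complete frame is buffered,` followed by `// and 1 if the frame would exceed NCP::max_frame_size.` A small `enum` for the three results would also keep the caller in NCP.cc from comparing against bare integers.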
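Review bot: In the second NCP.h hunk `hdr_len` stays `int` while `buf_n` and `buf_len` become `size_t`, so the context lines `ASSERT(buf_len >= hdr_len)` and `if ( buf_n < hdr_len )` in NCP.cc now compare signed with unsigned. A negative `header_length` passed to the constructor would convert to a very large value in those comparisons. Declaring `size_t hdr_len;` keeps the three fields consistent, and the comment typo can be fixed to `// size of msg_buf` while that line is being touched. The accessors exposing these members are outside the hunk, so their return types should be checked for narrowing as well.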
@@ -0,0 +1 @@
+const NCP::max_frame_size: count;
diff --git a/testing/btest/Baseline/scripts.base.protocols.ncp.frame_size_tuning/out b/testing/btest/Baseline/scripts.base.protocols.ncp.frame_size_tuning/out
new file mode 100644
index 0000000000..cfb805ee70
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ncp.frame_size_tuning/out
@@ -0,0 +1,418 @@ +ncp reply, 13107, 70, 0, 0, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 59, 89 +ncp reply, 13107, 2, 8738, 89, 255 +ncp request, 8738, 59, 89 +ncp reply, 13107, 2, 8738, 89, 255 +ncp request, 8738, 79, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp reply, 13107, 86, 8738, 72, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 66, 89 +ncp reply, 13107, 92, 8738, 89, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp 
request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 
13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 
13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 
13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 66, 89 +ncp reply, 13107, 92, 8738, 89, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 
13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 
8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 46, 89 +ncp reply, 13107, 88, 8738, 89, 0 +ncp request, 8738, 40, 89 +ncp reply, 13107, 11, 8738, 89, 0 +ncp request, 8738, 40, 89 +ncp reply, 13107, 102, 8738, 89, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 6, 22338 +ncp reply, 13107, 10, 8738, 22338, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 8, 66 +ncp reply, 13107, 2, 8738, 66, 0 +ncp request, 8738, 72, 89 +ncp reply, 13107, 70, 8738, 89, 0 +ncp request, 8738, 7, 22306 +ncp reply, 13107, 2, 8738, 22306, 0 +ncp request, 8738, 14, 72 +ncp request, 8738, 14, 72 diff --git a/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro b/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro new file mode 100644 index 0000000000..46ad87e752 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro @@ -0,0 +1,20 @@ +# @TEST-EXEC: bro -C -r $TRACES/ncp.pcap %INPUT NCP::max_frame_size=150 >out +# @TEST-EXEC: btest-diff out + +redef likely_server_ports += { 524/tcp }; + +event bro_init() + { + const ports = { 524/tcp }; + Analyzer::register_for_ports(Analyzer::ANALYZER_NCP, ports); + } + +event ncp_request(c: connection, frame_type: count, length: count, func: count) + { + print "ncp request", frame_type, length, func; + } + +event ncp_reply(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count) + { + print "ncp reply", frame_type, length, req_frame, req_func, completion_code; + } From b2923f5528848cc3deaa45643c4c4953e0b2a161 Mon Sep 17 00:00:00 2001 
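Review bot: The new frame_size_tuning.bro test only diffs stdout, so it shows that some events disappear with `NCP::max_frame_size=150` but never checks that the skipped frames were reported. The analyzer raises the `ncp_large_frame` weird on that path, so adding `# @TEST-EXEC: btest-diff weird.log` would pin the signal an operator relies on to notice dropped frames. This assumes the run writes weird.log with the default scripts loaded; if it does not, a `weird` event handler that prints the name would serve the same purpose.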
From: Jon Siwek Date: Wed, 23 May 2018 16:50:12 -0500 Subject: [PATCH 436/631] Documentation improvements/fixes --- CHANGES | 4 +++ VERSION | 2 +- aux/broker | 2 +- doc/components/index.rst | 3 -- doc/frameworks/broker.rst | 27 +++++++++++------ doc/index.rst | 2 -- doc/install/index.rst | 1 + doc/script-reference/log-files.rst | 3 -- doc/scripting/index.rst | 10 +++---- .../output | 30 +++++++++++++++++++ ...e_bif_plugins_Bro_DNS_events_bif_bro.btest | 30 +++++++++++++++++++ 11 files changed, 90 insertions(+), 24 deletions(-) create mode 100644 testing/btest/Baseline/doc.sphinx.include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro/output create mode 100644 testing/btest/doc/sphinx/include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro.btest diff --git a/CHANGES b/CHANGES index 826e5b2f6e..d2578bcf01 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-599 | 2018-05-23 16:50:12 -0500 + + * Documentation improvements/fixes (Corelight) + 2.5-598 | 2018-05-22 15:05:24 -0500 * Fixes for MySQL and SMB protocol parsers (Corelight) diff --git a/VERSION b/VERSION index f281a4fb84..5b206a3bed 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-598 +2.5-599 diff --git a/aux/broker b/aux/broker index 39ff1195bd..b29708e14f 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 39ff1195bd22f412fd91073c5df3014a2e03c4e9 +Subproject commit b29708e14f33c87c4c9dbfe1ebe7c7c1482c9f6b diff --git a/doc/components/index.rst b/doc/components/index.rst index 2a6624480b..2f69b3ef54 100644 --- a/doc/components/index.rst +++ b/doc/components/index.rst @@ -20,6 +20,3 @@ current, independent component releases. Capstats - Command-line packet statistic tool PySubnetTree - Python module for CIDR lookups trace-summary - Script for generating break-downs of network traffic - -The `Broker User Manual <../broker-manual/index.html>`_ may also be of -interest. diff --git a/doc/frameworks/broker.rst b/doc/frameworks/broker.rst index c2904881c7..23b1f91478 100644 
--- a/doc/frameworks/broker.rst +++ b/doc/frameworks/broker.rst @@ -74,11 +74,6 @@ Notable / Specific Script API Changes - :bro:see:`Software::tracked` is now partitioned among proxy nodes instead of synchronized in its entirety to all nodes. -- ``Known::known_devices`` is renamed to :bro:see:`Known::device_store` - and implemented via the new Broker data store interface. - Also use :bro:see:`Known::device_found` instead of updating the - store directly directly. - - ``Known::known_hosts`` is renamed to :bro:see:`Known::host_store` and implemented via the new Broker data store interface. @@ -116,13 +111,18 @@ Some general suggestions as to the purpose/utilization of each node type: - Proxies: serve as intermediaries for data storage and work/calculation offloading. Good for helping offload work or data in a scalable and - distributed way. i.e. since any given worker is connected to all + distributed way. Since any given worker is connected to all proxies and can agree on an "arbitrary key -> proxy node" mapping (more on that later), you can partition work or data amongst them in a uniform manner. e.g. you might choose to use proxies as a method of sharing non-persistent state or as a "second pass" analysis for any work that you don't want interferring with the workers' capacity to - keep up with capturing and parsing packets. + keep up with capturing and parsing packets. Note that the default scripts + that come with Bro don't utilize proxies themselves, so if you are coming + from a previous BroControl deployment, you may want to try reducing down + to a single proxy node. If you come to have custom/community scripts + that utilize proxies, that would be the time to start considering scaling + up the number of proxies to meet demands. - Manager: this node will be good at performing decisions that require a global view of things since it is in a centralized location, connected 
@@ -179,10 +179,12 @@ Data Partitioning ----------------- New data partitioning strategies are available using the API in -:doc:`/scripts/base/frameworks/cluster/pools.bro`. +:doc:`/scripts/base/frameworks/cluster/pools.bro`. Using that API, developers +of custom Bro scripts can define a custom pool of nodes that best fits the +needs of their script. One example strategy is to use Highest Random Weight (HRW) hashing to -partition data tables amongst proxy nodes. e.g. using +partition data tables amongst the pool of all proxy nodes. e.g. using :bro:see:`Cluster::publish_hrw`. This could allow clusters to be scaled more easily than the approach of "the entire data set gets synchronized to all nodes" as the solution to memory limitations becomes @@ -195,6 +197,13 @@ crashing, etc.) cause a temporary gap in the total data set until workers start hashing keys to a new proxy node that is still alive, causing data to now be located and updated there. +If the developer of a script expects its workload to be particularly +intensive, wants to ensure that their operations get exclusive +access to nodes, or otherwise set containts on the number of nodes within +a pool utilized by their script, then the :bro:see:`Cluster::PoolSpec` +structure will allow them to that while still allowing users of that script +to override the default suggestions made by the original developer. + Broker Framework Examples ========================= diff --git a/doc/index.rst b/doc/index.rst index 172ae6f171..22fb8cbe1a 100644 --- a/doc/index.rst +++ b/doc/index.rst @@ -45,8 +45,6 @@ Reference Section script-reference/index.rst components/index.rst -`Broker User Manual <../broker-manual/index.html>`_ - Development =========== diff --git a/doc/install/index.rst b/doc/install/index.rst index 71d2534921..2689b9adea 100644 --- a/doc/install/index.rst +++ b/doc/install/index.rst @@ -10,3 +10,4 @@ Installation install upgrade + cross-compiling 
diff --git a/doc/script-reference/log-files.rst b/doc/script-reference/log-files.rst index 285eb20a7c..8f7d87d89a 100644 --- a/doc/script-reference/log-files.rst +++ b/doc/script-reference/log-files.rst @@ -130,9 +130,6 @@ Network Observations +============================+=======================================+=================================+ | known_certs.log | SSL certificates | :bro:type:`Known::CertsInfo` | +----------------------------+---------------------------------------+---------------------------------+ -| known_devices.log | MAC addresses of devices on the | :bro:type:`Known::DevicesInfo` | -| | network | | -+----------------------------+---------------------------------------+---------------------------------+ | known_hosts.log | Hosts that have completed TCP | :bro:type:`Known::HostsInfo` | | | handshakes | | +----------------------------+---------------------------------------+---------------------------------+ diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst index 1a410cef12..54ae83bf81 100644 --- a/doc/scripting/index.rst +++ b/doc/scripting/index.rst @@ -171,7 +171,7 @@ write scripts for Bro but for understanding Bro itself. Gaining familiarity with the specific events generated by Bro is a big step towards building a mind set for working with Bro scripts. The majority of events generated by Bro are defined in the -built-in-function files or ``.bif`` files which also act as the basis for +built-in-function (``*.bif``) files which also act as the basis for online event documentation. These in-line comments are compiled into an online documentation system using Broxygen. Whether starting a script from scratch or reading and maintaining someone else's script, 
@@ -212,11 +212,11 @@ later. While Bro is capable of packet level processing, its strengths lay in the context of a connection between an originator and a responder. As such, there are events defined for the primary parts of the connection -life-cycle as you'll see from the small selection of -connection-related events below. +life-cycle such as the following: -.. btest-include:: ${BRO_SRC_ROOT}/build/scripts/base/bif/event.bif.bro - :lines: 69-72,88,106-109,129,132-137,148 +* :bro:see:`new_connection` +* :bro:see:`connection_timeout` +* :bro:see:`connection_state_remove` Of the events listed, the event that will give us the best insight into the connection record data type will be diff --git a/testing/btest/Baseline/doc.sphinx.include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro/output b/testing/btest/Baseline/doc.sphinx.include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro/output new file mode 100644 index 0000000000..6e15ece5e0 --- /dev/null +++ b/testing/btest/Baseline/doc.sphinx.include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro/output 
@@ -0,0 +1,30 @@ +# @TEST-EXEC: cat %INPUT >output && btest-diff output + +Bro_DNS.events.bif.bro + +## Generated for DNS requests. For requests with multiple queries, this event +## is raised once for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## query: The queried name. +## +## qtype: The queried resource record type. +## +## qclass: The queried resource record class. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +global dns_request: event(c: connection , msg: dns_msg , query: string , qtype: count , qclass: count ); diff --git a/testing/btest/doc/sphinx/include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro.btest b/testing/btest/doc/sphinx/include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro.btest new file mode 100644 index 0000000000..6e15ece5e0 --- /dev/null +++ b/testing/btest/doc/sphinx/include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro.btest 
@@ -0,0 +1,30 @@ +# @TEST-EXEC: cat %INPUT >output && btest-diff output + +Bro_DNS.events.bif.bro + +## Generated for DNS requests. For requests with multiple queries, this event +## is raised once for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## query: The queried name. +## +## qtype: The queried resource record type. +## +## qclass: The queried resource record class. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +global dns_request: event(c: connection , msg: dns_msg , query: string , qtype: count , qclass: count ); From 63251e99374baccaf7c244f0096cd025edc096d6 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 24 May 2018 09:40:07 -0500 Subject: [PATCH 437/631] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index b29708e14f..e621cf5d44 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit b29708e14f33c87c4c9dbfe1ebe7c7c1482c9f6b +Subproject commit e621cf5d445cee8d6b73b57719baae40b10d2f9a From 04eaafd4eb34f01ddd1d913e6e75a2e1b48f4970 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 24 May 2018 09:41:46 -0500 Subject: [PATCH 438/631] Updating submodule(s). [nomail] --- src/3rdparty | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/3rdparty b/src/3rdparty index a1aecbdd65..6511cd6e45 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit a1aecbdd653df6478eb90e0da02d261b1fc85ced +Subproject commit 6511cd6e45811af0904947a36e565dcb9eee61dd From 85c82b13ef8d9f9396d19b738104441662959725 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 24 May 2018 12:06:59 -0500 Subject: [PATCH 439/631] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index e621cf5d44..3afc638c59 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit e621cf5d445cee8d6b73b57719baae40b10d2f9a +Subproject commit 3afc638c596eebdd84bbc3b5a34de35a49baec04 From 186d47c762467a7f53bf0703af125bc926c3c67c Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 24 May 2018 13:23:52 -0500 Subject: [PATCH 440/631] Fix a typo in docs --- src/broker/messaging.bif | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/broker/messaging.bif b/src/broker/messaging.bif index 0336bf0d1e..8b2c64e86f 100644 --- a/src/broker/messaging.bif +++ b/src/broker/messaging.bif @@ -288,7 +288,7 @@ function Cluster::publish_rr%(pool: Pool, key: string, ...%): bool ## node, then automatically forwards it to its peers with a different topic. ## The event is relayed at most a single hop. ## -## pool: the pool of nodes that are eligible to receive the revent +## pool: the pool of nodes that are eligible to receive the event ## ## key: an arbitrary string to identify the purpose for which you're ## distributing the event. e.g. consider using namespacing of your From 95ea84e60e0c9766b64f838378b62f38fb2ae779 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 24 May 2018 14:32:45 -0500 Subject: [PATCH 441/631] Fix how cluster framework tracks worker count --- scripts/base/frameworks/cluster/main.bro | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) 
diff --git a/scripts/base/frameworks/cluster/main.bro b/scripts/base/frameworks/cluster/main.bro index 31f848e2b2..8eb4bf90bf 100644 --- a/scripts/base/frameworks/cluster/main.bro +++ b/scripts/base/frameworks/cluster/main.bro @@ -238,6 +238,8 @@ export { global node_topic: function(name: string): string; } +global active_worker_ids: set[string] = set(); + type NamedNode: record { name: string; node: Node; @@ -305,7 +307,10 @@ event Cluster::hello(name: string, id: string) &priority=10 Cluster::log(fmt("got hello from %s (%s)", name, id)); if ( n$node_type == WORKER ) - ++worker_count; + { + add active_worker_ids[id]; + worker_count = |active_worker_ids|; + } } event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) &priority=10 @@ -329,7 +334,10 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) &priority=1 delete n$id; if ( n$node_type == WORKER ) - --worker_count; + { + delete active_worker_ids[endpoint$id]; + worker_count = |active_worker_ids|; + } event Cluster::node_down(node_name, endpoint$id); break; From 45178f3051a3fe69adb465d022333efd0be7495c Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 24 May 2018 14:33:35 -0500 Subject: [PATCH 442/631] Add a counter for number of alive nodes within a given cluster pool --- scripts/base/frameworks/cluster/pools.bro | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/scripts/base/frameworks/cluster/pools.bro b/scripts/base/frameworks/cluster/pools.bro index b5d8d2729b..69b6c7128e 100644 --- a/scripts/base/frameworks/cluster/pools.bro +++ b/scripts/base/frameworks/cluster/pools.bro @@ -54,6 +54,8 @@ export { ## index of *node_list* that will be eligible to receive work (if it's ## alive at the time of next request). rr_key_seq: RoundRobinTable &default = RoundRobinTable(); + ## Number of pool nodes that are currently alive. + alive_count: count &default = 0; }; ## The specification for :bro:see:`Cluster::proxy_pool`. 
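Review bot: `active_worker_ids` is added in the first main.bro hunk without a comment, and the commit message does not say which miscount it fixes. Deriving `worker_count` from the size of the set presumably keeps repeated `Cluster::hello` or `Broker::peer_lost` events for the same endpoint from skewing the counter, but that is inferred from the two later hunks. A comment would record the intent, for example `# Broker IDs of workers that said hello and have not been lost; worker_count is its size.`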
@@ -275,6 +277,10 @@ function init_pool_node(pool: Pool, name: string): bool $alive=Cluster::node == name); pool$nodes[name] = pn; pool$node_list[|pool$node_list|] = pn; + + if ( pn$alive ) + ++pool$alive_count; + loop = F; } } @@ -288,7 +294,13 @@ function mark_pool_node_alive(pool: Pool, name: string): bool return F; local pn = pool$nodes[name]; - pn$alive = T; + + if ( ! pn$alive ) + { + pn$alive = T; + ++pool$alive_count; + } + HashHRW::add_site(pool$hrw_pool, HashHRW::Site($id=pn$site_id, $user_data=pn)); return T; } @@ -299,7 +311,13 @@ function mark_pool_node_dead(pool: Pool, name: string): bool return F; local pn = pool$nodes[name]; - pn$alive = F; + + if ( pn$alive ) + { + pn$alive = F; + --pool$alive_count; + } + HashHRW::rem_site(pool$hrw_pool, HashHRW::Site($id=pn$site_id, $user_data=pn)); return T; } From fe478877c6b927c1a10689cc7287cfe186336b60 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 24 May 2018 14:35:25 -0500 Subject: [PATCH 443/631] Change Intel framework to round-robin insertion events across proxies --- scripts/base/frameworks/intel/cluster.bro | 6 +- .../manager-1..stdout | 5 ++ .../manager-1.intel.log | 10 +++ .../worker-1..stdout | 4 + .../worker-2..stdout | 5 ++ .../intel/cluster-transparency-with-proxy.bro | 90 +++++++++++++++++++ 6 files changed, 119 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/manager-1..stdout create mode 100644 testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/manager-1.intel.log create mode 100644 testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/worker-1..stdout create mode 100644 testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/worker-2..stdout create mode 100644 testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.bro 
diff --git a/scripts/base/frameworks/intel/cluster.bro b/scripts/base/frameworks/intel/cluster.bro index 1fda1f88c0..99b920e00d 100644 --- a/scripts/base/frameworks/intel/cluster.bro +++ b/scripts/base/frameworks/intel/cluster.bro @@ -54,7 +54,11 @@ event Cluster::node_up(name: string, id: string) # has to be distributed. event Intel::new_item(item: Item) &priority=5 { - Broker::publish(indicator_topic, Intel::insert_indicator, item); + if ( Cluster::proxy_pool$alive_count == 0 ) + Broker::publish(indicator_topic, Intel::insert_indicator, item); + else + Cluster::relay_rr(Cluster::proxy_pool, "Intel::new_item_relay_rr", + indicator_topic, Intel::insert_indicator, item); } # Handling of item insertion triggered by remote node. diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/manager-1..stdout new file mode 100644 index 0000000000..3bc1269931 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/manager-1..stdout @@ -0,0 +1,5 @@ +new_item triggered for 1.2.3.4 by manager on manager-1 +insert_item: 4.3.2.1 inserted by worker-2 +new_item triggered for 4.3.2.1 by worker-2 on manager-1 +insert_item: 123.123.123.123 inserted by worker-1 +new_item triggered for 123.123.123.123 by worker-1 on manager-1 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/manager-1.intel.log b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/manager-1.intel.log new file mode 100644 index 0000000000..8ec5dbe3cd --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/manager-1.intel.log 
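Review bot: The `else` branch of `Intel::new_item` drops the result of `Cluster::relay_rr`, so an item is silently not distributed if the relay fails, for example when the only proxy goes away after `alive_count` was read. For intelligence data that means workers can miss an indicator with no log entry. Assuming `relay_rr` returns a bool like `Cluster::publish_rr`, fall back to the direct path: `if ( ! Cluster::relay_rr(Cluster::proxy_pool, "Intel::new_item_relay_rr", indicator_topic, Intel::insert_indicator, item) ) Broker::publish(indicator_topic, Intel::insert_indicator, item);`.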
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path intel +#open 2018-02-27-17-03-26 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc +#types time string addr port addr port string enum enum string set[enum] set[string] string string string +1519751006.478387 - - - - - 123.123.123.123 Intel::ADDR Intel::IN_ANYWHERE worker-2 Intel::ADDR worker-1 - - - +#close 2018-02-27-17-03-26 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/worker-1..stdout new file mode 100644 index 0000000000..a6288340f5 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/worker-1..stdout @@ -0,0 +1,4 @@ +new_indicator: 1.2.3.4 inserted by manager +new_indicator: 4.3.2.1 inserted by worker-2 +new_item triggered for 123.123.123.123 by worker-1 on worker-1 +new_indicator: 123.123.123.123 inserted by worker-1 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/worker-2..stdout new file mode 100644 index 0000000000..b0c71cfb6a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/worker-2..stdout @@ -0,0 +1,5 @@ +new_indicator: 1.2.3.4 inserted by manager +new_item triggered for 4.3.2.1 by worker-2 on worker-2 +new_indicator: 4.3.2.1 inserted by worker-2 +new_indicator: 123.123.123.123 inserted by worker-1 +Doing a lookup diff --git a/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.bro b/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.bro new file mode 100644 index 0000000000..bf6ed644ed 
--- /dev/null +++ b/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.bro 
@@ -0,0 +1,90 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT +# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT +# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT +# @TEST-EXEC: btest-bg-wait -k 10 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-1/.stdout +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-2/.stdout +# @TEST-EXEC: btest-diff manager-1/intel.log + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1"], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37762/tcp, $manager="manager-1"], +}; +@TEST-END-FILE + +module Intel; + +redef Log::default_rotation_interval=0sec; + +event Cluster::node_up(name: string, id: string) + { + # Insert the data once both workers are connected. + if ( Cluster::local_node_type() == Cluster::MANAGER && Cluster::worker_count == 2 && Cluster::proxy_pool$alive_count == 1 ) + { + Intel::insert([$indicator="1.2.3.4", $indicator_type=Intel::ADDR, $meta=[$source="manager"]]); + } + } + +global worker2_data = 0; +global sent_data = F; +# Watch for new indicators send to workers. +event Intel::insert_indicator(item: Intel::Item) + { + print fmt("new_indicator: %s inserted by %s", item$indicator, item$meta$source); + + if ( ! sent_data ) + { + # We wait to insert data here because we can now be sure the + # full cluster is constructed. 
+ sent_data = T; + if ( Cluster::node == "worker-1" ) + Intel::insert([$indicator="123.123.123.123", $indicator_type=Intel::ADDR, $meta=[$source="worker-1"]]); + if ( Cluster::node == "worker-2" ) + Intel::insert([$indicator="4.3.2.1", $indicator_type=Intel::ADDR, $meta=[$source="worker-2"]]); + } + + # We're forcing worker-2 to do a lookup when it has three intelligence items + # which were distributed over the cluster (data inserted locally is resent). + if ( Cluster::node == "worker-2" ) + { + ++worker2_data; + if ( worker2_data == 3 ) + { + # Now that everything is inserted, see if we can match on the data inserted + # by worker-1. + print "Doing a lookup"; + Intel::seen([$host=123.123.123.123, $where=Intel::IN_ANYWHERE]); + } + } + } + +# Watch for remote inserts sent to the manager. +event Intel::insert_item(item: Intel::Item) + { + print fmt("insert_item: %s inserted by %s", item$indicator, item$meta$source); + } + +# Watch for new items. +event Intel::new_item(item: Intel::Item) + { + print fmt("new_item triggered for %s by %s on %s", item$indicator, + item$meta$source, Cluster::node); + } + +event Intel::log_intel(rec: Intel::Info) + { + terminate(); + } + +event Cluster::node_down(name: string, id: string) + { + # Cascading termination + terminate(); + } From 5c283e0a2e6e9b0542057180a9e428d90557a26e Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 25 May 2018 08:56:13 -0500 Subject: [PATCH 444/631] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index 3afc638c59..575a399281 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 3afc638c596eebdd84bbc3b5a34de35a49baec04 +Subproject commit 575a3992814b9dab1ace0e30a148310f0118e3e2 From 7327c87c0ab2a843eb6df69d5631d96bfc404e4a Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Fri, 25 May 2018 12:20:45 -0500 Subject: [PATCH 445/631] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index 575a399281..7b84848bde 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 575a3992814b9dab1ace0e30a148310f0118e3e2 +Subproject commit 7b84848bded443637fa34e76f7d8558bd1cafbee From bbd65bcc74e2c1473be1a505196ff9259527465a Mon Sep 17 00:00:00 2001 From: Michael Dopheide Date: Sun, 27 May 2018 20:49:15 -0500 Subject: [PATCH 446/631] A suggestion for reminding folks about calling events in Module namespaces. --- doc/frameworks/broker.rst | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/doc/frameworks/broker.rst b/doc/frameworks/broker.rst index 23b1f91478..fa17a35963 100644 --- a/doc/frameworks/broker.rst +++ b/doc/frameworks/broker.rst @@ -376,6 +376,28 @@ This section contains a few brief examples of how various communication patterns one might use when developing Bro scripts that are to operate in the context of a cluster. +A Reminder About Events and Module Namespaces +--------------------------------------------- + +For the following examples, please keep in mind that when referring to event names that were +defined inside a module namespace, you should always use that namespace scoping when referring to the event name, even within the module itself. For instance: + +.. code:: bro + + module ModuleName; + + event manager_to_workers(s: string) + { + print "got event from manager", s; + } + + event some_event_handled_on_manager() + { + Broker::publish(Cluster::worker_topic, ModuleName::manager_to_workers, + "hello v0"); + } + + Manager Sending Events To Workers --------------------------------- From 84c1d9c808083e28a419d0233ca1bfe9c1809c07 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 29 May 2018 10:13:17 -0500 Subject: [PATCH 447/631] Fix NEWS file formatting --- CHANGES | 15 +++++++++++++++ NEWS | 4 ++-- VERSION | 2 +- 3 files changed, 18 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index d2578bcf01..6b81d44a0e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,19 @@ +2.5-611 | 2018-05-29 10:13:17 -0500 + + * Fix NEWS file formatting (Corelight) + + * Improve Broker docs with reminder about modules and event namespace + scoping interactions. (Michael Dopheide) + + * Change Intel framework to round-robin insertion events across proxies + (Corelight) + + * Add a counter for number of alive nodes within a given cluster pool + (Corelight) + + * Fix how cluster framework tracks worker count (Corelight) + 2.5-599 | 2018-05-23 16:50:12 -0500 * Documentation improvements/fixes (Corelight) diff --git a/NEWS b/NEWS index 7f2ab3543f..6f3c047f40 100644 --- a/NEWS +++ b/NEWS @@ -48,7 +48,7 @@ New Functionality types; and (3) all values can be casted to their declared types (i.e., a no-op). - Example for "any": + Example for "any":: # cat a.bro function check(a: any) @@ -84,7 +84,7 @@ New Functionality However, one cannot mix cases with expressions and types inside a single switch statement. - Example: + Example:: function switch_one(v: any) { diff --git a/VERSION b/VERSION index 5b206a3bed..67d2dc9fde 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-599 +2.5-611 From 44dfcb7c6a35dc14236efcd12f08fe03fdd6d005 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Tue, 29 May 2018 14:07:26 -0700 Subject: [PATCH 448/631] Start clusterizing configuration framework. This is not finished and currently does not work due Broker not liking to serialize into any types. --- scripts/base/frameworks/config/input.bro | 6 +- scripts/base/frameworks/config/main.bro | 60 ++++++++++++++++++ .../base/frameworks/config/basic_cluster.bro | 61 +++++++++++++++++++ 3 files changed, 125 insertions(+), 2 deletions(-) create mode 100644 testing/btest/scripts/base/frameworks/config/basic_cluster.bro diff --git a/scripts/base/frameworks/config/input.bro b/scripts/base/frameworks/config/input.bro index 87acb50065..aaef2e59b1 100644 --- a/scripts/base/frameworks/config/input.bro +++ b/scripts/base/frameworks/config/input.bro @@ -54,12 +54,14 @@ event InputConfig::new_value(name: string, source: string, id: string, value: an { if ( sub_bytes(name, 1, 15) != "config-oneshot-" && source !in config_files ) return; - - Option::set(id, value, source); + + Config::set_value(id, value, source); } function read_config(filename: string) { + # Only read the configuration on the manager. The other nodes are being fed from + # the manager. if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER ) return; diff --git a/scripts/base/frameworks/config/main.bro b/scripts/base/frameworks/config/main.bro index ffd9e764ef..c93271efa1 100644 --- a/scripts/base/frameworks/config/main.bro +++ b/scripts/base/frameworks/config/main.bro @@ -2,6 +2,8 @@ ##! (as specified by the "option" keyword) at runtime. It also logs runtime ##! changes to options to config.log. +@load base/frameworks/cluster + module Config; export { 
@@ -25,8 +27,63 @@ export { ## Event that can be handled to access the :bro:type:`Config::Info` ## record as it is sent on to the logging framework. global log_config: event(rec: Info); + + ## Broker topic for announcing new configuration value. Sending new_value, + ## peers can send configuration changes that will be distributed accross + ## the entire cluster. + const change_topic = "bro/config/change"; + + ## This function is the config framework layer around the lower-level + ## :bro:see:`Option::set` call. Config::set_value will set the configuration + ## value for all nodes in the cluster, no matter where it was called. Note + ## that `bro:see:`Option::set` does not distribute configuration changes + ## to other nodes. + ## + ## ID: The ID of the option to update. + ## + ## val: The new value of the option. + ## + ## location: Optional parameter detailing where this change originated from. + ## + ## Returns: true on success, false when an error ocured. + global set_value: function(ID: string, val: any, location: string &default = "" &optional): bool; } +@if ( Cluster::is_enabled() ) +event bro_init() + { + Broker::subscribe(change_topic); + } + +event Config::cluster_set_option(ID: string, val: any, location: string) + { + Option::set(ID, val, location); + } + +function set_value(ID: string, val: any, location: string &default = "" &optional): bool + { + # First try setting it locally - abort if not possible. + if ( ! Option::set(ID, val, location) ) + { + return F; + } + # If it turns out that it is possible - send it to everyone else to apply. 
+ Broker::publish(change_topic, Config::cluster_set_option, ID, val, location); + if ( Cluster::local_node_type() != Cluster::MANAGER ) + { + Broker::relay(change_topic, change_topic, Config::cluster_set_option, ID, val, location); + } + return T; + } +@else + # Standalone implementation + function set_value(ID: string, val: any, location: string &default = "" &optional): bool + { + return Option::set(ID, val, location); + } +@endif + + function format_value(value: any) : string { local tn = type_name(value); @@ -64,6 +121,8 @@ event bro_init() &priority=10 { Log::create_stream(LOG, [$columns=Info, $ev=log_config, $path="config"]); + # Limit logging to the manager - everyone else just feeds off it. +@if ( !Cluster::is_enabled() || Cluster::local_node_type() == Cluster::MANAGER ) # Iterate over all existing options and add ourselves as change handlers with # a low priority so that we can log the changes. local gids = global_ids(); @@ -74,4 +133,5 @@ event bro_init() &priority=10 Option::set_change_handler(i, config_option_changed, -100); } +@endif } diff --git a/testing/btest/scripts/base/frameworks/config/basic_cluster.bro b/testing/btest/scripts/base/frameworks/config/basic_cluster.bro new file mode 100644 index 0000000000..8882c6d66a --- /dev/null +++ b/testing/btest/scripts/base/frameworks/config/basic_cluster.bro 
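Review bot: `Config::cluster_set_option` applies every change that arrives on `change_topic` and discards the result of `Option::set`, so the handler trusts any peer able to publish to `bro/config/change`, and a node that rejects a value diverges from the rest of the cluster without a trace. The doc comment on `change_topic` should state that trust assumption, and the handler should at least report failures: `if ( ! Option::set(ID, val, location) ) Reporter::warning(fmt("config change for %s not applied", ID));`. On a non-manager node `set_value` both publishes and relays on the same topic, so some peers probably receive the change twice. The doc comments also carry typos (`accross`, `ocured`) and an unbalanced backquote before `bro:see:`.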
@@ -0,0 +1,61 @@ +# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: sleep 1 +# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT +# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT +# @TEST-EXEC: btest-bg-wait 10 + +@load base/frameworks/config + + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], +}; +@TEST-END-FILE + +redef Log::default_rotation_interval = 0secs; + +export { + option testport = 42/tcp; + option teststring = "a"; +} + +global n = 0; + +event bro_init() &priority=5 + { + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); + } + +global ready_for_data: event(); + +event bro_init() + { + Broker::auto_publish(Cluster::worker_topic, ready_for_data); + } + +@if ( Cluster::node == "worker-1" ) +event ready_for_data() + { + Config::set_value("testport", 44/tcp); + Config::set_value("teststring", "b", "comment"); + } +@endif + +@if ( Cluster::local_node_type() == Cluster::MANAGER ) + +global peer_count = 0; +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + ++peer_count; + if ( peer_count == 2 ) + event ready_for_data(); + } + +@endif From 6489b54debafeb4c6b10780992b385c9c37cc78a Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 31 May 2018 08:58:34 -0500 Subject: [PATCH 449/631] Remove dead code in broker data/val conversion function --- src/broker/Data.cc | 10 +++------- src/broker/Data.h | 4 +--- 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/src/broker/Data.cc b/src/broker/Data.cc index 3d4bcf27e9..60d9093df4 100644 
--- a/src/broker/Data.cc +++ b/src/broker/Data.cc @@ -48,7 +48,6 @@ struct val_converter { using result_type = Val*; BroType* type; - bool require_log_attr; result_type operator()(broker::none) { @@ -379,9 +378,6 @@ struct val_converter { for ( auto i = 0u; i < static_cast(rt->NumFields()); ++i ) { - if ( require_log_attr && ! rt->FieldDecl(i)->FindAttr(ATTR_LOG) ) - continue; - if ( idx >= a.size() ) { Unref(rval); @@ -774,9 +770,9 @@ struct type_checker { } }; -Val* bro_broker::data_to_val(broker::data d, BroType* type, bool require_log_attr) +Val* bro_broker::data_to_val(broker::data d, BroType* type) { - return broker::visit(val_converter{type, require_log_attr}, std::move(d)); + return broker::visit(val_converter{type}, std::move(d)); } broker::expected bro_broker::val_to_data(Val* v) @@ -1137,7 +1133,7 @@ bool bro_broker::DataVal::canCastTo(BroType* t) const Val* bro_broker::DataVal::castTo(BroType* t) { - return data_to_val(data, t, false); + return data_to_val(data, t); } IMPLEMENT_SERIAL(bro_broker::DataVal, SER_COMM_DATA_VAL); diff --git a/src/broker/Data.h b/src/broker/Data.h index 8a636bb7db..525faba5f6 100644 --- a/src/broker/Data.h +++ b/src/broker/Data.h @@ -54,12 +54,10 @@ broker::expected val_to_data(Val* v); * Convert a Broker data value to a Bro value. * @param d a Broker data value. * @param type the expected type of the value to return. - * @param require_log_attr if true, skip over record fields that don't have the - * &log attribute. * @return a pointer to a new Bro value or a nullptr if the conversion was not * possible. */ -Val* data_to_val(broker::data d, BroType* type, bool require_log_attr = false); +Val* data_to_val(broker::data d, BroType* type); /** * Convert a Bro threading::Value to a Broker data value. From bd3c16c6d71117eeb2344e6ffccdfc323ea836fa Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Thu, 31 May 2018 10:05:18 -0500 Subject: [PATCH 450/631] Fix a bug in broker data type-casting check --- src/broker/Data.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/broker/Data.cc b/src/broker/Data.cc index 60d9093df4..90b30ef3aa 100644 --- a/src/broker/Data.cc +++ b/src/broker/Data.cc @@ -1128,7 +1128,7 @@ broker::data& bro_broker::opaque_field_to_data(RecordVal* v, Frame* f) bool bro_broker::DataVal::canCastTo(BroType* t) const { - return broker::visit(type_checker{type}, data); + return broker::visit(type_checker{t}, data); } Val* bro_broker::DataVal::castTo(BroType* t) From d873acc9e394c51c06260f4785063f8212a3b46b Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 31 May 2018 10:39:40 -0500 Subject: [PATCH 451/631] Support unserializing broker data into type 'any' The receiver side will wrap the data as a Broker::Data value, which can then be type-checked/cast via 'is' or 'as' operators to a specific Bro type. For example: Sender: Broker::publish("topic", my_event, "hello") Receiver: event my_event(arg: any) { if ( arg is string ) print arg as string; } --- src/broker/Data.cc | 3 + .../broker.remote_event_any/recv.recv.out | 12 ++ .../broker.remote_event_any/send.send.out | 11 ++ testing/btest/broker/remote_event_any.bro | 107 ++++++++++++++++++ 4 files changed, 133 insertions(+) create mode 100644 testing/btest/Baseline/broker.remote_event_any/recv.recv.out create mode 100644 testing/btest/Baseline/broker.remote_event_any/send.send.out create mode 100644 testing/btest/broker/remote_event_any.bro diff --git a/src/broker/Data.cc b/src/broker/Data.cc index 90b30ef3aa..99c6e3ebef 100644 --- a/src/broker/Data.cc +++ b/src/broker/Data.cc @@ -772,6 +772,9 @@ struct type_checker { Val* bro_broker::data_to_val(broker::data d, BroType* type) { + if ( type->Tag() == TYPE_ANY ) + return bro_broker::make_data_val(move(d)); + return broker::visit(val_converter{type}, std::move(d)); } 
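Review bot: The new early return in `bro_broker::data_to_val` calls unqualified `move(d)` while the line below uses `std::move(d)`; write `return bro_broker::make_data_val(std::move(d));` so the call does not depend on argument-dependent lookup. The branch also means a handler declaring an `any` parameter now receives remote data unconverted and unchecked, which deserves a comment such as `// TYPE_ANY: hand the data over wrapped; the script must check it with 'is' before 'as'`.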
diff --git a/testing/btest/Baseline/broker.remote_event_any/recv.recv.out b/testing/btest/Baseline/broker.remote_event_any/recv.recv.out new file mode 100644 index 0000000000..54b7d375fb --- /dev/null +++ b/testing/btest/Baseline/broker.remote_event_any/recv.recv.out @@ -0,0 +1,12 @@ +receiver added peer: endpoint=127.0.0.1 msg=handshake successful +is_remote should be T, and is, T +receiver got ping: my-message, 1 +is_remote should be T, and is, T +receiver got ping: my-message, 2 +is_remote should be T, and is, T +receiver got ping: my-message, 3 +is_remote should be T, and is, T +receiver got ping: my-message, 4 +is_remote should be T, and is, T +receiver got ping: my-message, 5 +[num_peers=1, num_stores=0, num_pending_queries=0, num_events_incoming=5, num_events_outgoing=4, num_logs_incoming=0, num_logs_outgoing=1, num_ids_incoming=0, num_ids_outgoing=0] diff --git a/testing/btest/Baseline/broker.remote_event_any/send.send.out b/testing/btest/Baseline/broker.remote_event_any/send.send.out new file mode 100644 index 0000000000..b8be473e40 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_event_any/send.send.out @@ -0,0 +1,11 @@ +is_remote should be F, and is, F +sender added peer: endpoint=127.0.0.1 msg=received handshake from remote core +is_remote should be T, and is, T +sender got pong: my-message, 1 +is_remote should be T, and is, T +sender got pong: my-message, 2 +is_remote should be T, and is, T +sender got pong: my-message, 3 +is_remote should be T, and is, T +sender got pong: my-message, 4 +sender lost peer: endpoint=127.0.0.1 msg=lost remote peer diff --git a/testing/btest/broker/remote_event_any.bro b/testing/btest/broker/remote_event_any.bro new file mode 100644 index 0000000000..153056c456 --- /dev/null +++ b/testing/btest/broker/remote_event_any.bro 
@@ -0,0 +1,107 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" +# +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff send/send.out + +@TEST-START-FILE send.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +global event_count = 0; + +global ping: event(msg: string, c: any); + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::peer("127.0.0.1"); + print "is_remote should be F, and is", is_remote_event(); + } + +function send_event() + { + ++event_count; + local e = Broker::make_event(ping, "my-message", event_count); + Broker::publish("bro/event/my_topic", e); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender added peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + send_event(); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender lost peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + terminate(); + } + +event pong(msg: string, n: any) + { + print "is_remote should be T, and is", is_remote_event(); + + if ( n is count ) + print fmt("sender got pong: %s, %s", msg, n as count); + + send_event(); + } + +@TEST-END-FILE + + +@TEST-START-FILE recv.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +const events_to_recv = 5; + +global handler: event(msg: string, c: count); +global auto_handler: event(msg: string, c: count); + +global pong: event(msg: string, c: count); + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::listen("127.0.0.1"); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s 
msg=%s", endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +event ping(msg: string, n: any) + { + print "is_remote should be T, and is", is_remote_event(); + + if ( n is count ) + print fmt("receiver got ping: %s, %s", msg, n as count); + + if ( (n as count) == events_to_recv ) + { + print get_broker_stats(); + terminate(); + return; + } + + Broker::publish("bro/event/my_topic", pong, msg, n as count); + } + +@TEST-END-FILE From 3679b0d963f238686a2b2cdf2d9f46a476aec363 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 31 May 2018 12:45:44 -0500 Subject: [PATCH 452/631] Teach Option::set to unwrap Broker::Data values --- src/option.bif | 74 +++++++++++++------ .../manager-1..stdout | 2 + .../worker-1..stdout | 4 + .../worker-2..stdout | 2 + .../base/frameworks/config/basic_cluster.bro | 28 +++++-- 5 files changed, 81 insertions(+), 29 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/manager-1..stdout create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/worker-1..stdout create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/worker-2..stdout diff --git a/src/option.bif b/src/option.bif index 011db2f069..67108053f3 100644 --- a/src/option.bif +++ b/src/option.bif 
@@ -5,6 +5,36 @@ module Option; %%{ #include "NetVar.h" +#include "broker/Data.h" + +static bool call_option_handlers_and_set_value(StringVal* name, ID* i, Val* val, + StringVal* location) + { + val->Ref(); + if ( i->HasOptionHandlers() ) + { + for ( auto handler_function : i->GetOptionHandlers() ) + { + val_list vl(2); + vl.append(name->Ref()); + vl.append(val); + if ( handler_function->FType()->AsFuncType()->ArgTypes()->Types()->length() == 3 ) + vl.append(location->Ref()); + + val = handler_function->Call(&vl); // consumed by next call. + if ( ! val ) + { + // Someone messed up, don't change value and just return + return false; + } + } + } + + // clone to prevent changes + i->SetVal(val->Clone()); + Unref(val); // Either ref'd once or function call result. + return true; + } %%} ## Set an option to a new value. This change will also cause the option change 
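Review bot: `call_option_handlers_and_set_value` has no comment describing its reference-count contract, which is the part a later caller is most likely to get wrong. From the body it takes its own reference to `val`, lets each handler call consume the current value and produce the next, stores a clone of the final value, and returns false without changing the option when a handler returns null. I would put that in a short comment above the function, including that the caller's reference to `val` appears to be left untouched.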
@@ -41,36 +71,32 @@ function Option::set%(ID: string, val: any, location: string &default=""%): bool return new Val(0, TYPE_BOOL); } + if ( same_type(val->Type(), bro_broker::DataVal::ScriptDataType()) ) + { + auto dv = static_cast(val->AsRecordVal()->Lookup(0)); + auto val_from_data = dv->castTo(i->Type()); + + if ( ! val_from_data ) + { + builtin_error(fmt("Incompatible type for set of ID '%s': got broker data '%s', need '%s'", + ID->CheckString(), dv->data.get_type_name(), type_name(i->Type()->Tag()))); + return new Val(0, TYPE_BOOL); + } + + auto rval = call_option_handlers_and_set_value(ID, i, val_from_data, location); + Unref(val_from_data); + return new Val(rval, TYPE_BOOL); + } + if ( ! same_type(i->Type(), val->Type()) ) { builtin_error(fmt("Incompatible type for set of ID '%s': got '%s', need '%s'", ID->CheckString(), type_name(val->Type()->Tag()), type_name(i->Type()->Tag()))); + return new Val(0, TYPE_BOOL); } - val->Ref(); - if ( i->HasOptionHandlers() ) - { - for ( auto handler_function : i->GetOptionHandlers() ) - { - val_list vl(2); - vl.append(ID->Ref()); - vl.append(val); - if ( handler_function->FType()->AsFuncType()->ArgTypes()->Types()->length() == 3 ) - vl.append(location->Ref()); - - val = handler_function->Call(&vl); // consumed by next call. - if ( ! val ) - { - // Someone messed up, don't change value and just return - return new Val(0, TYPE_BOOL); - } - } - } - - // clone to prevent changes - i->SetVal(val->Clone()); - Unref(val); // Either ref'd once or function call result. - return new Val(1, TYPE_BOOL); + auto rval = call_option_handlers_and_set_value(ID, i, val, location); + return new Val(rval, TYPE_BOOL); %} ## Set a change handler for an option. The change handler will be diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/manager-1..stdout new file mode 100644 index 0000000000..ad74a79d79 --- /dev/null 
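Review bot: In the new `Broker::Data` branch of `Option::set`, the result of `val->AsRecordVal()->Lookup(0)` is dereferenced by `dv->castTo(...)` without a null check. If that record field can be unset (presumably it is optional; confirm against the type's declaration), a script or remote event passing an empty `Broker::Data` would crash the process instead of getting `F`. Guard it before the cast: `if ( ! dv ) { builtin_error("Option::set: Broker::Data value holds no data"); return new Val(0, TYPE_BOOL); }`. The function's opening lines are outside the hunk.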
+++ b/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/manager-1..stdout @@ -0,0 +1,2 @@ +option changed, testport, 44/tcp, +option changed, teststring, b, comment diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/worker-1..stdout new file mode 100644 index 0000000000..3558bbe476 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/worker-1..stdout @@ -0,0 +1,4 @@ +option changed, testport, 44/tcp, +option changed, teststring, b, comment +option changed, testport, 44/tcp, +option changed, teststring, b, comment diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/worker-2..stdout new file mode 100644 index 0000000000..ad74a79d79 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/worker-2..stdout @@ -0,0 +1,2 @@ +option changed, testport, 44/tcp, +option changed, teststring, b, comment diff --git a/testing/btest/scripts/base/frameworks/config/basic_cluster.bro b/testing/btest/scripts/base/frameworks/config/basic_cluster.bro index 8882c6d66a..1703bee8e5 100644 --- a/testing/btest/scripts/base/frameworks/config/basic_cluster.bro +++ b/testing/btest/scripts/base/frameworks/config/basic_cluster.bro @@ -2,7 +2,10 @@ # @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT -# @TEST-EXEC: btest-bg-wait 10 +# @TEST-EXEC: btest-bg-wait 15 +# @TEST-EXEC: btest-diff manager-1/.stdout +# @TEST-EXEC: btest-diff worker-1/.stdout +# @TEST-EXEC: btest-diff worker-2/.stdout @load base/frameworks/config 
@@ -24,10 +27,6 @@ export { global n = 0; -event bro_init() &priority=5 - { - } - event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); @@ -46,8 +45,27 @@ event ready_for_data() Config::set_value("testport", 44/tcp); Config::set_value("teststring", "b", "comment"); } + @endif +event die() + { + terminate(); + } + +function option_changed(ID: string, new_value: any, location: string): any + { + print "option changed", ID, new_value, location; + schedule 5sec { die() }; + return new_value; + } + +event bro_init() &priority=5 + { + Option::set_change_handler("testport", option_changed, -100); + Option::set_change_handler("teststring", option_changed, -100); + } + @if ( Cluster::local_node_type() == Cluster::MANAGER ) global peer_count = 0; From 08c64112f016f60d80df7f085fa3874cd8589db7 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 31 May 2018 13:12:46 -0500 Subject: [PATCH 453/631] Document variable argument list BIFs using ellipsis Instead of a single parameter: "va_args: any". --- src/Type.cc | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/Type.cc b/src/Type.cc index aa9388d64e..7ddca8f907 100644 --- a/src/Type.cc +++ b/src/Type.cc @@ -1185,7 +1185,14 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const if ( d->FindType(td->type) ) d->Add(""); else - td->DescribeReST(d); + { + if ( num_fields == 1 && streq(td->id, "va_args") && + td->type->Tag() == TYPE_ANY ) + // This was a BIF using variable argument list + d->Add("..."); + else + td->DescribeReST(d); + } if ( func_args ) continue; From 224ee790e2e4894c2083371185b60593169f5be8 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Thu, 31 May 2018 15:26:22 -0500 Subject: [PATCH 454/631] Add Broker::publish_and_relay BIF Like Broker::relay, except the relaying-node also calls event handlers. --- aux/broker | 2 +- src/broker/Manager.cc | 65 +++++++-- src/broker/Manager.h | 22 ++- src/broker/messaging.bif | 72 +++++++++- .../one.one.out | 3 + .../three.three.out | 2 + .../two.two.out | 5 + .../broker/remote_publish_and_relay_event.bro | 125 ++++++++++++++++++ 8 files changed, 270 insertions(+), 26 deletions(-) create mode 100644 testing/btest/Baseline/broker.remote_publish_and_relay_event/one.one.out create mode 100644 testing/btest/Baseline/broker.remote_publish_and_relay_event/three.three.out create mode 100644 testing/btest/Baseline/broker.remote_publish_and_relay_event/two.two.out create mode 100644 testing/btest/broker/remote_publish_and_relay_event.bro diff --git a/aux/broker b/aux/broker index 7b84848bde..11c9313582 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 7b84848bded443637fa34e76f7d8558bd1cafbee +Subproject commit 11c9313582b5505c002a62eba28ffb93bae1e5b3 diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 47f7c95722..8184a86111 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -341,7 +341,8 @@ bool Manager::PublishEvent(string topic, RecordVal* args) bool Manager::RelayEvent(std::string first_topic, broker::set relay_topics, std::string name, - broker::vector args) + broker::vector args, + bool handle_on_relayer) { if ( bstate->endpoint.is_shutdown() ) return true; 
@@ -349,18 +350,33 @@ bool Manager::RelayEvent(std::string first_topic, if ( ! bstate->endpoint.peers().size() ) return true; - DBG_LOG(DBG_BROKER, "Publishing relay event: %s", + DBG_LOG(DBG_BROKER, "Publishing %s-relay event: %s", + handle_on_relayer ? "handle" : "", RenderEvent(first_topic, name, args).c_str()); - broker::bro::RelayEvent msg(std::move(relay_topics), std::move(name), - std::move(args)); - bstate->endpoint.publish(std::move(first_topic), std::move(msg)); + + if ( handle_on_relayer ) + { + broker::bro::HandleAndRelayEvent msg(std::move(relay_topics), + std::move(name), + std::move(args)); + bstate->endpoint.publish(std::move(first_topic), std::move(msg)); + } + else + { + broker::bro::RelayEvent msg(std::move(relay_topics), + std::move(name), + std::move(args)); + bstate->endpoint.publish(std::move(first_topic), std::move(msg)); + } + ++statistics.num_events_outgoing; return true; } bool Manager::RelayEvent(std::string first_topic, std::set relay_topics, - RecordVal* args) + RecordVal* args, + bool handle_on_relayer) { if ( bstate->endpoint.is_shutdown() ) return true; @@ -389,7 +405,7 @@ bool Manager::RelayEvent(std::string first_topic, topic_set.emplace(std::move(t)); return RelayEvent(first_topic, std::move(topic_set), event_name, - std::move(xs)); + std::move(xs), handle_on_relayer); } bool Manager::PublishIdentifier(std::string topic, std::string id) @@ -820,6 +836,10 @@ void Manager::DispatchMessage(broker::data msg) ProcessRelayEvent(std::move(msg)); break; + case broker::bro::Message::Type::HandleAndRelayEvent: + ProcessHandleAndRelayEvent(std::move(msg)); + break; + case broker::bro::Message::Type::LogCreate: ProcessLogCreate(std::move(msg)); break; 
@@ -907,23 +927,23 @@ void Manager::Process() SetIdle(! had_input); } -void Manager::ProcessEvent(broker::bro::Event ev) + +void Manager::ProcessEvent(std::string name, broker::vector args) { - DBG_LOG(DBG_BROKER, "Received event: %s", RenderMessage(ev).c_str()); - + DBG_LOG(DBG_BROKER, "Process event: %s %s", + name.data(), RenderMessage(args).data()); ++statistics.num_events_incoming; + auto handler = event_registry->Lookup(name.data()); - auto handler = event_registry->Lookup(ev.name().c_str()); if ( ! handler ) return; - auto& args = ev.args(); auto arg_types = handler->FType(false)->ArgTypes()->Types(); if ( static_cast(arg_types->length()) != args.size() ) { reporter->Warning("got event message '%s' with invalid # of args," - " got %zd, expected %d", ev.name().data(), args.size(), + " got %zd, expected %d", name.data(), args.size(), arg_types->length()); return; } @@ -942,7 +962,7 @@ void Manager::ProcessEvent(broker::bro::Event ev) { reporter->Warning("failed to convert remote event '%s' arg #%d," " got %s, expected %s", - ev.name().data(), i, got_type, + name.data(), i, got_type, type_name(expected_type->Tag())); break; } @@ -954,6 +974,11 @@ void Manager::ProcessEvent(broker::bro::Event ev) delete_vals(vl); } +void Manager::ProcessEvent(broker::bro::Event ev) + { + ProcessEvent(std::move(ev.name()), std::move(ev.args())); + } + void Manager::ProcessRelayEvent(broker::bro::RelayEvent ev) { DBG_LOG(DBG_BROKER, "Received relay event: %s", RenderMessage(ev).c_str()); 
@@ -965,6 +990,18 @@ void Manager::ProcessRelayEvent(broker::bro::RelayEvent ev) std::move(ev.args())); } +void Manager::ProcessHandleAndRelayEvent(broker::bro::HandleAndRelayEvent ev) + { + DBG_LOG(DBG_BROKER, "Received handle-relay event: %s", + RenderMessage(ev).c_str()); + ProcessEvent(ev.name(), ev.args()); + + for ( auto& t : ev.topics() ) + PublishEvent(std::move(broker::get(t)), + std::move(ev.name()), + std::move(ev.args())); + } + bool bro_broker::Manager::ProcessLogCreate(broker::bro::LogCreate lc) { DBG_LOG(DBG_BROKER, "Received log-create: %s", RenderMessage(lc).c_str()); diff --git a/src/broker/Manager.h b/src/broker/Manager.h index 996859636d..976aa82a03 100644 --- a/src/broker/Manager.h +++ b/src/broker/Manager.h 
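Review bot: The loop in ProcessHandleAndRelayEvent passes `std::move(ev.name())` and `std::move(ev.args())` to PublishEvent on every iteration, so with more than one relay topic the second and later publishes can see a moved-from event name and argument vector. This assumes PublishEvent takes them by value, which the hunk does not show. Drop the two `std::move` wrappers inside the loop so each publish gets its own copy, i.e. pass `ev.name()` and `ev.args()`. The ProcessRelayEvent context lines above show the same pattern. The topic elements come from the received message and go straight into `broker::get`, so checking the element type first and skipping non-string entries with a `reporter->Warning` would keep a malformed message from a peer on the warning path.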
@@ -148,33 +148,41 @@ public: bool PublishEvent(std::string topic, RecordVal* ev); /** - * Sends an event to any interested peers, who, upon receipt, immediately - * republish the event to a new set of topics. + * Sends an event to any interested peers, who, upon receipt, + * republishes the event to a new set of topics and optionally + * calls event handlers. * @param first_topic the first topic to use when publishing the event * @param relay_topics the set of topics the receivers will use to * republish the event. The event is relayed at most a single hop. * @param name the name of the event * @param args the event's arguments + * @param handle_on_relayer whether they relaying-node should call event + * handlers. * @return true if the message is sent successfully. */ bool RelayEvent(std::string first_topic, broker::set relay_topics, std::string name, - broker::vector args); + broker::vector args, + bool handle_on_relayer); /** - * Sends an event to any interested peers, who, upon receipt, immediately - * republish the event to a new set of topics. + * Sends an event to any interested peers, who, upon receipt, + * republishes the event to a new set of topics and optionally + * calls event handlers. * @param first_topic the first topic to use when publishing the event * @param relay_topics the set of topics the receivers will use to * republish the event. The event is relayed at most a single hop. * @param ev the event and its arguments to send to peers, in the form of * a Broker::Event record type. + * @param handle_on_relayer whether they relaying-node should call event + * handlers. * @return true if the message is sent successfully. */ bool RelayEvent(std::string first_topic, std::set relay_topics, - RecordVal* ev); + RecordVal* ev, + bool handle_on_relayer); /** * Send a message to create a log stream to any interested peers. 
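Review bot: The new `@param handle_on_relayer` text in both RelayEvent comments reads "whether they relaying-node should call event handlers", where "they" should be "the". The summary sentence also mixes number ("peers, who, upon receipt, republishes ... and optionally calls"); `republish the event to a new set of topics and optionally call event handlers` reads correctly. Since the flag makes a remote node run its own handlers for an event the sender chose, the comment could say that in one line: `The relaying node treats the event as if it had been published to it directly.`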
@@ -340,8 +348,10 @@ private: }; void DispatchMessage(broker::data msg); + void ProcessEvent(std::string name, broker::vector args); void ProcessEvent(broker::bro::Event ev); void ProcessRelayEvent(broker::bro::RelayEvent re); + void ProcessHandleAndRelayEvent(broker::bro::HandleAndRelayEvent ev); bool ProcessLogCreate(broker::bro::LogCreate lc); bool ProcessLogWrite(broker::bro::LogWrite lw); bool ProcessIdentifierUpdate(broker::bro::IdentifierUpdate iu); diff --git a/src/broker/messaging.bif b/src/broker/messaging.bif index 8b2c64e86f..c7b16dba72 100644 --- a/src/broker/messaging.bif +++ b/src/broker/messaging.bif @@ -76,13 +76,13 @@ static bool relay_event_args(val_list& args, const BroString* topic, if ( args[0]->Type()->Tag() == TYPE_RECORD ) rval = broker_mgr->RelayEvent(topic->CheckString(), std::move(topic_set), - args[0]->AsRecordVal()); + args[0]->AsRecordVal(), false); else { auto ev = broker_mgr->MakeEvent(&args, frame); rval = broker_mgr->RelayEvent(topic->CheckString(), std::move(topic_set), - ev); + ev, false); Unref(ev); } @@ -133,7 +133,7 @@ function Broker::publish%(topic: string, ...%): bool ## Publishes an event at a given topic, with any receivers automatically ## forwarding it to its peers with a different topic. The event is relayed -## at most a single hop. +## at most a single hop and the relayer does not call any local event handlers. ## ## first_topic: the initial topic to use for publishing the event. ## 
@@ -181,12 +181,74 @@ function Broker::relay%(first_topic: string, ...%): bool if ( args[0]->Type()->Tag() == TYPE_RECORD ) rval = broker_mgr->RelayEvent(first_topic->CheckString(), std::move(topic_set), - args[0]->AsRecordVal()); + args[0]->AsRecordVal(), false); else { auto ev = broker_mgr->MakeEvent(&args, frame); rval = broker_mgr->RelayEvent(first_topic->CheckString(), - std::move(topic_set), ev); + std::move(topic_set), ev, false); + Unref(ev); + } + + return new Val(rval, TYPE_BOOL); + %} + +## Publishes an event at a given topic, with any receivers automatically +## forwarding it to its peers with a different topic. The event is relayed +## at most a single hop and the relayer does call local event handlers. +## +## first_topic: the initial topic to use for publishing the event. +## +## args: the first member of the argument list may be either a string or +## a set of strings indicating the secondary topic that the first +## set of receivers will use to re-publish the event. The remaining +## members of the argument list are either the return value of a +## previously-made call to :bro:see:`Broker::make_event` or the +## argument list that should be passed along to it, so that it can +## be called as part of executing this function. +## +## Returns: true if the message is sent. +function Broker::publish_and_relay%(first_topic: string, ...%): bool + %{ + bro_broker::Manager::ScriptScopeGuard ssg; + val_list* bif_args = @ARGS@; + + if ( bif_args->length() < 3 ) + { + builtin_error("Broker::publish_and_relay requires at least 3 arguments"); + return new Val(false, TYPE_BOOL); + } + + auto second_topic = (*bif_args)[1]; + + if ( second_topic->Type()->Tag() != TYPE_STRING && + ! 
is_string_set(second_topic->Type()) ) + { + builtin_error("Broker::publish_and_relay requires a string or string_set as 2nd argument"); + return new Val(false, TYPE_BOOL); + } + + auto topic_set = val_to_topic_set(second_topic); + + if ( topic_set.empty() ) + return new Val(false, TYPE_BOOL); + + val_list args(bif_args->length() - 2); + + for ( auto i = 2; i < bif_args->length(); ++i ) + args.append((*bif_args)[i]); + + auto rval = false; + + if ( args[0]->Type()->Tag() == TYPE_RECORD ) + rval = broker_mgr->RelayEvent(first_topic->CheckString(), + std::move(topic_set), + args[0]->AsRecordVal(), true); + else + { + auto ev = broker_mgr->MakeEvent(&args, frame); + rval = broker_mgr->RelayEvent(first_topic->CheckString(), + std::move(topic_set), ev, true); Unref(ev); } diff --git a/testing/btest/Baseline/broker.remote_publish_and_relay_event/one.one.out b/testing/btest/Baseline/broker.remote_publish_and_relay_event/one.one.out new file mode 100644 index 0000000000..45c18d28be --- /dev/null +++ b/testing/btest/Baseline/broker.remote_publish_and_relay_event/one.one.out @@ -0,0 +1,3 @@ +sender added peer: endpoint=127.0.0.1 msg=received handshake from remote core +got ready event +sender lost peer: endpoint=127.0.0.1 msg=lost remote peer diff --git a/testing/btest/Baseline/broker.remote_publish_and_relay_event/three.three.out b/testing/btest/Baseline/broker.remote_publish_and_relay_event/three.three.out new file mode 100644 index 0000000000..8193829fd4 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_publish_and_relay_event/three.three.out @@ -0,0 +1,2 @@ +receiver added peer: endpoint=127.0.0.1 msg=handshake successful +got my_event, hello world diff --git a/testing/btest/Baseline/broker.remote_publish_and_relay_event/two.two.out b/testing/btest/Baseline/broker.remote_publish_and_relay_event/two.two.out new file mode 100644 index 0000000000..7bedece7d2 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_publish_and_relay_event/two.two.out 
@@ -0,0 +1,5 @@ +receiver added peer: endpoint=127.0.0.1 msg=received handshake from remote core +receiver added peer: endpoint=127.0.0.1 msg=handshake successful +sending ready event +got my_event, hello world +receiver lost peer: endpoint=127.0.0.1 msg=lost remote peer diff --git a/testing/btest/broker/remote_publish_and_relay_event.bro b/testing/btest/broker/remote_publish_and_relay_event.bro new file mode 100644 index 0000000000..493e673af2 --- /dev/null +++ b/testing/btest/broker/remote_publish_and_relay_event.bro 
@@ -0,0 +1,125 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run three "bro -B broker -b ../three.bro >three.out" +# @TEST-EXEC: btest-bg-run two "bro -B broker -b ../two.bro >two.out" +# @TEST-EXEC: btest-bg-run one "bro -B broker -b ../one.bro >one.out" +# +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff one/one.out +# @TEST-EXEC: btest-diff two/two.out +# @TEST-EXEC: btest-diff three/three.out + +@TEST-START-FILE one.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +event my_event(s: string) + { + print "got my_event", s; + } + +event ready_event() + { + print "got ready event"; + + Broker::publish_and_relay("bro/event/pre-relay", "bro/event/post-relay", + my_event, "hello world"); + } + +event bro_init() + { + Broker::subscribe("bro/event/ready"); + Broker::peer("127.0.0.1", 10000/tcp); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender added peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender lost peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + terminate(); + } + +@TEST-END-FILE + + +@TEST-START-FILE two.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +global peers_added = 0; + +event my_event(s: string) + { + print "got my_event", s; + } + +event ready_event() + { + } + +event bro_init() + { + Broker::subscribe("bro/event/pre-relay"); + Broker::listen("127.0.0.1", 10000/tcp); + Broker::peer("127.0.0.1", 9999/tcp); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + ++peers_added; + + if ( peers_added == 2 ) + { + print "sending ready event"; + Broker::publish("bro/event/ready", 
ready_event); + } + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + terminate(); + } + +@TEST-END-FILE + +@TEST-START-FILE three.bro + +redef Broker::default_connect_retry=1secs; +redef Broker::default_listen_retry=1secs; +redef exit_only_after_terminate = T; + +event my_event(s: string) + { + print "got my_event", s; + terminate(); + } + +event bro_init() + { + Broker::subscribe("bro/event/post-relay"); + Broker::listen("127.0.0.1", 9999/tcp); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +@TEST-END-FILE From 1fec186c39cbfe814b8d6e2cbbfff3e9397d17d7 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 22 May 2018 17:18:14 -0700 Subject: [PATCH 455/631] Fix SCT validation when invalid certificates are in chain. At the moment it would try to access an unset optional in this case. --- scripts/policy/protocols/ssl/validate-sct.bro | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro index a89a5e5b19..f4d1646ae8 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro +++ b/scripts/policy/protocols/ssl/validate-sct.bro @@ -180,6 +180,8 @@ hook ssl_finishing(c: connection) &priority=19 { if ( i == 0 ) # end-host-cert next; + if ( ! c$ssl$cert_chain[i]?$x509 || ! c$ssl$cert_chain[i]$x509?$handle ) + next; issuer_key_hash = x509_spki_hash(c$ssl$cert_chain[i]$x509$handle, 4); valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); From f9e5777e6fc2a3f9ea19b042b73574949345bad8 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Fri, 1 Jun 2018 10:03:24 -0500 Subject: [PATCH 456/631] BIT-1635: fix `make doc` warnings References to Input::Reader and Log::Writer enum types no longer emit warnings as they are now hardcoded to be documented as part of their associated framework scripts and so links to them now work. --- CHANGES | 10 ++++++++++ VERSION | 2 +- doc/conf.py.in | 2 -- src/broxygen/ScriptInfo.cc | 13 +++++++++++++ 4 files changed, 24 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 6b81d44a0e..6d57a8caa8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,14 @@ +2.5-618 | 2018-06-01 10:03:24 -0500 + + * BIT-1635: fix `make doc` warnings (Corelight) + + * Add smb2_file_sattr event (Devin Trejo) + + * Add bad ARP tests (Pierre LATET) + + * Fix SCT validation when invalid certificates are in chain. (Johanna Amann) + 2.5-611 | 2018-05-29 10:13:17 -0500 * Fix NEWS file formatting (Corelight) diff --git a/VERSION b/VERSION index 67d2dc9fde..05bbcf298c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-611 +2.5-618 diff --git a/doc/conf.py.in b/doc/conf.py.in index ef9367483a..f7243b4527 100644 --- a/doc/conf.py.in +++ b/doc/conf.py.in @@ -195,8 +195,6 @@ html_sidebars = { # Output file base name for HTML help builder. htmlhelp_basename = 'Broxygen' -html_add_permalinks = None - # -- Options for LaTeX output -------------------------------------------------- # The paper size ('letter' or 'a4'). diff --git a/src/broxygen/ScriptInfo.cc b/src/broxygen/ScriptInfo.cc index 0a57991969..2c054ea9b1 100644 --- a/src/broxygen/ScriptInfo.cc +++ b/src/broxygen/ScriptInfo.cc 
@@ -250,6 +250,19 @@ void ScriptInfo::DoInitPostScript() id->Name(), name.c_str()); state_vars.push_back(info); } + + // The following enum types are automatically created internally in Bro, + // so just manually associating them with scripts for now. + if ( name == "base/frameworks/input/main.bro" ) + { + auto id = global_scope()->Lookup("Input::Reader"); + types.push_back(new IdentifierInfo(id, this)); + } + else if ( name == "base/frameworks/logging/main.bro" ) + { + auto id = global_scope()->Lookup("Log::Writer"); + types.push_back(new IdentifierInfo(id, this)); + } } vector ScriptInfo::GetComments() const From 55f14c2eb848bc69048e319223152ba12437bbe5 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 1 Jun 2018 11:29:15 -0500 Subject: [PATCH 457/631] Relocate temporary script coverage files So they don't clutter the top-level of unit test .tmp/ dir. --- CHANGES | 4 ++++ VERSION | 2 +- src/Brofiler.cc | 14 +++++++++++--- testing/btest/Makefile | 5 +++-- testing/btest/btest.cfg | 2 +- testing/external/subdir-btest.cfg | 2 +- 6 files changed, 21 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 6d57a8caa8..ae4972788f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-619 | 2018-06-01 11:29:15 -0500 + + * Relocate temporary script coverage files (Corelight) + 2.5-618 | 2018-06-01 10:03:24 -0500 * BIT-1635: fix `make doc` warnings (Corelight) diff --git a/VERSION b/VERSION index 05bbcf298c..344be7760a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-618 +2.5-619 diff --git a/src/Brofiler.cc b/src/Brofiler.cc index e7d8c8fdeb..a31ec469f0 100644 --- a/src/Brofiler.cc +++ b/src/Brofiler.cc 
@@ -50,10 +50,18 @@ bool Brofiler::WriteStats() char* bf = getenv("BRO_PROFILER_FILE"); if ( ! bf ) return false; - FILE* f; - const char* p = strstr(bf, ".XXXXXX"); + SafeDirname dirname{bf}; - if ( p && ! p[7] ) + if ( ! ensure_intermediate_dirs(dirname.result.data()) ) + { + reporter->Error("Failed to open BRO_PROFILER_FILE destination '%s' for writing", bf); + return false; + } + + FILE* f; + const char* p = strstr(bf, "XXXXXX"); + + if ( p && ! p[6] ) { mode_t old_umask = umask(S_IXUSR | S_IRWXO | S_IRWXG); int fd = mkstemp(bf); diff --git a/testing/btest/Makefile b/testing/btest/Makefile index 56bf8f0a7e..c9bcfff5ee 100644 --- a/testing/btest/Makefile +++ b/testing/btest/Makefile @@ -1,6 +1,7 @@ DIAG=diag.log BTEST=../../aux/btest/btest +SCRIPT_COV=.tmp/script-coverage all: cleanup btest-verbose coverage @@ -15,11 +16,11 @@ btest-brief: @$(BTEST) -j -b -f $(DIAG) coverage: - @../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd`/../../scripts + @../scripts/coverage-calc "$(SCRIPT_COV)/*" coverage.log `pwd`/../../scripts cleanup: @rm -f $(DIAG) - @rm -f .tmp/script-coverage* + @rm -rf $(SCRIPT_COV)* distclean: cleanup @rm -rf .btest.failed.dat \ diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg index 2b9d75287f..8a69f5eddc 100644 --- a/testing/btest/btest.cfg +++ b/testing/btest/btest.cfg @@ -22,6 +22,6 @@ DIST=%(testbase)s/../.. BUILD=%(testbase)s/../../build TEST_DIFF_CANONIFIER=%(testbase)s/../scripts/diff-canonifier TMPDIR=%(testbase)s/.tmp -BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXXXX +BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage/XXXXXX BTEST_RST_FILTER=$SCRIPTS/rst-filter BRO_DNS_FAKE=1 diff --git a/testing/external/subdir-btest.cfg b/testing/external/subdir-btest.cfg index 4315ade850..39aaead17a 100644 --- a/testing/external/subdir-btest.cfg +++ b/testing/external/subdir-btest.cfg 
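Review bot: The template test in Brofiler::WriteStats, `strstr(bf, "XXXXXX")` followed by `! p[6]`, looks at the first occurrence of the pattern, so a BRO_PROFILER_FILE whose directory part also contains `XXXXXX` is taken as a fixed file name and never reaches the mkstemp branch. Compare the tail of the string instead: `size_t n = strlen(bf); if ( n >= 6 && strcmp(bf + n - 6, "XXXXXX") == 0 )`. The added ensure_intermediate_dirs call runs before the restrictive umask, which is set only around mkstemp, so the new directory gets whatever mode the process umask allows; the mode that helper uses is not visible here and is worth confirming for shared temp locations. The error text says "Failed to open" although the step that failed is directory creation. WriteStats continues outside the hunk.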
@@ -18,7 +18,7 @@ SCRIPTS=%(testbase)s/../scripts SCRIPTS_LOCAL=%(testbase)s/scripts DIST=%(testbase)s/../../.. BUILD=%(testbase)s/../../../build -BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXXXX +BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage/XXXXXX BRO_DNS_FAKE=1 # For fedora 21 - they disable MD5 for certificate verification and need setting an environment variable to permit it. OPENSSL_ENABLE_MD5_VERIFY=1 From 8bb76cd3c1d1ae5cfb87c59a71c30cebf9506e55 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 1 Jun 2018 12:32:34 -0700 Subject: [PATCH 458/631] KRB: do not set authentication info to nouser. Simply do not set it at all in this case - it is an optional after all... --- src/analyzer/protocol/krb/KRB.cc | 16 +++++++--------- src/analyzer/protocol/krb/krb-analyzer.pac | 3 ++- .../scripts.base.protocols.krb.kinit/output | 2 +- 3 files changed, 10 insertions(+), 11 deletions(-) diff --git a/src/analyzer/protocol/krb/KRB.cc b/src/analyzer/protocol/krb/KRB.cc index c3dfaf45b7..4a13aec425 100644 --- a/src/analyzer/protocol/krb/KRB.cc +++ b/src/analyzer/protocol/krb/KRB.cc 
@@ -73,31 +73,30 @@ void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, StringVal* KRB_Analyzer::GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype) { - StringVal* ret = new StringVal("nouser"); #ifdef USE_KRB5 if ( !krb_available ) - return ret; + return nullptr; BroString delim("/"); int pos = principal->FindSubstring(&delim); if ( pos == -1 ) { reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString()); - return ret; + return nullptr; } std::unique_ptr service = unique_ptr(principal->GetSubstring(0, pos)); std::unique_ptr hostname = unique_ptr(principal->GetSubstring(pos + 1, -1)); if ( !service || !hostname ) { reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString()); - return ret; + return nullptr; } krb5_principal sprinc; krb5_error_code retval = krb5_sname_to_principal(krb_context, hostname->CheckString(), service->CheckString(), KRB5_NT_SRV_HST, &sprinc); if ( retval ) { reporter->Warning("KRB: Couldn't generate principal name (%s)", krb5_get_error_message(krb_context, retval)); - return ret; + return nullptr; } krb5_ticket tkt; @@ -110,7 +109,7 @@ StringVal* KRB_Analyzer::GetAuthenticationInfo(const BroString* principal, const if ( retval ) { reporter->Warning("KRB: Couldn't decrypt ticket (%s)", krb5_get_error_message(krb_context, retval)); - return ret; + return nullptr; } char* cp; @@ -118,10 +117,9 @@ StringVal* KRB_Analyzer::GetAuthenticationInfo(const BroString* principal, const if ( retval ) { reporter->Warning("KRB: Couldn't unparse name (%s)", krb5_get_error_message(krb_context, retval)); - return ret; + return nullptr; } - free(ret); - ret = new StringVal(cp); + StringVal* ret = new StringVal(cp); krb5_free_unparsed_name(krb_context, cp); #endif diff --git a/src/analyzer/protocol/krb/krb-analyzer.pac b/src/analyzer/protocol/krb/krb-analyzer.pac index 2af70fff98..7c59a6a99e 100644 
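Review bot: In GetAuthenticationInfo, `ret` is now declared inside the `#ifdef USE_KRB5` block (`StringVal* ret = new StringVal(cp);`), and the last hunk ends at `#endif` with the function's final return outside it. If that return still reads `return ret;`, a build without USE_KRB5 no longer compiles; moving `return ret;` above the `#endif` and adding `#else` with `return nullptr;` keeps both configurations building. Separately, the `return nullptr;` paths that follow a successful krb5_sname_to_principal leave `sprinc` allocated unless it is released in lines these hunks do not show; `krb5_free_principal(krb_context, sprinc);` on those paths would close that.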
--- a/src/analyzer/protocol/krb/krb-analyzer.pac +++ b/src/analyzer/protocol/krb/krb-analyzer.pac @@ -247,7 +247,8 @@ refine connection KRB_Conn += { RecordVal* rvticket = proc_ticket(${msg.ticket}); StringVal* authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->Lookup(2)->AsString(), rvticket->Lookup(4)->AsString(), rvticket->Lookup(3)->AsCount()); - rvticket->Assign(5, authenticationinfo); + if ( authenticationinfo ) + rvticket->Assign(5, authenticationinfo); BifEvent::generate_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(), rvticket, rv); } diff --git a/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output b/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output index 50876c8d47..20b0b568c3 100644 --- a/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output +++ b/testing/btest/Baseline/scripts.base.protocols.krb.kinit/output @@ -1,3 +1,3 @@ KRB_AP_REQUEST -[pvno=5, realm=VLADG.NET, service_name=krbtgt/VLADG.NET, cipher=18, ciphertext={\x9fY\xd0f\x8dS\xf4I\x88\x04\xfa\xc1\xd8m\xa2\xb7+\xbb\x19\xcag\x0c\x13\xd1g*\xfc\x18\xd1\xb1\x80!\xbd\x85\xec\xf9\x9b\xfa-\x18\xb6\xf5h\x91\xe7\x99\xf4\xdb\x93\xa0\xc7\x90\x1e\xa9\x95v\xd3\x12\xfa,9\x1d\x0b\xd0\xa1\xd25\x0f\x1f[G\xdf\xd0\xbbd\x06$2\xd1\xae\x130qZiY\x07@\xe9\xf9\xff\xa4\x9a\xd4\x09\xf0\x0d\xc1R\x10M\xbdKOV\xfd\xf6\x13\xf6\x9a\x95N\xdf!\xf6x\x94\xd8j\xa5\xdcp\xa8\x04\x99\x02x\xdb$\xd8\xfa_o\x8dV\xc8\x0a\xfe\x00\xf3&c\x0c8\xd1\xd0\xe9\x8e\xab\xfe&\xfe\x00\x8d$\x98I\xe5\x8d\x94rM4%\xd8\xfe\xa9\x08\x06\xc6\x95H7\xf7HCq\xb9\x0d$\x95?\x83B\x82\xdd\xea\xc3f3\xcc\xbb\x09\x0d-\x09;\xa6i%\xcd\xba\x11\xd4\xe0\x12w\xd0G&\xdaj\x82\x7f;\xf3\x1d\x10\xa4l\x06\x16l\x1bc\xa1\xd1\x15!\x00\x8a\xff\x8a\x06\xe7U^:] [use_session_key=F, mutual_required=F] From 327acf6555148aba759bd034d57a07773f17d03f Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Fri, 1 Jun 2018 12:46:26 -0700 Subject: [PATCH 459/631] KRB: do not set keytab by default. Only enable decryption if a user purposefully sets a keytab. --- scripts/base/init-bare.bro | 3 ++- src/analyzer/protocol/krb/KRB.cc | 3 +++ .../.stderr | 0 .../.stdout | 1 + .../base/protocols/krb/smb2_krb_nokeytab.test | 20 +++++++++++++++++++ 5 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stderr create mode 100644 testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stdout create mode 100644 testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 07ed841f6a..1d64c7c0a3 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -4245,7 +4245,8 @@ export { module KRB; export { - const keytab = "/etc/krb5.keytab" &redef; + ## Kerberos keytab file name. Used to decrypt tickets encountered on the wire. + const keytab = "" &redef; ## KDC Options. See :rfc:`4120` type KRB::KDC_Options: record { ## The ticket to be issued should have its forwardable flag set. diff --git a/src/analyzer/protocol/krb/KRB.cc b/src/analyzer/protocol/krb/KRB.cc index 4a13aec425..5a41b0b99b 100644 --- a/src/analyzer/protocol/krb/KRB.cc +++ b/src/analyzer/protocol/krb/KRB.cc @@ -13,6 +13,9 @@ KRB_Analyzer::KRB_Analyzer(Connection* conn) interp = new binpac::KRB::KRB_Conn(this); #ifdef USE_KRB5 + if ( BifConst::KRB::keytab->Len() == 0 ) + return; // no keytab set + const char* keytab_filename = BifConst::KRB::keytab->CheckString(); if ( access(keytab_filename, R_OK) != 0 ) { diff --git a/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stderr b/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stderr new file mode 100644 index 0000000000..e69de29bb2 
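Review bot: The early return added to the KRB_Analyzer constructor, `if ( BifConst::KRB::keytab->Len() == 0 ) return;`, exits before any of the keytab setup, so the `if ( !krb_available )` check in GetAuthenticationInfo relies on krb_available already being false at that point. Its initialisation is outside this hunk; if it is only assigned further down in the constructor, it should be set to false before this return. The doc line added for `KRB::keytab` in init-bare.bro could also note what the file contains: `## The keytab holds long-term service keys; keep it readable only by the account running Bro.`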
diff --git a/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stdout b/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stdout new file mode 100644 index 0000000000..cf84443e49 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stdout @@ -0,0 +1 @@ +F diff --git a/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test b/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test new file mode 100644 index 0000000000..0d2c68d142 --- /dev/null +++ b/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test @@ -0,0 +1,20 @@ +# This test verifies that without a keytab file no entries are +# created and no errors happen. +# +# @TEST-REQUIRES: grep -q "#define USE_KRB5" $BUILD/bro-config.h +# +# @TEST-COPY-FILE: ${TRACES}/krb/smb2_krb.keytab +# @TEST-EXEC: bro -C -r $TRACES/krb/smb2_krb.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout +# @TEST-EXEC: btest-diff .stderr + +global monitor_ports: set[port] = { 445/tcp, 139/tcp } &redef; + +event bro_init() &priority=5{ + Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, monitor_ports); +} + +event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options){ + print ticket?$authenticationinfo; +} + From 6f3ccd507b2dcd095baf4dbcd004b06088f77ad7 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 1 Jun 2018 12:48:38 -0700 Subject: [PATCH 460/631] Allow setting KRB5 root dir in configure --- configure | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/configure b/configure index cf1c901449..ed4cbf3d6e 100755 --- a/configure +++ b/configure @@ -72,6 +72,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... Optional Packages in Non-Standard Locations: --with-geoip=PATH path to the libGeoIP install root + --with-krb5=PATH path to krb5 install root --with-perftools=PATH path to Google Perftools install root --with-jemalloc=PATH path to jemalloc install root --with-python-lib=PATH path to libpython 
@@ -250,6 +251,9 @@ while [ $# -ne 0 ]; do --with-geoip=*) append_cache_entry LibGeoIP_ROOT_DIR PATH $optarg ;; + --with-krb5=*) + append_cache_entry LibKrb5_ROOT_DIR PATH $optarg + ;; --with-perftools=*) append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg ;; From 1b4e0116f4aa4f846b4ea85b01a26f066f8e401d Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 1 Jun 2018 15:38:11 -0500 Subject: [PATCH 461/631] Allow BRO_DEFAULT_LISTEN_ADDRESS to control broker listen address This environment variable is now set to listen only on IPv4 loopback when running unit tests (instead of using the default INADDR_ANY). This also moves some of the @loads out from init-bare.bro into a new init-frameworks-and-bifs.bro in order to better support calling BIFs (like `getenv`) from variable initializations in those particular frameworks. --- scripts/base/frameworks/broker/main.bro | 2 +- scripts/base/init-bare.bro | 20 +++----------- scripts/base/init-frameworks-and-bifs.bro | 15 +++++++++++ src/input.h | 1 + src/main.cc | 4 ++- src/scan.l | 25 ++++++++++++++---- .../canonified_loaded_scripts.log | 11 ++++---- .../canonified_loaded_scripts.log | 11 ++++---- testing/btest/Baseline/plugins.hooks/output | 26 ++++++++++++++----- testing/btest/btest.cfg | 1 + 10 files changed, 76 insertions(+), 40 deletions(-) create mode 100644 scripts/base/init-frameworks-and-bifs.bro diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.bro index 451d4cf86b..5368d5422b 100644 --- a/scripts/base/frameworks/broker/main.bro +++ b/scripts/base/frameworks/broker/main.bro @@ -14,7 +14,7 @@ export { ## Default address on which to listen. ## ## .. bro:see:: Broker::listen - const default_listen_address = "" &redef; + const default_listen_address = getenv("BRO_DEFAULT_LISTEN_ADDRESS") &redef; ## Default interval to retry connecting to a peer if it cannot be made to work ## initially, or if it ever becomes disconnected. 
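Review bot: `$optarg` is expanded unquoted in the new `--with-krb5=*)` case, so an install root containing whitespace or glob characters is word-split before it reaches `append_cache_entry`. `append_cache_entry LibKrb5_ROOT_DIR PATH "$optarg"` avoids that. The neighbouring `--with-geoip` and `--with-perftools` cases visible in the hunk have the same form, so this is probably best fixed across the whole `case` block, which continues outside the hunk.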
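Review bot: The doc comment above `default_listen_address` still reads only "Default address on which to listen." although the value now comes from the process environment. A reader of the generated documentation cannot tell that an unset or empty `BRO_DEFAULT_LISTEN_ADDRESS` leaves the endpoint listening on every interface (INADDR_ANY, per the commit message), which is the default that matters for exposure. I would add `## Initialized from the BRO_DEFAULT_LISTEN_ADDRESS environment variable; if that is` and `## unset or empty, Broker listens on all interfaces.` The value is passed through unvalidated here; whether `Broker::listen` rejects a malformed address is not visible in this hunk.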
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index d5bb8f2be9..c20a31279f 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -1,4 +1,4 @@ -@load base/bif/const.bif.bro +@load base/bif/const.bif @load base/bif/types.bif # Type declarations @@ -1797,9 +1797,11 @@ type gtp_delete_pdp_ctx_response_elements: record { }; # Prototypes of Bro built-in functions. -@load base/bif/strings.bif @load base/bif/bro.bif +@load base/bif/stats.bif @load base/bif/reporter.bif +@load base/bif/strings.bif +@load base/bif/option.bif ## Deprecated. This is superseded by the new logging framework. global log_file_name: function(tag: string): string &redef; @@ -4822,17 +4824,3 @@ const global_hash_seed: string = "" &redef; ## files. The larger the value, the more confidence in UID uniqueness. ## The maximum is currently 128 bits. const bits_per_uid: count = 96 &redef; - -# Load these frameworks here because they use fairly deep integration with -# BiFs and script-land defined types. -@load base/frameworks/logging -@load base/frameworks/broker -@load base/frameworks/input -@load base/frameworks/analyzer -@load base/frameworks/files - -@load base/bif - -# Load BiFs defined by plugins. -@load base/bif/plugins - diff --git a/scripts/base/init-frameworks-and-bifs.bro b/scripts/base/init-frameworks-and-bifs.bro new file mode 100644 index 0000000000..f772e2d223 --- /dev/null +++ b/scripts/base/init-frameworks-and-bifs.bro 
@@ -0,0 +1,15 @@ +# Load these frameworks here because they use fairly deep integration with +# BiFs and script-land defined types. They are also more likely to +# make use of calling BIFs for variable initializations, and that +# can't be done until init-bare.bro has been loaded completely (hence +# the separate file). +@load base/frameworks/logging +@load base/frameworks/broker +@load base/frameworks/input +@load base/frameworks/analyzer +@load base/frameworks/files + +@load base/bif + +# Load BiFs defined by plugins. +@load base/bif/plugins diff --git a/src/input.h b/src/input.h index f0f402b23b..3d0caa459a 100644 --- a/src/input.h +++ b/src/input.h @@ -14,6 +14,7 @@ extern int yydebug; extern int brolex(); extern char last_tok[128]; +extern void add_essential_input_file(const char* file); extern void add_input_file(const char* file); extern void add_input_file_at_front(const char* file); diff --git a/src/main.cc b/src/main.cc index 2277ab0cba..2a61c753b8 100644 --- a/src/main.cc +++ b/src/main.cc @@ -755,7 +755,9 @@ int main(int argc, char** argv) broxygen_mgr = new broxygen::Manager(broxygen_config, bro_argv[0]); - add_input_file("base/init-bare.bro"); + add_essential_input_file("base/init-bare.bro"); + add_essential_input_file("base/init-frameworks-and-bifs.bro"); + if ( ! bare_mode ) add_input_file("base/init-default.bro"); diff --git a/src/scan.l b/src/scan.l index 41fb758bc6..27490c13ad 100644 --- a/src/scan.l +++ b/src/scan.l @@ -821,6 +821,18 @@ void do_atendif() // are referred to (in order to save the locations of tokens and statements, // for error reporting and debugging). static name_list input_files; +static name_list essential_input_files; + +void add_essential_input_file(const char* file) + { + if ( ! file ) + reporter->InternalError("empty filename"); + + if ( ! filename ) + (void) load_files(file); + else + essential_input_files.append(copy_string(file)); + } void add_input_file(const char* file) { 
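Review bot: `add_essential_input_file()` in scan.l has no comment saying how it differs from `add_input_file()`, and the declaration added to input.h gives no hint either. From the `yywrap()` change in the same commit, essential files are drained before anything queued in `input_files`. A one-line comment such as `// Like add_input_file(), but yywrap() loads all essential files before any file in input_files.` would record that ordering guarantee. The `"empty filename"` message is reached for a null pointer rather than an empty string, so `"null filename"` would describe the condition more accurately.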
@@ -869,7 +881,7 @@ int yywrap() if ( ! did_builtin_init && file_stack.length() == 1 ) { // ### This is a gross hack - we know that the first file - // we parse is bro.init, and after it it's safe to initialize + // we parse is init-bare.bro, and after it it's safe to initialize // the built-ins. Furthermore, we want to initialize the // built-in's *right* after parsing bro.init, so that other // source files can use built-in's when initializing globals. @@ -885,19 +897,22 @@ int yywrap() return 0; // Stack is now empty. - while ( input_files.length() > 0 ) + while ( essential_input_files.length() > 0 || input_files.length() > 0 ) { - if ( load_files(input_files[0]) ) + name_list& files = essential_input_files.length() > 0 ? + essential_input_files : input_files; + + if ( load_files(files[0]) ) { // Don't delete the filename - it's pointed to by // every BroObj created when parsing it. - (void) input_files.remove_nth(0); + (void) files.remove_nth(0); return 0; } // We already scanned the file. Pop it and try the next, // if any. - (void) input_files.remove_nth(0); + (void) files.remove_nth(0); } // For each file scanned so far, and for each @prefix, look for a diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log index 768eb520ea..c56e53f28d 100644 --- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log 
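Review bot: The comment in `yywrap()` is only half updated: the first mention now says init-bare.bro, but two lines below it still reads "right after parsing bro.init". Change that line to `// built-in's *right* after parsing init-bare.bro, so that other` so the block names one file consistently. `yywrap()` starts and ends outside this hunk.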
@@ -3,18 +3,21 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2018-03-01-16-07-03 +#open 2018-06-01-20-31-44 #fields name #types string scripts/base/init-bare.bro build/scripts/base/bif/const.bif.bro build/scripts/base/bif/types.bif.bro - build/scripts/base/bif/strings.bif.bro build/scripts/base/bif/bro.bif.bro + build/scripts/base/bif/stats.bif.bro build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/strings.bif.bro + build/scripts/base/bif/option.bif.bro build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro build/scripts/base/bif/plugins/Bro_KRB.types.bif.bro build/scripts/base/bif/event.bif.bro +scripts/base/init-frameworks-and-bifs.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/main.bro build/scripts/base/bif/logging.bif.bro @@ -52,8 +55,6 @@ scripts/base/init-bare.bro scripts/base/utils/patterns.bro scripts/base/frameworks/files/magic/__load__.bro build/scripts/base/bif/__load__.bro - build/scripts/base/bif/stats.bif.bro - build/scripts/base/bif/option.bif.bro build/scripts/base/bif/broxygen.bif.bro build/scripts/base/bif/pcap.bif.bro build/scripts/base/bif/bloom-filter.bif.bro @@ -175,4 +176,4 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2018-03-01-16-07-03 +#close 2018-06-01-20-31-44 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 5ca6cdd812..11bb9e1fa2 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
@@ -3,18 +3,21 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2018-05-17-23-49-59 +#open 2018-06-01-20-31-46 #fields name #types string scripts/base/init-bare.bro build/scripts/base/bif/const.bif.bro build/scripts/base/bif/types.bif.bro - build/scripts/base/bif/strings.bif.bro build/scripts/base/bif/bro.bif.bro + build/scripts/base/bif/stats.bif.bro build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/strings.bif.bro + build/scripts/base/bif/option.bif.bro build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro build/scripts/base/bif/plugins/Bro_KRB.types.bif.bro build/scripts/base/bif/event.bif.bro +scripts/base/init-frameworks-and-bifs.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/main.bro build/scripts/base/bif/logging.bif.bro @@ -52,8 +55,6 @@ scripts/base/init-bare.bro scripts/base/utils/patterns.bro scripts/base/frameworks/files/magic/__load__.bro build/scripts/base/bif/__load__.bro - build/scripts/base/bif/stats.bif.bro - build/scripts/base/bif/option.bif.bro build/scripts/base/bif/broxygen.bif.bro build/scripts/base/bif/pcap.bif.bro build/scripts/base/bif/bloom-filter.bif.bro @@ -364,4 +365,4 @@ scripts/base/init-default.bro scripts/base/misc/find-filtered-trace.bro scripts/base/misc/version.bro scripts/policy/misc/loaded-scripts.bro -#close 2018-05-17-23-49-59 +#close 2018-06-01-20-31-46 diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 37a613347c..4a7b2c0854 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
@@ -264,7 +264,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1527879383.723919, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> @@ -441,7 +441,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1527879383.723919, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -469,6 +469,7 @@ 0.000000 MetaHookPost CallFunction(bro_init, , ()) -> 0.000000 MetaHookPost CallFunction(current_time, , ()) -> 0.000000 MetaHookPost CallFunction(filter_change_tracking, , ()) -> +0.000000 MetaHookPost CallFunction(getenv, , (BRO_DEFAULT_LISTEN_ADDRESS)) -> 0.000000 MetaHookPost CallFunction(getenv, , (CLUSTER_NODE)) -> 0.000000 MetaHookPost CallFunction(global_ids, , ()) -> 0.000000 MetaHookPost CallFunction(network_time, , ()) -> @@ -727,6 +728,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/http) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/imap) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/init-default.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/init-frameworks-and-bifs.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/input) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/input.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/intel) -> -1 @@ -744,6 +746,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/ntlm) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/numbers.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/openflow) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/option.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/packet-filter) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/paths.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/patterns.bro) -> -1 @@ -766,6 +769,7 @@ 0.000000 MetaHookPost LoadFile(0, base<...>/software) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/ssh) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/ssl) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/stats.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/store.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/strings.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, base<...>/strings.bro) -> -1 
@@ -1062,7 +1066,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1527879383.723919, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) @@ -1239,7 +1243,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1527879383.723919, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1267,6 +1271,7 @@ 0.000000 MetaHookPre CallFunction(bro_init, , ()) 0.000000 MetaHookPre CallFunction(current_time, , ()) 0.000000 MetaHookPre CallFunction(filter_change_tracking, , ()) +0.000000 MetaHookPre CallFunction(getenv, , (BRO_DEFAULT_LISTEN_ADDRESS)) 0.000000 MetaHookPre CallFunction(getenv, , (CLUSTER_NODE)) 0.000000 MetaHookPre CallFunction(global_ids, , ()) 0.000000 MetaHookPre CallFunction(network_time, , ()) @@ -1525,6 +1530,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/http) 0.000000 MetaHookPre LoadFile(0, base<...>/imap) 0.000000 MetaHookPre LoadFile(0, base<...>/init-default.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/init-frameworks-and-bifs.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/input) 0.000000 MetaHookPre LoadFile(0, base<...>/input.bif.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/intel) @@ -1542,6 +1548,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/ntlm) 0.000000 MetaHookPre LoadFile(0, base<...>/numbers.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/openflow) +0.000000 MetaHookPre LoadFile(0, base<...>/option.bif.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/packet-filter) 0.000000 MetaHookPre LoadFile(0, base<...>/paths.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/patterns.bro) @@ -1564,6 +1571,7 @@ 0.000000 MetaHookPre LoadFile(0, base<...>/software) 0.000000 MetaHookPre LoadFile(0, base<...>/ssh) 0.000000 MetaHookPre LoadFile(0, base<...>/ssl) +0.000000 MetaHookPre LoadFile(0, base<...>/stats.bif.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/store.bif.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/strings.bif.bro) 0.000000 MetaHookPre LoadFile(0, base<...>/strings.bro) 
@@ -1859,7 +1867,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1527879383.723919, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) @@ -2036,7 +2044,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1527879383.723919, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2064,6 +2072,7 @@ 0.000000 | HookCallFunction bro_init() 0.000000 | HookCallFunction current_time() 0.000000 | HookCallFunction filter_change_tracking() +0.000000 | HookCallFunction getenv(BRO_DEFAULT_LISTEN_ADDRESS) 0.000000 | HookCallFunction getenv(CLUSTER_NODE) 0.000000 | HookCallFunction global_ids() 0.000000 | HookCallFunction network_time() 
@@ -2331,6 +2340,7 @@ 0.000000 | HookLoadFile base<...>/http 0.000000 | HookLoadFile base<...>/imap 0.000000 | HookLoadFile base<...>/init-default.bro +0.000000 | HookLoadFile base<...>/init-frameworks-and-bifs.bro 0.000000 | HookLoadFile base<...>/input 0.000000 | HookLoadFile base<...>/input.bif.bro 0.000000 | HookLoadFile base<...>/intel @@ -2348,6 +2358,7 @@ 0.000000 | HookLoadFile base<...>/ntlm 0.000000 | HookLoadFile base<...>/numbers.bro 0.000000 | HookLoadFile base<...>/openflow +0.000000 | HookLoadFile base<...>/option.bif.bro 0.000000 | HookLoadFile base<...>/packet-filter 0.000000 | HookLoadFile base<...>/paths.bro 0.000000 | HookLoadFile base<...>/patterns.bro @@ -2370,6 +2381,7 @@ 0.000000 | HookLoadFile base<...>/software 0.000000 | HookLoadFile base<...>/ssh 0.000000 | HookLoadFile base<...>/ssl +0.000000 | HookLoadFile base<...>/stats.bif.bro 0.000000 | HookLoadFile base<...>/store.bif.bro 0.000000 | HookLoadFile base<...>/strings.bif.bro 0.000000 | HookLoadFile base<...>/strings.bro @@ -2387,7 +2399,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1527879383.723919, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg index 8a69f5eddc..81ee5bd5e5 100644 --- a/testing/btest/btest.cfg +++ b/testing/btest/btest.cfg @@ -25,3 +25,4 @@ TMPDIR=%(testbase)s/.tmp BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage/XXXXXX BTEST_RST_FILTER=$SCRIPTS/rst-filter BRO_DNS_FAKE=1 +BRO_DEFAULT_LISTEN_ADDRESS=127.0.0.1 
From 3a9575bf8a089aa2c8f7cd8dffa569f447a95d4e Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 1 Jun 2018 13:12:46 -0700 Subject: [PATCH 462/631] Make kerberos initialization static. There does not seem to be any reason to initialize the members more than once globally. --- NEWS | 3 +++ src/analyzer/protocol/krb/KRB.cc | 31 ++++++++++++++++++------------- src/analyzer/protocol/krb/KRB.h | 9 ++++++--- 3 files changed, 27 insertions(+), 16 deletions(-) diff --git a/NEWS b/NEWS index 6f3c047f40..9c2cbcb2e1 100644 --- a/NEWS +++ b/NEWS @@ -242,6 +242,9 @@ New Functionality - Added new SMB events: smb1_transaction_secondary_request, smb1_transaction2_secondary_request, smb1_transaction_response +- Bro can now decrypt Kerberos tickets, and retrieve the authentication from + them, given a suitable keytab file. + Changed Functionality --------------------- diff --git a/src/analyzer/protocol/krb/KRB.cc b/src/analyzer/protocol/krb/KRB.cc index 5a41b0b99b..4ee663dcf1 100644 --- a/src/analyzer/protocol/krb/KRB.cc +++ b/src/analyzer/protocol/krb/KRB.cc @@ -6,13 +6,25 @@ using namespace analyzer::krb; +bool KRB_Analyzer::krb_available = false; +#ifdef USE_KRB5 +krb5_context KRB_Analyzer::krb_context = nullptr; +krb5_keytab KRB_Analyzer::krb_keytab = nullptr; +std::once_flag KRB_Analyzer::krb_initialized; +#endif + KRB_Analyzer::KRB_Analyzer(Connection* conn) - : Analyzer("KRB", conn), - krb_available(false) + : Analyzer("KRB", conn) { interp = new binpac::KRB::KRB_Conn(this); +#ifdef USE_KRB5 + std::call_once(krb_initialized, Initialize_Krb); +#endif + } #ifdef USE_KRB5 +void KRB_Analyzer::Initialize_Krb() + { if ( BifConst::KRB::keytab->Len() == 0 ) return; // no keytab set 
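Review bot: With `std::call_once(krb_initialized, Initialize_Krb)` in KRB.cc the keytab is opened once per process, so a failure at the first KRB connection (for example a keytab that is not yet readable) leaves `krb_available` false until restart. Nothing in the hunk documents that. A comment on `Initialize_Krb()` such as `// Runs once per process; if it fails, ticket decryption stays disabled until Bro is restarted.` would make the behaviour explicit. `Initialize_Krb()` continues outside this hunk.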
@@ -37,20 +49,11 @@ KRB_Analyzer::KRB_Analyzer(Connection* conn) return; } krb_available = true; -#endif } +#endif KRB_Analyzer::~KRB_Analyzer() { -#ifdef USE_KRB5 - if ( krb_available ) - { - krb5_error_code retval = krb5_kt_close(krb_context, krb_keytab); - if ( retval ) - reporter->Warning("KRB: Couldn't close keytab (%s)", krb5_get_error_message(krb_context, retval)); - krb5_free_context(krb_context); - } -#endif delete interp; } @@ -125,7 +128,9 @@ StringVal* KRB_Analyzer::GetAuthenticationInfo(const BroString* principal, const StringVal* ret = new StringVal(cp); krb5_free_unparsed_name(krb_context, cp); -#endif return ret; +#else + return nullptr; +#endif } diff --git a/src/analyzer/protocol/krb/KRB.h b/src/analyzer/protocol/krb/KRB.h index 3d924482de..7eee46d838 100644 --- a/src/analyzer/protocol/krb/KRB.h +++ b/src/analyzer/protocol/krb/KRB.h @@ -30,10 +30,13 @@ protected: binpac::KRB::KRB_Conn* interp; - bool krb_available; +private: + static bool krb_available; #ifdef USE_KRB5 - krb5_context krb_context; - krb5_keytab krb_keytab; + static std::once_flag krb_initialized; + static void Initialize_Krb(); + static krb5_context krb_context; + static krb5_keytab krb_keytab; #endif }; From 81d6b4c645a8e42932899ba0044f59f436d00a21 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 1 Jun 2018 15:03:41 -0700 Subject: [PATCH 463/631] Updating submodule(s). [nomail] --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/aux/binpac b/aux/binpac index 0b2ef114fd..951aeae8e4 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 0b2ef114fdac4c135d357693d7e74a441dee8db3 +Subproject commit 951aeae8e4a08c598203cf61387f015ec4e0849d diff --git a/aux/bro-aux b/aux/bro-aux index ad99dc534f..eeb677ff69 160000 --- a/aux/bro-aux +++ b/aux/bro-aux 
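Review bot: Nothing visible releases the now-static `krb_context` and `krb_keytab` once this hunk removes the `krb5_kt_close()` / `krb5_free_context()` calls from `~KRB_Analyzer()`, so the keytab handle and context stay allocated until the process exits. If that is intended, say so next to the static definitions, e.g. `// Intentionally never freed: shared by all KRB analyzers for the lifetime of the process.` The error paths of `Initialize_Krb()` are only partly inside this hunk, so whether a context created before a later failure is released cannot be checked from here.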
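Review bot: `std::once_flag` is declared in KRB.h but the hunk adds no `#include <mutex>`; unless the header already gets it through another include, add `#include <mutex>` at the top of the file. The new static members would also benefit from a short comment that they are process-wide and shared by every `KRB_Analyzer`, e.g. `// Process-wide krb5 state, set up once by Initialize_Krb().` The class definition starts outside this hunk.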
@@ -1 +1 @@ -Subproject commit ad99dc534f2574a47a808d677fc76098f42a1b54 +Subproject commit eeb677ff696f8ea3eaa43a765fe40da07ed5281d diff --git a/aux/broccoli b/aux/broccoli index 701a539f29..d9041cc95d 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 701a539f295f138bb1c44953310e083a4210fe1b +Subproject commit d9041cc95d2232dbbcf36647f34537da22e360ff diff --git a/aux/broctl b/aux/broctl index 7e68ad436e..fc7abc2c5e 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 7e68ad436e122fa95c87b6caca0e2e7b20dd5b97 +Subproject commit fc7abc2c5e459b51d60b2036db428053b5fb27f5 diff --git a/aux/broker b/aux/broker index 7b84848bde..da4f84a4cf 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 7b84848bded443637fa34e76f7d8558bd1cafbee +Subproject commit da4f84a4cf9921298910e5b61214f32de27c632d From 51f20136d5ce8a768ec77ada34b4bf326933d11c Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Sat, 2 Jun 2018 04:37:08 -0400 Subject: [PATCH 464/631] Remove some UTF-8 characters that snuck into a few strings. --- scripts/base/files/pe/consts.bro | 2 +- .../base/protocols/smb/const-nt-status.bro | 20 +++++++++---------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/scripts/base/files/pe/consts.bro b/scripts/base/files/pe/consts.bro index 35ad9c3c61..3dcfddec79 100644 --- a/scripts/base/files/pe/consts.bro +++ b/scripts/base/files/pe/consts.bro @@ -65,7 +65,7 @@ export { [9] = "WINDOWS_CE_GUI", [10] = "EFI_APPLICATION", [11] = "EFI_BOOT_SERVICE_DRIVER", - [12] = "EFI_RUNTIME_
DRIVER", + [12] = "EFI_RUNTIME_DRIVER", [13] = "EFI_ROM", [14] = "XBOX" } &default=function(i: count):string { return fmt("unknown-%d", i); }; diff --git a/scripts/base/protocols/smb/const-nt-status.bro b/scripts/base/protocols/smb/const-nt-status.bro index 8804522ed9..ea7c7fe9ed 100644 --- a/scripts/base/protocols/smb/const-nt-status.bro +++ b/scripts/base/protocols/smb/const-nt-status.bro 
@@ -64,8 +64,8 @@ redef SMB::statuses += { [0x40000007] = [$id="BAD_CURRENT_DIRECTORY", $desc="{Invalid Current Directory} The process cannot switch to the startup current directory %hs. Select OK to set the current directory to %hs, or select CANCEL to exit."], [0x40000008] = [$id="SERIAL_MORE_WRITES", $desc="{Serial IOCTL Complete} A serial I/O operation was completed by another write to a serial port. (The IOCTL_SERIAL_XOFF_COUNTER reached zero.)"], [0x40000009] = [$id="REGISTRY_RECOVERED", $desc="{Registry Recovery} One of the files that contains the system registry data had to be recovered by using a log or alternate copy. The recovery was successful."], - [0x4000000A] = [$id="FT_READ_RECOVERY_FROM_BACKUP", $desc="{Redundant Read} To satisfy a read request, the Windows NT fault-tolerant file system successfully read the requested data from a redundant copy. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."], - [0x4000000B] = [$id="FT_WRITE_RECOVERY", $desc="{Redundant Write} To satisfy a write request, the Windows NT fault-tolerant file system successfully wrote a redundant copy of the information. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."], + [0x4000000A] = [$id="FT_READ_RECOVERY_FROM_BACKUP", $desc="{Redundant Read} To satisfy a read request, the Windows NT fault-tolerant file system successfully read the requested data from a redundant copy. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."], + [0x4000000B] = [$id="FT_WRITE_RECOVERY", $desc="{Redundant Write} To satisfy a write request, the Windows NT fault-tolerant file system successfully wrote a redundant copy of the information. 
This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."], [0x4000000C] = [$id="SERIAL_COUNTER_TIMEOUT", $desc="{Serial IOCTL Timeout} A serial I/O operation completed because the time-out period expired. (The IOCTL_SERIAL_XOFF_COUNTER had not reached zero.)"], [0x4000000D] = [$id="NULL_LM_PASSWORD", $desc="{Password Too Complex} The Windows password is too complex to be converted to a LAN Manager password. The LAN Manager password that returned is a NULL string."], [0x4000000E] = [$id="IMAGE_MACHINE_TYPE_MISMATCH", $desc="{Machine Type Mismatch} The image file %hs is valid but is for a machine type other than the current machine. Select OK to continue, or CANCEL to fail the DLL load."], 
@@ -839,12 +839,12 @@ redef SMB::statuses += { [0xC0000303] = [$id="WMI_ALREADY_ENABLED", $desc="Collection or events for the WMI GUID is already enabled."], [0xC0000304] = [$id="MFT_TOO_FRAGMENTED", $desc="The master file table on the volume is too fragmented to complete this operation."], [0xC0000305] = [$id="COPY_PROTECTION_FAILURE", $desc="Copy protection failure."], - [0xC0000306] = [$id="CSS_AUTHENTICATION_FAILURE", $desc="Copy protection error—DVD CSS Authentication failed."], - [0xC0000307] = [$id="CSS_KEY_NOT_PRESENT", $desc="Copy protection error—The specified sector does not contain a valid key."], - [0xC0000308] = [$id="CSS_KEY_NOT_ESTABLISHED", $desc="Copy protection error—DVD session key not established."], - [0xC0000309] = [$id="CSS_SCRAMBLED_SECTOR", $desc="Copy protection error—The read failed because the sector is encrypted."], - [0xC000030A] = [$id="CSS_REGION_MISMATCH", $desc="Copy protection error—The region of the specified DVD does not correspond to the region setting of the drive."], - [0xC000030B] = [$id="CSS_RESETS_EXHAUSTED", $desc="Copy protection error—The region setting of the drive may be permanent."], + [0xC0000306] = [$id="CSS_AUTHENTICATION_FAILURE", $desc="Copy protection error-DVD CSS Authentication failed."], + [0xC0000307] = [$id="CSS_KEY_NOT_PRESENT", $desc="Copy protection error-The specified sector does not contain a valid key."], + [0xC0000308] = [$id="CSS_KEY_NOT_ESTABLISHED", $desc="Copy protection error-DVD session key not established."], + [0xC0000309] = [$id="CSS_SCRAMBLED_SECTOR", $desc="Copy protection error-The read failed because the sector is encrypted."], + [0xC000030A] = [$id="CSS_REGION_MISMATCH", $desc="Copy protection error-The region of the specified DVD does not correspond to the region setting of the drive."], + [0xC000030B] = [$id="CSS_RESETS_EXHAUSTED", $desc="Copy protection error-The region setting of the drive may be permanent."], [0xC0000320] = [$id="PKINIT_FAILURE", $desc="The Kerberos protocol 
encountered an error while validating the KDC certificate during smart card logon. There is more information in the system event log."], [0xC0000321] = [$id="SMARTCARD_SUBSYSTEM_FAILURE", $desc="The Kerberos protocol encountered an error while attempting to use the smart card subsystem."], [0xC0000322] = [$id="NO_KERB_KEY", $desc="The target server does not have acceptable Kerberos credentials."], @@ -855,7 +855,7 @@ redef SMB::statuses += { [0xC0000354] = [$id="DEBUGGER_INACTIVE", $desc="An attempt to do an operation on a debug port failed because the port is in the process of being deleted."], [0xC0000355] = [$id="DS_VERSION_CHECK_FAILURE", $desc="This version of Windows is not compatible with the behavior version of the directory forest, domain, or domain controller."], [0xC0000356] = [$id="AUDITING_DISABLED", $desc="The specified event is currently not being audited."], - [0xC0000357] = [$id="PRENT4_MACHINE_ACCOUNT", $desc="The machine account was created prior to Windows NT 4.0. The account needs to be recreated."], + [0xC0000357] = [$id="PRENT4_MACHINE_ACCOUNT", $desc="The machine account was created prior to Windows NT 4.0. The account needs to be recreated."], [0xC0000358] = [$id="DS_AG_CANT_HAVE_UNIVERSAL_MEMBER", $desc="An account group cannot have a universal group as a member."], [0xC0000359] = [$id="INVALID_IMAGE_WIN_32", $desc="The specified image file did not have the correct format; it appears to be a 32-bit Windows image."], [0xC000035A] = [$id="INVALID_IMAGE_WIN_64", $desc="The specified image file did not have the correct format; it appears to be a 64-bit Windows image."], 
@@ -1790,4 +1790,4 @@ redef SMB::statuses += { [0xC03A0017] = [$id="VHD_CHILD_PARENT_SIZE_MISMATCH", $desc="The chain of virtual hard disks is corrupted. There is a mismatch in the virtual sizes of the parent virtual hard disk and differencing disk."], [0xC03A0018] = [$id="VHD_DIFFERENCING_CHAIN_CYCLE_DETECTED", $desc="The chain of virtual hard disks is corrupted. A differencing disk is indicated in its own parent chain."], [0xC03A0019] = [$id="VHD_DIFFERENCING_CHAIN_ERROR_IN_PARENT", $desc="The chain of virtual hard disks is inaccessible. There was an error opening a virtual hard disk further up the chain."], -}; \ No newline at end of file +}; From cd18d96205851aa9b81bcb8f0c6960768b457f72 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Sat, 2 Jun 2018 04:57:48 -0400 Subject: [PATCH 465/631] Removed a few more discovered UTF-8 characters in Bro scripts. --- scripts/base/protocols/smb/const-nt-status.bro | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/base/protocols/smb/const-nt-status.bro b/scripts/base/protocols/smb/const-nt-status.bro index ea7c7fe9ed..f985e72a3b 100644 --- a/scripts/base/protocols/smb/const-nt-status.bro +++ b/scripts/base/protocols/smb/const-nt-status.bro 
@@ -494,7 +494,7 @@ redef SMB::statuses += { [0xC0000131] = [$id="INVALID_IMAGE_WIN_16", $desc="The specified image file did not have the correct format: it appears to be a 16-bit Windows image."], [0xC0000132] = [$id="LOGON_SERVER_CONFLICT", $desc="The Netlogon service cannot start because another Netlogon service running in the domain conflicts with the specified role."], [0xC0000133] = [$id="TIME_DIFFERENCE_AT_DC", $desc="The time at the primary domain controller is different from the time at the backup domain controller or member server by too large an amount."], - [0xC0000134] = [$id="SYNCHRONIZATION_REQUIRED", $desc="The SAM database on a Windows Server is significantly out of synchronization with the copy on the domain controller. A complete synchronization is required."], + [0xC0000134] = [$id="SYNCHRONIZATION_REQUIRED", $desc="The SAM database on a Windows Server is significantly out of synchronization with the copy on the domain controller. A complete synchronization is required."], [0xC0000135] = [$id="DLL_NOT_FOUND", $desc="{Unable To Locate Component} This application has failed to start because %hs was not found. Reinstalling the application may fix this problem."], [0xC0000136] = [$id="OPEN_FAILED", $desc="The NtCreateFile API failed. This error should never be returned to an application; it is a place holder for the Windows LAN Manager Redirector to use in its internal error-mapping routines."], [0xC0000137] = [$id="IO_PRIVILEGE_FAILED", $desc="{Privilege Failed} The I/O permissions for the process could not be changed."], 
@@ -536,7 +536,7 @@ redef SMB::statuses += { [0xC000015B] = [$id="LOGON_TYPE_NOT_GRANTED", $desc="A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network."], [0xC000015C] = [$id="NOT_REGISTRY_FILE", $desc="The system has attempted to load or restore a file into the registry, and the specified file is not in the format of a registry file."], [0xC000015D] = [$id="NT_CROSS_ENCRYPTION_REQUIRED", $desc="An attempt was made to change a user password in the security account manager without providing the necessary Windows cross-encrypted password."], - [0xC000015E] = [$id="DOMAIN_CTRLR_CONFIG_ERROR", $desc="A Windows Server has an incorrect configuration."], + [0xC000015E] = [$id="DOMAIN_CTRLR_CONFIG_ERROR", $desc="A Windows Server has an incorrect configuration."], [0xC000015F] = [$id="FT_MISSING_MEMBER", $desc="An attempt was made to explicitly access the secondary copy of information via a device control to the fault tolerance driver and the secondary copy is not present in the system."], [0xC0000160] = [$id="ILL_FORMED_SERVICE_ENTRY", $desc="A configuration registry node that represents a driver service entry was ill-formed and did not contain the required value entries."], [0xC0000161] = [$id="ILLEGAL_CHARACTER", $desc="An illegal character was encountered. For a multibyte character set, this includes a lead byte without a succeeding trail byte. For the Unicode character set this includes the characters 0xFFFF and 0xFFFE."], 
@@ -577,7 +577,7 @@ redef SMB::statuses += { [0xC0000188] = [$id="LOG_FILE_FULL", $desc="The log file space is insufficient to support this operation."], [0xC0000189] = [$id="TOO_LATE", $desc="A write operation was attempted to a volume after it was dismounted."], [0xC000018A] = [$id="NO_TRUST_LSA_SECRET", $desc="The workstation does not have a trust secret for the primary domain in the local LSA database."], - [0xC000018B] = [$id="NO_TRUST_SAM_ACCOUNT", $desc="The SAM database on the Windows Server does not have a computer account for this workstation trust relationship."], + [0xC000018B] = [$id="NO_TRUST_SAM_ACCOUNT", $desc="The SAM database on the Windows Server does not have a computer account for this workstation trust relationship."], [0xC000018C] = [$id="TRUSTED_DOMAIN_FAILURE", $desc="The logon request failed because the trust relationship between the primary domain and the trusted domain failed."], [0xC000018D] = [$id="TRUSTED_RELATIONSHIP_FAILURE", $desc="The logon request failed because the trust relationship between this workstation and the primary domain failed."], [0xC000018E] = [$id="EVENTLOG_FILE_CORRUPT", $desc="The Eventlog log file is corrupt."], 
@@ -833,7 +833,7 @@ redef SMB::statuses += { [0xC00002FD] = [$id="KDC_UNKNOWN_ETYPE", $desc="The encryption type requested is not supported by the KDC."], [0xC00002FE] = [$id="SHUTDOWN_IN_PROGRESS", $desc="A system shutdown is in progress."], [0xC00002FF] = [$id="SERVER_SHUTDOWN_IN_PROGRESS", $desc="The server machine is shutting down."], - [0xC0000300] = [$id="NOT_SUPPORTED_ON_SBS", $desc="This operation is not supported on a computer running Windows Server 2003 for Small Business Server."], + [0xC0000300] = [$id="NOT_SUPPORTED_ON_SBS", $desc="This operation is not supported on a computer running Windows Server 2003 for Small Business Server."], [0xC0000301] = [$id="WMI_GUID_DISCONNECTED", $desc="The WMI GUID is no longer available."], [0xC0000302] = [$id="WMI_ALREADY_DISABLED", $desc="Collection or events for the WMI GUID is already disabled."], [0xC0000303] = [$id="WMI_ALREADY_ENABLED", $desc="Collection or events for the WMI GUID is already enabled."], From fde88fa7177f7432d8611346926b428ff6dfc628 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Sat, 2 Jun 2018 17:29:01 -0500 Subject: [PATCH 466/631] #120: Pull in PR, and make a couple small cleanup tweaks. --- src/analyzer/protocol/ssh/ssh-analyzer.pac | 2 +- src/analyzer/protocol/ssh/ssh-protocol.pac | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/analyzer/protocol/ssh/ssh-analyzer.pac b/src/analyzer/protocol/ssh/ssh-analyzer.pac index bdb2553849..0ee0b92569 100644 --- a/src/analyzer/protocol/ssh/ssh-analyzer.pac +++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac @@ -178,7 +178,7 @@ refine flow SSH_Flow += { %{ switch (v) { case SSH1: - return packet_length + 4 + 8 -(packet_length%8); + return packet_length + 4 + 8 - (packet_length % 8); case SSH2: return packet_length + 4; default: diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac index a86e6cef8e..bf09f6e168 100644 --- a/src/analyzer/protocol/ssh/ssh-protocol.pac 
+++ b/src/analyzer/protocol/ssh/ssh-protocol.pac @@ -38,7 +38,7 @@ type SSH1_Key_Exchange(is_orig: bool, packet_length: uint32) = record { msg_type : uint8; message : SSH1_Message(is_orig, msg_type, packet_length - 5); crc : uint32; -} &length = packet_length + 8 - (packet_length % 8); +} &length = $context.flow.get_kex_length($context.connection.get_version(), packet_length) - 4; type SSH1_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { SSH_SMSG_PUBLIC_KEY -> public_key : SSH1_PUBLIC_KEY(length); From 19b893a5bcd8ff90d0b898fd39ceefe7fd885f6d Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 4 Jun 2018 13:52:46 -0500 Subject: [PATCH 467/631] Make 0 be a valid packet source timestamp For fuzzed/damaged/corrupted pcaps, a timestamp of 0 could lead to an infinite loop in Bro as it interprets that as meaning the packet source is not ready yet. --- CHANGES | 4 ++++ VERSION | 2 +- src/Serializer.cc | 4 ++-- src/iosource/Manager.cc | 4 ++-- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index e807bb0525..52bc4656a2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-642 | 2018-06-04 13:52:46 -0500 + + * Make 0 be a valid packet source timestamp (Corelight) + 2.5-641 | 2018-06-04 09:18:59 -0700 * Add Broker::publish_and_relay BIF diff --git a/VERSION b/VERSION index 15ce2d3aad..6de87095f8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-641 +2.5-642 diff --git a/src/Serializer.cc b/src/Serializer.cc index b759334b4d..0366c36c81 100644 --- a/src/Serializer.cc +++ b/src/Serializer.cc @@ -1017,7 +1017,7 @@ double EventPlayer::NextTimestamp(double* local_network_time) return ne_time; if ( ! io ) - return 0; + return -1; // Read next event if we don't have one waiting. if ( ! ne_time ) @@ -1028,7 +1028,7 @@ double EventPlayer::NextTimestamp(double* local_network_time) } if ( ! ne_time ) - return 0; + return -1; if ( ! network_time ) { 
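Review bot: The new `&length` on `SSH1_Key_Exchange` subtracts an unexplained `4` and now depends on the connection's version at parse time, so it needs a comment, e.g. `# get_kex_length() adds 4 to packet_length; subtract it again to get this record's size`. For SSH1 the result equals the old `packet_length + 8 - (packet_length % 8)`, but if `get_version()` returns anything else here, the length comes from another branch of `get_kex_length()`, whose `default` case is not visible in this patch. `packet_length` is a `uint32` parameter, presumably taken from the wire, and is also used as `packet_length - 5` two lines up. Values below 5 or near the top of the range would presumably wrap, so confirm that a bounds check runs before this record is parsed.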
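Review bot: `EventPlayer::NextTimestamp` now returns -1 for "nothing ready" (here and in the `@@ -1028` hunk), but it still tests `if ( ! ne_time )` to decide whether an event is waiting. A recorded event whose timestamp is exactly 0 is therefore still treated as absent, which is the same damaged-input case the commit fixes for packet sources; a separate flag or a negative initial value for `ne_time` would remove the overloaded 0. The -1 convention is also undocumented, and `FindSoonest` now accepts `ts >= 0`, so any other `NextTimestamp` implementation that still returns 0 for "not ready" would be selected with timestamp 0. The diffstat shows only Serializer.cc changed among the sources, so the others need checking, and the declaration should carry a comment such as `// Returns a negative value if no input is ready; 0 is a valid timestamp.` The function body starts and ends outside both hunks.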
diff --git a/src/iosource/Manager.cc b/src/iosource/Manager.cc index 80fa5fe860..390449da81 100644 --- a/src/iosource/Manager.cc +++ b/src/iosource/Manager.cc @@ -81,7 +81,7 @@ IOSource* Manager::FindSoonest(double* ts) all_idle = false; double local_network_time = 0; double ts = (*i)->src->NextTimestamp(&local_network_time); - if ( ts > 0 && ts < soonest_ts ) + if ( ts >= 0 && ts < soonest_ts ) { soonest_ts = ts; soonest_src = (*i)->src; @@ -162,7 +162,7 @@ IOSource* Manager::FindSoonest(double* ts) { double local_network_time = 0; double ts = src->src->NextTimestamp(&local_network_time); - if ( ts > 0.0 && ts < soonest_ts ) + if ( ts >= 0.0 && ts < soonest_ts ) { soonest_ts = ts; soonest_src = src->src; From a89151776242773a89ea1c8557e28d2b08c31e61 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Mon, 4 Jun 2018 11:43:20 -0700 Subject: [PATCH 468/631] Fix read at invalid address in X509 extension parser. When encountering an extension unknown to OpenSSL, we would read from the wrong memory location. Also added a testcase to prevent this specific case from happening again. --- src/file_analysis/analyzer/x509/X509Common.cc | 2 +- .../.stdout | 4 ++++ .../base/protocols/ssl/x509-invalid-extension.test | 11 +++++++++++ 3 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.x509-invalid-extension/.stdout create mode 100644 testing/btest/scripts/base/protocols/ssl/x509-invalid-extension.test diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc index b101f502ff..38102ed97e 100644 --- a/src/file_analysis/analyzer/x509/X509Common.cc +++ b/src/file_analysis/analyzer/x509/X509Common.cc @@ -244,7 +244,7 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, EventHandlerP int len = i2d_ASN1_OCTET_STRING(X509_EXTENSION_get_data(ex), &buf); if ( len >=0 ) { - BIO_write(bio, &buf, len); + BIO_write(bio, buf, len); OPENSSL_free(buf); } } 
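Review bot: In both `FindSoonest` hunks (`@@ -81` and `@@ -162`) the local `double ts` shadows the function's `double* ts` out-parameter, which makes the changed comparison easy to misread. Renaming the local keeps the two apart, e.g. `double src_ts = (*i)->src->NextTimestamp(&local_network_time);` followed by `if ( src_ts >= 0 && src_ts < soonest_ts )`. The first hunk compares against `0` and the second against `0.0`; use one spelling. Negative now means "not ready", but that is only implied by the `-1` returns in Serializer.cc, so add a short comment at the comparison saying so. The body of `FindSoonest` starts and ends outside both hunks.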
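Review bot: The result of `BIO_write(bio, buf, len)` is still ignored, so a failed or short write leaves the extension value empty or truncated with no indication. Test it with `if ( BIO_write(bio, buf, len) != len )` and report through whatever error path this function already uses. `i2d_ASN1_OCTET_STRING` only allocates the output when `buf` is null on entry, and the declaration of `buf` is outside this hunk, so confirm it is initialised to a null pointer; otherwise the corrected call and `OPENSSL_free(buf)` would still operate on an indeterminate pointer. A negative `len` is skipped silently as well. The body of `ParseExtension` starts and ends outside the hunk.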
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.x509-invalid-extension/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.x509-invalid-extension/.stdout new file mode 100644 index 0000000000..a56a7a6080 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.ssl.x509-invalid-extension/.stdout @@ -0,0 +1,4 @@ +UNDEF +\x04a0_\xa1]\xa0[0Y0W0U\x16\x09image/gif0!0\x1f0\x07\x06\x05+\x0e\x03\x02\x1a\x04\x14\x8f\xe5\xd3\x1a\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H\x18,{\x19.0%\x16#http://logo.verisign.com/vslogo.gif +UNDEF +\x04a0_\xa1]\xa0[0Y0W0U\x16\x09image/gif0!0\x1f0\x07\x06\x05+\x0e\x03\x02\x1a\x04\x14\x8f\xe5\xd3\x1a\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H\x18,{\x19.0%\x16#http://logo.verisign.com/vslogo.gif diff --git a/testing/btest/scripts/base/protocols/ssl/x509-invalid-extension.test b/testing/btest/scripts/base/protocols/ssl/x509-invalid-extension.test new file mode 100644 index 0000000000..de0dc9e59f --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/x509-invalid-extension.test @@ -0,0 +1,11 @@ +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT +# @TEST-EXEC: btest-diff .stdout + +event x509_extension(f: fa_file, ext: X509::Extension) + { + if ( ext$oid != "1.3.6.1.5.5.7.1.12" ) + return; + + print ext$short_name; + print ext$value; + } From b5b688b5f546b94b822e8fae88d384089880c7af Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 5 Jun 2018 15:19:16 -0500 Subject: [PATCH 469/631] Update `make doc`: don't copy broker docs --- CHANGES | 4 ++++ VERSION | 2 +- doc/CMakeLists.txt | 5 ----- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index e928add3da..de7e57cc94 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-647 | 2018-06-05 15:19:16 -0500 + + * Update `make doc`: don't copy broker docs (Corelight) + 2.5-646 | 2018-06-05 11:31:43 -0500 * Add NCP::max_frame_size tuning option (Corelight) diff --git a/VERSION b/VERSION index a0572ad9b1..e4a6c3fab3 100644 --- a/VERSION 
+++ b/VERSION @@ -1 +1 @@ -2.5-646 +2.5-647 diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt index 2563375dcc..0edf2429ab 100644 --- a/doc/CMakeLists.txt +++ b/doc/CMakeLists.txt @@ -4,8 +4,6 @@ set(BROXYGEN_SCRIPT_OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/broxygen_script_output) set(BROXYGEN_CACHE_DIR ${CMAKE_CURRENT_BINARY_DIR}/broxygen_cache) set(BROCCOLI_DOCS_SRC ${CMAKE_BINARY_DIR}/aux/broccoli/doc/html) set(BROCCOLI_DOCS_DST ${CMAKE_BINARY_DIR}/html/broccoli-api) -set(BROKER_DOCS_SRC ${CMAKE_BINARY_DIR}/aux/broker/doc/html) -set(BROKER_DOCS_DST ${CMAKE_BINARY_DIR}/html/broker-manual) # Find out what BROPATH to use when executing bro. execute_process(COMMAND ${CMAKE_BINARY_DIR}/bro-path-dev @@ -63,9 +61,6 @@ add_custom_target(sphinxdoc COMMAND "${CMAKE_COMMAND}" -E create_symlink ${SPHINX_OUTPUT_DIR}/html ${CMAKE_BINARY_DIR}/html - # Copy Broker manual into output dir. - COMMAND rm -rf ${BROKER_DOCS_DST} && - cp -r ${BROKER_DOCS_SRC} ${BROKER_DOCS_DST} WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} COMMENT "[Sphinx] Generate HTML documentation in ${CMAKE_BINARY_DIR}/html") From 0b4871daf4d60ee1d8e414be8152a4e7fb972b9b Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 5 Jun 2018 17:32:47 -0500 Subject: [PATCH 470/631] BIT-1936: improve Broxygen warnings --- CHANGES | 4 ++++ VERSION | 2 +- src/broxygen/Manager.cc | 35 ++++++++++++++++++++++++----------- 3 files changed, 29 insertions(+), 12 deletions(-) diff --git a/CHANGES b/CHANGES index de7e57cc94..c059e1ce7f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-648 | 2018-06-05 17:32:47 -0500 + + * BIT-1936: improve Broxygen warnings (Corelight) + 2.5-647 | 2018-06-05 15:19:16 -0500 * Update `make doc`: don't copy broker docs (Corelight) diff --git a/VERSION b/VERSION index e4a6c3fab3..e458614976 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-647 +2.5-648 diff --git a/src/broxygen/Manager.cc b/src/broxygen/Manager.cc index 9e33e6919b..4fd28d60f5 100644 --- a/src/broxygen/Manager.cc 
+++ b/src/broxygen/Manager.cc @@ -12,7 +12,13 @@ using namespace std; static void DbgAndWarn(const char* msg) { - reporter->InternalWarning("%s", msg); + if ( reporter->Errors() ) + // We've likely already reported to real source of the problem + // as an error, avoid adding an additional warning which may + // be confusing. + return; + + reporter->Warning("%s", msg); DBG_LOG(DBG_BROXYGEN, "%s", msg); } @@ -22,7 +28,8 @@ static void WarnMissingScript(const char* type, const ID* id, if ( script == "" ) return; - DbgAndWarn(fmt("Can't document %s %s, lookup of %s failed", + DbgAndWarn(fmt("Can't generate Broxygen doumentation for %s %s, " + "lookup of %s failed", type, id->Name(), script.c_str())); } @@ -122,7 +129,8 @@ void Manager::Script(const string& path) if ( scripts.GetInfo(name) ) { - DbgAndWarn(fmt("Duplicate script documentation: %s", name.c_str())); + DbgAndWarn(fmt("Duplicate Broxygen script documentation: %s", + name.c_str())); return; } @@ -138,7 +146,8 @@ void Manager::Script(const string& path) if ( packages.GetInfo(name) ) { - DbgAndWarn(fmt("Duplicate package documentation: %s", name.c_str())); + DbgAndWarn(fmt("Duplicate Broxygen package documentation: %s", + name.c_str())); return; } @@ -155,7 +164,8 @@ void Manager::ScriptDependency(const string& path, const string& dep) if ( dep.empty() ) { - DbgAndWarn(fmt("Empty script doc dependency: %s", path.c_str())); + DbgAndWarn(fmt("Empty Broxygen script doc dependency: %s", + path.c_str())); return; } @@ -165,8 +175,8 @@ void Manager::ScriptDependency(const string& path, const string& dep) if ( ! script_info ) { - DbgAndWarn(fmt("Failed to add script doc dependency %s for %s", - depname.c_str(), name.c_str())); + DbgAndWarn(fmt("Failed to add Broxygen script doc dependency %s " + "for %s", depname.c_str(), name.c_str())); return; } 
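Review bot: The early `return` in `DbgAndWarn` when `reporter->Errors()` is non-zero also skips the `DBG_LOG(DBG_BROXYGEN, "%s", msg);` line, so the message disappears from the debug stream exactly when someone is investigating a failing run. Move the `DBG_LOG` call above the check so that only the user-facing `reporter->Warning` is suppressed. The new comment also has a slip: "reported to real source" should read "reported the real source".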
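Review bot: The new message in `WarnMissingScript` spells "doumentation", and the same misspelling appears in the `@@ -231`, `@@ -323` and `@@ -348` hunks. Those three also write "broxygen" in lower case while the other new messages use "Broxygen". Operators search reporter output for these strings, so fix them in one pass, starting with `"Can't generate Broxygen documentation for %s %s, "`.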
@@ -189,7 +199,7 @@ void Manager::ModuleUsage(const string& path, const string& module) if ( ! script_info ) { - DbgAndWarn(fmt("Failed to add module usage %s in %s", + DbgAndWarn(fmt("Failed to add Broxygen module usage %s in %s", module.c_str(), name.c_str())); return; } @@ -231,7 +241,8 @@ void Manager::StartType(ID* id) if ( id->GetLocationInfo() == &no_location ) { - DbgAndWarn(fmt("Can't document %s, no location available", id->Name())); + DbgAndWarn(fmt("Can't generate broxygen doumentation for %s, " + "no location available", id->Name())); return; } @@ -323,7 +334,8 @@ void Manager::RecordField(const ID* id, const TypeDecl* field, if ( ! idd ) { - DbgAndWarn(fmt("Can't document record field %s, unknown record: %s", + DbgAndWarn(fmt("Can't generate broxygen doumentation for " + "record field %s, unknown record: %s", field->id, id->Name())); return; } @@ -348,7 +360,8 @@ void Manager::Redef(const ID* id, const string& path) if ( ! id_info ) { - DbgAndWarn(fmt("Can't document redef of %s, identifier lookup failed", + DbgAndWarn(fmt("Can't generate broxygen doumentation for " + "redef of %s, identifier lookup failed", id->Name())); return; } From 10fdb16f3ba678032778032bcbebb036676107e8 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 6 Jun 2018 14:02:22 -0500 Subject: [PATCH 471/631] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index fc7abc2c5e..64fc253007 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit fc7abc2c5e459b51d60b2036db428053b5fb27f5 +Subproject commit 64fc25300723d753217b5cf5e8bee2d4500409e1 From 9822fc252d5e92208704df4a388ea31989869499 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Wed, 6 Jun 2018 16:20:18 -0500 Subject: [PATCH 472/631] Improve Broker performance Now manually keeps track of peer count instead of querying Broker for that information (which would result in waiting upon a blocking request to the core actor). --- CHANGES | 4 ++++ VERSION | 2 +- src/broker/Manager.cc | 30 +++++++++++++++--------------- src/broker/Manager.h | 2 ++ 4 files changed, 22 insertions(+), 16 deletions(-) diff --git a/CHANGES b/CHANGES index c059e1ce7f..a39792e601 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-650 | 2018-06-06 16:20:18 -0500 + + * Improve Broker performance (Corelight) + 2.5-648 | 2018-06-05 17:32:47 -0500 * BIT-1936: improve Broxygen warnings (Corelight) diff --git a/VERSION b/VERSION index e458614976..1b47653967 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-648 +2.5-650 diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 8184a86111..3d666fa1d4 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -136,6 +136,7 @@ Manager::BrokerState::BrokerState(broker::broker_options options) Manager::Manager(bool reading_pcaps) { bound_port = 0; + peer_count = 0; next_timestamp = 1; SetIdle(false); @@ -205,7 +206,7 @@ bool Manager::Active() if ( bound_port > 0 ) return true; - return bstate->endpoint.peers().size(); + return peer_count > 0; } void Manager::AdvanceTime(double seconds_since_unix_epoch) @@ -301,7 +302,7 @@ bool Manager::PublishEvent(string topic, std::string name, broker::vector args) if ( bstate->endpoint.is_shutdown() ) return true; - if ( ! bstate->endpoint.peers().size() ) + if ( peer_count == 0 ) return true; DBG_LOG(DBG_BROKER, "Publishing event: %s", @@ -317,7 +318,7 @@ bool Manager::PublishEvent(string topic, RecordVal* args) if ( bstate->endpoint.is_shutdown() ) return true; - if ( ! bstate->endpoint.peers().size() ) + if ( peer_count == 0 ) return true; if ( ! args->Lookup(0) ) 
@@ -347,7 +348,7 @@ bool Manager::RelayEvent(std::string first_topic, if ( bstate->endpoint.is_shutdown() ) return true; - if ( ! bstate->endpoint.peers().size() ) + if ( peer_count == 0 ) return true; DBG_LOG(DBG_BROKER, "Publishing %s-relay event: %s", @@ -381,7 +382,7 @@ bool Manager::RelayEvent(std::string first_topic, if ( bstate->endpoint.is_shutdown() ) return true; - if ( ! bstate->endpoint.peers().size() ) + if ( peer_count == 0 ) return true; if ( ! args->Lookup(0) ) @@ -413,7 +414,7 @@ bool Manager::PublishIdentifier(std::string topic, std::string id) if ( bstate->endpoint.is_shutdown() ) return true; - if ( ! bstate->endpoint.peers().size() ) + if ( peer_count == 0 ) return true; ID* i = global_scope()->Lookup(id.c_str()); @@ -453,7 +454,7 @@ bool Manager::PublishLogCreate(EnumVal* stream, EnumVal* writer, if ( bstate->endpoint.is_shutdown() ) return true; - if ( ! bstate->endpoint.peers().size() ) + if ( peer_count == 0 ) return true; auto stream_id = stream->Type()->AsEnumType()->Lookup(stream->AsEnum()); @@ -507,7 +508,7 @@ bool Manager::PublishLogWrite(EnumVal* stream, EnumVal* writer, string path, int if ( bstate->endpoint.is_shutdown() ) return true; - if ( ! bstate->endpoint.peers().size() ) + if ( peer_count == 0 ) return true; auto stream_id_num = stream->AsEnum(); @@ -1185,16 +1186,19 @@ void Manager::ProcessStatus(broker::status stat) break; case broker::sc::peer_added: - assert(ctx); - log_mgr->SendAllWritersTo(*ctx); + ++peer_count; + assert(ctx); + log_mgr->SendAllWritersTo(*ctx); event = Broker::peer_added; break; case broker::sc::peer_removed: + --peer_count; event = Broker::peer_removed; break; case broker::sc::peer_lost: + --peer_count; event = Broker::peer_lost; break; } 
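Review bot: In the `@@ -1185` hunk `peer_count` is decremented for both `peer_removed` and `peer_lost` with no lower bound, and the Manager.h hunk declares it as a signed `int`, so it relies on Broker emitting exactly one of those per earlier `peer_added`. If a peer ever produces both, or a loss is reported for a peering that never reached `peer_added`, the counter drifts or goes negative. `Active()` tests `peer_count > 0` while the publish paths test `peer_count == 0`, so the two would then disagree and `GetStatistics` would report a wrong number. Guard the decrement with `if ( peer_count > 0 ) --peer_count;` and add a comment on the member saying it mirrors Broker status events. Whether a re-established peering emits `peer_added` again is not visible here and should be confirmed; the body of `ProcessStatus` continues outside the hunk.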
@@ -1490,11 +1494,7 @@ bool Manager::TrackStoreQuery(StoreHandleVal* handle, broker::request_id id, const Stats& Manager::GetStatistics() { - if ( bstate->endpoint.is_shutdown() ) - statistics.num_peers = 0; - else - statistics.num_peers = bstate->endpoint.peers().size(); - + statistics.num_peers = peer_count; statistics.num_stores = data_stores.size(); statistics.num_pending_queries = pending_queries.size(); diff --git a/src/broker/Manager.h b/src/broker/Manager.h index 976aa82a03..182203f829 100644 --- a/src/broker/Manager.h +++ b/src/broker/Manager.h @@ -414,6 +414,8 @@ private: Stats statistics; double next_timestamp; bool reading_pcaps; + int peer_count; + static int script_scope; static VectorType* vector_of_data_type; From f50effd364ab315855944b947a32b3b1f4ef7ee8 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 7 Jun 2018 09:51:46 -0500 Subject: [PATCH 473/631] Fix signed/unsigned comparison compiler warning The signed int in this case is essentially a constant anyway. --- CHANGES | 4 ++++ VERSION | 2 +- src/analyzer/protocol/ncp/NCP.cc | 2 +- src/analyzer/protocol/ncp/NCP.h | 4 ++-- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index a39792e601..188dd6439c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-651 | 2018-06-07 09:57:29 -0500 + + * Fix signed/unsigned comparison compiler warning (Corelight) + 2.5-650 | 2018-06-06 16:20:18 -0500 * Improve Broker performance (Corelight) diff --git a/VERSION b/VERSION index 1b47653967..d3b74ae5f3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-650 +2.5-651 diff --git a/src/analyzer/protocol/ncp/NCP.cc b/src/analyzer/protocol/ncp/NCP.cc index f01c409429..e8672e7ebe 100644 --- a/src/analyzer/protocol/ncp/NCP.cc +++ b/src/analyzer/protocol/ncp/NCP.cc @@ -80,7 +80,7 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame) } } -FrameBuffer::FrameBuffer(int header_length) +FrameBuffer::FrameBuffer(size_t header_length) { hdr_len = header_length; msg_buf = 0; 
diff --git a/src/analyzer/protocol/ncp/NCP.h b/src/analyzer/protocol/ncp/NCP.h index bdf5d8bffe..ff64db9077 100644 --- a/src/analyzer/protocol/ncp/NCP.h +++ b/src/analyzer/protocol/ncp/NCP.h @@ -51,7 +51,7 @@ protected: class FrameBuffer { public: - explicit FrameBuffer(int header_length); + explicit FrameBuffer(size_t header_length); virtual ~FrameBuffer(); // Returns -1 if frame is not ready, 0 if it else, and 1 if @@ -67,7 +67,7 @@ public: protected: virtual void compute_msg_length() = 0; - int hdr_len; + size_t hdr_len; u_char* msg_buf; uint64 msg_len; size_t buf_n; // number of bytes in msg_buf From da593e7aaa8f5b9f59df0be501dc54d7e2fd6b33 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 7 Jun 2018 13:56:02 -0500 Subject: [PATCH 474/631] GH-131: disable krb ticket decryption on non-Linux A test case fails on macOS and FreeBSD fails to build. --- CHANGES | 4 ++++ CMakeLists.txt | 10 ++++++---- VERSION | 2 +- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 188dd6439c..cb297c3b31 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-652 | 2018-06-07 13:57:23 -0500 + + * GH-131: disable krb ticket decryption on non-Linux (Corelight) + 2.5-651 | 2018-06-07 09:57:29 -0500 * Fix signed/unsigned comparison compiler warning (Corelight) diff --git a/CMakeLists.txt b/CMakeLists.txt index 34fb514cc6..d0ea236330 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -144,10 +144,12 @@ if (LIBGEOIP_FOUND) endif () set(USE_KRB5 false) -find_package(LibKrb5) -if (LibKrb5_FOUND) - set(USE_KRB5 true) - list(APPEND OPTLIBS ${LibKrb5_LIBRARY}) +if ( ${CMAKE_SYSTEM_NAME} MATCHES Linux ) + find_package(LibKrb5) + if (LibKrb5_FOUND) + set(USE_KRB5 true) + list(APPEND OPTLIBS ${LibKrb5_LIBRARY}) + endif () endif () set(HAVE_PERFTOOLS false) diff --git a/VERSION b/VERSION index d3b74ae5f3..8620f5a053 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-651 +2.5-652 From c2c35ed17897a5e09b37a4b90169f3ac1409a0ca Mon Sep 17 00:00:00 2001 
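Review bot: On non-Linux systems `USE_KRB5` now stays false without any message, so a build on macOS or FreeBSD silently lacks Kerberos ticket decryption even when libkrb5 is installed. Add an `else()` branch with `message(STATUS "Kerberos ticket decryption disabled: only enabled on Linux")` so the gap shows up in the configure output. The condition `${CMAKE_SYSTEM_NAME} MATCHES Linux` is an unanchored regex on an expanded variable; `if (CMAKE_SYSTEM_NAME STREQUAL "Linux")` states what is meant.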
From: Jon Siwek Date: Thu, 7 Jun 2018 16:56:14 -0500 Subject: [PATCH 475/631] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index 81cf863bb2..9b56fea499 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 81cf863bb26c39b88f6cf6d1d8439458a1586bee +Subproject commit 9b56fea4999d4e11a5cd2caaafd934759015fab5 From 8bbe84a1b6b0eb33e15031cdcce3cac977edbaa0 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 8 Jun 2018 10:00:42 -0500 Subject: [PATCH 476/631] Updating submodule(s). [nomail] --- aux/broctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broctl b/aux/broctl index 64fc253007..99ef926d09 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 64fc25300723d753217b5cf5e8bee2d4500409e1 +Subproject commit 99ef926d09a144a9919dec01f6231692e170120e From b51e6f39ddc641811d4875cda4543d3a60fb5a63 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 8 Jun 2018 10:43:03 -0500 Subject: [PATCH 477/631] Correct conn history field documentation --- CHANGES | 4 ++++ VERSION | 2 +- scripts/base/protocols/conn/main.bro | 9 ++++++--- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index cb297c3b31..80083ef0c4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-655 | 2018-06-08 10:43:03 -0500 + + * Correct conn history field documentation (Corelight) + 2.5-652 | 2018-06-07 13:57:23 -0500 * GH-131: disable krb ticket decryption on non-Linux (Corelight) diff --git a/VERSION b/VERSION index 8620f5a053..968ce81a87 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-652 +2.5-655 diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro index c806a017e0..0e9661dea3 100644 --- a/scripts/base/protocols/conn/main.bro +++ b/scripts/base/protocols/conn/main.bro 
@@ -95,9 +95,12 @@ export { ## ## If the event comes from the originator, the letter is in ## upper-case; if it comes from the responder, it's in - ## lower-case. Multiple packets of the same type will only be - ## noted once (e.g. we only record one "d" in each direction, - ## regardless of how many data packets were seen.) + ## lower-case. The 'a', 'c', 'd', 'i', 'q', and 't' flags are + ## recorded a maximum of one time in either direction regardless + ## of how many are actually seen. However, 'f', 'h', 'r', or + ## 's' may be recorded multiple times for either direction and + ## only compressed when sharing a sequence number with the + ## last-seen packet of the same flag type. history: string &log &optional; ## Number of packets that the originator sent. ## Only set if :bro:id:`use_conn_size_analyzer` = T. From 6752ffcc8efe2a3dc97586f31f27e39fa0c4d0bd Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 11 Jun 2018 10:39:56 -0500 Subject: [PATCH 478/631] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index 9b56fea499..bf8943df55 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 9b56fea4999d4e11a5cd2caaafd934759015fab5 +Subproject commit bf8943df551efccaaa2b19e838429239260748e8 From c9fe9a943c4d78b18ffbae13c562b93349a5f951 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 12 Jun 2018 13:49:39 -0500 Subject: [PATCH 479/631] Add Broker::max_live_threads and Broker::max_pcap_threads tunables These may be used to change the number of scheduler threads that the underlying CAF library creates. In pcap mode, it's currently hardcoded to the minimal 4 threads due to potentially significant overhead in CAF. --- CHANGES | 5 +++ VERSION | 2 +- scripts/base/frameworks/broker/main.bro | 16 ++++++++++ src/broker/Manager.cc | 42 ++++++++++++++++--------- src/broker/Manager.h | 7 ++++- 5 files changed, 55 insertions(+), 17 deletions(-) 
diff --git a/CHANGES b/CHANGES index 28bd93ba6b..10d00d919f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,9 @@ +2.5-660 | 2018-06-12 13:49:39 -0500 + + * Add Broker::max_live_threads and Broker::max_pcap_threads tunables + (Corelight) + 2.5-658 | 2018-06-08 16:41:07 +0000 * Allow BRO_DEFAULT_LISTEN_ADDRESS to control broker listen address. diff --git a/VERSION b/VERSION index 0b13a1e84e..946f73bee2 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-658 +2.5-660 diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.bro index 5368d5422b..cfd4f06280 100644 --- a/scripts/base/frameworks/broker/main.bro +++ b/scripts/base/frameworks/broker/main.bro @@ -51,6 +51,22 @@ export { ## all peers. const ssl_keyfile = "" &redef; + ## Max number of threads to use for Broker/CAF functionality when + ## operating on a live interface. Using zero will cause this to + ## be automatically determined based on number of available CPUs. + const max_live_threads = 0 &redef; + + ## Max number of threads to use for Broker/CAF functionality when + ## operating on a pcap file. Using zero will cause this to be + ## automaticallu determined based on number of available CPUs. + # TODO: on systems where number of CPUs starts exceeding ~10, + # simply creating a caf::actor_system and not using it incurs + # significant performance overhead. Can CAF be updated to + # be more efficient in the case where the application isn't + # actually making much use of most of those threads instead + # of hardcoding this to the minimal 4 threads? + const max_pcap_threads = 4 &redef; + ## Forward all received messages to subscribing peers. const forward_messages = F &redef; diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 3d666fa1d4..f18d245bb0 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc 
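Review bot: The `##` comment for `max_pcap_threads` misspells "automaticallu". The TODO calls 4 "the minimal" thread count, yet neither option says what a redef to 1–3 or to a very large value does. State the accepted range in both `##` comments, for example `## Values below 4 are not recommended; 0 selects the count automatically.`, adjusted to whatever CAF actually tolerates.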
@@ -113,21 +113,18 @@ static inline Val* get_option(const char* option) return id->ID_Val(); } -class configuration : public broker::configuration { -public: - configuration(broker::broker_options options) - : broker::configuration(options) - { - openssl_cafile = get_option("Broker::ssl_cafile")->AsString()->CheckString(); - openssl_capath = get_option("Broker::ssl_capath")->AsString()->CheckString(); - openssl_certificate = get_option("Broker::ssl_certificate")->AsString()->CheckString(); - openssl_key = get_option("Broker::ssl_keyfile")->AsString()->CheckString(); - openssl_passphrase = get_option("Broker::ssl_passphrase")->AsString()->CheckString(); - } -}; +Manager::BrokerConfig::BrokerConfig(broker::broker_options options) + : broker::configuration(options) + { + openssl_cafile = get_option("Broker::ssl_cafile")->AsString()->CheckString(); + openssl_capath = get_option("Broker::ssl_capath")->AsString()->CheckString(); + openssl_certificate = get_option("Broker::ssl_certificate")->AsString()->CheckString(); + openssl_key = get_option("Broker::ssl_keyfile")->AsString()->CheckString(); + openssl_passphrase = get_option("Broker::ssl_passphrase")->AsString()->CheckString(); + } -Manager::BrokerState::BrokerState(broker::broker_options options) - : endpoint(configuration(options)), +Manager::BrokerState::BrokerState(BrokerConfig config) + : endpoint(std::move(config)), subscriber(endpoint.make_subscriber({}, SUBSCRIBER_MAX_QSIZE)), status_subscriber(endpoint.make_status_subscriber(true)) { 
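Review bot: The new `Manager::BrokerConfig` constructor has no comment saying that it reads the TLS inputs once and forwards them unvalidated. It is the single place where `Broker::ssl_cafile`, `ssl_capath`, `ssl_certificate`, `ssl_keyfile` and `ssl_passphrase` are copied into the Broker configuration. I would add above it `// Snapshots the Broker::ssl_* script options; values (including the empty defaults) are forwarded as-is.` What Broker does when these strings are empty is not visible in this hunk, so that behaviour should be confirmed and stated in the comment as well.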
@@ -173,7 +170,22 @@ void Manager::InitPostScript() options.forward = get_option("Broker::forward_messages")->AsBool(); options.use_real_time = ! reading_pcaps; - bstate = std::make_shared(options); + BrokerConfig config{std::move(options)}; + auto max_live_threads = get_option("Broker::max_live_threads")->AsCount(); + auto max_pcap_threads = get_option("Broker::max_pcap_threads")->AsCount(); + + if ( reading_pcaps ) + { + if ( max_pcap_threads ) + config.scheduler_max_threads = max_pcap_threads; + } + else + { + if ( max_live_threads ) + config.scheduler_max_threads = max_live_threads; + } + + bstate = std::make_shared(std::move(config)); } void Manager::Terminate() diff --git a/src/broker/Manager.h b/src/broker/Manager.h index 182203f829..8c5ab09dc6 100644 --- a/src/broker/Manager.h +++ b/src/broker/Manager.h @@ -339,9 +339,14 @@ public: private: + class BrokerConfig : public broker::configuration { + public: + BrokerConfig(broker::broker_options options); + }; + class BrokerState { public: - BrokerState(broker::broker_options options); + BrokerState(BrokerConfig config); broker::endpoint endpoint; broker::subscriber subscriber; broker::status_subscriber status_subscriber; From 8a00a2dbf8414fb381f33859beab321cd4465eda Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 13 Jun 2018 14:48:28 -0500 Subject: [PATCH 480/631] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index bf8943df55..ee8c3c19f8 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit bf8943df551efccaaa2b19e838429239260748e8 +Subproject commit ee8c3c19f8e9501623b552df30c8d78c2c66c98d From 197ea03f8f917664d41b63438a38790b4606baf7 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 14 Jun 2018 12:41:21 -0500 Subject: [PATCH 481/631] Minor optimization to bro_broker::Manager::FlushPendingQueries --- src/broker/Manager.cc | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) 
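Review bot: `config.scheduler_max_threads` is assigned directly from the script-level counts `Broker::max_pcap_threads` and `Broker::max_live_threads` with no upper bound. A mistaken redef, or one pulled in from a loaded third-party script, can therefore request an arbitrary number of CAF scheduler threads and exhaust the host. I would clamp the value to a documented ceiling before assigning it and emit a reporter warning when clamping happens. The same unchecked assignment appears again in the later hunk of PATCH 482 for `Broker::max_threads` and `Broker::max_sleep`. InitPostScript() starts outside this hunk, so any earlier validation is not visible.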
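Review bot: Both new single-argument constructors in Manager.h are implicit, so a `broker::broker_options` converts silently to a `BrokerConfig`, and a `BrokerConfig` to a `BrokerState`. Since constructing a `BrokerConfig` reads the TLS script options, an accidental conversion would be easy to miss. Declaring them `explicit BrokerConfig(broker::broker_options options);` and `explicit BrokerState(BrokerConfig config);` keeps the two call sites in this commit working, as they use direct initialization.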
diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index f18d245bb0..3a980d22c2 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -241,8 +241,17 @@ void Manager::FlushPendingQueries() { // possibly an infinite loop if a query can recursively // generate more queries... - Process(); + for ( auto& s : data_stores ) + { + while ( ! s.second->proxy.mailbox().empty() ) + { + auto response = s.second->proxy.receive(); + ProcessStoreResponse(s.second, move(response)); + } + } } + + SetIdle(false); } uint16_t Manager::Listen(const string& addr, uint16_t port) From e578c1c23162889c3dd4963854a465e92ef4e1d5 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 14 Jun 2018 12:51:28 -0500 Subject: [PATCH 482/631] Add Broker::max_threads and Broker::max_sleep tuning options The former replaces the pcap vs. live versions of the same tuning option. If a user does not change these, Bro makes some internal decisions that may help avoid performance problems on systems with high core counts: the number of CAF threads is capped at 8 and the maximum sleep duration for under-utilized threads is increased to 64ms (CAF's default is 10ms). --- CHANGES | 7 +++++ VERSION | 2 +- scripts/base/frameworks/broker/main.bro | 22 +++++--------- src/broker/Manager.cc | 39 +++++++++++++++++++------ 4 files changed, 46 insertions(+), 24 deletions(-) diff --git a/CHANGES b/CHANGES index 10d00d919f..e6692ef2f5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,11 @@ +2.5-663 | 2018-06-14 12:51:28 -0500 + + * Add Broker::max_threads and Broker::max_sleep tuning options, + remove Broker::max_live_threads and Broker::max_pcap threads (Corelight) + + * Minor optimization to bro_broker::Manager::FlushPendingQueries (Corelight) + 2.5-660 | 2018-06-12 13:49:39 -0500 * Add Broker::max_live_threads and Broker::max_pcap_threads tunables diff --git a/VERSION b/VERSION index 946f73bee2..a38fa6e474 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-660 +2.5-663 
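Review bot: `ProcessStoreResponse(s.second, move(response));` calls `move` unqualified, while the other Manager.cc hunks in this series write `std::move`. The unqualified form depends on a using-directive or ADL that is not visible here, so I would spell it `std::move(response)`. The added `SetIdle(false);` after the loop also has no comment saying why the manager must be marked non-idle at that point; a one-line why-comment would help the next reader. FlushPendingQueries() starts outside the hunk.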
diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.bro index cfd4f06280..23a701c3ef 100644 --- a/scripts/base/frameworks/broker/main.bro +++ b/scripts/base/frameworks/broker/main.bro @@ -51,21 +51,15 @@ export { ## all peers. const ssl_keyfile = "" &redef; - ## Max number of threads to use for Broker/CAF functionality when - ## operating on a live interface. Using zero will cause this to - ## be automatically determined based on number of available CPUs. - const max_live_threads = 0 &redef; + ## Max number of threads to use for Broker/CAF functionality. + ## Using zero will cause this to be automatically determined + ## based on number of available CPUs. + const max_threads = 0 &redef; - ## Max number of threads to use for Broker/CAF functionality when - ## operating on a pcap file. Using zero will cause this to be - ## automaticallu determined based on number of available CPUs. - # TODO: on systems where number of CPUs starts exceeding ~10, - # simply creating a caf::actor_system and not using it incurs - # significant performance overhead. Can CAF be updated to - # be more efficient in the case where the application isn't - # actually making much use of most of those threads instead - # of hardcoding this to the minimal 4 threads? - const max_pcap_threads = 4 &redef; + ## Max number of microseconds for under-utilized Broker/CAF + ## threads to sleep. Using zero will cause this to be automatically + ## determined or just use CAF's default setting. + const max_sleep = 0 &redef; ## Forward all received messages to subscribing peers. const forward_messages = F &redef; diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 3a980d22c2..e78db804a8 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc 
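Review bot: The new doc comments for `Broker::max_threads` and `Broker::max_sleep` do not match what the Manager.cc hunk of the same commit does when the value is zero. For `max_threads` the code picks 2 threads when reading pcaps and otherwise clamps the CPU count to the range 4 to 8, which is not simply "based on number of available CPUs". For `max_sleep` the code always sets 64000 microseconds rather than leaving CAF's default in place. I would replace the last sentence of each comment with `## Zero selects 2 threads when reading pcaps, else the CPU count clamped to 4..8.` and `## Zero selects 64000 (64ms).`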
@@ -171,20 +171,41 @@ void Manager::InitPostScript() options.use_real_time = ! reading_pcaps; BrokerConfig config{std::move(options)}; - auto max_live_threads = get_option("Broker::max_live_threads")->AsCount(); - auto max_pcap_threads = get_option("Broker::max_pcap_threads")->AsCount(); + auto max_threads = get_option("Broker::max_threads")->AsCount(); + auto max_sleep = get_option("Broker::max_sleep")->AsCount(); - if ( reading_pcaps ) - { - if ( max_pcap_threads ) - config.scheduler_max_threads = max_pcap_threads; - } + if ( max_threads ) + config.scheduler_max_threads = max_threads; else { - if ( max_live_threads ) - config.scheduler_max_threads = max_live_threads; + // On high-core-count systems, spawning one thread per core + // can lead to significant performance problems even if most + // threads are under-utilized. Related: + // https://github.com/actor-framework/actor-framework/issues/699 + if ( reading_pcaps ) + config.scheduler_max_threads = 2u; + else + { + auto hc = std::thread::hardware_concurrency(); + + if ( hc > 8u ) + hc = 8u; + else if ( hc < 4u) + hc = 4u; + + config.scheduler_max_threads = hc; + } } + if ( max_sleep ) + config.work_stealing_relaxed_sleep_duration_us = max_sleep; + else + // 64ms is just an arbitrary amount derived from testing + // the overhead of a unused CAF actor system on a 32-core system. + // Performance was within 2% of baseline timings (w/o CAF) + // when using this sleep duration. + config.work_stealing_relaxed_sleep_duration_us = 64000; + bstate = std::make_shared(std::move(config)); } From 32bd0bfb6e50d2e741827429e62216d2f9ee4aa6 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 14 Jun 2018 16:32:01 -0500 Subject: [PATCH 483/631] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index ee8c3c19f8..d6b28211b8 160000 --- a/aux/broker +++ b/aux/broker 
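Review bot: `std::thread::hardware_concurrency()` is introduced in the live-capture branch, but this commit's only Manager.cc hunk adds no `#include <thread>`. The file's include block is outside the hunk, so it should be confirmed that the header is included directly rather than arriving transitively through the Broker/CAF headers. The literals `2u`, `4u`, `8u` and `64000` would also read better as named constants next to the comment that justifies them.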
@@ -1 +1 @@ -Subproject commit ee8c3c19f8e9501623b552df30c8d78c2c66c98d +Subproject commit d6b28211b8cfb7d2f5ee089d13cb32413d02a5ba From 5ac2cdecd42db419de677b6cfe4334efe96b483a Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 14 Jun 2018 17:34:38 -0500 Subject: [PATCH 484/631] Updating submodule(s). [nomail] --- aux/broker | 2 +- src/3rdparty | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/broker b/aux/broker index d6b28211b8..9daf9184b9 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit d6b28211b8cfb7d2f5ee089d13cb32413d02a5ba +Subproject commit 9daf9184b999e67dcd5ed26d7862e73c42d26408 diff --git a/src/3rdparty b/src/3rdparty index 6511cd6e45..7c82dcc67f 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 6511cd6e45811af0904947a36e565dcb9eee61dd +Subproject commit 7c82dcc67fb0c53d6e18074dc828875eae1995fa From bf246e59d0fc91d36aafe9f23b9b47470228894f Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 15 Jun 2018 14:57:16 -0500 Subject: [PATCH 485/631] Updating submodule(s). [nomail] --- aux/broker | 2 +- src/3rdparty | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/broker b/aux/broker index 9daf9184b9..5ea77922d5 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 9daf9184b999e67dcd5ed26d7862e73c42d26408 +Subproject commit 5ea77922d500d2a485dabafa9fbe81176e35060e diff --git a/src/3rdparty b/src/3rdparty index 7c82dcc67f..bae2418c89 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 7c82dcc67fb0c53d6e18074dc828875eae1995fa +Subproject commit bae2418c89531313aee4dd8809241457b22479e5 From 3c6afc8409524d5321c1ffb556104c117eb040f6 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 15 Jun 2018 15:30:11 -0500 Subject: [PATCH 486/631] Add --disable-broker-tests configure option --- CHANGES | 4 ++++ VERSION | 2 +- aux/broker | 2 +- configure | 4 ++++ 4 files changed, 10 insertions(+), 2 deletions(-) 
diff --git a/CHANGES b/CHANGES index e6692ef2f5..8e3547000a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-667 | 2018-06-15 15:30:11 -0500 + + * Add --disable-broker-tests configure option (Corelight) + 2.5-663 | 2018-06-14 12:51:28 -0500 * Add Broker::max_threads and Broker::max_sleep tuning options, diff --git a/VERSION b/VERSION index a38fa6e474..fe9e42523c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-663 +2.5-667 diff --git a/aux/broker b/aux/broker index 5ea77922d5..a11f8c6e20 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 5ea77922d500d2a485dabafa9fbe81176e35060e +Subproject commit a11f8c6e20264abe6147bc2b1be7ca3e7dabad05 diff --git a/configure b/configure index ed4cbf3d6e..fdbca263c6 100755 --- a/configure +++ b/configure @@ -55,6 +55,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --disable-auxtools don't build or install auxiliary tools --disable-perftools don't try to build with Google Perftools --disable-python don't try to build python bindings for broker + --disable-broker-tests don'e try to build Broker unit tests Required Packages in Non-Standard Locations: --with-openssl=PATH path to OpenSSL install root @@ -227,6 +228,9 @@ while [ $# -ne 0 ]; do --disable-python) append_cache_entry DISABLE_PYTHON_BINDINGS BOOL true ;; + --disable-broker-tests) + append_cache_entry BROKER_DISABLE_TESTS BOOL true + ;; --with-openssl=*) append_cache_entry OPENSSL_ROOT_DIR PATH $optarg ;; From c11039cb73e5228f79a6430e2ab5c29cb27c1eec Mon Sep 17 00:00:00 2001 
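Review bot: The usage text added for the new option reads `don'e try to build Broker unit tests`, a typo in output that users see from `./configure --help`. It should be `don't try to build Broker unit tests`, matching the wording of the `--disable-python` line just above it.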
From: Jon Siwek Date: Fri, 15 Jun 2018 17:14:33 -0500 Subject: [PATCH 487/631] Make old comm. system usages an error unless old_comm_usage_is_ok is set --- CHANGES | 5 ++ VERSION | 2 +- doc/frameworks/broker.rst | 7 ++ scripts/base/init-bare.bro | 7 ++ src/Net.h | 2 + src/main.cc | 82 +++++++++++++++++++ src/scan.l | 1 + .../btest/Baseline/core.old_comm_usage/out | 2 + testing/btest/core/old_comm_usage.bro | 7 ++ 9 files changed, 114 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/core.old_comm_usage/out create mode 100644 testing/btest/core/old_comm_usage.bro diff --git a/CHANGES b/CHANGES index 8e3547000a..e1dbc6bfcf 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,9 @@ +2.5-668 | 2018-06-15 17:14:33 -0500 + + * Make old comm. system usages an error unless old_comm_usage_is_ok is set + (Corelight) + 2.5-667 | 2018-06-15 15:30:11 -0500 * Add --disable-broker-tests configure option (Corelight) diff --git a/VERSION b/VERSION index fe9e42523c..483a2c482b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-667 +2.5-668 diff --git a/doc/frameworks/broker.rst b/doc/frameworks/broker.rst index 807ce9a07a..6943a0a698 100644 --- a/doc/frameworks/broker.rst +++ b/doc/frameworks/broker.rst @@ -50,6 +50,13 @@ General Porting Tips - The ``&synchronized`` and ``&persistent`` attributes are deprecated, consider using `Data Stores`_ instead. +- Usages of the old communications system features are all deprecated, + however, they also do not work in the default Bro configuration unless + you manually take action to set up the old communication system. + To aid in porting, such usages will default to raising a fatal error + unless you explicitly acknowledge that such usages of the old system + are ok. Set the :bro:see:`old_comm_usage_is_ok`` flag in this case. + - Instead of using e.g. ``Cluster::manager2worker_events`` (and all permutations for every node type), what you'd now use is either :bro:see:`Broker::publish` or :bro:see:`Broker::auto_publish` with 
diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index cd9302ce25..c502607cbd 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -4834,3 +4834,10 @@ const global_hash_seed: string = "" &redef; ## files. The larger the value, the more confidence in UID uniqueness. ## The maximum is currently 128 bits. const bits_per_uid: count = 96 &redef; + +## Whether usage of the old communication system is considered an error or +## not. The default Bro configuration no longer works with the non-Broker +## communication system unless you have manually taken action to initialize +## and set up the old comm. system. Deprecation warnings are still emitted +## when setting this flag, but they will not result in a fatal error. +const old_comm_usage_is_ok: bool = F &redef; diff --git a/src/Net.h b/src/Net.h index caea61c436..bdc84ec74f 100644 --- a/src/Net.h +++ b/src/Net.h @@ -83,6 +83,8 @@ extern iosource::PktDumper* pkt_dumper; // where to save packets extern char* writefile; +extern int old_comm_usage_count; + // Script file we have already scanned (or are in the process of scanning). // They are identified by inode number. struct ScannedFile { diff --git a/src/main.cc b/src/main.cc index 2a61c753b8..2e9a89ddd1 100644 --- a/src/main.cc +++ b/src/main.cc @@ -44,6 +44,7 @@ extern "C" { #include "EventRegistry.h" #include "Stats.h" #include "Brofiler.h" +#include "Traverse.h" #include "threading/Manager.h" #include "input/Manager.h" @@ -114,6 +115,7 @@ char* command_line_policy = 0; vector params; set requested_plugins; char* proc_status_file = 0; +int old_comm_usage_count = 0; OpaqueType* md5_type = 0; OpaqueType* sha1_type = 0; 
@@ -424,6 +426,70 @@ static void bro_new_handler() out_of_memory("new"); } +static auto old_comm_ids = std::set{ + "connect", + "disconnect", + "request_remote_events", + "request_remote_sync", + "request_remote_logs", + "set_accept_state", + "set_compression_level", + "listen", + "send_id", + "terminate_communication", + "complete_handshake", + "send_ping", + "send_current_packet", + "get_event_peer", + "send_capture_filter", + "suspend_state_updates", + "resume_state_updates", +}; + +static bool is_old_comm_usage(const ID* id) + { + auto name = id->Name(); + + if ( old_comm_ids.find(name) == old_comm_ids.end() ) + return false; + + return true; + } + +class OldCommUsageTraversalCallback : public TraversalCallback { +public: + virtual TraversalCode PreExpr(const Expr* expr) override + { + switch ( expr->Tag() ) { + case EXPR_CALL: + { + const CallExpr* call = static_cast(expr); + auto func = call->Func(); + + if ( func->Tag() == EXPR_NAME ) + { + const NameExpr* ne = static_cast(func); + auto id = ne->Id(); + + if ( is_old_comm_usage(id) ) + ++old_comm_usage_count; + } + } + break; + default: + break; + } + + return TC_CONTINUE; + } +}; + +static void find_old_comm_usages() + { + OldCommUsageTraversalCallback cb; + traverse_all(&cb); + } + int main(int argc, char** argv) { std::set_new_handler(bro_new_handler); @@ -854,6 +920,22 @@ int main(int argc, char** argv) yyparse(); is_parsing = false; + find_old_comm_usages(); + + if ( old_comm_usage_count ) + { + auto old_comm_ack_id = global_scope()->Lookup("old_comm_usage_is_ok"); + + if ( ! old_comm_ack_id->ID_Val()->AsBool() ) + reporter->FatalError("Detected old, deprecated communication " + "system usages that will not work unless " + "you explicitly take action to initizialize " + "and set up the old comm. system. " + "Set the 'old_comm_usage_is_ok' flag " + "to bypass this error if you've taken such " + "actions."); + } + RecordVal::ResizeParseTimeRecords(); init_general_global_var(); 
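Review bot: `old_comm_ids` is declared `static auto` without `const`, so the lookup table stays mutable for the whole process even though nothing in the hunk modifies it. `static const auto old_comm_ids = …` states the intent, and `is_old_comm_usage` can then be reduced to `return old_comm_ids.find(id->Name()) != old_comm_ids.end();`. The traversal counts only calls whose callee is a plain `EXPR_NAME`, so a one-line comment on `PreExpr` should say that other call forms are not detected. `virtual` is redundant next to `override` on that method.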
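Review bot: The result of `global_scope()->Lookup("old_comm_usage_is_ok")` is dereferenced without a null check in the block added after `find_old_comm_usages()`. If the identifier is ever missing, for example because init-bare.bro was altered, the process would crash instead of reporting the intended fatal error. I would write `if ( ! old_comm_ack_id || ! old_comm_ack_id->ID_Val()->AsBool() )` so that a missing flag is treated as not acknowledged. The message also misspells "initialize" as `initizialize`, and the committed baseline `core.old_comm_usage/out` carries the same typo, so both need updating together. main() starts and ends outside the hunk.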
diff --git a/src/scan.l b/src/scan.l index 27490c13ad..ed307a79da 100644 --- a/src/scan.l +++ b/src/scan.l @@ -310,6 +310,7 @@ when return TOK_WHEN; } &synchronized { + ++old_comm_usage_count; deprecated_attr(yytext); return TOK_ATTR_SYNCHRONIZED; } diff --git a/testing/btest/Baseline/core.old_comm_usage/out b/testing/btest/Baseline/core.old_comm_usage/out new file mode 100644 index 0000000000..28585d78ba --- /dev/null +++ b/testing/btest/Baseline/core.old_comm_usage/out @@ -0,0 +1,2 @@ +warning in /Users/jon/projects/bro/bro/testing/btest/.tmp/core.old_comm_usage/old_comm_usage.bro, line 6: deprecated (terminate_communication) +fatal error: Detected old, deprecated communication system usages that will not work unless you explicitly take action to initizialize and set up the old comm. system. Set the 'old_comm_usage_is_ok' flag to bypass this error if you've taken such actions. diff --git a/testing/btest/core/old_comm_usage.bro b/testing/btest/core/old_comm_usage.bro new file mode 100644 index 0000000000..0e9ae2f1f6 --- /dev/null +++ b/testing/btest/core/old_comm_usage.bro @@ -0,0 +1,7 @@ +# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out + +event bro_init() + { + terminate_communication(); + } From 344382ee7beda7c610af297a1a5aa58e8af4f9a9 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Tue, 19 Jun 2018 11:50:38 -0700 Subject: [PATCH 488/631] documentation clarification for "p1 | p2" --- doc/script-reference/types.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/script-reference/types.rst b/doc/script-reference/types.rst index fe77ece90c..b446e972dd 100644 --- a/doc/script-reference/types.rst +++ b/doc/script-reference/types.rst 
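Review bot: The new test `core/old_comm_usage.bro` exercises only the fatal-error path for a deprecated function call. Two behaviours added by this commit are left untested: the bypass via `redef old_comm_usage_is_ok = T;`, and the counter increment that scan.l adds for `&synchronized`. I would add a second test with `redef old_comm_usage_is_ok = T;` that expects a zero exit status, and a third that declares a `&synchronized` global and expects the fatal error.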
@@ -237,12 +237,13 @@ Here is a more detailed description of each type: is false since "oob" does not appear at the start of "foobar". The ``!in`` operator would yield the negation of ``in``. - Finally, you can create a disjunction (either-or) of two patterns + Finally, you can create a disjunction (either-or) of two literal patterns using the ``|`` operator. For example:: /foo/ | /bar/ in "foobar" - yields true, like in the similar example above. + yields true, like in the similar example above. (This does not presently + work for variables whose values are patterns, however.) .. bro:type:: port From 7b3bad635ba46a5583acae6f5b8ef440cc14694a Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Tue, 19 Jun 2018 16:26:51 -0500 Subject: [PATCH 489/631] Disable broxygen when running unit tests Disable broxygen when running unit tests (except for the tests that use broxygen). On my dual-core MacBook Pro, this change results in the unit tests taking about 13% less time to finish running. --- testing/btest/btest.cfg | 1 + testing/btest/doc/broxygen/all_scripts.test | 2 +- testing/btest/doc/broxygen/command_line.bro | 2 +- testing/btest/doc/broxygen/comment_retrieval_bifs.bro | 2 +- testing/btest/doc/broxygen/enums.bro | 2 +- testing/btest/doc/broxygen/example.bro | 2 +- testing/btest/doc/broxygen/func-params.bro | 2 +- testing/btest/doc/broxygen/identifier.bro | 2 +- testing/btest/doc/broxygen/package.bro | 2 +- testing/btest/doc/broxygen/package_index.bro | 2 +- testing/btest/doc/broxygen/records.bro | 2 +- testing/btest/doc/broxygen/script_index.bro | 2 +- testing/btest/doc/broxygen/script_summary.bro | 2 +- testing/btest/doc/broxygen/type-aliases.bro | 2 +- testing/btest/doc/broxygen/vectors.bro | 2 +- 15 files changed, 15 insertions(+), 14 deletions(-) diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg index 81ee5bd5e5..6671d70b64 100644 --- a/testing/btest/btest.cfg +++ b/testing/btest/btest.cfg 
@@ -26,3 +26,4 @@ BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage/XXXXXX BTEST_RST_FILTER=$SCRIPTS/rst-filter BRO_DNS_FAKE=1 BRO_DEFAULT_LISTEN_ADDRESS=127.0.0.1 +BRO_DISABLE_BROXYGEN=1 diff --git a/testing/btest/doc/broxygen/all_scripts.test b/testing/btest/doc/broxygen/all_scripts.test index c0cb07b750..dc009044da 100644 --- a/testing/btest/doc/broxygen/all_scripts.test +++ b/testing/btest/doc/broxygen/all_scripts.test @@ -5,7 +5,7 @@ # listen.bro in order to document it. # @TEST-SERIALIZE: comm -# @TEST-EXEC: bro -X broxygen.config broxygen DumpEvents::include=/NOTHING_MATCHES/ +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -X broxygen.config broxygen DumpEvents::include=/NOTHING_MATCHES/ # @TEST-EXEC: btest-diff .stdout # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr diff --git a/testing/btest/doc/broxygen/command_line.bro b/testing/btest/doc/broxygen/command_line.bro index 95558f7461..d009667b7e 100644 --- a/testing/btest/doc/broxygen/command_line.bro +++ b/testing/btest/doc/broxygen/command_line.bro @@ -1,7 +1,7 @@ # Shouldn't emit any warnings about not being able to document something # that's supplied via command line script. -# @TEST-EXEC: bro %INPUT -e 'redef myvar=10; print myvar' >output 2>&1 +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro %INPUT -e 'redef myvar=10; print myvar' >output 2>&1 # @TEST-EXEC: btest-diff output const myvar = 5 &redef; diff --git a/testing/btest/doc/broxygen/comment_retrieval_bifs.bro b/testing/btest/doc/broxygen/comment_retrieval_bifs.bro index 77a6058d71..f3c1be6b14 100644 --- a/testing/btest/doc/broxygen/comment_retrieval_bifs.bro +++ b/testing/btest/doc/broxygen/comment_retrieval_bifs.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b %INPUT >out # @TEST-EXEC: btest-diff out ##! This is a test script. diff --git a/testing/btest/doc/broxygen/enums.bro b/testing/btest/doc/broxygen/enums.bro index e8b4c741c2..8fbdb11ab6 100644 
--- a/testing/btest/doc/broxygen/enums.bro +++ b/testing/btest/doc/broxygen/enums.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-enums.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/example.bro b/testing/btest/doc/broxygen/example.bro index e7212f3c5f..22a6fc7418 100644 --- a/testing/btest/doc/broxygen/example.bro +++ b/testing/btest/doc/broxygen/example.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -X broxygen.config %INPUT # @TEST-EXEC: btest-diff example.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/func-params.bro b/testing/btest/doc/broxygen/func-params.bro index 42d1308151..e53ca475f1 100644 --- a/testing/btest/doc/broxygen/func-params.bro +++ b/testing/btest/doc/broxygen/func-params.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-func-params.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/identifier.bro b/testing/btest/doc/broxygen/identifier.bro index db5c2528ee..9225ab8db0 100644 --- a/testing/btest/doc/broxygen/identifier.bro +++ b/testing/btest/doc/broxygen/identifier.bro @@ -1,5 +1,5 @@ # @TEST-SERIALIZE: comm -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/package.bro b/testing/btest/doc/broxygen/package.bro index fd75a1ce21..0d8d790361 100644 --- a/testing/btest/doc/broxygen/package.bro +++ b/testing/btest/doc/broxygen/package.bro 
@@ -1,5 +1,5 @@ # @TEST-SERIALIZE: comm -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/package_index.bro b/testing/btest/doc/broxygen/package_index.bro index ef6cc4ab29..4b98290f20 100644 --- a/testing/btest/doc/broxygen/package_index.bro +++ b/testing/btest/doc/broxygen/package_index.bro @@ -1,5 +1,5 @@ # @TEST-SERIALIZE: comm -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/records.bro b/testing/btest/doc/broxygen/records.bro index 0cc7d27500..fbaa957a9f 100644 --- a/testing/btest/doc/broxygen/records.bro +++ b/testing/btest/doc/broxygen/records.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-records.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/script_index.bro b/testing/btest/doc/broxygen/script_index.bro index 86e1909863..c987c005be 100644 --- a/testing/btest/doc/broxygen/script_index.bro +++ b/testing/btest/doc/broxygen/script_index.bro @@ -1,5 +1,5 @@ # @TEST-SERIALIZE: comm -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/script_summary.bro b/testing/btest/doc/broxygen/script_summary.bro index a7aafc65a0..7fc89c3735 100644 --- a/testing/btest/doc/broxygen/script_summary.bro +++ b/testing/btest/doc/broxygen/script_summary.bro 
@@ -1,5 +1,5 @@ # @TEST-SERIALIZE: comm -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/type-aliases.bro b/testing/btest/doc/broxygen/type-aliases.bro index 28c2cc5568..0971327c2b 100644 --- a/testing/btest/doc/broxygen/type-aliases.bro +++ b/testing/btest/doc/broxygen/type-aliases.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-type-aliases.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/vectors.bro b/testing/btest/doc/broxygen/vectors.bro index 62fb31d436..7c18225357 100644 --- a/testing/btest/doc/broxygen/vectors.bro +++ b/testing/btest/doc/broxygen/vectors.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-vectors.rst @TEST-START-FILE broxygen.config From 21614cd30d0f23f2535a6e7ffa8dce6dd008eaff Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Wed, 20 Jun 2018 09:49:29 -0700 Subject: [PATCH 490/631] basic code implemented, but there's a memory problem somehwere :-( --- src/Expr.cc | 47 ++++++++++++++++++++++++++++------------------- src/Expr.h | 3 +++ src/parse.y | 36 ++++++++++-------------------------- 3 files changed, 41 insertions(+), 45 deletions(-) diff --git a/src/Expr.cc b/src/Expr.cc index f5c8e66b50..d895e811ab 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -665,6 +665,9 @@ Val* BinaryExpr::Fold(Val* v1, Val* v2) const if ( it == TYPE_INTERNAL_STRING ) return StringFold(v1, v2); + if ( v1->Type()->Tag() == TYPE_PATTERN ) + return PatternFold(v1, v2); + if ( it == TYPE_INTERNAL_ADDR ) return AddrFold(v1, v2); 
@@ -851,6 +854,21 @@ Val* BinaryExpr::StringFold(Val* v1, Val* v2) const return new Val(result, TYPE_BOOL); } +Val* BinaryExpr::PatternFold(Val* v1, Val* v2) const + { + const RE_Matcher* re1 = v1->AsPattern(); + const RE_Matcher* re2 = v2->AsPattern(); + + if ( tag != EXPR_AND && tag != EXPR_OR ) + BadTag("BinaryExpr::PatternFold"); + + RE_Matcher* res = tag == EXPR_AND ? + RE_Matcher_conjunction(re1, re2) : + RE_Matcher_disjunction(re1, re2); + + return new PatternVal(res); + } + Val* BinaryExpr::AddrFold(Val* v1, Val* v2) const { IPAddr a1 = v1->AsAddr(); @@ -1696,9 +1714,6 @@ BoolExpr::BoolExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) SetType(base_type(TYPE_BOOL)); } - else if ( bt1 == TYPE_PATTERN && bt2 == bt1 ) - SetType(base_type(TYPE_PATTERN)); - else ExprError("requires boolean operands"); } @@ -1708,22 +1723,6 @@ Val* BoolExpr::DoSingleEval(Frame* f, Val* v1, Expr* op2) const if ( ! v1 ) return 0; - if ( Type()->Tag() == TYPE_PATTERN ) - { - Val* v2 = op2->Eval(f); - if ( ! v2 ) - return 0; - - RE_Matcher* re1 = v1->AsPattern(); - RE_Matcher* re2 = v2->AsPattern(); - - RE_Matcher* res = tag == EXPR_AND_AND ? - RE_Matcher_conjunction(re1, re2) : - RE_Matcher_disjunction(re1, re2); - - return new PatternVal(res); - } - if ( tag == EXPR_AND_AND ) { if ( v1->IsZero() ) @@ -1885,6 +1884,16 @@ BitExpr::BitExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) SetType(base_type(TYPE_COUNT)); } + if ( bt1 == TYPE_PATTERN ) + { + if ( bt2 != TYPE_PATTERN ) + ExprError("cannot mix pattern and non-pattern operands"); + else if ( tag == EXPR_XOR ) + ExprError("'^' operator does not apply to patterns"); + else + SetType(base_type(TYPE_PATTERN)); + } + else ExprError("requires \"count\" operands"); } diff --git a/src/Expr.h b/src/Expr.h index 8e8b6cc96b..4229750fb1 100644 --- a/src/Expr.h +++ b/src/Expr.h 
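Review bot: In the `BitExpr` constructor hunk the new pattern branch is added as a plain `if ( bt1 == TYPE_PATTERN )` after the closing brace of the count branch, so the trailing `else ExprError("requires \"count\" operands");` now binds to the pattern test. As far as the hunk shows, valid count operands will set their type and then still fall into that `else` and raise the error. The branch should be chained as `else if ( bt1 == TYPE_PATTERN )`. The condition of the preceding count branch starts outside the hunk, so this reading should be confirmed against the full constructor.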
@@ -327,6 +327,9 @@ protected: // Same for when the constants are strings. virtual Val* StringFold(Val* v1, Val* v2) const; + // Same for when the constants are patterns. + virtual Val* PatternFold(Val* v1, Val* v2) const; + // Same for when the constants are addresses or subnets. virtual Val* AddrFold(Val* v1, Val* v2) const; virtual Val* SubNetFold(Val* v1, Val* v2) const; diff --git a/src/parse.y b/src/parse.y index 6f7a43ae7f..b8f82aa1fb 100644 --- a/src/parse.y +++ b/src/parse.y @@ -2,7 +2,7 @@ // See the file "COPYING" in the main distribution directory for copyright. %} -%expect 78 +%expect 77 %token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ANY %token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF @@ -49,13 +49,12 @@ %left '$' '[' ']' '(' ')' TOK_HAS_FIELD TOK_HAS_ATTR %type opt_no_test opt_no_test_block opt_deprecated -%type TOK_ID TOK_PATTERN_TEXT single_pattern +%type TOK_ID TOK_PATTERN_TEXT %type local_id global_id def_global_id event_id global_or_event_id resolve_id begin_func %type local_id_list %type init_class %type opt_init %type TOK_CONSTANT -%type pattern %type expr opt_expr init anonymous_function %type event %type stmt stmt_list func_body for_head @@ -720,11 +719,15 @@ expr: $$ = new ConstExpr($1); } - | pattern + | '/' { begin_RE(); } TOK_PATTERN_TEXT { end_RE(); } '/' { - set_location(@1); - $1->Compile(); - $$ = new ConstExpr(new PatternVal($1)); + set_location(@3); + + RE_Matcher* re = new RE_Matcher($3); + delete [] $3; + + re->Compile(); + $$ = new ConstExpr(new PatternVal(re)); } | '|' expr '|' %prec '(' @@ -754,25 +757,6 @@ opt_expr_list: { $$ = new ListExpr(); } ; -pattern: - pattern '|' single_pattern - { - $1->AddPat($3); - delete [] $3; - } - - | single_pattern - { - $$ = new RE_Matcher($1); - delete [] $1; - } - ; - -single_pattern: - '/' { begin_RE(); } TOK_PATTERN_TEXT { end_RE(); } '/' - { $$ = $3; } - ; - enum_body: enum_body_list { From 66ee3764117e4d01c1ed3e0ff05ca60161ea9a69 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Thu, 21 Jun 2018 11:48:10 -0500 Subject: [PATCH 491/631] BIT-1938: fix crash in Broker manager shutdown --- src/broker/Manager.cc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index e78db804a8..20bba4426d 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -226,7 +226,9 @@ void Manager::Terminate() FlushLogBuffers(); for ( auto& p : bstate->endpoint.peers() ) - bstate->endpoint.unpeer(p.peer.network->address, p.peer.network->port); + if ( p.peer.network ) + bstate->endpoint.unpeer(p.peer.network->address, + p.peer.network->port); bstate->endpoint.shutdown(); } From 8ee92c70da43fa62921a51d4818dce5ea01c96d4 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 21 Jun 2018 11:55:39 -0500 Subject: [PATCH 492/631] Add ability for BroControl to skip cluster setup It does this by setting the BROCTL_CHECK_CONFIG env. variable. Related to BIT-1938. --- CHANGES | 8 ++++++++ VERSION | 2 +- aux/broctl | 2 +- scripts/base/frameworks/cluster/setup-connections.bro | 3 +++ 4 files changed, 13 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index e1dbc6bfcf..69976ba603 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,12 @@ +2.5-671 | 2018-06-21 11:55:39 -0500 + + * Add ability for BroControl to skip cluster setup (Corelight) + + * BIT-1938: fix crash in Broker manager shutdown (Corelight) + + * Disable broxygen when running unit tests (Daniel Thayer) + 2.5-668 | 2018-06-15 17:14:33 -0500 * Make old comm. system usages an error unless old_comm_usage_is_ok is set diff --git a/VERSION b/VERSION index 483a2c482b..fd8c8172cf 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-668 +2.5-671 diff --git a/aux/broctl b/aux/broctl index 99ef926d09..c5dd2ba83d 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 99ef926d09a144a9919dec01f6231692e170120e +Subproject commit c5dd2ba83dda185d2008731a5cd25b2b8131ac78 
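Review bot: The new `if ( p.peer.network )` guard in Manager::Terminate skips peers silently, and nothing says why a peer can lack network information or why skipping it is safe. A short comment above the guard would record that, for example `// Peers without network info cannot be unpeered by address; endpoint.shutdown() below is relied on to drop them.` (the second half is an assumption to confirm against Broker). The `for` body is now a multi-line `if`, so braces around it would make the extent of the loop obvious.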
diff --git a/scripts/base/frameworks/cluster/setup-connections.bro b/scripts/base/frameworks/cluster/setup-connections.bro index a06d66bc0c..63ddbdd8b0 100644 --- a/scripts/base/frameworks/cluster/setup-connections.bro +++ b/scripts/base/frameworks/cluster/setup-connections.bro @@ -44,6 +44,9 @@ function connect_peers_with_type(node_type: NodeType) event bro_init() &priority=-10 { + if ( getenv("BROCTL_CHECK_CONFIG") != "" ) + return; + local self = nodes[node]; for ( i in registered_pools ) From 0ab550d3b128418a561df9c690497a1ff860940a Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 21 Jun 2018 14:36:42 -0500 Subject: [PATCH 493/631] Updating submodule(s). [nomail] --- aux/broker | 2 +- src/3rdparty | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/broker b/aux/broker index a11f8c6e20..08f41ccc24 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit a11f8c6e20264abe6147bc2b1be7ca3e7dabad05 +Subproject commit 08f41ccc2497f4c6567da0b95488593c39a12a01 diff --git a/src/3rdparty b/src/3rdparty index bae2418c89..c78abc8454 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit bae2418c89531313aee4dd8809241457b22479e5 +Subproject commit c78abc8454932019f030045340348560a8ac9b23 From 247095479526b61b9b11924027b5a37af199e09d Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 21 Jun 2018 14:21:36 -0700 Subject: [PATCH 494/631] Fix for ancient reference-counting bug in NFA.cc This patch fixes a *19 year old* reference-counting bug (which could lead to a use-after-free, not merely a leak) in the regular expression code. Patch by Vern Paxson. --- src/NFA.cc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/NFA.cc b/src/NFA.cc index 43ec3d2a90..8fb78a7131 100644 --- a/src/NFA.cc +++ b/src/NFA.cc 
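Review bot: The early `return` added to `bro_init` in setup-connections.bro fires for any non-empty value of `BROCTL_CHECK_CONFIG` and leaves no trace, so a node that inherits the variable by accident starts without the cluster setup that follows and says nothing about it. A one-line notice before the return would make that state visible to whoever reads the node's output, e.g. `Reporter::info("BROCTL_CHECK_CONFIG is set, skipping cluster connection setup");`. A comment naming BroControl's configuration check as the only intended setter would help as well. The handler body continues outside the hunk, so what exactly is skipped should be read from the full file.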
@@ -55,7 +55,10 @@ void NFA_State::AddXtionsTo(NFA_state_list* ns) NFA_State* NFA_State::DeepCopy() { if ( mark ) + { + Ref(mark); return mark; + } NFA_State* copy = ccl ? new NFA_State(ccl) : new NFA_State(sym, 0); SetMark(copy); From b864772e8ac18df273afeb8d2ce471422591fc73 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Thu, 21 Jun 2018 15:15:05 -0700 Subject: [PATCH 495/631] fixed typos in NEWS --- NEWS | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 93a28cb200..445305ea59 100644 --- a/NEWS +++ b/NEWS @@ -16,7 +16,7 @@ New Functionality to the version in 2.5), and much of its implementation has been redone. There's a new script-level "broker" framework that supersedes the old "communication" framework, which is now - depracated. The "cluster" and "control" frameworks have been ported + deprecated. The "cluster" and "control" frameworks have been ported to Broker; same for BroControl. For more about the new Broker framework, see doc/frameworks/broker.rst (there's also guide there for porting existing Bro scripts to Broker). For more about Broker @@ -252,7 +252,7 @@ New Functionality Changed Functionality --------------------- - - ALl communication is now handled through Broker, requiring changes + - All communication is now handled through Broker, requiring changes to existing scripts to port them over to the new API. The Broker framework documentation comes with a porting guide. From 6c8562bbdd45d4e5499d4b6e6dc1eca1ca8a9d77 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Thu, 21 Jun 2018 15:50:56 -0700 Subject: [PATCH 496/631] deprecate && / || operators for patterns --- src/Expr.cc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/Expr.cc b/src/Expr.cc index 1ab82853c3..0c890eaea2 100644 --- a/src/Expr.cc +++ b/src/Expr.cc 
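Review bot: The `Ref(mark)` added on the already-copied path of NFA_State::DeepCopy changes what the function hands back, but nothing in the hunk states the ownership rule it now implements. A comment on the branch would keep a later edit from undoing it, e.g. `// The copy is shared: each caller gets its own reference and releases it independently.` The commit message describes a use-after-free, yet the diffstat lists only src/NFA.cc, so no regression test accompanies the fix. A btest that builds and destroys a pattern exercising this path, run under a memory checker, would pin it. The function body continues outside the hunk, and the identical change reappears in the later side-port hunk for src/NFA.cc.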
@@ -1695,7 +1695,10 @@ BoolExpr::BoolExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) } else if ( bt1 == TYPE_PATTERN && bt2 == bt1 ) + { + reporter->Warning("&& and || operators deprecated for pattern operands"); SetType(base_type(TYPE_PATTERN)); + } else ExprError("requires boolean operands"); From 3767d2bee2ac73db57160fd616866cac1e0c8039 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 22 Jun 2018 00:55:46 -0500 Subject: [PATCH 497/631] Travis CI fewer failures and improved output messages Improved readability of the output by adding more error checking and better error and informational messages, and by moving the unit test diag.log output to just before any external tests are run. For pull request builds, skip the private tests instead of failing. Prevent timeouts after 10 minutes of no output by not using the btest "-b" option. Decrease build time by not building unneeded components. --- .travis.yml | 2 - testing/scripts/travis-job | 154 ++++++++++++++++++++++++------------- 2 files changed, 102 insertions(+), 54 deletions(-) diff --git a/.travis.yml b/.travis.yml index aff55355c1..28c1cfa129 100644 --- a/.travis.yml +++ b/.travis.yml @@ -23,5 +23,3 @@ notifications: before_script: sh testing/scripts/travis-job build script: sh testing/scripts/travis-job run - -after_failure: sh testing/scripts/travis-job failure diff --git a/testing/scripts/travis-job b/testing/scripts/travis-job index 524b1964e9..b8f43874c8 100644 --- a/testing/scripts/travis-job +++ b/testing/scripts/travis-job 
@@ -1,24 +1,25 @@ #!/bin/sh - -if [ "${TRAVIS}" != "true" ]; then - echo "$0: this script is intended for Travis CI" - exit 1 -fi +# +# This script (along with the .travis.yml file) is used by Travis CI to +# build Bro and run the tests. if [ $# -ne 1 ]; then - echo "usage: $0 build|run|failure" + echo "usage: $0 build|run" exit 1 fi step=$1 -build() { - ./configure && make -j 4 -} - +# Build Bro with the coverity tools. build_coverity() { # Get the coverity tools set -e + + if [ -z "${COV_TOKEN}" ]; then + echo "Error: COV_TOKEN is not defined (should be defined in environment variables section of Travis settings for this repo)" + exit 1 + fi + wget -nv https://scan.coverity.com/download/cxx/linux64 --post-data "token=${COV_TOKEN}&project=Bro" -O coverity_tool.tgz tar xzf coverity_tool.tgz mv cov-analysis* coverity-tools @@ -33,6 +34,7 @@ build_coverity() { cov-build --dir cov-int make -j 4 } +# Create a tar file and send it to coverity. run_coverity() { set -e 
@@ -43,75 +45,123 @@ run_coverity() { cd build tar cjf ${FILE} cov-int - curl --form token=${COV_TOKEN} --form email=${EMAIL} --form file=@${FILE} --form version=${VER} --form description=${DESC} https://scan.coverity.com/builds?project=Bro + curl --form token=${COV_TOKEN} --form email=${EMAIL} --form file=@${FILE} --form "version=${VER}" --form "description=${DESC}" https://scan.coverity.com/builds?project=Bro } +# Build Bro. +build() { + # Skip building broker tests, python bindings, and broctl, as these are + # not needed by the bro tests. + ./configure --build-type=Release --disable-broker-tests --disable-python --disable-broctl && make -j 2 +} + +# Run all Bro tests. run() { - # Run the tests, but don't exit upon failure. + echo + echo "Running unit tests ##################################################" + echo cd testing/btest - ../../aux/btest/btest -j 4 -b -f diag.log + # Must specify a value for "-j" option, otherwise Travis uses a huge value. + ../../aux/btest/btest -j 4 -d ret=$? - cd ../.. + + echo + echo "Getting external tests ##############################################" + echo + cd ../external set -e - # Get the test repo - make -C testing/external init + make init - # Get the private test repo - curl https://www.bro.org/static/travis-ci/travis_key.enc -o travis_key.enc - openssl aes-256-cbc -K $encrypted_6a6fe747ff7b_key -iv $encrypted_6a6fe747ff7b_iv -in travis_key.enc -out travis_key -d - chmod 600 travis_key - mv travis_key $HOME/.ssh/id_rsa - cd testing/external - git clone ssh://git@git.bro.org/bro-testing-private - cd ../.. - rm $HOME/.ssh/id_rsa + # Rename the encrypted environment variables to avoid having the hash value + # hard-coded multiple times in this script. 
+ hash=6a6fe747ff7b + eval "trav_key=\$encrypted_${hash}_key" + eval "trav_iv=\$encrypted_${hash}_iv" - # Run the external tests - make -C testing/external + if [ -n "$trav_key" ] && [ -n "$trav_iv" ]; then + curl https://www.bro.org/static/travis-ci/travis_key.enc -o travis_key.enc + openssl aes-256-cbc -K $trav_key -iv $trav_iv -in travis_key.enc -out travis_key -d + chmod 600 travis_key + mv travis_key ~/.ssh/id_rsa + git clone ssh://git@git.bro.org/bro-testing-private + rm ~/.ssh/id_rsa + elif [ -n "${TRAVIS_PULL_REQUEST}" ] && [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then + # For pull request builds, the private key is not available, so skip + # the private tests to avoid failing. + echo "Note: skipping private tests because encrypted env. variables are not defined." + else + echo "Error: cannot get private tests because encrypted env. variables are not defined." + exit 1 + fi + + echo + echo "Running external tests ##############################################" + echo + trap showdiag EXIT + make # If we get here, then external tests were successful. exit $ret } -failure() { - # Output each diag.log that contains failed test results, but don't show - # skipped tests. - for i in testing/btest/diag.log testing/external/bro-testing/diag.log; do - grep -qs '... failed$' $i && grep -v "... not available, skipped" $i ; - done +# Output the contents of diag.log when a test fails. +showdiag() { + # Show failed tests only, not skipped tests. + f=bro-testing/diag.log + + grep -qs '... failed$' $f && \ + echo && \ + echo "Output of failed external tests #####################################" && \ + echo && \ + grep -v "... not available, skipped" $f } -# Coverity scan is run from a Travis CI cron job. -if [ "$TRAVIS_EVENT_TYPE" = "cron" ]; then - # Each Travis CI build consists of multiple jobs. Here we choose one job - # to run the coverity scan. - JOB=`echo $TRAVIS_JOB_NUMBER | cut -d . 
-f 2` +if [ "$step" != "build" ] && [ "$step" != "run" ]; then + echo "Error: unknown build step: $step" + exit 1 +fi - if [ "$JOB" != "1" ]; then +if [ "${TRAVIS}" != "true" ]; then + echo "$0: this script is intended for Travis CI" + exit 1 +fi + +if [ "${TRAVIS_EVENT_TYPE}" = "cron" ]; then + # Run the coverity scan from a Travis CI cron job. + + # Extract second component of the job number. + if [ -z "${TRAVIS_JOB_NUMBER}" ]; then + echo "Error: TRAVIS_JOB_NUMBER is not defined (it should be defined by Travis CI)" + exit 1 + fi + job=`echo ${TRAVIS_JOB_NUMBER} | cut -d . -f 2` + + # If this isn't the first job in a Travis CI build, then just output a + # message and exit (this is not an error). + if [ "$job" != "1" ]; then echo "Coverity scan is performed only in the first job of this build" exit 0 fi # This is split up into two steps because the build outputs thousands of - # lines (which are collapsed into a single line on the web page). + # lines (which are conveniently collapsed into a single line in the + # "Job log" on the Travis CI web site). if [ "$step" = "build" ]; then build_coverity elif [ "$step" = "run" ]; then run_coverity fi - exit 0 -fi +else + # Build bro and run tests. -# Run one step of a Travis CI job. The "build" and "run" are split up into -# separate steps because the build outputs thousands of lines (which are -# collapsed into a single line on the web page). The "failure" step is run -# only when at least one test fails. -if [ "$step" = "build" ]; then - build -elif [ "$step" = "run" ]; then - run -elif [ "$step" = "failure" ]; then - failure + # The "build" and "run" steps are split up into separate steps because the + # build outputs thousands of lines (which are conveniently collapsed into + # a single line when viewing the "Job log" on the Travis CI web site). + if [ "$step" = "build" ]; then + build + elif [ "$step" = "run" ]; then + run + fi fi From ed42e20714c8bc99566d32cd26302cf1d524a423 Mon Sep 17 00:00:00 2001 
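Review bot: In run(), the decrypted deploy key is removed only by the `rm ~/.ssh/id_rsa` that follows `git clone`, and `set -e` is in force by then, so a failed clone exits the script with the private key still at ~/.ssh/id_rsa. The key is also written by `openssl` under the default umask and tightened only afterwards with `chmod 600`, and `curl` has no `--fail`, so an HTTP error page would be passed to `openssl` as if it were the key file. Suggested lines: `curl -fsS https://www.bro.org/static/travis-ci/travis_key.enc -o travis_key.enc`, `( umask 077; openssl aes-256-cbc -K "$trav_key" -iv "$trav_iv" -in travis_key.enc -out travis_key -d )`, and `git clone ssh://git@git.bro.org/bro-testing-private || { rm -f ~/.ssh/id_rsa; exit 1; }`. Quoting `$trav_key` and `$trav_iv` also keeps an unexpected value from being split into extra `openssl` arguments.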
From: Daniel Thayer Date: Fri, 22 Jun 2018 10:13:24 -0500 Subject: [PATCH 498/631] Use docker containers to run Bro tests on Travis CI The advantage of using docker containers is to build and test Bro in an environment that more closely resembles the environment where Bro will actually be used. The docker containers currently used enable testing Bro with all the major versions of gcc (versions 4 through 8), as well as both python 2 and 3. The "travis-job" script now takes a second parameter which specifies a Linux distro to use (specifying "travis" will build and test bro without using docker). --- .travis.yml | 23 +++++++--- testing/scripts/travis-job | 91 +++++++++++++++++++++++++++++++++----- 2 files changed, 96 insertions(+), 18 deletions(-) diff --git a/.travis.yml b/.travis.yml index 28c1cfa129..56d41de17d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,15 +1,13 @@ language: cpp -compiler: - - clang - - gcc + +services: + - docker addons: - ssh_known_hosts: git.bro.org apt: packages: - libpcap-dev - libssl-dev - - swig branches: only: @@ -20,6 +18,17 @@ notifications: recipients: - bro-commits-internal@bro.org -before_script: sh testing/scripts/travis-job build +# Build Bro and run tests in the following Linux distros (specifying "travis" +# builds bro in Travis without using docker). +env: + - distro: centos_7 + - distro: debian_9 + - distro: fedora_28 + - distro: ubuntu_16.04 + - distro: ubuntu_18.04 -script: sh testing/scripts/travis-job run +install: sh testing/scripts/travis-job install $distro + +before_script: sh testing/scripts/travis-job build $distro + +script: sh testing/scripts/travis-job run $distro diff --git a/testing/scripts/travis-job b/testing/scripts/travis-job index b8f43874c8..bb6ef760d6 100644 --- a/testing/scripts/travis-job +++ b/testing/scripts/travis-job 
@@ -3,12 +3,15 @@ # This script (along with the .travis.yml file) is used by Travis CI to # build Bro and run the tests. -if [ $# -ne 1 ]; then - echo "usage: $0 build|run" +if [ $# -ne 2 ]; then + echo "usage: $0 CMD DISTRO" + echo " CMD is a build step (install, build, or run)" + echo " DISTRO is a Linux distro, or 'travis' to run in Travis without docker" exit 1 fi step=$1 +distro=$2 # Build Bro with the coverity tools. build_coverity() { 
@@ -48,6 +51,50 @@ run_coverity() { curl --form token=${COV_TOKEN} --form email=${EMAIL} --form file=@${FILE} --form "version=${VER}" --form "description=${DESC}" https://scan.coverity.com/builds?project=Bro } + +# Setup a docker container. +setup_docker() { + case $distro in + centos_7) + distro_cmds="yum -y install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel git openssl which" + ;; + debian_9) + distro_cmds="apt-get update; apt-get -y install cmake make gcc g++ flex bison python libpcap-dev libssl1.0-dev zlib1g-dev git sqlite3 curl bsdmainutils" + ;; + fedora_28) + distro_cmds="yum -y install cmake make gcc gcc-c++ flex bison libpcap-devel compat-openssl10-devel git sqlite findutils which; ln -s /usr/bin/python3 /usr/local/bin/python" + ;; + ubuntu_16.04) + distro_cmds="apt-get update; apt-get -y install cmake make gcc g++ flex bison python libpcap-dev libssl-dev zlib1g-dev git sqlite3 curl bsdmainutils" + ;; + ubuntu_18.04) + distro_cmds="apt-get update; apt-get -y install cmake make gcc g++ flex bison python3 libpcap-dev libssl1.0-dev zlib1g-dev git sqlite3 curl bsdmainutils; ln -s /usr/bin/python3 /usr/local/bin/python" + ;; + *) + echo "Error: distro ${distro} is not recognized by this script" + exit 1 + ;; + esac + + docker_image=`echo $distro | tr '_' ':'` + docker run --name brotest -id -v "`pwd`:/bro" -w /bro ${docker_image} sh + docker exec brotest sh -c "${distro_cmds}" +} + + +# Build bro in a docker container. +build_docker() { + docker exec -e TRAVIS brotest sh testing/scripts/travis-job $step travis +} + + +# Run Bro tests in a docker container. +run_docker() { + prepare_env + docker exec -t -e TRAVIS -e TRAVIS_PULL_REQUEST -e trav_key -e trav_iv brotest sh testing/scripts/travis-job $step travis +} + + # Build Bro. build() { # Skip building broker tests, python bindings, and broctl, as these are 
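Review bot: setup_docker joins the package commands in `distro_cmds` with `;`, so `docker exec brotest sh -c "${distro_cmds}"` reports only the status of the last command, and a failed `apt-get update` or package install goes unnoticed until the build breaks later. Running it as `docker exec brotest sh -ec "${distro_cmds}"` stops at the first failure. Separately, run_docker forwards `trav_key` and `trav_iv` into a container started from a mutable tag (`centos:7`, `debian:9`, and so on). Pinning each image by digest (`IMAGE@sha256:<digest>`, placeholder) would fix which code gets to see the decryption key.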
@@ -55,7 +102,22 @@ build() { ./configure --build-type=Release --disable-broker-tests --disable-python --disable-broctl && make -j 2 } -# Run all Bro tests. + +# Rename the encrypted environment variables to avoid having the hash value +# hard-coded multiple times in this script. +prepare_env() { + if [ -z "$trav_key" ]; then + hash=6a6fe747ff7b + eval "trav_key=\$encrypted_${hash}_key" + eval "trav_iv=\$encrypted_${hash}_iv" + # Export so they are visible in docker containers. + export trav_key + export trav_iv + fi +} + + +# Run Bro tests. run() { echo echo "Running unit tests ##################################################" @@ -73,18 +135,15 @@ run() { set -e make init - - # Rename the encrypted environment variables to avoid having the hash value - # hard-coded multiple times in this script. - hash=6a6fe747ff7b - eval "trav_key=\$encrypted_${hash}_key" - eval "trav_iv=\$encrypted_${hash}_iv" + prepare_env if [ -n "$trav_key" ] && [ -n "$trav_iv" ]; then curl https://www.bro.org/static/travis-ci/travis_key.enc -o travis_key.enc openssl aes-256-cbc -K $trav_key -iv $trav_iv -in travis_key.enc -out travis_key -d chmod 600 travis_key + mkdir -p ~/.ssh mv travis_key ~/.ssh/id_rsa + ssh-keyscan -H -p 22 -t rsa git.bro.org >> ~/.ssh/known_hosts git clone ssh://git@git.bro.org/bro-testing-private rm ~/.ssh/id_rsa elif [ -n "${TRAVIS_PULL_REQUEST}" ] && [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then @@ -118,7 +177,7 @@ showdiag() { grep -v "... not available, skipped" $f } -if [ "$step" != "build" ] && [ "$step" != "run" ]; then +if [ "$step" != "install" ] && [ "$step" != "build" ] && [ "$step" != "run" ]; then echo "Error: unknown build step: $step" exit 1 fi @@ -153,7 +212,7 @@ if [ "${TRAVIS_EVENT_TYPE}" = "cron" ]; then elif [ "$step" = "run" ]; then run_coverity fi -else +elif [ "$distro" = "travis" ]; then # Build bro and run tests. # The "build" and "run" steps are split up into separate steps because the 
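Review bot: The `ssh-keyscan -H -p 22 -t rsa git.bro.org >> ~/.ssh/known_hosts` line added to run() accepts whatever host key the network returns at job time, so the `git clone` that follows has nothing independent to verify the server against. A host impersonating git.bro.org could then supply the contents of the private test repository that the job goes on to execute. Committing the expected public host key and appending that instead keeps the check meaningful, e.g. `cat testing/scripts/git.bro.org.hostkey >> ~/.ssh/known_hosts` (the file name is a placeholder).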
@@ -164,4 +223,14 @@ else elif [ "$step" = "run" ]; then run fi +else + # Build bro and run tests in a docker container. + + if [ "$step" = "install" ]; then + setup_docker + elif [ "$step" = "build" ]; then + build_docker + elif [ "$step" = "run" ]; then + run_docker + fi fi From cff68b437152c2117e3ac8a0565e040b29ad92cc Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Fri, 22 Jun 2018 10:03:13 -0700 Subject: [PATCH 499/631] deprecate mixing scalars and vectors --- NEWS | 7 +++++++ src/Expr.cc | 13 +++++++++++-- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 445305ea59..8542d7853b 100644 --- a/NEWS +++ b/NEWS @@ -356,6 +356,13 @@ Deprecated Functionality removal with the next Bro release. Bro's new configuration framework is taking its place. +- Mixing of scalars and vectors, such as "v + e" yielding a vector + corresponding to the vector v with the scalar e added to each of + its elements, has been deprecated. + +- The undocumented feature of using "&&" and "||" operators for patterns + has been deprecated. + Bro 2.5.1 ========= diff --git a/src/Expr.cc b/src/Expr.cc index 0c890eaea2..be4b05d6a2 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -909,11 +909,17 @@ void BinaryExpr::PromoteOps(TypeTag t) TypeTag bt1 = op1->Type()->Tag(); TypeTag bt2 = op2->Type()->Tag(); - if ( IsVector(bt1) ) + bool is_vec1 = IsVector(bt1); + bool is_vec2 = IsVector(bt2); + + if ( is_vec1 ) bt1 = op1->Type()->AsVectorType()->YieldType()->Tag(); - if ( IsVector(bt2) ) + if ( is_vec2 ) bt2 = op2->Type()->AsVectorType()->YieldType()->Tag(); + if ( (is_vec1 || is_vec2) && ! (is_vec1 && is_vec2) ) + reporter->Warning("mixing vector and scalar operands is deprecated"); + if ( bt1 != t ) op1 = new ArithCoerceExpr(op1, t); if ( bt2 != t ) 
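Review bot: The mixed-operand test in BinaryExpr::PromoteOps, `(is_vec1 || is_vec2) && ! (is_vec1 && is_vec2)`, is an exclusive-or spelled out the long way. `if ( is_vec1 != is_vec2 )` says the same thing for two `bool` values and is easier to read. The later BoolExpr::BoolExpr hunk that adds the same warning nests `! (is_vector(op1) && is_vector(op2))` inside an `||` test and could use the same form. The function body continues outside the hunk.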
@@ -1003,7 +1009,10 @@ IncrExpr::IncrExpr(BroExprTag arg_tag, Expr* arg_op) if ( ! IsIntegral(t->AsVectorType()->YieldType()->Tag()) ) ExprError("vector elements must be integral for increment operator"); else + { + reporter->Warning("increment/decrement operations for vectors deprecated"); SetType(t->Ref()); + } } else { From b811a8e7a6fa4d2b56b60937fadbe144cdc4ed51 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Fri, 22 Jun 2018 13:40:53 -0700 Subject: [PATCH 500/631] bug fix (and typo fix) for vector+scalar boolean operations --- src/Expr.cc | 2 +- src/Val.cc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Expr.cc b/src/Expr.cc index be4b05d6a2..cd431fdca1 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -1798,7 +1798,7 @@ Val* BoolExpr::Eval(Frame* f) const VectorVal* result = 0; - // It's either and EXPR_AND_AND or an EXPR_OR_OR. + // It's either an EXPR_AND_AND or an EXPR_OR_OR. bool is_and = (tag == EXPR_AND_AND); if ( scalar_v->IsZero() == is_and ) diff --git a/src/Val.cc b/src/Val.cc index 4da4a35d48..61cca185df 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -3226,7 +3226,7 @@ bool VectorVal::AssignRepeat(unsigned int index, unsigned int how_many, ResizeAtLeast(index + how_many); for ( unsigned int i = index; i < index + how_many; ++i ) - if ( ! Assign(i, element ) ) + if ( ! Assign(i, element->Ref() ) ) return false; return true; From 89b7b88e75f7662fc655d73ef81827290941f1db Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Fri, 22 Jun 2018 13:43:51 -0700 Subject: [PATCH 501/631] deprecate boolean scalar+vector operations --- src/Expr.cc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/Expr.cc b/src/Expr.cc index cd431fdca1..ef8da8edbb 100644 --- a/src/Expr.cc +++ b/src/Expr.cc 
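Review bot: With `element->Ref()` now taken for every slot in VectorVal::AssignRepeat, the function no longer consumes the reference the caller passed in, and nothing in the hunk releases or documents it. If callers previously handed ownership of `element` to this function (not visible here), they now need to `Unref` it after the call, otherwise each call leaks one reference; the reverse mistake would free a value the vector still points to. A comment on the function stating the rule, e.g. `// Takes no ownership of element: each assigned slot holds its own reference.`, would settle it. The early `return false` also follows a `Ref()` whose fate depends on whether `Assign` releases its argument on failure, which should be checked.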
@@ -1698,7 +1698,11 @@ BoolExpr::BoolExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) if ( BothBool(bt1, bt2) ) { if ( is_vector(op1) || is_vector(op2) ) + { + if ( ! (is_vector(op1) && is_vector(op2)) ) + reporter->Warning("mixing vector and scalar operands is deprecated"); SetType(new VectorType(base_type(TYPE_BOOL))); + } else SetType(base_type(TYPE_BOOL)); } From 9e2c70b90b79db440873bdbe55ed735f6d04033b Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Fri, 22 Jun 2018 14:17:15 -0700 Subject: [PATCH 502/631] deprecate merge_patterns() --- NEWS | 3 +++ src/bro.bif | 2 ++ 2 files changed, 5 insertions(+) diff --git a/NEWS b/NEWS index 8542d7853b..8cd4f3c201 100644 --- a/NEWS +++ b/NEWS @@ -360,6 +360,9 @@ Deprecated Functionality corresponding to the vector v with the scalar e added to each of its elements, has been deprecated. +- The built-in function merge_pattern() has been deprecated. It will + be replaced by the '&' operator for patterns. + - The undocumented feature of using "&&" and "||" operators for patterns has been deprecated. diff --git a/src/bro.bif b/src/bro.bif index 652b8cdd07..f0641104c9 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -2966,6 +2966,8 @@ function merge_pattern%(p1: pattern, p2: pattern%): pattern return 0; } + reporter->Warning("merge_pattern() builtin-function has been deprecated"); + RE_Matcher* re = new RE_Matcher(); re->AddPat(p1->PatternText()); re->AddPat(p2->PatternText()); From 4cdf1e39bbee3dd50a9d4b1a38da4ee78ad3bc22 Mon Sep 17 00:00:00 2001 
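Review bot: The `reporter->Warning` added to merge_pattern runs on every call, and only after the early `return 0` above it, so a script that calls the function from a frequently raised event repeats the same line in the warning stream while the error path gives no deprecation notice at all. If the BIF declaration syntax accepts the `&deprecated` attribute that the script layer already has (to be confirmed for .bif files), marking the function that way reports the deprecation once, when the script is parsed. The function body starts outside the hunk.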
From: Chung Min Kim Date: Fri, 22 Jun 2018 14:27:46 -0700 Subject: [PATCH 503/631] Add code coverage for bro source files after btest test suite Adds --enable-coverage flag to configure Bro with gcov. A new directory named /testing/bro-code-coverage/ contains a new coverage target that as part of `make coverage` in /testing/. This coverage option creates coverage.log of all important directories in /src/ and places all generated .gcov files alongside the corresponding source file. --- configure | 7 ++ testing/Makefile | 2 + testing/bro-core-coverage/Makefile | 9 ++ testing/bro-core-coverage/code_coverage.sh | 134 +++++++++++++++++++++ testing/btest/Makefile | 1 + 5 files changed, 153 insertions(+) create mode 100644 testing/bro-core-coverage/Makefile create mode 100755 testing/bro-core-coverage/code_coverage.sh diff --git a/configure b/configure index fdbca263c6..56d10e393b 100755 --- a/configure +++ b/configure @@ -45,6 +45,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... Optional Features: --enable-debug compile in debugging mode (like --build-type=Debug) + --enable-coverage compile with code coverage support (implies debugging mode) --enable-mobile-ipv6 analyze mobile IPv6 features defined by RFC 6275 --enable-perftools force use of Google perftools on non-Linux systems (automatically on when perftools is present on Linux) @@ -142,6 +143,8 @@ append_cache_entry INSTALL_BROCTL BOOL true append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING append_cache_entry ENABLE_MOBILE_IPV6 BOOL false append_cache_entry DISABLE_PERFTOOLS BOOL false +append_cache_entry DISABLE_RUBY_BINDINGS BOOL true +append_cache_entry ENABLE_COVERAGE BOOL false # parse arguments while [ $# -ne 0 ]; do @@ -197,6 +200,10 @@ while [ $# -ne 0 ]; do --logdir=*) append_cache_entry BRO_LOG_DIR PATH $optarg ;; + --enable-coverage) + append_cache_entry ENABLE_COVERAGE BOOL true + append_cache_entry ENABLE_DEBUG BOOL true + ;; --enable-debug) append_cache_entry ENABLE_DEBUG BOOL true ;; 
diff --git a/testing/Makefile b/testing/Makefile index e83ec09396..e34aaca939 100644 --- a/testing/Makefile +++ b/testing/Makefile @@ -8,6 +8,7 @@ brief: make-brief coverage distclean: @rm -f coverage.log $(MAKE) -C btest $@ + $(MAKE) -C bro-core-coverage $@ make-verbose: @for repo in $(DIRS); do (cd $$repo && make -s ); done @@ -22,4 +23,5 @@ coverage: @echo "Complete test suite code coverage:" @./scripts/coverage-calc "brocov.tmp.*" coverage.log `pwd`/../scripts @rm -f brocov.tmp.* + @cd bro-core-coverage && make coverage diff --git a/testing/bro-core-coverage/Makefile b/testing/bro-core-coverage/Makefile new file mode 100644 index 0000000000..e7db4894fd --- /dev/null +++ b/testing/bro-core-coverage/Makefile @@ -0,0 +1,9 @@ +coverage: cleanup + @./code_coverage.sh + +cleanup: + @rm -f coverage.log + @find ../../ -name "*.gcov" -exec rm {} \; + +distclean: cleanup + @find ../../ -name "*.gcno" -exec rm {} \; diff --git a/testing/bro-core-coverage/code_coverage.sh b/testing/bro-core-coverage/code_coverage.sh new file mode 100755 index 0000000000..b1eb8c599a --- /dev/null +++ b/testing/bro-core-coverage/code_coverage.sh 
@@ -0,0 +1,134 @@ +#!/bin/bash +# +# On a Bro build configured with --enable-coverage, this script +# produces a code coverage report after Bro has been invoked. The +# intended application of this script is after the btest testsuite has +# run. This combination (btests first, coverage computation afterward) +# happens automatically when running "make" in the testing directory. +# +# This depends on gcov, which should come with your gcc. +# +# AUTOMATES CODE COVERAGE TESTING +# 1. Run test suite +# 2. Check for .gcda files existing. +# 3a. Run gcov (-p to preserve path) +# 3b. Prune .gcov files for objects outside of the Bro tree +# 4a. Analyze .gcov files generated and create summary file +# 4b. Send .gcov files to appropriate path +# +CURR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" # Location of script +BASE="$(realpath "${CURR}/../../")" +TMP="${CURR}/tmp.$$" +mkdir -p $TMP + +# DEFINE CLEANUP PROCESS +function finish { + find "$BASE" -name "*.gcda" -exec rm {} \; > /dev/null 2>&1 + rm -rf $TMP +} +trap finish EXIT + +# DEFINE CRUCIAL FUNCTIONS FOR COVERAGE CHECKING +function check_file_coverage { + GCOVDIR="$1" + + for i in $GCOVDIR/*.gcov; do + # Effective # of lines: starts with a number (# of runs in line) or ##### (line never run) + TOTAL=$(cut -d: -f 1 "$i" | sed 's/ //g' | grep -v "^[[:alpha:]]" | grep -v "-" | wc -l) + + # Count number of lines never run + UNRUN=$(grep "#####" "$i" | wc -l) + + # Lines in code are either run or unrun + RUN=$(($TOTAL - $UNRUN)) + + # Avoid division-by-zero problems: + PERCENTAGE=0.000 + [ $RUN -gt 0 ] && PERCENTAGE=$(bc <<< "scale=3; 100*$RUN/$TOTAL") + + # Find correlation between % of lines run vs. 
"Runs" + echo -e "$PERCENTAGE\t$RUN\t$TOTAL\t$(grep "0:Runs" "$i" | sed 's/.*://')\t$i" + done +} + +function check_group_coverage { + DATA="$1" # FILE CONTAINING COVERAGE DATA + SRC_FOLDER="$2" # WHERE BRO WAS COMPILED + OUTPUT="$3" + + # Prints all the relevant directories + DIRS=$(for i in $(cut -f 5 "$DATA"); do basename "$i" | sed 's/#[^#]*$//'; done \ + | sort | uniq | sed 's/^.*'"${SRC_FOLDER}"'//' | grep "^#s\+" ) + # "Generalize" folders unless it's from analyzers + DIRS=$(for i in $DIRS; do + if !(echo "$i" | grep "src#analyzer"); then + echo "$i" | cut -d "#" -f 1,2,3 + fi + done | sort | uniq ) + + for i in $DIRS; do + # For elements in #src, we only care about the files direclty in the directory. + if [[ "$i" = "#src" ]]; then + RUN=$(echo $(grep "$i#[^#]\+$" $DATA | grep "$SRC_FOLDER$i\|build$i" | cut -f 2) | tr " " "+" | bc) + TOTAL=$(echo $(grep "$i#[^#]\+$" $DATA | grep "$SRC_FOLDER$i\|build$i" | cut -f 3) | tr " " "+" | bc) + else + RUN=$(echo $(grep "$i" $DATA | cut -f 2) | tr " " "+" | bc) + TOTAL=$(echo $(grep "$i" $DATA | cut -f 3) | tr " " "+" | bc) + fi + + PERCENTAGE=$( echo "scale=3;100*$RUN/$TOTAL" | bc | tr "\n" " " ) + printf "%-50s\t%12s\t%6s %%\n" "$i" "$RUN/$TOTAL" $PERCENTAGE \ + | sed 's|#|/|g' >>$OUTPUT + done +} + +# 1. Run test suite +# SHOULD HAVE ALREADY BEEN RUN BEFORE THIS SCRIPT (BASED ON MAKEFILE TARGETS) + +# 2. Check for .gcno and .gcda file presence +echo -n "Checking for coverage files... " +for pat in gcda gcno; do + if [ -z "$(find "$BASE" -name "*.$pat" 2>/dev/null)" ]; then + echo "no .$pat files, nothing to do" + exit 0 + fi +done +echo "ok" + +# 3a. Run gcov (-p to preserve path) and move into tmp directory +echo -n "Creating coverage files... " +( cd "$TMP" && find "$BASE" -name "*.o" -exec gcov -p {} > /dev/null 2>&1 \; ) +NUM_GCOVS=$(ls "$TMP"/*.gcov | wc -l) +if [ $NUM_GCOVS -eq 0 ]; then + echo "no gcov files produced, aborting" + exit 1 +fi +echo "ok, $NUM_GCOVS coverage files" + +# 3b. 
Prune gcov files that fall outside of the Bro tree: +# Look for files containing gcov's slash substitution character "#" +# and remove any that don't contain the Bro path root. +echo -n "Pruning out-of-tree coverage files... " +PREFIX=$(echo "$BASE" | sed 's|/|#|g') +for i in "$TMP"/*#*.gcov; do + if ! [[ "$i" = *$PREFIX* ]]; then + rm -f $i + fi +done +NUM_GCOVS=$(ls "$TMP"/*.gcov | wc -l) +echo "ok, $NUM_GCOVS coverage files remain" + +# 4a. Analyze .gcov files generated and create summary file +echo -n "Creating summary file... " +DATA="${TMP}/data.txt" +SUMMARY="$CURR/coverage.log" +check_file_coverage "$TMP" > "$DATA" +check_group_coverage "$DATA" ${BASE##*/} $SUMMARY +echo "ok" + +# 4b. Send .gcov files to appropriate path +echo -n "Sending coverage files to respective directories... " +for i in "$TMP"/*#*.gcov; do + mv $i $(echo $(basename $i) | sed 's/#/\//g') +done +echo "ok" diff --git a/testing/btest/Makefile b/testing/btest/Makefile index c9bcfff5ee..c6f2438ad1 100644 --- a/testing/btest/Makefile +++ b/testing/btest/Makefile @@ -21,6 +21,7 @@ coverage: cleanup: @rm -f $(DIAG) @rm -rf $(SCRIPT_COV)* + @find ../../ -name "*.gcda" -exec rm {} \; distclean: cleanup @rm -rf .btest.failed.dat \ From 04b7f8276c3b85409326b5405937e1dc37e5f008 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Fri, 22 Jun 2018 15:12:22 -0700 Subject: [PATCH 504/631] side-porting changes for supporting &/| pattern ops --- src/Expr.cc | 44 ++++++++++++++++++++++++++++---------------- src/Expr.h | 3 +++ src/NFA.cc | 3 +++ src/parse.y | 36 ++++++++++-------------------------- 4 files changed, 44 insertions(+), 42 deletions(-) diff --git a/src/Expr.cc b/src/Expr.cc index ef8da8edbb..b979a3638b 100644 --- a/src/Expr.cc +++ b/src/Expr.cc 
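Review bot: code_coverage.sh builds its scratch directory as `TMP="${CURR}/tmp.$$"` and later runs `rm -rf $TMP` and `mv $i ...` with the variables unquoted, so a checkout path containing a space or glob character makes the cleanup trap and the final move act on the wrong paths, and the directory name is predictable. `TMP="$(mktemp -d "${CURR}/tmp.XXXXXX")"` together with `rm -rf "$TMP"` and a quoted `"$i"` in the loops addresses both. In check_group_coverage the percentage is computed as `100*$RUN/$TOTAL` with no guard, unlike check_file_coverage, so a group whose files have no countable lines makes `bc` report a division by zero.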
@@ -663,6 +663,9 @@ Val* BinaryExpr::Fold(Val* v1, Val* v2) const if ( it == TYPE_INTERNAL_STRING ) return StringFold(v1, v2); + if ( v1->Type()->Tag() == TYPE_PATTERN ) + return PatternFold(v1, v2); + if ( it == TYPE_INTERNAL_ADDR ) return AddrFold(v1, v2); @@ -849,6 +852,21 @@ Val* BinaryExpr::StringFold(Val* v1, Val* v2) const return new Val(result, TYPE_BOOL); } +Val* BinaryExpr::PatternFold(Val* v1, Val* v2) const + { + const RE_Matcher* re1 = v1->AsPattern(); + const RE_Matcher* re2 = v2->AsPattern(); + + if ( tag != EXPR_AND && tag != EXPR_OR ) + BadTag("BinaryExpr::PatternFold"); + + RE_Matcher* res = tag == EXPR_AND ? + RE_Matcher_conjunction(re1, re2) : + RE_Matcher_disjunction(re1, re2); + + return new PatternVal(res); + } + Val* BinaryExpr::AddrFold(Val* v1, Val* v2) const { IPAddr a1 = v1->AsAddr(); @@ -1722,22 +1740,6 @@ Val* BoolExpr::DoSingleEval(Frame* f, Val* v1, Expr* op2) const if ( ! v1 ) return 0; - if ( Type()->Tag() == TYPE_PATTERN ) - { - Val* v2 = op2->Eval(f); - if ( ! v2 ) - return 0; - - RE_Matcher* re1 = v1->AsPattern(); - RE_Matcher* re2 = v2->AsPattern(); - - RE_Matcher* res = tag == EXPR_AND_AND ? - RE_Matcher_conjunction(re1, re2) : - RE_Matcher_disjunction(re1, re2); - - return new PatternVal(res); - } - if ( tag == EXPR_AND_AND ) { if ( v1->IsZero() ) @@ -1899,6 +1901,16 @@ BitExpr::BitExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) SetType(base_type(TYPE_COUNT)); } + if ( bt1 == TYPE_PATTERN ) + { + if ( bt2 != TYPE_PATTERN ) + ExprError("cannot mix pattern and non-pattern operands"); + else if ( tag == EXPR_XOR ) + ExprError("'^' operator does not apply to patterns"); + else + SetType(base_type(TYPE_PATTERN)); + } + else ExprError("requires \"count\" operands"); } diff --git a/src/Expr.h b/src/Expr.h index 9fc9aa15ed..c21547d91c 100644 --- a/src/Expr.h +++ b/src/Expr.h 
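Review bot: `PatternFold` has no comment saying that `&` on patterns builds a concatenation rather than an intersection, which is easy to misread next to the bitwise meaning of the same tag. The NEWS entry later in this series describes `p1 & p2` as matching p1 followed by p2, so a header such as `// Folds two patterns: EXPR_AND yields p1 followed by p2, EXPR_OR yields p1-or-p2.` would keep code and documentation in step. The same comment should state that `v2->AsPattern()` relies on the operand check in the `BitExpr` constructor, because the dispatch added in `Fold()` (hunk @@ -663) tests only `v1`.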
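Review bot: The pattern branch added to the `BitExpr` constructor (hunk @@ -1899) opens with a plain `if` instead of `else if`, so the trailing `else ExprError("requires \"count\" operands")` now pairs with the pattern test. If the block closed just above the added lines is the `count` branch, as the `SetType(base_type(TYPE_COUNT))` context line suggests, two `count` operands would set the type and then still hit that error. Changing the first added line to `else if ( bt1 == TYPE_PATTERN )` restores a single chain. The start of the constructor is outside the hunk, so this should be confirmed against the full function.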
@@ -329,6 +329,9 @@ protected: // Same for when the constants are strings. virtual Val* StringFold(Val* v1, Val* v2) const; + // Same for when the constants are patterns. + virtual Val* PatternFold(Val* v1, Val* v2) const; + // Same for when the constants are addresses or subnets. virtual Val* AddrFold(Val* v1, Val* v2) const; virtual Val* SubNetFold(Val* v1, Val* v2) const; diff --git a/src/NFA.cc b/src/NFA.cc index 43ec3d2a90..8fb78a7131 100644 --- a/src/NFA.cc +++ b/src/NFA.cc @@ -55,7 +55,10 @@ void NFA_State::AddXtionsTo(NFA_state_list* ns) NFA_State* NFA_State::DeepCopy() { if ( mark ) + { + Ref(mark); return mark; + } NFA_State* copy = ccl ? new NFA_State(ccl) : new NFA_State(sym, 0); SetMark(copy); diff --git a/src/parse.y b/src/parse.y index 8145b66809..34d6f31373 100644 --- a/src/parse.y +++ b/src/parse.y @@ -5,7 +5,7 @@ // Switching parser table type fixes ambiguity problems. %define lr.type ielr -%expect 142 +%expect 141 %token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ANY %token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF @@ -53,13 +53,12 @@ %nonassoc TOK_AS TOK_IS %type opt_no_test opt_no_test_block opt_deprecated -%type TOK_ID TOK_PATTERN_TEXT single_pattern +%type TOK_ID TOK_PATTERN_TEXT %type local_id global_id def_global_id event_id global_or_event_id resolve_id begin_func case_type %type local_id_list case_type_list %type init_class %type opt_init %type TOK_CONSTANT -%type pattern %type expr opt_expr init anonymous_function %type event %type stmt stmt_list func_body for_head @@ -724,11 +723,15 @@ expr: $$ = new ConstExpr($1); } - | pattern + | '/' { begin_RE(); } TOK_PATTERN_TEXT { end_RE(); } '/' { - set_location(@1); - $1->Compile(); - $$ = new ConstExpr(new PatternVal($1)); + set_location(@3); + + RE_Matcher* re = new RE_Matcher($3); + delete [] $3; + + re->Compile(); + $$ = new ConstExpr(new PatternVal(re)); } | '|' expr '|' %prec '(' 
@@ -770,25 +773,6 @@ opt_expr_list: { $$ = new ListExpr(); } ; -pattern: - pattern '|' single_pattern - { - $1->AddPat($3); - delete [] $3; - } - - | single_pattern - { - $$ = new RE_Matcher($1); - delete [] $1; - } - ; - -single_pattern: - '/' { begin_RE(); } TOK_PATTERN_TEXT { end_RE(); } '/' - { $$ = $3; } - ; - enum_body: enum_body_list { From f340707e2c725fef54efa0eaa259b85b0d634df4 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Fri, 22 Jun 2018 15:23:06 -0700 Subject: [PATCH 505/631] documentation for &/| for patterns --- NEWS | 6 ++++++ doc/script-reference/types.rst | 12 +++++++++--- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index 8cd4f3c201..f594207f58 100644 --- a/NEWS +++ b/NEWS @@ -249,6 +249,12 @@ New Functionality '^' are binary "and", "or" and "xor" operators, and '~' is a unary ones-complement operator. +- The '&' and '|' operators can apply to patterns, too. p1 & p2 yields + a pattern that represents matching p1 followed by p2, and p1 | p2 yields + a pattern representing matching p1 or p2. The p1 | p2 functionality was + semi-present in previous versions of Bro, but required constants as as + its operands; now you can use any pattern-valued expressions. + Changed Functionality --------------------- diff --git a/doc/script-reference/types.rst b/doc/script-reference/types.rst index 44dcbbdfb8..438706c425 100644 --- a/doc/script-reference/types.rst +++ b/doc/script-reference/types.rst 
@@ -237,13 +237,19 @@ Here is a more detailed description of each type: is false since "oob" does not appear at the start of "foobar". The ``!in`` operator would yield the negation of ``in``. - Finally, you can create a disjunction (either-or) of two literal patterns + You can create a disjunction (either-or) of two patterns using the ``|`` operator. For example:: /foo/ | /bar/ in "foobar" - yields true, like in the similar example above. (This does not presently - work for variables whose values are patterns, however.) + yields true, like in the similar example above. You can also + create the conjunction (concatenation) of patterns using the ``&`` + operator. For example: + + /foo/ & /bar/ in "foobar" + + will yield true because the pattern /(foo)(bar)/ appears in + the string "foobar". .. bro:type:: port From 762048cb414fc10a492c19a1dd05930c518f1134 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Fri, 22 Jun 2018 15:29:10 -0700 Subject: [PATCH 506/631] test suite updates for &/| pattern operators --- testing/btest/Baseline/language.pattern/out | 4 ++++ testing/btest/language/pattern.bro | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/testing/btest/Baseline/language.pattern/out b/testing/btest/Baseline/language.pattern/out index 4a5b8de670..9c801eb60b 100644 --- a/testing/btest/Baseline/language.pattern/out +++ b/testing/btest/Baseline/language.pattern/out @@ -6,3 +6,7 @@ inequality operator (order of operands) (PASS) in operator (PASS) in operator (PASS) !in operator (PASS) +& operator (PASS) +& operator (FAIL) +| operator (PASS) +| operator (FAIL) diff --git a/testing/btest/language/pattern.bro b/testing/btest/language/pattern.bro index b904fe8737..1c137969eb 100644 --- a/testing/btest/language/pattern.bro +++ b/testing/btest/language/pattern.bro 
@@ -27,6 +27,10 @@ event bro_init() test_case( "in operator", p1 in "foobar" ); test_case( "in operator", p2 in "foobar" ); test_case( "!in operator", p3 !in "foobar" ); + test_case( "& operator", p1 & p2 in "baroob" ); + test_case( "& operator", p2 & p1 in "baroob" ); + test_case( "| operator", p1 | p2 in "lazybarlazy" ); + test_case( "| operator", p3 | p4 in "xoob" ); } From e93c638f8dd221e5c53309261fec64c6cd3eb893 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 22 Jun 2018 20:17:06 -0500 Subject: [PATCH 507/631] Fix null pointer deref in AST traversal Specifically in the case where parsing bro scripts had failed. --- CHANGES | 6 ++++++ VERSION | 2 +- src/Traverse.cc | 4 ++++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 1789bed0cc..3cfedbf79c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +2.5-681 | 2018-06-22 20:17:06 -0500 + + * Fix null pointer deref in AST traversal (Corelight) + + * Fix for ancient reference-counting bug in NFA.cc (Vern Paxson) + 2.5-679 | 2018-06-21 16:00:48 -0500 * Add support for bitwise operations (&, |, ^, ~) on "count" values. diff --git a/VERSION b/VERSION index 6aaa39f82a..b1972f1dd6 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-679 +2.5-681 diff --git a/src/Traverse.cc b/src/Traverse.cc index 78eed27800..d19c6d3801 100644 --- a/src/Traverse.cc +++ b/src/Traverse.cc @@ -9,6 +9,10 @@ TraversalCode traverse_all(TraversalCallback* cb) if ( ! global_scope() ) return TC_CONTINUE; + if ( ! stmts ) + // May be null when parsing fails. + return TC_CONTINUE; + cb->current_scope = global_scope(); TraversalCode tc = global_scope()->Traverse(cb); From 610d1ae40762f11f4b55d46792c3234454c130d9 Mon Sep 17 00:00:00 2001 
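Review bot: Two of the four added cases are expected to be false, so the baseline committed with this patch records `& operator (FAIL)` and `| operator (FAIL)` as the passing state. The existing negative case in this block is written with `!in`; doing the same here, e.g. `test_case( "& operator", (p2 & p1) !in "baroob" );` and `test_case( "| operator", (p3 | p4) !in "xoob" );`, would make every baseline line read PASS and let a real regression stand out. The parentheses also make the intended grouping against `in` explicit instead of leaving it to operator precedence.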
From: Johanna Amann Date: Fri, 22 Jun 2018 22:01:42 -0700 Subject: [PATCH 508/631] Update submodules to correct checkouts. --- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- aux/btest | 2 +- aux/netcontrol-connectors | 2 +- cmake | 2 +- src/3rdparty | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/aux/binpac b/aux/binpac index afb2aa5d3c..951aeae8e4 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit afb2aa5d3c485212230c68a4eade120be288953e +Subproject commit 951aeae8e4a08c598203cf61387f015ec4e0849d diff --git a/aux/bro-aux b/aux/bro-aux index f7cc11d97b..eeb677ff69 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit f7cc11d97b3298bbfc5d01ff544e871b67f0fc5a +Subproject commit eeb677ff696f8ea3eaa43a765fe40da07ed5281d diff --git a/aux/broccoli b/aux/broccoli index 22a35f3378..d9041cc95d 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 22a35f33786b2ede5f3efe7e2b24237a4fe974fb +Subproject commit d9041cc95d2232dbbcf36647f34537da22e360ff diff --git a/aux/broctl b/aux/broctl index 60eeea9f98..c5dd2ba83d 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 60eeea9f98455ea613bcfc02e09f2c9665c97f58 +Subproject commit c5dd2ba83dda185d2008731a5cd25b2b8131ac78 diff --git a/aux/broker b/aux/broker index 066fb75d1e..08f41ccc24 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 066fb75d1ea46e919a2d9c56faff1e605c64756c +Subproject commit 08f41ccc2497f4c6567da0b95488593c39a12a01 diff --git a/aux/btest b/aux/btest index 3d76371f89..99ec0e1ea8 160000 --- a/aux/btest +++ b/aux/btest @@ -1 +1 @@ -Subproject commit 3d76371f896b714520d0796a1f3f781ee8561c47 +Subproject commit 99ec0e1ea89e166af4cb6ebc2d923d123424123d diff --git a/aux/netcontrol-connectors b/aux/netcontrol-connectors index 9f3d6fce49..a432ae2f9a 160000 --- a/aux/netcontrol-connectors +++ b/aux/netcontrol-connectors 
@@ -1 +1 @@ -Subproject commit 9f3d6fce49cad3b45b5ddd0fe1f3c79186e1d2e7 +Subproject commit a432ae2f9a06e7b1664df5fc4ce1b694acb7b099 diff --git a/cmake b/cmake index c40d8f9831..1600554d1d 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit c40d8f9831b69259bfa930a64662d91cfdbf97bf +Subproject commit 1600554d1d907f4f252f19cf1f55e13d368a936f diff --git a/src/3rdparty b/src/3rdparty index 3107bd0398..c78abc8454 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 3107bd039828c47ebae399d0f0c9220595bf6cf2 +Subproject commit c78abc8454932019f030045340348560a8ac9b23 From 6449b0ab9e87cd61bc180fc6aafc9a5fc5ddfe4e Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Sat, 23 Jun 2018 14:46:47 -0700 Subject: [PATCH 509/631] mirroring previous topic/vern/set-ops to get branch up to date, since I'm a n00b --- src/Expr.cc | 77 +++++++++++++++++++++++++++++++++++++++++++++-------- src/Expr.h | 3 +++ src/Val.cc | 48 +++++++++++++++++++++++++++++++-- src/Val.h | 6 +++++ 4 files changed, 121 insertions(+), 13 deletions(-) diff --git a/src/Expr.cc b/src/Expr.cc index 1ab82853c3..617a7637df 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -663,6 +663,9 @@ Val* BinaryExpr::Fold(Val* v1, Val* v2) const if ( it == TYPE_INTERNAL_STRING ) return StringFold(v1, v2); + if ( v1->Type()->IsSet() ) + return SetFold(v1, v2); + if ( it == TYPE_INTERNAL_ADDR ) return AddrFold(v1, v2); 
@@ -849,6 +852,32 @@ Val* BinaryExpr::StringFold(Val* v1, Val* v2) const return new Val(result, TYPE_BOOL); } +Val* BinaryExpr::SetFold(Val* v1, Val* v2) const + { + TableVal* tv1 = v1->AsTableVal(); + TableVal* tv2 = v2->AsTableVal(); + + if ( tag != EXPR_AND && tag != EXPR_OR && tag != EXPR_SUB ) + BadTag("BinaryExpr::SetFold"); + + // TableVal* result = new TableVal(v1->Type()->AsTableType()); + TableVal* result = v1->Clone()->AsTableVal(); + + if ( tag == EXPR_OR ) + { + if ( ! tv2->AddTo(result, false, false) ) + reporter->InternalError("set union failed to type check"); + } + + else if ( tag == EXPR_SUB ) + { + if ( ! tv2->RemoveFrom(result) ) + reporter->InternalError("set difference failed to type check"); + } + + return result; + } + Val* BinaryExpr::AddrFold(Val* v1, Val* v2) const { IPAddr a1 = v1->AsAddr(); 
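Review bot: `SetFold` accepts `EXPR_AND` in its tag check but has no branch for it, so in this patch `s1 & s2` returns an unmodified clone of `v1` instead of an intersection. Until the intersection exists the check should reject it, `if ( tag != EXPR_OR && tag != EXPR_SUB )`, so the expression fails loudly rather than yielding a wrong set; a later patch in this series adds the missing branch. The commented-out `// TableVal* result = new TableVal(...)` line can be dropped at the same time.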
@@ -1421,24 +1450,39 @@ SubExpr::SubExpr(Expr* arg_op1, Expr* arg_op2) if ( IsError() ) return; - TypeTag bt1 = op1->Type()->Tag(); - if ( IsVector(bt1) ) - bt1 = op1->Type()->AsVectorType()->YieldType()->Tag(); + const BroType* t1 = op1->Type(); + const BroType* t2 = op2->Type(); - TypeTag bt2 = op2->Type()->Tag(); + TypeTag bt1 = t1->Tag(); + if ( IsVector(bt1) ) + bt1 = t1->AsVectorType()->YieldType()->Tag(); + + TypeTag bt2 = t2->Tag(); if ( IsVector(bt2) ) - bt2 = op2->Type()->AsVectorType()->YieldType()->Tag(); + bt2 = t2->AsVectorType()->YieldType()->Tag(); BroType* base_result_type = 0; if ( bt1 == TYPE_TIME && bt2 == TYPE_INTERVAL ) base_result_type = base_type(bt1); + else if ( bt1 == TYPE_TIME && bt2 == TYPE_TIME ) SetType(base_type(TYPE_INTERVAL)); + else if ( bt1 == TYPE_INTERVAL && bt2 == TYPE_INTERVAL ) base_result_type = base_type(bt1); + + else if ( t1->IsSet() && t2->IsSet() ) + { + if ( same_type(t1, t2) ) + SetType(op1->Type()->Ref()); + else + ExprError("incompatible \"set\" operands"); + } + else if ( BothArithmetic(bt1, bt2) ) PromoteType(max_type(bt1, bt2), is_vector(op1) || is_vector(op2)); + else ExprError("requires arithmetic operands"); @@ -1864,13 +1908,16 @@ BitExpr::BitExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) if ( IsError() ) return; - TypeTag bt1 = op1->Type()->Tag(); - if ( IsVector(bt1) ) - bt1 = op1->Type()->AsVectorType()->YieldType()->Tag(); + const BroType* t1 = op1->Type(); + const BroType* t2 = op2->Type(); - TypeTag bt2 = op2->Type()->Tag(); + TypeTag bt1 = t1->Tag(); + if ( IsVector(bt1) ) + bt1 = t1->AsVectorType()->YieldType()->Tag(); + + TypeTag bt2 = t2->Tag(); if ( IsVector(bt2) ) - bt2 = op2->Type()->AsVectorType()->YieldType()->Tag(); + bt2 = t2->AsVectorType()->YieldType()->Tag(); if ( (bt1 == TYPE_COUNT || bt1 == TYPE_COUNTER) && (bt2 == TYPE_COUNT || bt2 == TYPE_COUNTER) ) 
@@ -1883,8 +1930,16 @@ BitExpr::BitExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) SetType(base_type(TYPE_COUNT)); } + else if ( t1->IsSet() && t2->IsSet() ) + { + if ( same_type(t1, t2) ) + SetType(op1->Type()->Ref()); + else + ExprError("incompatible \"set\" operands"); + } + else - ExprError("requires \"count\" operands"); + ExprError("requires \"count\" or compatible \"set\" operands"); } IMPLEMENT_SERIAL(BitExpr, SER_BIT_EXPR); diff --git a/src/Expr.h b/src/Expr.h index 9fc9aa15ed..a8c890b675 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -329,6 +329,9 @@ protected: // Same for when the constants are strings. virtual Val* StringFold(Val* v1, Val* v2) const; + // Same for when the constants are sets. + virtual Val* SetFold(Val* v1, Val* v2) const; + // Same for when the constants are addresses or subnets. virtual Val* AddrFold(Val* v1, Val* v2) const; virtual Val* SubNetFold(Val* v1, Val* v2) const; diff --git a/src/Val.cc b/src/Val.cc index 4da4a35d48..540719ef14 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -1704,9 +1704,18 @@ int TableVal::RemoveFrom(Val* val) const HashKey* k; while ( tbl->NextEntry(k, c) ) { - Val* index = RecoverIndex(k); + // ### The following code appears to be a complete + // no-op. Commented out 8+ years after it was + // introduced. -VP 22Jun18 + // Val* index = RecoverIndex(k); + // + // Unref(index); - Unref(index); + // Not sure that this is 100% sound, since the HashKey + // comes from one table but is being used in another. + // OTOH, they are both the same type, so as long as + // we don't have hash keys that are keyed per dictionary, + // it should work ... Unref(t->Delete(k)); delete k; } 
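Review bot: The set branch added to the `BitExpr` constructor accepts any tag, so `s1 ^ s2` passes the type check even though `SetFold` in this patch only allows `EXPR_AND`, `EXPR_OR` and `EXPR_SUB`. The error would then surface through `BadTag` when the expression is folded rather than as a script error when it is parsed; what `BadTag` does is not shown here. Rejecting it up front inside the new branch, e.g. `if ( tag == EXPR_XOR ) ExprError("'^' operator does not apply to sets");` ahead of the `same_type` test, keeps the failure at the point where the script author can see it.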
@@ -1714,6 +1723,41 @@ int TableVal::RemoveFrom(Val* val) const return 1; } +TableVal* TableVal::Intersect(const TableVal* tv) const + { + TableVal* result = new TableVal(table_type); + + const PDict(TableEntryVal)* t1 = tv->AsTable(); + const PDict(TableEntryVal)* t2 = AsTable(); + const PDict(TableEntryVal)* t3 = result->AsTable(); + + // Figure out which is smaller. + if ( t1->Length() > t2->Length() ) + { // Swap. + const PDict(TableEntryVal)* t3 = t1; + t1 = t2; + t2 = t3; + } + + IterCookie* c = t1->InitForIteration(); + HashKey* k; + while ( t1->NextEntry(k, c) ) + { +//### // Here we leverage the same assumption about consistent +//### // hashes as in TableVal::RemoveFrom above. +//### if ( t2->Lookup(k) ) +//### { +//### Val* index = RecoverIndex(); +//### result-> +//### +//### Unref(index); +//### Unref(t->Delete(k)); +//### delete k; + } + + return result; + } + int TableVal::ExpandAndInit(Val* index, Val* new_val) { BroType* index_type = index->Type(); diff --git a/src/Val.h b/src/Val.h index 771ed40dd1..ef2a8eefd6 100644 --- a/src/Val.h +++ b/src/Val.h @@ -809,6 +809,12 @@ public: // Returns true if the addition typechecked, false if not. int RemoveFrom(Val* v) const override; + // Returns a new table that is the intersection of this + // table and the given table. Intersection is just done + // on index, not on yield value, so this really only makes + // sense for sets. + TableVal* Intersect(const TableVal* v) const; + // Expands any lists in the index into multiple initializations. // Returns true if the initializations typecheck, false if not. int ExpandAndInit(Val* index, Val* new_val); From 072a25df0f353009fb4655c39eb2efca7a000ab4 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Sun, 24 Jun 2018 10:43:58 -0700 Subject: [PATCH 510/631] set intersection implemented --- src/Expr.cc | 6 ++++++ src/Val.cc | 18 +++++++----------- 2 files changed, 13 insertions(+), 11 deletions(-) 
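Review bot: Inside the swap block of `Intersect` the temporary is declared as a second `t3`, shadowing the `t3` that refers to the result table a few lines above. The code works because the inner name goes out of scope before the loop, but two meanings for one name invite a mistake once the loop writes to the result. `std::swap(t1, t2);` or a differently named temporary removes the ambiguity. As committed in this patch the loop body is entirely commented out, so the function returns an empty table and, if `NextEntry` hands ownership of `k` to the caller as the `delete k` in `RemoveFrom` suggests, each key is never freed.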
diff --git a/src/Expr.cc b/src/Expr.cc index 617a7637df..ed14eb6045 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -860,6 +860,9 @@ Val* BinaryExpr::SetFold(Val* v1, Val* v2) const if ( tag != EXPR_AND && tag != EXPR_OR && tag != EXPR_SUB ) BadTag("BinaryExpr::SetFold"); + if ( tag == EXPR_AND ) + return tv1->Intersect(tv2); + // TableVal* result = new TableVal(v1->Type()->AsTableType()); TableVal* result = v1->Clone()->AsTableVal(); @@ -875,6 +878,9 @@ Val* BinaryExpr::SetFold(Val* v1, Val* v2) const reporter->InternalError("set difference failed to type check"); } + else + BadTag("BinaryExpr::SetFold", expr_name(tag)); + return result; } diff --git a/src/Val.cc b/src/Val.cc index 540719ef14..d6bcdae4a6 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -1729,7 +1729,7 @@ TableVal* TableVal::Intersect(const TableVal* tv) const const PDict(TableEntryVal)* t1 = tv->AsTable(); const PDict(TableEntryVal)* t2 = AsTable(); - const PDict(TableEntryVal)* t3 = result->AsTable(); + PDict(TableEntryVal)* t3 = result->AsNonConstTable(); // Figure out which is smaller. if ( t1->Length() > t2->Length() ) @@ -1743,16 +1743,12 @@ TableVal* TableVal::Intersect(const TableVal* tv) const HashKey* k; while ( t1->NextEntry(k, c) ) { -//### // Here we leverage the same assumption about consistent -//### // hashes as in TableVal::RemoveFrom above. -//### if ( t2->Lookup(k) ) -//### { -//### Val* index = RecoverIndex(); -//### result-> -//### -//### Unref(index); -//### Unref(t->Delete(k)); -//### delete k; + // Here we leverage the same assumption about consistent + // hashes as in TableVal::RemoveFrom above. + if ( t2->Lookup(k) ) + t3->Insert(k, new TableEntryVal(0)); + + delete k; } return result; From 0ae022205e596aef2b36630e8b3d6b0a8b73fe18 Mon Sep 17 00:00:00 2001 
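Review bot: The `else BadTag("BinaryExpr::SetFold", expr_name(tag));` added at the end of `SetFold` (hunk @@ -875) looks unreachable, because the check at the top of the function already rejects every tag other than `EXPR_AND`, `EXPR_OR` and `EXPR_SUB`, and `EXPR_AND` now returns early; this assumes `BadTag` does not return. The two `BadTag` calls also pass different arguments, so only the unreachable one would report the operator name. Keeping a single check at the top in the two-argument form gives the more useful message and removes the dead branch.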
From: Jon Siwek Date: Mon, 25 Jun 2018 15:48:56 -0500 Subject: [PATCH 511/631] Reduce proliferation of including broker header files This change should roughly halve compilation time --- src/Val.cc | 2 ++ src/logging/WriterBackend.cc | 2 ++ src/logging/WriterBackend.h | 3 ++- 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/Val.cc b/src/Val.cc index 4da4a35d48..acf0b6f915 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -27,6 +27,8 @@ #include "Reporter.h" #include "IPAddr.h" +#include "broker/Data.h" + Val::Val(Func* f) { val.func_val = f; diff --git a/src/logging/WriterBackend.cc b/src/logging/WriterBackend.cc index 1a70b808a4..69327e815d 100644 --- a/src/logging/WriterBackend.cc +++ b/src/logging/WriterBackend.cc @@ -1,5 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. +#include + #include "util.h" #include "threading/SerialTypes.h" diff --git a/src/logging/WriterBackend.h b/src/logging/WriterBackend.h index bb806b31e6..74541d8586 100644 --- a/src/logging/WriterBackend.h +++ b/src/logging/WriterBackend.h @@ -6,12 +6,13 @@ #define LOGGING_WRITERBACKEND_H #include "threading/MsgThread.h" -#include "broker/Data.h" #include "Component.h" class RemoteSerializer; +namespace broker { class data; } + namespace logging { class WriterFrontend; From 0200b5bd88435d8b6f26cd075b47e25879c6af21 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 25 Jun 2018 15:50:28 -0500 Subject: [PATCH 512/631] Move internal broker/Manager classes out of header --- aux/broker | 2 +- src/broker/Manager.cc | 68 +++++++++++++++++++++++++------------------ src/broker/Manager.h | 27 +++++------------ 3 files changed, 48 insertions(+), 49 deletions(-) diff --git a/aux/broker b/aux/broker index 08f41ccc24..17fcb73a30 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 08f41ccc2497f4c6567da0b95488593c39a12a01 +Subproject commit 17fcb73a30388862f0a921040a605ac38f47ff74 
diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 20bba4426d..eb1ef5de05 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -34,6 +34,43 @@ static const double LOG_BUFFER_INTERVAL = 1.0; // subscribers consider themselves congested. static const size_t SUBSCRIBER_MAX_QSIZE = 20u; +static inline Val* get_option(const char* option) + { + auto id = global_scope()->Lookup(option); + + if ( ! (id && id->ID_Val()) ) + reporter->FatalError("Unknown Broker option %s", option); + + return id->ID_Val(); + } + +class BrokerConfig : public broker::configuration { +public: + BrokerConfig(broker::broker_options options) + : broker::configuration(options) + { + openssl_cafile = get_option("Broker::ssl_cafile")->AsString()->CheckString(); + openssl_capath = get_option("Broker::ssl_capath")->AsString()->CheckString(); + openssl_certificate = get_option("Broker::ssl_certificate")->AsString()->CheckString(); + openssl_key = get_option("Broker::ssl_keyfile")->AsString()->CheckString(); + openssl_passphrase = get_option("Broker::ssl_passphrase")->AsString()->CheckString(); + } +}; + +class BrokerState { +public: + BrokerState(BrokerConfig config) + : endpoint(std::move(config)), + subscriber(endpoint.make_subscriber({}, SUBSCRIBER_MAX_QSIZE)), + status_subscriber(endpoint.make_status_subscriber(true)) + { + } + + broker::endpoint endpoint; + broker::subscriber subscriber; + broker::status_subscriber status_subscriber; +}; + const broker::endpoint_info Manager::NoPeer{{}, {}}; VectorType* Manager::vector_of_data_type; 
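Review bot: `BrokerConfig` loads the TLS material for Broker, including `Broker::ssl_passphrase`, with no comment on how those values are validated or what an unset option means. Now that the class is private to this file, a short header comment would help the next reader, for example `// TLS settings come from the Broker::ssl_* script options; the passphrase is secret and must not be logged.` Whether empty strings leave the endpoint without TLS authentication is not visible in this hunk and is worth stating there explicitly. `get_option()` reports a fatal error only for an unknown option name, so a present but empty value passes through unchanged.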
@@ -103,33 +140,6 @@ static std::string RenderMessage(const broker::error& e) #endif -static inline Val* get_option(const char* option) - { - auto id = global_scope()->Lookup(option); - - if ( ! (id && id->ID_Val()) ) - reporter->FatalError("Unknown Broker option %s", option); - - return id->ID_Val(); - } - -Manager::BrokerConfig::BrokerConfig(broker::broker_options options) - : broker::configuration(options) - { - openssl_cafile = get_option("Broker::ssl_cafile")->AsString()->CheckString(); - openssl_capath = get_option("Broker::ssl_capath")->AsString()->CheckString(); - openssl_certificate = get_option("Broker::ssl_certificate")->AsString()->CheckString(); - openssl_key = get_option("Broker::ssl_keyfile")->AsString()->CheckString(); - openssl_passphrase = get_option("Broker::ssl_passphrase")->AsString()->CheckString(); - } - -Manager::BrokerState::BrokerState(BrokerConfig config) - : endpoint(std::move(config)), - subscriber(endpoint.make_subscriber({}, SUBSCRIBER_MAX_QSIZE)), - status_subscriber(endpoint.make_status_subscriber(true)) - { - } - Manager::Manager(bool reading_pcaps) { bound_port = 0; @@ -634,7 +644,7 @@ bool Manager::PublishLogWrite(EnumVal* stream, EnumVal* writer, string path, int if ( lb.message_count >= LOG_BATCH_SIZE || (network_time - lb.last_flush >= LOG_BUFFER_INTERVAL) ) - statistics.num_logs_outgoing += lb.Flush(Endpoint()); + statistics.num_logs_outgoing += lb.Flush(bstate->endpoint); return true; } @@ -671,7 +681,7 @@ size_t Manager::FlushLogBuffers() auto rval = 0u; for ( auto& lb : log_buffers ) - rval += lb.Flush(Endpoint()); + rval += lb.Flush(bstate->endpoint); return rval; } diff --git a/src/broker/Manager.h b/src/broker/Manager.h index 8c5ab09dc6..b5b05adab1 100644 --- a/src/broker/Manager.h +++ b/src/broker/Manager.h @@ -16,6 +16,8 @@ namespace bro_broker { +class BrokerState; + /** * Communication statistics. */ 
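Review bot: `lb.Flush(bstate->endpoint)` in `PublishLogWrite` (hunk @@ -634) dereferences `bstate` directly, where the `Endpoint()` accessor removed from Manager.h in this patch ran `assert(bstate)` first; the same replacement appears in `FlushLogBuffers` (hunk @@ -671). If either function can run before the state object is created or after it is released, the failure changes from an assertion to a null dereference. Keeping the check at the call sites, e.g. `assert(bstate);` ahead of the flush, preserves the old guard. Both function bodies start outside their hunks, so an earlier check may already exist.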
@@ -197,8 +199,11 @@ public: * @param peer If given, send the message only to this peer. * @return true if the message is sent successfully. */ - bool PublishLogCreate(EnumVal* stream, EnumVal* writer, const logging::WriterBackend::WriterInfo& info, - int num_fields, const threading::Field* const * fields, const broker::endpoint_info& peer = NoPeer); + bool PublishLogCreate(EnumVal* stream, EnumVal* writer, + const logging::WriterBackend::WriterInfo& info, + int num_fields, + const threading::Field* const * fields, + const broker::endpoint_info& peer = NoPeer); /** * Send a log entry to any interested peers. The topic name used is @@ -268,7 +273,7 @@ public: * @return a pointer to the newly created store a nullptr on failure. */ StoreHandleVal* MakeMaster(const std::string& name, broker::backend type, - broker::backend_options opts); + broker::backend_options opts); /** * Create a new *clone* data store. @@ -339,19 +344,6 @@ public: private: - class BrokerConfig : public broker::configuration { - public: - BrokerConfig(broker::broker_options options); - }; - - class BrokerState { - public: - BrokerState(BrokerConfig config); - broker::endpoint endpoint; - broker::subscriber subscriber; - broker::status_subscriber status_subscriber; - }; - void DispatchMessage(broker::data msg); void ProcessEvent(std::string name, broker::vector args); void ProcessEvent(broker::bro::Event ev); @@ -379,9 +371,6 @@ private: const char* Tag() override { return "Broker::Manager"; } - broker::endpoint& Endpoint() - { assert(bstate); return bstate->endpoint; } - Func* log_topic_func; std::string default_log_topic_prefix; uint16_t bound_port; From a33d2d13bfa2788593d1ba2fa2988b4496c17193 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Mon, 25 Jun 2018 16:34:54 -0500 Subject: [PATCH 513/631] Reorganize private broker/Manager members --- CHANGES | 6 ++++++ VERSION | 2 +- src/broker/Manager.cc | 12 ++++++------ src/broker/Manager.h | 27 ++++++++++++--------------- 4 files changed, 25 insertions(+), 22 deletions(-) diff --git a/CHANGES b/CHANGES index 4a603200ce..585dd3e21b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +2.5-687 | 2018-06-25 16:35:25 -0500 + + * Reorganize internal + private broker/Manager.h bits (Corelight) + + * Reduce proliferation of including broker header files (Corelight) + 2.5-684 | 2018-06-25 11:26:55 -0500 * Use docker containers to run Bro tests on Travis CI (Daniel Thayer) diff --git a/VERSION b/VERSION index 29acf569de..3b74ad46cd 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-684 +2.5-687 diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index eb1ef5de05..f31537f3b7 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -73,9 +73,6 @@ public: const broker::endpoint_info Manager::NoPeer{{}, {}}; -VectorType* Manager::vector_of_data_type; -EnumType* Manager::log_id_type; -EnumType* Manager::writer_id_type; int Manager::script_scope = 0; struct unref_guard { @@ -140,14 +137,17 @@ static std::string RenderMessage(const broker::error& e) #endif -Manager::Manager(bool reading_pcaps) +Manager::Manager(bool arg_reading_pcaps) { bound_port = 0; + reading_pcaps = arg_reading_pcaps; peer_count = 0; + log_topic_func = nullptr; + vector_of_data_type = nullptr; + log_id_type = nullptr; + writer_id_type = nullptr; - next_timestamp = 1; SetIdle(false); - this->reading_pcaps = reading_pcaps; } Manager::~Manager() diff --git a/src/broker/Manager.h b/src/broker/Manager.h index b5b05adab1..b5faaee345 100644 --- a/src/broker/Manager.h +++ b/src/broker/Manager.h 
@@ -371,12 +371,6 @@ private: const char* Tag() override { return "Broker::Manager"; } - Func* log_topic_func; - std::string default_log_topic_prefix; - uint16_t bound_port; - - std::shared_ptr bstate; - struct LogBuffer { // Indexed by topic string. std::unordered_map msgs; @@ -386,9 +380,6 @@ private: size_t Flush(broker::endpoint& endpoint); }; - // Indexed by stream ID enum. - std::vector log_buffers; - // Data stores using query_id = std::pair; @@ -402,19 +393,25 @@ private: } }; + std::vector log_buffers; // Indexed by stream ID enum. + std::string default_log_topic_prefix; + std::shared_ptr bstate; std::unordered_map data_stores; - std::unordered_map pending_queries; + std::unordered_map pending_queries; Stats statistics; - double next_timestamp; + + uint16_t bound_port; bool reading_pcaps; int peer_count; - static int script_scope; + Func* log_topic_func; + VectorType* vector_of_data_type; + EnumType* log_id_type; + EnumType* writer_id_type; - static VectorType* vector_of_data_type; - static EnumType* log_id_type; - static EnumType* writer_id_type; + static int script_scope; }; } // namespace bro_broker From f57611c2f0e17edd6873696915c38186c224c30d Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Tue, 26 Jun 2018 08:30:49 -0500 Subject: [PATCH 514/631] Fix travis-job script to not fail when all tests succeed Fixed by calling the "showdiag" function only when external tests fail. --- testing/scripts/travis-job | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/testing/scripts/travis-job b/testing/scripts/travis-job index bb6ef760d6..f006b898ce 100644 --- a/testing/scripts/travis-job +++ b/testing/scripts/travis-job @@ -158,8 +158,7 @@ run() { echo echo "Running external tests ##############################################" echo - trap showdiag EXIT - make + make || showdiag # If we get here, then external tests were successful. exit $ret 
@@ -175,6 +174,8 @@ showdiag() { echo "Output of failed external tests #####################################" && \ echo && \ grep -v "... not available, skipped" $f + + exit 1 } if [ "$step" != "install" ] && [ "$step" != "build" ] && [ "$step" != "run" ]; then From 9c0303804d1d32fe1b90997b85662fd37d716ec8 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 26 Jun 2018 11:45:52 -0500 Subject: [PATCH 515/631] Remove header self-inclusions --- CHANGES | 6 ++++++ VERSION | 2 +- src/analyzer/protocol/http/HTTP.h | 2 -- src/analyzer/protocol/tcp/TCP.h | 1 - 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 585dd3e21b..206a804ab7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +2.5-689 | 2018-06-26 11:45:52 -0500 + + * Remove header self-inclusions (Corelight) + + * Fix travis-job script to not fail when all tests succeed (Daniel Thayer) + 2.5-687 | 2018-06-25 16:35:25 -0500 * Reorganize internal + private broker/Manager.h bits (Corelight) diff --git a/VERSION b/VERSION index 3b74ad46cd..b34c5c7be1 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-687 +2.5-689 diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h index 1743fd6a54..743f9965e7 100644 --- a/src/analyzer/protocol/http/HTTP.h +++ b/src/analyzer/protocol/http/HTTP.h @@ -12,8 +12,6 @@ #include "IPAddr.h" #include "analyzer/protocol/http/events.bif.h" -#include "HTTP.h" - namespace analyzer { namespace http { enum CHUNKED_TRANSFER_STATE { diff --git a/src/analyzer/protocol/tcp/TCP.h b/src/analyzer/protocol/tcp/TCP.h index db3c2efa91..69f3482ae0 100644 --- a/src/analyzer/protocol/tcp/TCP.h +++ b/src/analyzer/protocol/tcp/TCP.h @@ -4,7 +4,6 @@ #define ANALYZER_PROTOCOL_TCP_TCP_H #include "analyzer/Analyzer.h" -#include "analyzer/protocol/tcp/TCP.h" #include "PacketDumper.h" #include "IPAddr.h" #include "TCP_Endpoint.h" From 2fa1ea77e4e861a9e27e89a1cff07396d3fefd26 Mon Sep 17 00:00:00 2001 
From: Vern Paxson Date: Tue, 26 Jun 2018 10:43:06 -0700 Subject: [PATCH 516/631] fixed 3 leaks in creating pattern values --- src/NFA.cc | 17 +++++++++++++++-- src/NFA.h | 8 ++++++++ src/RE.cc | 20 ++++++++++++++++++-- src/re-scan.l | 9 ++++++++- 4 files changed, 49 insertions(+), 5 deletions(-) diff --git a/src/NFA.cc b/src/NFA.cc index 8fb78a7131..c53aa4304b 100644 --- a/src/NFA.cc +++ b/src/NFA.cc @@ -12,6 +12,7 @@ NFA_State::NFA_State(int arg_sym, EquivClass* ec) sym = arg_sym; ccl = 0; accept = NO_ACCEPT; + first_trans_is_back_ref = false; mark = 0; epsclosure = 0; id = ++nfa_state_id; @@ -33,6 +34,7 @@ NFA_State::NFA_State(CCL* arg_ccl) sym = SYM_CCL; ccl = arg_ccl; accept = NO_ACCEPT; + first_trans_is_back_ref = false; mark = 0; id = ++nfa_state_id; epsclosure = 0; @@ -41,7 +43,8 @@ NFA_State::NFA_State(CCL* arg_ccl) NFA_State::~NFA_State() { for ( int i = 0; i < xtions.length(); ++i ) - Unref(xtions[i]); + if ( i > 0 || ! first_trans_is_back_ref ) + Unref(xtions[i]); delete epsclosure; } @@ -247,7 +250,10 @@ void NFA_Machine::MakePositiveClosure() { AppendEpsilon(); final_state->AddXtion(first_state); - Ref(first_state); + + // Don't Ref the state the final epsilon points to, otherwise we'll + // have reference cycles that lead to leaks. + final_state->SetFirstTransIsBackRef(); } void NFA_Machine::MakeRepl(int lower, int upper) @@ -307,6 +313,13 @@ NFA_Machine* make_alternate(NFA_Machine* m1, NFA_Machine* m2) m2->AppendState(last); Ref(last); + // Keep these around. + Ref(m1->FirstState()); + Ref(m2->FirstState()); + + Unref(m1); + Unref(m2); + return new NFA_Machine(first, last); } diff --git a/src/NFA.h b/src/NFA.h index 560f0930b4..79c3961dd5 100644 --- a/src/NFA.h +++ b/src/NFA.h @@ -46,6 +46,8 @@ public: NFA_State* Mark() const { return mark; } void ClearMarks(); + void SetFirstTransIsBackRef() { first_trans_is_back_ref = true; } + int TransSym() const { return sym; } CCL* TransCCL() const { return ccl; } int ID() const { return id; } 
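Review bot: `~NFA_State` now skips `Unref(xtions[0])` whenever `first_trans_is_back_ref` is set, but nothing checks that the back edge really is the first transition when `SetFirstTransIsBackRef()` is called from `MakePositiveClosure`. If the final state already held a transition at that point, the destructor would leak that one and release a reference the back edge never took, freeing a state that is still in use in a matcher that compiles script-supplied patterns. An assertion in the setter would pin the assumption, e.g. `void SetFirstTransIsBackRef() { assert(xtions.length() == 1); first_trans_is_back_ref = true; }` (assuming `<assert.h>` is available in NFA.h). Because the back edge is now a non-owning pointer, the comment next to the flag should also say what keeps the first state alive for as long as the final state exists.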
@@ -62,7 +64,13 @@ protected: int sym; // if SYM_CCL, then use ccl CCL* ccl; // if nil, then use sym int accept; + + // Whether the first transition points backwards. Used + // to avoid reference-counting loops. + bool first_trans_is_back_ref; + int id; // number that uniquely identifies this state + NFA_state_list xtions; NFA_state_list* epsclosure; NFA_State* mark; diff --git a/src/RE.cc b/src/RE.cc index a4294e064d..4d26ce2423 100644 --- a/src/RE.cc +++ b/src/RE.cc @@ -19,6 +19,7 @@ int case_insensitive = 0; extern int RE_parse(void); extern void RE_set_input(const char* str); +extern void RE_done_with_scan(); Specific_RE_Matcher::Specific_RE_Matcher(match_type arg_mt, int arg_multiline) : equiv_class(NUM_SYM) @@ -108,9 +109,15 @@ int Specific_RE_Matcher::Compile(int lazy) rem = this; RE_set_input(pattern_text); - if ( RE_parse() ) + + int parse_status = RE_parse(); + RE_done_with_scan(); + + if ( parse_status ) { reporter->Error("error compiling pattern /%s/", pattern_text); + Unref(nfa); + nfa = 0; return 0; } @@ -139,9 +146,18 @@ int Specific_RE_Matcher::CompileSet(const string_list& set, const int_list& idx) loop_over_list(set, i) { RE_set_input(set[i]); - if ( RE_parse() ) + int parse_status = RE_parse(); + RE_done_with_scan(); + + if ( parse_status ) { reporter->Error("error compiling pattern /%s/", set[i]); + + if ( set_nfa != nfa ) + Unref(set_nfa); + Unref(nfa); + nfa = 0; + return 0; } diff --git a/src/re-scan.l b/src/re-scan.l index 0d737f08a6..8bd00c8bba 100644 --- a/src/re-scan.l +++ b/src/re-scan.l @@ -196,8 +196,15 @@ CCL_EXPR ("[:"[[:alpha:]]+":]") %% +YY_BUFFER_STATE RE_buf; + void RE_set_input(const char* str) { RE_parse_input = str; - yy_scan_string(str); + RE_buf = yy_scan_string(str); + } + +void RE_done_with_scan() + { + yy_delete_buffer(RE_buf); } From bd5414d8d5ed0a678c230d9e6e2b81b2499db899 Mon Sep 17 00:00:00 2001 
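Review bot: `RE_done_with_scan()` in the re-scan.l hunk frees `RE_buf` but leaves the global pointing at the freed buffer, so a second call without an intervening `RE_set_input()` would pass a stale pointer to `yy_delete_buffer()`. Clearing it after the delete, `yy_delete_buffer(RE_buf); RE_buf = 0;`, closes that (flex's `yy_delete_buffer` should ignore a null argument), and declaring it `static YY_BUFFER_STATE RE_buf;` keeps it private to the scanner. The reverse case deserves a comment as well: calling `RE_set_input()` twice overwrites `RE_buf` and the first buffer is never released, so the two functions have to be called in strict pairs, as the RE.cc hunks of this commit do.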
From: Vern Paxson Date: Tue, 26 Jun 2018 10:57:24 -0700 Subject: [PATCH 517/631] whoops - patterns ops broke count bitwise ops --- src/Expr.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Expr.cc b/src/Expr.cc index b979a3638b..4c3c7a536a 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -1901,7 +1901,7 @@ BitExpr::BitExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) SetType(base_type(TYPE_COUNT)); } - if ( bt1 == TYPE_PATTERN ) + else if ( bt1 == TYPE_PATTERN ) { if ( bt2 != TYPE_PATTERN ) ExprError("cannot mix pattern and non-pattern operands"); From fef351b9c146cc366603c6739991c84a97723be5 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Tue, 26 Jun 2018 14:38:24 -0500 Subject: [PATCH 518/631] Add documentation for some new Bro features Add documentation for the type-based "switch" statement, the "as" operator, the "is" operator, and bitwise operators. --- doc/script-reference/operators.rst | 61 +++++++++++++++++++++++++++++ doc/script-reference/statements.rst | 36 +++++++++++++++++ 2 files changed, 97 insertions(+) diff --git a/doc/script-reference/operators.rst b/doc/script-reference/operators.rst index 9442102b52..e9683f3e97 100644 --- a/doc/script-reference/operators.rst +++ b/doc/script-reference/operators.rst 
@@ -85,6 +85,25 @@ Arithmetic operators | | | of elements. | +------------------------------+-------------+-------------------------------+ +Bitwise operators +----------------- + +The bitwise operators work with operands of type :bro:type:`count` or +``vector of count``, but the bitwise complement operator works with ``count`` +only. + ++------------------------------+-------------+ +| Name | Syntax | ++==============================+=============+ +| Bitwise AND | *a* & *b* | ++------------------------------+-------------+ +| Bitwise OR | *a* | *b* | ++------------------------------+-------------+ +| Bitwise XOR | *a* ^ *b* | ++------------------------------+-------------+ +| Bitwise complement | ~ *a* | ++------------------------------+-------------+ + Assignment operators -------------------- 
@@ -122,6 +141,48 @@ field name must be in the declaration of the record type. +------------------------------+-------------+-------------------------------+ +Type casting +------------ + +The "as" operator performs type casting and the "is" operator checks if a +type cast is supported or not. For both operators, the first operand is a +value and the second operand is the name of a Bro script type (either built-in +or user-defined). + ++------------------------------+-------------+-------------------------------+ +| Name | Syntax | Notes | ++==============================+=============+===============================+ +| Type cast | *v* as *t* | Cast value "v" into type "t". | +| | | Evaluates to the value casted | +| | | to the specified type. | +| | | If this is not a supported | +| | | cast, then a runtime error is | +| | | triggered. | ++------------------------------+-------------+-------------------------------+ +| Check if a cast is supported | *v* is *t* | Evaluates to boolean. If true,| +| | | then "v as t" would succeed. | ++------------------------------+-------------+-------------------------------+ + +Only the following kinds of type casts are supported currently: + +- Broker values (i.e., values returned from functions such as + :bro:id:`Broker::data`) can be casted to their corresponding Bro script + types. +- A value of declared type "any" can be casted to its actual underlying type. +- All values can be casted to their declared types (i.e., this is a no-op). + +The function in this example tries to cast a value to a string:: + + function example(a: any) + { + local s: string; + + if ( a is string ) + s = (a as string); + + } + + Other operators --------------- diff --git a/doc/script-reference/statements.rst b/doc/script-reference/statements.rst index 963d4dc7a2..9e061d4df7 100644 --- a/doc/script-reference/statements.rst +++ b/doc/script-reference/statements.rst 
@@ -571,6 +571,42 @@ Here are the statements that the Bro scripting language supports. do not indicate the presence of a `compound statement`_), and that no semicolon is needed at the end of a "switch" statement. + There is an alternative form of the switch statement that supports + switching by type rather than value. This form of the switch statement + uses type-based versions of "case": + + - "case type t: ...": Take branch if the value of the switch expression + could be casted to type t (where "t" is the name of a Bro script type, + either built-in or user-defined). + + - "case type t as x: ...": Same as above, but the casted value is + available through ID "x". + + Multiple types can be listed per branch, separated by commas (the "type" + keyword must be repeated for each type in the list). + + Example:: + + function example(v: any) + { + switch (v) { + case type count as c: + print "It's a count", c; + break; + + case type bool, type addr: + print "It's a bool or address"; + break; + } + } + + Note that a single switch statement switches either by type or by value, + but not both. + + Also note that the type-based switch statement will trigger a runtime + error if any cast in any "case" is an unsupported cast (see the + documentation of the type casting operator "as"). + .. bro:keyword:: when From 884d3d2abd601e9ba788629939d875cc9de77614 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Tue, 26 Jun 2018 14:43:41 -0500 Subject: [PATCH 519/631] Fix reST formatting in documentation of "count" type --- doc/script-reference/types.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/script-reference/types.rst b/doc/script-reference/types.rst index 44dcbbdfb8..de5fa689f9 100644 --- a/doc/script-reference/types.rst +++ b/doc/script-reference/types.rst 
@@ -92,7 +92,7 @@ Here is a more detailed description of each type: "int". In addition, "count" types support bitwise operations. You can use - ``&``, ``|``, and ``^`` for bitwise ``and'', ``or'', and ``xor''. You + ``&``, ``|``, and ``^`` for bitwise ``and``, ``or``, and ``xor``. You can also use ``~`` for bitwise (one's) complement. .. bro:type:: double From ac495e729bc29323027aa4dc17dce59de93013d9 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 26 Jun 2018 15:05:23 -0500 Subject: [PATCH 520/631] Fix deprecated actor_system_config field usages --- CHANGES | 4 ++++ VERSION | 2 +- aux/broker | 2 +- src/3rdparty | 2 +- src/broker/Manager.cc | 10 +++++----- 5 files changed, 12 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 206a804ab7..78c8dbf629 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-690 | 2018-06-26 15:05:23 -0500 + + * Fix deprecated actor_system_config field usages (Corelight) + 2.5-689 | 2018-06-26 11:45:52 -0500 * Remove header self-inclusions (Corelight) diff --git a/VERSION b/VERSION index b34c5c7be1..c546c8150b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-689 +2.5-690 diff --git a/aux/broker b/aux/broker index 17fcb73a30..6d5b3c785c 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 17fcb73a30388862f0a921040a605ac38f47ff74 +Subproject commit 6d5b3c785c3c1e517c4c7596beda23e411edeff2 diff --git a/src/3rdparty b/src/3rdparty index c78abc8454..0b10bb2943 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit c78abc8454932019f030045340348560a8ac9b23 +Subproject commit 0b10bb2943beaf972ddc494ba34699ed37ef3dbf diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index f31537f3b7..6f5e09e611 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc 
@@ -185,7 +185,7 @@ void Manager::InitPostScript() auto max_sleep = get_option("Broker::max_sleep")->AsCount(); if ( max_threads ) - config.scheduler_max_threads = max_threads; + config.set("scheduler.max-threads", max_threads); else { // On high-core-count systems, spawning one thread per core @@ -193,7 +193,7 @@ void Manager::InitPostScript() // threads are under-utilized. Related: // https://github.com/actor-framework/actor-framework/issues/699 if ( reading_pcaps ) - config.scheduler_max_threads = 2u; + config.set("scheduler.max-threads", 2u); else { auto hc = std::thread::hardware_concurrency(); @@ -203,18 +203,18 @@ void Manager::InitPostScript() else if ( hc < 4u) hc = 4u; - config.scheduler_max_threads = hc; + config.set("scheduler.max-threads", hc); } } if ( max_sleep ) - config.work_stealing_relaxed_sleep_duration_us = max_sleep; + config.set("work-stealing.relaxed-sleep-duration-us", max_sleep); else // 64ms is just an arbitrary amount derived from testing // the overhead of a unused CAF actor system on a 32-core system. // Performance was within 2% of baseline timings (w/o CAF) // when using this sleep duration. - config.work_stealing_relaxed_sleep_duration_us = 64000; + config.set("work-stealing.relaxed-sleep-duration-us", 64000); bstate = std::make_shared(std::move(config)); } From 57128af3ab3bfc3f71ccccfb8d0acfb4a2650646 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Tue, 26 Jun 2018 15:34:57 -0500 Subject: [PATCH 521/631] Fix a broken link and some typos in broker documentation --- doc/frameworks/broker.rst | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/doc/frameworks/broker.rst b/doc/frameworks/broker.rst index 6943a0a698..e050ec6479 100644 --- a/doc/frameworks/broker.rst +++ b/doc/frameworks/broker.rst 
@@ -55,7 +55,7 @@ General Porting Tips you manually take action to set up the old communication system. To aid in porting, such usages will default to raising a fatal error unless you explicitly acknowledge that such usages of the old system - are ok. Set the :bro:see:`old_comm_usage_is_ok`` flag in this case. + are ok. Set the :bro:see:`old_comm_usage_is_ok` flag in this case. - Instead of using e.g. ``Cluster::manager2worker_events`` (and all permutations for every node type), what you'd now use is either @@ -67,7 +67,7 @@ General Porting Tips - Instead of using the ``send_id`` BIF, use :bro:see:`Broker::publish_id`. - Use :bro:see:`terminate` instead of :bro:see:`terminate_communication`. - The later refers to the old communication system and no longer effects + The latter refers to the old communication system and no longer affects the new Broker-based system. - For replacing :bro:see:`remote_connection_established` and @@ -123,7 +123,7 @@ Some general suggestions as to the purpose/utilization of each node type: (more on that later), you can partition work or data amongst them in a uniform manner. e.g. you might choose to use proxies as a method of sharing non-persistent state or as a "second pass" analysis for any - work that you don't want interferring with the workers' capacity to + work that you don't want interfering with the workers' capacity to keep up with capturing and parsing packets. Note that the default scripts that come with Bro don't utilize proxies themselves, so if you are coming from a previous BroControl deployment, you may want to try reducing down 
@@ -149,7 +149,7 @@ Data Management/Sharing Strategies There's maybe no single, best approach or pattern to use when you need a Bro script to store or share long-term state and data. The two -approaches that were previously used were either using ``&synchronized`` +approaches that were previously used were either using the ``&synchronized`` attribute on tables/sets or by explicitly sending events to specific nodes on which you wanted data to be stored. The former is no longer possible, though there are several new possibilities that the new @@ -206,16 +206,16 @@ causing data to now be located and updated there. If the developer of a script expects its workload to be particularly intensive, wants to ensure that their operations get exclusive -access to nodes, or otherwise set containts on the number of nodes within +access to nodes, or otherwise set constraints on the number of nodes within a pool utilized by their script, then the :bro:see:`Cluster::PoolSpec` -structure will allow them to that while still allowing users of that script +structure will allow them to do that while still allowing users of that script to override the default suggestions made by the original developer. Broker Framework Examples ========================= The broker framework provides basic facilities for connecting Bro instances -to eachother and exchanging messages, like events or logs. +to each other and exchanging messages, like events or logs. See :doc:`/scripts/base/frameworks/broker/main.bro` for an overview of the main Broker API. 
@@ -320,7 +320,7 @@ the event are not called. The second option is to call the :bro:see:`Broker::auto_publish` function where you specify a particular event that will be automatically sent to peers whenever the event is called locally via the normal event invocation syntax. -When auto-publishing events, local event handler for the event are called +When auto-publishing events, local event handlers for the event are called in addition to sending the event to any subscribed peers. .. btest-include:: ${DOC_ROOT}/frameworks/broker/events-connector.bro @@ -541,7 +541,7 @@ did before. Instead of using :bro:see:`Broker::publish` we use different # though now we have a choice of which proxy to use. If we # want to distribute the work associated with relaying uniformly, # we can use a round-robin strategy. The key used here is simply - # used by the cluster framework internally to keep track of the + # used by the cluster framework internally to keep track of # which node is up next in the round-robin. Cluster::relay_rr(Cluster::proxy_pool, "example_key", Cluster::worker_topic, worker_to_workers, From 80b3b82b540e390ce4fd7a3f2abd68088c6bad80 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Tue, 26 Jun 2018 15:59:41 -0700 Subject: [PATCH 522/631] implemented /re/i for case-insensitive patterns --- NEWS | 6 +++++ src/RE.cc | 19 ++++++++++++++ src/RE.h | 5 ++++ src/input.h | 1 - src/parse.y | 9 ++++--- src/re-parse.y | 69 +++++++++++++++++++++++++++++++++++--------------- src/re-scan.l | 21 ++++++++++++++- src/scan.l | 14 +++++++++- 8 files changed, 117 insertions(+), 27 deletions(-) diff --git a/NEWS b/NEWS index f594207f58..d075d4637b 100644 --- a/NEWS +++ b/NEWS 
@@ -255,6 +255,12 @@ New Functionality semi-present in previous versions of Bro, but required constants as as its operands; now you can use any pattern-valued expressions. +- You can now specify that a pattern should be match in a case-insensitive + fashion by adding 'i' to the end of its specification. So for example + /fOO/i == "Foo" yields T, as does /fOO/i in "xFoObar". Characters + enclosed in quotes however keep their casing, so /"fOO"/i in "xFoObar" + yields F, though it yields T for "xfOObar". + Changed Functionality --------------------- diff --git a/src/RE.cc b/src/RE.cc index 4d26ce2423..4e29fa8e92 100644 --- a/src/RE.cc +++ b/src/RE.cc @@ -102,6 +102,19 @@ void Specific_RE_Matcher::AddPat(const char* new_pat, pattern_text = s; } +void Specific_RE_Matcher::MakeCaseInsensitive() + { + const char fmt[] = "(+i %s)"; + int n = strlen(pattern_text) + strlen(fmt); + + char* s = new char[n + 5 /* slop */]; + + safe_snprintf(s, n + 5, fmt, pattern_text); + + delete [] pattern_text; + pattern_text = s; + } + int Specific_RE_Matcher::Compile(int lazy) { if ( ! pattern_text ) @@ -444,6 +457,12 @@ void RE_Matcher::AddPat(const char* new_pat) re_exact->AddPat(new_pat); } +void RE_Matcher::MakeCaseInsensitive() + { + re_anywhere->MakeCaseInsensitive(); + re_exact->MakeCaseInsensitive(); + } + int RE_Matcher::Compile(int lazy) { return re_anywhere->Compile(lazy) && re_exact->Compile(lazy); diff --git a/src/RE.h b/src/RE.h index 056c0d2183..06b0699864 100644 --- a/src/RE.h +++ b/src/RE.h @@ -54,6 +54,8 @@ public: void AddPat(const char* pat); + void MakeCaseInsensitive(); + void SetPat(const char* pat) { pattern_text = copy_string(pat); } int Compile(int lazy = 0); @@ -178,6 +180,9 @@ public: void AddPat(const char* pat); + // Makes the matcher as specified to date case-insensitive. + void MakeCaseInsensitive(); + int Compile(int lazy = 0); // Returns true if s exactly matches the pattern, false otherwise. 
diff --git a/src/input.h b/src/input.h index 3d0caa459a..230a10073a 100644 --- a/src/input.h +++ b/src/input.h @@ -23,7 +23,6 @@ extern void add_input_file_at_front(const char* file); extern void add_to_name_list(char* s, char delim, name_list& nl); extern void begin_RE(); -extern void end_RE(); extern void do_atif(Expr* expr); extern void do_atifdef(const char* id); diff --git a/src/parse.y b/src/parse.y index 34d6f31373..25b6c17873 100644 --- a/src/parse.y +++ b/src/parse.y @@ -14,7 +14,7 @@ %token TOK_DOUBLE TOK_ELSE TOK_ENUM TOK_EVENT TOK_EXPORT TOK_FALLTHROUGH %token TOK_FILE TOK_FOR TOK_FUNCTION TOK_GLOBAL TOK_HOOK TOK_ID TOK_IF TOK_INT %token TOK_INTERVAL TOK_LIST TOK_LOCAL TOK_MODULE -%token TOK_NEXT TOK_OF TOK_OPAQUE TOK_PATTERN TOK_PATTERN_TEXT +%token TOK_NEXT TOK_OF TOK_OPAQUE TOK_PATTERN TOK_PATTERN_END TOK_PATTERN_TEXT %token TOK_PORT TOK_PRINT TOK_RECORD TOK_REDEF %token TOK_REMOVE_FROM TOK_RETURN TOK_SCHEDULE TOK_SET %token TOK_STRING TOK_SUBNET TOK_SWITCH TOK_TABLE @@ -52,7 +52,7 @@ %left '$' '[' ']' '(' ')' TOK_HAS_FIELD TOK_HAS_ATTR %nonassoc TOK_AS TOK_IS -%type opt_no_test opt_no_test_block opt_deprecated +%type opt_no_test opt_no_test_block opt_deprecated TOK_PATTERN_END %type TOK_ID TOK_PATTERN_TEXT %type local_id global_id def_global_id event_id global_or_event_id resolve_id begin_func case_type %type local_id_list case_type_list @@ -723,13 +723,16 @@ expr: $$ = new ConstExpr($1); } - | '/' { begin_RE(); } TOK_PATTERN_TEXT { end_RE(); } '/' + | '/' { begin_RE(); } TOK_PATTERN_TEXT TOK_PATTERN_END { set_location(@3); RE_Matcher* re = new RE_Matcher($3); delete [] $3; + if ( $4 ) + re->MakeCaseInsensitive(); + re->Compile(); $$ = new ConstExpr(new PatternVal(re)); } diff --git a/src/re-parse.y b/src/re-parse.y index 3847c06f29..6834836f28 100644 --- a/src/re-parse.y +++ b/src/re-parse.y 
@@ -11,11 +11,13 @@ int csize = 256; int syntax_error = 0; +int is_letter(int sym); +int cupper(int sym); int clower(int sym); void yyerror(const char msg[]); %} -%token TOK_CHAR TOK_NUMBER TOK_CCL TOK_CCE +%token TOK_CHAR TOK_NUMBER TOK_CCL TOK_CCE TOK_CASE_INSENSITIVE %union { int int_val; @@ -126,12 +128,11 @@ singleton : singleton '*' | '(' re ')' { $$ = $2; } + | TOK_CASE_INSENSITIVE re ')' + { $$ = $2; case_insensitive = 0; } + | TOK_CHAR - { - if ( case_insensitive && $1 >= 'A' && $1 <= 'Z' ) - $1 = clower($1); - $$ = new NFA_Machine(new NFA_State($1, rem->EC())); - } + { $$ = new NFA_Machine(new NFA_State($1, rem->EC())); } | '^' { @@ -158,17 +159,29 @@ full_ccl : '[' ccl ']' ccl : ccl TOK_CHAR '-' TOK_CHAR { - if ( case_insensitive ) - { - if ( $2 >= 'A' && $2 <= 'Z' ) - $2 = clower($2); - if ( $4 >= 'A' && $4 <= 'Z' ) - $4 = clower($4); - } - if ( $2 > $4 ) synerr("negative range in character class"); + else if ( case_insensitive && + (is_letter($2) || is_letter($4)) ) + { + if ( is_letter($2) && is_letter($4) && + isupper($2) == isupper($4) ) + { // Compatible range, do both versions + int l2 = tolower($2); + int l4 = tolower($4); + + for ( int i = l2; i<= l4; ++i ) + { + $1->Add(i); + $1->Add(toupper(i)); + } + } + + else + synerr("ambiguous case-insensitive character class"); + } + else { for ( int i = $2; i <= $4; ++i ) @@ -178,10 +191,13 @@ ccl : ccl TOK_CHAR '-' TOK_CHAR | ccl TOK_CHAR { - if ( case_insensitive && $2 >= 'A' && $2 <= 'Z' ) - $2 = clower($2); - - $1->Add($2); + if ( case_insensitive && is_letter($2) ) + { + $1->Add(clower($2)); + $1->Add(cupper($2)); + } + else + $1->Add($2); } | ccl ccl_expr @@ -200,9 +216,10 @@ ccl_expr: TOK_CCE string : string TOK_CHAR { - if ( case_insensitive && $2 >= 'A' && $2 <= 'Z' ) - $2 = clower($2); - + // Even if case-insensitivity is set, + // leave this alone; that provides a way + // of "escaping" out of insensitivity + // if needed. $1->AppendState(new NFA_State($2, rem->EC())); } 
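Review bot: `case_insensitive` is cleared only in the `TOK_CASE_INSENSITIVE re ')'` action, so a pattern whose parse fails inside a `(+i` group leaves the global set to 1, and the next pattern compiled may then be matched case-insensitively without having asked for it. Nothing in the visible hunks resets the flag before a parse; unless `Compile()` already does so elsewhere, add `case_insensitive = 0;` in `RE_set_input()` before the `yy_scan_string(str)` call. The same action also switches the flag off at the closing `)` of any nested `(+i` group, which may end insensitivity early if an already-wrapped pattern is embedded in another one; a depth counter instead of a 0/1 flag would cover that case. Since these patterns drive detection logic, a pattern that silently matches more or less than written deserves a regression test for both situations.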
@@ -211,6 +228,16 @@ string : string TOK_CHAR ; %% +int is_letter(int sym) + { + return isascii(sym) && (islower(sym) || isupper(sym)); + } + +int cupper(int sym) + { + return (isascii(sym) && islower(sym)) ? toupper(sym) : sym; + } + int clower(int sym) { return (isascii(sym) && isupper(sym)) ? tolower(sym) : sym; diff --git a/src/re-scan.l b/src/re-scan.l index 8bd00c8bba..70bafd5649 100644 --- a/src/re-scan.l +++ b/src/re-scan.l @@ -114,6 +114,25 @@ CCL_EXPR ("[:"[[:alpha:]]+":]") } } + "(+i"[ \t]* case_insensitive = 1; return TOK_CASE_INSENSITIVE; + + [a-zA-Z] { + if ( case_insensitive ) + { + char c = yytext[0]; // unput trashes yytext! + // Push back the character inside a CCL, + // so the parser can then expand it. + unput(']'); + unput(c); + unput('['); + } + else + { + yylval.int_val = yytext[0]; + return TOK_CHAR; + } + } + [|*+?.(){}] return yytext[0]; . yylval.int_val = yytext[0]; return TOK_CHAR; \n return 0; // treat as end of pattern @@ -157,7 +176,7 @@ CCL_EXPR ("[:"[[:alpha:]]+":]") "[:upper:]" { BEGIN(SC_CCL); yylval.cce_val = - case_insensitive ? my_isupper : my_islower; + case_insensitive ? my_islower : my_isupper; return TOK_CCE; } diff --git a/src/scan.l b/src/scan.l index 3bbf6ec999..24e0547bfc 100644 --- a/src/scan.l +++ b/src/scan.l @@ -554,7 +554,19 @@ F RET_CONST(new Val(false, TYPE_BOOL)) return TOK_PATTERN_TEXT; } -[/\\\n] return yytext[0]; +"/" { + BEGIN(INITIAL); + yylval.b = false; + return TOK_PATTERN_END; + } + +"/i" { + BEGIN(INITIAL); + yylval.b = true; + return TOK_PATTERN_END; + } + +[\\\n] return yytext[0]; // should cause a parse error <*>. reporter->Error("unrecognized character - %s", yytext); From a97567ef389578a08de9a00f62700624ebfec5a6 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 26 Jun 2018 18:00:51 -0500 Subject: [PATCH 523/631] Add memory leak unit test for pattern operations --- testing/btest/core/leaks/pattern.bro | 38 ++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 testing/btest/core/leaks/pattern.bro diff --git a/testing/btest/core/leaks/pattern.bro b/testing/btest/core/leaks/pattern.bro new file mode 100644 index 0000000000..3119ad12af --- /dev/null +++ b/testing/btest/core/leaks/pattern.bro @@ -0,0 +1,38 @@ +# @TEST-GROUP: leaks +# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks + +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b -r $TRACES/http/get.trace %INPUT +# @TEST-EXEC: btest-bg-wait 60 + +function test_case(msg: string, expect: bool) + { + print fmt("%s (%s)", msg, expect ? "PASS" : "FAIL"); + } + +event new_connection(c: connection) + { + print "new connection"; + + local p1: pattern = /foo|bar/; + local p2: pattern = /oob/; + local p3: pattern = /^oob/; + local p4 = /foo/; + + # Type inference tests + + test_case( "type inference", type_name(p4) == "pattern" ); + + # Operator tests + + test_case( "equality operator", "foo" == p1 ); + test_case( "equality operator (order of operands)", p1 == "foo" ); + test_case( "inequality operator", "foobar" != p1 ); + test_case( "inequality operator (order of operands)", p1 != "foobar" ); + test_case( "in operator", p1 in "foobar" ); + test_case( "in operator", p2 in "foobar" ); + test_case( "!in operator", p3 !in "foobar" ); + test_case( "& operator", p1 & p2 in "baroob" ); + test_case( "& operator", p2 & p1 in "baroob" ); + test_case( "| operator", p1 | p2 in "lazybarlazy" ); + test_case( "| operator", p3 | p4 in "xoob" ); + } From e33a3a9c0298dec00474c1e4b79dce2b57dafaa5 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 26 Jun 2018 18:06:07 -0500 Subject: [PATCH 524/631] Fix typo in NEWS --- CHANGES | 16 ++++++++++++++++ NEWS | 2 +- VERSION | 2 +- 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 78c8dbf629..f8ca072f83 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,20 @@ +2.5-710 | 2018-06-26 18:06:22 -0500 + + * Add memory leak unit test for pattern operations (Corelight) + + * fixed 3 leaks in creating pattern values (Vern Paxson) + + * add & and | operators for patterns (Vern Paxson) + + * deprecate merge_patterns() (Vern Paxson) + + * deprecate boolean scalar+vector operations (Vern Paxson) + + * deprecate mixing scalars and vectors (Vern Paxson) + + * deprecate && / || operators for patterns (Vern Paxson) + 2.5-690 | 2018-06-26 15:05:23 -0500 * Fix deprecated actor_system_config field usages (Corelight) diff --git a/NEWS b/NEWS index f594207f58..a4f233a116 100644 --- a/NEWS +++ b/NEWS @@ -252,7 +252,7 @@ New Functionality - The '&' and '|' operators can apply to patterns, too. p1 & p2 yields a pattern that represents matching p1 followed by p2, and p1 | p2 yields a pattern representing matching p1 or p2. The p1 | p2 functionality was - semi-present in previous versions of Bro, but required constants as as + semi-present in previous versions of Bro, but required constants as its operands; now you can use any pattern-valued expressions. Changed Functionality diff --git a/VERSION b/VERSION index c546c8150b..ca1bc4e12b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-690 +2.5-710 From 4bd8f3a5d5bfe7c922c94e2bc66c93a230f17496 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Tue, 26 Jun 2018 20:43:48 -0700 Subject: [PATCH 525/631] fix for handling [:(lower|upper):] in case-insensitive patterns --- src/re-scan.l | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/re-scan.l b/src/re-scan.l index 70bafd5649..d952ca2fd1 100644 --- a/src/re-scan.l +++ b/src/re-scan.l 
@@ -36,6 +36,8 @@ static int my_isprint(int c) { return isprint(c); } static int my_ispunct(int c) { return ispunct(c); } static int my_isspace(int c) { return isspace(c); } static int my_isxdigit(int c) { return isxdigit(c); } + +static int my_is_letter(int c) { return my_islower(c) || my_isupper(c); } %} %option caseless nodefault nostdinit noyywrap @@ -168,15 +170,22 @@ CCL_EXPR ("[:"[[:alpha:]]+":]") "[:cntrl:]" RET_CCE(my_iscntrl) "[:digit:]" RET_CCE(my_isdigit) "[:graph:]" RET_CCE(my_isgraph) - "[:lower:]" RET_CCE(my_islower) "[:print:]" RET_CCE(my_isprint) "[:punct:]" RET_CCE(my_ispunct) "[:space:]" RET_CCE(my_isspace) "[:xdigit:]" RET_CCE(my_isxdigit) + + "[:lower:]" { + BEGIN(SC_CCL); + yylval.cce_val = + case_insensitive ? my_is_letter : my_islower; + return TOK_CCE; + } + "[:upper:]" { BEGIN(SC_CCL); yylval.cce_val = - case_insensitive ? my_islower : my_isupper; + case_insensitive ? my_is_letter : my_isupper; return TOK_CCE; } From 9bdb24a719121be1fd8008ba56f36ab65b91d26b Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Tue, 26 Jun 2018 20:47:12 -0700 Subject: [PATCH 526/631] d'oh there's isalpha. I looked earlier for isletter :-P --- src/re-parse.y | 12 +++--------- src/re-scan.l | 6 ++---- 2 files changed, 5 insertions(+), 13 deletions(-) diff --git a/src/re-parse.y b/src/re-parse.y index 6834836f28..95573f6a22 100644 --- a/src/re-parse.y +++ b/src/re-parse.y @@ -11,7 +11,6 @@ int csize = 256; int syntax_error = 0; -int is_letter(int sym); int cupper(int sym); int clower(int sym); void yyerror(const char msg[]); @@ -163,9 +162,9 @@ ccl : ccl TOK_CHAR '-' TOK_CHAR synerr("negative range in character class"); else if ( case_insensitive && - (is_letter($2) || is_letter($4)) ) + (isalpha($2) || isalpha($4)) ) { - if ( is_letter($2) && is_letter($4) && + if ( isalpha($2) && isalpha($4) && isupper($2) == isupper($4) ) { // Compatible range, do both versions int l2 = tolower($2); 
@@ -191,7 +190,7 @@ ccl : ccl TOK_CHAR '-' TOK_CHAR | ccl TOK_CHAR { - if ( case_insensitive && is_letter($2) ) + if ( case_insensitive && isalpha($2) ) { $1->Add(clower($2)); $1->Add(cupper($2)); @@ -228,11 +227,6 @@ string : string TOK_CHAR ; %% -int is_letter(int sym) - { - return isascii(sym) && (islower(sym) || isupper(sym)); - } - int cupper(int sym) { return (isascii(sym) && islower(sym)) ? toupper(sym) : sym; diff --git a/src/re-scan.l b/src/re-scan.l index d952ca2fd1..0c6819bdd7 100644 --- a/src/re-scan.l +++ b/src/re-scan.l @@ -36,8 +36,6 @@ static int my_isprint(int c) { return isprint(c); } static int my_ispunct(int c) { return ispunct(c); } static int my_isspace(int c) { return isspace(c); } static int my_isxdigit(int c) { return isxdigit(c); } - -static int my_is_letter(int c) { return my_islower(c) || my_isupper(c); } %} %option caseless nodefault nostdinit noyywrap @@ -178,14 +176,14 @@ CCL_EXPR ("[:"[[:alpha:]]+":]") "[:lower:]" { BEGIN(SC_CCL); yylval.cce_val = - case_insensitive ? my_is_letter : my_islower; + case_insensitive ? my_isalpha : my_islower; return TOK_CCE; } "[:upper:]" { BEGIN(SC_CCL); yylval.cce_val = - case_insensitive ? my_is_letter : my_isupper; + case_insensitive ? my_isalpha : my_isupper; return TOK_CCE; } From d6990119db8822612a05dadf838629ba3ea9a1cc Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 27 Jun 2018 10:47:17 -0700 Subject: [PATCH 527/631] Continue work on config framework clusterization. This does not currently work. --- scripts/base/frameworks/config/main.bro | 44 +++++++- .../manager-1.config.log | 11 ++ .../base/frameworks/config/basic_cluster.bro | 2 +- .../base/frameworks/config/cluster_resend.bro | 102 ++++++++++++++++++ 4 files changed, 153 insertions(+), 6 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/manager-1.config.log create mode 100644 testing/btest/scripts/base/frameworks/config/cluster_resend.bro 
diff --git a/scripts/base/frameworks/config/main.bro b/scripts/base/frameworks/config/main.bro index c93271efa1..3503e5e6bd 100644 --- a/scripts/base/frameworks/config/main.bro +++ b/scripts/base/frameworks/config/main.bro @@ -50,25 +50,43 @@ export { } @if ( Cluster::is_enabled() ) +type OptionCacheValue: record { + val: any; + location: string; +}; + +global option_cache: table[string] of OptionCacheValue; + event bro_init() { Broker::subscribe(change_topic); } + event Config::cluster_set_option(ID: string, val: any, location: string) { +@if ( Cluster::local_node_type() == Cluster::MANAGER ) + option_cache[ID] = OptionCacheValue($val=val, $location=location); +@endif Option::set(ID, val, location); } function set_value(ID: string, val: any, location: string &default = "" &optional): bool { + local cache_val: any; + # first cache value in case setting it succeeds and we have to store it. + if ( Cluster::local_node_type() == Cluster::MANAGER ) + cache_val = copy(val); # First try setting it locally - abort if not possible. if ( ! Option::set(ID, val, location) ) - { return F; - } + # If setting worked, copy the new value into the cache on the manager + if ( Cluster::local_node_type() == Cluster::MANAGER ) + option_cache[ID] = OptionCacheValue($val=cache_val, $location=location); + # If it turns out that it is possible - send it to everyone else to apply. Broker::publish(change_topic, Config::cluster_set_option, ID, val, location); + if ( Cluster::local_node_type() != Cluster::MANAGER ) { Broker::relay(change_topic, change_topic, Config::cluster_set_option, ID, val, location); 
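Review bot: The new `Config::cluster_set_option` handler writes the received value into `option_cache` before calling `Option::set` and never checks the result, so on the manager a value that `Option::set` rejects is still cached. `set_value` in the same hunk caches only after a successful set, and the two paths should agree; otherwise the cache can diverge from the option's real value. The handler could read `local c = copy(val); if ( Option::set(ID, val, location) ) option_cache[ID] = OptionCacheValue($val=c, $location=location);` with the cache write kept under the manager `@if`; the `copy` mirrors what `set_value` does and may not be needed. The handler also applies whatever arrives on `change_topic` without looking at the sender, so a comment stating that every peer able to publish to that topic is trusted to change options would be worth adding. `set_value` ends outside this hunk.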
@@ -76,11 +94,27 @@ function set_value(ID: string, val: any, location: string &default = "" &optiona return T; } @else - # Standalone implementation - function set_value(ID: string, val: any, location: string &default = "" &optional): bool +# Standalone implementation +function set_value(ID: string, val: any, location: string &default = "" &optional): bool + { + return Option::set(ID, val, location); + } +@endif + +@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) +# Handling of new worker nodes. +event Cluster::node_up(name: string, id: string) + { + # When a node connects, send it all current Option values. + if ( name in Cluster::nodes ) { - return Option::set(ID, val, location); + print option_cache; + for ( ID in option_cache ) + { + Broker::publish(Cluster::node_topic(name), Config::cluster_set_option, ID, option_cache[ID]$val, option_cache[ID]$location); + } } + } @endif diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/manager-1.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/manager-1.config.log new file mode 100644 index 0000000000..2953e3d78d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/manager-1.config.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path config +#open 2018-06-22-18-27-45 +#fields ts id old_value new_value location +#types time string string string string +1529692065.525489 testport 42/tcp 44/tcp - +1529692065.562594 teststring a b comment +#close 2018-06-22-18-27-50 diff --git a/testing/btest/scripts/base/frameworks/config/basic_cluster.bro b/testing/btest/scripts/base/frameworks/config/basic_cluster.bro index 1703bee8e5..4dc743a0cf 100644 --- a/testing/btest/scripts/base/frameworks/config/basic_cluster.bro +++ b/testing/btest/scripts/base/frameworks/config/basic_cluster.bro 
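Review bot: The `Cluster::node_up` handler added in the `@@ -76,11 +94,27 @@` hunk contains `print option_cache;`, which writes every cached option value to the manager's stdout each time a node connects. That looks like leftover debugging, and option values may include settings an operator would not expect to see in stdout; I would drop the line. A short comment on the `name in Cluster::nodes` check would also help, for example `# Only replay options to nodes that are part of the configured cluster layout.`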
@@ -6,6 +6,7 @@ # @TEST-EXEC: btest-diff manager-1/.stdout # @TEST-EXEC: btest-diff worker-1/.stdout # @TEST-EXEC: btest-diff worker-2/.stdout +# @TEST-EXEC: btest-diff manager-1/config.log @load base/frameworks/config @@ -45,7 +46,6 @@ event ready_for_data() Config::set_value("testport", 44/tcp); Config::set_value("teststring", "b", "comment"); } - @endif event die() diff --git a/testing/btest/scripts/base/frameworks/config/cluster_resend.bro b/testing/btest/scripts/base/frameworks/config/cluster_resend.bro new file mode 100644 index 0000000000..450c03cbdf --- /dev/null +++ b/testing/btest/scripts/base/frameworks/config/cluster_resend.bro 
@@ -0,0 +1,102 @@ +# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: sleep 1 +# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT +# @TEST-EXEC: sleep 15 +# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT +# @TEST-EXEC: btest-bg-wait 15 +# @TEST-EXEC: btest-diff manager-1/.stdout +# @TEST-EXEC: btest-diff worker-1/.stdout +# @TEST-EXEC: btest-diff worker-2/.stdout +# @TEST-EXEC: btest-diff manager-1/config.log + +# In this test we check if values get updated on a worker, even if they were set before the +# worker is present. + +@load base/frameworks/config + + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], +}; +@TEST-END-FILE + +redef Log::default_rotation_interval = 0secs; + +export { + option testport = 42/tcp; + option teststring = "a"; +} + +global n = 0; + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); + } + +global ready_for_data: event(); + +event bro_init() + { + Broker::auto_publish(Cluster::worker_topic, ready_for_data); + } + +@if ( Cluster::node == "worker-1" ) +event ready_for_data() + { + Config::set_value("testport", 44/tcp); + Config::set_value("teststring", "b", "comment"); + } +@endif + +@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) +event Cluster::node_up(name: string, id: string) + { + print "Node up", name; + } +@endif + +event die() + { + terminate(); + } + +function option_changed(ID: string, new_value: any, location: string): any + { + print "option changed", ID, new_value, location; + #schedule 5sec { die() }; + 
return new_value; + } + +event bro_init() &priority=5 + { + Option::set_change_handler("testport", option_changed, -100); + Option::set_change_handler("teststring", option_changed, -100); + } + +@if ( Cluster::local_node_type() == Cluster::MANAGER ) + +global peer_count = 0; +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + ++peer_count; + if ( peer_count == 1 ) + event ready_for_data(); + } + +@endif + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); + } + +module Config; + +event Config::cluster_set_option(ID: string, val: any, location: string) + { + print "cluster_set_option for ", ID; + } From ceefb6edafe669d90b5abd03b18962cba6ccb875 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 27 Jun 2018 13:00:09 -0500 Subject: [PATCH 528/631] Fix minor typos in broker reference documentation --- scripts/base/frameworks/broker/main.bro | 23 ++++++++++++++--------- scripts/base/frameworks/broker/store.bro | 8 ++++++-- scripts/base/frameworks/cluster/pools.bro | 4 ++-- src/broker/messaging.bif | 8 ++++---- 4 files changed, 26 insertions(+), 17 deletions(-) diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.bro index 23a701c3ef..cab205dd85 100644 --- a/scripts/base/frameworks/broker/main.bro +++ b/scripts/base/frameworks/broker/main.bro 
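Review bot: `Broker::peer_lost` is handled twice in the new cluster_resend.bro test with identical bodies, so one of the two handlers can go. `global n = 0;` and the `die` event are never used (the only `schedule` is commented out) and can be removed as well. The ordering the test depends on comes from the fixed `sleep 1` and `sleep 15` in the `@TEST-EXEC` lines, which may make it timing-sensitive on a loaded machine; a comment saying why those delays were chosen would help.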
@@ -20,19 +20,19 @@ export { ## initially, or if it ever becomes disconnected. const default_connect_retry = 30sec &redef; - ## If false, do not use SSL for network connections. By default, SSL will even - ## be used if no certificates / CAs have been configured. In that case + ## If true, do not use SSL for network connections. By default, SSL will + ## even be used if no certificates / CAs have been configured. In that case ## (which is the default) the communication will be encrypted, but not ## authenticated. const disable_ssl = F &redef; ## Path to a file containing concatenated trusted certificates - ## in PEM format. If set, Bro will require valid certificates forx + ## in PEM format. If set, Bro will require valid certificates for ## all peers. const ssl_cafile = "" &redef; ## Path to an OpenSSL-style directory of trusted certificates. - ## If set, Bro will require valid certificates forx + ## If set, Bro will require valid certificates for ## all peers. const ssl_capath = "" &redef; @@ -96,9 +96,9 @@ export { PEER_INVALID = 3, ## Remote peer not listening. PEER_UNAVAILABLE = 4, - ## An peering request timed out. + ## A peering request timed out. PEER_TIMEOUT = 5, - ## Master with given name already exist. + ## Master with given name already exists. MASTER_EXISTS = 6, ## Master with given name does not exist. NO_SUCH_MASTER = 7, @@ -106,7 +106,7 @@ export { NO_SUCH_KEY = 8, ## The store operation timed out. REQUEST_TIMEOUT = 9, - ## The operation expected a different type than provided + ## The operation expected a different type than provided. TYPE_CLASH = 10, ## The data value cannot be used to carry out the desired operation. INVALID_DATA = 11, 
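Review bot: The corrected comment on `disable_ssl` in the `@@ -20,19 +20,19 @@` hunk still leaves "encrypted, but not authenticated" unexplained, and that default is easy to misread as sufficient. Without `ssl_cafile` or `ssl_capath` set, peers' certificates are not verified, so the link resists passive capture only. I would add one line to the comment, for example `## Set ssl_cafile or ssl_capath to have peers' certificates verified.`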
@@ -181,7 +181,7 @@ export { ## Listen for remote connections. ## ## a: an address string on which to accept connections, e.g. - ## "127.0.0.1". An empty string refers to @p INADDR_ANY. + ## "127.0.0.1". An empty string refers to INADDR_ANY. ## ## p: the TCP port to listen on. The value 0 means that the OS should choose ## the next available free port. @@ -229,9 +229,13 @@ export { ## TODO: We do not have a function yet to terminate a connection. global unpeer: function(a: string, p: port): bool; + ## Get a list of all peer connections. + ## ## Returns: a list of all peer connections. global peers: function(): vector of PeerInfo; + ## Get a unique identifier for the local broker endpoint. + ## ## Returns: a unique identifier for the local broker endpoint. global node_id: function(): string; @@ -268,7 +272,8 @@ export { global unsubscribe: function(topic_prefix: string): bool; ## Automatically send an event to any interested peers whenever it is - ## locally dispatched (e.g. using "event my_event(...);" in a script). + ## locally dispatched. (For example, using "event my_event(...);" in a + ## script.) ## ## topic: a topic string associated with the event message. ## Peers advertise interest by registering a subscription to some diff --git a/scripts/base/frameworks/broker/store.bro b/scripts/base/frameworks/broker/store.bro index 75b7d69b35..2e216afa93 100644 --- a/scripts/base/frameworks/broker/store.bro +++ b/scripts/base/frameworks/broker/store.bro @@ -59,7 +59,7 @@ export { ## Options to tune the RocksDB storage backend. type RocksDBOptions: record { ## File system path of the database. - ## If left empty, will be derived from the name of the store. + ## If left empty, will be derived from the name of the store, ## and use the '.rocksdb' file suffix. path: string &default = ""; }; 
@@ -125,9 +125,13 @@ export { ## longer be used for data store operations. global close: function(h: opaque of Broker::Store): bool; - ## Returns: whether a store is closed or not. + ## Check if a store is closed or not. + ## + ## Returns: true if the store is closed. global is_closed: function(h: opaque of Broker::Store): bool; + ## Get the name of a store. + ## ## Returns: the name of the store. global store_name: function(h: opaque of Broker::Store): string; diff --git a/scripts/base/frameworks/cluster/pools.bro b/scripts/base/frameworks/cluster/pools.bro index 69b6c7128e..fb45594adc 100644 --- a/scripts/base/frameworks/cluster/pools.bro +++ b/scripts/base/frameworks/cluster/pools.bro @@ -1,5 +1,5 @@ ##! Defines an interface for managing pools of cluster nodes. Pools are -##! are useful way to distribute work or data among nodes within a cluster. +##! a useful way to distribute work or data among nodes within a cluster. @load ./main @load base/utils/hash_hrw @@ -7,7 +7,7 @@ module Cluster; export { - ## Store state of a cluster within within the context of a work pool. + ## Store state of a cluster within the context of a work pool. type PoolNode: record { ## The node name (e.g. "manager"). name: string; diff --git a/src/broker/messaging.bif b/src/broker/messaging.bif index c7b16dba72..bc0d03a629 100644 --- a/src/broker/messaging.bif +++ b/src/broker/messaging.bif @@ -304,7 +304,7 @@ type Cluster::Pool: record; ## Publishes an event to a node within a pool according to Round-Robin ## distribution strategy. ## -## pool: the pool of nodes that are eligible to receive the revent +## pool: the pool of nodes that are eligible to receive the event. ## ## key: an arbitrary string to identify the purpose for which you're ## distributing the event. e.g. consider using namespacing of your 
@@ -350,7 +350,7 @@ function Cluster::publish_rr%(pool: Pool, key: string, ...%): bool ## node, then automatically forwards it to its peers with a different topic. ## The event is relayed at most a single hop. ## -## pool: the pool of nodes that are eligible to receive the event +## pool: the pool of nodes that are eligible to receive the event. ## ## key: an arbitrary string to identify the purpose for which you're ## distributing the event. e.g. consider using namespacing of your @@ -423,7 +423,7 @@ function Cluster::relay_rr%(pool: Pool, key: any, ...%): bool ## Publishes an event to a node within a pool according to Rendezvous ## (Highest Random Weight) hashing strategy. ## -## pool: the pool of nodes that are eligible to receive the revent +## pool: the pool of nodes that are eligible to receive the event. ## ## key: data used for input to the hashing function that will uniformly ## distribute keys among available nodes. @@ -467,7 +467,7 @@ function Cluster::publish_hrw%(pool: Pool, key: any, ...%): bool ## strategy. The receiving nodes then automatically forwards it to its peers ## with a different topic. The event is relayed at most a single hop. ## -## pool: the pool of nodes that are eligible to receive the revent +## pool: the pool of nodes that are eligible to receive the event. ## ## key: data used for input to the hashing function that will uniformly ## distribute keys among available nodes. From bd74b4525b1cf038331fc77e49e892bcae73c15e Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 27 Jun 2018 14:00:32 -0500 Subject: [PATCH 529/631] Add pattern operators to the documentation of operators --- doc/script-reference/operators.rst | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/doc/script-reference/operators.rst b/doc/script-reference/operators.rst index e9683f3e97..b7d6e71b73 100644 --- a/doc/script-reference/operators.rst +++ b/doc/script-reference/operators.rst 
@@ -141,6 +141,32 @@ field name must be in the declaration of the record type. +------------------------------+-------------+-------------------------------+ +Pattern operators +----------------- + +In the table below, *p* is a pattern, and *s* is a string. + ++------------------------------+-------------+-------------------------------+ +| Name | Syntax | Notes | ++==============================+=============+===============================+ +| Exact matching | *p* == *s* | Evaluates to a boolean, | +| | | indicating if the entire | +| | | string exactly matches the | +| | | pattern. | ++------------------------------+-------------+-------------------------------+ +| Embedded matching | *p* in *s* | Evaluates to a boolean, | +| | | indicating if pattern is | +| | | found somewhere in the string.| ++------------------------------+-------------+-------------------------------+ +| Conjunction | *p1* & *p2* | Evaluates to a pattern that | +| | | represents matching p1 | +| | | followed by p2. | ++------------------------------+-------------+-------------------------------+ +| Disjunction | *p1* | *p2* | Evaluates to a pattern that | +| | | represents matching p1 or p2. | ++------------------------------+-------------+-------------------------------+ + + Type casting ------------ From 8849e214caeb0dbae9fe110a8f13f3e33e665a14 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Wed, 27 Jun 2018 14:33:07 -0500 Subject: [PATCH 530/631] Fix some typos and formatting in NEWS --- NEWS | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/NEWS b/NEWS index a4f233a116..b6d88aa82f 100644 --- a/NEWS +++ b/NEWS 
@@ -18,7 +18,7 @@ New Functionality supersedes the old "communication" framework, which is now deprecated. The "cluster" and "control" frameworks have been ported to Broker; same for BroControl. For more about the new Broker - framework, see doc/frameworks/broker.rst (there's also guide there + framework, see doc/frameworks/broker.rst (there's also a guide there for porting existing Bro scripts to Broker). For more about Broker itself, including its API for external applications, see aux/broker/doc. @@ -258,11 +258,11 @@ New Functionality Changed Functionality --------------------- - - All communication is now handled through Broker, requiring changes - to existing scripts to port them over to the new API. The Broker - framework documentation comes with a porting guide. +- All communication is now handled through Broker, requiring changes + to existing scripts to port them over to the new API. The Broker + framework documentation comes with a porting guide. - - The DHCP analyzer and its script-layer interface have been rewritten. +- The DHCP analyzer and its script-layer interface have been rewritten. - Supports more DHCP options than before. @@ -272,9 +272,6 @@ Changed Functionality - Removed the policy/protocols/dhcp/known-devices-and-hostnames.bro script since it's generally less relevant now with the updated log. - - Removed policy/misc/known-devices.bro script and thus - known_devices.log will no longer be created. - - Removed the base/protocols/dhcp/utils.bro script and thus the 'reverse_ip' function. @@ -290,6 +287,9 @@ Changed Functionality - dhcp_release - dhcp_inform +- Removed policy/misc/known-devices.bro script and thus + known_devices.log will no longer be created. + - The --with-binpac= configure option has changed to mean "path to the binpac executable" instead of "path to binpac installation root". 
@@ -315,7 +315,7 @@ Changed Functionality - The 'tunnel_parents' field of conn.log is now marked &optional, so, for the default configuration of logs, this field will show "-" instead of - "(empty)" for connections that lack any tunelling. + "(empty)" for connections that lack any tunneling. - SMB event argument changes: @@ -335,14 +335,13 @@ Removed Functionality --------------------- - We no longer maintain any Bro plugins as part of the Bro - distribution. Most of the plugins that used be in aux/plugins have + distribution. Most of the plugins that used to be in aux/plugins have been moved over to use the Bro Package Manager instead. See https://github.com/bro/packages for a list of Bro packages currently available. - BroControl: The option 'IPv6Comm' and 'ZoneID' options are no longer - available (though Broker should be able to handle IPv6 - automatically). + available (though Broker should be able to handle IPv6 automatically). Deprecated Functionality ------------------------ From 06e7f18a3260e890392d34031bfcc16eb77a7414 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 27 Jun 2018 19:11:58 -0500 Subject: [PATCH 531/631] Prevent double-wrapping Broker::Data in published event args In the following example, the republication of "arg" would result in literally sending it as a Broker::Data record instead of the broker data that it was already wrapping. Sender: Broker::publish("topic", my_event, "hello") Receiver: event my_event(arg: any) { Broker::publish("topic", my_event, arg) } --- CHANGES | 4 ++++ VERSION | 2 +- src/broker/Manager.cc | 10 +++++++++- testing/btest/broker/remote_event_any.bro | 8 ++++++-- 4 files changed, 20 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index f8ca072f83..4a1c61ccab 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,8 @@ +2.5-711 | 2018-06-27 19:11:58 -0500 + + * Prevent double-wrapping Broker::Data in published event args (Corelight) + 2.5-710 | 2018-06-26 18:06:22 -0500 * Add memory leak unit test for pattern operations (Corelight) diff --git a/VERSION b/VERSION index ca1bc4e12b..0ddf8676ac 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-710 +2.5-711 diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 6f5e09e611..5def875ce7 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -815,7 +815,15 @@ RecordVal* Manager::MakeEvent(val_list* args, Frame* frame) return rval; } - auto data_val = make_data_val((*args)[i]); + RecordVal* data_val; + + if ( same_type(got_type, bro_broker::DataVal::ScriptDataType()) ) + { + data_val = (*args)[i]->AsRecordVal(); + Ref(data_val); + } + else + data_val = make_data_val((*args)[i]); if ( ! data_val->Lookup(0) ) { diff --git a/testing/btest/broker/remote_event_any.bro b/testing/btest/broker/remote_event_any.bro index 153056c456..9e5c8ea8de 100644 --- a/testing/btest/broker/remote_event_any.bro +++ b/testing/btest/broker/remote_event_any.bro @@ -69,7 +69,7 @@ const events_to_recv = 5; global handler: event(msg: string, c: count); global auto_handler: event(msg: string, c: count); -global pong: event(msg: string, c: count); +global pong: event(msg: string, c: any); event bro_init() { @@ -101,7 +101,11 @@ event ping(msg: string, n: any) return; } - Broker::publish("bro/event/my_topic", pong, msg, n as count); + if ( (n as count) % 2 == 0 ) + Broker::publish("bro/event/my_topic", pong, msg, n as count); + else + # internals should not wrap n into another Broker::Data record + Broker::publish("bro/event/my_topic", pong, msg, n); } @TEST-END-FILE From 4614dbe911c6c33cb1f09ad8e2333c115b8f2ecc Mon Sep 17 00:00:00 2001 
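Review bot: The new branch in `Manager::MakeEvent` that reuses an argument already typed as `Broker::Data` needs a comment on ownership. `Ref(data_val)` is presumably there so that both branches hand the following code a reference it may release, as `make_data_val()` does. I would add `// Already a Broker::Data record: pass it through unwrapped, holding our own reference.` above `data_val = (*args)[i]->AsRecordVal();`. The existing `! data_val->Lookup(0)` check now also covers a script-supplied record whose data field was never set, which deserves a word in the same comment. The rest of the loop body, including where `data_val` is released, is outside the hunk.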
From: Jon Siwek Date: Thu, 28 Jun 2018 09:29:45 -0500 Subject: [PATCH 532/631] Updating submodule(s). [nomail] --- aux/broker | 2 +- src/3rdparty | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/broker b/aux/broker index c0faf99fb0..1d90b931cc 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit c0faf99fb0215f410a987b502cfba9f7037906aa +Subproject commit 1d90b931cc888e31b0d4774dbae54f5758841ab3 diff --git a/src/3rdparty b/src/3rdparty index 0b10bb2943..648ff9aee1 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 0b10bb2943beaf972ddc494ba34699ed37ef3dbf +Subproject commit 648ff9aee1bb568a1a8252bd6e8146a7c60a911e From cfe45e0af0d7c5123278579dd82b5b83bce5b387 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Fri, 29 Jun 2018 11:30:00 -0700 Subject: [PATCH 533/631] documentation updates for case-insensitive patterns --- NEWS | 5 +++++ doc/script-reference/types.rst | 15 ++++++++++++--- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index d075d4637b..5dbdbcaf5d 100644 --- a/NEWS +++ b/NEWS @@ -261,6 +261,11 @@ New Functionality enclosed in quotes however keep their casing, so /"fOO"/i in "xFoObar" yields F, though it yields T for "xfOObar". + You can achieve the same functionality for a subpattern enclosed in + parentheses by adding "+i" to the open parenthesis, optionally followed + by whitespace. So for example "/foo|(+i bar)/" will match "BaR", but + not "FoO". + Changed Functionality --------------------- diff --git a/doc/script-reference/types.rst b/doc/script-reference/types.rst index 438706c425..d24ce09b8c 100644 --- a/doc/script-reference/types.rst +++ b/doc/script-reference/types.rst 
@@ -198,9 +198,9 @@ Here is a more detailed description of each type: .. bro:type:: pattern - A type representing regular-expression patterns which can be used + A type representing regular-expression patterns that can be used for fast text-searching operations. Pattern constants are created - by enclosing text within forward slashes (/) and is the same syntax + by enclosing text within forward slashes (``/``) and use the same syntax as the patterns supported by the `flex lexical analyzer `_. The speed of regular expression matching does not depend on the complexity or @@ -244,13 +244,22 @@ Here is a more detailed description of each type: yields true, like in the similar example above. You can also create the conjunction (concatenation) of patterns using the ``&`` - operator. For example: + operator. For example:: /foo/ & /bar/ in "foobar" will yield true because the pattern /(foo)(bar)/ appears in the string "foobar". + When specifying a pattern, you can add a final ``i`` specifier to + mark it as case-insensitive. For example, ``/foo|bar/i`` will match + a "foo", "Foo", "BaR", etc. + + You can also introduce a case-insensitive sub-pattern by enclosing it + in ``(+i````)``. For clarity, you can optionally include + trailing whitespace after the ``+i`` designator. So, for example, + ``/foo|(+i bar)/`` will match "foo" and "BaR", but *not* "Foo". + .. bro:type:: port A type representing transport-level port numbers (besides TCP and From 5ce3d1b899dc27adb853a19f07da35b7deeea9f0 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Fri, 29 Jun 2018 11:30:21 -0700 Subject: [PATCH 534/631] bug fix for recent memory leak patch --- src/RE.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/RE.cc b/src/RE.cc index 4e29fa8e92..cd37da18e9 100644 --- a/src/RE.cc +++ b/src/RE.cc 
@@ -168,7 +168,8 @@ int Specific_RE_Matcher::CompileSet(const string_list& set, const int_list& idx) if ( set_nfa != nfa ) Unref(set_nfa); - Unref(nfa); + else + Unref(nfa); nfa = 0; return 0; From a02d9e7f4a6fa4d6430d9ffbdcef3423810b140f Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Fri, 29 Jun 2018 11:35:22 -0700 Subject: [PATCH 535/631] document use of double quotes to escape case-insensitivity --- NEWS | 5 +++++ doc/script-reference/types.rst | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/NEWS b/NEWS index 5dbdbcaf5d..69665cde26 100644 --- a/NEWS +++ b/NEWS @@ -266,6 +266,11 @@ New Functionality by whitespace. So for example "/foo|(+i bar)/" will match "BaR", but not "FoO". + For both ways of specifying case-insensitivity, characters enclosed in + double quotes maintain their case-sensitivity. So for example /"foo"/i + will not match "Foo", but it will match "foo". + + Changed Functionality --------------------- diff --git a/doc/script-reference/types.rst b/doc/script-reference/types.rst index d24ce09b8c..36ed0f5bfa 100644 --- a/doc/script-reference/types.rst +++ b/doc/script-reference/types.rst @@ -260,6 +260,10 @@ Here is a more detailed description of each type: trailing whitespace after the ``+i`` designator. So, for example, ``/foo|(+i bar)/`` will match "foo" and "BaR", but *not* "Foo". + For both ways of specifying case-insensitivity, characters enclosed + in double quotes maintain their case-sensitivity. So for example + /"foo"/i will not match "Foo", but it will match "foo". + .. bro:type:: port A type representing transport-level port numbers (besides TCP and From f5e89b96aec80be073e6ec90a5ff2b6fcdba4490 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Fri, 29 Jun 2018 11:55:50 -0700 Subject: [PATCH 536/631] test suite update for case-insensitive patterns --- testing/btest/Baseline/language.pattern/out | 22 +++++++++++++ testing/btest/language/pattern.bro | 34 ++++++++++++++++++++- 2 files changed, 55 insertions(+), 1 deletion(-) 
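Review bot: After this change both arms of the `if` in `Specific_RE_Matcher::CompileSet` release the same object, because in the `else` arm `set_nfa == nfa`; the four lines reduce to `Unref(set_nfa);` followed by `nfa = 0;`. Writing it that way, with a comment such as `// set_nfa owns nfa when they differ, so release only set_nfa`, would make clear why `nfa` is not released separately and would guard against the double `Unref` coming back. That ownership relation is inferred from the fix, since the code that builds `set_nfa` is outside the hunk.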
diff --git a/testing/btest/Baseline/language.pattern/out b/testing/btest/Baseline/language.pattern/out index 9c801eb60b..5c31320da9 100644 --- a/testing/btest/Baseline/language.pattern/out +++ b/testing/btest/Baseline/language.pattern/out @@ -10,3 +10,25 @@ in operator (PASS) & operator (FAIL) | operator (PASS) | operator (FAIL) +/i pattern modifier (PASS) +/i pattern modifier (PASS) +/i double-quote escape (FAIL) +/i double-quote escape (PASS) +case-sensitive pattern (FAIL) +case-sensitive pattern (FAIL) +case-sensitive pattern (PASS) +/i pattern disjunction (PASS) +/i pattern disjunction (FAIL) +/i pattern disjunction (PASS) +/i pattern disjunction (PASS) +/i pattern concatenation (PASS) +/i pattern concatenation (FAIL) +/i pattern concatenation (FAIL) +/i pattern concatenation (PASS) +/i pattern concatenation (PASS) +/i pattern concatenation (FAIL) +/i pattern character class (FAIL) +/i pattern character class (PASS) +(+i ...) pattern construct (PASS) +(+i ...) pattern construct (FAIL) +(+i ...) pattern construct (PASS) diff --git a/testing/btest/language/pattern.bro b/testing/btest/language/pattern.bro index 1c137969eb..70eca233ea 100644 --- a/testing/btest/language/pattern.bro +++ b/testing/btest/language/pattern.bro 
@@ -22,15 +22,47 @@ event bro_init() test_case( "equality operator", "foo" == p1 ); test_case( "equality operator (order of operands)", p1 == "foo" ); + test_case( "inequality operator", "foobar" != p1 ); test_case( "inequality operator (order of operands)", p1 != "foobar" ); + test_case( "in operator", p1 in "foobar" ); test_case( "in operator", p2 in "foobar" ); test_case( "!in operator", p3 !in "foobar" ); + test_case( "& operator", p1 & p2 in "baroob" ); test_case( "& operator", p2 & p1 in "baroob" ); + test_case( "| operator", p1 | p2 in "lazybarlazy" ); test_case( "| operator", p3 | p4 in "xoob" ); -} + test_case( "/i pattern modifier", /fOO/i in "xFoObar" ); + test_case( "/i pattern modifier", /fOO/i == "Foo" ); + test_case( "/i double-quote escape", /"fOO"/i in "xFoObar" ); + test_case( "/i double-quote escape", /"fOO"/i in "xfOObar" ); + + test_case( "case-sensitive pattern", /fOO/ in "xFoObar" ); + test_case( "case-sensitive pattern", /fOO/ == "Foo" ); + test_case( "case-sensitive pattern", /fOO/ == "fOO" ); + + test_case( "/i pattern disjunction", /bar/i | /bez/ == "bez" ); + test_case( "/i pattern disjunction", /bar/i | /bez/ == "bEz" ); + test_case( "/i pattern disjunction", /bar/i | /bez/ == "bar" ); + test_case( "/i pattern disjunction", /bar/i | /bez/ == "bAr" ); + + test_case( "/i pattern concatenation", /bar/i & /bez/ == "barbez" ); + test_case( "/i pattern concatenation", /bar/i & /bez/ == "barbEz" ); + test_case( "/i pattern concatenation", /BAR/i & /bez/ == "barbEz" ); + test_case( "/i pattern concatenation", /bar/i & /bez/ == "bArbez" ); + test_case( "/i pattern concatenation", /BAR/i & /bez/ == "bArbez" ); + test_case( "/i pattern concatenation", /bar/i & /bez/ == "bArbEz" ); + + test_case( "/i pattern character class", /ba[0a-c99S-Z0]/i & /bEz/ == "bArbEz" ); + test_case( "/i pattern character class", /ba[0a-c99M-S0]/i & /bEz/ == "bArbEz" ); + + test_case( "(+i ...) pattern construct", /foo|(+i bar)/ in "xBAry" ); + test_case( "(+i ...) 
pattern construct", /foo|(+i bar)/ in "xFOoy" ); + test_case( "(+i ...) pattern construct", /foo|(+i bar)/ | /foo/i in "xFOoy" ); + +} From 726424f371c2b3d5f044a96a9143a8169bb728c4 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Fri, 29 Jun 2018 12:00:37 -0700 Subject: [PATCH 537/631] nitlet in NEWS entry --- NEWS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 69665cde26..a31491862f 100644 --- a/NEWS +++ b/NEWS @@ -255,7 +255,7 @@ New Functionality semi-present in previous versions of Bro, but required constants as as its operands; now you can use any pattern-valued expressions. -- You can now specify that a pattern should be match in a case-insensitive +- You can now specify that a pattern matches in a case-insensitive fashion by adding 'i' to the end of its specification. So for example /fOO/i == "Foo" yields T, as does /fOO/i in "xFoObar". Characters enclosed in quotes however keep their casing, so /"fOO"/i in "xFoObar" From 85c4b0d2859140f1be679601d87e75a60b3559bb Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Fri, 29 Jun 2018 13:01:05 -0700 Subject: [PATCH 538/631] use PCRE syntax instead of the beautiful new (?i ...) syntax --- NEWS | 5 ++--- doc/script-reference/types.rst | 5 ++--- src/RE.cc | 2 +- src/re-scan.l | 2 +- testing/btest/Baseline/language.pattern/out | 6 +++--- testing/btest/language/pattern.bro | 6 +++--- 6 files changed, 12 insertions(+), 14 deletions(-) diff --git a/NEWS b/NEWS index a31491862f..02e632865c 100644 --- a/NEWS +++ b/NEWS 
@@ -262,9 +262,8 @@ New Functionality yields F, though it yields T for "xfOObar". You can achieve the same functionality for a subpattern enclosed in - parentheses by adding "+i" to the open parenthesis, optionally followed - by whitespace. So for example "/foo|(+i bar)/" will match "BaR", but - not "FoO". + parentheses by adding "?i:" to the open parenthesis. So for example + "/foo|(?i:bar)/" will match "BaR", but not "FoO". For both ways of specifying case-insensitivity, characters enclosed in double quotes maintain their case-sensitivity. So for example /"foo"/i diff --git a/doc/script-reference/types.rst b/doc/script-reference/types.rst index 36ed0f5bfa..99dac0be48 100644 --- a/doc/script-reference/types.rst +++ b/doc/script-reference/types.rst @@ -256,9 +256,8 @@ Here is a more detailed description of each type: a "foo", "Foo", "BaR", etc. You can also introduce a case-insensitive sub-pattern by enclosing it - in ``(+i````)``. For clarity, you can optionally include - trailing whitespace after the ``+i`` designator. So, for example, - ``/foo|(+i bar)/`` will match "foo" and "BaR", but *not* "Foo". + in ``(?i:````)``. So, for example, ``/foo|(?i:bar)/`` will + match "foo" and "BaR", but *not* "Foo". For both ways of specifying case-insensitivity, characters enclosed in double quotes maintain their case-sensitivity. So for example diff --git a/src/RE.cc b/src/RE.cc index cd37da18e9..9c17f2f992 100644 --- a/src/RE.cc +++ b/src/RE.cc @@ -104,7 +104,7 @@ void Specific_RE_Matcher::AddPat(const char* new_pat, void Specific_RE_Matcher::MakeCaseInsensitive() { - const char fmt[] = "(+i %s)"; + const char fmt[] = "(?i:%s)"; int n = strlen(pattern_text) + strlen(fmt); char* s = new char[n + 5 /* slop */]; diff --git a/src/re-scan.l b/src/re-scan.l index 0c6819bdd7..292f7a2e02 100644 --- a/src/re-scan.l +++ b/src/re-scan.l 
@@ -114,7 +114,7 @@ CCL_EXPR ("[:"[[:alpha:]]+":]") } } - "(+i"[ \t]* case_insensitive = 1; return TOK_CASE_INSENSITIVE; + "(?i:" case_insensitive = 1; return TOK_CASE_INSENSITIVE; [a-zA-Z] { if ( case_insensitive ) diff --git a/testing/btest/Baseline/language.pattern/out b/testing/btest/Baseline/language.pattern/out index 5c31320da9..dac62ab0fa 100644 --- a/testing/btest/Baseline/language.pattern/out +++ b/testing/btest/Baseline/language.pattern/out @@ -29,6 +29,6 @@ case-sensitive pattern (PASS) /i pattern concatenation (FAIL) /i pattern character class (FAIL) /i pattern character class (PASS) -(+i ...) pattern construct (PASS) -(+i ...) pattern construct (FAIL) -(+i ...) pattern construct (PASS) +(?i:...) pattern construct (PASS) +(?i:...) pattern construct (FAIL) +(?i:...) pattern construct (PASS) diff --git a/testing/btest/language/pattern.bro b/testing/btest/language/pattern.bro index 70eca233ea..e427b70e80 100644 --- a/testing/btest/language/pattern.bro +++ b/testing/btest/language/pattern.bro @@ -61,8 +61,8 @@ event bro_init() test_case( "/i pattern character class", /ba[0a-c99S-Z0]/i & /bEz/ == "bArbEz" ); test_case( "/i pattern character class", /ba[0a-c99M-S0]/i & /bEz/ == "bArbEz" ); - test_case( "(+i ...) pattern construct", /foo|(+i bar)/ in "xBAry" ); - test_case( "(+i ...) pattern construct", /foo|(+i bar)/ in "xFOoy" ); - test_case( "(+i ...) pattern construct", /foo|(+i bar)/ | /foo/i in "xFOoy" ); + test_case( "(?i:...) pattern construct", /foo|(?i:bar)/ in "xBAry" ); + test_case( "(?i:...) pattern construct", /foo|(?i:bar)/ in "xFOoy" ); + test_case( "(?i:...) pattern construct", /foo|(?i:bar)/ | /foo/i in "xFOoy" ); } From c28f1ae0ced6832a1661da2848a7f0ece3033780 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Fri, 29 Jun 2018 13:10:00 -0700 Subject: [PATCH 539/631] Add sending of values to nodes that dropped out. The only node that cannot be recovered is the manager - and the manager should just re-read its own configuration and be ok :) --- scripts/base/frameworks/config/main.bro | 8 +----- src/option.bif | 7 ++++- .../manager-1..stdout | 5 ++++ .../manager-1.config.log | 12 +++++++++ .../worker-1..stdout | 5 ++++ .../worker-2..stdout | 3 +++ .../base/frameworks/config/basic_cluster.bro | 2 +- .../base/frameworks/config/cluster_resend.bro | 27 ++++++++++--------- 8 files changed, 48 insertions(+), 21 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/manager-1..stdout create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/manager-1.config.log create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/worker-1..stdout create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/worker-2..stdout diff --git a/scripts/base/frameworks/config/main.bro b/scripts/base/frameworks/config/main.bro index 3503e5e6bd..b83da42785 100644 --- a/scripts/base/frameworks/config/main.bro +++ b/scripts/base/frameworks/config/main.bro @@ -62,7 +62,6 @@ event bro_init() Broker::subscribe(change_topic); } - event Config::cluster_set_option(ID: string, val: any, location: string) { @if ( Cluster::local_node_type() == Cluster::MANAGER ) 
@@ -103,17 +102,12 @@ function set_value(ID: string, val: any, location: string &default = "" &optiona @if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) # Handling of new worker nodes. -event Cluster::node_up(name: string, id: string) +event Cluster::node_up(name: string, id: string) &priority=-10 { # When a node connects, send it all current Option values. if ( name in Cluster::nodes ) - { - print option_cache; for ( ID in option_cache ) - { Broker::publish(Cluster::node_topic(name), Config::cluster_set_option, ID, option_cache[ID]$val, option_cache[ID]$location); - } - } } @endif diff --git a/src/option.bif b/src/option.bif index 67108053f3..6a0ba777ee 100644 --- a/src/option.bif +++ b/src/option.bif @@ -48,7 +48,12 @@ static bool call_option_handlers_and_set_value(StringVal* name, ID* i, Val* val, ## ## Returns: true on success, false when an error occurred. ## -## .. bro:see:: Option::set_change_handler +## .. bro:see:: Option::set_change_handler Config::set_value +## +## .. note:: :bro:id:`Option::set` only works on one node and does not distribute +## new values across a cluster. The higher-level :bro:id:`Config::set_value` +## supports clusterization and should typically be used instead of this +## lower-level function. function Option::set%(ID: string, val: any, location: string &default=""%): bool %{ auto i = global_scope()->Lookup(ID->CheckString()); diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/manager-1..stdout new file mode 100644 index 0000000000..066eb59f96 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/manager-1..stdout @@ -0,0 +1,5 @@ +Node up, worker-1 +option changed, testcount, 1, +option changed, testport, 44/tcp, +option changed, teststring, b, comment +Node up, worker-2 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/manager-1.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/manager-1.config.log new file mode 100644 index 0000000000..900aaf6796 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/manager-1.config.log @@ -0,0 +1,12 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path config +#open 2018-06-29-19-46-30 +#fields ts id old_value new_value location +#types time string string string string +1530301590.505311 testcount 0 1 - +1530301590.605012 testport 42/tcp 44/tcp - +1530301590.605012 teststring a b comment +#close 2018-06-29-19-46-51 diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/worker-1..stdout new file mode 100644 index 0000000000..59431be9c1 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/worker-1..stdout @@ -0,0 +1,5 @@ +option changed, testport, 44/tcp, +option changed, teststring, b, comment +option changed, testcount, 1, +option changed, testport, 44/tcp, +option changed, teststring, b, comment diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/worker-2..stdout new file mode 100644 index 0000000000..564ac790e8 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/worker-2..stdout @@ -0,0 +1,3 @@ +option changed, testport, 44/tcp, +option changed, testcount, 1, +option changed, teststring, b, comment diff --git a/testing/btest/scripts/base/frameworks/config/basic_cluster.bro b/testing/btest/scripts/base/frameworks/config/basic_cluster.bro index 4dc743a0cf..c6e0bf15a6 100644 --- a/testing/btest/scripts/base/frameworks/config/basic_cluster.bro 
+++ b/testing/btest/scripts/base/frameworks/config/basic_cluster.bro @@ -69,7 +69,7 @@ event bro_init() &priority=5 @if ( Cluster::local_node_type() == Cluster::MANAGER ) global peer_count = 0; -event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) +event Cluster::node_up(name: string, id: string) { ++peer_count; if ( peer_count == 2 ) diff --git a/testing/btest/scripts/base/frameworks/config/cluster_resend.bro b/testing/btest/scripts/base/frameworks/config/cluster_resend.bro index 450c03cbdf..9e82672f2b 100644 --- a/testing/btest/scripts/base/frameworks/config/cluster_resend.bro +++ b/testing/btest/scripts/base/frameworks/config/cluster_resend.bro @@ -28,6 +28,7 @@ redef Log::default_rotation_interval = 0secs; export { option testport = 42/tcp; option teststring = "a"; + option testcount: count = 0; } global n = 0; @@ -52,10 +53,10 @@ event ready_for_data() } @endif -@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) -event Cluster::node_up(name: string, id: string) +@if ( Cluster::node == "manager-1" ) +event ready_for_data() { - print "Node up", name; + Config::set_value("testcount", 1); } @endif @@ -64,10 +65,18 @@ event die() terminate(); } +@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) +event Cluster::node_up(name: string, id: string) + { + print "Node up", name; + if ( name == "worker-2" ) + schedule 5sec { die() }; + } +@endif + function option_changed(ID: string, new_value: any, location: string): any { print "option changed", ID, new_value, location; - #schedule 5sec { die() }; return new_value; } 
@@ -75,12 +84,13 @@ event bro_init() &priority=5 { Option::set_change_handler("testport", option_changed, -100); Option::set_change_handler("teststring", option_changed, -100); + Option::set_change_handler("testcount", option_changed, -100); } @if ( Cluster::local_node_type() == Cluster::MANAGER ) global peer_count = 0; -event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) +event Cluster::node_up(name: string, id: string) &priority=-5 { ++peer_count; if ( peer_count == 1 ) @@ -93,10 +103,3 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } - -module Config; - -event Config::cluster_set_option(ID: string, val: any, location: string) - { - print "cluster_set_option for ", ID; - } From 30c259864c52be0b6457a0b1974ec5336001d763 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 29 Jun 2018 13:33:45 -0700 Subject: [PATCH 540/631] Config: another cluster test-case, this time reading in a file. This test-case has actually revealed an interesting issue - it works as is, but as soon as one adds a vector, one gets the fun error-message fatal error in any: BroType::AsVectorType (any/vector) (any) This will require a bit more digging :). --- .../manager-1..stdout | 1 + .../manager-1.config.log | 23 ++++ .../worker-1..stdout | 11 ++ .../worker-2..stdout | 11 ++ .../frameworks/config/read_config_cluster.bro | 102 ++++++++++++++++++ 5 files changed, 148 insertions(+) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1..stdout create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1.config.log create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-1..stdout create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-2..stdout create mode 100644 testing/btest/scripts/base/frameworks/config/read_config_cluster.bro 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1..stdout new file mode 100644 index 0000000000..21f258d510 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1..stdout @@ -0,0 +1 @@ +option changed, testport, 45/unknown, ../configfile diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1.config.log new file mode 100644 index 0000000000..a9794564b3 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1.config.log @@ -0,0 +1,23 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path config +#open 2018-06-29-20-24-53 +#fields ts id old_value new_value location +#types time string string string string +1530303893.918762 testbool T F ../configfile +1530303893.918762 testcount 0 1 ../configfile +1530303893.918762 testcount 1 2 ../configfile +1530303893.918762 testint 0 -1 ../configfile +1530303893.918762 testenum SSH::LOG Conn::LOG ../configfile +1530303893.918762 testport 42/tcp 45/unknown ../configfile +1530303893.918762 testaddr 127.0.0.1 127.0.0.1 ../configfile +1530303893.918762 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile +1530303893.918762 testinterval 1.0 sec 60.0 ../configfile +1530303893.918762 testtime 0.0 1507321987.0 ../configfile +1530303893.918762 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile +1530303893.918762 test_set b,c,a,d,erdbeerschnitzel \x28empty) ../configfile +1530303893.918762 test_set \x28empty) \x2d ../configfile +1530303893.918762 test_set_full 2,1,7,15,10,3 6,4,1,7,5,3 ../configfile +#close 2018-06-29-20-25-06 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-1..stdout new file mode 100644 index 0000000000..b55e8dd13c --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-1..stdout @@ -0,0 +1,11 @@ +cluster_set_option, testtime, [data=broker::data{1507321987000000000ns}], ../configfile +cluster_set_option, testint, [data=broker::data{-1}], ../configfile +option changed, testport, 45/unknown, ../configfile +cluster_set_option, testport, [data=broker::data{45/?}], ../configfile +cluster_set_option, testinterval, [data=broker::data{60000000000ns}], ../configfile +cluster_set_option, test_set, [data=broker::data{{-}}], ../configfile +cluster_set_option, testaddr, [data=broker::data{2607:f8b0:4005:801::200e}], ../configfile +cluster_set_option, testenum, [data=broker::data{Conn::LOG}], ../configfile +cluster_set_option, testbool, [data=broker::data{F}], ../configfile +cluster_set_option, testcount, [data=broker::data{2}], ../configfile +cluster_set_option, test_set_full, [data=broker::data{{1, 3, 4, 5, 6, 7}}], ../configfile diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-2..stdout new file mode 100644 index 0000000000..b55e8dd13c --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-2..stdout 
@@ -0,0 +1,11 @@ +cluster_set_option, testtime, [data=broker::data{1507321987000000000ns}], ../configfile +cluster_set_option, testint, [data=broker::data{-1}], ../configfile +option changed, testport, 45/unknown, ../configfile +cluster_set_option, testport, [data=broker::data{45/?}], ../configfile +cluster_set_option, testinterval, [data=broker::data{60000000000ns}], ../configfile +cluster_set_option, test_set, [data=broker::data{{-}}], ../configfile +cluster_set_option, testaddr, [data=broker::data{2607:f8b0:4005:801::200e}], ../configfile +cluster_set_option, testenum, [data=broker::data{Conn::LOG}], ../configfile +cluster_set_option, testbool, [data=broker::data{F}], ../configfile +cluster_set_option, testcount, [data=broker::data{2}], ../configfile +cluster_set_option, test_set_full, [data=broker::data{{1, 3, 4, 5, 6, 7}}], ../configfile diff --git a/testing/btest/scripts/base/frameworks/config/read_config_cluster.bro b/testing/btest/scripts/base/frameworks/config/read_config_cluster.bro new file mode 100644 index 0000000000..d44518579f --- /dev/null +++ b/testing/btest/scripts/base/frameworks/config/read_config_cluster.bro 
@@ -0,0 +1,102 @@ +# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: sleep 1 +# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT +# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT +# @TEST-EXEC: btest-bg-wait 15 +# @TEST-EXEC: btest-diff manager-1/.stdout +# @TEST-EXEC: btest-diff worker-1/.stdout +# @TEST-EXEC: btest-diff worker-2/.stdout +# @TEST-EXEC: btest-diff manager-1/config.log + +@load base/frameworks/config + + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], +}; +@TEST-END-FILE + +@TEST-START-FILE configfile +testbool F +testcount 1 +testcount 2 +testcount 2 +testint -1 +testenum Conn::LOG +testport 45 +testaddr 127.0.0.1 +testaddr 2607:f8b0:4005:801::200e +testinterval 60 +testtime 1507321987 +test_set a,b,c,d,erdbeerschnitzel +test_vector 1,2,3,4,5,6 +test_set (empty) +test_set - +test_set_full 1,3,4,5,6,7 +@TEST-END-FILE + +redef Log::default_rotation_interval = 0secs; + +export { + option testbool: bool = T; + option testcount: count = 0; + option testint: int = 0; + option testenum = SSH::LOG; + option testport = 42/tcp; + option testaddr = 127.0.0.1; + option testtime = network_time(); + option testinterval = 1sec; + option teststring = "a"; + option test_set: set[string] = {}; + option test_set_full: set[count] = {1, 2, 3, 7, 10, 15}; + #option test_vector: vector of count = {}; +} + +event bro_init() + { + Config::read_config("../configfile"); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); + } + +function option_changed(ID: string, new_value: any, 
location: string): any + { + print "option changed", ID, new_value, location; + return new_value; + } + +event bro_init() &priority=5 + { + Option::set_change_handler("testport", option_changed, -100); + Option::set_change_handler("teststring", option_changed, -100); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); + } + +@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) +event die() + { + terminate(); + } + +event Cluster::node_up(name: string, id: string) + { + schedule 10sec { die() }; + } +@endif + +module Config; + +event Config::cluster_set_option(ID: string, val: any, location: string) &priority=-10 + { + print "cluster_set_option", ID, val, location; + } From 8f990036f6ad1b9f5cb935a75c260a07d17b94c6 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 29 Jun 2018 15:58:53 -0500 Subject: [PATCH 541/631] Fixes for OpenSSL 1.1 support The following tests currently fail due to what seems like different behavior in OpenSSL 1.1 vs 1.0: scripts/base/protocols/rdp/rdp-x509.bro bifs/x509_verify.bro --- cmake | 2 +- src/file_analysis/analyzer/x509/OCSP.cc | 433 ++++++++++++++++-- src/file_analysis/analyzer/x509/OCSP.h | 4 +- src/file_analysis/analyzer/x509/X509.cc | 4 + src/file_analysis/analyzer/x509/functions.bif | 41 +- 5 files changed, 425 insertions(+), 59 deletions(-) diff --git a/cmake b/cmake index 1600554d1d..064bf442f2 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 1600554d1d907f4f252f19cf1f55e13d368a936f +Subproject commit 064bf442f22e72a2c15b3db6b7995189efaee982 diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index 02c9274999..e22440aab8 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc 
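Review bot: `event Broker::peer_lost` is defined twice in this new test with the same body (`terminate();`), once after the first `bro_init` and again after the second; one copy should be removed. The embedded `configfile` also sets `test_vector 1,2,3,4,5,6` while the matching `option test_vector` declaration is commented out. If that is deliberate because of the vector failure described in the commit message, a short comment such as `# test_vector is disabled until the any/vector conversion error is fixed` next to the commented option would keep the two in step.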
@@ -21,7 +21,7 @@ // helper function of sk_X509_value to avoid namespace problem // sk_X509_value(X,Y) = > SKM_sk_value(X509,X,Y) // X509 => file_analysis::X509 -X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i) +X509* helper_sk_X509_value(const STACK_OF(X509)* certs, int i) { return sk_X509_value(certs, i); } 
@@ -42,38 +42,84 @@ static Val* get_ocsp_type(RecordVal* args, const char* name) return rval; } -static void OCSP_RESPID_bio(OCSP_RESPID *resp_id, BIO* bio) +static bool OCSP_RESPID_bio(OCSP_BASICRESP* basic_resp, BIO* bio) { - if (resp_id->type == V_OCSP_RESPID_NAME) - X509_NAME_print_ex(bio, resp_id->value.byName, 0, XN_FLAG_ONELINE); - else if (resp_id->type == V_OCSP_RESPID_KEY) - i2a_ASN1_STRING(bio, resp_id->value.byKey, V_ASN1_OCTET_STRING); +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) + ASN1_OCTET_STRING* key = nullptr; + X509_NAME* name = nullptr; + + if ( ! basic_resp->tbsResponseData ) + return false; + + auto resp_id = basic_resp->tbsResponseData->responderId; + + if ( resp_id->type == V_OCSP_RESPID_NAME ) + name = resp_id->value.byName; + else if ( resp_id->type == V_OCSP_RESPID_KEY ) + key = resp_id->value.byKey; + else + return false; +#else + const ASN1_OCTET_STRING* key = nullptr; + const X509_NAME* name = nullptr; + + if ( ! OCSP_resp_get0_id(basic_resp, &key, &name) ) + return false; +#endif + + if ( name ) + X509_NAME_print_ex(bio, name, 0, XN_FLAG_ONELINE); + else + i2a_ASN1_STRING(bio, key, V_ASN1_OCTET_STRING); + + return true; } -void ocsp_add_cert_id(OCSP_CERTID *cert_id, val_list* vl, BIO* bio) +bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, val_list* vl, BIO* bio) { + ASN1_OBJECT* hash_alg = nullptr; + ASN1_OCTET_STRING* issuer_name_hash = nullptr; + ASN1_OCTET_STRING* issuer_key_hash = nullptr; + ASN1_INTEGER* serial_number = nullptr; + + auto res = OCSP_id_get0_info(&issuer_name_hash, &hash_alg, + &issuer_key_hash, &serial_number, + const_cast(cert_id)); + + if ( ! 
res ) + { + reporter->Weird("OpenSSL failed to get OCSP_CERTID info"); + vl->append(new StringVal("")); + vl->append(new StringVal("")); + vl->append(new StringVal("")); + vl->append(new StringVal("")); + return false; + } + char buf[OCSP_STRING_BUF_SIZE]; memset(buf, 0, sizeof(buf)); - i2a_ASN1_OBJECT(bio, cert_id->hashAlgorithm->algorithm); + i2a_ASN1_OBJECT(bio, hash_alg); int len = BIO_read(bio, buf, sizeof(buf)); vl->append(new StringVal(len, buf)); BIO_reset(bio); - i2a_ASN1_STRING(bio, cert_id->issuerNameHash, V_ASN1_OCTET_STRING); + i2a_ASN1_STRING(bio, issuer_name_hash, V_ASN1_OCTET_STRING); len = BIO_read(bio, buf, sizeof(buf)); vl->append(new StringVal(len, buf)); BIO_reset(bio); - i2a_ASN1_STRING(bio, cert_id->issuerKeyHash, V_ASN1_OCTET_STRING); + i2a_ASN1_STRING(bio, issuer_key_hash, V_ASN1_OCTET_STRING); len = BIO_read(bio, buf, sizeof(buf)); vl->append(new StringVal(len, buf)); BIO_reset(bio); - i2a_ASN1_INTEGER(bio, cert_id->serialNumber); + i2a_ASN1_INTEGER(bio, serial_number); len = BIO_read(bio, buf, sizeof(buf)); vl->append(new StringVal(len, buf)); BIO_reset(bio); + + return true; } file_analysis::Analyzer* OCSP::InstantiateRequest(RecordVal* args, File* file) @@ -124,6 +170,7 @@ bool file_analysis::OCSP::EndOfFile() else { OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size()); + if (!resp) { reporter->Weird(fmt("OPENSSL Could not parse OCSP response (fuid %s)", GetFile()->GetID().c_str())); 
@@ -138,22 +185,262 @@ bool file_analysis::OCSP::EndOfFile() return true; } -void file_analysis::OCSP::ParseRequest(OCSP_REQUEST *req, const char* fid) +#if ( OPENSSL_VERSION_NUMBER >= 0x10100000L ) +// Re-encode and then parse out ASN1 structures to get at what we need... +/*- BasicOCSPResponse ::= SEQUENCE { + * tbsResponseData ResponseData, + * signatureAlgorithm AlgorithmIdentifier, + * signature BIT STRING, + * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } +typedef struct ocsp_basic_response_st { + OCSP_RESPDATA *tbsResponseData; + X509_ALGOR *signatureAlgorithm; + ASN1_BIT_STRING *signature; + STACK_OF(X509) *certs; +} OCSP_BASICRESP; +*/ +static StringVal* parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp, + BIO* bio, char* buf, size_t buf_len) { - OCSP_REQINFO *inf = req->tbsRequest; + int der_basic_resp_len = 0; + unsigned char* der_basic_resp_dat = nullptr; + der_basic_resp_len = i2d_OCSP_BASICRESP(basic_resp, &der_basic_resp_dat); + + if ( der_basic_resp_len <= 0 ) + return new StringVal(""); + + const unsigned char* const_der_basic_resp_dat = der_basic_resp_dat; + + auto bseq = d2i_ASN1_SEQUENCE_ANY(nullptr, &const_der_basic_resp_dat, + der_basic_resp_len); + + if ( ! bseq ) + { + OPENSSL_free(der_basic_resp_dat); + return new StringVal(""); + } + + if ( sk_ASN1_TYPE_num(bseq) < 3 ) + { + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new StringVal(""); + } + + auto constexpr sig_alg_idx = 1u; + auto aseq_type = sk_ASN1_TYPE_value(bseq, sig_alg_idx); + + if ( ASN1_TYPE_get(aseq_type) != V_ASN1_SEQUENCE ) + { + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new StringVal(""); + } + + auto aseq_str = aseq_type->value.asn1_string; + auto aseq_len = ASN1_STRING_length(aseq_str); + auto aseq_dat = ASN1_STRING_get0_data(aseq_str); + + auto aseq = d2i_ASN1_SEQUENCE_ANY(nullptr, &aseq_dat, aseq_len); + + if ( ! 
aseq ) + { + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new StringVal(""); + } + + if ( sk_ASN1_TYPE_num(aseq) < 1 ) + { + sk_ASN1_TYPE_free(aseq); + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new StringVal(""); + } + + auto constexpr alg_obj_idx = 0u; + auto alg_obj_type = sk_ASN1_TYPE_value(aseq, alg_obj_idx); + + if ( ASN1_TYPE_get(alg_obj_type) != V_ASN1_OBJECT ) + { + sk_ASN1_TYPE_free(aseq); + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new StringVal(""); + } + + auto alg_obj = alg_obj_type->value.object; + i2a_ASN1_OBJECT(bio, alg_obj); + auto alg_len = BIO_read(bio, buf, buf_len); + auto rval = new StringVal(alg_len, buf); + BIO_reset(bio); + + sk_ASN1_TYPE_free(aseq); + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return rval; + } + +static Val* parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp) + { + int der_basic_resp_len = 0; + unsigned char* der_basic_resp_dat = nullptr; + + der_basic_resp_len = i2d_OCSP_BASICRESP(basic_resp, &der_basic_resp_dat); + + if ( der_basic_resp_len <= 0 ) + return new Val(-1, TYPE_COUNT); + + const unsigned char* const_der_basic_resp_dat = der_basic_resp_dat; + + auto bseq = d2i_ASN1_SEQUENCE_ANY(nullptr, &const_der_basic_resp_dat, + der_basic_resp_len); + + if ( ! 
bseq ) + { + OPENSSL_free(der_basic_resp_dat); + return new Val(-1, TYPE_COUNT); + } + + if ( sk_ASN1_TYPE_num(bseq) < 3 ) + { + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new Val(-1, TYPE_COUNT); + } + + auto constexpr resp_data_idx = 0u; + auto dseq_type = sk_ASN1_TYPE_value(bseq, resp_data_idx); + + if ( ASN1_TYPE_get(dseq_type) != V_ASN1_SEQUENCE ) + { + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new Val(-1, TYPE_COUNT); + } + + auto dseq_str = dseq_type->value.asn1_string; + auto dseq_len = ASN1_STRING_length(dseq_str); + auto dseq_dat = ASN1_STRING_get0_data(dseq_str); + + auto dseq = d2i_ASN1_SEQUENCE_ANY(nullptr, &dseq_dat, dseq_len); + + if ( ! dseq ) + { + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new StringVal(""); + } + + if ( sk_ASN1_TYPE_num(dseq) < 1 ) + { + sk_ASN1_TYPE_free(dseq); + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new StringVal(""); + } + +/*- ResponseData ::= SEQUENCE { + * version [0] EXPLICIT Version DEFAULT v1, + * responderID ResponderID, + * producedAt GeneralizedTime, + * responses SEQUENCE OF SingleResponse, + * responseExtensions [1] EXPLICIT Extensions OPTIONAL } + */ + + auto constexpr version_idx = 0u; + auto version_type = sk_ASN1_TYPE_value(dseq, version_idx); + + if ( ASN1_TYPE_get(version_type) != V_ASN1_INTEGER ) + { + sk_ASN1_TYPE_free(dseq); + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + // Not present, use default value. 
+ return new Val(0, TYPE_COUNT); + } + + uint64_t asn1_int = ASN1_INTEGER_get(version_type->value.integer); + sk_ASN1_TYPE_free(dseq); + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new Val(asn1_int, TYPE_COUNT); + } + +static uint64 parse_request_version(OCSP_REQUEST* req) + { + int der_req_len = 0; + unsigned char* der_req_dat = nullptr; + der_req_len = i2d_OCSP_REQUEST(req, &der_req_dat); + const unsigned char* const_der_req_dat = der_req_dat; + + if ( ! der_req_dat ) + return -1; + + auto rseq = d2i_ASN1_SEQUENCE_ANY(nullptr, &const_der_req_dat, + der_req_len); + + if ( ! rseq ) + { + OPENSSL_free(der_req_dat); + return -1; + } + + if ( sk_ASN1_TYPE_num(rseq) < 1 ) + { + sk_ASN1_TYPE_free(rseq); + OPENSSL_free(der_req_dat); + return -1; + } + + auto constexpr version_idx = 0u; + auto version_type = sk_ASN1_TYPE_value(rseq, version_idx); + + if ( ASN1_TYPE_get(version_type) != V_ASN1_INTEGER ) + { + sk_ASN1_TYPE_free(rseq); + OPENSSL_free(der_req_dat); + // Not present, use default value. + return 0; + } + + uint64_t asn1_int = ASN1_INTEGER_get(version_type->value.integer); + sk_ASN1_TYPE_free(rseq); + OPENSSL_free(der_req_dat); + return asn1_int; + } +#endif + +void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req, const char* fid) + { char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions memset(buf, 0, sizeof(buf)); // build up our response as we go along... val_list* vl = new val_list(); vl->append(GetFile()->GetVal()->Ref()); - vl->append(new Val((uint64)ASN1_INTEGER_get(inf->version), TYPE_COUNT)); + + uint64 version = 0; + GENERAL_NAME* general_name = nullptr; + +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) + if ( req->tbsRequest->version ) + version = (uint64)ASN1_INTEGER_get(req->tbsRequest->version); + + general_name = req->tbsRequest->requestorName; +#else + version = parse_request_version(req); + // TODO: try to parse out general name ? 
+#endif + + vl->append(new Val(version, TYPE_COUNT)); + BIO *bio = BIO_new(BIO_s_mem()); - if (inf->requestorName != NULL) + if ( general_name ) { - GENERAL_NAME_print(bio, inf->requestorName); + GENERAL_NAME_print(bio, general_name); int len = BIO_read(bio, buf, sizeof(buf)); vl->append(new StringVal(len, buf)); BIO_reset(bio); @@ -182,10 +469,12 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST *req, const char* fid) void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) { OCSP_RESPONSE *resp = resp_val->GetResp(); - OCSP_RESPBYTES *resp_bytes = resp->responseBytes; + //OCSP_RESPBYTES *resp_bytes = resp->responseBytes; OCSP_BASICRESP *basic_resp = nullptr; OCSP_RESPDATA *resp_data = nullptr; OCSP_RESPID *resp_id = nullptr; + const ASN1_GENERALIZEDTIME* produced_at = nullptr; + const STACK_OF(X509)* certs = nullptr; int resp_count, num_ext = 0; VectorVal *certs_vector = nullptr; @@ -203,11 +492,11 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) mgr.QueueEvent(ocsp_response_status, vl); vl = nullptr; - if (!resp_bytes) - { - Unref(status_val); - return; - } + //if (!resp_bytes) + // { + // Unref(status_val); + // return; + // } BIO *bio = BIO_new(BIO_s_mem()); //i2a_ASN1_OBJECT(bio, resp_bytes->responseType); 
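Review bot: The three re-encoding helpers (`parse_basic_resp_sig_alg`, `parse_basic_resp_data_version`, `parse_request_version`) release the stacks returned by `d2i_ASN1_SEQUENCE_ANY` with `sk_ASN1_TYPE_free`, which frees only the stack and not its `ASN1_TYPE` elements. Every OCSP message parsed from traffic therefore leaks the decoded elements on OpenSSL 1.1 builds; use `sk_ASN1_TYPE_pop_free(bseq, ASN1_TYPE_free)`, and the same for `aseq`, `dseq` and `rseq`. In `parse_basic_resp_data_version` the `! dseq` and `sk_ASN1_TYPE_num(dseq) < 1` paths return `new StringVal("")` although the result is appended as the event's count argument; they should return `new Val(-1, TYPE_COUNT)` like the other error paths. `parse_request_version` tests `! der_req_dat` where the sibling helpers test the length, so `if ( der_req_len <= 0 ) return -1;` would match them. Since `-1` stored in a `uint64` or count is reported as 2^64-1, a comment naming it as the "could not parse" sentinel is needed at each of those returns.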
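Review bot: The `resp_bytes` null check in `ParseResponse` is disabled by commenting it out, together with its declaration in the preceding hunk, instead of being deleted, which leaves dead code behind. The removed branch did `Unref(status_val); return;` before the `BIO` was created. A response without a body is now caught only by `if ( !basic_resp ) goto clean_up;` further down, and the `clean_up` code is outside this hunk, so confirm that it releases both `status_val` and `bio` on that path. Once that is checked, delete the commented lines.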
@@ -219,31 +508,53 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) if ( !basic_resp ) goto clean_up; +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) resp_data = basic_resp->tbsResponseData; if ( !resp_data ) goto clean_up; +#endif vl = new val_list(); vl->append(GetFile()->GetVal()->Ref()); vl->append(resp_val->Ref()); vl->append(status_val); + +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) vl->append(new Val((uint64)ASN1_INTEGER_get(resp_data->version), TYPE_COUNT)); +#else + vl->append(parse_basic_resp_data_version(basic_resp)); +#endif // responderID - resp_id = resp_data->responderId; - OCSP_RESPID_bio(resp_id, bio); - len = BIO_read(bio, buf, sizeof(buf)); - vl->append(new StringVal(len, buf)); - BIO_reset(bio); + if ( OCSP_RESPID_bio(basic_resp, bio) ) + { + len = BIO_read(bio, buf, sizeof(buf)); + vl->append(new StringVal(len, buf)); + BIO_reset(bio); + } + else + { + reporter->Weird("OpenSSL failed to get OCSP responder id"); + vl->append(new StringVal("")); + } // producedAt - vl->append(new Val(GetTimeFromAsn1(resp_data->producedAt, fid, reporter), TYPE_TIME)); +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) + produced_at = resp_data->producedAt; +#else + produced_at = OCSP_resp_get0_produced_at(basic_resp); +#endif + + vl->append(new Val(GetTimeFromAsn1(produced_at, fid, reporter), TYPE_TIME)); // responses - resp_count = sk_OCSP_SINGLERESP_num(resp_data->responses); + + resp_count = OCSP_resp_count(basic_resp); + for ( int i=0; iresponses, i); + OCSP_SINGLERESP* single_resp = OCSP_resp_get0(basic_resp, i); + if ( !single_resp ) continue; 
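Review bot: In the responderID branch the return value of `BIO_read` goes straight into `new StringVal(len, buf)`, and `BIO_read` returns zero or a negative value when the memory BIO holds no data. A true result from `OCSP_RESPID_bio` probably implies something was written, but that helper is defined outside this hunk, so I would clamp before constructing the value: `if ( len < 0 ) len = 0;`. ParseResponse starts and ends outside the hunk, and the same read-then-construct pattern seems to recur elsewhere in it.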
@@ -251,24 +562,41 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) rvl->append(GetFile()->GetVal()->Ref()); // cert id - OCSP_CERTID *cert_id = single_resp->certId; + const OCSP_CERTID* cert_id = nullptr; + +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) + cert_id = single_resp->certId; +#else + cert_id = OCSP_SINGLERESP_get0_id(single_resp); +#endif + ocsp_add_cert_id(cert_id, rvl, bio); BIO_reset(bio); // certStatus - OCSP_CERTSTATUS *cert_status = single_resp->certStatus; - const char* cert_status_str = OCSP_cert_status_str(cert_status->type); + int status = V_OCSP_CERTSTATUS_UNKNOWN; + int reason = OCSP_REVOKED_STATUS_NOSTATUS; + ASN1_GENERALIZEDTIME* revoke_time = nullptr; + ASN1_GENERALIZEDTIME* this_update = nullptr; + ASN1_GENERALIZEDTIME* next_update = nullptr; + + if ( ! OCSP_resp_find_status(basic_resp, + const_cast(cert_id), + &status, &reason, &revoke_time, + &this_update, &next_update) ) + reporter->Weird("OpenSSL failed to find status of OCSP response"); + + const char* cert_status_str = OCSP_cert_status_str(status); rvl->append(new StringVal(strlen(cert_status_str), cert_status_str)); // revocation time and reason if revoked - if ( cert_status->type == V_OCSP_CERTSTATUS_REVOKED ) + if ( status == V_OCSP_CERTSTATUS_REVOKED ) { - OCSP_REVOKEDINFO *revoked_info = cert_status->value.revoked; - rvl->append(new Val(GetTimeFromAsn1(revoked_info->revocationTime, fid, reporter), TYPE_TIME)); + rvl->append(new Val(GetTimeFromAsn1(revoke_time, fid, reporter), TYPE_TIME)); - if ( revoked_info->revocationReason ) + if ( reason != OCSP_REVOKED_STATUS_NOSTATUS ) { - const char* revoke_reason = OCSP_crl_reason_str(ASN1_ENUMERATED_get(revoked_info->revocationReason)); + const char* revoke_reason = OCSP_crl_reason_str(reason); rvl->append(new StringVal(strlen(revoke_reason), revoke_reason)); } else 
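Review bot: `OCSP_resp_find_status(basic_resp, cert_id, ...)` searches the whole response for the first entry whose CertID matches, so it does not necessarily describe `single_resp`, the entry this loop iteration is reporting. If a response carries two SingleResponses with the same CertID, both events would get the status, revocation time and update times of the first one, and a script consuming them would never see a conflicting second entry. Reading the fields from the entry itself avoids the lookup and the `const_cast`: `status = OCSP_single_get0_status(single_resp, &reason, &revoke_time, &this_update, &next_update);` followed by `if ( status < 0 ) reporter->Weird("OpenSSL failed to find status of OCSP response");`. The loop body starts and ends outside this hunk.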
@@ -280,9 +608,13 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) rvl->append(new StringVal(0, "")); } - rvl->append(new Val(GetTimeFromAsn1(single_resp->thisUpdate, fid, reporter), TYPE_TIME)); - if ( single_resp->nextUpdate ) - rvl->append(new Val(GetTimeFromAsn1(single_resp->nextUpdate, fid, reporter), TYPE_TIME)); + if ( this_update ) + rvl->append(new Val(GetTimeFromAsn1(this_update, fid, reporter), TYPE_TIME)); + else + rvl->append(new Val(0, TYPE_TIME)); + + if ( next_update ) + rvl->append(new Val(GetTimeFromAsn1(next_update, fid, reporter), TYPE_TIME)); else rvl->append(new Val(0, TYPE_TIME)); @@ -299,10 +631,14 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) } } +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm); len = BIO_read(bio, buf, sizeof(buf)); vl->append(new StringVal(len, buf)); BIO_reset(bio); +#else + vl->append(parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf))); +#endif //i2a_ASN1_OBJECT(bio, basic_resp->signature); //len = BIO_read(bio, buf, sizeof(buf)); @@ -311,13 +647,20 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType()); vl->append(certs_vector); - if ( basic_resp->certs ) + +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) + certs = basic_resp->certs; +#else + certs = OCSP_resp_get0_certs(basic_resp); +#endif + + if ( certs ) { - int num_certs = sk_X509_num(basic_resp->certs); + int num_certs = sk_X509_num(certs); for ( int i=0; icerts, i)); - //::X509 *this_cert = X509_dup(sk_X509_value(basic_resp->certs, i)); + ::X509 *this_cert = X509_dup(helper_sk_X509_value(certs, i)); + //::X509 *this_cert = X509_dup(sk_X509_value(certs, i)); if (this_cert) certs_vector->Assign(i, new file_analysis::X509Val(this_cert)); else 
diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h index ca8c2c563e..75caf3120a 100644 --- a/src/file_analysis/analyzer/x509/OCSP.h +++ b/src/file_analysis/analyzer/x509/OCSP.h @@ -29,8 +29,8 @@ protected: OCSP(RecordVal* args, File* file, bool request); private: - void ParseResponse(OCSP_RESPVal *, const char* fid = 0); - void ParseRequest(OCSP_REQUEST *, const char* fid = 0); + void ParseResponse(OCSP_RESPVal*, const char* fid = 0); + void ParseRequest(OCSP_REQUEST*, const char* fid = 0); void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override; std::string ocsp_data; diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index 0426b59923..7571915207 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -290,7 +290,11 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) continue; } +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) const char* name = (const char*) ASN1_STRING_data(gen->d.ia5); +#else + const char* name = (const char*) ASN1_STRING_get0_data(gen->d.ia5); +#endif StringVal* bs = new StringVal(name); switch ( gen->type ) diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index 18f56758f5..3622e0d13a 100644 --- a/src/file_analysis/analyzer/x509/functions.bif +++ b/src/file_analysis/analyzer/x509/functions.bif 
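Review bot: In ParseSAN, the new `ASN1_STRING_get0_data(gen->d.ia5)` branch hands only the data pointer to `new StringVal(name)`, just as the old branch did. That constructor has no length to go on and so presumably stops at the first NUL byte. An IA5String can contain an embedded NUL, so a SAN such as the constructed value `good.example\0.bad.example` would be recorded as `good.example`, with the remainder hidden from scripts and intel matching. Passing the ASN.1 length keeps the whole value: `StringVal* bs = new StringVal(ASN1_STRING_length(gen->d.ia5), name);`. ParseSAN's body continues outside the hunk.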
@@ -109,21 +109,36 @@ STACK_OF(X509)* x509_get_untrusted_stack(VectorVal* certs_vec) // We need this function to be able to identify the signer certificate of an // OCSP request out of a list of possible certificates. -X509* x509_get_ocsp_signer(STACK_OF(X509) *certs, OCSP_RESPID *rid) +X509* x509_get_ocsp_signer(const STACK_OF(X509)* certs, + OCSP_BASICRESP* basic_resp) { - // We support two lookup types - either by response id or by key. - if ( rid->type == V_OCSP_RESPID_NAME ) - return X509_find_by_subject(certs, rid->value.byName); + const ASN1_OCTET_STRING* key = nullptr; + const X509_NAME* name = nullptr; - // There only should be name and type - but let's be sure... - if ( rid->type != V_OCSP_RESPID_KEY ) +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) + OCSP_RESPID* resp_id = basic_resp->tbsResponseData->responderId; + + if ( resp_id->type == V_OCSP_RESPID_NAME ) + name = resp_id->value.byName; + else if ( resp_id->type == V_OCSP_RESPID_KEY ) + key = resp_id->value.byKey; + else return 0; +#else + if ( ! OCSP_resp_get0_id(basic_resp, &key, &name) ) + return 0; +#endif + + if ( name ) + return X509_find_by_subject(const_cast(certs), + const_cast(name)); // Just like OpenSSL, we just support SHA-1 lookups and bail out otherwhise. - if ( rid->value.byKey->length != SHA_DIGEST_LENGTH ) + if ( key->length != SHA_DIGEST_LENGTH ) return 0; - unsigned char* key_hash = rid->value.byKey->data; + unsigned char* key_hash = key->data; + for ( int i = 0; i < sk_X509_num(certs); ++i ) { unsigned char digest[SHA_DIGEST_LENGTH]; 
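Review bot: After the `if ( name )` branch, `key->length` is read with no null check of its own. It relies on the version-specific block above having set exactly one of `key` and `name`. That should hold for the two responder-id types handled here as long as the decoded value is populated, but a one-line guard makes the function safe on its own: `if ( ! key ) return 0;` before the length comparison. The comment above the function also still says "OCSP request" where the signer of an OCSP response is meant. The function body continues past the end of the hunk.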
@@ -328,15 +343,19 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c // Because we actually want to be able to give nice error messages that show why we were // not able to verify the OCSP response - do our own verification logic first. - signer = x509_get_ocsp_signer(basic->certs, basic->tbsResponseData->responderId); +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) + signer = x509_get_ocsp_signer(basic->certs, basic); +#else + signer = x509_get_ocsp_signer(OCSP_resp_get0_certs(basic), basic); +#endif /* Do this perhaps - OpenSSL also cannot do it, so I do not really feel bad about it. Needs a different lookup because the root store is no stack of X509 certs - if ( !s igner ) + if ( ! signer ) // if we did not find it in the certificates that were sent, search in the root store - signer = x509_get_ocsp_signer(ocsp_certs, basic->tbsResponseData->responderId); + signer = x509_get_ocsp_signer(ocsp_certs, basic); */ if ( ! signer ) From 2e0edd741608ba73c5f0e6aca9b2bc4a2277ad17 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 29 Jun 2018 16:01:23 -0500 Subject: [PATCH 542/631] Adjust x509 unit tests to work around OpenSSL 1.0 vs. 1.1 differences --- CMakeLists.txt | 4 ++ .../{.stdout => stdout-openssl-1.0} | 0 .../bifs.x509_verify/stdout-openssl-1.1 | 6 ++ testing/btest/bifs/x509_verify.bro | 11 +++- .../scripts/base/protocols/rdp/rdp-x509.bro | 2 +- testing/scripts/diff-remove-x509-key-info | 55 +++++++++++++++++++ 6 files changed, 76 insertions(+), 2 deletions(-) rename testing/btest/Baseline/bifs.x509_verify/{.stdout => stdout-openssl-1.0} (100%) create mode 100644 testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1 create mode 100755 testing/scripts/diff-remove-x509-key-info diff --git a/CMakeLists.txt b/CMakeLists.txt index d0ea236330..aad1163ed5 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -220,6 +220,10 @@ include(CheckNameserCompat) include(GetArchitecture) include(RequireCXX11) +if ( (OPENSSL_VERSION VERSION_EQUAL "1.1.0") OR (OPENSSL_VERSION VERSION_GREATER "1.1.0") ) + set(BRO_HAVE_OPENSSL_1_1 true CACHE INTERNAL "" FORCE) +endif() + # Tell the plugin code that we're building as part of the main tree. set(BRO_PLUGIN_INTERNAL_BUILD true CACHE INTERNAL "" FORCE) diff --git a/testing/btest/Baseline/bifs.x509_verify/.stdout b/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.0 similarity index 100% rename from testing/btest/Baseline/bifs.x509_verify/.stdout rename to testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.0 diff --git a/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1 b/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1 new file mode 100644 index 0000000000..29660eade5 --- /dev/null +++ b/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1 @@ -0,0 +1,6 @@ +Validation result: certificate has expired +Validation result: ok +Resulting chain: +Fingerprint: 70829f77ff4b6e908324a3f4e1940fce6c489098, Subject: CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP +Fingerprint: 5deb8f339e264c19f6686f5f8f32b54a4c46b476, Subject: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US +Fingerprint: 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5, Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US diff --git a/testing/btest/bifs/x509_verify.bro b/testing/btest/bifs/x509_verify.bro index 59939180c8..2afc735172 100644 --- a/testing/btest/bifs/x509_verify.bro +++ b/testing/btest/bifs/x509_verify.bro 
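Review bot: `BRO_HAVE_OPENSSL_1_1` is only ever set, never cleared, and it is stored in the cache with FORCE. A build directory that was configured against OpenSSL 1.1 and is later re-configured against 1.0 would therefore keep the entry in CMakeCache.txt. The x509_verify test added in this commit greps that file for the name alone, so it would pick the 1.1 baseline on a 1.0 build. Adding `else()` with `unset(BRO_HAVE_OPENSSL_1_1 CACHE)` before the `endif()` keeps the cache in step with the detected version.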
@@ -1,5 +1,14 @@ # @TEST-EXEC: bro -r $TRACES/tls/tls-expired-cert.trace %INPUT -# @TEST-EXEC: btest-diff .stdout + +# This is a hack: the results of OpenSSL 1.1's vs 1.0's +# X509_verify_cert() -> X509_STORE_CTX_get1_chain() calls +# differ. Word seems to be that OpenSSL 1.1's cert-chain-building +# code is significantly different/rewritten so may be the reason... + +# @TEST-EXEC: cp .stdout stdout-openssl-1.0 +# @TEST-EXEC: cp .stdout stdout-openssl-1.1 + +# @TEST-EXEC: grep -q "BRO_HAVE_OPENSSL_1_1" $BUILD/CMakeCache.txt && btest-diff stdout-openssl-1.1 || btest-diff stdout-openssl-1.0 redef SSL::root_certs += { ["OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x02\x3C\x30\x82\x01\xA5\x02\x10\x70\xBA\xE4\x1D\x10\xD9\x29\x34\xB6\x38\xCA\x7B\x03\xCC\xBA\xBF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x39\x36\x30\x31\x32\x39\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x38\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xC9\x5C\x59\x9E\xF2\x1B\x8A\x01\x14\xB4\x10\xDF\x04\x40\xDB\xE3\x57\xAF\x6A\x45\x40\x8F\x84\x0C\x0B\xD1\x33\xD9\
xD9\x11\xCF\xEE\x02\x58\x1F\x25\xF7\x2A\xA8\x44\x05\xAA\xEC\x03\x1F\x78\x7F\x9E\x93\xB9\x9A\x00\xAA\x23\x7D\xD6\xAC\x85\xA2\x63\x45\xC7\x72\x27\xCC\xF4\x4C\xC6\x75\x71\xD2\x39\xEF\x4F\x42\xF0\x75\xDF\x0A\x90\xC6\x8E\x20\x6F\x98\x0F\xF8\xAC\x23\x5F\x70\x29\x36\xA4\xC9\x86\xE7\xB1\x9A\x20\xCB\x53\xA5\x85\xE7\x3D\xBE\x7D\x9A\xFE\x24\x45\x33\xDC\x76\x15\xED\x0F\xA2\x71\x64\x4C\x65\x2E\x81\x68\x45\xA7\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x03\x81\x81\x00\xBB\x4C\x12\x2B\xCF\x2C\x26\x00\x4F\x14\x13\xDD\xA6\xFB\xFC\x0A\x11\x84\x8C\xF3\x28\x1C\x67\x92\x2F\x7C\xB6\xC5\xFA\xDF\xF0\xE8\x95\xBC\x1D\x8F\x6C\x2C\xA8\x51\xCC\x73\xD8\xA4\xC0\x53\xF0\x4E\xD6\x26\xC0\x76\x01\x57\x81\x92\x5E\x21\xF1\xD1\xB1\xFF\xE7\xD0\x21\x58\xCD\x69\x17\xE3\x44\x1C\x9C\x19\x44\x39\x89\x5C\xDC\x9C\x00\x0F\x56\x8D\x02\x99\xED\xA2\x90\x45\x4C\xE4\xBB\x10\xA4\x3D\xF0\x32\x03\x0E\xF1\xCE\xF8\xE8\xC9\x51\x8C\xE6\x62\x9F\xE6\x9F\xC0\x7D\xB7\x72\x9C\xC9\x36\x3A\x6B\x9F\x4E\xA8\xFF\x64\x0D\x64" diff --git a/testing/btest/scripts/base/protocols/rdp/rdp-x509.bro b/testing/btest/scripts/base/protocols/rdp/rdp-x509.bro index ae1eb8b542..2fed0d7d19 100644 --- a/testing/btest/scripts/base/protocols/rdp/rdp-x509.bro +++ b/testing/btest/scripts/base/protocols/rdp/rdp-x509.bro @@ -1,5 +1,5 @@ # @TEST-EXEC: bro -r $TRACES/rdp/rdp-x509.pcap %INPUT # @TEST-EXEC: btest-diff rdp.log -# @TEST-EXEC: btest-diff x509.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-timestamps | $SCRIPTS/diff-remove-x509-key-info" btest-diff x509.log @load base/protocols/rdp diff --git a/testing/scripts/diff-remove-x509-key-info b/testing/scripts/diff-remove-x509-key-info new file mode 100755 index 0000000000..85404fb30d --- /dev/null +++ b/testing/scripts/diff-remove-x509-key-info 
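Review bot: The baseline selection in x509_verify.bro, `grep -q ... && btest-diff stdout-openssl-1.1 || btest-diff stdout-openssl-1.0`, also runs the 1.0 comparison when the grep succeeds but the 1.1 diff fails. On a 1.1 build the test therefore passes if the chain output matches either baseline, which weakens what it asserts about certificate validation. An explicit conditional compares against exactly one baseline: `# @TEST-EXEC: if grep -q "BRO_HAVE_OPENSSL_1_1" $BUILD/CMakeCache.txt; then btest-diff stdout-openssl-1.1; else btest-diff stdout-openssl-1.0; fi`.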
@@ -0,0 +1,55 @@ +#! /usr/bin/env bash +# +# A diff canonifier that removes all X.509 public key information +# which, in the specific case of the RDP protocol's misuse of +# md5WithRSAEncryption, seems that OpenSSL 1.0 is able to manually +# workaround by setting to rsaEncryption, but OpenSSL 1.1 still fails +# to extract the key, so the corresponding fields are always removed here. + +awk ' +BEGIN { FS="\t"; OFS="\t"; key_type_col = -1; key_length_col = -1; exponent_col = -1; curve_col = -1 } + +/^#/ { + if ( $1 == "#fields" ) + { + for ( i = 2; i <= NF; ++i ) + { + if ( $i == "certificate.key_type" ) + key_type_col = i-1; + if ( $i == "certificate.key_length" ) + key_length_col = i-1; + if ( $i == "certificate.exponent" ) + exponent_col = i-1; + if ( $i == "certificate.curve" ) + curve_col = i-1; + } + } + + print; + next; +} + +key_type_col > 0 { + # Mark it regardless of whether it is set. + $key_type_col = "x"; +} + +key_length_col > 0 { + # Mark it regardless of whether it is set. + $key_length_col = "x"; +} + +exponent_col > 0 { + # Mark it regardless of whether it is set. + $exponent_col = "x"; +} + +curve_col > 0 { + # Mark it regardless of whether it is set. + $curve_col = "x"; +} + +{ + print; +} +' From bb55f828096e5690e0b97079a53f0e77b171d480 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Fri, 29 Jun 2018 16:15:34 -0500 Subject: [PATCH 543/631] Remove requestorName parameter of ocsp_request event This field isn't publicly available via the OpenSSL 1.1 API, not used in the base scripts, and has no example in the test suit, so removing it is simpler than trying to support manually parsing it out of the raw data. --- NEWS | 2 ++ src/file_analysis/analyzer/x509/OCSP.cc | 13 ------------- src/file_analysis/analyzer/x509/ocsp_events.bif | 5 +---- .../scripts/base/protocols/ssl/ocsp-http-get.test | 4 ++-- .../base/protocols/ssl/ocsp-request-only.test | 4 ++-- .../base/protocols/ssl/ocsp-request-response.test | 4 ++-- .../base/protocols/ssl/ocsp-response-only.test | 4 ++-- .../scripts/base/protocols/ssl/ocsp-revoked.test | 4 ++-- 8 files changed, 13 insertions(+), 27 deletions(-) diff --git a/NEWS b/NEWS index a4f233a116..bbfb567e91 100644 --- a/NEWS +++ b/NEWS @@ -344,6 +344,8 @@ Removed Functionality available (though Broker should be able to handle IPv6 automatically). +- The "ocsp_request" event no longer has "requestorName" parameter. + Deprecated Functionality ------------------------ diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc index e22440aab8..ccb6762739 100644 --- a/src/file_analysis/analyzer/x509/OCSP.cc +++ b/src/file_analysis/analyzer/x509/OCSP.cc @@ -422,13 +422,10 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req, const char* fid) vl->append(GetFile()->GetVal()->Ref()); uint64 version = 0; - GENERAL_NAME* general_name = nullptr; #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) if ( req->tbsRequest->version ) version = (uint64)ASN1_INTEGER_get(req->tbsRequest->version); - - general_name = req->tbsRequest->requestorName; #else version = parse_request_version(req); // TODO: try to parse out general name ? 
@@ -438,16 +435,6 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req, const char* fid) BIO *bio = BIO_new(BIO_s_mem()); - if ( general_name ) - { - GENERAL_NAME_print(bio, general_name); - int len = BIO_read(bio, buf, sizeof(buf)); - vl->append(new StringVal(len, buf)); - BIO_reset(bio); - } - else - vl->append(new StringVal(0, "")); - mgr.QueueEvent(ocsp_request, vl); int req_count = OCSP_request_onereq_count(req); diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif index 4e0ed6e9dc..f49208d238 100644 --- a/src/file_analysis/analyzer/x509/ocsp_events.bif +++ b/src/file_analysis/analyzer/x509/ocsp_events.bif @@ -7,13 +7,10 @@ ## ## req: version: the version of the OCSP request. Typically 0 (Version 1). ## -## requestorName: name of the OCSP requestor. This attribute is optional; if -## it is not set, an empty string is returned here. -## ## .. bro:see:: ocsp_request_certificate ocsp_response_status ## ocsp_response_bytes ocsp_response_certificate ocsp_extension ## x509_ocsp_ext_signed_certificate_timestamp -event ocsp_request%(f: fa_file, version: count, requestorName: string%); +event ocsp_request%(f: fa_file, version: count%); ## Event that is raised when encountering an OCSP request for a certificate, ## e.g. in an HTTP connection. See :rfc:`6960` for more details. diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test index ff48772b6a..c8c8acc589 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test 
@@ -17,9 +17,9 @@ event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) print "extension: ", ext, global_resp; } -event ocsp_request(f: fa_file, version: count, requestorName: string) +event ocsp_request(f: fa_file, version: count) { - print "request", version, requestorName; + print "request", version, ""; } event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test index 0176716553..05483717b0 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test @@ -16,9 +16,9 @@ event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) print "extension: ", ext, global_resp; } -event ocsp_request(f: fa_file, version: count, requestorName: string) +event ocsp_request(f: fa_file, version: count) { - print "request", version, requestorName; + print "request", version, ""; } event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test index 3adfab9aa2..b95203dfd8 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test 
@@ -17,9 +17,9 @@ event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) print "extension: ", ext, global_resp; } -event ocsp_request(f: fa_file, version: count, requestorName: string) +event ocsp_request(f: fa_file, version: count) { - print "request", version, requestorName; + print "request", version, ""; } event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test index f99a71802c..43dbf82583 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test @@ -17,9 +17,9 @@ event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) print "extension: ", ext, global_resp; } -event ocsp_request(f: fa_file, version: count, requestorName: string) +event ocsp_request(f: fa_file, version: count) { - print "request", version, requestorName; + print "request", version, ""; } event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test index ae39640f3f..e4378135ad 100644 --- a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test 
@@ -17,9 +17,9 @@ event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) print "extension: ", ext, global_resp; } -event ocsp_request(f: fa_file, version: count, requestorName: string) +event ocsp_request(f: fa_file, version: count) { - print "request", version, requestorName; + print "request", version, ""; } event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) From a66364fee0c74018da638eb3a580a92b1e11dfc4 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 2 Jul 2018 14:04:55 -0500 Subject: [PATCH 544/631] Update install instructions for OpenSSL 1.1 compat --- doc/install/install.rst | 6 ------ 1 file changed, 6 deletions(-) diff --git a/doc/install/install.rst b/doc/install/install.rst index fd05ac9d69..cc8d81b14f 100644 --- a/doc/install/install.rst +++ b/doc/install/install.rst @@ -54,18 +54,12 @@ To install the required dependencies, you can use: sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel - In order to build Bro on Fedora 26, install ``compat-openssl10-devel`` instead - of ``openssl-devel``. - * DEB/Debian-based Linux: .. console:: sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev - In order to build Bro on Debian 9 or Ubuntu 18.04, install ``libssl1.0-dev`` - instead of ``libssl-dev``. - * FreeBSD: Most required dependencies should come with a minimal FreeBSD install From c9ebe725f6b5c2acbe74d1595ebcc40ee9b7979b Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Mon, 2 Jul 2018 16:29:21 -0500 Subject: [PATCH 545/631] BIT-1941: improve reliability of broker.disconnect unit test --- CHANGES | 4 + VERSION | 2 +- .../recv.broker.filtered.log | 1 - .../Baseline/broker.disconnect/recv.recv.out | 2 +- .../recv2.broker.filtered.log | 1 - .../broker.disconnect/recv2.recv2.out | 2 +- .../send.broker.filtered.log | 4 - .../Baseline/broker.disconnect/send.send.out | 2 - testing/btest/broker/disconnect.bro | 109 ++++++++---------- testing/scripts/wait-for-file | 24 ++++ testing/scripts/wait-for-pid | 24 ++++ 11 files changed, 105 insertions(+), 70 deletions(-) delete mode 100644 testing/btest/Baseline/broker.disconnect/recv.broker.filtered.log delete mode 100644 testing/btest/Baseline/broker.disconnect/recv2.broker.filtered.log delete mode 100644 testing/btest/Baseline/broker.disconnect/send.broker.filtered.log create mode 100755 testing/scripts/wait-for-file create mode 100755 testing/scripts/wait-for-pid diff --git a/CHANGES b/CHANGES index 9bc5ff07ec..7bde326b16 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-721 | 2018-07-02 16:29:21 -0500 + + * BIT-1941: improve reliability of broker.disconnect unit test (Corelight) + 2.5-719 | 2018-06-27 20:02:52 -0500 * Fix some typos and formatting in NEWS and other documentation diff --git a/VERSION b/VERSION index 613011266e..a9a61666da 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-719 +2.5-721 diff --git a/testing/btest/Baseline/broker.disconnect/recv.broker.filtered.log b/testing/btest/Baseline/broker.disconnect/recv.broker.filtered.log deleted file mode 100644 index 18907995da..0000000000 --- a/testing/btest/Baseline/broker.disconnect/recv.broker.filtered.log +++ /dev/null @@ -1 +0,0 @@ -1502645128.235998 Broker::STATUS peer-added 127.0.0.1 XXX handshake successful diff --git a/testing/btest/Baseline/broker.disconnect/recv.recv.out b/testing/btest/Baseline/broker.disconnect/recv.recv.out index f2782a61b2..c7c5a6ea33 100644 
--- a/testing/btest/Baseline/broker.disconnect/recv.recv.out +++ b/testing/btest/Baseline/broker.disconnect/recv.recv.out @@ -1,2 +1,2 @@ peer added, handshake successful -Something receiver, 1 +receiver got event, 1 diff --git a/testing/btest/Baseline/broker.disconnect/recv2.broker.filtered.log b/testing/btest/Baseline/broker.disconnect/recv2.broker.filtered.log deleted file mode 100644 index 6a698102f2..0000000000 --- a/testing/btest/Baseline/broker.disconnect/recv2.broker.filtered.log +++ /dev/null @@ -1 +0,0 @@ -1502645286.464675 Broker::STATUS peer-added 127.0.0.1 XXX handshake successful diff --git a/testing/btest/Baseline/broker.disconnect/recv2.recv2.out b/testing/btest/Baseline/broker.disconnect/recv2.recv2.out index ba803026ad..09a0133c8d 100644 --- a/testing/btest/Baseline/broker.disconnect/recv2.recv2.out +++ b/testing/btest/Baseline/broker.disconnect/recv2.recv2.out @@ -1,2 +1,2 @@ peer added, handshake successful -Something receiver, 2 +receiver got event, 2 diff --git a/testing/btest/Baseline/broker.disconnect/send.broker.filtered.log b/testing/btest/Baseline/broker.disconnect/send.broker.filtered.log deleted file mode 100644 index 2a82fdec5f..0000000000 --- a/testing/btest/Baseline/broker.disconnect/send.broker.filtered.log +++ /dev/null @@ -1,4 +0,0 @@ -1524513026.795171 Broker::STATUS peer-added 127.0.0.1 XXX received handshake from remote core -1524513033.340316 Broker::STATUS connection-terminated 127.0.0.1 XXX lost remote peer -1524513035.437373 Broker::STATUS peer-added 127.0.0.1 XXX received handshake from remote core -1524513041.743002 Broker::STATUS connection-terminated 127.0.0.1 XXX lost remote peer diff --git a/testing/btest/Baseline/broker.disconnect/send.send.out b/testing/btest/Baseline/broker.disconnect/send.send.out index 2ed842beb0..f75d91dc23 100644 --- a/testing/btest/Baseline/broker.disconnect/send.send.out +++ b/testing/btest/Baseline/broker.disconnect/send.send.out 
@@ -1,6 +1,4 @@ peer added, received handshake from remote core -Something sender, 1 peer lost, lost remote peer peer added, received handshake from remote core -Something sender, 2 peer lost, lost remote peer diff --git a/testing/btest/broker/disconnect.bro b/testing/btest/broker/disconnect.bro index cc1822f891..6a5201627d 100644 --- a/testing/btest/broker/disconnect.bro +++ b/testing/btest/broker/disconnect.bro @@ -1,22 +1,19 @@ # @TEST-SERIALIZE: comm -# + # @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" # @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" -# -# @TEST-EXEC: sleep 6 && kill $(cat recv/.pid) && sleep 1 && echo 0 >recv/.exitcode + +# @TEST-EXEC: $SCRIPTS/wait-for-file recv/got-event 30 || (btest-bg-wait -k 1 && false) +# @TEST-EXEC: kill $(cat recv/.pid) +# @TEST-EXEC: $SCRIPTS/wait-for-pid $(cat recv/.pid) 10 || (btest-bg-wait -k 1 && false) +# @TEST-EXEC: echo 0 >recv/.exitcode + # @TEST-EXEC: btest-bg-run recv2 "bro -B broker -b ../recv.bro >recv2.out" -# -# @TEST-EXEC: btest-bg-wait 25 +# @TEST-EXEC: btest-bg-wait 30 + # @TEST-EXEC: btest-diff send/send.out # @TEST-EXEC: btest-diff recv/recv.out # @TEST-EXEC: btest-diff recv2/recv2.out -# -# @TEST-EXEC: cat send/broker.log | awk '/Broker::STATUS/ { $5="XXX"; print; }' >send/broker.filtered.log -# @TEST-EXEC: cat recv/broker.log | awk '/Broker::STATUS/ { $5="XXX"; print; }' >recv/broker.filtered.log -# @TEST-EXEC: cat recv2/broker.log | grep -v "lost remote peer" | awk '/Broker::STATUS/ { $5="XXX"; print; }' >recv2/broker.filtered.log -# @TEST-EXEC: btest-diff send/broker.filtered.log -# @TEST-EXEC: btest-diff recv/broker.filtered.log -# @TEST-EXEC: btest-diff recv2/broker.filtered.log @TEST-START-FILE send.bro 
@@ -24,42 +21,34 @@ redef Broker::default_connect_retry=1secs; redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; -event self_terminate() +global peers = 0; +const test_topic = "bro/test/my_topic"; + +event my_event(i: count) { - terminate(); + print "sender got event", i; } -event do_terminate() - { - schedule 2sec { self_terminate() }; - } - -event print_something(i: int) - { - print "Something sender", i; - } - event bro_init() - { - Broker::subscribe("bro/event/my_topic"); - Broker::auto_publish("bro/event/my_topic", print_something); - Broker::auto_publish("bro/event/my_topic", do_terminate); - Broker::peer("127.0.0.1"); - - schedule 3secs { print_something(1) }; - schedule 12secs { print_something(2) }; - schedule 13secs { do_terminate() }; - } + { + Broker::subscribe(test_topic); + Broker::peer("127.0.0.1"); + } event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) - { - print "peer lost", msg; - } + { + print "peer lost", msg; + + if ( peers == 2 ) + terminate(); + } event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) - { - print "peer added", msg; - } + { + ++peers; + print "peer added", msg; + Broker::publish(test_topic, my_event, peers); + } @TEST-END-FILE 
@@ -70,31 +59,33 @@ redef Broker::default_connect_retry=1secs; redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; -event do_terminate() - { - terminate(); - } +const test_topic = "bro/test/my_topic"; -event print_something(i: int) - { - print "Something receiver", i; - } +event my_event(i: count) + { + print "receiver got event", i; + + if ( i == 1 ) + # In the first case, terminate via `kill` from btest command. + system("touch got-event"); + else + terminate(); + } event bro_init() - { - Broker::subscribe("bro/event/my_topic"); - Broker::listen("127.0.0.1"); - } + { + Broker::subscribe(test_topic); + Broker::listen("127.0.0.1"); + } event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) - { - # In the 2nd run, this may be lost at termination, so don't output. - #print "peer lost", msg; - } + { + terminate(); + } event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) - { - print "peer added", msg; - } + { + print "peer added", msg; + } @TEST-END-FILE diff --git a/testing/scripts/wait-for-file b/testing/scripts/wait-for-file new file mode 100755 index 0000000000..7a0a6f6874 --- /dev/null +++ b/testing/scripts/wait-for-file @@ -0,0 +1,24 @@ +#! /usr/bin/env bash + +# Sleeps until a file comes into existence. + +if [[ $# -ne 2 ]]; then + >&2 echo "usage: $0 " + exit 1 +fi + +wait_file=$1 +max_wait=$2 +wait_count=0 + +while [[ ! -e $wait_file ]]; do + let "wait_count += 1" + + if [[ $wait_count -ge $max_wait ]]; then + >&2 echo "error: file '$wait_file' does not exist after $max_wait seconds" + exit 1 + fi + + sleep 1 +done + diff --git a/testing/scripts/wait-for-pid b/testing/scripts/wait-for-pid new file mode 100755 index 0000000000..7aa0a927fe --- /dev/null +++ b/testing/scripts/wait-for-pid 
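Review bot: The timeout check in the `while` loop runs before the first `sleep 1`, so the script gives up after `max_wait - 1` seconds, and a `max_wait` of 1 fails without waiting at all, while the error message reports the full `max_wait` seconds. Reordering the loop body fixes it: test `[[ $wait_count -ge $max_wait ]]` first, then `sleep 1`, then `let "wait_count += 1"`. The same loop shape is in `testing/scripts/wait-for-pid`, added in this commit. As shown here the usage line prints only `usage: $0 ` with no argument names; if that is how the file reads, it should name the file and the maximum wait in seconds.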
@@ -0,0 +1,24 @@ +#! /usr/bin/env bash + +# Sleeps until a process id no longer exists. + +if [[ $# -ne 2 ]]; then + >&2 echo "usage: $0 " + exit 1 +fi + +wait_pid=$1 +max_wait=$2 +wait_count=0 + +while kill -0 $wait_pid &> /dev/null; do + let "wait_count += 1" + + if [[ $wait_count -ge $max_wait ]]; then + >&2 echo "error: process $wait_pid still exists after $max_wait seconds" + exit 1 + fi + + sleep 1 +done + From acf1c591eac67f4731a277aa837223a4b26c8719 Mon Sep 17 00:00:00 2001 From: Liviu Valsan Date: Tue, 3 Jul 2018 15:08:21 +0200 Subject: [PATCH 546/631] Added support for making optional the extraction of DNS entries from X509 SAN as Intel::seen records. --- scripts/policy/frameworks/intel/seen/x509.bro | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/scripts/policy/frameworks/intel/seen/x509.bro b/scripts/policy/frameworks/intel/seen/x509.bro index c4f487947e..ba90a9610a 100644 --- a/scripts/policy/frameworks/intel/seen/x509.bro +++ b/scripts/policy/frameworks/intel/seen/x509.bro @@ -2,9 +2,16 @@ @load base/files/x509 @load ./where-locations +module Intel; + +export { + ## Enables the extraction of subject alternate names from the X509 SAN DNS field + const enable_x509_ext_subject_alternative_name = T &redef; +} + event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName) { - if ( ext?$dns ) + if ( enable_x509_ext_subject_alternative_name && ext?$dns ) { for ( i in ext$dns ) Intel::seen([$indicator=ext$dns[i], From 85e46f37cab925c772047c3bdc4ff3559f9ae552 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 3 Jul 2018 09:16:37 -0500 Subject: [PATCH 547/631] BIT-1941: teach diff-remove-timestamps about time 0 --- CHANGES | 4 ++++ VERSION | 2 +- testing/scripts/diff-remove-timestamps | 3 +-- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 7bde326b16..bd46f4e65c 100644 --- a/CHANGES +++ b/CHANGES 
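Review bot: Neither argument is checked to be a number before use: `$wait_pid` is passed unquoted to `kill -0`, and bash evaluates both operands of `[[ $wait_count -ge $max_wait ]]` as arithmetic expressions. A guard after the argument-count check, such as `[[ $1 =~ ^[0-9]+$ && $2 =~ ^[0-9]+$ ]] || { >&2 echo "error: pid and max wait must be integers"; exit 1; }`, keeps a malformed `.pid` file or a typo from being interpreted as anything else. A failing `kill -0` is read as "process gone", but it also fails when the caller may not signal a process that still exists, so a comment stating that the script assumes a process owned by the same user would help.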
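Review bot: The `##` comment on `enable_x509_ext_subject_alternative_name` does not say what turning the option off costs: with `F`, the handler skips the loop that passes each SAN DNS name to `Intel::seen`, so intel indicators no longer match on certificate SAN entries. I would document that and the default, for example `## Whether DNS names from the X509 subject alternative name extension are passed to Intel::seen (default T). Setting this to F disables intel matching on those names.` The comment also writes "alternate" where the extension and the identifier use "alternative". The handler's body continues past the end of the hunk.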
@@ -1,4 +1,8 @@ +2.5-722 | 2018-07-03 09:16:37 -0500 + + * BIT-1941: teach diff-remove-timestamps about time 0 (Corelight) + 2.5-721 | 2018-07-02 16:29:21 -0500 * BIT-1941: improve reliability of broker.disconnect unit test (Corelight) diff --git a/VERSION b/VERSION index a9a61666da..e1dbbe72b1 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-721 +2.5-722 diff --git a/testing/scripts/diff-remove-timestamps b/testing/scripts/diff-remove-timestamps index 44422f6f55..770a181c59 100755 --- a/testing/scripts/diff-remove-timestamps +++ b/testing/scripts/diff-remove-timestamps @@ -9,6 +9,5 @@ else sed="sed -E" fi -# The first sed uses a "basic" regexp, the 2nd a "modern:. -sed 's/[0-9]\{10\}\.[0-9]\{2,8\}/XXXXXXXXXX.XXXXXX/g' | \ +$sed 's/(0\.000000)|([0-9]{10}\.[0-9]{2,8})/XXXXXXXXXX.XXXXXX/g' | \ $sed 's/^ *#(open|close).(19|20)..-..-..-..-..-..$/#\1 XXXX-XX-XX-XX-XX-XX/g' From a6ddc882c3ba4308757bf3e7fe581ea367288d4e Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 3 Jul 2018 09:34:10 -0500 Subject: [PATCH 548/631] Fix unstable config framework test --- CHANGES | 4 ++++ VERSION | 2 +- .../btest/scripts/base/frameworks/config/several-files.bro | 3 +-- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index bd46f4e65c..2a606b2956 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-723 | 2018-07-03 09:34:10 -0500 + + * Fix unstable config framework test (Corelight) + 2.5-722 | 2018-07-03 09:16:37 -0500 * BIT-1941: teach diff-remove-timestamps about time 0 (Corelight) diff --git a/VERSION b/VERSION index e1dbbe72b1..64feb3eb5a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-722 +2.5-723 diff --git a/testing/btest/scripts/base/frameworks/config/several-files.bro b/testing/btest/scripts/base/frameworks/config/several-files.bro index 57d15c0075..c5ad563b4e 100644 --- a/testing/btest/scripts/base/frameworks/config/several-files.bro +++ b/testing/btest/scripts/base/frameworks/config/several-files.bro 
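Review bot: In `testing/scripts/diff-remove-timestamps`, the new `(0\.000000)` alternative is not bounded by non-digits, so it also matches inside longer numbers: a value such as `10.000000` would come out as `1XXXXXXXXXX.XXXXXX`, and `0.0000001` would keep a trailing `1`. Whether any baseline contains such values is not visible from this hunk, but the canonifier is shared by many tests, so the alternative should match only when the characters on either side are not digits. At minimum I would add a comment above the line, `# Also masks the zero timestamp 0.000000; beware that this matches inside longer numbers.` The `if`/`else` that sets `$sed` starts above the hunk.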
@@ -1,7 +1,6 @@ # @TEST-EXEC: btest-bg-run bro bro -b %INPUT # @TEST-EXEC: btest-bg-wait 10 -# @TEST-EXEC: sort bro/config.log >bro/config.log.tmp && mv bro/config.log.tmp bro/config.log -# @TEST-EXEC: btest-diff bro/config.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-canonifier | grep -v ^# | $SCRIPTS/diff-sort" btest-diff bro/config.log @load base/frameworks/config @load base/protocols/conn From df3ce608e300cea7342b7ca1f7ffc4ed3f4785b1 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 3 Jul 2018 10:25:14 -0500 Subject: [PATCH 549/631] Fix unstable cluster/logging test --- .../base/frameworks/logging/field-extension-cluster-error.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro index 6ddcd0ddb7..9def14cc2a 100644 --- a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro +++ b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro @@ -5,7 +5,7 @@ # @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: cat manager-1/reporter.log | grep -v "reporter/" > manager-reporter.log -# @TEST-EXEC: btest-diff manager-reporter.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-canonifier | grep -v ^# | $SCRIPTS/diff-sort" btest-diff manager-reporter.log @TEST-START-FILE cluster-layout.bro From 15d74ac081e7a5ca6c569f2021f371c17d71a5c4 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 3 Jul 2018 14:56:10 -0500 Subject: [PATCH 550/631] BIT-1941: improve unit test stability Mostly trying to standardize the way tests sleep for arbitrary amounts of time to make it easier to tell at which particular point the unit test actually may need the timeout interval increased (or else debugged further). --- CHANGES | 4 + VERSION | 2 +- .../out | 30 ++-- .../out | 144 +----------------- .../out | 144 +----------------- .../worker-2..stdout | 1 + testing/btest/core/leaks/basic-cluster.bro | 5 +- testing/btest/core/leaks/hll_cluster.bro | 5 +- testing/btest/core/leaks/input-raw.bro | 11 +- testing/btest/core/leaks/input-reread.bro | 19 ++- .../cluster/custom_pool_exclusivity.bro | 5 +- .../frameworks/cluster/custom_pool_limits.bro | 5 +- .../frameworks/cluster/log_distribution.bro | 6 +- .../frameworks/cluster/start-it-up-logger.bro | 7 +- .../base/frameworks/cluster/start-it-up.bro | 6 +- .../frameworks/cluster/topic_distribution.bro | 5 +- .../cluster/topic_distribution_bifs.bro | 5 +- .../base/frameworks/config/updates.bro | 14 +- .../control/configuration_update.bro | 12 +- .../frameworks/input/empty-values-hashing.bro | 6 +- .../input/missing-file-initially.bro | 15 +- .../input/predicatemodifyandreread.bro | 18 ++- .../frameworks/input/raw/executestdin.bro | 35 +++-- .../frameworks/input/raw/executestream.bro | 12 +- .../base/frameworks/input/raw/offset.bro | 6 +- .../base/frameworks/input/raw/streamraw.bro | 13 +- .../scripts/base/frameworks/input/reread.bro | 19 ++- .../scripts/base/frameworks/input/stream.bro | 12 +- .../base/frameworks/input/twotables.bro | 6 +- .../base/frameworks/intel/input-and-match.bro | 1 - .../intel/read-file-dist-cluster.bro | 5 +- .../base/frameworks/intel/updated-match.bro | 31 ++-- .../logging/field-extension-cluster-error.bro | 5 +- .../logging/field-extension-cluster.bro | 9 +- .../frameworks/netcontrol/basic-cluster.bro | 16 +- .../base/frameworks/notice/cluster.bro | 5 +- 
.../frameworks/notice/suppression-cluster.bro | 5 +- .../base/frameworks/openflow/log-cluster.bro | 16 +- .../frameworks/sumstats/basic-cluster.bro | 5 +- .../sumstats/cluster-intermediate-update.bro | 5 +- .../frameworks/sumstats/on-demand-cluster.bro | 5 +- .../frameworks/sumstats/sample-cluster.bro | 4 +- .../base/frameworks/sumstats/topk-cluster.bro | 4 +- 43 files changed, 302 insertions(+), 386 deletions(-) diff --git a/CHANGES b/CHANGES index 2a606b2956..8331fb1d70 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-725 | 2018-07-03 14:56:10 -0500 + + * BIT-1941: improve unit test stability (Corelight) + 2.5-723 | 2018-07-03 09:34:10 -0500 * Fix unstable config framework test (Corelight) diff --git a/VERSION b/VERSION index 64feb3eb5a..9f94bc17a4 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-723 +2.5-725 diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestdin/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestdin/out index 23851022b5..e847bdab82 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestdin/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestdin/out 
@@ -1,20 +1,10 @@ -Input::EVENT_NEW, cat |, input0 -hello -Input::EVENT_NEW, cat |, input0 -there\x01\x02\x03\x04\x05\x01\x02\x03yay0 -Input::EVENT_NEW, cat |, input1 -hello -Input::EVENT_NEW, cat |, input1 -there\x01\x02\x03\x04\x05\x01\x02\x03yay01 -Input::EVENT_NEW, cat |, input2 -hello -Input::EVENT_NEW, cat |, input2 -there\x01\x02\x03\x04\x05\x01\x02\x03yay012 -Input::EVENT_NEW, cat |, input3 -hello -Input::EVENT_NEW, cat |, input3 -there\x01\x02\x03\x04\x05\x01\x02\x03yay0123 -Input::EVENT_NEW, cat |, input4 -hello -Input::EVENT_NEW, cat |, input4 -there\x01\x02\x03\x04\x05\x01\x02\x03yay01234 +Input::EVENT_NEW, cat |, input0, hello +Input::EVENT_NEW, cat |, input0, there\x01\x02\x03\x04\x05\x01\x02\x03yay0 +Input::EVENT_NEW, cat |, input1, hello +Input::EVENT_NEW, cat |, input1, there\x01\x02\x03\x04\x05\x01\x02\x03yay01 +Input::EVENT_NEW, cat |, input4, hello +Input::EVENT_NEW, cat |, input4, there\x01\x02\x03\x04\x05\x01\x02\x03yay01234 +Input::EVENT_NEW, cat |, input2, hello +Input::EVENT_NEW, cat |, input2, there\x01\x02\x03\x04\x05\x01\x02\x03yay012 +Input::EVENT_NEW, cat |, input3, hello +Input::EVENT_NEW, cat |, input3, there\x01\x02\x03\x04\x05\x01\x02\x03yay0123 diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream/out index 1705220b28..df7331e5e2 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream/out 
@@ -1,153 +1,25 @@ -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +tail -f ../input.log |, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +tail -f ../input.log |, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +tail -f ../input.log |, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW q3r3057fdf -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +tail -f ../input.log |, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW sdfs\d -[source=tail -f ../input.log |, reader=Input::READER_RAW, 
mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +tail -f ../input.log |, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +tail -f ../input.log |, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW dfsdf -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +tail -f ../input.log |, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW sdf -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +tail -f ../input.log |, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW 3rw43wRRERLlL#RWERERERE. done diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.streamraw/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.streamraw/out index a2082f154b..16822c34a4 100644 
--- a/testing/btest/Baseline/scripts.base.frameworks.input.raw.streamraw/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.streamraw/out 
@@ -1,153 +1,25 @@ -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +../input.log, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +../input.log, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +../input.log, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW q3r3057fdf -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +../input.log, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW sdfs\d -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, 
A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +../input.log, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +../input.log, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW dfsdf -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +../input.log, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW sdf -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +../input.log, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW 3rw43wRRERLlL#RWERERERE. done diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic-cluster/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic-cluster/worker-2..stdout index c638f34077..587a51d2b8 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic-cluster/worker-2..stdout 
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic-cluster/worker-2..stdout @@ -1,3 +1,4 @@ Rule added, worker-2:2, 4 Rule added, worker-2:3, 5 1 +Rule destroyed, worker-2:3, 5, 0 diff --git a/testing/btest/core/leaks/basic-cluster.bro b/testing/btest/core/leaks/basic-cluster.bro index 103146495b..8ea5d9c6dc 100644 --- a/testing/btest/core/leaks/basic-cluster.bro +++ b/testing/btest/core/leaks/basic-cluster.bro @@ -6,7 +6,6 @@ # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # # @TEST-EXEC: btest-bg-run manager-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro -m %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro -m %INPUT # @TEST-EXEC: btest-bg-run worker-2 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro -m %INPUT # @TEST-EXEC: btest-bg-wait 60 @@ -19,6 +18,10 @@ redef Cluster::nodes = { }; @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + redef Log::default_rotation_interval = 0secs; global n = 0; diff --git a/testing/btest/core/leaks/hll_cluster.bro b/testing/btest/core/leaks/hll_cluster.bro index f856f5d633..6a92f1a2e7 100644 --- a/testing/btest/core/leaks/hll_cluster.bro +++ b/testing/btest/core/leaks/hll_cluster.bro @@ -7,7 +7,6 @@ # # @TEST-EXEC: bro -m %INPUT>out # @TEST-EXEC: btest-bg-run manager-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro -m %INPUT -# @TEST-EXEC: sleep 2 # @TEST-EXEC: btest-bg-run worker-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro -m runnumber=1 %INPUT # @TEST-EXEC: btest-bg-run worker-2 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro -m runnumber=2 %INPUT # @TEST-EXEC: btest-bg-wait 60 
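Review bot: The three `redef` lines added to `basic-cluster.bro`, which set `Cluster::retry_interval`, `Broker::default_listen_retry` and `Broker::default_connect_retry` to `1sec`, have no comment saying why the test overrides them. They appear to stand in for the removed `sleep 1` between starting the manager and the workers, by making a node that starts early retry quickly; a line such as `# Nodes may start in any order; retry quickly instead of sleeping between launches.` would record that. The same uncommented block is added in `hll_cluster.bro` and in the cluster tests later in this commit (`custom_pool_exclusivity.bro`, `custom_pool_limits.bro`, `log_distribution.bro`, `start-it-up.bro`, `start-it-up-logger.bro`, `topic_distribution.bro`, `topic_distribution_bifs.bro`, `configuration_update.bro`).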
@@ -24,6 +23,10 @@ redef Cluster::nodes = { }; @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + redef Log::default_rotation_interval = 0secs; global hll_data: event(data: opaque of cardinality); diff --git a/testing/btest/core/leaks/input-raw.bro b/testing/btest/core/leaks/input-raw.bro index 602232da77..1a7315bc2a 100644 --- a/testing/btest/core/leaks/input-raw.bro +++ b/testing/btest/core/leaks/input-raw.bro @@ -6,9 +6,9 @@ # # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b %INPUT -# @TEST-EXEC: sleep 5 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 8 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cat input2.log >> input.log -# @TEST-EXEC: sleep 5 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got6 8 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cat input3.log >> input.log # @TEST-EXEC: btest-bg-wait 60 @@ -48,7 +48,12 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) print outfile, s; try = try + 1; - if ( try == 16 ) + + if ( try == 2 ) + system("touch got2"); + else if ( try == 6 ) + system("touch got6"); + else if ( try == 16 ) { print outfile, "done"; close(outfile); diff --git a/testing/btest/core/leaks/input-reread.bro b/testing/btest/core/leaks/input-reread.bro index b3d1498bff..8b6295c15d 100644 --- a/testing/btest/core/leaks/input-reread.bro +++ b/testing/btest/core/leaks/input-reread.bro 
@@ -6,13 +6,13 @@ # # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b %INPUT -# @TEST-EXEC: sleep 60 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 60 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input2.log input.log -# @TEST-EXEC: sleep 10 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got4 10 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input3.log input.log -# @TEST-EXEC: sleep 10 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got6 10 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input4.log input.log -# @TEST-EXEC: sleep 10 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got8 10 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input5.log input.log # @TEST-EXEC: btest-bg-wait 120 @@ -145,7 +145,16 @@ event Input::end_of_data(name: string, source: string) } try = try + 1; - if ( try == 10 ) + + if ( try == 2 ) + system("touch got2"); + else if ( try == 4 ) + system("touch got4"); + else if ( try == 6 ) + system("touch got6"); + else if ( try == 8 ) + system("touch got8"); + else if ( try == 10 ) { print outfile, "done"; close(outfile); diff --git a/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.bro b/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.bro index 5f337093b0..c94b594daf 100644 --- a/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.bro +++ b/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.bro @@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT # @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 30 
@@ -17,6 +16,10 @@ redef Cluster::nodes = { }; @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + global my_pool_spec: Cluster::PoolSpec = Cluster::PoolSpec( $topic = "bro/cluster/pool/my_pool", diff --git a/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.bro b/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.bro index 10a190f016..cb099bc715 100644 --- a/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.bro +++ b/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.bro @@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT # @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 30 @@ -17,6 +16,10 @@ redef Cluster::nodes = { }; @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + global my_pool_spec: Cluster::PoolSpec = Cluster::PoolSpec( $topic = "bro/cluster/pool/my_pool", diff --git a/testing/btest/scripts/base/frameworks/cluster/log_distribution.bro b/testing/btest/scripts/base/frameworks/cluster/log_distribution.bro index 02c1b7b6e7..5e710016ba 100644 --- a/testing/btest/scripts/base/frameworks/cluster/log_distribution.bro +++ b/testing/btest/scripts/base/frameworks/cluster/log_distribution.bro 
@@ -2,9 +2,7 @@ # # @TEST-EXEC: btest-bg-run logger-1 BROPATH=$BROPATH:.. CLUSTER_NODE=logger-1 bro %INPUT # @TEST-EXEC: btest-bg-run logger-2 BROPATH=$BROPATH:.. CLUSTER_NODE=logger-2 bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run manager BROPATH=$BROPATH:.. CLUSTER_NODE=manager bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-wait 30 # @TEST-EXEC: btest-diff logger-1/test.log @@ -22,6 +20,10 @@ redef Cluster::nodes = { @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + redef Log::default_rotation_interval = 0sec; module Test; diff --git a/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro b/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro index 6fb834cc74..6bb9dcbc03 100644 --- a/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro +++ b/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro @@ -1,12 +1,9 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run logger-1 CLUSTER_NODE=logger-1 BROPATH=$BROPATH:.. bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run manager-1 CLUSTER_NODE=manager-1 BROPATH=$BROPATH:.. bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run proxy-1 CLUSTER_NODE=proxy-1 BROPATH=$BROPATH:.. bro %INPUT # @TEST-EXEC: btest-bg-run proxy-2 CLUSTER_NODE=proxy-2 BROPATH=$BROPATH:.. bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 CLUSTER_NODE=worker-1 BROPATH=$BROPATH:.. bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 CLUSTER_NODE=worker-2 BROPATH=$BROPATH:.. bro %INPUT # @TEST-EXEC: btest-bg-wait 30 
@@ -29,6 +26,10 @@ redef Cluster::nodes = { }; @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + global fully_connected: event(); global peer_count = 0; diff --git a/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro b/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro index 3b21cee3dc..be974c074f 100644 --- a/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro +++ b/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro @@ -1,10 +1,8 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT # @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 30 @@ -24,6 +22,10 @@ redef Cluster::nodes = { }; @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + global fully_connected: event(); global peer_count = 0; diff --git a/testing/btest/scripts/base/frameworks/cluster/topic_distribution.bro b/testing/btest/scripts/base/frameworks/cluster/topic_distribution.bro index 591a3329b7..e360ac55ef 100644 --- a/testing/btest/scripts/base/frameworks/cluster/topic_distribution.bro +++ b/testing/btest/scripts/base/frameworks/cluster/topic_distribution.bro 
@@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT # @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 30 @@ -17,6 +16,10 @@ redef Cluster::nodes = { }; @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + global proxy_count = 0; event go_away() diff --git a/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.bro b/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.bro index 2f2462e752..9e79081906 100644 --- a/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.bro +++ b/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.bro @@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT # @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 30 @@ -19,6 +18,10 @@ redef Cluster::nodes = { }; @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + global proxy_count = 0; global q = 0; diff --git a/testing/btest/scripts/base/frameworks/config/updates.bro b/testing/btest/scripts/base/frameworks/config/updates.bro index b9ecd013cd..1e523c752f 100644 --- a/testing/btest/scripts/base/frameworks/config/updates.bro +++ b/testing/btest/scripts/base/frameworks/config/updates.bro 
@@ -1,11 +1,11 @@ # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got1 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: mv configfile2 configfile # @TEST-EXEC: touch configfile -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: mv configfile3 configfile # @TEST-EXEC: touch configfile -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got3 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: mv configfile4 configfile # @TEST-EXEC: touch configfile # @TEST-EXEC: btest-bg-wait 10 @@ -103,6 +103,12 @@ event Input::end_of_data(name: string, source:string) eolcount += 1; - if ( eolcount == 4 ) + if ( eolcount == 1 ) + system("touch got1"); + else if ( eolcount == 2 ) + system("touch got2"); + else if ( eolcount == 3 ) + system("touch got3"); + else if ( eolcount == 4 ) terminate(); } diff --git a/testing/btest/scripts/base/frameworks/control/configuration_update.bro b/testing/btest/scripts/base/frameworks/control/configuration_update.bro index 5e459cc9f0..d3fef8e1b5 100644 --- a/testing/btest/scripts/base/frameworks/control/configuration_update.bro +++ b/testing/btest/scripts/base/frameworks/control/configuration_update.bro 
@@ -1,13 +1,14 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Broker::default_port=65531/tcp -# @TEST-EXEC: sleep 5 # @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT test-redef frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=configuration_update -# @TEST-EXEC: sleep 5 -# @TEST-EXEC: btest-bg-run controller2 BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=shutdown # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff controllee/.stdout +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + const test_var = "ORIGINAL VALUE (this should be printed out first)" &redef; @TEST-START-FILE test-redef.bro @@ -23,3 +24,8 @@ event bro_done() { print test_var; } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro b/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro index d12ab864f2..f25c9bc3f6 100644 --- a/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro +++ b/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro @@ -1,6 +1,6 @@ # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got1 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input2.log input.log # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff out @@ -75,7 +75,9 @@ event Input::end_of_data(name: string, source: string) print outfile, servers; try = try + 1; - if ( try == 2 ) + if ( try == 1 ) + system("touch got1"); + else if ( try == 2 ) { print outfile, "done"; close(outfile); 
diff --git a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro index 1de9fbd539..7c9f51994c 100644 --- a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro +++ b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro @@ -4,12 +4,12 @@ # failing behavior. # @TEST-EXEC: btest-bg-run bro bro %INPUT -# @TEST-EXEC: sleep 10 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/init 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: mv does-exist.dat does-not-exist.dat -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/next 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: mv does-not-exist.dat does-not-exist-again.dat # @TEST-EXEC: echo "3 streaming still works" >> does-not-exist-again.dat -# @TEST-EXEC: btest-bg-wait -k 3 +# @TEST-EXEC: btest-bg-wait 5 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff bro/.stdout # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff bro/.stderr @@ -31,9 +31,17 @@ type Val: record { line: string; }; +global line_count = 0; + event line(description: Input::EventDescription, tpe: Input::Event, v: Val) { print fmt("%s: %s", description$name, v$line); + ++line_count; + + if ( line_count == 4 ) + system("touch next"); + if ( line_count == 5 ) + terminate(); } event line2(description: Input::EventDescription, tpe: Input::Event, v: Val) @@ -49,4 +57,5 @@ event bro_init() Input::add_event([$source="../does-not-exist.dat", $name="inputmanual", $reader=Input::READER_ASCII, $mode=Input::MANUAL, $fields=Val, $ev=line, $want_record=T]); Input::add_event([$source="../does-not-exist.dat", $name="input2", $reader=Input::READER_ASCII, $mode=Input::REREAD, $fields=Val, $ev=line2, $want_record=T, $config=table(["fail_on_file_problem"] = "T")]); + system("touch init"); } 
diff --git a/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro b/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro index 526d1e113f..0ac5f104d0 100644 --- a/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro +++ b/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro @@ -1,12 +1,12 @@ # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got1 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input2.log input.log -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input3.log input.log -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got3 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input4.log input.log -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got4 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input5.log input.log # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff out @@ -96,7 +96,15 @@ event Input::end_of_data(name: string, source: string) try = try + 1; print outfile, fmt("Update_finished for %s, try %d", name, try); print outfile, servers; - + + if ( try == 1 ) + system("touch got1"); + else if ( try == 2 ) + system("touch got2"); + else if ( try == 3 ) + system("touch got3"); + else if ( try == 4 ) + system("touch got4"); if ( try == 5 ) { close(outfile); diff --git a/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro b/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro index 0edc53a0e4..b78dd4e0e3 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro 
@@ -7,6 +7,7 @@ redef exit_only_after_terminate = T; global outfile: file; global processes_finished: count = 0; +global lines_received: count = 0; global n: count = 0; global total_processes: count = 0; @@ -20,10 +21,23 @@ type Val: record { s: string; }; +global more_input: function(name_prefix: string); + +function check_terminate_condition() + { + if ( processes_finished != total_processes ) + return; + + if ( lines_received != (total_processes - 1) * 2 ) + return; + + terminate(); + } + event line(description: Input::EventDescription, tpe: Input::Event, s: string) { - print outfile, tpe, description$source, description$name; - print outfile, s; + ++lines_received; + print outfile, tpe, description$source, description$name, s; } event InputRaw::process_finished(name: string, source:string, exit_code:count, signal_exit:bool) @@ -31,10 +45,18 @@ event InputRaw::process_finished(name: string, source:string, exit_code:count, s print "process_finished", name, source; Input::remove(name); ++processes_finished; - if ( processes_finished == total_processes ) + if ( processes_finished == 1 ) + { + more_input("input"); + more_input("input"); + more_input("input"); + more_input("input"); + more_input("input"); + } + else if ( processes_finished == total_processes ) { close(outfile); - terminate(); + check_terminate_condition(); } } @@ -59,9 +81,4 @@ event bro_init() $reader=Input::READER_RAW, $mode=Input::STREAM, $name="input", $fields=Val, $ev=line, $want_record=F, $config=config_strings]); - more_input("input"); - more_input("input"); - more_input("input"); - more_input("input"); - more_input("input"); } diff --git a/testing/btest/scripts/base/frameworks/input/raw/executestream.bro b/testing/btest/scripts/base/frameworks/input/raw/executestream.bro index 77cb425fa4..240761ee03 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/executestream.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/executestream.bro 
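Review bot: `check_terminate_condition()` is only called once, from the `processes_finished == total_processes` branch of `InputRaw::process_finished`, so the test can hang if the last `line` event arrives after the final process has finished. In that case the `lines_received` check fails, nothing evaluates it again, and with `exit_only_after_terminate = T` the process waits for the btest timeout. The same branch calls `close(outfile)` before it knows all lines are in, so a late `print outfile, ...` in `line` would write to a closed file. Whether that ordering can actually occur depends on how the input framework interleaves events from the different streams, which is not visible here. To make it order-independent, I would add `check_terminate_condition();` at the end of the `line` handler and move `close(outfile);` to just before `terminate();` inside `check_terminate_condition()`.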
@@ -1,8 +1,8 @@ # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 3 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got1 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cat input2.log >> input.log -# @TEST-EXEC: sleep 3 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got3 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cat input3.log >> input.log # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff out @@ -38,12 +38,16 @@ global outfile: file; event line(description: Input::EventDescription, tpe: Input::Event, s: string) { - print outfile, description; + print outfile, description$source, description$reader, description$mode, description$name; print outfile, tpe; print outfile, s; try = try + 1; - if ( try == 8 ) + if ( try == 1 ) + system("touch got1"); + else if ( try == 3 ) + system("touch got3"); + else if ( try == 8 ) { print outfile, "done"; close(outfile); diff --git a/testing/btest/scripts/base/frameworks/input/raw/offset.bro b/testing/btest/scripts/base/frameworks/input/raw/offset.bro index 7ce040e1c9..f37fb9c28a 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/offset.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/offset.bro @@ -1,6 +1,6 @@ # @TEST-EXEC: cp input.log input2.log # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: echo "hi" >> input2.log # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff out @@ -24,7 +24,9 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) { print outfile, s; try = try + 1; - if ( try == 3 ) + if ( try == 2 ) + system("touch got2"); + else if ( try == 3 ) { close(outfile); terminate(); diff --git a/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro b/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro index 6e45ba32b7..331db7eeb8 100644 
--- a/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro @@ -1,8 +1,8 @@ # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 3 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got1 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cat input2.log >> input.log -# @TEST-EXEC: sleep 3 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got3 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cat input3.log >> input.log # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff out @@ -37,12 +37,17 @@ global outfile: file; event line(description: Input::EventDescription, tpe: Input::Event, s: string) { - print outfile, description; + print outfile, description$source, description$reader, description$mode, description$name; print outfile, tpe; print outfile, s; try = try + 1; - if ( try == 8 ) + + if ( try == 1 ) + system("touch got1"); + else if ( try == 3 ) + system("touch got3"); + else if ( try == 8 ) { print outfile, "done"; close(outfile); diff --git a/testing/btest/scripts/base/frameworks/input/reread.bro b/testing/btest/scripts/base/frameworks/input/reread.bro index d8cb868d22..4199093543 100644 --- a/testing/btest/scripts/base/frameworks/input/reread.bro +++ b/testing/btest/scripts/base/frameworks/input/reread.bro 
@@ -1,12 +1,12 @@ # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got1 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input2.log input.log -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input3.log input.log -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got3 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input4.log input.log -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got4 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input5.log input.log # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff out @@ -126,7 +126,16 @@ event Input::end_of_data(name: string, source: string) print outfile, servers; try = try + 1; - if ( try == 5 ) + + if ( try == 1 ) + system("touch got1"); + else if ( try == 2 ) + system("touch got2"); + else if ( try == 3 ) + system("touch got3"); + else if ( try == 4 ) + system("touch got4"); + else if ( try == 5 ) { print outfile, "done"; close(outfile); diff --git a/testing/btest/scripts/base/frameworks/input/stream.bro b/testing/btest/scripts/base/frameworks/input/stream.bro index ed497859aa..8ed498f074 100644 --- a/testing/btest/scripts/base/frameworks/input/stream.bro +++ b/testing/btest/scripts/base/frameworks/input/stream.bro @@ -1,8 +1,8 @@ # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 3 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got1 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cat input2.log >> input.log -# @TEST-EXEC: sleep 3 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cat input3.log >> input.log # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff out 
@@ -66,8 +66,12 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r print outfile, servers; try = try + 1; - - if ( try == 3 ) + + if ( try == 1 ) + system("touch got1"); + else if ( try == 2 ) + system("touch got2"); + else if ( try == 3 ) { print outfile, "done"; close(outfile); diff --git a/testing/btest/scripts/base/frameworks/input/twotables.bro b/testing/btest/scripts/base/frameworks/input/twotables.bro index f0bedb2673..6f127ac4c2 100644 --- a/testing/btest/scripts/base/frameworks/input/twotables.bro +++ b/testing/btest/scripts/base/frameworks/input/twotables.bro @@ -1,6 +1,6 @@ # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 5 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input3.log input.log # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff event.out @@ -116,7 +116,9 @@ event Input::end_of_data(name: string, source: string) #print fin_out, servers; try = try + 1; - if ( try == 3 ) + if ( try == 2 ) + system("touch got2"); + else if ( try == 3 ) { print fin_out, "done"; print fin_out, servers; diff --git a/testing/btest/scripts/base/frameworks/intel/input-and-match.bro b/testing/btest/scripts/base/frameworks/intel/input-and-match.bro index 774f17fc57..8f74117201 100644 --- a/testing/btest/scripts/base/frameworks/intel/input-and-match.bro +++ b/testing/btest/scripts/base/frameworks/intel/input-and-match.bro @@ -1,4 +1,3 @@ -# @TEST-SERIALIZE: comm # @TEST-EXEC: btest-bg-run broproc bro %INPUT # @TEST-EXEC: btest-bg-wait -k 5 diff --git a/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro b/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro index 5488c4938e..b34e273d54 100644 --- a/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro +++ b/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro 
@@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 2 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-wait -k 10 @@ -26,6 +25,10 @@ e@mail.com Intel::EMAIL source1 Phishing email source http://some-data-distribut @TEST-END-FILE @load base/frameworks/control +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + redef Log::default_rotation_interval=0sec; module Intel; diff --git a/testing/btest/scripts/base/frameworks/intel/updated-match.bro b/testing/btest/scripts/base/frameworks/intel/updated-match.bro index fd7c738210..5cace1741e 100644 --- a/testing/btest/scripts/base/frameworks/intel/updated-match.bro +++ b/testing/btest/scripts/base/frameworks/intel/updated-match.bro @@ -1,12 +1,10 @@ -# @TEST-SERIALIZE: comm - # @TEST-EXEC: cp intel1.dat intel.dat # @TEST-EXEC: btest-bg-run broproc bro %INPUT -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file broproc/got1 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp intel2.dat intel.dat -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file broproc/got2 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp intel3.dat intel.dat -# @TEST-EXEC: btest-bg-wait 6 +# @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: cat broproc/intel.log > output # @TEST-EXEC: cat broproc/notice.log >> output # @TEST-EXEC: btest-diff output @@ -35,6 +33,8 @@ redef Intel::read_files += { "../intel.dat" }; redef enum Intel::Where += { SOMEWHERE }; global runs = 0; +global entries_read = 0; + event do_it() { Intel::seen([$host=1.2.3.4, 
@@ -43,8 +43,11 @@ event do_it() $where=SOMEWHERE]); ++runs; - if ( runs < 3 ) - schedule 3sec { do_it() }; + + if ( runs == 1 ) + system("touch got1"); + if ( runs == 2 ) + system("touch got2"); } global log_lines = 0; @@ -55,7 +58,17 @@ event Intel::log_intel(rec: Intel::Info) terminate(); } -event bro_init() &priority=-10 +module Intel; + +event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item) { - schedule 1sec { do_it() }; + ++entries_read; + print entries_read; + + if ( entries_read == 1 ) + event do_it(); + else if ( entries_read == 3 ) + event do_it(); + else if ( entries_read == 5 ) + event do_it(); } diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro index 9def14cc2a..03108505d5 100644 --- a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro +++ b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro @@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: cat manager-1/reporter.log | grep -v "reporter/" > manager-reporter.log @@ -21,6 +20,10 @@ redef Cluster::nodes = { redef exit_only_after_terminate = T; @endif +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + redef Log::default_rotation_interval = 0secs; redef Log::default_scope_sep="_"; diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro index 711a1286aa..3c464311f5 100644 
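Review bot: The thresholds in the new `Intel::read_entry` handler (`entries_read == 1`, `== 3`, `== 5`) have no explanation, and they silently depend on how many items each of intel1.dat, intel2.dat and intel3.dat contributes. If one of those embedded files gains or loses a line, `do_it()` fires at the wrong moment or not at all, and the test then waits on `got1`/`got2` until the timeout. A comment above the chain would help, for example `# Thresholds are the cumulative entry counts after intel1/2/3.dat have each been read; update them when the test data changes.` The `print entries_read;` line looks like leftover debugging and could be dropped, since only intel.log and notice.log are diffed.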
--- a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro +++ b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro @@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff manager-1/http.log @@ -20,6 +19,9 @@ redef Cluster::nodes = { redef exit_only_after_terminate = T; @endif +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; redef Log::default_rotation_interval = 0secs; redef Log::default_scope_sep="_"; @@ -59,9 +61,12 @@ event bro_init() { if ( Cluster::node == "worker-1" ) Broker::subscribe("death"); + } +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { if ( Cluster::node == "manager-1" ) - schedule 13sec { kill_worker() }; + schedule 2sec { kill_worker() }; } event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) diff --git a/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro index bdf7f3f75d..fc9a308297 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro 
@@ -1,9 +1,10 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" -# @TEST-EXEC: sleep 1 + +# @TEST-EXEC: $SCRIPTS/wait-for-pid $(cat worker-1/.pid) 10 || (btest-bg-wait -k 1 && false) + # @TEST-EXEC: btest-bg-run worker-2 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff worker-1/.stdout @@ -17,6 +18,10 @@ redef Cluster::nodes = { }; @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + redef Log::default_rotation_interval = 0secs; #redef exit_only_after_terminate = T; @@ -51,9 +56,14 @@ event terminate_me() { terminate(); } +global peers_lost = 0; + event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { - schedule 1sec { terminate_me() }; + ++peers_lost; + + if ( peers_lost == 2 ) + schedule 2sec { terminate_me() }; } event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string &default="") diff --git a/testing/btest/scripts/base/frameworks/notice/cluster.bro b/testing/btest/scripts/base/frameworks/notice/cluster.bro index 6784daf068..9bb80422b1 100644 --- a/testing/btest/scripts/base/frameworks/notice/cluster.bro +++ b/testing/btest/scripts/base/frameworks/notice/cluster.bro @@ -2,7 +2,6 @@ # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT # @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT -# @TEST-EXEC: sleep 2 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff manager-1/notice.log 
@@ -15,6 +14,10 @@ redef Cluster::nodes = { }; @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + redef Log::default_rotation_interval = 0secs; redef enum Notice::Type += { diff --git a/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro index c67512853f..6c9e429bc9 100644 --- a/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro +++ b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro @@ -2,7 +2,6 @@ # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT # @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT -# @TEST-EXEC: sleep 2 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 20 @@ -17,6 +16,10 @@ redef Cluster::nodes = { }; @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + redef Log::default_rotation_interval = 0secs; redef enum Notice::Type += { diff --git a/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro b/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro index c618be7e65..de957e720e 100644 --- a/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro +++ b/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro 
@@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/smtp.trace %INPUT" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff manager-1/openflow.log @@ -13,6 +12,9 @@ redef Cluster::nodes = { }; @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; redef Log::default_rotation_interval = 0secs; #redef exit_only_after_terminate = T; @@ -21,6 +23,18 @@ redef Log::default_rotation_interval = 0secs; global of_controller: OpenFlow::Controller; +@if ( Cluster::local_node_type() == Cluster::WORKER ) +event bro_init() + { + suspend_processing(); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + continue_processing(); + } +@endif + event bro_init() { of_controller = OpenFlow::log_new(42); diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro index 2c744228a0..e02b3143c5 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro @@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 15 @@ -16,6 +15,10 @@ redef Cluster::nodes = { }; @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + redef Log::default_rotation_interval = 0secs; global n = 0; 
diff --git a/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro index ae0f093c27..18df7fe768 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro @@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 3 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 20 @@ -15,6 +14,10 @@ redef Cluster::nodes = { }; @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + redef Log::default_rotation_interval = 0secs; event bro_init() &priority=5 diff --git a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro index ac2aacc03c..adf61ffb82 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro @@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 15 @@ -17,6 +16,10 @@ redef Cluster::nodes = { }; @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; + redef Log::default_rotation_interval = 0secs; global n = 0; 
diff --git a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro index 935a57bb5d..6426b42680 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro @@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 15 @@ -15,6 +14,9 @@ redef Cluster::nodes = { }; @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; redef Log::default_rotation_interval = 0secs; event bro_init() &priority=5 diff --git a/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro index 57a08aa040..3ab90e91b8 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro @@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 15 @@ -16,6 +15,9 @@ redef Cluster::nodes = { }; @TEST-END-FILE +redef Cluster::retry_interval = 1sec; +redef Broker::default_listen_retry = 1sec; +redef Broker::default_connect_retry = 1sec; redef Log::default_rotation_interval = 0secs; From b9a5d9ccbe0f86a67b9bc7b644d9cd849f49d050 Mon Sep 17 00:00:00 2001 
From: Vern Paxson Date: Thu, 5 Jul 2018 10:13:20 -0700 Subject: [PATCH 551/631] de-restrict pattern-oriented BiFs to no longer require only running at init --- NEWS | 3 +++ src/bro.bif | 12 ------------ 2 files changed, 3 insertions(+), 12 deletions(-) diff --git a/NEWS b/NEWS index 8cd4f3c201..c898bcb3a1 100644 --- a/NEWS +++ b/NEWS @@ -249,6 +249,9 @@ New Functionality '^' are binary "and", "or" and "xor" operators, and '~' is a unary ones-complement operator. +- The string_to_pattern() built-in (and the now-deprecated merge_pattern() + built-in) is no longer restricted to only be called at initialization time. + Changed Functionality --------------------- diff --git a/src/bro.bif b/src/bro.bif index f0641104c9..835bcc3f7a 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -2960,12 +2960,6 @@ function uuid_to_string%(uuid: string%): string ## :bro:id:`bro_init`. function merge_pattern%(p1: pattern, p2: pattern%): pattern %{ - if ( bro_start_network_time != 0.0 ) - { - builtin_error("merge_pattern can only be called at init time"); - return 0; - } - reporter->Warning("merge_pattern() builtin-function has been deprecated"); RE_Matcher* re = new RE_Matcher(); @@ -3035,12 +3029,6 @@ function convert_for_pattern%(s: string%): string ## :bro:id:`bro_init`. function string_to_pattern%(s: string, convert: bool%): pattern %{ - if ( bro_start_network_time != 0.0 ) - { - builtin_error("string_to_pattern can only be called at init time"); - return 0; - } - const char* ss = (const char*) (s->Bytes()); int sn = s->Len(); char* pat; From ad9abd4c9b73a3d543df9463a9b1fe21ea9f3a56 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Fri, 6 Jul 2018 08:04:02 -0500 Subject: [PATCH 552/631] BIT-1950: support PPPoE over QinQ --- src/iosource/Packet.cc | 96 ++++++++---------- .../Baseline/core.pppoe-over-qinq/conn.log | 10 ++ testing/btest/Traces/pppoe-over-qinq.pcap | Bin 0 -> 42264 bytes testing/btest/core/pppoe-over-qinq.bro | 2 + 4 files changed, 54 insertions(+), 54 deletions(-) create mode 100644 testing/btest/Baseline/core.pppoe-over-qinq/conn.log create mode 100644 testing/btest/Traces/pppoe-over-qinq.pcap create mode 100644 testing/btest/core/pppoe-over-qinq.bro diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index fedb795885..5199765f51 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -149,36 +149,17 @@ void Packet::ProcessLayer2() pdata += GetLinkHeaderSize(link_type); - switch ( protocol ) + bool saw_vlan = false; + + while ( protocol == 0x8100 || protocol == 0x9100 || + protocol == 0x8864 ) { - // MPLS carried over the ethernet frame. - case 0x8847: - have_mpls = true; - break; - - // VLAN carried over the ethernet frame. - // 802.1q / 802.1ad - case 0x8100: - case 0x9100: - if ( pdata + 4 >= end_of_data ) - { - Weird("truncated_link_header"); - return; - } - - vlan = ((pdata[0] << 8) + pdata[1]) & 0xfff; - protocol = ((pdata[2] << 8) + pdata[3]); - pdata += 4; // Skip the vlan header - - // Check for MPLS in VLAN. - if ( protocol == 0x8847 ) - { - have_mpls = true; - break; - } - - // Check for double-tagged (802.1ad) - if ( protocol == 0x8100 || protocol == 0x9100 ) + switch ( protocol ) + { + // VLAN carried over the ethernet frame. + // 802.1q / 802.1ad + case 0x8100: + case 0x9100: { if ( pdata + 4 >= end_of_data ) { 
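Review bot: The new loop condition `while ( protocol == 0x8100 || protocol == 0x9100 || protocol == 0x8864 )` and the `case 0x8100:` / `case 0x9100:` labels still omit 0x88a8, the TPID that IEEE 802.1ad assigns to the outer service tag, even though the comment on those cases names 802.1ad. Unless that ethertype is handled outside this hunk, frames tagged with it are not unwrapped, so the monitor loses visibility into traffic the end hosts still receive. I would add `protocol == 0x88a8` to the condition and `case 0x88a8:` next to the other VLAN labels. The switch also has no `default:`, so any ethertype later added to the condition without a matching case would make the loop spin; a short comment saying the two lists must stay in sync would guard against that. ProcessLayer2 begins before this hunk and the switch continues past its end.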
@@ -186,39 +167,46 @@ void Packet::ProcessLayer2() return; } - inner_vlan = ((pdata[0] << 8) + pdata[1]) & 0xfff; + auto& vlan_ref = saw_vlan ? inner_vlan : vlan; + vlan_ref = ((pdata[0] << 8) + pdata[1]) & 0xfff; protocol = ((pdata[2] << 8) + pdata[3]); pdata += 4; // Skip the vlan header + saw_vlan = true; + eth_type = protocol; } + break; - eth_type = protocol; - break; - - // PPPoE carried over the ethernet frame. - case 0x8864: - if ( pdata + 8 >= end_of_data ) + // PPPoE carried over the ethernet frame. + case 0x8864: { - Weird("truncated_link_header"); - return; + if ( pdata + 8 >= end_of_data ) + { + Weird("truncated_link_header"); + return; + } + + protocol = (pdata[6] << 8) + pdata[7]; + pdata += 8; // Skip the PPPoE session and PPP header + + if ( protocol == 0x0021 ) + l3_proto = L3_IPV4; + else if ( protocol == 0x0057 ) + l3_proto = L3_IPV6; + else + { + // Neither IPv4 nor IPv6. + Weird("non_ip_packet_in_pppoe_encapsulation"); + return; + } } - - protocol = (pdata[6] << 8) + pdata[7]; - pdata += 8; // Skip the PPPoE session and PPP header - - if ( protocol == 0x0021 ) - l3_proto = L3_IPV4; - else if ( protocol == 0x0057 ) - l3_proto = L3_IPV6; - else - { - // Neither IPv4 nor IPv6. - Weird("non_ip_packet_in_pppoe_encapsulation"); - return; - } - - break; + break; + } } + // Check for MPLS in VLAN. + if ( protocol == 0x8847 ) + have_mpls = true; + // Normal path to determine Layer 3 protocol. if ( ! have_mpls && l3_proto == L3_UNKNOWN ) { diff --git a/testing/btest/Baseline/core.pppoe-over-qinq/conn.log b/testing/btest/Baseline/core.pppoe-over-qinq/conn.log new file mode 100644 index 0000000000..6450d8f2f7 --- /dev/null +++ b/testing/btest/Baseline/core.pppoe-over-qinq/conn.log 
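Review bot: Every 802.1Q/802.1ad tag after the first is written to `inner_vlan` by `auto& vlan_ref = saw_vlan ? inner_vlan : vlan;`, and the loop opened in the previous hunk puts no limit on tag depth. A frame with three or more tags is therefore parsed without notice, and the recorded `vlan`/`inner_vlan` pair no longer describes the stack that was on the wire. Counting the depth and raising a weird on the third tag would keep that visible to analysts, for instance `if ( ++vlan_depth > 2 ) Weird("excess_vlan_tags");` with a new local counter (both names are suggestions only). The comment `// Check for MPLS in VLAN.` is also out of date, because the test now handles untagged MPLS as well since the old top-level `case 0x8847` was removed; `// Check for MPLS, tagged or not.` would match the code. ProcessLayer2 begins and ends outside these hunks.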
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2018-07-06-12-25-54 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +1523351398.449222 CHhAvVGS1DHFjwGM9 1.1.1.1 20394 2.2.2.2 443 tcp - 273.626833 11352 4984 SF - - 0 ShADdtaTFf 44 25283 42 13001 - +#close 2018-07-06-12-25-54 
diff --git a/testing/btest/Traces/pppoe-over-qinq.pcap b/testing/btest/Traces/pppoe-over-qinq.pcap new file mode 100644 index 0000000000000000000000000000000000000000..10e1429d0c7b80181bdeed602dbad65f2c05ac15 GIT binary patch literal 42264 zcmeFa1z1$;+CMx)cL+##NHcUuhmz7rceiv(C`flocb9}9oeCldNS8DM0@BSlgL?M% z?7h$T-`6?s|GUojvMwK-S+nN;t!J%!-SK--$Po{kSne;D&*5YpmE)x zaS*Wx19spnA|Xf+L|~(Q@kLbj6&O*?_YUcm5cxmQV1PgvC`f;r=}`d>z!D+tX8ZI0 z(BB}?{^-wpi16R_M-7Z}t$=|6h@AR<-aKrm02y!}AnmWELa{)kLNR@p%HH#*Qt>bV zD0~3GU1%T__$B}^prL!4wv}@SvXNF^sLv+gn6SaU3Z`^RlRXdB@D6(bTZBi3xjKoZ zB5iArbLX_Y{9V-H!0}RK4dp@rjm5-)%7BFDw_4k_(0N+;t0L9Io*}&f3+JxE2&IW)B?i(rq8*m2( z8UY3d2n&q>3kyVmg9AbV0k8nrn@h>=1U~2vxM2W50A?t2Hdu2uCRVPSznnLJIS?G} zjon$;nOWh!zd$f|aCg1ek5S~AgTrXj)({HNEq$?(<5;`UMQxefQR6$k_k~QXjEvhqCS9z*6jBYFew(#u+ZMYGtBe>3bHikDFN~iRL6y>X~+SZ15U53(jCMfV!P|l z;>sY%U-N@i2N{4;1wbhWz`KL|;hjPLa5|aLP~fKpo|@E8>cM1}=`Tv?Gph;Y!VFmPB-ayAVSC+BrI%YcN+s+ClezwF*^r)I|l&aBx5I&P$N@T zmL(GtA!8zY$POaGMP=n?Wo6|C-E5lRx4huDJZ$Woyqvt6Ab%heD;5Y74w(TC2m|!z z=7$18-<%>L2>RtgXqapEM-vCIL9lRgwl#75 z%`Sj17{%{zE)W&~?GHo;fcGOo`2&G~)|xS~s3G|mO%cndBLVyk^OLI#SA$(E88c`+ zq4+|fR?u{9{W4qc6+97`Hopnt+#n(UE(OKLnSFIeE2>Kc{zXrfm>r_M+5ezmJ@ zWDIhSu!l>l!Y3PBa`HXYCY=!y2VvQ-uS4lSN!gVx$V`54A0*gH)O*nPs+nQ(iueRR zc2m_%QV?&HxcklrLeUB4PXc<{k*jA;y(p}m{$;~6CvhpbI)|hK5B$Um1(U0Hr$k=k ziFz}v8o|3d?WR+@tBm!*zX{eZhI$VL4YsK{{?K9|e`q0)1^9XrW5O7M^!2n~XY z4g_Aqz(7O6X5Kta#MCf%LD+BzU_FP0g@*?I;}sOh4stjdj5){@qy>kpA1Db7Jdpsx zLTX3@kngg5xvzx>W9;ov9WTAd#e&+U1nIqDGquN2?0+?MN>b6??0RW(0 zzk!n?INpHQ<16%;xGR?1@2lU@8h+2@AETo&}pg+~CbeMPs=<*EqD7<|C9oR+m2KXUJ z0xUJS(j5Qt%aj^sw_c7_CvVq~V8~KTdQgl6L|?)P#gr)l1u)~}`Ak+PP)o7TIb zN?K;NT!9yeQZ-r-*mL*r=wq<#+sBuWAF3Ksa`k(#dD%f3?nZdUGMFD8w#|%`pRj$j zdnEDkY-gX9_N+PEg0W{t7#s!6++UGUd;)-F0r|r+fc#;wet7h!3(|IWJ9{HOLS-g$ zd{Z_5bk#t9eZTrNTo4ZUp#{5iG&Qg@QMNF%W&G}hesktOKOp$$7pMXcwov>JVaN#@u3YbZi@ust>bCch>b#bl5FvX$v_oX6E(FW?y3l z9xon5Ez={Wc#ptW9LxdfQD}Ovb#fIQ9@t~Gn(fsU$YGOMHz;pY5 zrtS8g9kv~Y!e{ZMij&#=Mo^TpMEP>#jJ*Vj@%4c|!fXc7hgl||sc%I!3mq|KeaJ$V 
zJv<5r`VVgl)Bzi74G_yu!w&WYlpyjy_XKRec@WSYh@ZiNI7$Q%I7z(*XCxpK$UZU{ zU63|N6AlLa5&%;A&1Hby;7?!V>goy+1yRd?ctYBrX8;8SA|m*!BOz9Q4s7+&z>ztm z{dKGl+=ImWz+EDKh}Adi`PJ%|3;neEgM(x`g1W_O`I zU)!9?26P=hc;e{TKp8sOg_+ug&+KW{@42F7uCi*jcTds4xi3UJUmsT! zLjeQ*OOWh$sj&YcspUdosU!X!-=)I+hon}*gQdRr13wRtEAStcdg43!UFw}DaDeAv z+5ysTwjclhN^yZBJjhdL`klPt2>+G5fm~Pcxq``?66%`_8wiI1fY2iBg*#ns9_g-V z>#dut#ph72<9v-@>KePyRPXhBPnzWs2$m56iHdQHDaZSOcy8Y)7eGzj(bV1}@AyEG zDwMhXJ=;6<7f|UVsuah5b$ZyDQgQElgf0?4;uG2=zvLydS8msxNLPwSWBZ8DUvc4x zO)tiDum7#2i(%NSDcui9dWtIe8At?NtAOuDJzo$oG(v?&XYD8nlG=L5 zs*A?K#L8Yy_1O7lEB0HLMWK^+#JsJE@&~cQ!pDyuz>&ZOquVSq7yfoaH{Mm#{cWj$_LkMGRNE$ea1 zdi+Le+_E13zhynzkP!bd{PWkI81Q5G=f~ho>#v?zJQ?DNeZhk>Ft5Q>0T31mGFStN zdLVwqbO-r1!u~xAe;Z-{F2eQ)YscRhYq@3JZdtcm*6o&cyBXuUW!-MZxc&=Sx11y7 z|6tUy2c~PjM;+xtkVpg)b^K=$PF;Q?6lPpRl?y=-)L)|jz=Y0C`)lS9@V%^sndrey z;mp%tnZru>@j~%r1q=kk7x#Xo>Nl)QUo#589lQh5{)KEE2tNYQB9gq3E&r#o@emBX z*#UsxkpfYM_X3(njMeKlwu72eoFXne&r;#vRbwR%szDpR^_lEt{Aym3NJb9nq)8Xb zzfFMMgok`!Qt8@9=R5rqJc9BMr+?G!Kc#pwRNjO-Gr@z5=FD>O9GvFb#_~Hf`j|G&zE-J z%B8RiGCq(Mka8(xS}p5MMRelqhzc8euK04o%6+c(Ary*dJ|e^66s_r6ZaO8YSV|?8 zIth!$8<()`boy}kW%{YeR^}5duSWNtX5{CXO(M1rCCrF}+UaWh@@Ir2hb$8@Nf(=< zG0NX=hk9Urcq1BCk1KSAtvthZ%^zZ?Rw( zs#+v)8T|myb&OMW8l$i~bRp*@^dUJDz?K6$n!t{B>pf-A%QE@NqR?ZU88Takz@!?LY+>~CjK}>O}WpFl;6+J!ddMAVR7#HSk<~C~g!z1cS{U+Wn z2lQG`LYVp>U`)B^e!Qs%3a9i@s!UjhS;I1{>-gPc?7=`HkHSUo16e8N& zbT^!MqwZvWD6`d|gx3_F2JCy+XXfZpxD0YOUSdO?&kf%A1B_b1|wd-sgr5h# zxrIAZ?=?ridh-qoXZk*f56xL-gPEggV|j=?iK~@hX_QYhc`=piSsolJi{UvX_L;>Y zJmp1LUsLM?T@h^~PH|YZvC5D07@<)-v!pv{@+;-RAG5}1VnUEpPscuWXtk>qj^jX= znQJm;o>Uv(`(Vgy4{-d_Q-0RfaG<9n|0TLI1V7TFLE|7>e9S!cvr3KfB}(&dBKwX< zpNvq>i%jEI;e6b1I&Y2UL$2*0vvka{ged5ikgpNdxCmyRy30Grs@7TR!J?E=wjU;N##XcYAbyVK_s>$`*^N@tD>C-}@e8MS`$R~GCS%KrSmyzmRw)vN5+WgM} z{49@XE+*_rCMd5%&dIPU&&(u`JbfbvTE`9UYf#Q?`8zM4jNVhuKWXHd`&NmPAm zPI_^VzW5j`f`aaqgg66$FGutF4RBY%PpUzt@$9M4@Y!ADfEb`N=V6RFfetfp33nXTdb z>|5OB^o*0_?E;y|R^i+qWBvC$$VOsC)R!FS1$?{wcvUCh#vj4fN 
zK5+bo^al?VK*$=>ycDM9g62-=KV3A>P=3W3X*MRfI@pB6P zv*D-h(@h~#A8UEc?HUr#X?>8RxZ0DG_Vq$wMBL#?;OFCN3*{UN*26PQKfYZ&-9~%v zTJ=uqg7*cvNLO(Q@x|g>t{tk=z9t9kQ-Yvkl6*U&4{7}BucfyuIah0tQ<>r9jC1_B z(zH@5S+zUJEK@(4AiX7jR$oEuyKR4LQ{-|9vy5WJZ;*u5kp9Ag(8TqWR>vbdj4u`(<72I#&kKnS@`mpZ0G1Ig#G{uMcC#bB?nH%(BqvGb zmdHg8ev&q6?Vz+u847B91%+?ah(J52@~lLkG^7!^PG-Btg}bKUEPT3gvXdeE;hQtF zXYeW>%mbf?7z=SZ-BG&7)#EXCwzCO6w<=hd-02(Nsv+^=YxMJOPEZ7i$CY|NS`{UT zcs&+kT3TqP1t7XKLWS!-03+p3K_%uNhyGO8^YkGjC--&0*0 zE$e!E(v#4-?mtzqiXNTp0(Eh}qOL7cCw-&C{OGM#kxsiEmXH|_>**Bp}^kK~VanNp6yV8q0V@l)V&AsXUfm~&v8pyi!& zOg+!3CKBme!+7H<>oe}TTXUYxl>sgsUZpQtlcuvyUE*^4cUMYbm<~?>r;a>S(%oT~9E6LYB4R<{4 ziZUP9sLsK#oz4AJ+@>Rj#_f__RQ}XF4Xw|nyE{1oq z5Z03S#5V5PxG&Fr4Po9}>qqY-RS@uf$7QdDm{Q>KjV$rQTKWAEvNwgQj%w7VV}{tv zEdm5PubuWy^IuahW*8yC`iC27>0|+7qjfstm}>R0J{ypyufHDZ5y&hM#Xq!ZwtT&| zXX_W8O)eQRu&n($j?K{_&U)`Fq2@6hnXmUAa(WR3ZPZrF<>iE~aL%j33HdW(M}HZj ztc6{mA~vPrHMi^ZGs@3|vM;M=CZ*6_8dmmfRUN)`x;U&p7XJ`1<7OFz-UxWv8elC< zs~YH%weA)$!OGl1uomxA#C6tWPBI(OkfL|5Nnc)19A zyPw1go?^<)ghOvoIg}=PpW;gUffFS(#Y+~mTE)nN+!scMGDyL! 
z<|4!Sp1a=`v_5flI_tjoX%uy%%)REhcqK6&(`lZKn2`P%t~sa!p+(@K;>Uf45k_C} z%5?r}7eQi<;&J-bq8BRkQuCAf*`pFh1`L@56l0W4Ycgj`2$<8fYyvZSJSvELu@ij- zx$CHbFS49f5R(KKyUoE*6u-##EaCstOaXEtiPGQa5J2V;+-!du)BkHC`OzZe(S{Jo zD~Uf7u1a{wJ_tg^4D>&e#($9%{hX!K2T8bm!3h^!?{|dpLYdX^!bgh` zgjk#33cvrl54U;AZC-Mlm)zzhw|U8be_mn%w)#@&h_`IiEgN;qM%}Vew`|n^3O33T zZ1uls{g$u%A7m3jH`xT&AF~N*UT`*n0DSgqHUU8p^auW@_%3ip#C~zhcl}rKT@V#e z1*-rrc$Pn;{dGbKLk!`&V8C++Ae1NT#IJnU56Tm)0>KHlD)3*W0^m`}TXOQ2ocuS* zNr)lQx`zKd#Rlm&-iqdr-s;h!0tS4ux55u|1c1mk2h08&D}bck$R_`zY?)PG4EV3t zyMOeA($EM11@MFtNc(GF3&jC3gHUWlnGggsvOgk#&mIr4l9}{7?GO8-kU^uPM*5?r z{4)dGjY}Lpx{9xNFe-7Bp}*7`=t?N#XDD0p@v5V3lH*#=p|7`n1ks>{x_WZJ*#VZN716A{EOGnM^daU`l?EXrS& zZuX#yg0e|+ZKhnhFDfc)vf3q(1CL~V3ZFZ(iH+Len$})dA$LAT;M-E&Ls~6fQZffc zu`WJPudIgVvQu>Q1mR^{#qu+$D7^d?ycV%N2mOzDnNftx2I<{_LfN`Xf?T7Y&@Cc1 z;nT3iBcS1?dba&pUXP?yh*ckq`G~(g3)sV48|qCjs7M2+K>C!=#m}Estp}|8QIQg7qd z)hNt{agpW79)7t%dR*n?QT>jt+dq_XmrL|4S|d0;7QF@-)lT4Yr7i4gt7nFh`Bp$f z+U7ylo>)Vdbz}8YCOZJp@g8x_B%Gqd(1rTNc84h!+VdorU_}iZp;~?Qx>Q3vE<9=t zzvdPE__Ug>XeEm0KK9*XIku){GWwm~=@}L2$Sb^+yv!MIgdN`?jh5JaDd3C883w*O zp~h_=>K`4u(h~QnSSV$f_6k?Nw!_;(-^fklDm4$xK8R9l5etd|mdl+!3D#(seaq8` z9dW5GmWpJE5%k(0g#m4Rd6kN}{?9a)Yers0|7jE_$om8>(gc8aK*B94_A?d<3O3f`f znMwwilUn3-J&FZPiP+~$u}Nkm_HxJD_jUZ`fW@D$@Qp@*uP7Wvv|frMdj!v5b&))& z*hK-EiAczIT+dU_`AWVL7$A);vO{mrpiN+oX_gUCOcx3rqF1CCBAKw>xGU~wGEa}@ zgqkk1`n1D7E)GDG4tmkdB~0QUZ5&9MxaaI3 zHbp0ni6i3&)WWXT74h=xYjf}phXiCh;F4fymT0CiJPc%@%mzWt&mPvbG0iX55Nm|U z#qf>jCo||>z09;}xL33D;7-R}UdnVqHHsJ0*OZdv7!D&6ragnV_ww;Uq^QQdHHy^s zylN?&^bDU!^70QIx4miZS9DxF_9MO`XpPrtn4yO)WWr^%Ko;xkat|i@7*+MWUHgFX3k#UK_>odghbBKeRVr z=4D1Le#x2A0o#ZJH)gK5mA6|1-&;!T=t|C9k~&F9Q(qiE+bfwRt%z{nA5oHj_!GfV z(L%S!Sv;xf(B|pWd)teP*LNk!!gmg0svA5OscnUhjzuDno}J@cw~M;0d@aS;V?-ru zCJbJ0&m`<_-}rR-ilA&fK;AQAzXHxS+!V$k)!^EybcJZ~?#OY+6>RDydCFy@tcBp6 zZ}KnR<@0;=1+Uo~%kShruUfvyY6!McEnG%ijmrzhvZVN?{WT=7%RS|BP)+vkgUIgl zV7DDJ@w=WFinGD?#Xee9UeBNJNdOUtrLLc^zod+#W7cPyotuEteb}`)#KSYq909Yh 
zPxXN(P2}a#v*(!eU-xA4)d=`GmnTIY7a@&wvS4EGo`GVV4`ILdTZCR9>$0e`ENab& zsVdWLP~1Pzj?n4jzznuiTIi9BD%**9ZMt?a&@d#)JSmFKY9ll2EhpUt$RUxX2|1qM z@8?LBNNX4`aeBQ_lK1X8>&{EARFqS<1JZa!t~0bF^h*QeIU4;(|HZb1$rWrwU)2 z`4#T4seM%sn+}g0%CX{khfrB1?wohu?n+Nlq@q<}{`Ck|N-GJjn15hP>cFl?E$CN`t{@SmI7Ws_F}JjgcwJZS{d;H&rU1epIQD{+hC> z_}};vaFq&*BLLt*oUU(-eLfr?_n`+)!!^ch&VCH1XKrc`P2QVCIY*p1EBC-EOPkW- zO%dX!XKYo0pWiN>mW?swg_R&xr8q@mSr75_@**kUYkEZRI=;Z1;D9Tvk73j-&^mLa zU6uXLD*#v>7SUT}phH9LFz%UY@fN z@!G<(C|7b{&R(mYD!dRN9jiJn(-0g(CUrEUuG*v6(bK`(2qVO*^VI$5(1)ROaKFs{ zTWA(1vE;qjj=0q@F)h!u@r-9%rRtx_hW%{mIUQ_VK5sT~-(9y(-Fwt2z@-`Def&va zeX`lP`7m~X(fhQtR9KMIbcP-L;d{iz9Kr@W0$!G6VJTH7;@-B_B*5G8L>PPPr9#m z-7)9V+$EZ!FBBiSoL9cl$H=9kMW>C9uKVJ#&DgDw06X!1w25DRJ_g^_Dp;eAsrBWYs1~8|g+(xUn(dz$Lv>LGvuBiqSLXh^? z76#^~a2)2xdWfw5v>u`wGsMC`DkVBL{!uBx2iXVa91t&m2!^q+C6QJaBf##7?WU(+ ztR9M~lENa#Vs>14=2Vpx8Z(W?l)mo6jL(lCQb4G!pYIs^HeNy+U!&>T7Er}v|3y3fuv>mk=A{rZPqo3!j zH*#*XJZqy*O`g+%%F)P59%x6oGC5kUjA88sZEB!itmrN0hFJNf)L`r-Ndddw;1uDT znKhH~Jz^mgC(wEFncyw|uLQyf&5eOWqEt!GLmI~)}B;nklJm#Wh0tFd$#1_|M zMfSb)GS~6&-d$_)5KLv#fdXcI;(n%rLu*kez<2YStKfeRFUn# zenqO%JEzTF6xw2`0U4iPsr~RaO|S~9RfD5oTs#%Q8rV0sLz^bv3wtZk zAkQ!A?=c|QVr8$^3$2K~v@gI)9_=Ehi_q)l1N+thR{xBgIdkQ_$K5JJL_)nIc^^Q( z7IQihC_hV3EeQ`D+r316Mx4XYIl>(>z=Qm5M>528y1uM9gI^hbmm;`FIVu_1xDgS` zfspitamld~=qXO+9BT=k1+qiC_~sofkv9K$6U?~zZyw?fIneMi!EcFXMlxE4(=wRG zue@WiPMJC@oI&5394ku5P>j~-eR{Ox-SLze;BxO%K|vQkxJO_vh~2qzphuE$wU3}* zEc6zxitS@+%8@eL@#<$0)zq%;*+Vpw_bFPKtHs$iA@y@sx)sMDQUPnKbVh0~tTWIWIV^%3VP964C*bz_GHY&a;zx+M)&KEuAT?g9d zsCru@X05ypglMS)l09ruj>TQY0yJVA6j8Zju89a?VJ3)Jx+oO>h5;IvN6LKRo)-== ziwRnpR6yXS_FIurZ>*pYY0!DpPH<;qnxi(hxsRKR3l1t>5qV9S1m56*a2k@AzT~!c zg8;;9`E8*69fs)D4U2Q;`nD;*pfhwECqj>`^iEvbHz|yJj9+J# zOuGj9cX{d(p0NlYrLeE4V5xp-8axRUu3VRu5fL_odW3X8d2AK$nv_;U$7h!U|AG!n zovX$hncd*wn(?JR zxIWBVC%Pi}nw=wM^WJV8ou;qS^fR`~5sM>*k&=CGk|x2-Q@XP|I&5fwGbgjt*wK4^!zq|;IO!8&aPp^D1B;r)(3)#;f+-60 z(}lESmC0w}-u@bbt*b+ALz~2-w8lb28ZF)Q&4<*Wr4I@BGCplDW*=;I7ISCeMSZAM zPZ#XygR?b{Bnh{bYy4yzd+_s 
z9BvmHSoH|)y(gYMrD$`7BZYT#9o_+2*R))7LNpaO#n`MTHH6QnXon6g^^?*!RlZCU zHxzIBdF^GNb`&Qx&sR?<;*rebrzP|RsYpMgW#S*sOLC|}eKr-6J{@FKzbZI|3~Jhf zArg$vq6~pvXk{}%FKwJ_@9SVK;^PHP-6aO>tu)|U^8qK5_rvrb)6BaFT%YM0(Wqo%=&+dlvZS z`6~7|E5fd{Q;%OYnUFoH%VZIJ&czqR<)DpxFxooe7-g&EIzFqOesm(daO$y|)T|j% zL`D|`3VE>5~2A5p{XQft+1Fj8+d$* z9hi0=ruKxHFfw^BYy33pt{ctktyw1D+3-5*-urhD4~o*W z0qsaM$cBuSZPDu}UxK14Qd3v=-y`g`6plBp*6vMlOPIE2Uz7#TdV9%fMU~WEdlcz? zMFc&B5*KekTh|{hmDl0a@~_Hj%!szvxzaVxPwE~ht|p|)4f@oAS`kJ%EH`qkZKL}9 zE?F2<2OjcU1ez)d=zGG66XVbUOPgtvNKfUZzRt=mbkEtxc7`mC+#_==p5obfRH{!$ zNbD&C9q3*VP=>Z9YNvRV=UlS%$nGfv{fKS)yvu82u_~VS#F^QtB$lTHbU?%Gk9Qk! zCpG~hOi_*g#T^4OTqIiCI9bO9@{1EZ(2?w_p90B2h77Y z^lmUAx%oa&NS+c5cPa;!6?WZkwqPWmw0cH9pqssX*Pasv^EI1HD>RRTh;hP{ghXiW zn^$iFxs}9JXz7}l4dnRVT=|J}?Y$Sy{Fq;g1)Av3bdQ5Kjy%&Hc2hUR)xlHS95ppq z{Pg9Lw{}h}4CZuBla>GZF3PH~tvgn|1T;Ss*~UzkK!~Qbn1!ZeuZnB;rZx}NhPv!l zx-xdHJ&b|E2=A57n?AD!ALvq>b~HEQB9NG_Em5tTMiG`(j>(KMEqTRV0upxR9_G8# zS#x!YEez>{HO}7}+vtUOMf1Zy^NPM0NOVIJKgTvSDaH%+K@bF+zlZSd2I1(h5Qf2v zq(i2%ju%1@^g192Ur68qeBfLG(*F8Bz>wSwA`|@>L>~Y3K77v?AhRV^a&CC&+Z^FG zN4U)q{ukv45K9vD1oiLa2y-{KYW0t{N*@Hy5rWNs$q^!5QU4BW_8B7E^z)y}#zRUO zDgSkhSCh`G@=~#;Z8(t3Rm#jv-Df#e-<#)Sgd5kiLNY5Y)pE$-+sES;)`Cr)uno&r zyOUhwo>scU)qr}I_gbnF#q7JCT5&9+!kig~^=JIdY{qqmR!>fv=8|hk_8v!zpA9)E zMixzQT`IXpiwnB!)6;k@mIGpo_e0kw6bIuD&m9jemgp%hCGO|UkL1Ci$Z={&QhUWv ztoOYuf(6pISrvEZmp9SxiggX0g~=BZ#P;}Wsh+8K@<65J|8I5*0kuO<vnj>1f+td%=%ugqXtaI2NpRxP#+PS~L(a=a7x}ecgBq*WW7Et1KRd#v8odD6@ zNxy&pS48wd7g05jAY;6GZvZ!$?V>Q+zg_$NQz`}^DE-$lUf5C*TyK5?1|N))##w$! 
z+JYGCCKybeSLt6n0R0!%xI#Wl8{EvN4lCF1@#8?r>WyCyguTg3WgU!T5J*OH$eHEd z%ty$P$EZmIqCphB7834m3|Tn-iiC^`wDZ;KB18=8l>VJ1n#EsqrRna{5A@e7?Ve*1 zQx__sucp`J_@x!ieu-`>#>Vv*RF-KKJ+v*~4;T0PLRD>Pkl|&I7yq?LGN;dDNUkB6 zu2~=}+5gM7Emx7dGSx)h1uxDiI_@b457{myiGfYqomN!2zVmRFUK9on-}=LRqF||j zO?3__O2o=kB|l=M#Ku+2hFuY@^W%GwnrC!-J--K)c1WFE<* z_Cwhn-(8~0pTBc?WPT;68fSaJpTU454zZu;~?uA@9S+@n+fPE{|ylf)6W z@tKD+ynyV9`o=HO8{haM?pGW37%Ul+6h9U|1LC((`GY2n4JC11WY%2ZW62(Vt2;ihr&1BEbDkX3p# zLB;MF(j-NFQ#RE{;N&Qhx7ET7xJQ1;$3D4On024QMk6pqK!@%{?R*ciaz@Db`{Y5d z%K9nhnvy$4RmLP7C}To<}(i9?gYR}Cvi z3&Sj6=dJlBL#u|8()8NT3zav@VJ8euPiC2vVhxJstMa5t1fEfb#wDGe(ac4nu@AG& z*lCQIw0d%|2EZ1H zg23k&vf7!NN{6Gx&%x|(;GP((G#T{qY)P7;+8ZXoD z89wadNUpn0|JO}SRQsg*5~E~qRBgrdK{G6EgNF@YcE8EXS zOCWCc&Li=0WAPan`XKDqCTye7h-ljk48LpReowz2}Mj`zxsVcaqfDky5dVHO`@jQ2&Uj2z^9 zU+0INJeChCvsCuS9Z#V~A97N_VWTJ8($X!ti0PP_Yu< z{=`R|N?!c1rwI@pu0S%(x`R{lYV9iN{m34QuXW^bA8buZ!5t$UPlk4*!7lSF>50;W zNKnJ!TNqBsXu+y^$-3j{>(XQU=QfFiY|_B}@^m5bw3=t0NcK{R5kAwCK8!E!Lh;hg#H0CNizC{sH_b)rU5Y9Esf6{vCF<<&ho5%G&F zO10{y1Ad4&8HosLuhgvx1B5e&)a-vfM?ENDB56;3#4a^C%>OXSHZAdt*95OK3O`fe z^Bo_YR|G&VpGt?OPuF5Z!AvyRcY%BEkL=;YUq>YJN#P+{&SaFHEH=_a=NJ(dACvD_eo?t)ipVt+PEPIzxhI zv(oKTPQfJNI89nU4MjDnNaWVn=x#6YifOG9_d8QU-v=%Y#sfaKyHB34+qMkaRqx6f zv3(2R-3ml(3h#}Te6YMV`?31oYX=maxkppP7rnC8!z3@>r#Y}O*?+T5nl5?ZSSy_( zi1D7H0@@m^0nC$7x6$ftwE901twQumaS7_*9^*Chf>;>H81KpBpJTkQ#3B2@W4v(S zHP3D~IBd?o`eD8g(9T2hof_miuuknY3d%?Pf!F9o{RqjHQxQrqq%t3Dt7M-#=<2?Y z>+d}ewJV)Tx!RW2%oD@E?2sFzjKM#Gz~VP>6lr`ZXQ!I=V0KP za#w_yh0d7=H1unfv0~C=V70+CmlwR5rR@FHX;f5q3 zr8@6ZpE+ttD*`8RRSO5w$vyuVuGeRX-Tfb_rcFmM7D>w^T4?li+xDF)6e&E3CMr66 zgC>+SP>BZ*@9i4f@doME`zViJhb!i-oHd!C;xfNz&8X@`r!0!B$QyjUbljKn>o$&3+}uu7(HA=)a9J$ajWQllET@}>5^uuSccoWIG7Cu&>e0z`TUlD<@K z=L2vtJq;xNt}F%y?Z+SdkkZHrK#PtD7dyLyWHJW(6dx`_jAW_#vznp5QQ$)BN*&-0 zNHL1Ge43Kif9E3Vsrfv#ct;lost5ZKT8n$?G{%*UGV1f9JAMiFY+a773f~gcQ1`@|SMo7te)B0fB@sn(eQ2|$%EN^#0RoRkuvAWBe6B?mojml{U8FE%` zp{oNdZrQ13#><7Cel%nNA8*2itP3vUB;Szq$SxY=d$_QSC&YA51EL;Aw4pN8K5&5Y 
z*Z6jN!q_AT&-id(~CuCJ!*War1h+`VVx7_bLVQ#%Lv-Q2EYU@bL~YYrN9|Orz7w z2~=`#>r<}AQ8Q9Y;+SHkoY}h5CO%QbRFxKRlZ|Fqvi6r)7?ZgeU5_cc5Y%x!Yt116 z4M(@IxQHh-zdQXPcHt<2#I#BqHi}=$XBy_`T8KbHXrzX8j7bOTc=a;bkd5K%?2c5$ zlSOhecdDY#O59I)YGAPzr|s&pN|OXd4uv3AC6Dg6#hU-Rj{fHw8$>%d{LSF6981k3 z2y+c)vr|gjesaxbUgL#U_7DVq+P_u%bj#x0vN-?8ERGFWzurEA1DHSoZrY9e`qMEb zD5;y7AmCDY$e0p)>91oMR`x$5Z_o|^ptB$!Z=?IBTZ3h6ef4OUR%Lf;g4NyG4t^U> zLWs1f?%9sxZ2ZHMNm^%IE$1qrqiyBPxRmod%64w@rLItdtdgf94IfonlCYtoo)L?c zap(fKvlXJ@%Zsbd$c1tjszaL`PUTuJ4_hY@1tytEmlvKEk3+3kBofAW)~lI9CDOne zpN~qw_n*rWuW=)~e%R+{KA2-vh`c&Y`U>~(XfqI&>5iP%K{D^GcUcnIn+-DYSFlgx zI9{pHiUoS0?Tr(vROS}youFFF$8(qC<;6Gd;t3n6$xRYTL@0La2FCJXwpt=ym*1R4!wkyYCADIew@d4d(gLI-LtQ^dW(|Bit*O z7K{^Wq)oTN#XV+@m4Lc-zS)?wg$GbZ@M0I++4p6;MZ395`{Ll} z7TD%n*Kp*L@yVt?=G}{N7oD0&hzaapCLFanL25h_!+jRAc0y{KR!2UO zF!9p0@YuuY1D9!WZ1=8TD@#&)19FgJE3w{{Eu&>A;pHQ;d=wMeD~rpTh9peUy>7ky zBibkRGzwMl?COgfB}2rVe6=r#yq$w>YbYaTL_T5V@6+gC;6XWl3`8Q1&~5VVtPu}3 z3f0YP@Y{YmvqP0P)r=q!r>M@!aJgQVcQ;2((pzQ*|X6#SO(`|lzAAllHXa~pWx2A=Dz46g-awV~O@)9(GJ^Kv^}>q@r?NQ<>&hjk zk4UQBF)fN_Hfq!Of#JULWWD_FnNxvHl24inn!N3wPWGU$SV%|l8+So{ky||fTBUP8 zubru_zrjYH1-WNb8Qs#%6v01&?FZw(uM96Le&D)5~=v~VN zsvDZfMnNH+XxHy!IqYh5&h2FJ3aFt$LvajYXu51dh2X>7n@pmsQ zcau17E%ICP%8W5FZp3KIS=etbDvPXJqr7Xy2ohEZ$fuF$qrq~k*3BZ(VcTd{-EWC! 
zsK9fn%6Lzr7onYeG8q4oPUP{<`WNj$AMbe8?Ovn}Tg@F{E!R{IqVDk3 zQK}NnIiVYBV!?05UbJ$@9uIjwRZH9MGPb}b;q#W)>lWcYGVC&;QtOA% zCPzL!KBdjzoEV`&7GJ@j8ZVMdj^yG9MaO3T{*~i7VQBx$Q*J@Isfc~#y4QK8B;lu} zBuaMyT^Z*&69j4IA=f)3IJ&sTwqOlryZd)Ws&4h`R=@t9elgeo`>S8xRzTfWK;2eA z-Bv)|RzUqXR6s$Z3d_!0tAAVfdRzB;Tlacf_xiu1?iFJ7ZNOIlKUDV$ro;o`Z|h$F zo9bR68sG}nfPZ%`>5s~1um+q8-D<#plLp+@jo#Lc{wL~2A(rGh*ph%JtKYO6zWq-t zxqkfo@sCxkIR9xCE1SrRs5*7Xd^`n30N{U4YL+qb->CM#{|cMFH{gK+>Bk>{yKJ5rw$pXf{a}i`}`cc(g%$fntX&Hw7vgZ2#Pld zHvfYNN;e4Be}$04{<9AzAIA&LydZsO|9gEC=-y>Lbg@F<7BOw7yz$OmT zZni(SbT>7tfFCuhoc~m_`oq$JXN%GL0{}SC&;WuT!r+ZO6j~0p`?Esf+ zAfWtU(0|*!mfx6HOt4CU4RAPEYA`DBZw$2pav&Eg;GdRyzfq}j@KEce8qJSB0Ni~0 zHF4>H|F}&5qB#A>WdgE8WIuQNlN(X4fQfiHkMiR({aEB(yPksJ%bnHDk~>L>3?VcQ z{>2m!(C$Up{}d=b7!K;?J-|K9r-c5$3+e?1#WO+te@0(R0ewrG AC;$Ke literal 0 HcmV?d00001 diff --git a/testing/btest/core/pppoe-over-qinq.bro b/testing/btest/core/pppoe-over-qinq.bro new file mode 100644 index 0000000000..cdfd4607ae --- /dev/null +++ b/testing/btest/core/pppoe-over-qinq.bro @@ -0,0 +1,2 @@ +# @TEST-EXEC: bro -C -r $TRACES/pppoe-over-qinq.pcap +# @TEST-EXEC: btest-diff conn.log From e416d34f1f3cb291fa164e00f531ba52dde47678 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Fri, 6 Jul 2018 13:46:06 -0700 Subject: [PATCH 553/631] bug fix for set intersection --- src/Val.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Val.cc b/src/Val.cc index d6bcdae4a6..48458254f1 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -1734,9 +1734,9 @@ TableVal* TableVal::Intersect(const TableVal* tv) const // Figure out which is smaller. if ( t1->Length() > t2->Length() ) { // Swap. - const PDict(TableEntryVal)* t3 = t1; + const PDict(TableEntryVal)* tmp = t1; t1 = t2; - t2 = t3; + t2 = tmp; } IterCookie* c = t1->InitForIteration(); From 2a8ea87c9fe048657edcf257ced11d89a8067afb Mon Sep 17 00:00:00 2001 
From: Vern Paxson Date: Fri, 6 Jul 2018 16:22:06 -0700 Subject: [PATCH 554/631] implemented set relationals --- src/Expr.cc | 95 +++++++++++++++++++++++++++++++++++++++-------------- src/Val.cc | 68 +++++++++++++++++++++++++++++++++----- src/Val.h | 10 ++++++ 3 files changed, 140 insertions(+), 33 deletions(-) diff --git a/src/Expr.cc b/src/Expr.cc index ed14eb6045..d3b22503cb 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -856,32 +856,55 @@ Val* BinaryExpr::SetFold(Val* v1, Val* v2) const { TableVal* tv1 = v1->AsTableVal(); TableVal* tv2 = v2->AsTableVal(); + TableVal* result; + bool res; - if ( tag != EXPR_AND && tag != EXPR_OR && tag != EXPR_SUB ) - BadTag("BinaryExpr::SetFold"); - - if ( tag == EXPR_AND ) + switch ( tag ) { + case EXPR_AND: return tv1->Intersect(tv2); - // TableVal* result = new TableVal(v1->Type()->AsTableType()); - TableVal* result = v1->Clone()->AsTableVal(); + case EXPR_OR: + // TableVal* result = new TableVal(v1->Type()->AsTableType()); + result = v1->Clone()->AsTableVal(); - if ( tag == EXPR_OR ) - { if ( ! tv2->AddTo(result, false, false) ) reporter->InternalError("set union failed to type check"); - } + return result; + + case EXPR_SUB: + result = v1->Clone()->AsTableVal(); - else if ( tag == EXPR_SUB ) - { if ( ! tv2->RemoveFrom(result) ) reporter->InternalError("set difference failed to type check"); - } + return result; - else + case EXPR_EQ: + res = tv1->EqualTo(tv2); + break; + + case EXPR_NE: + res = ! tv1->EqualTo(tv2); + break; + + case EXPR_LT: + res = tv1->IsSubsetOf(tv2) && tv1->Size() < tv2->Size(); + break; + + case EXPR_LE: + res = tv1->IsSubsetOf(tv2); + break; + + case EXPR_GE: + case EXPR_GT: + // These should't happen due to canonicalization. + reporter->InternalError("confusion over canonicalization in set comparison"); + + default: BadTag("BinaryExpr::SetFold", expr_name(tag)); + return 0; + } - return result; + return new Val(res, TYPE_BOOL); } Val* BinaryExpr::AddrFold(Val* v1, Val* v2) const 
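Review bot: The `case EXPR_GE:` / `case EXPR_GT:` arm in BinaryExpr::SetFold has no `return` or `break` after `reporter->InternalError(...)`, so control would run into `default:` and report a bad tag. That is correct only if InternalError() never returns, which this hunk does not show. Adding `return 0;` after the call, or a `// not reached` comment, makes the intent explicit. The comment above it has a typo and should read `// These shouldn't happen due to canonicalization.`.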
@@ -1970,13 +1993,16 @@ EqExpr::EqExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) Canonicize(); - TypeTag bt1 = op1->Type()->Tag(); - if ( IsVector(bt1) ) - bt1 = op1->Type()->AsVectorType()->YieldType()->Tag(); + const BroType* t1 = op1->Type(); + const BroType* t2 = op2->Type(); - TypeTag bt2 = op2->Type()->Tag(); + TypeTag bt1 = t1->Tag(); + if ( IsVector(bt1) ) + bt1 = t1->AsVectorType()->YieldType()->Tag(); + + TypeTag bt2 = t2->Tag(); if ( IsVector(bt2) ) - bt2 = op2->Type()->AsVectorType()->YieldType()->Tag(); + bt2 = t2->AsVectorType()->YieldType()->Tag(); if ( is_vector(op1) || is_vector(op2) ) SetType(new VectorType(base_type(TYPE_BOOL))); @@ -2006,10 +2032,20 @@ EqExpr::EqExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) break; case TYPE_ENUM: - if ( ! same_type(op1->Type(), op2->Type()) ) + if ( ! same_type(t1, t2) ) ExprError("illegal enum comparison"); break; + case TYPE_TABLE: + if ( t1->IsSet() && t2->IsSet() ) + { + if ( ! same_type(t1, t2) ) + ExprError("incompatible sets in comparison"); + break; + } + + // FALL THROUGH + default: ExprError("illegal comparison"); } @@ -2072,13 +2108,16 @@ RelExpr::RelExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) Canonicize(); - TypeTag bt1 = op1->Type()->Tag(); - if ( IsVector(bt1) ) - bt1 = op1->Type()->AsVectorType()->YieldType()->Tag(); + const BroType* t1 = op1->Type(); + const BroType* t2 = op2->Type(); - TypeTag bt2 = op2->Type()->Tag(); + TypeTag bt1 = t1->Tag(); + if ( IsVector(bt1) ) + bt1 = t1->AsVectorType()->YieldType()->Tag(); + + TypeTag bt2 = t2->Tag(); if ( IsVector(bt2) ) - bt2 = op2->Type()->AsVectorType()->YieldType()->Tag(); + bt2 = t2->AsVectorType()->YieldType()->Tag(); if ( is_vector(op1) || is_vector(op2) ) SetType(new VectorType(base_type(TYPE_BOOL))); 
@@ -2088,6 +2127,12 @@ RelExpr::RelExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) if ( BothArithmetic(bt1, bt2) ) PromoteOps(max_type(bt1, bt2)); + else if ( t1->IsSet() && t2->IsSet() ) + { + if ( ! same_type(t1, t2) ) + ExprError("incompatible sets in comparison"); + } + else if ( bt1 != bt2 ) ExprError("operands must be of the same type"); diff --git a/src/Val.cc b/src/Val.cc index 48458254f1..02e88cd3b4 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -1727,16 +1727,16 @@ TableVal* TableVal::Intersect(const TableVal* tv) const { TableVal* result = new TableVal(table_type); + const PDict(TableEntryVal)* t0 = AsTable(); const PDict(TableEntryVal)* t1 = tv->AsTable(); - const PDict(TableEntryVal)* t2 = AsTable(); - PDict(TableEntryVal)* t3 = result->AsNonConstTable(); + PDict(TableEntryVal)* t2 = result->AsNonConstTable(); - // Figure out which is smaller. - if ( t1->Length() > t2->Length() ) + // Figure out which is smaller; assign it to t1. + if ( t1->Length() > t0->Length() ) { // Swap. const PDict(TableEntryVal)* tmp = t1; - t1 = t2; - t2 = tmp; + t1 = t0; + t0 = tmp; } IterCookie* c = t1->InitForIteration(); @@ -1745,8 +1745,8 @@ TableVal* TableVal::Intersect(const TableVal* tv) const { // Here we leverage the same assumption about consistent // hashes as in TableVal::RemoveFrom above. - if ( t2->Lookup(k) ) - t3->Insert(k, new TableEntryVal(0)); + if ( t0->Lookup(k) ) + t2->Insert(k, new TableEntryVal(0)); delete k; } 
@@ -1754,6 +1754,58 @@ TableVal* TableVal::Intersect(const TableVal* tv) const return result; } +bool TableVal::EqualTo(const TableVal* tv) const + { + const PDict(TableEntryVal)* t0 = AsTable(); + const PDict(TableEntryVal)* t1 = tv->AsTable(); + + if ( t0->Length() != t1->Length() ) + return false; + + IterCookie* c = t0->InitForIteration(); + HashKey* k; + while ( t0->NextEntry(k, c) ) + { + // Here we leverage the same assumption about consistent + // hashes as in TableVal::RemoveFrom above. + if ( ! t1->Lookup(k) ) + { + delete k; + return false; + } + + delete k; + } + + return true; + } + +bool TableVal::IsSubsetOf(const TableVal* tv) const + { + const PDict(TableEntryVal)* t0 = AsTable(); + const PDict(TableEntryVal)* t1 = tv->AsTable(); + + if ( t0->Length() > t1->Length() ) + return false; + + IterCookie* c = t0->InitForIteration(); + HashKey* k; + while ( t0->NextEntry(k, c) ) + { + // Here we leverage the same assumption about consistent + // hashes as in TableVal::RemoveFrom above. + if ( ! t1->Lookup(k) ) + { + delete k; + return false; + } + + delete k; + } + + return true; + } + int TableVal::ExpandAndInit(Val* index, Val* new_val) { BroType* index_type = index->Type(); diff --git a/src/Val.h b/src/Val.h index ef2a8eefd6..32ce6a0187 100644 --- a/src/Val.h +++ b/src/Val.h 
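Review bot: Both early `return false;` paths in TableVal::EqualTo and TableVal::IsSubsetOf abandon the iteration started by `t0->InitForIteration()`, so the cookie `c` is not released on those paths. If the dictionary API expects abandoned iterations to be ended explicitly (its declaration is not part of this hunk), add `t0->StopIteration(c);` before each `return false;`. The two loops are otherwise identical, so EqualTo could be reduced to `return AsTable()->Length() == tv->AsTable()->Length() && IsSubsetOf(tv);`, which leaves a single place to fix.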
@@ -815,6 +815,16 @@ public: // sense for sets. TableVal* Intersect(const TableVal* v) const; + // Returns true if this set contains the same members as the + // given set. Note that comparisons are done using hash keys, + // so errors can arise for compound sets such as sets-of-sets. + // See https://bro-tracker.atlassian.net/browse/BIT-1949. + bool EqualTo(const TableVal* v) const; + + // Returns true if this set is a subset (not necessarily proper) + // of the given set. + bool IsSubsetOf(const TableVal* v) const; + // Expands any lists in the index into multiple initializations. // Returns true if the initializations typecheck, false if not. int ExpandAndInit(Val* index, Val* new_val); From 73349362a3e5cec0625738b711bf7aca9c6d8ab6 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Mon, 9 Jul 2018 13:05:10 -0700 Subject: [PATCH 555/631] 'W' for zero window implemented; logarithmic 'T'/'C'/'W' history repetitions --- NEWS | 10 ++++ scripts/base/protocols/conn/main.bro | 14 +++-- src/Conn.cc | 39 +++++++++++++ src/Conn.h | 11 ++++ src/analyzer/protocol/tcp/TCP.cc | 67 ++++++++++++++--------- src/analyzer/protocol/tcp/TCP_Endpoint.cc | 29 ++++++++++ src/analyzer/protocol/tcp/TCP_Endpoint.h | 17 +++++- src/analyzer/protocol/tcp/events.bif | 37 +++++++++++++ src/analyzer/protocol/udp/UDP.cc | 23 +++++++- src/analyzer/protocol/udp/UDP.h | 6 ++ src/analyzer/protocol/udp/events.bif | 13 +++++ 11 files changed, 231 insertions(+), 35 deletions(-) diff --git a/NEWS b/NEWS index b6d88aa82f..31f144cddd 100644 --- a/NEWS +++ b/NEWS 
@@ -255,6 +255,16 @@ New Functionality semi-present in previous versions of Bro, but required constants as its operands; now you can use any pattern-valued expressions. +- The new history character 'W' indicates that the originator ('w' = responder) + advertised a TCP zero window (instructing the peer to not send any data + until receiving a non-zero window). + +- The history characters 'C' (checksum error seen), 'T' (retransmission + seen), and 'W' (zero window advertised) are now repeated in a logarithmic + fashion upon seeing multiple instances of the corresponding behavior. + Thus a connection with 2 C's in its history means that the originator + sent >= 10 packets with checksum errors; 3 C's means >= 100, etc. + Changed Functionality --------------------- diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro index 0e9661dea3..e96b27873c 100644 --- a/scripts/base/protocols/conn/main.bro +++ b/scripts/base/protocols/conn/main.bro @@ -86,8 +86,9 @@ export { ## d packet with payload ("data") ## f packet with FIN bit set ## r packet with RST bit set - ## c packet with a bad checksum + ## c packet with a bad checksum (applies to UDP too) ## t packet with retransmitted payload + ## w packet with a zero window advertisement ## i inconsistent packet (e.g. FIN+RST bits set) ## q multi-flag packet (SYN+FIN or SYN+RST bits set) ## ^ connection direction was flipped by Bro's heuristic 
@@ -95,12 +96,15 @@ export { ## ## If the event comes from the originator, the letter is in ## upper-case; if it comes from the responder, it's in - ## lower-case. The 'a', 'c', 'd', 'i', 'q', and 't' flags are + ## lower-case. The 'a', 'd', 'i' and 'q' flags are ## recorded a maximum of one time in either direction regardless - ## of how many are actually seen. However, 'f', 'h', 'r', or - ## 's' may be recorded multiple times for either direction and - ## only compressed when sharing a sequence number with the + ## of how many are actually seen. 'f', 'h', 'r' and + ## 's' can be recorded multiple times for either direction + ## if the associated sequence number differs from the ## last-seen packet of the same flag type. + ## 'c', 't' and 'w' are recorded in a logarithmic fashion: + ## the second instance represents that the event was seen + ## (at least) 10 times; the third instance, 100 times; etc. history: string &log &optional; ## Number of packets that the originator sent. ## Only set if :bro:id:`use_conn_size_analyzer` = T. diff --git a/src/Conn.cc b/src/Conn.cc index 1edecde0b9..7f9dd862b9 100644 --- a/src/Conn.cc +++ b/src/Conn.cc 
@@ -289,6 +289,45 @@ bool Connection::IsReuse(double t, const u_char* pkt) return root_analyzer && root_analyzer->IsReuse(t, pkt); } +bool Connection::ScaledHistoryEntry(char code, + uint32& counter, uint32& scaling_threshold, + uint32 scaling_base) + { + if ( ++counter == scaling_threshold ) + { + AddHistory(code); + + int new_threshold = scaling_threshold * scaling_base; + + if ( new_threshold <= scaling_threshold ) + // This can happen due to wrap-around. In that + // case, reset the counter but leave the threshold + // unchanged. + counter = 0; + + else + scaling_threshold = new_threshold; + + return true; + } + + return false; + } + +void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig, + uint32 threshold) + { + if ( ! e ) + return; + + val_list* vl = new val_list; + vl->append(BuildConnVal()); + vl->append(new Val(is_orig, TYPE_BOOL)); + vl->append(new Val(threshold, TYPE_COUNT)); + + ConnectionEvent(e, 0, vl); + } + void Connection::DeleteTimer(double /* t */) { if ( is_active ) diff --git a/src/Conn.h b/src/Conn.h index db0cb2fe55..00f084e8de 100644 --- a/src/Conn.h +++ b/src/Conn.h @@ -240,6 +240,17 @@ public: return true; } + // Increments the passed counter and adds it as a history + // code if it has crossed the next scaling threshold. Scaling + // is done in terms of powers of the third argument. + // Returns true if the threshold was crossed, false otherwise. + bool ScaledHistoryEntry(char code, + uint32& counter, uint32& scaling_threshold, + uint32 scaling_base = 10); + + void HistoryThresholdEvent(EventHandlerPtr e, bool is_orig, + uint32 threshold); + void AddHistory(char code) { history += code; } void DeleteTimer(double t); diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc index 791cf9f779..b08fc7b07b 100644 --- a/src/analyzer/protocol/tcp/TCP.cc +++ b/src/analyzer/protocol/tcp/TCP.cc 
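Review bot: The wrap-around guard in Connection::ScaledHistoryEntry does not catch every overflow, because `scaling_threshold * scaling_base` is a uint32 product stored in an `int` and a wrapped product can still exceed the old threshold. With base 10 and a threshold of 1000000000 the product wraps to 1410065408, which passes `new_threshold <= scaling_threshold` and becomes the next threshold. A history character is then added at a count that is not a power of ten. Doing the multiplication in 64 bits avoids this: `uint64 new_threshold = uint64(scaling_threshold) * scaling_base;` followed by `if ( new_threshold > 0xffffffff )` for the reset branch. The signed/unsigned comparison in the current test disappears with the same change.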
@@ -459,7 +459,7 @@ bool TCP_Analyzer::ValidateChecksum(const struct tcphdr* tp, ! endpoint->ValidChecksum(tp, len) ) { Weird("bad_TCP_checksum"); - endpoint->CheckHistory(HIST_CORRUPT_PKT, 'C'); + endpoint->ChecksumError(); return false; } else 
@@ -579,16 +579,38 @@ static void init_window(TCP_Endpoint* endpoint, TCP_Endpoint* peer, static void update_window(TCP_Endpoint* endpoint, unsigned int window, uint32 base_seq, uint32 ack_seq, TCP_Flags flags) { - // Note, the offered window on an initial SYN is unscaled, even - // if the SYN includes scaling, so we need to do the following - // test *before* updating the scaling information below. (Hmmm, - // how does this work for windows on SYN/ACKs? ###) + // Note, applying scaling here would be incorrect for an initial SYN, + // whose window value is always unscaled. However, we don't + // check the window's value for recision in that case anyway, so + // no-harm-no-foul. int scale = endpoint->window_scale; window = window << scale; + // Zero windows are boring if either (1) they come with a RST packet + // or after a RST packet, or (2) they come after the peer has sent + // a FIN (because there's no relevant window at that point anyway). + // (They're also boring if they come after the peer has sent a RST, + // but *nothing* should be sent in response to a RST, so we ignore + // that case.) + // + // However, they *are* potentially interesting if sent by an + // endpoint that's already sent a FIN, since that FIN meant "I'm + // not going to send any more", but doesn't mean "I won't receive + // any more". + if ( window == 0 && ! flags.RST() && + endpoint->peer->state != TCP_ENDPOINT_CLOSED && + endpoint->state != TCP_ENDPOINT_RESET ) + endpoint->ZeroWindow(); + // Don't analyze window values off of SYNs, they're sometimes - // immediately rescinded. - if ( ! flags.SYN() ) + // immediately rescinded. Also don't do so for FINs or RSTs, + // or if the connection has already been partially closed, since + // such recisions occur frequently in practice, probably as the + // receiver loses buffer memory due to its process going away. + + if ( ! flags.SYN() && ! flags.FIN() && ! 
flags.RST() && + endpoint->state != TCP_ENDPOINT_CLOSED && + endpoint->state != TCP_ENDPOINT_RESET ) { // ### Decide whether to accept new window based on Active // Mapping policy. @@ -601,29 +623,20 @@ static void update_window(TCP_Endpoint* endpoint, unsigned int window, if ( advance < 0 ) { - // A window recision. We don't report these - // for FINs or RSTs, or if the connection - // has already been partially closed, since - // such recisions occur frequently in practice, - // probably as the receiver loses buffer memory - // due to its process going away. - // - // We also, for window scaling, allow a bit - // of slop ###. This is because sometimes - // there will be an apparent recision due - // to the granularity of the scaling. - if ( ! flags.FIN() && ! flags.RST() && - endpoint->state != TCP_ENDPOINT_CLOSED && - endpoint->state != TCP_ENDPOINT_RESET && - (-advance) >= (1 << scale) ) + // An apparent window recision. Allow a + // bit of slop for window scaling. This is + // because sometimes there will be an + // apparent recision due to the granularity + // of the scaling. + if ( (-advance) >= (1 << scale) ) endpoint->Conn()->Weird("window_recision"); } - - endpoint->window = window; - endpoint->window_ack_seq = ack_seq; - endpoint->window_seq = base_seq; } } + + endpoint->window = window; + endpoint->window_ack_seq = ack_seq; + endpoint->window_seq = base_seq; } static void syn_weirds(TCP_Flags flags, TCP_Endpoint* endpoint, int data_len) @@ -1206,7 +1219,7 @@ static int32 update_last_seq(TCP_Endpoint* endpoint, uint32 last_seq, endpoint->UpdateLastSeq(last_seq); else if ( delta_last < 0 && len > 0 ) - endpoint->CheckHistory(HIST_RXMIT, 'T'); + endpoint->DidRxmit(); return delta_last; } diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc index c3175ec9f5..36fdaf1022 100644 --- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc +++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc 
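Review bot: The assignments to `endpoint->window`, `endpoint->window_ack_seq` and `endpoint->window_seq` at the end of `update_window` now run for every segment. Before this change they sat inside the `! flags.SYN()` block and one further nested condition whose test lies between the hunks. The new header comment argues that scaling a SYN's window is harmless because recision is not checked on SYNs, but the scaled SYN value is now stored as the baseline. If the elided advance computation reads `endpoint->window`, the first non-SYN segment could raise a spurious `window_recision` weird. Either keep the store guarded, e.g. `if ( ! flags.SYN() )` around the three assignments, or add a comment stating why an unconditional baseline update is intended.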
@@ -32,6 +32,9 @@ TCP_Endpoint::TCP_Endpoint(TCP_Analyzer* arg_analyzer, int arg_is_orig) tcp_analyzer = arg_analyzer; is_orig = arg_is_orig; + chk_cnt = rxmt_cnt = win0_cnt = 0; + chk_thresh = rxmt_thresh = win0_thresh = 1; + hist_last_SYN = hist_last_FIN = hist_last_RST = 0; src_addr = is_orig ? Conn()->RespAddr() : Conn()->OrigAddr(); @@ -284,3 +287,29 @@ void TCP_Endpoint::AddHistory(char code) Conn()->AddHistory(code); } +void TCP_Endpoint::ChecksumError() + { + uint32 t = chk_thresh; + if ( Conn()->ScaledHistoryEntry(IsOrig() ? 'C' : 'c', + chk_cnt, chk_thresh) ) + Conn()->HistoryThresholdEvent(tcp_multiple_checksum_errors, + IsOrig(), t); + } + +void TCP_Endpoint::DidRxmit() + { + uint32 t = rxmt_thresh; + if ( Conn()->ScaledHistoryEntry(IsOrig() ? 'T' : 't', + rxmt_cnt, rxmt_thresh) ) + Conn()->HistoryThresholdEvent(tcp_multiple_retransmissions, + IsOrig(), t); + } + +void TCP_Endpoint::ZeroWindow() + { + uint32 t = win0_thresh; + if ( Conn()->ScaledHistoryEntry(IsOrig() ? 'W' : 'w', + win0_cnt, win0_thresh) ) + Conn()->HistoryThresholdEvent(tcp_multiple_zero_windows, + IsOrig(), t); + } diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.h b/src/analyzer/protocol/tcp/TCP_Endpoint.h index 2e8a8a041e..d84b9adc77 100644 --- a/src/analyzer/protocol/tcp/TCP_Endpoint.h +++ b/src/analyzer/protocol/tcp/TCP_Endpoint.h @@ -166,6 +166,15 @@ public: int ValidChecksum(const struct tcphdr* tp, int len) const; + // Called to inform endpoint that it has generated a checksum error. + void ChecksumError(); + + // Called to inform endpoint that it has generated a retransmission. + void DidRxmit(); + + // Called to inform endpoint that it has offered a zero window.. + void ZeroWindow(); + // Returns true if the data was used (and hence should be recorded // in the save file), false otherwise. int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data, 
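Review bot: In `ChecksumError`, `DidRxmit` and `ZeroWindow`, the local `t` exists only because `ScaledHistoryEntry` advances the threshold through its reference before the event is raised. Nothing in these bodies says so, and the copy looks redundant. I would add `// Snapshot: ScaledHistoryEntry() updates the threshold in place.` above `uint32 t = chk_thresh;` and the two matching lines. The three bodies differ only in the history letter, the counter pair and the event, so a small private helper taking those as arguments would keep them from drifting apart. The header comment for `ZeroWindow` in TCP_Endpoint.h also ends with a doubled period.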
@@ -188,6 +197,7 @@ public: #define HIST_MULTI_FLAG_PKT 0x40 #define HIST_CORRUPT_PKT 0x80 #define HIST_RXMIT 0x100 +#define HIST_WIN0 0x200 int CheckHistory(uint32 mask, char code); void AddHistory(char code); @@ -202,7 +212,7 @@ public: double start_time, last_time; IPAddr src_addr; // the other endpoint IPAddr dst_addr; // this endpoint - uint32 window; // current congestion window (*scaled*, not pre-scaling) + uint32 window; // current advertised window (*scaled*, not pre-scaling) int window_scale; // from the TCP option uint32 window_ack_seq; // at which ack_seq number did we record 'window' uint32 window_seq; // at which sending sequence number did we record 'window' @@ -225,6 +235,11 @@ protected: uint32 last_seq, ack_seq; // in host order uint32 seq_wraps, ack_wraps; // Number of times 32-bit TCP sequence space // has wrapped around (overflowed). + + // Performance history accounting. + uint32 chk_cnt, chk_thresh; + uint32 rxmt_cnt, rxmt_thresh; + uint32 win0_cnt, win0_thresh; }; #define ENDIAN_UNKNOWN 0 diff --git a/src/analyzer/protocol/tcp/events.bif b/src/analyzer/protocol/tcp/events.bif index 5cf2710804..d93ebe4819 100644 --- a/src/analyzer/protocol/tcp/events.bif +++ b/src/analyzer/protocol/tcp/events.bif 
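Review bot: `#define HIST_WIN0 0x200` is added here, but nothing visible in this patch uses it, because `ZeroWindow` records 'W'/'w' through `ScaledHistoryEntry` rather than `CheckHistory`. The same patch removes the visible `CheckHistory` calls for `HIST_CORRUPT_PKT` and `HIST_RXMIT`, and in UDP.cc for `HIST_ORIG_CORRUPT_PKT` and `HIST_RESP_CORRUPT_PKT`, so those masks may now be dead as well. If no code outside these hunks reads them, drop the new define and mark the others with `// unused since scaled history reporting` so readers do not assume the bitmask still gates these letters.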
@@ -290,6 +290,43 @@ event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%) ## TODO. event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%); +## Generated if a TCP flow crosses a checksum-error threshold, per +## 'C'/'c' history reporting. +## +## c: The connection record for the TCP connection. +## +## is_orig: True if the event is raised for the originator side. +## +## threshold: the threshold that was crossed +## +## .. bro:see:: udp_multiple_checksum_errors +## tcp_multiple_zero_windows tcp_multiple_retransmissions +event tcp_multiple_checksum_errors%(c: connection, is_orig: bool, threshold: count%); + +## Generated if a TCP flow crosses a zero-window threshold, per +## 'W'/'w' history reporting. +## +## c: The connection record for the TCP connection. +## +## is_orig: True if the event is raised for the originator side. +## +## threshold: the threshold that was crossed +## +## .. bro:see:: tcp_multiple_checksum_errors tcp_multiple_retransmissions +event tcp_multiple_zero_windows%(c: connection, is_orig: bool, threshold: count%); + +## Generated if a TCP flow crosses a retransmission threshold, per +## 'T'/'t' history reporting. +## +## c: The connection record for the TCP connection. +## +## is_orig: True if the event is raised for the originator side. +## +## threshold: the threshold that was crossed +## +## .. bro:see:: tcp_multiple_checksum_errors tcp_multiple_zero_windows +event tcp_multiple_retransmissions%(c: connection, is_orig: bool, threshold: count%); + ## Generated when failing to write contents of a TCP stream to a file. ## ## c: The connection whose contents are being recorded. diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc index ca46b88339..d1b798e65e 100644 --- a/src/analyzer/protocol/udp/UDP.cc +++ b/src/analyzer/protocol/udp/UDP.cc 
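Review bot: The documentation for `tcp_multiple_checksum_errors`, `tcp_multiple_zero_windows` and `tcp_multiple_retransmissions` does not state what the thresholds are. The same applies to `udp_multiple_checksum_errors` in the UDP events.bif hunk. From the constructors (`*_thresh = 1`) and the default `scaling_base = 10`, the event fires on the first occurrence with threshold 1 and again at each power of ten, separately per direction. Script writers need this to avoid alerting on a single bad checksum. I would extend the `threshold:` line to `## threshold: the threshold that was crossed; thresholds start at 1 and grow by powers of 10.`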
@@ -20,6 +20,9 @@ UDP_Analyzer::UDP_Analyzer(Connection* conn) conn->EnableStatusUpdateTimer(); conn->SetInactivityTimeout(udp_inactivity_timeout); request_len = reply_len = -1; // -1 means "haven't seen any activity" + + req_chk_cnt = rep_chk_cnt = 0; + req_chk_thresh = rep_chk_thresh = 1; } UDP_Analyzer::~UDP_Analyzer() @@ -77,9 +80,19 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, Weird("bad_UDP_checksum"); if ( is_orig ) - Conn()->CheckHistory(HIST_ORIG_CORRUPT_PKT, 'C'); + { + uint32 t = req_chk_thresh; + if ( Conn()->ScaledHistoryEntry('C', + req_chk_cnt, req_chk_thresh) ) + ChecksumEvent(is_orig, t); + } else - Conn()->CheckHistory(HIST_RESP_CORRUPT_PKT, 'c'); + { + uint32 t = rep_chk_thresh; + if ( Conn()->ScaledHistoryEntry('c', + rep_chk_cnt, rep_chk_thresh) ) + ChecksumEvent(is_orig, t); + } return; } @@ -209,6 +222,12 @@ unsigned int UDP_Analyzer::MemoryAllocation() const return Analyzer::MemoryAllocation() + padded_sizeof(*this) - 24; } +void UDP_Analyzer::ChecksumEvent(bool is_orig, uint32 threshold) + { + Conn()->HistoryThresholdEvent(udp_multiple_checksum_errors, + is_orig, threshold); + } + bool UDP_Analyzer::ValidateChecksum(const IP_Hdr* ip, const udphdr* up, int len) { uint32 sum; diff --git a/src/analyzer/protocol/udp/UDP.h b/src/analyzer/protocol/udp/UDP.h index 2c7f3ce150..7e07902a7e 100644 --- a/src/analyzer/protocol/udp/UDP.h +++ b/src/analyzer/protocol/udp/UDP.h @@ -31,6 +31,8 @@ protected: bool IsReuse(double t, const u_char* pkt) override; unsigned int MemoryAllocation() const override; + void ChecksumEvent(bool is_orig, uint32 threshold); + // Returns true if the checksum is valid, false if not static bool ValidateChecksum(const IP_Hdr* ip, const struct udphdr* up, int len); 
@@ -44,6 +46,10 @@ private: #define HIST_RESP_DATA_PKT 0x2 #define HIST_ORIG_CORRUPT_PKT 0x4 #define HIST_RESP_CORRUPT_PKT 0x8 + + // For tracking checksum history. + uint32 req_chk_cnt, req_chk_thresh; + uint32 rep_chk_cnt, rep_chk_thresh; }; } } // namespace analyzer::* diff --git a/src/analyzer/protocol/udp/events.bif b/src/analyzer/protocol/udp/events.bif index 394181cf5d..afcace330b 100644 --- a/src/analyzer/protocol/udp/events.bif +++ b/src/analyzer/protocol/udp/events.bif @@ -36,3 +36,16 @@ event udp_reply%(u: connection%); ## udp_content_deliver_all_orig udp_content_deliver_all_resp ## udp_content_delivery_ports_orig udp_content_delivery_ports_resp event udp_contents%(u: connection, is_orig: bool, contents: string%); + +## Generated if a UDP flow crosses a checksum-error threshold, per +## 'C'/'c' history reporting. +## +## u: The connection record for the corresponding UDP flow. +## +## is_orig: True if the event is raised for the originator side. +## +## threshold: the threshold that was crossed +## +## .. bro:see:: udp_reply udp_request udp_session_done +## tcp_multiple_checksum_errors +event udp_multiple_checksum_errors%(u: connection, is_orig: bool, threshold: count%); From 187757f3770c229d89e08d58aa9c5294ad8224f3 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Mon, 9 Jul 2018 13:05:50 -0700 Subject: [PATCH 556/631] a different sort of history update --- doc/intro/index.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/intro/index.rst b/doc/intro/index.rst index cf448a0c84..b58a4dbb5b 100644 --- a/doc/intro/index.rst +++ b/doc/intro/index.rst 
@@ -169,7 +169,7 @@ History Bro's history goes back much further than many people realize. `Vern Paxson `_ designed and implemented the -initial version almost two decades ago. +initial version more than two decades ago. Vern began work on the code in 1995 as a researcher at the `Lawrence Berkeley National Laboratory (LBNL) `_. Berkeley Lab began operational deployment in 1996, and the USENIX Security From e1b7820b01c23b3a4c5002b6a7b10883cacb0e2f Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 12 Jul 2018 17:51:23 -0500 Subject: [PATCH 557/631] Move bifcl to a separate repo --- .gitmodules | 3 + CMakeLists.txt | 4 + aux/bifcl | 1 + cmake | 2 +- src/CMakeLists.txt | 27 -- src/bif_arg.cc | 83 ----- src/bif_arg.h | 51 --- src/bif_type.def | 22 -- src/builtin-func.l | 422 ------------------------ src/builtin-func.y | 785 --------------------------------------------- 10 files changed, 9 insertions(+), 1391 deletions(-) create mode 160000 aux/bifcl delete mode 100644 src/bif_arg.cc delete mode 100644 src/bif_arg.h delete mode 100644 src/bif_type.def delete mode 100644 src/builtin-func.l delete mode 100644 src/builtin-func.y diff --git a/.gitmodules b/.gitmodules index 738888bf85..789449bca6 100644 --- a/.gitmodules +++ b/.gitmodules @@ -25,3 +25,6 @@ [submodule "aux/netcontrol-connectors"] path = aux/netcontrol-connectors url = git://git.bro.org/bro-netcontrol +[submodule "aux/bifcl"] + path = aux/bifcl + url = git://git.bro.org/bifcl diff --git a/CMakeLists.txt b/CMakeLists.txt index d0ea236330..370bf78c92 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -108,6 +108,10 @@ if (NOT BinPAC_ROOT_DIR AND endif () FindRequiredPackage(BinPAC) +if ( NOT BIFCL_EXE_PATH ) + add_subdirectory(aux/bifcl) +endif () + if (ENABLE_JEMALLOC) find_package(JeMalloc) endif () diff --git a/aux/bifcl b/aux/bifcl new file mode 160000 index 0000000000..a25704cc76 --- /dev/null +++ b/aux/bifcl @@ -0,0 +1 @@ +Subproject commit a25704cc769438b6ecaf92331511456826e90409 
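Review bot: The new `aux/bifcl` entry in .gitmodules fetches over `git://`, which is neither authenticated nor encrypted. This matches the existing `aux/netcontrol-connectors` entry above it, and the gitlink recorded by this commit does constrain which commit a fresh checkout lands on. The transport still gives no assurance about the server being contacted, though, and anyone updating the submodule to a newer head takes whatever the network delivers. Since bifcl output is compiled into the build, consider pointing `url =` at an `https://` or SSH remote for the same repository (exact URL to be confirmed by the maintainers).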
diff --git a/cmake b/cmake index 1600554d1d..a416553abc 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 1600554d1d907f4f252f19cf1f55e13d368a936f +Subproject commit a416553abcb7aa650e934cd3800bcab0cbcf3e63 diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 00f19b9348..ff0cfc019e 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -44,15 +44,6 @@ endmacro(REPLACE_YY_PREFIX_TARGET) set(BISON_FLAGS "--debug") -# BIF parser/scanner -bison_target(BIFParser builtin-func.y - ${CMAKE_CURRENT_BINARY_DIR}/bif_parse.cc - HEADER ${CMAKE_CURRENT_BINARY_DIR}/bif_parse.h - #VERBOSE ${CMAKE_CURRENT_BINARY_DIR}/bif_parse.output - COMPILE_FLAGS "${BISON_FLAGS}") -flex_target(BIFScanner builtin-func.l ${CMAKE_CURRENT_BINARY_DIR}/bif_lex.cc) -add_flex_bison_dependency(BIFScanner BIFParser) - # Rule parser/scanner bison_target(RuleParser rule-parse.y ${CMAKE_CURRENT_BINARY_DIR}/rup.cc @@ -93,24 +84,6 @@ replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/p.cc flex_target(Scanner scan.l ${CMAKE_CURRENT_BINARY_DIR}/scan.cc COMPILE_FLAGS "-Pbro") -######################################################################## -## bifcl (BIF compiler) target - -set(bifcl_SRCS - ${BISON_BIFParser_INPUT} - ${FLEX_BIFScanner_INPUT} - ${BISON_BIFParser_OUTPUTS} - ${FLEX_BIFScanner_OUTPUTS} - bif_arg.cc - module_util.cc - bif_arg.h - module_util.h -) - -add_executable(bifcl ${bifcl_SRCS}) - -target_link_libraries(bifcl) - ######################################################################## ## bifcl-dependent targets diff --git a/src/bif_arg.cc b/src/bif_arg.cc deleted file mode 100644 index f5e25f3746..0000000000 --- a/src/bif_arg.cc +++ /dev/null 
@@ -1,83 +0,0 @@ -#include "bro-config.h" - -#include -#include -using namespace std; - -#include - -#include "bif_arg.h" - -static struct { - const char* bif_type; - const char* bro_type; - const char* c_type; - const char* accessor; - const char* constructor; -} builtin_func_arg_type[] = { -#define DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor) \ - {bif_type, bro_type, c_type, accessor, constructor}, -#include "bif_type.def" -#undef DEFINE_BIF_TYPE -}; - -extern const char* arg_list_name; - -BuiltinFuncArg::BuiltinFuncArg(const char* arg_name, int arg_type) - { - name = arg_name; - type = arg_type; - type_str = ""; - attr_str = ""; - } - -BuiltinFuncArg::BuiltinFuncArg(const char* arg_name, const char* arg_type_str, - const char* arg_attr_str) - { - name = arg_name; - type = TYPE_OTHER; - type_str = arg_type_str; - attr_str = arg_attr_str; - - for ( int i = 0; builtin_func_arg_type[i].bif_type[0] != '\0'; ++i ) - if ( ! strcmp(builtin_func_arg_type[i].bif_type, arg_type_str) ) - { - type = i; - type_str = ""; - } - } - -void BuiltinFuncArg::PrintBro(FILE* fp) - { - fprintf(fp, "%s: %s%s %s", name, builtin_func_arg_type[type].bro_type, - type_str, attr_str); - } - -void BuiltinFuncArg::PrintCDef(FILE* fp, int n) - { - fprintf(fp, - "\t%s %s = (%s) (", - builtin_func_arg_type[type].c_type, - name, - builtin_func_arg_type[type].c_type); - - char buf[1024]; - snprintf(buf, sizeof(buf), "(*%s)[%d]", arg_list_name, n); - // Print the accessor expression. - fprintf(fp, builtin_func_arg_type[type].accessor, buf); - - fprintf(fp, ");\n"); - } - -void BuiltinFuncArg::PrintCArg(FILE* fp, int n) - { - const char* ctype = builtin_func_arg_type[type].c_type; - char buf[1024]; - - fprintf(fp, "%s %s", ctype, name); - } - -void BuiltinFuncArg::PrintBroValConstructor(FILE* fp) - { - fprintf(fp, builtin_func_arg_type[type].constructor, name); - } diff --git a/src/bif_arg.h b/src/bif_arg.h deleted file mode 100644 index 906cfd9c6a..0000000000 
--- a/src/bif_arg.h +++ /dev/null @@ -1,51 +0,0 @@ -#ifndef bif_arg_h -#define bif_arg_h - -#include - -enum builtin_func_arg_type { -#define DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor) \ - id, -#include "bif_type.def" -#undef DEFINE_BIF_TYPE -/* - TYPE_ANY, - TYPE_BOOL, - TYPE_COUNT, - TYPE_INT, - TYPE_STRING, - TYPE_PATTERN, - TYPE_PORT, - TYPE_OTHER, -*/ -}; - -extern const char* builtin_func_arg_type_bro_name[]; - -class BuiltinFuncArg { -public: - BuiltinFuncArg(const char* arg_name, int arg_type); - BuiltinFuncArg(const char* arg_name, const char* arg_type_str, - const char* arg_attr_str = ""); - - void SetAttrStr(const char* arg_attr_str) - { - attr_str = arg_attr_str; - }; - - const char* Name() const { return name; } - int Type() const { return type; } - - void PrintBro(FILE* fp); - void PrintCDef(FILE* fp, int n); - void PrintCArg(FILE* fp, int n); - void PrintBroValConstructor(FILE* fp); - -protected: - const char* name; - int type; - const char* type_str; - const char* attr_str; -}; - -#endif diff --git a/src/bif_type.def b/src/bif_type.def deleted file mode 100644 index c30ffeb49b..0000000000 --- a/src/bif_type.def +++ /dev/null 
@@ -1,22 +0,0 @@ -// DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor) - -DEFINE_BIF_TYPE(TYPE_ADDR, "addr", "addr", "AddrVal*", "%s->AsAddrVal()", "%s") -DEFINE_BIF_TYPE(TYPE_ANY, "any", "any", "Val*", "%s", "%s") -DEFINE_BIF_TYPE(TYPE_BOOL, "bool", "bool", "int", "%s->AsBool()", "new Val(%s, TYPE_BOOL)") -DEFINE_BIF_TYPE(TYPE_CONN_ID, "conn_id", "conn_id", "Val*", "%s", "%s") -DEFINE_BIF_TYPE(TYPE_CONNECTION, "connection", "connection", "Connection*", "%s->AsRecordVal()->GetOrigin()", "%s->BuildConnVal()") -DEFINE_BIF_TYPE(TYPE_COUNT, "count", "count", "bro_uint_t", "%s->AsCount()", "new Val(%s, TYPE_COUNT)") -DEFINE_BIF_TYPE(TYPE_DOUBLE, "double", "double", "double", "%s->AsDouble()", "new Val(%s, TYPE_DOUBLE)") -DEFINE_BIF_TYPE(TYPE_FILE, "file", "file", "BroFile*", "%s->AsFile()", "new Val(%s)") -DEFINE_BIF_TYPE(TYPE_INT, "int", "int", "bro_int_t", "%s->AsInt()", "new Val(%s, TYPE_INT)") -DEFINE_BIF_TYPE(TYPE_INTERVAL, "interval", "interval", "double", "%s->AsInterval()", "new IntervalVal(%s, Seconds)") -DEFINE_BIF_TYPE(TYPE_PACKET, "packet", "packet", "TCP_TracePacket*", "%s->AsRecordVal()->GetOrigin()", "%s->PacketVal()") -DEFINE_BIF_TYPE(TYPE_PATTERN, "pattern", "pattern", "RE_Matcher*", "%s->AsPattern()", "new PatternVal(%s)") -// DEFINE_BIF_TYPE(TYPE_PORT, "port", "port", "uint32", "%s->AsPortVal()->Port()", "incomplete data") -DEFINE_BIF_TYPE(TYPE_PORT, "port", "port", "PortVal*", "%s->AsPortVal()", "%s") -DEFINE_BIF_TYPE(TYPE_PORTVAL, "portval", "port", "PortVal*", "%s->AsPortVal()", "%s") -DEFINE_BIF_TYPE(TYPE_STRING, "string", "string", "StringVal*", "%s->AsStringVal()", "%s") -// DEFINE_BIF_TYPE(TYPE_STRING, "string", "string", "BroString*", "%s->AsString()", "new StringVal(%s)") -DEFINE_BIF_TYPE(TYPE_SUBNET, "subnet", "subnet", "SubNetVal*", "%s->AsSubNetVal()", "%s") -DEFINE_BIF_TYPE(TYPE_TIME, "time", "time", "double", "%s->AsTime()", "new Val(%s, TYPE_TIME)") -DEFINE_BIF_TYPE(TYPE_OTHER, "", "", "Val*", "%s", "%s") 
diff --git a/src/builtin-func.l b/src/builtin-func.l deleted file mode 100644 index 2d59408f83..0000000000 --- a/src/builtin-func.l +++ /dev/null 
@@ -1,422 +0,0 @@ -%{ -#include -#include -#include -#include "bif_arg.h" -#include "bif_parse.h" - -char* copy_string(const char* s) - { - char* c = new char[strlen(s)+1]; - strcpy(c, s); - return c; - } - -int line_number = 1; - -extern int in_c_code; - -int check_c_mode(int t) - { - if ( ! in_c_code ) - return t; - - yylval.str = copy_string(yytext); - return TOK_C_TOKEN; - } -%} - -WS [ \t]+ -OWS [ \t]* - /* Note, bifcl only accepts a single "::" in IDs while the policy - layer acceptes multiple. (But the policy layer doesn't have - a hierachy. */ -IDCOMPONENT [A-Za-z_][A-Za-z_0-9]* -ID {IDCOMPONENT}(::{IDCOMPONENT})? -ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+)) -DEC [[:digit:]]+ -HEX [0-9a-fA-F]+ - - -%option nodefault - -%% - -#.* { - yylval.str = copy_string(yytext); - return TOK_COMMENT; - } - -\n { - ++line_number; - return TOK_LF; - } - -{WS} { - yylval.str = copy_string(yytext); - return TOK_WS; - } - -[=,:;] return check_c_mode(yytext[0]); - -"%{" return TOK_LPB; -"%}" return TOK_RPB; -"%%{" return TOK_LPPB; -"%%}" return TOK_RPPB; - -"%(" return check_c_mode(TOK_LPP); -"%)" return check_c_mode(TOK_RPP); -"..." 
return check_c_mode(TOK_VAR_ARG); -"function" return check_c_mode(TOK_FUNCTION); -"event" return check_c_mode(TOK_EVENT); -"const" return check_c_mode(TOK_CONST); -"enum" return check_c_mode(TOK_ENUM); -"type" return check_c_mode(TOK_TYPE); -"record" return check_c_mode(TOK_RECORD); -"set" return check_c_mode(TOK_SET); -"table" return check_c_mode(TOK_TABLE); -"vector" return check_c_mode(TOK_VECTOR); -"of" return check_c_mode(TOK_OF); -"opaque" return check_c_mode(TOK_OPAQUE); -"module" return check_c_mode(TOK_MODULE); - -"@ARG@" return TOK_ARG; -"@ARGS@" return TOK_ARGS; -"@ARGC@" return TOK_ARGC; - -"T" yylval.val = 1; return TOK_BOOL; -"F" yylval.val = 0; return TOK_BOOL; - -{DEC} { - yylval.str = copy_string(yytext); - return TOK_INT; - } - -"0x"{HEX} { - yylval.str = copy_string(yytext); - return TOK_INT; - } - - -{ID} { - yylval.str = copy_string(yytext); - return TOK_ID; - } - - /* - Hacky way to pass along arbitrary attribute expressions since the BIF parser - has little understanding of valid Bro expressions. With this pattern, the - attribute expression should stop when it reaches another attribute, another - function argument, or the end of the function declaration. - */ -&{ID}({OWS}={OWS}[^&%;,]+)? { - int t = check_c_mode(TOK_ATTR); - - if ( t == TOK_ATTR ) - { - yylval.str = copy_string(yytext); - return TOK_ATTR; - } - else - return t; - } - -\"([^\\\n\"]|{ESCSEQ})*\" { - yylval.str = copy_string(yytext); - return TOK_CSTR; - } - -\'([^\\\n\']|{ESCSEQ})*\' { - yylval.str = copy_string(yytext); - return TOK_CSTR; - } - -. 
{ - yylval.val = yytext[0]; - return TOK_ATOM; - } -%% - -int yywrap() - { - yy_delete_buffer(YY_CURRENT_BUFFER); - return 1; - } - -extern int yyparse(); -char* input_filename = 0; -char* input_filename_with_path = 0; -char* plugin = 0; -int alternative_mode = 0; - -FILE* fp_bro_init = 0; -FILE* fp_func_def = 0; -FILE* fp_func_h = 0; -FILE* fp_func_init = 0; -FILE* fp_func_register = 0; -FILE* fp_netvar_h = 0; -FILE* fp_netvar_def = 0; -FILE* fp_netvar_init = 0; - -void remove_file(const char *surfix); -void err_exit(void); -FILE* open_output_file(const char* surfix); -void close_if_open(FILE **fpp); -void close_all_output_files(void); - - -FILE* open_output_file(const char* surfix) - { - char fn[1024]; - FILE* fp; - - snprintf(fn, sizeof(fn), "%s.%s", input_filename, surfix); - if ( (fp = fopen(fn, "w")) == NULL ) - { - fprintf(stderr, "Error: cannot open file: %s\n", fn); - err_exit(); - } - - return fp; - } - -void usage() - { - fprintf(stderr, "usage: bifcl [-p | -s] *.bif\n"); - exit(1); - } - -void init_alternative_mode() - { - fp_bro_init = open_output_file("bro"); - fp_func_h = open_output_file("h"); - fp_func_def = open_output_file("cc"); - fp_func_init = open_output_file("init.cc"); - fp_func_register = plugin ? open_output_file("register.cc") : NULL; - - fp_netvar_h = fp_func_h; - fp_netvar_def = fp_func_def; - fp_netvar_init = fp_func_init; - - int n = 1024 + strlen(input_filename); - char auto_gen_comment[n]; - - snprintf(auto_gen_comment, n, - "This file was automatically generated by bifcl from %s (%s mode).", - input_filename_with_path, plugin ? 
"plugin" : "alternative"); - - fprintf(fp_bro_init, "# %s\n\n", auto_gen_comment); - fprintf(fp_func_def, "// %s\n\n", auto_gen_comment); - fprintf(fp_func_h, "// %s\n\n", auto_gen_comment); - fprintf(fp_func_init, "// %s\n\n", auto_gen_comment); - - if ( fp_func_register ) - fprintf(fp_func_register, "// %s\n\n", auto_gen_comment); - - static char guard[1024]; - if ( getcwd(guard, sizeof(guard)) == NULL ) - { - fprintf(stderr, "Error: cannot get current working directory\n"); - err_exit(); - } - strncat(guard, "/", sizeof(guard) - strlen(guard) - 1); - strncat(guard, input_filename, sizeof(guard) - strlen(guard) - 1); - - for ( char* p = guard; *p; p++ ) - { - if ( ! isalnum(*p) ) - *p = '_'; - } - - fprintf(fp_func_h, "#if defined(BRO_IN_NETVAR) || ! defined(%s)\n", guard); - - fprintf(fp_func_h, "#ifndef BRO_IN_NETVAR\n"); - fprintf(fp_func_h, "#ifndef %s\n", guard); - fprintf(fp_func_h, "#define %s\n", guard); - fprintf(fp_func_h, "#include \"bro-bif.h\"\n"); - fprintf(fp_func_h, "#endif\n"); - fprintf(fp_func_h, "#endif\n"); - fprintf(fp_func_h, "\n"); - - fprintf(fp_func_def, "\n"); - fprintf(fp_func_def, "#include \"%s.h\"\n", input_filename); - fprintf(fp_func_def, "\n"); - - static char name[1024]; - strncpy(name, input_filename, sizeof(name)); - char* dot = strchr(name, '.'); - if ( dot ) - *dot = '\0'; - - if ( plugin ) - { - static char plugin_canon[1024]; - strncpy(plugin_canon, plugin, sizeof(plugin_canon)); - char* colon = strstr(plugin_canon, "::"); - - if ( colon ) { - *colon = '_'; - memmove(colon + 1, colon + 2, plugin_canon + strlen(plugin_canon) - colon); - } - - fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "#include \n"); - fprintf(fp_func_init, "#include \n"); - fprintf(fp_func_init, "#include \"plugin/Plugin.h\"\n"); - fprintf(fp_func_init, "#include \"%s.h\"\n", input_filename); - fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "namespace plugin { namespace %s {\n", plugin_canon); - fprintf(fp_func_init, "\n"); - 
fprintf(fp_func_init, "void __bif_%s_init(plugin::Plugin* plugin)\n", name); - fprintf(fp_func_init, "\t{\n"); - - fprintf(fp_func_register, "#include \"plugin/Manager.h\"\n"); - fprintf(fp_func_register, "\n"); - fprintf(fp_func_register, "namespace plugin { namespace %s {\n", plugin_canon); - fprintf(fp_func_register, "void __bif_%s_init(plugin::Plugin* plugin);\n", name); - fprintf(fp_func_register, "::plugin::__RegisterBif __register_bifs_%s_%s(\"%s\", __bif_%s_init);\n", plugin_canon, name, plugin, name); - fprintf(fp_func_register, "} }\n"); - } - } - -void finish_alternative_mode() - { - fprintf(fp_func_h, "\n"); - fprintf(fp_func_h, "#endif\n"); - - if ( plugin ) - { - fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "\t}\n"); - fprintf(fp_func_init, "} }\n"); - fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "\n"); - } - } - -int main(int argc, char* argv[]) - { - int opt; - - while ( (opt = getopt(argc, argv, "p:s")) != -1 ) - { - switch ( opt ) { - case 'p': - alternative_mode = 1; - plugin = optarg; - break; - - case 's': - alternative_mode = 1; - break; - - default: - usage(); - } - } - - for ( int i = optind; i < argc; i++ ) - { - FILE* fp_input; - char* slash; - - input_filename = input_filename_with_path = argv[i]; - slash = strrchr(input_filename, '/'); - - if ( (fp_input = fopen(input_filename, "r")) == NULL ) - { - fprintf(stderr, "Error: cannot open file: %s\n", input_filename); - /* no output files open. can simply exit */ - exit(1); - } - - if ( slash ) - input_filename = slash + 1; - - if ( ! 
alternative_mode ) - { - fp_bro_init = open_output_file("bro"); - fp_func_h = open_output_file("func_h"); - fp_func_def = open_output_file("func_def"); - fp_func_init = open_output_file("func_init"); - fp_netvar_h = open_output_file("netvar_h"); - fp_netvar_def = open_output_file("netvar_def"); - fp_netvar_init = open_output_file("netvar_init"); - - int n = 1024 + strlen(input_filename); - char auto_gen_comment[n]; - - snprintf(auto_gen_comment, n, - "This file was automatically generated by bifcl from %s.", - input_filename); - - fprintf(fp_bro_init, "# %s\n\n", auto_gen_comment); - fprintf(fp_func_def, "// %s\n\n", auto_gen_comment); - fprintf(fp_func_h, "// %s\n\n", auto_gen_comment); - fprintf(fp_func_init, "// %s\n\n", auto_gen_comment); - fprintf(fp_netvar_def, "// %s\n\n", auto_gen_comment); - fprintf(fp_netvar_h, "// %s\n\n", auto_gen_comment); - fprintf(fp_netvar_init, "// %s\n\n", auto_gen_comment); - } - - else - init_alternative_mode(); - - yy_switch_to_buffer(yy_create_buffer(fp_input, YY_BUF_SIZE)); - yyparse(); - - if ( alternative_mode ) - finish_alternative_mode(); - - fclose(fp_input); - close_all_output_files(); - - } - } - -void close_if_open(FILE **fpp) - { - if (*fpp) - fclose(*fpp); - *fpp = NULL; - } - -void close_all_output_files(void) - { - close_if_open(&fp_bro_init); - close_if_open(&fp_func_h); - close_if_open(&fp_func_def); - close_if_open(&fp_func_init); - close_if_open(&fp_func_register); - - if ( ! alternative_mode ) - { - close_if_open(&fp_netvar_h); - close_if_open(&fp_netvar_def); - close_if_open(&fp_netvar_init); - } - } - -void remove_file(const char *surfix) - { - char fn[1024]; - - snprintf(fn, sizeof(fn), "%s.%s", input_filename, surfix); - unlink(fn); - } - -void err_exit(void) - { - close_all_output_files(); - /* clean up. 
remove all output files we've generated so far */ - remove_file("bro"); - remove_file("func_h"); - remove_file("func_def"); - remove_file("func_init"); - remove_file("func_register"); - remove_file("netvar_h"); - remove_file("netvar_def"); - remove_file("netvar_init"); - exit(1); - } - diff --git a/src/builtin-func.y b/src/builtin-func.y deleted file mode 100644 index 0f895ced52..0000000000 --- a/src/builtin-func.y +++ /dev/null 
@@ -1,785 +0,0 @@ -%{ -#include -#include -#include -#include - -using namespace std; - -#include -#include - -#include "module_util.h" - -using namespace std; - -extern int line_number; -extern char* input_filename; -extern char* plugin; - -#define print_line_directive(fp) fprintf(fp, "\n#line %d \"%s\"\n", line_number, input_filename) - -extern FILE* fp_bro_init; -extern FILE* fp_func_def; -extern FILE* fp_func_h; -extern FILE* fp_func_init; -extern FILE* fp_netvar_h; -extern FILE* fp_netvar_def; -extern FILE* fp_netvar_init; - -int in_c_code = 0; -string current_module = GLOBAL_MODULE_NAME; -int definition_type; -string type_name; - - -enum { - C_SEGMENT_DEF, - FUNC_DEF, - EVENT_DEF, - TYPE_DEF, - CONST_DEF, -}; - -// Holds the name of a declared object (function, enum, record type, event, -// etc. and information about namespaces, etc. -struct decl_struct { - string module_name; - string bare_name; // name without module or namespace - string c_namespace_start; // "opening" namespace for use in netvar_* - string c_namespace_end; // closing "}" for all the above namespaces - string c_fullname; // fully qualified name (namespace::....) for use in netvar_init - string bro_fullname; // fully qualified bro name, for netvar (and lookup_ID()) - string bro_name; // the name as we read it from input. What we write into the .bro file - - // special cases for events. Events have an EventHandlerPtr - // and a generate_* function. 
This name is for the generate_* function - string generate_bare_name; - string generate_c_fullname; - string generate_c_namespace_start; - string generate_c_namespace_end; -} decl; - -void set_definition_type(int type, const char *arg_type_name) - { - definition_type = type; - if ( type == TYPE_DEF && arg_type_name ) - type_name = string(arg_type_name); - else - type_name = ""; - } - -void set_decl_name(const char *name) - { - decl.bare_name = extract_var_name(name); - - // make_full_var_name prepends the correct module, if any - // then we can extract the module name again. - string varname = make_full_var_name(current_module.c_str(), name); - decl.module_name = extract_module_name(varname.c_str()); - - decl.c_namespace_start = ""; - decl.c_namespace_end = ""; - decl.c_fullname = ""; - decl.bro_fullname = ""; - decl.bro_name = ""; - - decl.generate_c_fullname = ""; - decl.generate_bare_name = string("generate_") + decl.bare_name; - decl.generate_c_namespace_start = ""; - decl.generate_c_namespace_end = ""; - - switch ( definition_type ) { - case TYPE_DEF: - decl.c_namespace_start = "namespace BifType { namespace " + type_name + "{ "; - decl.c_namespace_end = " } }"; - decl.c_fullname = "BifType::" + type_name + "::"; - break; - - case CONST_DEF: - decl.c_namespace_start = "namespace BifConst { "; - decl.c_namespace_end = " } "; - decl.c_fullname = "BifConst::"; - break; - - case FUNC_DEF: - decl.c_namespace_start = "namespace BifFunc { "; - decl.c_namespace_end = " } "; - decl.c_fullname = "BifFunc::"; - break; - - case EVENT_DEF: - decl.c_namespace_start = ""; - decl.c_namespace_end = ""; - decl.c_fullname = "::"; // need this for namespace qualified events due do event_c_body - decl.generate_c_namespace_start = "namespace BifEvent { "; - decl.generate_c_namespace_end = " } "; - decl.generate_c_fullname = "BifEvent::"; - break; - - default: - break; - } - - if ( decl.module_name != GLOBAL_MODULE_NAME ) - { - decl.c_namespace_start += "namespace " + 
decl.module_name + " { "; - decl.c_namespace_end += string(" }"); - decl.c_fullname += decl.module_name + "::"; - decl.bro_fullname += decl.module_name + "::"; - - decl.generate_c_namespace_start += "namespace " + decl.module_name + " { "; - decl.generate_c_namespace_end += " } "; - decl.generate_c_fullname += decl.module_name + "::"; - } - - decl.bro_fullname += decl.bare_name; - if ( definition_type == FUNC_DEF ) - decl.bare_name = string("bro_") + decl.bare_name; - - decl.c_fullname += decl.bare_name; - decl.bro_name += name; - decl.generate_c_fullname += decl.generate_bare_name; - - } - -const char* arg_list_name = "BiF_ARGS"; - -#include "bif_arg.h" - -/* Map bif/bro type names to C types for use in const declaration */ -static struct { - const char* bif_type; - const char* bro_type; - const char* c_type; - const char* accessor; - const char* constructor; -} builtin_types[] = { -#define DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor) \ - {bif_type, bro_type, c_type, accessor, constructor}, -#include "bif_type.def" -#undef DEFINE_BIF_TYPE -}; - -int get_type_index(const char *type_name) - { - for ( int i = 0; builtin_types[i].bif_type[0] != '\0'; ++i ) - { - if ( strcmp(builtin_types[i].bif_type, type_name) == 0 ) - return i; - } - return TYPE_OTHER; - } - - -int var_arg; // whether the number of arguments is variable -std::vector args; - -extern int yyerror(const char[]); -extern int yywarn(const char msg[]); -extern int yylex(); - -char* concat(const char* str1, const char* str2) - { - int len1 = strlen(str1); - int len2 = strlen(str2); - - char* s = new char[len1 + len2 +1]; - - memcpy(s, str1, len1); - memcpy(s + len1, str2, len2); - - s[len1+len2] = '\0'; - - return s; - } - -// Print the bro_event_* function prototype in C++, without the ending ';' -void print_event_c_prototype(FILE *fp, bool is_header) - { - if ( is_header ) - fprintf(fp, "%s void %s(analyzer::Analyzer* analyzer%s", - decl.generate_c_namespace_start.c_str(), 
decl.generate_bare_name.c_str(), - args.size() ? ", " : "" ); - else - fprintf(fp, "void %s(analyzer::Analyzer* analyzer%s", - decl.generate_c_fullname.c_str(), - args.size() ? ", " : "" ); - for ( int i = 0; i < (int) args.size(); ++i ) - { - if ( i > 0 ) - fprintf(fp, ", "); - args[i]->PrintCArg(fp, i); - } - fprintf(fp, ")"); - if ( is_header ) - fprintf(fp, "; %s\n", decl.generate_c_namespace_end.c_str()); - else - fprintf(fp, "\n"); - } - -// Print the bro_event_* function body in C++. -void print_event_c_body(FILE *fp) - { - fprintf(fp, "\t{\n"); - fprintf(fp, "\t// Note that it is intentional that here we do not\n"); - fprintf(fp, "\t// check if %s is NULL, which should happen *before*\n", - decl.c_fullname.c_str()); - fprintf(fp, "\t// %s is called to avoid unnecessary Val\n", - decl.generate_c_fullname.c_str()); - fprintf(fp, "\t// allocation.\n"); - fprintf(fp, "\n"); - - fprintf(fp, "\tval_list* vl = new val_list;\n\n"); - BuiltinFuncArg *connection_arg = 0; - - for ( int i = 0; i < (int) args.size(); ++i ) - { - fprintf(fp, "\t"); - fprintf(fp, "vl->append("); - args[i]->PrintBroValConstructor(fp); - fprintf(fp, ");\n"); - - if ( args[i]->Type() == TYPE_CONNECTION ) - { - if ( connection_arg == 0 ) - connection_arg = args[i]; - else - { - // We are seeing two connection type arguments. - yywarn("Warning: with more than connection-type " - "event arguments, bifcl only passes " - "the first one to EventMgr as cookie."); - } - } - } - - fprintf(fp, "\n"); - fprintf(fp, "\tmgr.QueueEvent(%s, vl, SOURCE_LOCAL, analyzer->GetID(), timer_mgr", - decl.c_fullname.c_str()); - - if ( connection_arg ) - // Pass the connection to the EventMgr as the "cookie" - fprintf(fp, ", %s", connection_arg->Name()); - - fprintf(fp, ");\n"); - fprintf(fp, "\t} // event generation\n"); - //fprintf(fp, "%s // end namespace\n", decl.generate_c_namespace_end.c_str()); - } - -void record_bif_item(const char* id, const char* type) - { - if ( ! 
plugin ) - return; - - fprintf(fp_func_init, "\tplugin->AddBifItem(\"%s\", plugin::BifItem::%s);\n", id, type); - } - -%} - -%token TOK_LPP TOK_RPP TOK_LPB TOK_RPB TOK_LPPB TOK_RPPB TOK_VAR_ARG -%token TOK_BOOL -%token TOK_FUNCTION TOK_EVENT TOK_CONST TOK_ENUM TOK_OF -%token TOK_TYPE TOK_RECORD TOK_SET TOK_VECTOR TOK_OPAQUE TOK_TABLE TOK_MODULE -%token TOK_ARGS TOK_ARG TOK_ARGC -%token TOK_ID TOK_ATTR TOK_CSTR TOK_LF TOK_WS TOK_COMMENT -%token TOK_ATOM TOK_INT TOK_C_TOKEN - -%left ',' ':' - -%type TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR TOK_INT opt_ws type attr_list opt_attr_list opt_func_attrs -%type TOK_ATOM TOK_BOOL - -%union { - const char* str; - int val; -} - -%% - -builtin_lang: definitions - { - fprintf(fp_bro_init, "} # end of export section\n"); - fprintf(fp_bro_init, "module %s;\n", GLOBAL_MODULE_NAME); - } - - - -definitions: definitions definition opt_ws - { - if ( in_c_code ) - fprintf(fp_func_def, "%s", $3); - else - fprintf(fp_bro_init, "%s", $3); - } - | opt_ws - { - fprintf(fp_bro_init, "%s", $1); - fprintf(fp_bro_init, "export {\n"); - } - ; - -definition: event_def - | func_def - | c_code_segment - | enum_def - | const_def - | type_def - | module_def - ; - - -module_def: TOK_MODULE opt_ws TOK_ID opt_ws ';' - { - current_module = string($3); - fprintf(fp_bro_init, "module %s;\n", $3); - } - - // XXX: Add the netvar glue so that the event engine knows about - // the type. One still has to define the type in bro.init. - // Would be nice, if we could just define the record type here - // and then copy to the .bif.bro file, but type declarations in - // Bro can be quite powerful. Don't know whether it's worth it - // extend the bif-language to be able to handle that all.... 
- // Or we just support a simple form of record type definitions - // TODO: add other types (tables, sets) -type_def: TOK_TYPE opt_ws TOK_ID opt_ws ':' opt_ws type_def_types opt_ws ';' - { - set_decl_name($3); - - fprintf(fp_netvar_h, "%s extern %sType * %s; %s\n", - decl.c_namespace_start.c_str(), type_name.c_str(), - decl.bare_name.c_str(), decl.c_namespace_end.c_str()); - fprintf(fp_netvar_def, "%s %sType * %s; %s\n", - decl.c_namespace_start.c_str(), type_name.c_str(), - decl.bare_name.c_str(), decl.c_namespace_end.c_str()); - fprintf(fp_netvar_init, - "\t%s = internal_type(\"%s\")->As%sType();\n", - decl.c_fullname.c_str(), decl.bro_fullname.c_str(), - type_name.c_str()); - - record_bif_item(decl.bro_fullname.c_str(), "TYPE"); - } - ; - -type_def_types: TOK_RECORD - { set_definition_type(TYPE_DEF, "Record"); } - | TOK_SET - { set_definition_type(TYPE_DEF, "Set"); } - | TOK_VECTOR - { set_definition_type(TYPE_DEF, "Vector"); } - | TOK_TABLE - { set_definition_type(TYPE_DEF, "Table"); } - ; - -opt_func_attrs: attr_list opt_ws - { $$ = $1; } - | /* nothing */ - { $$ = ""; } - ; - -event_def: event_prefix opt_ws plain_head opt_func_attrs - { fprintf(fp_bro_init, "%s", $4); } end_of_head ';' - { - print_event_c_prototype(fp_func_h, true); - print_event_c_prototype(fp_func_def, false); - print_event_c_body(fp_func_def); - } - -func_def: func_prefix opt_ws typed_head opt_func_attrs - { fprintf(fp_bro_init, "%s", $4); } end_of_head body - ; - -enum_def: enum_def_1 enum_list TOK_RPB opt_attr_list - { - // First, put an end to the enum type decl. - fprintf(fp_bro_init, "} "); - fprintf(fp_bro_init, "%s", $4); - fprintf(fp_bro_init, ";\n"); - if ( decl.module_name != GLOBAL_MODULE_NAME ) - fprintf(fp_netvar_h, "}; } }\n"); - else - fprintf(fp_netvar_h, "}; }\n"); - - // Now generate the netvar's. 
- fprintf(fp_netvar_h, "%s extern EnumType * %s; %s\n", - decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str()); - fprintf(fp_netvar_def, "%s EnumType * %s; %s\n", - decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str()); - fprintf(fp_netvar_init, - "\t%s = internal_type(\"%s\")->AsEnumType();\n", - decl.c_fullname.c_str(), decl.bro_fullname.c_str()); - - record_bif_item(decl.bro_fullname.c_str(), "TYPE"); - } - ; - -enum_def_1: TOK_ENUM opt_ws TOK_ID opt_ws TOK_LPB opt_ws - { - set_definition_type(TYPE_DEF, "Enum"); - set_decl_name($3); - fprintf(fp_bro_init, "type %s: enum %s{%s", decl.bro_name.c_str(), $4, $6); - - // this is the namespace were the enumerators are defined, not where - // the type is defined. - // We don't support fully qualified names as enumerators. Use a module name - fprintf(fp_netvar_h, "namespace BifEnum { "); - if ( decl.module_name != GLOBAL_MODULE_NAME ) - fprintf(fp_netvar_h, "namespace %s { ", decl.module_name.c_str()); - fprintf(fp_netvar_h, "enum %s {\n", $3); - } - ; - -enum_list: enum_list TOK_ID opt_ws ',' opt_ws - { - fprintf(fp_bro_init, "%s%s,%s", $2, $3, $5); - fprintf(fp_netvar_h, "\t%s,\n", $2); - } - | enum_list TOK_ID opt_ws '=' opt_ws TOK_INT opt_ws ',' opt_ws - { - fprintf(fp_bro_init, "%s = %s%s,%s", $2, $6, $7, $9); - fprintf(fp_netvar_h, "\t%s = %s,\n", $2, $6); - } - | /* nothing */ - ; - - -const_def: TOK_CONST opt_ws TOK_ID opt_ws ':' opt_ws TOK_ID opt_ws ';' - { - set_definition_type(CONST_DEF, 0); - set_decl_name($3); - int typeidx = get_type_index($7); - char accessor[1024]; - - snprintf(accessor, sizeof(accessor), builtin_types[typeidx].accessor, ""); - - - fprintf(fp_netvar_h, "%s extern %s %s; %s\n", - decl.c_namespace_start.c_str(), - builtin_types[typeidx].c_type, decl.bare_name.c_str(), - decl.c_namespace_end.c_str()); - fprintf(fp_netvar_def, "%s %s %s; %s\n", - decl.c_namespace_start.c_str(), - builtin_types[typeidx].c_type, 
decl.bare_name.c_str(), - decl.c_namespace_end.c_str()); - fprintf(fp_netvar_init, "\t%s = internal_const_val(\"%s\")%s;\n", - decl.c_fullname.c_str(), decl.bro_fullname.c_str(), - accessor); - - record_bif_item(decl.bro_fullname.c_str(), "CONSTANT"); - } - -attr_list: - attr_list TOK_ATTR - { $$ = concat($1, $2); } - | - TOK_ATTR - ; - -opt_attr_list: - attr_list - | /* nothing */ - { $$ = ""; } - ; - -func_prefix: TOK_FUNCTION - { set_definition_type(FUNC_DEF, 0); } - ; - -event_prefix: TOK_EVENT - { set_definition_type(EVENT_DEF, 0); } - ; - -end_of_head: /* nothing */ - { - fprintf(fp_bro_init, ";\n"); - } - ; - -typed_head: plain_head return_type - { - } - ; - -plain_head: head_1 args arg_end opt_ws - { - if ( var_arg ) - fprintf(fp_bro_init, "va_args: any"); - else - { - for ( int i = 0; i < (int) args.size(); ++i ) - { - if ( i > 0 ) - fprintf(fp_bro_init, ", "); - args[i]->PrintBro(fp_bro_init); - } - } - - fprintf(fp_bro_init, ")"); - - fprintf(fp_bro_init, "%s", $4); - fprintf(fp_func_def, "%s", $4); - } - ; - -head_1: TOK_ID opt_ws arg_begin - { - const char* method_type = 0; - set_decl_name($1); - - if ( definition_type == FUNC_DEF ) - { - method_type = "function"; - print_line_directive(fp_func_def); - } - else if ( definition_type == EVENT_DEF ) - method_type = "event"; - - if ( method_type ) - fprintf(fp_bro_init, - "global %s: %s%s(", - decl.bro_name.c_str(), method_type, $2); - - if ( definition_type == FUNC_DEF ) - { - fprintf(fp_func_init, - "\t(void) new BuiltinFunc(%s, \"%s\", 0);\n", - decl.c_fullname.c_str(), decl.bro_fullname.c_str()); - - fprintf(fp_func_h, - "%sextern Val* %s(Frame* frame, val_list*);%s\n", - decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str()); - - fprintf(fp_func_def, - "Val* %s(Frame* frame, val_list* %s)", - decl.c_fullname.c_str(), arg_list_name); - - record_bif_item(decl.bro_fullname.c_str(), "FUNCTION"); - } - else if ( definition_type == EVENT_DEF ) - { - // TODO: add namespace for 
events here - fprintf(fp_netvar_h, - "%sextern EventHandlerPtr %s; %s\n", - decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str()); - - fprintf(fp_netvar_def, - "%sEventHandlerPtr %s; %s\n", - decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str()); - - fprintf(fp_netvar_init, - "\t%s = internal_handler(\"%s\");\n", - decl.c_fullname.c_str(), decl.bro_fullname.c_str()); - - record_bif_item(decl.bro_fullname.c_str(), "EVENT"); - - // C++ prototypes of bro_event_* functions will - // be generated later. - } - } - ; - -arg_begin: TOK_LPP - { args.clear(); var_arg = 0; } - ; - -arg_end: TOK_RPP - ; - -args: args_1 - | opt_ws - { /* empty, to avoid yacc complaint about type clash */ } - ; - -args_1: args_1 ',' opt_ws arg opt_ws opt_attr_list - { if ( ! args.empty() ) args[args.size()-1]->SetAttrStr($6); } - | opt_ws arg opt_ws opt_attr_list - { if ( ! args.empty() ) args[args.size()-1]->SetAttrStr($4); } - ; - -// TODO: Migrate all other compound types to this rule. Once the BiF language -// can parse all regular Bro types, we can throw out the unnecessary -// boilerplate typedefs for addr_set, string_set, etc. 
-type: - TOK_OPAQUE opt_ws TOK_OF opt_ws TOK_ID - { $$ = concat("opaque of ", $5); } - | TOK_ID - { $$ = $1; } - ; - -arg: TOK_ID opt_ws ':' opt_ws type - { args.push_back(new BuiltinFuncArg($1, $5)); } - | TOK_VAR_ARG - { - if ( definition_type == EVENT_DEF ) - yyerror("events cannot have variable arguments"); - var_arg = 1; - } - ; - -return_type: ':' opt_ws type opt_ws - { - BuiltinFuncArg* ret = new BuiltinFuncArg("", $3); - ret->PrintBro(fp_bro_init); - delete ret; - fprintf(fp_func_def, "%s", $4); - } - ; - -body: body_start c_body body_end - { - fprintf(fp_func_def, " // end of %s\n", decl.c_fullname.c_str()); - print_line_directive(fp_func_def); - } - ; - -c_code_begin: /* empty */ - { - in_c_code = 1; - print_line_directive(fp_func_def); - } - ; - -c_code_end: /* empty */ - { in_c_code = 0; } - ; - -body_start: TOK_LPB c_code_begin - { - int implicit_arg = 0; - int argc = args.size(); - - fprintf(fp_func_def, "{"); - - if ( argc > 0 || ! var_arg ) - fprintf(fp_func_def, "\n"); - - if ( ! 
var_arg ) - { - fprintf(fp_func_def, "\tif ( %s->length() != %d )\n", arg_list_name, argc); - fprintf(fp_func_def, "\t\t{\n"); - fprintf(fp_func_def, - "\t\treporter->Error(\"%s() takes exactly %d argument(s)\");\n", - decl.bro_fullname.c_str(), argc); - fprintf(fp_func_def, "\t\treturn 0;\n"); - fprintf(fp_func_def, "\t\t}\n"); - } - else if ( argc > 0 ) - { - fprintf(fp_func_def, "\tif ( %s->length() < %d )\n", arg_list_name, argc); - fprintf(fp_func_def, "\t\t{\n"); - fprintf(fp_func_def, - "\t\treporter->Error(\"%s() takes at least %d argument(s)\");\n", - decl.bro_fullname.c_str(), argc); - fprintf(fp_func_def, "\t\treturn 0;\n"); - fprintf(fp_func_def, "\t\t}\n"); - } - - for ( int i = 0; i < (int) args.size(); ++i ) - args[i]->PrintCDef(fp_func_def, i + implicit_arg); - print_line_directive(fp_func_def); - } - ; - -body_end: TOK_RPB c_code_end - { - fprintf(fp_func_def, "}"); - } - ; - -c_code_segment: TOK_LPPB c_code_begin c_body c_code_end TOK_RPPB - ; - -c_body: opt_ws - { fprintf(fp_func_def, "%s", $1); } - | c_body c_atom opt_ws - { fprintf(fp_func_def, "%s", $3); } - ; - -c_atom: TOK_ID - { fprintf(fp_func_def, "%s", $1); } - | TOK_C_TOKEN - { fprintf(fp_func_def, "%s", $1); } - | TOK_ARG - { fprintf(fp_func_def, "(*%s)", arg_list_name); } - | TOK_ARGS - { fprintf(fp_func_def, "%s", arg_list_name); } - | TOK_ARGC - { fprintf(fp_func_def, "%s->length()", arg_list_name); } - | TOK_CSTR - { fprintf(fp_func_def, "%s", $1); } - | TOK_ATOM - { fprintf(fp_func_def, "%c", $1); } - | TOK_INT - { fprintf(fp_func_def, "%s", $1); } - - ; - -opt_ws: opt_ws TOK_WS - { $$ = concat($1, $2); } - | opt_ws TOK_LF - { $$ = concat($1, "\n"); } - | opt_ws TOK_COMMENT - { - if ( in_c_code ) - $$ = concat($1, $2); - else - if ( $2[1] == '#' ) - // This is a special type of comment that is used to - // generate bro script documentation, so pass it through. 
- $$ = concat($1, $2); - else - $$ = $1; - } - | /* empty */ - { $$ = ""; } - ; - -%% - -extern char* yytext; -extern char* input_filename; -extern int line_number; -void err_exit(void); - -void print_msg(const char msg[]) - { - int msg_len = strlen(msg) + strlen(yytext) + 64; - char* msgbuf = new char[msg_len]; - - if ( yytext[0] == '\n' ) - snprintf(msgbuf, msg_len, "%s, on previous line", msg); - - else if ( yytext[0] == '\0' ) - snprintf(msgbuf, msg_len, "%s, at end of file", msg); - - else - snprintf(msgbuf, msg_len, "%s, at or near \"%s\"", msg, yytext); - - /* - extern int column; - sprintf(msgbuf, "%*s\n%*s\n", column, "^", column, msg); - */ - - if ( input_filename ) - fprintf(stderr, "%s:%d: ", input_filename, line_number); - else - fprintf(stderr, "line %d: ", line_number); - fprintf(stderr, "%s\n", msgbuf); - - delete [] msgbuf; - } - -int yywarn(const char msg[]) - { - print_msg(msg); - return 0; - } - -int yyerror(const char msg[]) - { - print_msg(msg); - - err_exit(); - return 0; - } From 7fdb184ca6efc30ddcea985fb7e81f7ea8d246a1 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 13 Jul 2018 10:12:28 -0500 Subject: [PATCH 558/631] Install binpac --- aux/binpac | 2 +- configure | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/aux/binpac b/aux/binpac index 951aeae8e4..1550429b09 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 951aeae8e4a08c598203cf61387f015ec4e0849d +Subproject commit 1550429b09812b96c4ce8fd1ba65b8299b189959 diff --git a/configure b/configure index fdbca263c6..830a70b60f 100755 --- a/configure +++ b/configure 
@@ -134,7 +134,6 @@ append_cache_entry ENABLE_DEBUG BOOL false append_cache_entry ENABLE_PERFTOOLS BOOL false append_cache_entry ENABLE_PERFTOOLS_DEBUG BOOL false append_cache_entry ENABLE_JEMALLOC BOOL false -append_cache_entry BinPAC_SKIP_INSTALL BOOL true append_cache_entry BUILD_SHARED_LIBS BOOL true append_cache_entry INSTALL_BROCCOLI BOOL false append_cache_entry INSTALL_AUX_TOOLS BOOL true From 2ffaa1cdb17515266b2d69add9bbb4f202be06fd Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 13 Jul 2018 17:23:08 -0500 Subject: [PATCH 559/631] Support building plugins from Bro installation root As opposed to plugins depending on a Bro source/build tree. This required installing various Bro headers, BinPAC and it's headers, bifcl, and Bro's custom CMake modules. --- CMakeLists.txt | 5 ++++- aux/bro-aux | 2 +- bro-config.in | 10 +++++++++- cmake | 2 +- src/CMakeLists.txt | 20 ++++++++++++++++++++ 5 files changed, 35 insertions(+), 4 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 370bf78c92..dd47aaaf9b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -235,12 +235,15 @@ endif () configure_file(${CMAKE_CURRENT_SOURCE_DIR}/bro-config.h.in ${CMAKE_CURRENT_BINARY_DIR}/bro-config.h) +include_directories(${CMAKE_CURRENT_BINARY_DIR}) +install(FILES ${CMAKE_CURRENT_BINARY_DIR}/bro-config.h DESTINATION include/bro) configure_file(${CMAKE_CURRENT_SOURCE_DIR}/bro-config.in ${CMAKE_CURRENT_BINARY_DIR}/bro-config @ONLY) install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/bro-config DESTINATION bin) -include_directories(${CMAKE_CURRENT_BINARY_DIR}) +install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/cmake DESTINATION share/bro + USE_SOURCE_PERMISSIONS) ######################################################################## ## Recurse on sub-directories diff --git a/aux/bro-aux b/aux/bro-aux index eeb677ff69..2fb15af398 160000 --- a/aux/bro-aux +++ b/aux/bro-aux 
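Review bot: `USE_SOURCE_PERMISSIONS` on the added `install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/cmake DESTINATION share/bro ...)` copies whatever mode bits the checkout has into the install prefix, so a tree unpacked under a permissive umask would produce group- or world-writable CMake modules. Per the commit description, those modules are what plugin builds run from the installation root, which makes their permissions part of the build's trust boundary. If nothing in that directory depends on its source modes (not visible from this hunk), consider dropping the keyword or pinning the modes with `FILE_PERMISSIONS` and `DIRECTORY_PERMISSIONS`.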
@@ -1 +1 @@ -Subproject commit eeb677ff696f8ea3eaa43a765fe40da07ed5281d +Subproject commit 2fb15af398f899ea5f8999f332a832a31e3def73 diff --git a/bro-config.in b/bro-config.in index 0c426fd17b..bd02d80bb2 100755 --- a/bro-config.in +++ b/bro-config.in @@ -7,11 +7,13 @@ site_dir=@BRO_SCRIPT_INSTALL_PATH@/site plugin_dir=@BRO_PLUGIN_INSTALL_PATH@ config_dir=@BRO_ETC_INSTALL_DIR@ python_dir=@PY_MOD_INSTALL_DIR@ +cmake_dir=@CMAKE_INSTALL_PREFIX@/share/bro/cmake +include_dir=@CMAKE_INSTALL_PREFIX@/include/bro bropath=@DEFAULT_BROPATH@ bro_dist=@BRO_DIST@ usage="\ -Usage: bro-config [--version] [--prefix] [--script_dir] [--site_dir] [--plugin_dir] [--config_dir] [--python_dir] [--bropath] [--bro_dist]" +Usage: bro-config [--version] [--prefix] [--script_dir] [--site_dir] [--plugin_dir] [--config_dir] [--python_dir] [--include_dir] [--cmake_dir] [--bropath] [--bro_dist]" if [ $# -eq 0 ] ; then echo "${usage}" 1>&2 @@ -46,6 +48,12 @@ while [ $# -ne 0 ]; do --python_dir) echo $python_dir ;; + --cmake_dir) + echo $cmake_dir + ;; + --include_dir) + echo $include_dir + ;; --bropath) echo $bropath ;; diff --git a/cmake b/cmake index a416553abc..aebe1173f7 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit a416553abcb7aa650e934cd3800bcab0cbcf3e63 +Subproject commit aebe1173f74c505e04dd7959bb087a59a0e85fac diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index ff0cfc019e..363860a65e 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
@@ -400,3 +400,23 @@ install(CODE " ${BRO_SCRIPT_INSTALL_PATH}/policy/tuning/logs-to-elasticsearch.bro ) ") + +install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/ + DESTINATION include/bro + FILES_MATCHING + PATTERN "*.h" + PATTERN "*.pac" + PATTERN "3rdparty/*" EXCLUDE +) + +install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/ + DESTINATION include/bro + FILES_MATCHING + PATTERN "*.bif.func_h" + PATTERN "*.bif.netvar_h" + PATTERN "*.bif.h" +) + +install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/sqlite3.h + DESTINATION include/bro/3rdparty +) From 36400e2d6782c1bd997507b7ecf4b134fba6f74e Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 16 Jul 2018 10:12:36 -0500 Subject: [PATCH 560/631] Updating submodule(s). [nomail] --- aux/bro-aux | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/bro-aux b/aux/bro-aux index eeb677ff69..ed9764186e 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit eeb677ff696f8ea3eaa43a765fe40da07ed5281d +Subproject commit ed9764186effc50172c2f6f77070ad35ff0e9002 From c09fe427a8783830b2a208d33b909d875054930d Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 16 Jul 2018 16:06:02 -0500 Subject: [PATCH 561/631] Improve Specific_RE_Matcher::CompileSet() error condition cleanup --- CHANGES | 5 +++++ VERSION | 2 +- src/RE.cc | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index f8ed4a5982..e6463829e5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,9 @@ +2.5-741 | 2018-07-16 16:06:02 -0500 + + * Improve Specific_RE_Matcher::CompileSet() error condition cleanup + (Jon Siwek, Corelight) + 2.5-740 | 2018-07-16 16:01:31 -0500 * Add support for case-insensitive patterns (Vern Paxson, Corelight) diff --git a/VERSION b/VERSION index d2ae53737a..86f56afeeb 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-740 +2.5-741 diff --git a/src/RE.cc b/src/RE.cc index 907670acd3..517fab4c91 100644 --- a/src/RE.cc +++ b/src/RE.cc 
@@ -166,7 +166,7 @@ int Specific_RE_Matcher::CompileSet(const string_list& set, const int_list& idx) { reporter->Error("error compiling pattern /%s/", set[i]); - if ( set_nfa != nfa ) + if ( set_nfa && set_nfa != nfa ) Unref(set_nfa); else Unref(nfa); From 4c072409f04122bf96916a7aca2851f8fd5fbf6e Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 16 Jul 2018 16:14:18 -0500 Subject: [PATCH 562/631] Updating submodule(s). [nomail] --- aux/bro-aux | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/bro-aux b/aux/bro-aux index ed9764186e..d2476564e6 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit ed9764186effc50172c2f6f77070ad35ff0e9002 +Subproject commit d2476564e6934de8fcffc47bff1ae9733c3dde0c From f4728bd60365781f6351e417f19b8ebf29ec5ae2 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Tue, 17 Jul 2018 10:25:45 -0700 Subject: [PATCH 563/631] only generate history threshold events for > 1 instance mention those events in NEWS --- NEWS | 9 +++++++++ src/Conn.cc | 5 +++++ 2 files changed, 14 insertions(+) diff --git a/NEWS b/NEWS index 31f144cddd..239b53af91 100644 --- a/NEWS +++ b/NEWS @@ -265,6 +265,15 @@ New Functionality Thus a connection with 2 C's in its history means that the originator sent >= 10 packets with checksum errors; 3 C's means >= 100, etc. +- The above behaviors occurring multiple times (i.e., starting at + 10 instances, than again for 100 instances, etc.) generate corresponding + events: tcp_multiple_checksum_errors, udp_multiple_checksum_errors, + tcp_multiple_zero_windows, and tcp_multiple_retransmissions. Each + has the same form, e.g. + + event tcp_multiple_retransmissions(c: connection, is_orig: bool, + threshold: count); + Changed Functionality --------------------- diff --git a/src/Conn.cc b/src/Conn.cc index 7f9dd862b9..c90ddd61c2 100644 --- a/src/Conn.cc +++ b/src/Conn.cc 
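Review bot: The `else` branch after `reporter->Error(...)` in `CompileSet()` is now reached in two different states, `set_nfa` null and `set_nfa == nfa`, and nothing in the code says which reference each branch releases. A short comment above the condition would make the ownership explicit, for example `// set_nfa is null until the first pattern compiles; then only nfa can hold a reference`, assuming that is the intended invariant. It is also worth confirming that `nfa` is cleared after `Unref(nfa)`, so that a later destructor or recompile cannot release it a second time. The function body continues outside the hunk, so neither point can be verified from here.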
@@ -320,6 +320,11 @@ void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig, if ( ! e ) return; + if ( threshold == 1 ) + // This will be far and away the most common case, + // and at this stage it's not a *multiple* instance. + return; + val_list* vl = new val_list; vl->append(BuildConnVal()); vl->append(new Val(is_orig, TYPE_BOOL)); From 9caad8a04277b0993651415f1aa6d17b6caabba1 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 17 Jul 2018 14:20:19 -0500 Subject: [PATCH 564/631] Port broker::data variant usages to use CAF API directly Old code still all worked, but made use of Broker functions which now just redirect to CAF ones. --- CHANGES | 5 ++ VERSION | 2 +- aux/broker | 2 +- src/broker/Data.cc | 56 ++++++------- src/broker/Data.h | 4 +- src/broker/Manager.cc | 152 ++++++++++++++++++----------------- src/broker/data.bif | 4 +- src/logging/WriterBackend.cc | 18 ++--- 8 files changed, 125 insertions(+), 118 deletions(-) diff --git a/CHANGES b/CHANGES index e6463829e5..a4972bb8ea 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,9 @@ +2.5-743 | 2018-07-17 14:20:19 -0500 + + * Port broker::data variant usages to use CAF API directly + (Jon Siwek, Corelight) + 2.5-741 | 2018-07-16 16:06:02 -0500 * Improve Specific_RE_Matcher::CompileSet() error condition cleanup diff --git a/VERSION b/VERSION index 86f56afeeb..fd335625ba 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-741 +2.5-743 diff --git a/aux/broker b/aux/broker index 1d90b931cc..467024ab09 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 1d90b931cc888e31b0d4774dbae54f5758841ab3 +Subproject commit 467024ab09e3443798126e69054fb8862c69562f diff --git a/src/broker/Data.cc b/src/broker/Data.cc index 99c6e3ebef..b836b66002 100644 --- a/src/broker/Data.cc +++ b/src/broker/Data.cc 
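Review bot: The comment in the added `if ( threshold == 1 )` block sits between the condition and its brace-less `return;`, which makes the guarded statement easy to overlook or detach in a later edit. Moving the comment above the test keeps the two together: `// Most common case, and not yet a *multiple* instance.` followed by `if ( threshold == 1 )` and `return;`. The literal `1` also encodes an assumption about the first threshold value that callers pass, so the comment could say where that value comes from. The callers, the full signature of `HistoryThresholdEvent` and the rest of its body lie outside the hunk.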
@@ -215,7 +215,7 @@ struct val_converter { { auto expected_index_types = tt->Indices()->Types(); broker::vector composite_key; - auto indices = broker::get_if(item); + auto indices = caf::get_if(&item); if ( indices ) { @@ -283,7 +283,7 @@ struct val_converter { { auto expected_index_types = tt->Indices()->Types(); broker::vector composite_key; - auto indices = broker::get_if(item.first); + auto indices = caf::get_if(&item.first); if ( indices ) { @@ -384,7 +384,7 @@ struct val_converter { return nullptr; } - if ( broker::get_if(a[idx]) != nullptr ) + if ( caf::get_if(&a[idx]) != nullptr ) { rval->Assign(i, nullptr); ++idx; @@ -411,8 +411,8 @@ struct val_converter { if ( a.size() != 2 ) return nullptr; - auto exact_text = broker::get_if(a[0]); - auto anywhere_text = broker::get_if(a[1]); + auto exact_text = caf::get_if(&a[0]); + auto anywhere_text = caf::get_if(&a[1]); if ( ! exact_text || ! anywhere_text ) return nullptr; @@ -582,7 +582,7 @@ struct type_checker { for ( const auto& item : a ) { auto expected_index_types = tt->Indices()->Types(); - auto indices = broker::get_if(item); + auto indices = caf::get_if(&item); vector indices_to_check; if ( indices ) @@ -624,7 +624,7 @@ struct type_checker { auto expect = (*expected_index_types)[i]; auto& index_to_check = *(indices_to_check)[i]; - if ( ! broker::visit(type_checker{expect}, index_to_check) ) + if ( ! caf::visit(type_checker{expect}, index_to_check) ) return false; } } @@ -642,7 +642,7 @@ struct type_checker { for ( auto& item : a ) { auto expected_index_types = tt->Indices()->Types(); - auto indices = broker::get_if(item.first); + auto indices = caf::get_if(&item.first); vector indices_to_check; if ( indices ) 
@@ -689,11 +689,11 @@ struct type_checker { auto expect = (*expected_index_types)[i]; auto& index_to_check = *(indices_to_check)[i]; - if ( ! broker::visit(type_checker{expect}, index_to_check) ) + if ( ! caf::visit(type_checker{expect}, index_to_check) ) return false; } - if ( ! broker::visit(type_checker{tt->YieldType()}, + if ( ! caf::visit(type_checker{tt->YieldType()}, item.second) ) return false; } @@ -709,7 +709,7 @@ struct type_checker { for ( auto& item : a ) { - if ( ! broker::visit(type_checker{vt->YieldType()}, item) ) + if ( ! caf::visit(type_checker{vt->YieldType()}, item) ) return false; } @@ -725,13 +725,13 @@ struct type_checker { if ( idx >= a.size() ) return false; - if ( broker::get_if(a[idx]) != nullptr ) + if ( caf::get_if(&a[idx]) != nullptr ) { ++idx; continue; } - if ( ! broker::visit(type_checker{rt->FieldType(i)}, + if ( ! caf::visit(type_checker{rt->FieldType(i)}, a[idx]) ) return false; @@ -745,8 +745,8 @@ struct type_checker { if ( a.size() != 2 ) return false; - auto exact_text = broker::get_if(a[0]); - auto anywhere_text = broker::get_if(a[1]); + auto exact_text = caf::get_if(&a[0]); + auto anywhere_text = caf::get_if(&a[1]); if ( ! exact_text || ! anywhere_text ) return false; @@ -775,7 +775,7 @@ Val* bro_broker::data_to_val(broker::data d, BroType* type) if ( type->Tag() == TYPE_ANY ) return bro_broker::make_data_val(move(d)); - return broker::visit(val_converter{type}, std::move(d)); + return caf::visit(val_converter{type}, std::move(d)); } broker::expected bro_broker::val_to_data(Val* v) @@ -900,7 +900,7 @@ broker::expected bro_broker::val_to_data(Val* v) key = move(composite_key); if ( is_set ) - broker::get(rval).emplace(move(key)); + caf::get(rval).emplace(move(key)); else { auto val = val_to_data(entry->Value()); 
@@ -908,7 +908,7 @@ broker::expected bro_broker::val_to_data(Val* v) if ( ! val ) return broker::ec::invalid_data; - broker::get(rval).emplace(move(key), move(*val)); + caf::get(rval).emplace(move(key), move(*val)); } } @@ -1115,7 +1115,7 @@ struct data_type_getter { EnumVal* bro_broker::get_data_type(RecordVal* v, Frame* frame) { - return broker::visit(data_type_getter{}, opaque_field_to_data(v, frame)); + return caf::visit(data_type_getter{}, opaque_field_to_data(v, frame)); } broker::data& bro_broker::opaque_field_to_data(RecordVal* v, Frame* f) @@ -1131,7 +1131,7 @@ broker::data& bro_broker::opaque_field_to_data(RecordVal* v, Frame* f) bool bro_broker::DataVal::canCastTo(BroType* t) const { - return broker::visit(type_checker{t}, data); + return caf::visit(type_checker{t}, data); } Val* bro_broker::DataVal::castTo(BroType* t) @@ -1192,24 +1192,24 @@ broker::data bro_broker::threading_field_to_data(const threading::Field* f) threading::Field* bro_broker::data_to_threading_field(broker::data d) { - if ( ! broker::is(d) ) + if ( ! caf::holds_alternative(d) ) return nullptr; - auto& v = broker::get(d); - auto name = broker::get_if(v[0]); + auto& v = caf::get(d); + auto name = caf::get_if(&v[0]); auto secondary = v[1]; - auto type = broker::get_if(v[2]); - auto subtype = broker::get_if(v[3]); - auto optional = broker::get_if(v[4]); + auto type = caf::get_if(&v[2]); + auto subtype = caf::get_if(&v[3]); + auto optional = caf::get_if(&v[4]); if ( ! (name && type && subtype && optional) ) return nullptr; - if ( secondary != broker::nil && ! broker::is(secondary) ) + if ( secondary != broker::nil && ! caf::holds_alternative(secondary) ) return nullptr; return new threading::Field(name->c_str(), - secondary != broker::nil ? broker::get(secondary).c_str() : nullptr, + secondary != broker::nil ? caf::get(secondary).c_str() : nullptr, static_cast(*type), static_cast(*subtype), *optional); diff --git a/src/broker/Data.h b/src/broker/Data.h index 525faba5f6..e2a5968a82 100644 
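Review bot: In `data_to_threading_field` the vector `v` is indexed at `v[0]` through `v[4]` with no check of `v.size()`, so a vector with fewer than five elements is read out of bounds. `ProcessLogCreate` in src/broker/Manager.cc calls this function with field data from a remote log-create message, which makes the length peer-controlled. A guard right after `v` is bound, `if ( v.size() < 5 ) return nullptr;`, would reject such input before any element is touched. The same unchecked `v[0]`..`v[4]` pattern is in `WriterBackend::WriterInfo::FromBroker` in src/logging/WriterBackend.cc and needs the same guard (returning `false` there). The function's closing lines are outside the hunk.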
--- a/src/broker/Data.h +++ b/src/broker/Data.h @@ -210,11 +210,11 @@ broker::data& opaque_field_to_data(RecordVal* v, Frame* f); template T& require_data_type(broker::data& d, TypeTag tag, Frame* f) { - auto ptr = broker::get_if(d); + auto ptr = caf::get_if(&d); if ( ! ptr ) reporter->RuntimeError(f->GetCall()->GetLocationInfo(), "data is of type '%s' not of type '%s'", - broker::visit(type_name_getter{tag}, d), + caf::visit(type_name_getter{tag}, d), type_name(tag)); return *ptr; diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 5def875ce7..a78ba2bea8 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -942,13 +942,13 @@ void Manager::Process() { had_input = true; - if ( auto stat = broker::get_if(status_msg) ) + if ( auto stat = caf::get_if(&status_msg) ) { ProcessStatus(std::move(*stat)); continue; } - if ( auto err = broker::get_if(status_msg) ) + if ( auto err = caf::get_if(&status_msg) ) { ProcessError(std::move(*err)); continue; @@ -1048,7 +1048,7 @@ void Manager::ProcessRelayEvent(broker::bro::RelayEvent ev) ++statistics.num_events_incoming; for ( auto& t : ev.topics() ) - PublishEvent(std::move(broker::get(t)), + PublishEvent(std::move(caf::get(t)), std::move(ev.name()), std::move(ev.args())); } @@ -1060,7 +1060,7 @@ void Manager::ProcessHandleAndRelayEvent(broker::bro::HandleAndRelayEvent ev) ProcessEvent(ev.name(), ev.args()); for ( auto& t : ev.topics() ) - PublishEvent(std::move(broker::get(t)), + PublishEvent(std::move(caf::get(t)), std::move(ev.name()), std::move(ev.args())); } 
@@ -1095,40 +1095,38 @@ bool bro_broker::Manager::ProcessLogCreate(broker::bro::LogCreate lc) } // Get log fields. + auto fields_data = caf::get_if(&lc.fields_data()); - try - { - auto fields_data = std::move(broker::get(lc.fields_data())); - auto num_fields = fields_data.size(); - auto fields = new threading::Field* [num_fields]; - - for ( auto i = 0u; i < num_fields; ++i ) - { - if ( auto field = data_to_threading_field(std::move(fields_data[i])) ) - fields[i] = field; - else - { - reporter->Warning("failed to convert remote log field # %d", i); - return false; - } - } - - if ( ! log_mgr->CreateWriterForRemoteLog(stream_id->AsEnumVal(), writer_id->AsEnumVal(), writer_info.get(), num_fields, fields) ) - { - ODesc d; - stream_id->Describe(&d); - reporter->Warning("failed to create remote log stream for %s locally", d.Description()); - } - - writer_info.release(); // log_mgr took ownership. - return true; - } - - catch (const broker::bad_variant_access& e) + if ( ! fields_data ) { reporter->Warning("failed to unpack remote log fields"); return false; } + + auto num_fields = fields_data->size(); + auto fields = new threading::Field* [num_fields]; + + for ( auto i = 0u; i < num_fields; ++i ) + { + if ( auto field = data_to_threading_field(std::move((*fields_data)[i])) ) + fields[i] = field; + else + { + reporter->Warning("failed to convert remote log field # %d", i); + delete [] fields; + return false; + } + } + + if ( ! log_mgr->CreateWriterForRemoteLog(stream_id->AsEnumVal(), writer_id->AsEnumVal(), writer_info.get(), num_fields, fields) ) + { + ODesc d; + stream_id->Describe(&d); + reporter->Warning("failed to create remote log stream for %s locally", d.Description()); + } + + writer_info.release(); // log_mgr took ownership. + return true; } bool bro_broker::Manager::ProcessLogWrite(broker::bro::LogWrite lw) 
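Review bot: The failure path added inside the conversion loop frees only the pointer array: `delete [] fields;` releases `fields` but not the `threading::Field` objects already stored in `fields[0]`..`fields[i-1]`. Each remote log-create message that fails partway through therefore leaks them, and a peer can repeat that. Adding `for ( auto j = 0u; j < i; ++j ) delete fields[j];` before `delete [] fields;` closes the leak. Separately, `writer_info.release()` still runs when `CreateWriterForRemoteLog` returns false; whether log_mgr has taken ownership in that case is not visible here and is worth confirming. The function begins outside the hunk.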
@@ -1159,52 +1157,56 @@ bool bro_broker::Manager::ProcessLogWrite(broker::bro::LogWrite lw) } unref_guard writer_id_unreffer{writer_id}; + auto path = caf::get_if(&lw.path()); - try + if ( ! path ) { - auto& path = broker::get(lw.path()); - auto& serial_data = broker::get(lw.serial_data()); - - BinarySerializationFormat fmt; - fmt.StartRead(serial_data.data(), serial_data.size()); - - int num_fields; - bool success = fmt.Read(&num_fields, "num_fields"); - - if ( ! success ) - { - reporter->Warning("failed to unserialize remote log num fields for stream: %s", stream_id_name.data()); - return false; - } - - auto vals = new threading::Value* [num_fields]; - - for ( int i = 0; i < num_fields; ++i ) - { - vals[i] = new threading::Value; - - if ( ! vals[i]->Read(&fmt) ) - { - for ( int j = 0; j <=i; ++j ) - delete vals[j]; - - delete [] vals; - reporter->Warning("failed to unserialize remote log field %d for stream: %s", i, stream_id_name.data()); - - return false; - } - } - - log_mgr->WriteFromRemote(stream_id->AsEnumVal(), writer_id->AsEnumVal(), std::move(path), num_fields, vals); - fmt.EndRead(); - return true; - } - - catch ( const broker::bad_variant_access& e) - { - reporter->Warning("failed to unpack remote log values (bad variant) for stream: %s", stream_id_name.data()); + reporter->Warning("failed to unpack remote log values (bad path variant) for stream: %s", stream_id_name.data()); return false; } + + auto serial_data = caf::get_if(&lw.serial_data()); + + if ( ! serial_data ) + { + reporter->Warning("failed to unpack remote log values (bad serial_data variant) for stream: %s", stream_id_name.data()); + return false; + } + + BinarySerializationFormat fmt; + fmt.StartRead(serial_data->data(), serial_data->size()); + + int num_fields; + bool success = fmt.Read(&num_fields, "num_fields"); + + if ( ! 
success ) + { + reporter->Warning("failed to unserialize remote log num fields for stream: %s", stream_id_name.data()); + return false; + } + + auto vals = new threading::Value* [num_fields]; + + for ( int i = 0; i < num_fields; ++i ) + { + vals[i] = new threading::Value; + + if ( ! vals[i]->Read(&fmt) ) + { + for ( int j = 0; j <=i; ++j ) + delete vals[j]; + + delete [] vals; + reporter->Warning("failed to unserialize remote log field %d for stream: %s", i, stream_id_name.data()); + + return false; + } + } + + log_mgr->WriteFromRemote(stream_id->AsEnumVal(), writer_id->AsEnumVal(), + std::move(*path), num_fields, vals); + fmt.EndRead(); + return true; } bool Manager::ProcessIdentifierUpdate(broker::bro::IdentifierUpdate iu) diff --git a/src/broker/data.bif b/src/broker/data.bif index 658145089c..e874076434 100644 --- a/src/broker/data.bif +++ b/src/broker/data.bif @@ -457,7 +457,7 @@ function Broker::__record_lookup%(r: Broker::Data, idx: count%): Broker::Data auto& v = bro_broker::require_data_type(r->AsRecordVal(), TYPE_RECORD, frame); - if ( idx >= v.size() || broker::get_if(v[idx]) ) + if ( idx >= v.size() || caf::get_if(&v[idx]) ) return new RecordVal(BifType::Record::Broker::Data); return bro_broker::make_data_val(v[idx]); @@ -496,7 +496,7 @@ function Broker::__record_iterator_value%(it: opaque of Broker::RecordIterator%) return rval; } - if ( broker::get_if(*ri->it) ) + if ( caf::get_if(&(*ri->it)) ) return rval; // field isn't set rval->Assign(0, new bro_broker::DataVal(*ri->it)); diff --git a/src/logging/WriterBackend.cc b/src/logging/WriterBackend.cc index 69327e815d..4416e41d17 100644 --- a/src/logging/WriterBackend.cc +++ b/src/logging/WriterBackend.cc 
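Review bot: `num_fields` is read from the peer-supplied `serial_data` as an `int` and passed straight to `new threading::Value* [num_fields]` with no range check in `ProcessLogWrite`. A negative or very large value from a remote peer therefore becomes a failed or oversized allocation. Extending the existing failure test to `if ( ! success || num_fields < 0 )` and adding an upper bound would contain it; presumably the count can never exceed `serial_data->size()`, but that should be confirmed against the serialization format. The early `return false` paths after `fmt.StartRead(...)` also skip `fmt.EndRead()`, and whether that matters depends on BinarySerializationFormat, which is not shown. The function begins outside the hunk.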
@@ -137,15 +137,15 @@ broker::data WriterBackend::WriterInfo::ToBroker() const bool WriterBackend::WriterInfo::FromBroker(broker::data d) { - if ( ! broker::is(d) ) + if ( ! caf::holds_alternative(d) ) return false; - auto v = broker::get(d); - auto bpath = broker::get_if(v[0]); - auto brotation_base = broker::get_if(v[1]); - auto brotation_interval = broker::get_if(v[2]); - auto bnetwork_time = broker::get_if(v[3]); - auto bconfig = broker::get_if(v[4]); + auto v = caf::get(d); + auto bpath = caf::get_if(&v[0]); + auto brotation_base = caf::get_if(&v[1]); + auto brotation_interval = caf::get_if(&v[2]); + auto bnetwork_time = caf::get_if(&v[3]); + auto bconfig = caf::get_if(&v[4]); if ( ! (bpath && brotation_base && brotation_interval && bnetwork_time && bconfig) ) return false; @@ -157,8 +157,8 @@ bool WriterBackend::WriterInfo::FromBroker(broker::data d) for ( auto i : *bconfig ) { - auto k = broker::get_if(i.first); - auto v = broker::get_if(i.second); + auto k = caf::get_if(&i.first); + auto v = caf::get_if(&i.second); if ( ! (k && v) ) return false; From 35b778eb4e18d0588d17a14bb2f77f7f4eda0c63 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 17 Jul 2018 14:42:52 -0500 Subject: [PATCH 565/631] Updating submodule(s). [nomail] --- aux/broker | 2 +- src/3rdparty | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/broker b/aux/broker index 467024ab09..2285177616 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 467024ab09e3443798126e69054fb8862c69562f +Subproject commit 2285177616bf0e0bed6758bccf63f3dfee4d2b4f diff --git a/src/3rdparty b/src/3rdparty index 648ff9aee1..b7c6be774b 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 648ff9aee1bb568a1a8252bd6e8146a7c60a911e +Subproject commit b7c6be774b922be1e15f53571201c3be2bc28b75 From 1d1a63c16ccde3c7ce7b9f8932350a4d352da066 Mon Sep 17 00:00:00 2001 
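Review bot: In `WriterInfo::FromBroker`, `auto v = caf::get(d);` copies the whole vector even though `d` is already a by-value parameter; `auto& v` would bind to it without the copy. In the second hunk, `for ( auto i : *bconfig )` likewise copies every key/value pair, so `for ( const auto& i : *bconfig )` is preferable. The loop-local `auto v` there also shadows the outer `v`, which makes the body harder to read; renaming the pair to something like `ck`/`cv` would avoid that. The function body continues outside both hunks.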
From: Jon Siwek Date: Tue, 17 Jul 2018 16:46:16 -0500 Subject: [PATCH 566/631] Add explicit key in Travis known_hosts --- CHANGES | 4 ++++ VERSION | 2 +- testing/scripts/travis-job | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index a4972bb8ea..5eb9d2dec0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-745 | 2018-07-17 16:46:16 -0500 + + * Add explicit key in Travis known_hosts (Jon Siwek, Corelight) + 2.5-743 | 2018-07-17 14:20:19 -0500 * Port broker::data variant usages to use CAF API directly diff --git a/VERSION b/VERSION index fd335625ba..46f8a42564 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-743 +2.5-745 diff --git a/testing/scripts/travis-job b/testing/scripts/travis-job index f006b898ce..c6221d76a2 100644 --- a/testing/scripts/travis-job +++ b/testing/scripts/travis-job @@ -143,7 +143,7 @@ run() { chmod 600 travis_key mkdir -p ~/.ssh mv travis_key ~/.ssh/id_rsa - ssh-keyscan -H -p 22 -t rsa git.bro.org >> ~/.ssh/known_hosts + echo "git.bro.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmlu+EaJfPKTVqoEUzb5JBEdvNiFxO2wm7Vl61dGBl57avakFl8YnRujbA2yxlpC2xnEKD5y++hXxtxRLefyCM=" >> ~/.ssh/known_hosts git clone ssh://git@git.bro.org/bro-testing-private rm ~/.ssh/id_rsa elif [ -n "${TRAVIS_PULL_REQUEST}" ] && [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then From bf67076cdce063bcd7788dac449eb380943d34ab Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 17 Jul 2018 17:51:13 -0500 Subject: [PATCH 567/631] Improve an input framework unit test --- CHANGES | 4 ++ VERSION | 2 +- .../out | 36 ++++--------- .../base/frameworks/input/raw/stderr.bro | 52 +++++++++---------- 4 files changed, 38 insertions(+), 56 deletions(-) diff --git a/CHANGES b/CHANGES index 5eb9d2dec0..0f05f4fb59 100644 --- a/CHANGES +++ b/CHANGES 
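Review bot: The pinned host key line in testing/scripts/travis-job carries no comment saying why the key is hard-coded or what to do when the server's key changes. Replacing `ssh-keyscan` with a fixed `known_hosts` entry removes the trust-on-first-use lookup, which is the point of the change, but the next maintainer sees only an opaque base64 blob. A comment above the `echo` would help, for example `# Pinned host key for git.bro.org (instead of ssh-keyscan); update this line if the server's ECDSA key is rotated.` Only the ecdsa-sha2-nistp256 key is pinned, so a server that stops offering that key type will make the clone fail rather than fall back, which is presumably intended. The `run()` function begins and ends outside the hunk.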
@@ -1,4 +1,8 @@ +2.5-746 | 2018-07-17 17:51:13 -0500 + + * Improve an input framework unit test (Jon Siwek, Corelight) + 2.5-745 | 2018-07-17 16:46:16 -0500 * Add explicit key in Travis known_hosts (Jon Siwek, Corelight) diff --git a/VERSION b/VERSION index 46f8a42564..fcd1315f19 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-745 +2.5-746 diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out index b7f857339d..65d0c26ab4 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out @@ -1,27 +1,9 @@ -Input::EVENT_NEW -..: -F -Input::EVENT_NEW -bro -F -Input::EVENT_NEW -out -F -Input::EVENT_NEW -stderr.bro -F -Input::EVENT_NEW -stderr output contained nonexistant -T -Input::EVENT_NEW -stderr output contained nonexistant -T -Input::EVENT_NEW -stderr output contained nonexistant -T -done -End of Data event -input -Process finished event -input -Exit code != 0 +Input::EVENT_NEW line output (stderr=F): ../mydir: +Input::EVENT_NEW line output (stderr=F): a +Input::EVENT_NEW line output (stderr=F): b +Input::EVENT_NEW line output (stderr=F): c +Input::EVENT_NEW line output (stderr=T): +Input::EVENT_NEW line output (stderr=T): +Input::EVENT_NEW line output (stderr=T): +End of Data event, input +Process finished event, input, T diff --git a/testing/btest/scripts/base/frameworks/input/raw/stderr.bro b/testing/btest/scripts/base/frameworks/input/raw/stderr.bro index 8e3fcefe41..8ff4cc7f1b 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/stderr.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/stderr.bro @@ -1,3 +1,4 @@ +# @TEST-EXEC: mkdir mydir && touch mydir/a && touch mydir/b && touch mydir/c # @TEST-EXEC: btest-bg-run bro bro -b %INPUT # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff out 
@@ -9,64 +10,59 @@ type Val: record { is_stderr: bool; }; -global try: count; +global try = 0; +global n = 0; global outfile: file; event line(description: Input::EventDescription, tpe: Input::Event, s: string, is_stderr: bool) { - print outfile, tpe; + local line_output = fmt("%s line output (stderr=%s): ", tpe, is_stderr); + if ( is_stderr ) { # work around localized error messages. and if some localization does not include the filename... well... that would be bad :) if ( strstr(s, "nonexistant") > 0 ) - { - print outfile, "stderr output contained nonexistant"; - } + line_output += ""; + else + line_output += ""; } else - { - print outfile, s; - } - print outfile, is_stderr; + line_output += s; - try = try + 1; - if ( try == 7 ) - { - print outfile, "done"; - Input::remove("input"); - } + print outfile, line_output; + ++try; + + if ( n == 2 && try == 7 ) + terminate(); } -global n = 0; - event Input::end_of_data(name: string, source:string) { - print outfile, "End of Data event"; - print outfile, name; + print outfile, "End of Data event", name; ++n; - if ( n == 2 ) + + if ( n == 2 && try == 7 ) terminate(); } event InputRaw::process_finished(name: string, source:string, exit_code:count, signal_exit:bool) { - print outfile, "Process finished event"; - print outfile, name; - if ( exit_code != 0 ) - print outfile, "Exit code != 0"; + print outfile, "Process finished event", name, exit_code != 0; ++n; - if ( n == 2 ) + + if ( n == 2 && try == 7 ) terminate(); } event bro_init() { - local config_strings: table[string] of string = { ["read_stderr"] = "1" }; outfile = open("../out"); - try = 0; - Input::add_event([$source="ls .. 
../nonexistant ../nonexistant2 ../nonexistant3 |", $reader=Input::READER_RAW, $name="input", $fields=Val, $ev=line, $want_record=F, $config=config_strings, $mode=Input::STREAM]); + Input::add_event([$source="ls ../mydir ../nonexistant ../nonexistant2 ../nonexistant3 |", + $reader=Input::READER_RAW, $name="input", + $fields=Val, $ev=line, $want_record=F, + $config=config_strings, $mode=Input::STREAM]); } From d245513e0a3bc4924a7ec5f1bfb268d1af421b75 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 18 Jul 2018 09:51:13 -0500 Subject: [PATCH 568/631] Improve some netcontrol unit tests --- CHANGES | 4 ++++ VERSION | 2 +- .../base/frameworks/netcontrol/acld-hook.bro | 17 +++++++++++++++-- .../scripts/base/frameworks/netcontrol/acld.bro | 17 +++++++++++++++-- .../base/frameworks/netcontrol/broker.bro | 17 +++++++++++++++-- 5 files changed, 50 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 0f05f4fb59..dd723f7fa7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-747 | 2018-07-18 09:51:13 -0500 + + * Improve some netcontrol unit tests (Jon Siwek, Corelight) + 2.5-746 | 2018-07-17 17:51:13 -0500 * Improve an input framework unit test (Jon Siwek, Corelight) diff --git a/VERSION b/VERSION index fcd1315f19..c0d70f840f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-746 +2.5-747 diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro index 2928e3d9a0..a0ce9c44d6 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro 
@@ -11,22 +11,35 @@ @load base/frameworks/netcontrol redef exit_only_after_terminate = T; +global have_peer = F; +global did_init = F; + +event bro_init() + { + suspend_processing(); + } event NetControl::init() { - suspend_processing(); local netcontrol_acld = NetControl::create_acld(NetControl::AcldConfig($acld_host=127.0.0.1, $acld_port=Broker::default_port, $acld_topic="bro/event/netcontroltest")); NetControl::activate(netcontrol_acld, 0); } event NetControl::init_done() { - continue_processing(); + did_init = T; + + if ( did_init && have_peer ) + continue_processing(); } event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { print "Broker peer added", endpoint$network; + have_peer = T; + + if ( did_init && have_peer ) + continue_processing(); } event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro index b802536eec..7593790013 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro @@ -12,10 +12,16 @@ @load base/frameworks/netcontrol redef exit_only_after_terminate = T; +global have_peer = F; +global did_init = F; + +event bro_init() + { + suspend_processing(); + } event NetControl::init() { - suspend_processing(); local netcontrol_acld = NetControl::create_acld(NetControl::AcldConfig($acld_host=127.0.0.1, $acld_port=Broker::default_port, $acld_topic="bro/event/netcontroltest")); NetControl::activate(netcontrol_acld, 0); } 
@@ -23,11 +29,18 @@ event NetControl::init() event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { print "Broker peer added", endpoint$network; + have_peer = T; + + if ( did_init && have_peer ) + continue_processing(); } event NetControl::init_done() { - continue_processing(); + did_init = T; + + if ( did_init && have_peer ) + continue_processing(); } event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) diff --git a/testing/btest/scripts/base/frameworks/netcontrol/broker.bro b/testing/btest/scripts/base/frameworks/netcontrol/broker.bro index 75ad035f69..9e8bb65476 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/broker.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/broker.bro @@ -12,22 +12,35 @@ @load base/frameworks/netcontrol redef exit_only_after_terminate = T; +global have_peer = F; +global did_init = F; + +event bro_init() + { + suspend_processing(); + } event NetControl::init() { - suspend_processing(); local netcontrol_broker = NetControl::create_broker(NetControl::BrokerConfig($host=127.0.0.1, $bport=Broker::default_port, $topic="bro/event/netcontroltest"), T); NetControl::activate(netcontrol_broker, 0); } event NetControl::init_done() { - continue_processing(); + did_init = T; + + if ( did_init && have_peer ) + continue_processing(); } event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { print "Broker peer added", endpoint$network; + have_peer = T; + + if ( did_init && have_peer ) + continue_processing(); } event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) From 86cd484759d09f7fea89e8f0281e90bcbe24f8df Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Fri, 20 Jul 2018 08:57:37 -0700 Subject: [PATCH 569/631] documentation, test suite update --- NEWS | 9 +++++ doc/script-reference/types.rst | 9 +++++ testing/btest/Baseline/language.set/out | 27 +++++++++++++++ testing/btest/language/set.bro | 45 +++++++++++++++++++++++++ 4 files changed, 90 insertions(+) 
diff --git a/NEWS b/NEWS index 93a28cb200..f66cdd617e 100644 --- a/NEWS +++ b/NEWS @@ -249,6 +249,15 @@ New Functionality '^' are binary "and", "or" and "xor" operators, and '~' is a unary ones-complement operator. +- Added support for set union, intersection, difference, and comparison + operations. The corresponding operators for the first three are + "s1 | s2", "s1 & s2", and "s1 - s2". Relationals are in terms + of subsets, so "s1 < s2" yields true if s1 is a proper subset of s2 + and "s1 == s2" if the two sets have exactly the same elements. + "s1 <= s2" holds for subsets or equality, and similarly "s1 != s2", + "s1 > s2", and "s1 >= s2" have the expected meanings in terms + of non-equality, proper superset, and superset-or-equal. + Changed Functionality --------------------- diff --git a/doc/script-reference/types.rst b/doc/script-reference/types.rst index 44dcbbdfb8..5459ae8514 100644 --- a/doc/script-reference/types.rst +++ b/doc/script-reference/types.rst @@ -526,6 +526,15 @@ Here is a more detailed description of each type: |s| + You can compute the union, intersection, or difference of two sets + using the ``|``, ``&``, and ``-`` operators. You can compare + sets for equality (they have exactly the same elements) using ``==``. + The ``<`` operator returns ``T`` if the lefthand operand is a proper + subset of the righthand operand. Similarly, ``<=`` returns ``T`` + if the lefthand operator is a subset (not necessarily proper, i.e., + it may be equal to the righthand operand). The operators ``!=``, ``>`` + and ``>=`` provide the expected complementary operations. + See the :bro:keyword:`for` statement for info on how to iterate over the elements in a set. diff --git a/testing/btest/Baseline/language.set/out b/testing/btest/Baseline/language.set/out index fc157cf7d9..0128420cbf 100644 --- a/testing/btest/Baseline/language.set/out +++ b/testing/btest/Baseline/language.set/out 
@@ -42,3 +42,30 @@ remove element (PASS) !in operator (PASS) remove element (PASS) !in operator (PASS) +union (PASS) +intersection (FAIL) +difference (PASS) +difference (PASS) +union/inter. (PASS) +relational (PASS) +relational (PASS) +subset (FAIL) +subset (FAIL) +subset (PASS) +superset (FAIL) +superset (FAIL) +superset (FAIL) +superset (PASS) +non-ordering (FAIL) +non-ordering (PASS) +superset (PASS) +superset (FAIL) +superset (PASS) +superset (PASS) +superset (PASS) +superset (FAIL) +equality (PASS) +equality (FAIL) +non-equality (PASS) +equality (FAIL) +magnitude (FAIL) diff --git a/testing/btest/language/set.bro b/testing/btest/language/set.bro index d1eef7e6f0..56cd649b49 100644 --- a/testing/btest/language/set.bro +++ b/testing/btest/language/set.bro 
@@ -136,5 +136,50 @@ event bro_init() delete sg3["curly"]; test_case( "remove element", |sg3| == 3 ); test_case( "!in operator", "curly" !in sg3 ); + + + local a = set(1,5,7,9,8,14); + local b = set(1,7,9,2); + + local a_plus_b = set(1,2,5,7,9,8,14); + local a_also_b = set(1,7,9); + local a_sans_b = set(5,8,14); + local b_sans_a = set(2); + + local a_or_b = a | b; + local a_and_b = a & b; + + test_case( "union", a_or_b == a_plus_b ); + test_case( "intersection", a_and_b == a_plus_b ); + test_case( "difference", a - b == a_sans_b ); + test_case( "difference", b - a == b_sans_a ); + + test_case( "union/inter.", |b & set(1,7,9,2)| == |b | set(1,7,2,9)| ); + test_case( "relational", |b & a_or_b| == |b| && |b| < |a_or_b| ); + test_case( "relational", b < a_or_b && a < a_or_b && a_or_b > a_and_b ); + + test_case( "subset", b < a ); + test_case( "subset", a < b ); + test_case( "subset", b < (a | set(2)) ); + test_case( "superset", b > a ); + test_case( "superset", b > (a | set(2)) ); + test_case( "superset", b | set(8, 14, 5) > (a | set(2)) ); + test_case( "superset", b | set(8, 14, 99, 5) > (a | set(2)) ); + + test_case( "non-ordering", (a <= b) || (a >= b) ); + test_case( "non-ordering", (a <= a_or_b) && (a_or_b >= b) ); + + test_case( "superset", (b | set(14, 5)) > a - set(8) ); + test_case( "superset", (b | set(14)) > a - set(8) ); + test_case( "superset", (b | set(14)) > a - set(8,5) ); + test_case( "superset", b >= a - set(5,8,14) ); + test_case( "superset", b > a - set(5,8,14) ); + test_case( "superset", (b - set(2)) > a - set(5,8,14) ); + test_case( "equality", a == a | set(5) ); + test_case( "equality", a == a | set(5,11) ); + test_case( "non-equality", a != a | set(5,11) ); + test_case( "equality", a == a | set(5,11) ); + + test_case( "magnitude", |a_and_b| == |a_or_b|); } From 6215d45f10e316228df7a07bdba8b038b827ac63 Mon Sep 17 00:00:00 2001 
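Review bot: `a_also_b = set(1,7,9)` is defined as the expected intersection but never used in testing/btest/language/set.bro. The intersection case compares against the union instead, `test_case( "intersection", a_and_b == a_plus_b );`, and the baseline records it as `intersection (FAIL)`. That looks like a typo for `test_case( "intersection", a_and_b == a_also_b );`, with the baseline line changed to PASS. More generally, many of the added cases are expected to be false, so the baseline is full of `(FAIL)` lines that a reader cannot tell apart from a regression. Writing them in negated form, e.g. `test_case( "subset", !(a < b) );`, would keep the baseline all-PASS.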
From: Jon Siwek Date: Fri, 20 Jul 2018 11:59:40 -0500 Subject: [PATCH 570/631] Improve control framework id-update/test output --- scripts/policy/frameworks/control/controller.bro | 7 +++++-- .../frameworks/control/configuration_update.bro | 16 ++++++++++++++-- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/scripts/policy/frameworks/control/controller.bro b/scripts/policy/frameworks/control/controller.bro index 1cf404ad15..4897005dfb 100644 --- a/scripts/policy/frameworks/control/controller.bro +++ b/scripts/policy/frameworks/control/controller.bro @@ -126,14 +126,17 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) &priority= { # Send all &redef'able consts to the peer. local ids = configurable_ids(); + local publish_count = 0; for ( id in ids ) { local topic = fmt("%s/id/%s", Control::topic_prefix, id); - Broker::publish_id(topic, id); + + if ( Broker::publish_id(topic, id) ) + ++publish_count; } - Reporter::info(fmt("Control framework sent %d IDs", |ids|)); + Reporter::info(fmt("Control framework sent %d IDs", publish_count)); } send_control_request(); diff --git a/testing/btest/scripts/base/frameworks/control/configuration_update.bro b/testing/btest/scripts/base/frameworks/control/configuration_update.bro index d3fef8e1b5..77badfcf2e 100644 --- a/testing/btest/scripts/base/frameworks/control/configuration_update.bro +++ b/testing/btest/scripts/base/frameworks/control/configuration_update.bro 
@@ -1,7 +1,7 @@ # @TEST-SERIALIZE: comm # -# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Broker::default_port=65531/tcp -# @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT test-redef frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=configuration_update +# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro -Bbroker %INPUT frameworks/control/controllee Broker::default_port=65531/tcp +# @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro -Bbroker %INPUT test-redef frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=configuration_update # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff controllee/.stdout @@ -18,14 +18,26 @@ redef test_var = "NEW VALUE (this should be printed out second)"; event bro_init() { print test_var; + Reporter::info("handle bro_init"); } event bro_done() { print test_var; + Reporter::info("handle bro_done"); } event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } + +event Control::configuration_update_request() + { + Reporter::info("handle Control::configuration_update_request"); + } + +event Control::configuration_update_response() + { + Reporter::info("handle Control::configuration_update_response"); + } From 385350a1f366365efcaab1029567e72f5b954b07 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 20 Jul 2018 12:08:06 -0500 Subject: [PATCH 571/631] Make Broker congestion queue size tunable and increase default --- CHANGES | 7 +++++++ VERSION | 2 +- scripts/base/frameworks/broker/main.bro | 5 +++++ src/broker/Manager.cc | 11 ++++------- 4 files changed, 17 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index dd723f7fa7..bcdd6aa3fc 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,11 @@ +2.5-749 | 2018-07-20 12:08:06 -0500 + + * Make Broker congestion queue size tunable and increase default + (Jon Siwek, Corelight) + + * Improve control framework id-update/test output (Jon Siwek, Corelight) + 2.5-747 | 2018-07-18 09:51:13 -0500 * Improve some netcontrol unit tests (Jon Siwek, Corelight) diff --git a/VERSION b/VERSION index c0d70f840f..ddee4c89a5 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-747 +2.5-749 diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.bro index cab205dd85..0fdf289ee6 100644 --- a/scripts/base/frameworks/broker/main.bro +++ b/scripts/base/frameworks/broker/main.bro @@ -51,6 +51,11 @@ export { ## all peers. const ssl_keyfile = "" &redef; + ## The number of buffered messages at the Broker/CAF layer after which + ## a subscriber considers themselves congested (i.e. tune the congestion + ## control mechanisms). + const congestion_queue_size = 200 &redef; + ## Max number of threads to use for Broker/CAF functionality. ## Using zero will cause this to be automatically determined ## based on number of available CPUs. diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index a78ba2bea8..9712516b74 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -30,10 +30,6 @@ static const int LOG_BATCH_SIZE = 400; // batch. static const double LOG_BUFFER_INTERVAL = 1.0; -// Number of buffered messages (at the Broker/CAF layer) after which -// subscribers consider themselves congested. -static const size_t SUBSCRIBER_MAX_QSIZE = 20u; - static inline Val* get_option(const char* option) { auto id = global_scope()->Lookup(option); 
@@ -59,9 +55,9 @@ public: class BrokerState { public: - BrokerState(BrokerConfig config) + BrokerState(BrokerConfig config, size_t congestion_queue_size) : endpoint(std::move(config)), - subscriber(endpoint.make_subscriber({}, SUBSCRIBER_MAX_QSIZE)), + subscriber(endpoint.make_subscriber({}, congestion_queue_size)), status_subscriber(endpoint.make_status_subscriber(true)) { } @@ -216,7 +212,8 @@ void Manager::InitPostScript() // when using this sleep duration. config.set("work-stealing.relaxed-sleep-duration-us", 64000); - bstate = std::make_shared(std::move(config)); + auto cqs = get_option("Broker::congestion_queue_size")->AsCount(); + bstate = std::make_shared(std::move(config), cqs); } void Manager::Terminate() From 12add531313c957edbb5f28f1cbb768e184e40d4 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 20 Jul 2018 13:36:38 -0700 Subject: [PATCH 572/631] Fix special-case-bug for vectors in UnaryExpr. In some cases one can get the Type() of unaryexpr to be ANY. Vectors so far did not deal gracefully with this and crashed because trying to convert any to a vectortype. This patch fixes this by just using the original vector-type in this case. --- src/Expr.cc | 8 +++++++- testing/btest/core/vector-assignment.bro | 19 +++++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 testing/btest/core/vector-assignment.bro diff --git a/src/Expr.cc b/src/Expr.cc index 4c3c7a536a..a86f86b9c4 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -456,7 +456,13 @@ Val* UnaryExpr::Eval(Frame* f) const if ( is_vector(v) ) { VectorVal* v_op = v->AsVectorVal(); - VectorVal* result = new VectorVal(Type()->AsVectorType()); + VectorType* out_t; + if ( Type()->Tag() == TYPE_ANY ) + out_t = v->Type()->AsVectorType(); + else + out_t = Type()->AsVectorType(); + + VectorVal* result = new VectorVal(out_t); for ( unsigned int i = 0; i < v_op->Size(); ++i ) { 
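Review bot: In `Manager::InitPostScript()`, the value of `Broker::congestion_queue_size` is read with `AsCount()` and handed to `make_subscriber` with no range check, so a `redef` to 0 or to a very large number goes straight into the Broker/CAF layer. How `make_subscriber` treats 0 is not visible in this hunk, and a very large value presumably removes the backpressure that the old fixed constant guaranteed, letting a slow node buffer far more than intended. I would reject out-of-range values at startup, e.g. `if ( cqs == 0 ) reporter->FatalError("Broker::congestion_queue_size must be greater than 0");`, and state the accepted range in the doc comment in scripts/base/frameworks/broker/main.bro. `AsCount()` yields a 64-bit count that is narrowed to `size_t` in the `BrokerState` constructor, so an explicit `static_cast<size_t>(...)` after the check would make that conversion visible. The function body starts outside the hunk.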
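Review bot: The new `TYPE_ANY` branch in `UnaryExpr::Eval` carries no comment saying when `Type()` can be `any` for a vector operand, and `out_t` is declared uninitialised ahead of the `if`. I would fold it into one initialised declaration, `VectorType* out_t = Type()->Tag() == TYPE_ANY ? v->Type()->AsVectorType() : Type()->AsVectorType();`, preceded by a comment such as `// Type() can be "any", e.g. for a vector passed via an any-typed value; use the operand's own vector type then.` Reusing the operand's type assumes every unary operator reaching this path produces elements of the same type as its input, which is worth confirming because only the first line of the loop is visible here.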
diff --git a/testing/btest/core/vector-assignment.bro b/testing/btest/core/vector-assignment.bro new file mode 100644 index 0000000000..d1f02c124f --- /dev/null +++ b/testing/btest/core/vector-assignment.bro @@ -0,0 +1,19 @@ +# @TEST-EXEC: bro %INPUT + +# This regression test checks a special case in the vector code. In this case +# UnaryExpr will be called with a Type() of any. Tests succeeds if it does not +# crash Bro. + +type OptionCacheValue: record { + val: any; +}; + +function set_me(val: any) { + local a = OptionCacheValue($val=val); + print a; +} + +event bro_init() { + local b: vector of count = {1, 2, 3}; + set_me(b); +} From f3d4ba51afb05eed749ddcf7c144992af36cd395 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 20 Jul 2018 13:41:44 -0700 Subject: [PATCH 573/631] Add vector to read_config_cluster test. It works now after fixing the vector-any-UnaryExpr Bro bug. --- .../manager-1.config.log | 33 ++++++++++--------- .../worker-1..stdout | 1 + .../worker-2..stdout | 1 + .../frameworks/config/read_config_cluster.bro | 2 +- 4 files changed, 20 insertions(+), 17 deletions(-) diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1.config.log index a9794564b3..f1420279b4 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1.config.log +++ b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1.config.log 
@@ -3,21 +3,22 @@ #empty_field (empty) #unset_field - #path config -#open 2018-06-29-20-24-53 +#open 2018-07-20-20-40-10 #fields ts id old_value new_value location #types time string string string string -1530303893.918762 testbool T F ../configfile -1530303893.918762 testcount 0 1 ../configfile -1530303893.918762 testcount 1 2 ../configfile -1530303893.918762 testint 0 -1 ../configfile -1530303893.918762 testenum SSH::LOG Conn::LOG ../configfile -1530303893.918762 testport 42/tcp 45/unknown ../configfile -1530303893.918762 testaddr 127.0.0.1 127.0.0.1 ../configfile -1530303893.918762 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile -1530303893.918762 testinterval 1.0 sec 60.0 ../configfile -1530303893.918762 testtime 0.0 1507321987.0 ../configfile -1530303893.918762 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile -1530303893.918762 test_set b,c,a,d,erdbeerschnitzel \x28empty) ../configfile -1530303893.918762 test_set \x28empty) \x2d ../configfile -1530303893.918762 test_set_full 2,1,7,15,10,3 6,4,1,7,5,3 ../configfile -#close 2018-06-29-20-25-06 +1532119210.151927 testbool T F ../configfile +1532119210.151927 testcount 0 1 ../configfile +1532119210.151927 testcount 1 2 ../configfile +1532119210.151927 testint 0 -1 ../configfile +1532119210.151927 testenum SSH::LOG Conn::LOG ../configfile +1532119210.151927 testport 42/tcp 45/unknown ../configfile +1532119210.151927 testaddr 127.0.0.1 127.0.0.1 ../configfile +1532119210.151927 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile +1532119210.151927 testinterval 1.0 sec 60.0 ../configfile +1532119210.151927 testtime 0.0 1507321987.0 ../configfile +1532119210.151927 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile +1532119210.151927 test_vector (empty) 1,2,3,4,5,6 ../configfile +1532119210.151927 test_set b,c,a,d,erdbeerschnitzel \x28empty) ../configfile +1532119210.151927 test_set \x28empty) \x2d ../configfile +1532119210.151927 test_set_full 2,1,7,15,10,3 6,4,1,7,5,3 ../configfile 
+#close 2018-07-20-20-40-22 diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-1..stdout index b55e8dd13c..08b60346e3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-1..stdout @@ -6,6 +6,7 @@ cluster_set_option, testinterval, [data=broker::data{60000000000ns}], ../configf cluster_set_option, test_set, [data=broker::data{{-}}], ../configfile cluster_set_option, testaddr, [data=broker::data{2607:f8b0:4005:801::200e}], ../configfile cluster_set_option, testenum, [data=broker::data{Conn::LOG}], ../configfile +cluster_set_option, test_vector, [data=broker::data{[1, 2, 3, 4, 5, 6]}], ../configfile cluster_set_option, testbool, [data=broker::data{F}], ../configfile cluster_set_option, testcount, [data=broker::data{2}], ../configfile cluster_set_option, test_set_full, [data=broker::data{{1, 3, 4, 5, 6, 7}}], ../configfile diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-2..stdout index b55e8dd13c..08b60346e3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-2..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-2..stdout 
@@ -6,6 +6,7 @@ cluster_set_option, testinterval, [data=broker::data{60000000000ns}], ../configf cluster_set_option, test_set, [data=broker::data{{-}}], ../configfile cluster_set_option, testaddr, [data=broker::data{2607:f8b0:4005:801::200e}], ../configfile cluster_set_option, testenum, [data=broker::data{Conn::LOG}], ../configfile +cluster_set_option, test_vector, [data=broker::data{[1, 2, 3, 4, 5, 6]}], ../configfile cluster_set_option, testbool, [data=broker::data{F}], ../configfile cluster_set_option, testcount, [data=broker::data{2}], ../configfile cluster_set_option, test_set_full, [data=broker::data{{1, 3, 4, 5, 6, 7}}], ../configfile diff --git a/testing/btest/scripts/base/frameworks/config/read_config_cluster.bro b/testing/btest/scripts/base/frameworks/config/read_config_cluster.bro index d44518579f..4d35b794bc 100644 --- a/testing/btest/scripts/base/frameworks/config/read_config_cluster.bro +++ b/testing/btest/scripts/base/frameworks/config/read_config_cluster.bro @@ -52,7 +52,7 @@ export { option teststring = "a"; option test_set: set[string] = {}; option test_set_full: set[count] = {1, 2, 3, 7, 10, 15}; - #option test_vector: vector of count = {}; + option test_vector: vector of count = {}; } event bro_init() From 8233d82144de389e3ac564352d27dae36054162a Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 23 Jul 2018 18:07:15 +0000 Subject: [PATCH 574/631] Fix some compiler warnings. --- src/CMakeLists.txt | 4 ++++ src/RemoteSerializer.cc | 14 +++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 00f19b9348..c58ef2d0c9 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
@@ -52,6 +52,7 @@ bison_target(BIFParser builtin-func.y COMPILE_FLAGS "${BISON_FLAGS}") flex_target(BIFScanner builtin-func.l ${CMAKE_CURRENT_BINARY_DIR}/bif_lex.cc) add_flex_bison_dependency(BIFScanner BIFParser) +set_property(SOURCE bif_lex.cc APPEND_STRING PROPERTY COMPILE_FLAGS "-Wno-sign-compare") # Rule parser/scanner bison_target(RuleParser rule-parse.y @@ -67,6 +68,7 @@ replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/rup.h rules_ rules_) flex_target(RuleScanner rule-scan.l ${CMAKE_CURRENT_BINARY_DIR}/rule-scan.cc COMPILE_FLAGS "-Prules_") +set_property(SOURCE rule-scan.cc APPEND_STRING PROPERTY COMPILE_FLAGS "-Wno-sign-compare") # RE parser/scanner bison_target(REParser re-parse.y @@ -80,6 +82,7 @@ replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/rep.cc flex_target(REScanner re-scan.l ${CMAKE_CURRENT_BINARY_DIR}/re-scan.cc COMPILE_FLAGS "-Pre_") add_flex_bison_dependency(REScanner REParser) +set_property(SOURCE re-scan.cc APPEND_STRING PROPERTY COMPILE_FLAGS "-Wno-sign-compare") # Parser/Scanner bison_target(Parser parse.y @@ -92,6 +95,7 @@ replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/p.cc bro yy) flex_target(Scanner scan.l ${CMAKE_CURRENT_BINARY_DIR}/scan.cc COMPILE_FLAGS "-Pbro") +set_property(SOURCE scan.cc APPEND_STRING PROPERTY COMPILE_FLAGS "-Wno-sign-compare") ######################################################################## ## bifcl (BIF compiler) target diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 78080e31f5..392bdb8f6f 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -255,7 +255,7 @@ struct ping_args { # define DEBUG_COMM(msg) #endif -#define READ_CHUNK(i, c, do_if_eof) \ +#define READ_CHUNK(i, c, do_if_eof, kill_me) \ { \ if ( ! i->Read(&c) ) \ { \ @@ -264,7 +264,7 @@ struct ping_args { do_if_eof; \ } \ else \ - Error(fmt("can't read data chunk: %s", io->Error()), i == io); \ + Error(fmt("can't read data chunk: %s", io->Error()), kill_me); \ return false; \ } \ \ 
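Review bot: In `READ_CHUNK`, the failed read is on `i` but the message is built from `io->Error()`, so when the macro is used on `peer->io` the logged reason presumably comes from a different channel than the one that failed. The removed `i == io` comparison suggests that `io` is the parent channel in this scope. Since the commit already rewrites this line, I would change it to `Error(fmt("can't read data chunk: %s", i->Error()), kill_me);` so the log names the cause on the connection that actually broke. The macro arguments are also used unparenthesised (`i->Read(&c)`), and `(i)->Read(&(c))` would be safer should a caller ever pass an expression. The macro body is split across two hunks and continues outside them.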
@@ -3586,7 +3586,7 @@ bool SocketComm::ProcessParentMessage() { // Argument chunk follows. ChunkedIO::Chunk* c = 0; - READ_CHUNK(io, c, Error("parent died", true)); + READ_CHUNK(io, c, Error("parent died", true), true); parent_args = c; parent_msgstate = TYPE; bool result = DoParentMessage(); @@ -3872,7 +3872,7 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer) { // CMsg follows ChunkedIO::Chunk* c; READ_CHUNK(peer->io, c, - (CloseConnection(peer, true), peer)) + (CloseConnection(peer, true), peer), false) CMsg* msg = (CMsg*) c->data; @@ -3907,7 +3907,7 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer) // forward to our parent. ChunkedIO::Chunk* c; READ_CHUNK(peer->io, c, - (CloseConnection(peer, true), peer)) + (CloseConnection(peer, true), peer), false) // Set time3. ping_args* args = (ping_args*) c->data; @@ -3921,7 +3921,7 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer) // forward to our parent. ChunkedIO::Chunk* c; READ_CHUNK(peer->io, c, - (CloseConnection(peer, true), peer)) + (CloseConnection(peer, true), peer), false) // Calculate time delta. ping_args* args = (ping_args*) c->data; @@ -3944,7 +3944,7 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer) // forward to our parent. ChunkedIO::Chunk* c; READ_CHUNK(peer->io, c, - (CloseConnection(peer, true), peer)) + (CloseConnection(peer, true), peer), false) return ForwardChunkToParent(peer, c); } From 461c367952bb9965a99c2fdd3b567a789e4b88cf Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Mon, 23 Jul 2018 18:11:37 +0000 Subject: [PATCH 575/631] Updating submodule(s). [nomail] --- aux/binpac | 2 +- cmake | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/binpac b/aux/binpac index 951aeae8e4..1c915311b4 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 951aeae8e4a08c598203cf61387f015ec4e0849d +Subproject commit 1c915311b445ba6b76c8c727e0d4e7f70594db1c 
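Review bot: In `SocketComm::ProcessRemoteMessage`, the chunk read from `peer->io` is cast to `ping_args*` (and to `CMsg*` in the first of these hunks) on the statement right after `READ_CHUNK`, with no length check in between. The data comes from a remote peer, so unless the chunk length is validated on lines outside these hunks, a chunk shorter than the struct would be read past its end. If no such check exists elsewhere, each cast should be preceded by a comparison of the chunk's length against `sizeof(ping_args)` (or `sizeof(CMsg)`), with the connection closed on a mismatch. While touching these call sites, the C-style casts could become `reinterpret_cast` so they are easy to find in a later audit.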
diff --git a/cmake b/cmake index 1600554d1d..b89581de74 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit 1600554d1d907f4f252f19cf1f55e13d368a936f +Subproject commit b89581de74d1ff61880f957afa5b7f721105fbde From 0f74e1eedda64f7b69ee445e52992246ad74d948 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 24 Jul 2018 01:39:07 +0000 Subject: [PATCH 576/631] Add serialization group to clustered config framework tests. --- CHANGES | 2 +- VERSION | 2 +- testing/btest/scripts/base/frameworks/config/basic_cluster.bro | 2 ++ testing/btest/scripts/base/frameworks/config/cluster_resend.bro | 2 ++ .../scripts/base/frameworks/config/read_config_cluster.bro | 2 ++ 5 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index dbf3b11825..dbf67b1918 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,5 @@ -2.5-765 | 2018-07-23 23:38:28 +0000 +2.5-766 | 2018-07-24 01:39:07 +0000 * Clusterization of configureation framework. (Johanna Amann, Corelight) diff --git a/VERSION b/VERSION index 83d9c9f70c..08fbf3ec7b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-765 +2.5-766 diff --git a/testing/btest/scripts/base/frameworks/config/basic_cluster.bro b/testing/btest/scripts/base/frameworks/config/basic_cluster.bro index c6e0bf15a6..6423773b26 100644 --- a/testing/btest/scripts/base/frameworks/config/basic_cluster.bro +++ b/testing/btest/scripts/base/frameworks/config/basic_cluster.bro @@ -1,3 +1,5 @@ +# @TEST-SERIALIZE: comm +# # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT # @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT diff --git a/testing/btest/scripts/base/frameworks/config/cluster_resend.bro b/testing/btest/scripts/base/frameworks/config/cluster_resend.bro index 9e82672f2b..e5c871a578 100644 --- a/testing/btest/scripts/base/frameworks/config/cluster_resend.bro +++ b/testing/btest/scripts/base/frameworks/config/cluster_resend.bro 
@@ -1,3 +1,5 @@ +# @TEST-SERIALIZE: comm +# # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT # @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT diff --git a/testing/btest/scripts/base/frameworks/config/read_config_cluster.bro b/testing/btest/scripts/base/frameworks/config/read_config_cluster.bro index 4d35b794bc..ea806fc18c 100644 --- a/testing/btest/scripts/base/frameworks/config/read_config_cluster.bro +++ b/testing/btest/scripts/base/frameworks/config/read_config_cluster.bro @@ -1,3 +1,5 @@ +# @TEST-SERIALIZE: comm +# # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT # @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT From d62079b59a523f225f3daec534a792210808ee6c Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 24 Jul 2018 02:26:17 +0000 Subject: [PATCH 577/631] Updating submodule(s). [nomail] --- CHANGES | 11 +++++++++++ NEWS | 5 +++++ VERSION | 2 +- aux/bifcl | 2 +- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- 9 files changed, 23 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index dbf67b1918..26b45a1f3f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,15 @@ +2.5-771 | 2018-07-24 02:26:17 +0000 + + * Support building plugins from Bro installation prefix so that it + does no longer need access to a Bro source/build tree. This + required installing various Bro headers, BinPAC and it's headers, + bifcl, and Bro's custom CMake modules. (Jon Siwek, Corelight) + + * Add binpac to install process. (Jon Siwek, Corelight) + + * Move bifcl to a separate repo. (Jon Siwek, Corelight) + 2.5-766 | 2018-07-24 01:39:07 +0000 * Clusterization of configureation framework. (Johanna Amann, Corelight) diff --git a/NEWS b/NEWS index 0caf8ad58a..9b5d00943f 100644 --- a/NEWS +++ b/NEWS 
@@ -269,6 +269,11 @@ New Functionality double quotes maintain their case-sensitivity. So for example /"foo"/i will not match "Foo", but it will match "foo". +- "make install" now installs Bro's include headers (and more) into + --prefix so that compiling plugins does no longer need access to a + source/build tree. For OS distributions, this also facilitates + creating "bro-devel" packages providing all files necessary to build + plugins. Changed Functionality --------------------- diff --git a/VERSION b/VERSION index 08fbf3ec7b..2fb81e9be3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-766 +2.5-771 diff --git a/aux/bifcl b/aux/bifcl index c7adafebd7..c1a154dab5 160000 --- a/aux/bifcl +++ b/aux/bifcl @@ -1 +1 @@ -Subproject commit c7adafebd79631c7815db2eb5a9dd9a6f086e2e2 +Subproject commit c1a154dab5c0d78a907ebfca71805b7a6dfb5952 diff --git a/aux/binpac b/aux/binpac index 3f2e6eec68..bfdb7a8194 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 3f2e6eec68b8cb09e541c7301b0b19e57c6ec18e +Subproject commit bfdb7a8194a84a6298f8776d7ac7132313742715 diff --git a/aux/bro-aux b/aux/bro-aux index 5337a283bb..0c60d51cf7 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 5337a283bb9756eb4ba5119aeede6626787a53ca +Subproject commit 0c60d51cf7faac478397bde72e7ead536365aa2d diff --git a/aux/broccoli b/aux/broccoli index d9041cc95d..86ebcbbebb 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit d9041cc95d2232dbbcf36647f34537da22e360ff +Subproject commit 86ebcbbebbfa4d7df33cec7ad6dfe7996b0a3ca3 diff --git a/aux/broctl b/aux/broctl index e28feb1ed8..1d6d148b2f 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit e28feb1ed80a5787f4d6055fbe15b1699397871e +Subproject commit 1d6d148b2feae71861f11ee21911aa64b7a360aa diff --git a/aux/broker b/aux/broker index 2285177616..99e0c0d40e 160000 --- a/aux/broker +++ b/aux/broker 
@@ -1 +1 @@ -Subproject commit 2285177616bf0e0bed6758bccf63f3dfee4d2b4f +Subproject commit 99e0c0d40e176e7a8618d45de68b4cd528f7b7af From 4ca4b0504350fa3546726a4732bfb60f450af30f Mon Sep 17 00:00:00 2001 From: Chung Min Kim Date: Tue, 24 Jul 2018 13:19:14 -0700 Subject: [PATCH 578/631] Refactoring, making error messages nicer, & lcov Directory name for bro core coverage changed to "coverage", error messages made nicer. Use `make html` in testing/coverage to create logs in HTML format when lcov exists on the system. --- .gitignore | 1 + testing/Makefile | 4 ++-- .../{bro-core-coverage => coverage}/Makefile | 6 ++++++ testing/coverage/README | 13 ++++++++++++ .../code_coverage.sh | 20 ++++++++++++------- 5 files changed, 35 insertions(+), 9 deletions(-) rename testing/{bro-core-coverage => coverage}/Makefile (52%) create mode 100644 testing/coverage/README rename testing/{bro-core-coverage => coverage}/code_coverage.sh (90%) diff --git a/.gitignore b/.gitignore index d59a62b7e1..fa397f98d2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ build tmp +*.gcov diff --git a/testing/Makefile b/testing/Makefile index e34aaca939..c5610fc97b 100644 --- a/testing/Makefile +++ b/testing/Makefile @@ -8,7 +8,7 @@ brief: make-brief coverage distclean: @rm -f coverage.log $(MAKE) -C btest $@ - $(MAKE) -C bro-core-coverage $@ + $(MAKE) -C coverage $@ make-verbose: @for repo in $(DIRS); do (cd $$repo && make -s ); done @@ -23,5 +23,5 @@ coverage: @echo "Complete test suite code coverage:" @./scripts/coverage-calc "brocov.tmp.*" coverage.log `pwd`/../scripts @rm -f brocov.tmp.* - @cd bro-core-coverage && make coverage + @cd coverage && make coverage diff --git a/testing/bro-core-coverage/Makefile b/testing/coverage/Makefile similarity index 52% rename from testing/bro-core-coverage/Makefile rename to testing/coverage/Makefile index e7db4894fd..1aa8036bbf 100644 --- a/testing/bro-core-coverage/Makefile +++ b/testing/coverage/Makefile 
@@ -7,3 +7,9 @@ cleanup: distclean: cleanup @find ../../ -name "*.gcno" -exec rm {} \; + +html: + @(cd ../../; if which lcov; then\ + lcov --capture --directory . --output-file coverage.info \ + && genhtml coverage.info && rm coverage.info; \ + fi) diff --git a/testing/coverage/README b/testing/coverage/README new file mode 100644 index 0000000000..0c19e14d51 --- /dev/null +++ b/testing/coverage/README @@ -0,0 +1,13 @@ +On a Bro build configured with --enable-coverage, this script produces a code coverage report after Bro has been invoked. The intended application of this script is after the btest testsuite has run. This combination (btests first, coverage computation afterward) happens automatically when running "make" in the testing directory. This script puts .gcov files (which are included in .gitignore) alongside the corresponding source files. + +This depends on gcov, which should come with your gcc. If gcov is not installed, the script will abort with an error message. + +TODO: Use `make html` as make target in this directory to output the html files that gcov can create (must have lcov on system). + +The goal of code-coverage.sh script is to automate code coverage testing. See the following steps for the code structure: + 1. Run test suite + 2. Check for .gcda files existing. + 3a. Run gcov (-p to preserve path) + 3b. Prune .gcov files for objects outside of the Bro tree + 4a. Analyze .gcov files generated and create summary file + 4b. Send .gcov files to appropriate path diff --git a/testing/bro-core-coverage/code_coverage.sh b/testing/coverage/code_coverage.sh similarity index 90% rename from testing/bro-core-coverage/code_coverage.sh rename to testing/coverage/code_coverage.sh index b1eb8c599a..ec583b1e5e 100755 --- a/testing/bro-core-coverage/code_coverage.sh +++ b/testing/coverage/code_coverage.sh 
@@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # On a Bro build configured with --enable-coverage, this script # produces a code coverage report after Bro has been invoked. The @@ -17,7 +17,7 @@ # 4b. Send .gcov files to appropriate path # CURR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" # Location of script -BASE="$(realpath "${CURR}/../../")" +BASE="$(readlink -f "${CURR}/../../")" TMP="${CURR}/tmp.$$" mkdir -p $TMP @@ -96,14 +96,20 @@ done echo "ok" # 3a. Run gcov (-p to preserve path) and move into tmp directory +# ... if system does not have gcov installed, exit with message. echo -n "Creating coverage files... " -( cd "$TMP" && find "$BASE" -name "*.o" -exec gcov -p {} > /dev/null 2>&1 \; ) -NUM_GCOVS=$(ls "$TMP"/*.gcov | wc -l) -if [ $NUM_GCOVS -eq 0 ]; then - echo "no gcov files produced, aborting" +if which gcov; then + ( cd "$TMP" && find "$BASE" -name "*.o" -exec gcov -p {} > /dev/null 2>&1 \; ) + NUM_GCOVS=$(find "$TMP" -name *.gcov | wc -l) + if [ $NUM_GCOVS -eq 0 ]; then + echo "no gcov files produced, aborting" + exit 1 + fi + echo "ok, $NUM_GCOVS coverage files" +else + echo "gcov is not installed on system, aborting" exit 1 fi -echo "ok, $NUM_GCOVS coverage files" # 3b. Prune gcov files that fall outside of the Bro tree: # Look for files containing gcov's slash substitution character "#" From e31563069b6bdab1dceaa0490f1ad6b89556b267 Mon Sep 17 00:00:00 2001 From: Zhongjie Wang Date: Tue, 24 Jul 2018 14:07:12 -0700 Subject: [PATCH 579/631] Added missing tcp-state for signature dpd_rfb_server --- scripts/base/protocols/rfb/dpd.sig | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/base/protocols/rfb/dpd.sig b/scripts/base/protocols/rfb/dpd.sig index 40793ad590..c105070b24 100644 --- a/scripts/base/protocols/rfb/dpd.sig +++ b/scripts/base/protocols/rfb/dpd.sig @@ -1,6 +1,7 @@ signature dpd_rfb_server { ip-proto == tcp payload /^RFB/ + tcp-state responder requires-reverse-signature dpd_rfb_client enable "rfb" } 
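Review bot: In step 3a of code_coverage.sh, `find "$TMP" -name *.gcov` leaves the pattern unquoted, so the shell expands it against the current directory first. Because this script places `.gcov` files next to the sources, a run from a directory that holds some passes file names instead of the pattern, and the count is wrong or `find` fails; quote it as `NUM_GCOVS=$(find "$TMP" -name '*.gcov' | wc -l)`. `if which gcov; then` also prints the resolved path into the middle of the "Creating coverage files... " line, and `which` is not guaranteed to be present; `if command -v gcov >/dev/null 2>&1; then` avoids both, and the same applies to `which lcov` in the `html` target of testing/coverage/Makefile. The switch from `realpath` to `readlink -f` in the earlier hunk is presumably for portability, but `readlink -f` is not available in every BSD/macOS userland either, so a comment naming the platforms the script is expected to run on would help.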
@@ -9,4 +10,4 @@ signature dpd_rfb_client { ip-proto == tcp payload /^RFB/ tcp-state originator -} \ No newline at end of file +} From 3ed59249ba4978a4379d65679c6eb2b727d8181c Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 24 Jul 2018 16:38:30 -0500 Subject: [PATCH 580/631] Exclude CMakeFiles from header installation path --- src/CMakeLists.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 15738f8df0..f3dfd42d85 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -428,6 +428,7 @@ install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/ PATTERN "*.bif.func_h" PATTERN "*.bif.netvar_h" PATTERN "*.bif.h" + PATTERN "CMakeFiles" EXCLUDE ) install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/sqlite3.h From 026f78e5a3d0f362ec859968b97c2cfe0dec96bd Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 24 Jul 2018 16:39:34 -0500 Subject: [PATCH 581/631] Add broker/binpac/caf dirs to bro-config script --- CHANGES | 6 ++++++ CMakeLists.txt | 14 ++++++++++++++ VERSION | 2 +- aux/binpac | 2 +- aux/bro-aux | 2 +- bro-config.in | 14 +++++++++++++- cmake | 2 +- 7 files changed, 37 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 2809b30da0..6b5905ee3f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +2.5-775 | 2018-07-24 16:39:34 -0500 + + * Add broker/binpac/caf dirs to bro-config script (Jon Siwek, Corelight) + + * Exclude CMakeFiles from header installation path (Jon Siwek, Corelight) + 2.5-773 | 2018-07-24 15:04:41 +0000 * BIT-1950: Support PPPoE over QinQ (Jon Siwek, Corelight) diff --git a/CMakeLists.txt b/CMakeLists.txt index dd47aaaf9b..5f4f949a6f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -238,6 +238,20 @@ configure_file(${CMAKE_CURRENT_SOURCE_DIR}/bro-config.h.in include_directories(${CMAKE_CURRENT_BINARY_DIR}) install(FILES ${CMAKE_CURRENT_BINARY_DIR}/bro-config.h DESTINATION include/bro) +if ( CAF_ROOT_DIR ) + set(BRO_CONFIG_CAF_ROOT_DIR ${CAF_ROOT_DIR}) +else () + set(BRO_CONFIG_CAF_ROOT_DIR ${BRO_ROOT_DIR}) +endif () + +if ( BinPAC_ROOT_DIR ) + set(BRO_CONFIG_BINPAC_ROOT_DIR ${BinPAC_ROOT_DIR}) +else () + set(BRO_CONFIG_BINPAC_ROOT_DIR ${BRO_ROOT_DIR}) +endif () + +set(BRO_CONFIG_BROKER_ROOT_DIR ${BRO_ROOT_DIR}) + configure_file(${CMAKE_CURRENT_SOURCE_DIR}/bro-config.in ${CMAKE_CURRENT_BINARY_DIR}/bro-config @ONLY) install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/bro-config DESTINATION bin) diff --git a/VERSION b/VERSION index cc077245e0..4ef74ff31b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-773 +2.5-775 diff --git a/aux/binpac b/aux/binpac index bfdb7a8194..6c0bf00a5f 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit bfdb7a8194a84a6298f8776d7ac7132313742715 +Subproject commit 6c0bf00a5f1f63c2d8c35f9193d12a72eb0c0c79 diff --git a/aux/bro-aux b/aux/bro-aux index 0c60d51cf7..ee71fe58d3 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 0c60d51cf7faac478397bde72e7ead536365aa2d +Subproject commit ee71fe58d392812f09c3d08ec2c69bc9b757c086 diff --git a/bro-config.in b/bro-config.in index bd02d80bb2..be9ee551b3 100755 --- a/bro-config.in +++ b/bro-config.in 
@@ -11,9 +11,12 @@ cmake_dir=@CMAKE_INSTALL_PREFIX@/share/bro/cmake include_dir=@CMAKE_INSTALL_PREFIX@/include/bro bropath=@DEFAULT_BROPATH@ bro_dist=@BRO_DIST@ +binpac_root=@BRO_CONFIG_BINPAC_ROOT_DIR@ +caf_root=@BRO_CONFIG_CAF_ROOT_DIR@ +broker_root=@BRO_CONFIG_BROKER_ROOT_DIR@ usage="\ -Usage: bro-config [--version] [--prefix] [--script_dir] [--site_dir] [--plugin_dir] [--config_dir] [--python_dir] [--include_dir] [--cmake_dir] [--bropath] [--bro_dist]" +Usage: bro-config [--version] [--prefix] [--script_dir] [--site_dir] [--plugin_dir] [--config_dir] [--python_dir] [--include_dir] [--cmake_dir] [--bropath] [--bro_dist] [--binpac_root] [--caf_root] [--broker_root]" if [ $# -eq 0 ] ; then echo "${usage}" 1>&2 @@ -60,6 +63,15 @@ while [ $# -ne 0 ]; do --bro_dist) echo $bro_dist ;; + --binpac_root) + echo $binpac_root + ;; + --caf_root) + echo $caf_root + ;; + --broker_root) + echo $broker_root + ;; *) echo "${usage}" 1>&2 exit 1 diff --git a/cmake b/cmake index b4906b02b4..c4c2d6eeb7 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit b4906b02b4a9a4ceeecd17f2a61e7ce87f784b2a +Subproject commit c4c2d6eeb7609836255abb054b91c4039bb7e276 From 4a97421ef380442d703401bd04697aac73399e27 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 24 Jul 2018 16:52:58 -0500 Subject: [PATCH 582/631] Updating submodule(s). [nomail] --- aux/bifcl | 2 +- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/aux/bifcl b/aux/bifcl index c1a154dab5..7fffb6bcf1 160000 --- a/aux/bifcl +++ b/aux/bifcl @@ -1 +1 @@ -Subproject commit c1a154dab5c0d78a907ebfca71805b7a6dfb5952 +Subproject commit 7fffb6bcf1ea78331ca2fc0e7d16642ec2463ca0 diff --git a/aux/binpac b/aux/binpac index 6c0bf00a5f..4a06b4cf3c 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 6c0bf00a5f1f63c2d8c35f9193d12a72eb0c0c79 +Subproject commit 4a06b4cf3ce2112426c306cd358753793167bbeb 
diff --git a/aux/bro-aux b/aux/bro-aux index ee71fe58d3..c633a852ec 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit ee71fe58d392812f09c3d08ec2c69bc9b757c086 +Subproject commit c633a852ec0bb983e74c0f47b73d03a30b7f1259 diff --git a/aux/broccoli b/aux/broccoli index 86ebcbbebb..a4a859a7a8 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 86ebcbbebbfa4d7df33cec7ad6dfe7996b0a3ca3 +Subproject commit a4a859a7a87363167239205bd07fedced0c584a3 diff --git a/aux/broctl b/aux/broctl index 1d6d148b2f..206fc8254a 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 1d6d148b2feae71861f11ee21911aa64b7a360aa +Subproject commit 206fc8254a4049dfad420d5571704de4a06444bd diff --git a/aux/broker b/aux/broker index 99e0c0d40e..c5fb0f696e 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 99e0c0d40e176e7a8618d45de68b4cd528f7b7af +Subproject commit c5fb0f696e9088692ebe87ab733e3da847f37726 From 1bee7277e083b682ddcc1d7e4b3afb5db5de12bd Mon Sep 17 00:00:00 2001 From: Jeffrey Bencteux Date: Wed, 25 Jul 2018 13:27:11 +0200 Subject: [PATCH 583/631] fix NTLM NegotiateFlags field offsets Wrong offsets were used for the NegotiateFlags field of the NEGOTIATE_MESSAGE, CHALLENGE_MESSAGE and AUTHENTICATE_MESSAGE. See [MS-NLMP].pdf section 2.2.2.5 for a definition of that field. --- src/analyzer/protocol/ntlm/ntlm-protocol.pac | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/analyzer/protocol/ntlm/ntlm-protocol.pac b/src/analyzer/protocol/ntlm/ntlm-protocol.pac index 8862be1f22..f8784c74c7 100644 --- a/src/analyzer/protocol/ntlm/ntlm-protocol.pac +++ b/src/analyzer/protocol/ntlm/ntlm-protocol.pac 
@@ -171,7 +171,7 @@ type NTLM_Negotiate_Flags = record { request_non_nt_session_key : bool = (flags & 0x00400000) > 0; negotiate_identify : bool = (flags & 0x00100000) > 0; - negotiate_extended_sessionsecurity : bool = (flags & 0x00040000) > 0; + negotiate_extended_sessionsecurity : bool = (flags & 0x00080000) > 0; target_type_server : bool = (flags & 0x00020000) > 0; target_type_domain : bool = (flags & 0x00010000) > 0; @@ -179,14 +179,14 @@ type NTLM_Negotiate_Flags = record { negotiate_oem_workstation_supplied : bool = (flags & 0x00002000) > 0; negotiate_oem_domain_supplied : bool = (flags & 0x00001000) > 0; - negotiate_anonymous_connection : bool = (flags & 0x00000400) > 0; - negotiate_ntlm : bool = (flags & 0x00000100) > 0; + negotiate_anonymous_connection : bool = (flags & 0x00000800) > 0; + negotiate_ntlm : bool = (flags & 0x00000200) > 0; negotiate_lm_key : bool = (flags & 0x00000080) > 0; negotiate_datagram : bool = (flags & 0x00000040) > 0; negotiate_seal : bool = (flags & 0x00000020) > 0; + negotiate_sign : bool = (flags & 0x00000010) > 0; - negotiate_sign : bool = (flags & 0x00000008) > 0; request_target : bool = (flags & 0x00000004) > 0; negotiate_oem : bool = (flags & 0x00000002) > 0; negotiate_unicode : bool = (flags & 0x00000001) > 0; From 2502e48a01b81c5b90e19c9dc38e1a3f7b2e4367 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 25 Jul 2018 15:10:15 -0500 Subject: [PATCH 584/631] Updating submodule(s). [nomail] --- aux/broker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aux/broker b/aux/broker index c5fb0f696e..b5508f387b 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit c5fb0f696e9088692ebe87ab733e3da847f37726 +Subproject commit b5508f387bb6c24c95f23de479184869b9836769 From dfe0768fa1e9f23f2cca09bce6ad79525c18e993 Mon Sep 17 00:00:00 2001 
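Review bot: No test accompanies the corrected masks (the diffstat shows only ntlm-protocol.pac changing), so nothing pins `negotiate_extended_sessionsecurity` (0x00080000), `negotiate_anonymous_connection` (0x00000800), `negotiate_ntlm` (0x00000200) and `negotiate_sign` (0x00000010) to the layout in [MS-NLMP] 2.2.2.5; this applies to both hunks of the record. Before the change these fields were testing neighbouring bit positions, so any script or log consumer keyed on them was presumably reading wrong values without any error, which is what a baseline over a captured NTLM exchange would catch. I would also add a comment above the record such as `# Masks follow the NegotiateFlags layout in [MS-NLMP] section 2.2.2.5.` so that later edits are checked against the spec. The record body starts and ends outside both hunks.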
From: Vern Paxson Date: Thu, 26 Jul 2018 12:18:31 -0700 Subject: [PATCH 585/631] v += e implemented --- src/Expr.cc | 37 ++++++++++++++++++++++++++++++++++++- src/Val.h | 2 -- 2 files changed, 36 insertions(+), 3 deletions(-) diff --git a/src/Expr.cc b/src/Expr.cc index a86f86b9c4..8856fb3a4b 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -1390,7 +1390,8 @@ bool AddExpr::DoUnserialize(UnserialInfo* info) } AddToExpr::AddToExpr(Expr* arg_op1, Expr* arg_op2) -: BinaryExpr(EXPR_ADD_TO, arg_op1->MakeLvalue(), arg_op2) +: BinaryExpr(EXPR_ADD_TO, + is_vector(arg_op1) ? arg_op1 : arg_op1->MakeLvalue(), arg_op2) { if ( IsError() ) return; @@ -1404,6 +1405,32 @@ AddToExpr::AddToExpr(Expr* arg_op1, Expr* arg_op2) SetType(base_type(bt1)); else if ( BothInterval(bt1, bt2) ) SetType(base_type(bt1)); + + else if ( IsVector(bt1) ) + { + bt1 = op1->Type()->AsVectorType()->YieldType()->Tag(); + + if ( IsArithmetic(bt1) ) + { + if ( IsArithmetic(bt2) ) + { + if ( bt2 != bt1 ) + op2 = new ArithCoerceExpr(op2, bt1); + + SetType(op1->Type()->Ref()); + } + + else + ExprError("appending non-arithmetic to arithmetic vector"); + } + + else if ( bt1 != bt2 ) + ExprError("incompatible vector append"); + + else + SetType(op1->Type()->Ref()); + } + else ExprError("requires two arithmetic or two string operands"); } @@ -1421,6 +1448,14 @@ Val* AddToExpr::Eval(Frame* f) const return 0; } + if ( is_vector(v1) ) + { + VectorVal* vv = v1->AsVectorVal(); + if ( ! vv->Assign(vv->Size(), v2) ) + reporter->Error("type-checking failed in vector append"); + return v1; + } + Val* result = Fold(v1, v2); Unref(v1); Unref(v2); diff --git a/src/Val.h b/src/Val.h index 771ed40dd1..a050c5d4fe 100644 --- a/src/Val.h +++ b/src/Val.h 
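Review bot: The initializer in the `@@ -1390,7 +1390,8 @@` hunk skips `MakeLvalue()` whenever `is_vector(arg_op1)` holds, so whatever checks `MakeLvalue()` applies to the left operand no longer run for vector appends. If those checks include rejecting `const` identifiers (not visible here, worth confirming), `v += e` on a const vector would be mutated in place by `Eval` without a diagnostic. A short comment on the initializer saying why vectors bypass the lvalue conversion, plus a test that appends to a `const` vector, would settle it.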
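Review bot: In the new `IsVector(bt1)` branch of the constructor (`@@ -1404,6 +1405,32 @@`), the non-arithmetic case compares only type tags (`else if ( bt1 != bt2 )`), so an operand whose tag matches but whose full type differs (one record type appended to a vector of another, for instance) passes the static check. The mismatch is then left to `vv->Assign(...)` in `Eval`, where it surfaces as the run-time "type-checking failed in vector append" report instead of a parse-time error. Comparing the full types would close that gap: `else if ( ! same_type(op1->Type()->AsVectorType()->YieldType(), op2->Type()) )`. Part of the constructor body lies outside the hunk.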
@@ -1015,8 +1015,6 @@ public: // Returns false if the type of the argument was wrong. // The vector will automatically grow to accomodate the index. - // 'assigner" is the expression that is doing the assignment; - // it's just used for pinpointing errors. // // Note: does NOT Ref() the element! Remember to do so unless // the element was just created and thus has refcount 1. From 016a164bb68355332d08701ae971a7eb3830433c Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Thu, 26 Jul 2018 12:29:50 -0700 Subject: [PATCH 586/631] documentation of v += e --- NEWS | 3 +++ doc/script-reference/types.rst | 14 ++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/NEWS b/NEWS index 3cb0fd79b3..f160ec06b1 100644 --- a/NEWS +++ b/NEWS @@ -277,6 +277,9 @@ New Functionality - Bro now supports PPPoE over QinQ. +- An expression of the form v += e will append the value of the expression + e to the end of the vector v (of course assuming type-compatbility). + Changed Functionality --------------------- diff --git a/doc/script-reference/types.rst b/doc/script-reference/types.rst index f1d81f63ab..c3bacabbf8 100644 --- a/doc/script-reference/types.rst +++ b/doc/script-reference/types.rst @@ -599,6 +599,20 @@ Here is a more detailed description of each type: |v| + A particularly common operation on a vector is to append an element + to its end. You can do so using: + + .. code:: bro + + v += e; + + where if e's type is ``X``, v's type is ``vector of X``. Note that + this expression is equivalent to: + + .. code:: bro + + v[|v|] = e; + Vectors of integral types (``int`` or ``count``) support the pre-increment (``++``) and pre-decrement operators (``--``), which will increment or decrement each element in the vector. From 81c63a0c65aea8c0dd98d3ce9e6c36c793bc4f58 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Thu, 26 Jul 2018 12:37:06 -0700 Subject: [PATCH 587/631] test case for v += e --- testing/btest/language/vector.bro | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/testing/btest/language/vector.bro b/testing/btest/language/vector.bro index 76fc8b69e3..85bed8eae2 100644 --- a/testing/btest/language/vector.bro +++ b/testing/btest/language/vector.bro @@ -163,5 +163,10 @@ event bro_init() test_case( "&& operator", v14[0] == F && v14[1] == F && v14[2] == T ); test_case( "|| operator", v15[0] == T && v15[1] == F && v15[2] == T ); + # Test += operator. + local v16 = v6; + v16 += 40; + test_case( "+= operator", all_set(v16 == vector( 10, 20, 30, 40 )) ); + } From 88fd7510c66980836fa37ab619d65ac3daa0d902 Mon Sep 17 00:00:00 2001 
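Review bot: The added case covers only appending a `count` literal to a vector of `count`; the coercion path (`ArithCoerceExpr` when the element and yield tags differ) and the rejection paths ("incompatible vector append", "appending non-arithmetic to arithmetic vector") that came in with the operator have no test here. An append of an integer literal to a `vector of double` and an append to a `vector of string` would cover the accepted paths, with the error cases in a separate test that checks the reported messages. Also, `local v16 = v6;` presumably aliases `v6` rather than copying it, so the append changes `v6` as well; `local v16 = copy(v6);` keeps the case independent of the earlier ones. The body of `bro_init` starts outside the hunk.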
From: Vern Paxson Date: Thu, 26 Jul 2018 12:51:36 -0700 Subject: [PATCH 588/631] reap the fruits of v += e --- .../data_struct_vector_declaration.bro | 8 +-- scripts/base/files/pe/main.bro | 2 +- scripts/base/files/x509/main.bro | 2 +- scripts/base/frameworks/cluster/main.bro | 4 +- scripts/base/frameworks/cluster/pools.bro | 8 +-- scripts/base/frameworks/config/main.bro | 4 +- scripts/base/frameworks/netcontrol/main.bro | 12 ++--- .../netcontrol/plugins/openflow.bro | 14 ++--- .../base/frameworks/openflow/plugins/ryu.bro | 2 +- scripts/base/frameworks/sumstats/main.bro | 6 +-- .../base/frameworks/sumstats/non-cluster.bro | 2 +- .../frameworks/sumstats/plugins/sample.bro | 2 +- scripts/base/protocols/dhcp/main.bro | 2 +- scripts/base/protocols/dns/main.bro | 4 +- scripts/base/protocols/http/entities.bro | 12 ++--- scripts/base/protocols/http/utils.bro | 2 +- scripts/base/protocols/sip/main.bro | 4 +- scripts/base/protocols/smtp/files.bro | 2 +- scripts/base/protocols/smtp/main.bro | 2 +- scripts/base/protocols/ssl/files.bro | 8 +-- scripts/base/utils/addrs.bro | 4 +- scripts/base/utils/email.bro | 2 +- scripts/base/utils/exec.bro | 6 +-- scripts/base/utils/json.bro | 8 +-- .../notice/extend-email/hostnames.bro | 4 +- scripts/policy/misc/load-balancing.bro | 2 +- scripts/policy/protocols/dhcp/msg-orig.bro | 2 +- .../policy/protocols/http/header-names.bro | 4 +- scripts/policy/protocols/ssl/heartbleed.bro | 54 +++++++++---------- scripts/policy/protocols/ssl/notary.bro | 2 +- scripts/policy/protocols/ssl/validate-sct.bro | 4 +- testing/btest/core/leaks/broker/data.bro | 2 +- testing/btest/language/ipv6-literals.bro | 48 ++++++++--------- .../language/record-default-coercion.bro | 2 +- .../netcontrol/delete-internal-state.bro | 8 +-- .../base/frameworks/netcontrol/multiple.bro | 8 +-- .../frameworks/sumstats/sample-cluster.bro | 2 +- 37 files changed, 132 insertions(+), 132 deletions(-) 
diff --git a/doc/scripting/data_struct_vector_declaration.bro b/doc/scripting/data_struct_vector_declaration.bro index 6d684d09b1..e9b31880f6 100644 --- a/doc/scripting/data_struct_vector_declaration.bro +++ b/doc/scripting/data_struct_vector_declaration.bro @@ -3,10 +3,10 @@ event bro_init() local v1: vector of count; local v2 = vector(1, 2, 3, 4); - v1[|v1|] = 1; - v1[|v1|] = 2; - v1[|v1|] = 3; - v1[|v1|] = 4; + v1 += 1; + v1 += 2; + v1 += 3; + v1 += 4; print fmt("contents of v1: %s", v1); print fmt("length of v1: %d", |v1|); diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro index b2723e4138..972e8a31c8 100644 --- a/scripts/base/files/pe/main.bro +++ b/scripts/base/files/pe/main.bro @@ -126,7 +126,7 @@ event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5 if ( ! f$pe?$section_names ) f$pe$section_names = vector(); - f$pe$section_names[|f$pe$section_names|] = h$name; + f$pe$section_names += h$name; } event file_state_remove(f: fa_file) &priority=-5 diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro index 30f60f1362..b6fdde5494 100644 --- a/scripts/base/files/x509/main.bro +++ b/scripts/base/files/x509/main.bro @@ -66,7 +66,7 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi event x509_extension(f: fa_file, ext: X509::Extension) &priority=5 { if ( f$info?$x509 ) - f$info$x509$extensions[|f$info$x509$extensions|] = ext; + f$info$x509$extensions += ext; } event x509_ext_basic_constraints(f: fa_file, ext: X509::BasicConstraints) &priority=5 diff --git a/scripts/base/frameworks/cluster/main.bro b/scripts/base/frameworks/cluster/main.bro index 8eb4bf90bf..779f0c159a 100644 --- a/scripts/base/frameworks/cluster/main.bro +++ b/scripts/base/frameworks/cluster/main.bro 
@@ -251,7 +251,7 @@ function nodes_with_type(node_type: NodeType): vector of NamedNode local names: vector of string = vector(); for ( name in Cluster::nodes ) - names[|names|] = name; + names += name; names = sort(names, strcmp); @@ -263,7 +263,7 @@ function nodes_with_type(node_type: NodeType): vector of NamedNode if ( n$node_type != node_type ) next; - rval[|rval|] = NamedNode($name=name, $node=n); + rval += NamedNode($name=name, $node=n); } return rval; diff --git a/scripts/base/frameworks/cluster/pools.bro b/scripts/base/frameworks/cluster/pools.bro index fb45594adc..ac8673b7e8 100644 --- a/scripts/base/frameworks/cluster/pools.bro +++ b/scripts/base/frameworks/cluster/pools.bro @@ -157,7 +157,7 @@ global registered_pools: vector of Pool = vector(); function register_pool(spec: PoolSpec): Pool { local rval = Pool($spec = spec); - registered_pools[|registered_pools|] = rval; + registered_pools += rval; return rval; } @@ -276,7 +276,7 @@ function init_pool_node(pool: Pool, name: string): bool local pn = PoolNode($name=name, $alias=alias, $site_id=site_id, $alive=Cluster::node == name); pool$nodes[name] = pn; - pool$node_list[|pool$node_list|] = pn; + pool$node_list += pn; if ( pn$alive ) ++pool$alive_count; @@ -366,7 +366,7 @@ event bro_init() &priority=-5 if ( |mgr| > 0 ) { local eln = pool_eligibility[Cluster::LOGGER]$eligible_nodes; - eln[|eln|] = mgr[0]; + eln += mgr[0]; } } @@ -423,7 +423,7 @@ event bro_init() &priority=-5 if ( j < e ) next; - nen[|nen|] = pet$eligible_nodes[j]; + nen += pet$eligible_nodes[j]; } pet$eligible_nodes = nen; diff --git a/scripts/base/frameworks/config/main.bro b/scripts/base/frameworks/config/main.bro index b83da42785..6268ee4a8d 100644 --- a/scripts/base/frameworks/config/main.bro +++ b/scripts/base/frameworks/config/main.bro 
@@ -120,14 +120,14 @@ function format_value(value: any) : string { local it: set[bool] = value; for ( sv in it ) - part[|part|] = cat(sv); + part += cat(sv); return join_string_vec(part, ","); } else if ( /^vector/ in tn ) { local vit: vector of any = value; for ( i in vit ) - part[|part|] = cat(vit[i]); + part += cat(vit[i]); return join_string_vec(part, ","); } else if ( tn == "string" ) diff --git a/scripts/base/frameworks/netcontrol/main.bro b/scripts/base/frameworks/netcontrol/main.bro index 3e9b35fa8c..a9418508af 100644 --- a/scripts/base/frameworks/netcontrol/main.bro +++ b/scripts/base/frameworks/netcontrol/main.bro 
@@ -555,19 +555,19 @@ function quarantine_host(infected: addr, dns: addr, quarantine: addr, t: interva local orules: vector of string = vector(); local edrop: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected))]; local rdrop: Rule = [$ty=DROP, $target=FORWARD, $entity=edrop, $expire=t, $location=location]; - orules[|orules|] = add_rule(rdrop); + orules += add_rule(rdrop); local todnse: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(dns), $dst_p=53/udp)]; local todnsr = Rule($ty=MODIFY, $target=FORWARD, $entity=todnse, $expire=t, $location=location, $mod=FlowMod($dst_h=quarantine), $priority=+5); - orules[|orules|] = add_rule(todnsr); + orules += add_rule(todnsr); local fromdnse: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(dns), $src_p=53/udp, $dst_h=addr_to_subnet(infected))]; local fromdnsr = Rule($ty=MODIFY, $target=FORWARD, $entity=fromdnse, $expire=t, $location=location, $mod=FlowMod($src_h=dns), $priority=+5); - orules[|orules|] = add_rule(fromdnsr); + orules += add_rule(fromdnsr); local wle: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(quarantine), $dst_p=80/tcp)]; local wlr = Rule($ty=WHITELIST, $target=FORWARD, $entity=wle, $expire=t, $location=location, $priority=+5); - orules[|orules|] = add_rule(wlr); + orules += add_rule(wlr); return orules; } @@ -637,7 +637,7 @@ event NetControl::init() &priority=-20 function activate_impl(p: PluginState, priority: int) { p$_priority = priority; - plugins[|plugins|] = p; + plugins += p; sort(plugins, function(p1: PluginState, p2: PluginState) : int { return p2$_priority - p1$_priority; }); plugin_ids[plugin_counter] = p; @@ -734,7 +734,7 @@ function find_rules_subnet(sn: subnet) : vector of Rule for ( rule_id in rules_by_subnets[sn_entry] ) { if ( rule_id in rules ) - ret[|ret|] = rules[rule_id]; + ret += rules[rule_id]; else Reporter::error("find_rules_subnet - internal data structure error, missing rule"); } 
diff --git a/scripts/base/frameworks/netcontrol/plugins/openflow.bro b/scripts/base/frameworks/netcontrol/plugins/openflow.bro index c528a1ba3e..f1403a70a8 100644 --- a/scripts/base/frameworks/netcontrol/plugins/openflow.bro +++ b/scripts/base/frameworks/netcontrol/plugins/openflow.bro @@ -158,17 +158,17 @@ function entity_to_match(p: PluginState, e: Entity): vector of OpenFlow::ofp_mat if ( e$ty == CONNECTION ) { - v[|v|] = OpenFlow::match_conn(e$conn); # forward and... - v[|v|] = OpenFlow::match_conn(e$conn, T); # reverse + v += OpenFlow::match_conn(e$conn); # forward and... + v += OpenFlow::match_conn(e$conn, T); # reverse return openflow_match_pred(p, e, v); } if ( e$ty == MAC ) { - v[|v|] = OpenFlow::ofp_match( + v += OpenFlow::ofp_match( $dl_src=e$mac ); - v[|v|] = OpenFlow::ofp_match( + v += OpenFlow::ofp_match( $dl_dst=e$mac ); @@ -182,12 +182,12 @@ function entity_to_match(p: PluginState, e: Entity): vector of OpenFlow::ofp_mat if ( is_v6_subnet(e$ip) ) dl_type = OpenFlow::ETH_IPv6; - v[|v|] = OpenFlow::ofp_match( + v += OpenFlow::ofp_match( $dl_type=dl_type, $nw_src=e$ip ); - v[|v|] = OpenFlow::ofp_match( + v += OpenFlow::ofp_match( $dl_type=dl_type, $nw_dst=e$ip ); @@ -231,7 +231,7 @@ function entity_to_match(p: PluginState, e: Entity): vector of OpenFlow::ofp_mat m$tp_dst = port_to_count(f$dst_p); } - v[|v|] = m; + v += m; return openflow_match_pred(p, e, v); } diff --git a/scripts/base/frameworks/openflow/plugins/ryu.bro b/scripts/base/frameworks/openflow/plugins/ryu.bro index f022fe0f03..cc400293a0 100644 --- a/scripts/base/frameworks/openflow/plugins/ryu.bro +++ b/scripts/base/frameworks/openflow/plugins/ryu.bro 
@@ -88,7 +88,7 @@ function ryu_flow_mod(state: OpenFlow::ControllerState, match: ofp_match, flow_m local flow_actions: vector of ryu_flow_action = vector(); for ( i in flow_mod$actions$out_ports ) - flow_actions[|flow_actions|] = ryu_flow_action($_type="OUTPUT", $_port=flow_mod$actions$out_ports[i]); + flow_actions += ryu_flow_action($_type="OUTPUT", $_port=flow_mod$actions$out_ports[i]); # Generate our ryu_flow_mod record for the ReST API call. local mod: ryu_ofp_flow_mod = ryu_ofp_flow_mod( diff --git a/scripts/base/frameworks/sumstats/main.bro b/scripts/base/frameworks/sumstats/main.bro index edd80ede0f..f704dbcdd2 100644 --- a/scripts/base/frameworks/sumstats/main.bro +++ b/scripts/base/frameworks/sumstats/main.bro @@ -267,7 +267,7 @@ function add_observe_plugin_dependency(calc: Calculation, depends_on: Calculatio { if ( calc !in calc_deps ) calc_deps[calc] = vector(); - calc_deps[calc][|calc_deps[calc]|] = depends_on; + calc_deps[calc] += depends_on; } event bro_init() &priority=100000 @@ -348,7 +348,7 @@ function add_calc_deps(calcs: vector of Calculation, c: Calculation) { if ( calc_deps[c][i] in calc_deps ) add_calc_deps(calcs, calc_deps[c][i]); - calcs[|c|] = calc_deps[c][i]; + calcs += calc_deps[c][i]; #print fmt("add dep for %s [%s] ", c, calc_deps[c][i]); } } @@ -387,7 +387,7 @@ function create(ss: SumStat) skip_calc=T; } if ( ! skip_calc ) - reducer$calc_funcs[|reducer$calc_funcs|] = calc; + reducer$calc_funcs += calc; } if ( reducer$stream !in reducer_store ) diff --git a/scripts/base/frameworks/sumstats/non-cluster.bro b/scripts/base/frameworks/sumstats/non-cluster.bro index 57785a03b2..100e8dad4a 100644 --- a/scripts/base/frameworks/sumstats/non-cluster.bro +++ b/scripts/base/frameworks/sumstats/non-cluster.bro 
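Review bot: In `add_calc_deps` (the `@@ -348,7 +348,7 @@` hunk) the rewrite is not the mechanical substitution made everywhere else in this commit: the old line was `calcs[|c|] = calc_deps[c][i];`, indexing by `|c|` rather than `|calcs|`, and the new `calcs += calc_deps[c][i];` appends. That changes where dependencies land in `calcs`, so it looks like a bug fix riding along in a refactor; it deserves a line in the commit message and a test that registers a calculation with more than one dependency. The function body starts outside the hunk.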
@@ -11,7 +11,7 @@ event SumStats::process_epoch_result(ss: SumStat, now: time, data: ResultTable) for ( key in data ) { ss$epoch_result(now, key, data[key]); - keys_to_delete[|keys_to_delete|] = key; + keys_to_delete += key; if ( --i == 0 ) break; diff --git a/scripts/base/frameworks/sumstats/plugins/sample.bro b/scripts/base/frameworks/sumstats/plugins/sample.bro index 0200e85949..2f96c5eb30 100644 --- a/scripts/base/frameworks/sumstats/plugins/sample.bro +++ b/scripts/base/frameworks/sumstats/plugins/sample.bro @@ -43,7 +43,7 @@ function sample_add_sample(obs:Observation, rv: ResultVal) ++rv$sample_elements; if ( |rv$samples| < rv$num_samples ) - rv$samples[|rv$samples|] = obs; + rv$samples += obs; else { local ra = rand(rv$sample_elements); diff --git a/scripts/base/protocols/dhcp/main.bro b/scripts/base/protocols/dhcp/main.bro index 5e33d269f3..ae102e6085 100644 --- a/scripts/base/protocols/dhcp/main.bro +++ b/scripts/base/protocols/dhcp/main.bro @@ -178,7 +178,7 @@ event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, ms if ( uid !in log_info$uids ) add log_info$uids[uid]; - log_info$msg_types[|log_info$msg_types|] = DHCP::message_types[msg$m_type]; + log_info$msg_types += DHCP::message_types[msg$m_type]; # Let's watch for messages in any DHCP message type # and split them out based on client and server. diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index a8946e871e..127a06b5a0 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -324,11 +324,11 @@ hook DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) { if ( ! c$dns?$answers ) c$dns$answers = vector(); - c$dns$answers[|c$dns$answers|] = reply; + c$dns$answers += reply; if ( ! c$dns?$TTLs ) c$dns$TTLs = vector(); - c$dns$TTLs[|c$dns$TTLs|] = ans$TTL; + c$dns$TTLs += ans$TTL; } } } 
diff --git a/scripts/base/protocols/http/entities.bro b/scripts/base/protocols/http/entities.bro index bec89b536d..3670d7879a 100644 --- a/scripts/base/protocols/http/entities.bro +++ b/scripts/base/protocols/http/entities.bro @@ -87,14 +87,14 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori if ( ! c$http?$orig_fuids ) c$http$orig_fuids = string_vec(f$id); else - c$http$orig_fuids[|c$http$orig_fuids|] = f$id; + c$http$orig_fuids += f$id; if ( f$info?$filename ) { if ( ! c$http?$orig_filenames ) c$http$orig_filenames = string_vec(f$info$filename); else - c$http$orig_filenames[|c$http$orig_filenames|] = f$info$filename; + c$http$orig_filenames += f$info$filename; } } @@ -103,14 +103,14 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori if ( ! c$http?$resp_fuids ) c$http$resp_fuids = string_vec(f$id); else - c$http$resp_fuids[|c$http$resp_fuids|] = f$id; + c$http$resp_fuids += f$id; if ( f$info?$filename ) { if ( ! c$http?$resp_filenames ) c$http$resp_filenames = string_vec(f$info$filename); else - c$http$resp_filenames[|c$http$resp_filenames|] = f$info$filename; + c$http$resp_filenames += f$info$filename; } } @@ -130,14 +130,14 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=5 if ( ! f$http?$orig_mime_types ) f$http$orig_mime_types = string_vec(meta$mime_type); else - f$http$orig_mime_types[|f$http$orig_mime_types|] = meta$mime_type; + f$http$orig_mime_types += meta$mime_type; } else { if ( ! f$http?$resp_mime_types ) f$http$resp_mime_types = string_vec(meta$mime_type); else - f$http$resp_mime_types[|f$http$resp_mime_types|] = meta$mime_type; + f$http$resp_mime_types += meta$mime_type; } } diff --git a/scripts/base/protocols/http/utils.bro b/scripts/base/protocols/http/utils.bro index 88549f8404..67f13f2640 100644 --- a/scripts/base/protocols/http/utils.bro +++ b/scripts/base/protocols/http/utils.bro 
@@ -47,7 +47,7 @@ function extract_keys(data: string, kv_splitter: pattern): string_vec { local key_val = split_string1(parts[part_index], /=/); if ( 0 in key_val ) - key_vec[|key_vec|] = key_val[0]; + key_vec += key_val[0]; } return key_vec; } diff --git a/scripts/base/protocols/sip/main.bro b/scripts/base/protocols/sip/main.bro index f629049928..f4dba22876 100644 --- a/scripts/base/protocols/sip/main.bro +++ b/scripts/base/protocols/sip/main.bro @@ -226,7 +226,7 @@ event sip_header(c: connection, is_request: bool, name: string, value: string) & c$sip$user_agent = value; break; case "VIA", "V": - c$sip$request_path[|c$sip$request_path|] = split_string1(value, /;[ ]?branch/)[0]; + c$sip$request_path += split_string1(value, /;[ ]?branch/)[0]; break; } @@ -256,7 +256,7 @@ event sip_header(c: connection, is_request: bool, name: string, value: string) & c$sip$response_to = value; break; case "VIA", "V": - c$sip$response_path[|c$sip$response_path|] = split_string1(value, /;[ ]?branch/)[0]; + c$sip$response_path += split_string1(value, /;[ ]?branch/)[0]; break; } diff --git a/scripts/base/protocols/smtp/files.bro b/scripts/base/protocols/smtp/files.bro index 352c2025a3..a65b90b528 100644 --- a/scripts/base/protocols/smtp/files.bro +++ b/scripts/base/protocols/smtp/files.bro @@ -49,5 +49,5 @@ event bro_init() &priority=5 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5 { if ( c?$smtp && !c$smtp$tls ) - c$smtp$fuids[|c$smtp$fuids|] = f$id; + c$smtp$fuids += f$id; } diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro index cd0e730d8e..18c75a93c0 100644 --- a/scripts/base/protocols/smtp/main.bro +++ b/scripts/base/protocols/smtp/main.bro 
@@ -295,7 +295,7 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=3 c$smtp$process_received_from = F; } if ( c$smtp$path[|c$smtp$path|-1] != ip ) - c$smtp$path[|c$smtp$path|] = ip; + c$smtp$path += ip; } event connection_state_remove(c: connection) &priority=-5 diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro index 8750645b36..d0d89561e3 100644 --- a/scripts/base/protocols/ssl/files.bro +++ b/scripts/base/protocols/ssl/files.bro @@ -121,13 +121,13 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=5 if ( f$is_orig ) { - c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info; - c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id; + c$ssl$client_cert_chain += f$info; + c$ssl$client_cert_chain_fuids += f$id; } else { - c$ssl$cert_chain[|c$ssl$cert_chain|] = f$info; - c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id; + c$ssl$cert_chain += f$info; + c$ssl$cert_chain_fuids += f$id; } } diff --git a/scripts/base/utils/addrs.bro b/scripts/base/utils/addrs.bro index e8fd746e5e..058aabd96e 100644 --- a/scripts/base/utils/addrs.bro +++ b/scripts/base/utils/addrs.bro @@ -100,7 +100,7 @@ function find_ip_addresses(input: string): string_array &deprecated for ( i in parts ) { if ( i % 2 == 1 && is_valid_ip(parts[i]) ) - output[|output|] = parts[i]; + output += parts[i]; } return output; } @@ -118,7 +118,7 @@ function extract_ip_addresses(input: string): string_vec for ( i in parts ) { if ( i % 2 == 1 && is_valid_ip(parts[i]) ) - output[|output|] = parts[i]; + output += parts[i]; } return output; } diff --git a/scripts/base/utils/email.bro b/scripts/base/utils/email.bro index 08e8db8500..4feed351b4 100644 --- a/scripts/base/utils/email.bro +++ b/scripts/base/utils/email.bro 
@@ -10,7 +10,7 @@ function extract_email_addrs_vec(str: string): string_vec local raw_addrs = find_all(str, /(^|[<,:[:blank:]])[^<,:[:blank:]@]+"@"[^>,;[:blank:]]+([>,;[:blank:]]|$)/); for ( raw_addr in raw_addrs ) - addrs[|addrs|] = gsub(raw_addr, /[<>,:;[:blank:]]/, ""); + addrs += gsub(raw_addr, /[<>,:;[:blank:]]/, ""); return addrs; } diff --git a/scripts/base/utils/exec.bro b/scripts/base/utils/exec.bro index a926775bda..61488a1249 100644 --- a/scripts/base/utils/exec.bro +++ b/scripts/base/utils/exec.bro @@ -69,14 +69,14 @@ event Exec::line(description: Input::EventDescription, tpe: Input::Event, s: str if ( ! result?$stderr ) result$stderr = vector(s); else - result$stderr[|result$stderr|] = s; + result$stderr += s; } else { if ( ! result?$stdout ) result$stdout = vector(s); else - result$stdout[|result$stdout|] = s; + result$stdout += s; } } @@ -93,7 +93,7 @@ event Exec::file_line(description: Input::EventDescription, tpe: Input::Event, s if ( track_file !in result$files ) result$files[track_file] = vector(s); else - result$files[track_file][|result$files[track_file]|] = s; + result$files[track_file] += s; } event Input::end_of_data(orig_name: string, source:string) diff --git a/scripts/base/utils/json.bro b/scripts/base/utils/json.bro index 05dcff1e27..45248e3ea2 100644 --- a/scripts/base/utils/json.bro +++ b/scripts/base/utils/json.bro @@ -66,7 +66,7 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p if ( field_desc?$value && (!only_loggable || field_desc$log) ) { local onepart = cat("\"", field, "\": ", to_json(field_desc$value, only_loggable)); - rec_parts[|rec_parts|] = onepart; + rec_parts += onepart; } } return cat("{", join_string_vec(rec_parts, ", "), "}"); 
@@ -79,7 +79,7 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p local sa: set[bool] = v; for ( sv in sa ) { - set_parts[|set_parts|] = to_json(sv, only_loggable); + set_parts += to_json(sv, only_loggable); } return cat("[", join_string_vec(set_parts, ", "), "]"); } @@ -91,7 +91,7 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p { local ts = to_json(ti); local if_quotes = (ts[0] == "\"") ? "" : "\""; - tab_parts[|tab_parts|] = cat(if_quotes, ts, if_quotes, ": ", to_json(ta[ti], only_loggable)); + tab_parts += cat(if_quotes, ts, if_quotes, ": ", to_json(ta[ti], only_loggable)); } return cat("{", join_string_vec(tab_parts, ", "), "}"); } @@ -101,7 +101,7 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p local va: vector of any = v; for ( vi in va ) { - vec_parts[|vec_parts|] = to_json(va[vi], only_loggable); + vec_parts += to_json(va[vi], only_loggable); } return cat("[", join_string_vec(vec_parts, ", "), "]"); } diff --git a/scripts/policy/frameworks/notice/extend-email/hostnames.bro b/scripts/policy/frameworks/notice/extend-email/hostnames.bro index d8dac39e43..9ee58d3e0b 100644 --- a/scripts/policy/frameworks/notice/extend-email/hostnames.bro +++ b/scripts/policy/frameworks/notice/extend-email/hostnames.bro @@ -35,7 +35,7 @@ hook notice(n: Notice::Info) &priority=10 when ( local src_name = lookup_addr(n$src) ) { output = string_cat("orig/src hostname: ", src_name, "\n"); - tmp_notice_storage[uid]$email_body_sections[|tmp_notice_storage[uid]$email_body_sections|] = output; + tmp_notice_storage[uid]$email_body_sections += output; delete tmp_notice_storage[uid]$email_delay_tokens["hostnames-src"]; } } 
@@ -45,7 +45,7 @@ hook notice(n: Notice::Info) &priority=10 when ( local dst_name = lookup_addr(n$dst) ) { output = string_cat("resp/dst hostname: ", dst_name, "\n"); - tmp_notice_storage[uid]$email_body_sections[|tmp_notice_storage[uid]$email_body_sections|] = output; + tmp_notice_storage[uid]$email_body_sections += output; delete tmp_notice_storage[uid]$email_delay_tokens["hostnames-dst"]; } } diff --git a/scripts/policy/misc/load-balancing.bro b/scripts/policy/misc/load-balancing.bro index 928d0e74c0..40bbe238ca 100644 --- a/scripts/policy/misc/load-balancing.bro +++ b/scripts/policy/misc/load-balancing.bro @@ -40,7 +40,7 @@ event bro_init() &priority=5 # Sort nodes list so that every node iterates over it in same order. for ( name in Cluster::nodes ) - sorted_node_names[|sorted_node_names|] = name; + sorted_node_names += name; sort(sorted_node_names, strcmp); diff --git a/scripts/policy/protocols/dhcp/msg-orig.bro b/scripts/policy/protocols/dhcp/msg-orig.bro index beb7c7d78b..d2350192b5 100644 --- a/scripts/policy/protocols/dhcp/msg-orig.bro +++ b/scripts/policy/protocols/dhcp/msg-orig.bro @@ -17,5 +17,5 @@ export { event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=3 { - log_info$msg_orig[|log_info$msg_orig|] = is_orig ? id$orig_h : id$resp_h; + log_info$msg_orig += is_orig ? id$orig_h : id$resp_h; } diff --git a/scripts/policy/protocols/http/header-names.bro b/scripts/policy/protocols/http/header-names.bro index ed3f9380a7..1b256226dd 100644 --- a/scripts/policy/protocols/http/header-names.bro +++ b/scripts/policy/protocols/http/header-names.bro @@ -35,7 +35,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr { if ( ! c$http?$client_header_names ) c$http$client_header_names = vector(); - c$http$client_header_names[|c$http$client_header_names|] = name; + c$http$client_header_names += name; } } else 
@@ -44,7 +44,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr { if ( ! c$http?$server_header_names ) c$http$server_header_names = vector(); - c$http$server_header_names[|c$http$server_header_names|] = name; + c$http$server_header_names += name; } } } diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro index 783961bef2..e1073b3ff0 100644 --- a/scripts/policy/protocols/ssl/heartbleed.bro +++ b/scripts/policy/protocols/ssl/heartbleed.bro 
@@ -50,33 +50,33 @@ event bro_init() # Minimum length a heartbeat packet must have for different cipher suites. # Note - tls 1.1f and 1.0 have different lengths :( # This should be all cipher suites usually supported by vulnerable servers. - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_AES_256_GCM_SHA384$/, $min_length=43]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_AES_128_GCM_SHA256$/, $min_length=43]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_256_CBC_SHA384$/, $min_length=96]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_256_CBC_SHA256$/, $min_length=80]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_256_CBC_SHA$/, $min_length=64]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_128_CBC_SHA256$/, $min_length=80]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_128_CBC_SHA$/, $min_length=64]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_3DES_EDE_CBC_SHA$/, $min_length=48]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_SEED_CBC_SHA$/, $min_length=64]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_IDEA_CBC_SHA$/, $min_length=48]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_DES_CBC_SHA$/, $min_length=48]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_DES40_CBC_SHA$/, $min_length=48]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC4_128_SHA$/, $min_length=39]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC4_128_MD5$/, $min_length=35]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC4_40_MD5$/, $min_length=35]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC2_CBC_40_MD5$/, $min_length=48]; - min_lengths[|min_lengths|] = [$cipher=/_256_CBC_SHA$/, $min_length=48]; - min_lengths[|min_lengths|] = [$cipher=/_128_CBC_SHA$/, $min_length=48]; - min_lengths[|min_lengths|] = [$cipher=/_3DES_EDE_CBC_SHA$/, $min_length=40]; - min_lengths[|min_lengths|] = [$cipher=/_SEED_CBC_SHA$/, $min_length=48]; - min_lengths[|min_lengths|] = 
[$cipher=/_IDEA_CBC_SHA$/, $min_length=40]; - min_lengths[|min_lengths|] = [$cipher=/_DES_CBC_SHA$/, $min_length=40]; - min_lengths[|min_lengths|] = [$cipher=/_DES40_CBC_SHA$/, $min_length=40]; - min_lengths[|min_lengths|] = [$cipher=/_RC4_128_SHA$/, $min_length=39]; - min_lengths[|min_lengths|] = [$cipher=/_RC4_128_MD5$/, $min_length=35]; - min_lengths[|min_lengths|] = [$cipher=/_RC4_40_MD5$/, $min_length=35]; - min_lengths[|min_lengths|] = [$cipher=/_RC2_CBC_40_MD5$/, $min_length=40]; + min_lengths_tls11 += [$cipher=/_AES_256_GCM_SHA384$/, $min_length=43]; + min_lengths_tls11 += [$cipher=/_AES_128_GCM_SHA256$/, $min_length=43]; + min_lengths_tls11 += [$cipher=/_256_CBC_SHA384$/, $min_length=96]; + min_lengths_tls11 += [$cipher=/_256_CBC_SHA256$/, $min_length=80]; + min_lengths_tls11 += [$cipher=/_256_CBC_SHA$/, $min_length=64]; + min_lengths_tls11 += [$cipher=/_128_CBC_SHA256$/, $min_length=80]; + min_lengths_tls11 += [$cipher=/_128_CBC_SHA$/, $min_length=64]; + min_lengths_tls11 += [$cipher=/_3DES_EDE_CBC_SHA$/, $min_length=48]; + min_lengths_tls11 += [$cipher=/_SEED_CBC_SHA$/, $min_length=64]; + min_lengths_tls11 += [$cipher=/_IDEA_CBC_SHA$/, $min_length=48]; + min_lengths_tls11 += [$cipher=/_DES_CBC_SHA$/, $min_length=48]; + min_lengths_tls11 += [$cipher=/_DES40_CBC_SHA$/, $min_length=48]; + min_lengths_tls11 += [$cipher=/_RC4_128_SHA$/, $min_length=39]; + min_lengths_tls11 += [$cipher=/_RC4_128_MD5$/, $min_length=35]; + min_lengths_tls11 += [$cipher=/_RC4_40_MD5$/, $min_length=35]; + min_lengths_tls11 += [$cipher=/_RC2_CBC_40_MD5$/, $min_length=48]; + min_lengths += [$cipher=/_256_CBC_SHA$/, $min_length=48]; + min_lengths += [$cipher=/_128_CBC_SHA$/, $min_length=48]; + min_lengths += [$cipher=/_3DES_EDE_CBC_SHA$/, $min_length=40]; + min_lengths += [$cipher=/_SEED_CBC_SHA$/, $min_length=48]; + min_lengths += [$cipher=/_IDEA_CBC_SHA$/, $min_length=40]; + min_lengths += [$cipher=/_DES_CBC_SHA$/, $min_length=40]; + min_lengths += [$cipher=/_DES40_CBC_SHA$/, 
$min_length=40]; + min_lengths += [$cipher=/_RC4_128_SHA$/, $min_length=39]; + min_lengths += [$cipher=/_RC4_128_MD5$/, $min_length=35]; + min_lengths += [$cipher=/_RC4_40_MD5$/, $min_length=35]; + min_lengths += [$cipher=/_RC2_CBC_40_MD5$/, $min_length=40]; } event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string) diff --git a/scripts/policy/protocols/ssl/notary.bro b/scripts/policy/protocols/ssl/notary.bro index 07f2cdebc4..4406dd9629 100644 --- a/scripts/policy/protocols/ssl/notary.bro +++ b/scripts/policy/protocols/ssl/notary.bro @@ -56,7 +56,7 @@ event ssl_established(c: connection) &priority=3 local waits_already = digest in waitlist; if ( ! waits_already ) waitlist[digest] = vector(); - waitlist[digest][|waitlist[digest]|] = c$ssl; + waitlist[digest] += c$ssl; if ( waits_already ) return; diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro index f4d1646ae8..0ce11b63ff 100644 --- a/scripts/policy/protocols/ssl/validate-sct.bro +++ b/scripts/policy/protocols/ssl/validate-sct.bro 
@@ -76,7 +76,7 @@ event bro_init() event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5 { - c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature, $source=SCT_TLS_EXT); + c$ssl$ct_proofs += SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature, $source=SCT_TLS_EXT); } event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) &priority=5 @@ -103,7 +103,7 @@ event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, log local c = f$conns[cid]; } - c$ssl$ct_proofs[|c$ssl$ct_proofs|] = SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src); + c$ssl$ct_proofs += SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src); } # Priority = 19 will be handled after validation is done diff --git a/testing/btest/core/leaks/broker/data.bro b/testing/btest/core/leaks/broker/data.bro index d79155fa30..590d041ff1 100644 --- a/testing/btest/core/leaks/broker/data.bro +++ b/testing/btest/core/leaks/broker/data.bro 
@@ -91,7 +91,7 @@ function broker_to_bro_vector_recurse(it: opaque of Broker::VectorIterator, if ( Broker::vector_iterator_last(it) ) return rval; - rval[|rval|] = Broker::vector_iterator_value(it) as string; + rval += Broker::vector_iterator_value(it) as string; Broker::vector_iterator_next(it); return broker_to_bro_vector_recurse(it, rval); } diff --git a/testing/btest/language/ipv6-literals.bro b/testing/btest/language/ipv6-literals.bro index 004d104c6e..bf888b29e1 100644 --- a/testing/btest/language/ipv6-literals.bro +++ b/testing/btest/language/ipv6-literals.bro @@ -3,30 +3,30 @@ local v: vector of addr = vector(); -v[|v|] = [::1]; -v[|v|] = [::ffff]; -v[|v|] = [::ffff:ffff]; -v[|v|] = [::0a0a:ffff]; -v[|v|] = [1::1]; -v[|v|] = [1::a]; -v[|v|] = [1::1:1]; -v[|v|] = [1::1:a]; -v[|v|] = [a::a]; -v[|v|] = [a::1]; -v[|v|] = [a::a:a]; -v[|v|] = [a::a:1]; -v[|v|] = [a:a::a]; -v[|v|] = [aaaa:0::ffff]; -v[|v|] = [::ffff:192.168.1.100]; -v[|v|] = [ffff::192.168.1.100]; -v[|v|] = [::192.168.1.100]; -v[|v|] = [::ffff:0:192.168.1.100]; -v[|v|] = [805B:2D9D:DC28::FC57:212.200.31.255]; -v[|v|] = [0xaaaa::bbbb]; -v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222]; -v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:ffff:1:2222]; -v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:ffff:0:2222]; -v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:0:0:2222]; +v += [::1]; +v += [::ffff]; +v += [::ffff:ffff]; +v += [::0a0a:ffff]; +v += [1::1]; +v += [1::a]; +v += [1::1:1]; +v += [1::1:a]; +v += [a::a]; +v += [a::1]; +v += [a::a:a]; +v += [a::a:1]; +v += [a:a::a]; +v += [aaaa:0::ffff]; +v += [::ffff:192.168.1.100]; +v += [ffff::192.168.1.100]; +v += [::192.168.1.100]; +v += [::ffff:0:192.168.1.100]; +v += [805B:2D9D:DC28::FC57:212.200.31.255]; +v += [0xaaaa::bbbb]; +v += [aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222]; +v += [aaaa:bbbb:cccc:dddd:eeee:ffff:1:2222]; +v += [aaaa:bbbb:cccc:dddd:eeee:ffff:0:2222]; +v += [aaaa:bbbb:cccc:dddd:eeee:0:0:2222]; for (i in v) print v[i]; 
diff --git a/testing/btest/language/record-default-coercion.bro b/testing/btest/language/record-default-coercion.bro index 822b845f65..9d8babf571 100644 --- a/testing/btest/language/record-default-coercion.bro +++ b/testing/btest/language/record-default-coercion.bro @@ -43,6 +43,6 @@ print_bar(bar6); local r: MyRecord = [$c=13]; print r; print |r$v|; -r$v[|r$v|] = "test"; +r$v += "test"; print r; print |r$v|; diff --git a/testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.bro b/testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.bro index 9b8c995fac..29cb439a64 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.bro @@ -43,10 +43,10 @@ event dump_info() event connection_established(c: connection) { local id = c$id; - rules[|rules|] = NetControl::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 0secs); - rules[|rules|] = NetControl::drop_address(id$orig_h, 0secs); - rules[|rules|] = NetControl::whitelist_address(id$orig_h, 0secs); - rules[|rules|] = NetControl::redirect_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 5, 0secs); + rules += NetControl::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 0secs); + rules += NetControl::drop_address(id$orig_h, 0secs); + rules += NetControl::whitelist_address(id$orig_h, 0secs); + rules += NetControl::redirect_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 5, 0secs); schedule 1sec { remove_all() }; schedule 2sec { dump_info() }; diff --git a/testing/btest/scripts/base/frameworks/netcontrol/multiple.bro b/testing/btest/scripts/base/frameworks/netcontrol/multiple.bro index 56a764f2e9..d56c8e2468 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/multiple.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/multiple.bro 
@@ -27,10 +27,10 @@ event remove_all() event connection_established(c: connection) { local id = c$id; - rules[|rules|] = NetControl::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 0secs); - rules[|rules|] = NetControl::drop_address(id$orig_h, 0secs); - rules[|rules|] = NetControl::whitelist_address(id$orig_h, 0secs); - rules[|rules|] = NetControl::redirect_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 5, 0secs); + rules += NetControl::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 0secs); + rules += NetControl::drop_address(id$orig_h, 0secs); + rules += NetControl::whitelist_address(id$orig_h, 0secs); + rules += NetControl::redirect_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 5, 0secs); schedule 1sec { remove_all() }; } diff --git a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro index 6426b42680..52fce96dba 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro @@ -31,7 +31,7 @@ event bro_init() &priority=5 print fmt("Host: %s Sampled observations: %d", key$host, r$sample_elements); local sample_nums: vector of count = vector(); for ( sample in r$samples ) - sample_nums[|sample_nums|] =r$samples[sample]$num; + sample_nums += r$samples[sample]$num; print fmt(" %s", sort(sample_nums)); }, From 2375c0c4bea697af75f83a6a7732d089cd374e52 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Thu, 26 Jul 2018 14:35:30 -0700 Subject: [PATCH 589/631] forgot to update test suite results for v += e --- testing/btest/Baseline/language.vector/out | 1 + 1 file changed, 1 insertion(+) diff --git a/testing/btest/Baseline/language.vector/out b/testing/btest/Baseline/language.vector/out index 0aa3ab0a8f..0fdcc1fa24 100644 
--- a/testing/btest/Baseline/language.vector/out +++ b/testing/btest/Baseline/language.vector/out @@ -57,3 +57,4 @@ access element (PASS) % operator (PASS) && operator (PASS) || operator (PASS) ++= operator (PASS) From f7358a3351f04a1a28f5e34437658426e73664f6 Mon Sep 17 00:00:00 2001 From: Vern Paxson Date: Thu, 26 Jul 2018 14:35:57 -0700 Subject: [PATCH 590/631] d'oh, still have a (deprecated) string_array rather than string_vector --- scripts/base/utils/addrs.bro | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/base/utils/addrs.bro b/scripts/base/utils/addrs.bro index 058aabd96e..f89467c14d 100644 --- a/scripts/base/utils/addrs.bro +++ b/scripts/base/utils/addrs.bro @@ -100,7 +100,7 @@ function find_ip_addresses(input: string): string_array &deprecated for ( i in parts ) { if ( i % 2 == 1 && is_valid_ip(parts[i]) ) - output += parts[i]; + output[|output|] += parts[i]; } return output; } From 3710ff936fb9b4acdc121dd7dabb25170db56872 Mon Sep 17 00:00:00 2001 From: Damani Wade Date: Mon, 2 Jul 2018 09:18:37 -0400 Subject: [PATCH 591/631] Add Cisco FabricPath support --- src/iosource/Packet.cc | 14 ++++++ .../Baseline/core.cisco-fabric-path/conn.log | 41 ++++++++++++++++++ testing/btest/Traces/cisco-fabric-path.pcap | Bin 0 -> 10816 bytes testing/btest/core/cisco-fabric-path.bro | 2 + 4 files changed, 57 insertions(+) create mode 100644 testing/btest/Baseline/core.cisco-fabric-path/conn.log create mode 100644 testing/btest/Traces/cisco-fabric-path.pcap create mode 100644 testing/btest/core/cisco-fabric-path.bro diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index 5199765f51..3aa0e28b92 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc 
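Review bot: The replacement line `output[|output|] += parts[i];` in find_ip_addresses keeps the `+=` operator, now applied to a table slot that does not exist yet, so it would read the missing index `|output|` before assigning instead of appending a new entry. Going by the `string_array` return type in the hunk header (the declaration of `output` is outside the hunk), a table-backed array needs the plain assignment form, `output[|output|] = parts[i];`. A btest that calls the deprecated function on input containing at least one address would catch this at runtime.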
@@ -140,6 +140,20 @@ void Packet::ProcessLayer2() case DLT_EN10MB: { + // Skip past Cisco FabricPath to encapsulated ethernet frame. + if ( pdata[12] == 0x89 && pdata[13] == 0x03 ) + { + auto constexpr cfplen = 16; + + if ( pdata + cfplen + GetLinkHeaderSize(link_type) >= end_of_data ) + { + Weird("truncated_link_header_cfp"); + return; + } + + pdata += cfplen; + } + // Get protocol being carried from the ethernet frame. int protocol = (pdata[12] << 8) + pdata[13]; diff --git a/testing/btest/Baseline/core.cisco-fabric-path/conn.log b/testing/btest/Baseline/core.cisco-fabric-path/conn.log new file mode 100644 index 0000000000..eae407aceb --- /dev/null +++ b/testing/btest/Baseline/core.cisco-fabric-path/conn.log 
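Review bot: The FabricPath probe `pdata[12] == 0x89 && pdata[13] == 0x03` reads two bytes of captured data before the added length check runs, and nothing in this hunk shows that at least 14 bytes were captured at that point; ProcessLayer2 starts and ends outside the hunk, so an earlier guard may exist and should be confirmed. If there is none, test the length first, e.g. `if ( pdata + 14 <= end_of_data && pdata[12] == 0x89 && pdata[13] == 0x03 )`. No test in this patch appears to cover a capture truncated inside the 16-byte outer header, so the `truncated_link_header_cfp` path looks unexercised. A short comment naming 0x8903 as the FabricPath EtherType and `cfplen` as the outer header length would also help the next reader.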
@@ -0,0 +1,41 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2018-07-09-14-17-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +1529347003.860008 C7fIlMZDuRiqjpYbb 1.1.1.6 57005 2.2.2.2 48879 tcp - 0.001018 0 0 S0 - - 0 S 2 80 0 0 - +1529347003.861732 CykQaM33ztNt0csB9a 1.1.1.4 57005 2.2.2.2 48879 tcp - 0.000928 0 0 S0 - - 0 S 2 80 0 0 - +1529347003.863372 CtxTCR2Yer0FR1tIBg 1.1.1.14 57005 2.2.2.2 48879 tcp - 0.000928 0 0 S0 - - 0 S 2 80 0 0 - +1529347003.865002 CpmdRlaUoJLN3uIRa 1.1.1.12 57005 2.2.2.2 48879 tcp - 0.000926 0 0 S0 - - 0 S 2 80 0 0 - +1529347003.866648 C1Xkzz2MaGtLrc1Tla 1.1.1.0 57005 2.2.2.2 48879 tcp - 0.001042 0 0 S0 - - 0 S 2 80 0 0 - +1529347003.868394 CqlVyW1YwZ15RhTBc4 1.1.1.2 57005 2.2.2.2 48879 tcp - 0.000920 0 0 S0 - - 0 S 2 80 0 0 - +1529347003.870014 CLNN1k2QMum1aexUK7 1.1.1.8 57005 2.2.2.2 48879 tcp - 0.000930 0 0 S0 - - 0 S 2 80 0 0 - +1529347003.871649 CBA8792iHmnhPLksKa 1.1.1.10 57005 2.2.2.2 48879 tcp - 0.000928 0 0 S0 - - 0 S 2 80 0 0 - +1529347003.873385 CGLPPc35OzDQij1XX8 1234::e 57005 5678:: 48879 tcp - 0.001139 0 0 S0 - - 0 S 2 120 0 0 - +1529347003.875322 CiyBAq1bBLNaTiTAc 1234::c 57005 5678:: 48879 tcp - 0.001027 0 0 S0 - - 0 S 2 120 0 0 - +1529347003.877182 CFSwNi4CNGxcuffo49 1234::6 57005 5678:: 48879 tcp - 0.001055 0 0 S0 - - 0 S 2 120 0 0 - +1529347003.879034 Cipfzj1BEnhejw8cGf 1234::4 57005 5678:: 48879 tcp - 0.001018 0 0 S0 - - 0 S 2 120 0 0 - +1529347003.881330 CV5WJ42jPYbNW9JNWf 1234::8 57005 5678:: 48879 tcp - 0.001029 0 0 S0 - - 0 S 2 120 0 0 - +1529347003.883152 CPhDKt12KQPUVbQz06 1234::a 57005 5678:: 48879 tcp - 0.001005 0 0 S0 - - 0 S 2 120 0 0 - 
+1529347003.884945 CAnFrb2Cvxr5T7quOc 1234:: 57005 5678:: 48879 tcp - 0.001005 0 0 S0 - - 0 S 2 120 0 0 - +1529347003.886751 C8rquZ3DjgNW06JGLl 1234::2 57005 5678:: 48879 tcp - 0.001120 0 0 S0 - - 0 S 2 120 0 0 - +1529347003.851951 CFLRIC3zaTU1loLGxh 1234::4 57005 5678:: 48879 udp - 0.000905 0 0 S0 - - 0 D 2 96 0 0 - +1529347003.855232 Ck51lg1bScffFj34Ri 1234::a 57005 5678:: 48879 udp - 0.000894 0 0 S0 - - 0 D 2 96 0 0 - +1529347003.839636 CtPZjS20MLrsMUOJi2 1.1.1.12 57005 2.2.2.2 48879 udp - 0.000847 0 0 S0 - - 0 D 2 56 0 0 - +1529347003.858393 CNnMIj2QSd84NKf7U3 1234::2 57005 5678:: 48879 udp - 0.000902 0 0 S0 - - 0 D 2 96 0 0 - +1529347003.842649 CmES5u32sYpV7JYN 1.1.1.2 57005 2.2.2.2 48879 udp - 0.000830 0 0 S0 - - 0 D 2 56 0 0 - +1529347003.850367 C0LAHyvtKSQHyJxIl 1234::6 57005 5678:: 48879 udp - 0.000898 0 0 S0 - - 0 D 2 96 0 0 - +1529347003.848776 CwjjYJ2WqgTbAqiHl6 1234::c 57005 5678:: 48879 udp - 0.000902 0 0 S0 - - 0 D 2 96 0 0 - +1529347003.856801 C9mvWx3ezztgzcexV7 1234:: 57005 5678:: 48879 udp - 0.000898 0 0 S0 - - 0 D 2 96 0 0 - +1529347003.841103 CUM0KZ3MLUfNB0cl11 1.1.1.0 57005 2.2.2.2 48879 udp - 0.000926 0 0 S0 - - 0 D 2 56 0 0 - +1529347003.845524 C37jN32gN3y3AZzyf6 1.1.1.10 57005 2.2.2.2 48879 udp - 0.000843 0 0 S0 - - 0 D 2 56 0 0 - +1529347003.847079 C3eiCBGOLw3VtHfOj 1234::e 57005 5678:: 48879 udp - 0.001014 0 0 S0 - - 0 D 2 96 0 0 - +1529347003.853544 C9rXSW3KSpTYvPrlI1 1234::8 57005 5678:: 48879 udp - 0.001010 0 0 S0 - - 0 D 2 96 0 0 - +1529347003.836659 ClEkJM2Vm5giqnMf4h 1.1.1.4 57005 2.2.2.2 48879 udp - 0.000847 0 0 S0 - - 0 D 2 56 0 0 - +1529347003.838130 C4J4Th3PJpwUYZZ6gc 1.1.1.14 57005 2.2.2.2 48879 udp - 0.000880 0 0 S0 - - 0 D 2 56 0 0 - +1529347003.844086 CP5puj4I8PtEU4qzYg 1.1.1.8 57005 2.2.2.2 48879 udp - 0.000830 0 0 S0 - - 0 D 2 56 0 0 - +1529347003.834704 CHhAvVGS1DHFjwGM9 1.1.1.6 57005 2.2.2.2 48879 udp - 0.001243 0 0 S0 - - 0 D 2 56 0 0 - +#close 2018-07-09-14-17-29 
diff --git a/testing/btest/Traces/cisco-fabric-path.pcap b/testing/btest/Traces/cisco-fabric-path.pcap new file mode 100644 index 0000000000000000000000000000000000000000..f238a0600da0afbc78ddd92e65a588a2b72fa202 GIT binary patch literal 10816 zcmb{13sg<{9>DQ^-btkpN-A%;>5@dIIE5IGp14U!NfAmKmC%D!B%zUzR|YAKlA#b$ zLi8AyJY9EspUtN<$TvbCW#G8bFg2Ck!gIX2eMJ^!7?a9yWed@0u$ z^tAp7TA}&aI{Rt2YCWg0w&+8mCAdhtOtv<(-rm5L_UN+B&fKmy&&}L+oZ-r*T`E#8 zgH{c`g_g^0YMcT=-wV}1`9=3+8ol&r#Kb?DKby-)2>lW>z zq+IaH_{{@a!^*LhySLiwIX`)Ch1ZI1;3DnOvbCWVUxBR|afQQj1cl`r-uLLoaNVR` zz-s-xANvi8{wuWZS7B?HlZCyGAbVKaZ=L6Wi?rv<)`phxV{8plvtPGY=pxQ=DeT2? z<9^@WdxDF!hsxFl*WDUyy}lSWGgIXF@tS_)b%yH- z?NXF-8Mg1zd5JBj8HcT1Mb@i32aQMr7ilZV)&|$}*Gkkl`WSdVf8yeOirR6o%b0Yt zO_k1YxPqFvEA!P+ne7knz(?~n?b9ZxRn{p{R`k2zxw$SQau$`DvtUp{FOZS?ypGf( z-k~+rK!1rTXK74H`rEs#RwWi|1Xxu*qIKj?Zx1Zw_!%i?CVGLD)KfZAzw`;ML;r{p z58z&&uwZ-VUaVFji!~ao=3me{c30nGAMP4;<;rpMz)I?c9jQy2(5icQU%%D7Uy6Ro z=o-js<+E60!0OLaZu=Zikz7{};u+nW7TLHTtfU^+k@^s!a@*%?r)TF^p5d=*I{P27 zJ*!oL#To@xO+~ccj$hg>lizEVMa1i)U?uhVj?^zJq4m}ZU1LWtpRx?m;sP93Q~?uyp(eH-u93w`s)s8;k~wNfnBSg^YGK&$uK z9mUnc%w(;}DaXJ{>bE;m*U&)gUs|WLr-{tLIg^clj7v=Dbj zX<^%46k7VjQE1#}kz**=d-ny0!OuZR+ClQRq59Ggg@awSkFMrzPc}b0cP2x4i5BAa zC@pNe!$K><7==4i(^5-$VV2VsD|Ug9v^UDzhN^=J3SYdn+?vdf)`)GGJ)R*fpoO?c zN(;p;ew++IfVifX^xHaktG%9q?HH={hZ_q+m zkeWA2X(22yWK6HxdtOtog7ps$-(nP(jcNn0du8>;IqQP_!lU?ER9wa4`tCCxi; z>(}yCT8O)4i-~+Kw|#d7E#0Xoypg4m{7QH)vfkuF83;++L*6!2A5TZ2(J~vYXwgN5 zM^OWNGG4^$x>F|#_ zY3y8_VR80=#Q~hX%eQU0R?a#@`+KPL3|pILFk65#r1Vu#ROGmgl&p&%1T&D6GJn)b z>s@e$*!SJej^TP33wKwAu+Gr_ekwh~&gK~s7UK-Z>xz?k+#5E|C$4>k8OTW!e$+`> zOK^twR=rajcp-tEqi;`VouU1`ReFYBn`g*ajx$UddZ^Zi*MEG>l;Slo1378tk2)#c z2WR**_4=J&{1}a8PW`M{XJ~()m7ZaH^9*NK;|xmG23iUHJ5?hdE;57}$Vu@(>ZIZT zoWUn>SJ_d4Z6|RWubOp+_V--r8MZagaB&^ZuxT2lrXr9$(g-;~elkE#()v*+l?3Aq z!FAm(ofYa-j-2}?l68jm_h0E5;+tp4-iR~YRCpDl9**REtO6NnYs=aO zncYE@RsLx-M3?7ichg|^GluMETE^Im+n1>yk&~r5FqgehV7n{;i2N|+iw2ZM2w=Zi^*$i67*niuXP51+4lXY@Kf`qTLl59;CK}Oo4vbI51lZi5prjOe&(enw0 
z4r?Xrbu*f`gX1)*vJ8U|HKB+kZuwvY@X?@La0%w6v0X zyRE&}0(L7H@Au*5>taCM?q#RyTazgixo={hW=F|a`Is3UT*VJ;N zzOb5E_t{o6=MI|JjTrdm7T3S`i9hwoeVd#R(a{sk@1a@srJ}AoZ_Eja{k}e|X4d_+ z)qJiD&G8`%UKH@`xu=5S?!)U$PPp9B6W;z8%?_0f6XW<#dOmru{VS`Pbzf~Y^QzFi z-2aOA0)F(Z@M$&k!AwqA-O&@w9-%q0x^HiZV3gjrxKAfo&8+)rtJ(eunoZ+uvJMJr z1DyTxwZKeHnAy=2wmw7iHD{;DheG>3owdD2Z0&4~t^1zDneC#$^K{;X!!{j=3<^9IdphIp?q6z$3w^|74%hL@bMzN07D z)#06EOX$9!8Y+3s$@QfHKJ=YK6>himC70y^SLTWDuqByj$+Mv5jE_HZ zK?Po6(jF&U8(J3cu@(PIZ%ZAH@R8|ZJ#~gFgm#fNfCWYWGqeUaU@Nt2pAm%|$2lv0 z&3gkb(k_s#4K3Y9Y;}8+He9qN3T;`iO`NvMm0~cvm$<_wf z;7-`GsmrY_7cAOR6KKDg;aW+%)V}|Eag?w%&?V==T7l%N>O$)raFKSlY;ABgDP!w# z)}rO_h3Bq}c376da9PkU@%LT#Rk5|{g0sgG;fJL`cD@zhB5fzx+T`Qd6cV=H>O!icG&7g6Hr2cLqAv^8aGgKJ|?Y?JbWYb^kMGMW4c$lD?v!w3*>Esu;)M&_Eg9TPT+~2&9_W;VHI-Ng{gy4 zSUPE9V>ez!L_oKGW^dtQpkWEG0pg#vvP`p1bSOZa=1 zXL{}<_bbv~B5xanxx-LcKTbSxr{Kkam<=XntU_CM;k@A}{6p*GN;N^Hr1bf#S@0T? z_9%JVARKOpLK~%qW3z;LeaC(|)cSkve||0hW9P%KWrI;D?DD25=b$LdX!=ZKV> Date: Mon, 30 Jul 2018 09:35:55 -0700 Subject: [PATCH 592/631] Fixing up `make html` target Add types of files that genhtml (the program that generates html files from .gcno/.gcda files, included in lcov) should ignore, such as .yy and .ll files. --- testing/coverage/Makefile | 5 +-- testing/coverage/README | 11 ++---- testing/coverage/code_coverage.sh | 12 ++++-- testing/coverage/lcov_html.sh | 61 +++++++++++++++++++++++++++++++ 4 files changed, 74 insertions(+), 15 deletions(-) create mode 100755 testing/coverage/lcov_html.sh diff --git a/testing/coverage/Makefile b/testing/coverage/Makefile index 1aa8036bbf..7f458a4f9c 100644 --- a/testing/coverage/Makefile +++ b/testing/coverage/Makefile @@ -9,7 +9,4 @@ distclean: cleanup @find ../../ -name "*.gcno" -exec rm {} \; html: - @(cd ../../; if which lcov; then\ - lcov --capture --directory . --output-file coverage.info \ - && genhtml coverage.info && rm coverage.info; \ - fi) + @./lcov_html.sh $(COVERAGE_HTML_DIR) 
diff --git a/testing/coverage/README b/testing/coverage/README index 0c19e14d51..2cda389452 100644 --- a/testing/coverage/README +++ b/testing/coverage/README @@ -2,12 +2,7 @@ On a Bro build configured with --enable-coverage, this script produces a code co This depends on gcov, which should come with your gcc. If gcov is not installed, the script will abort with an error message. -TODO: Use `make html` as make target in this directory to output the html files that gcov can create (must have lcov on system). +After `make all` in the upper directory, use `make html` as make target in this directory to output the html files that lcov can create. By default, the html files will be contained in a directory named "coverage-html" in the base directory. To set a custom name, use `make html COVERAGE_HTML_DIR=custom-dir-name`. -The goal of code-coverage.sh script is to automate code coverage testing. See the following steps for the code structure: - 1. Run test suite - 2. Check for .gcda files existing. - 3a. Run gcov (-p to preserve path) - 3b. Prune .gcov files for objects outside of the Bro tree - 4a. Analyze .gcov files generated and create summary file - 4b. Send .gcov files to appropriate path +The script code_coverage.sh is triggered by `make coverage` (included in `make` in /testing), and its goal is to automate code coverage testing. +The script lcov_html.sh is triggered by `make html`, and its goal is to create html files from the aforementioned coverage data. diff --git a/testing/coverage/code_coverage.sh b/testing/coverage/code_coverage.sh index ec583b1e5e..758b2fa915 100755 --- a/testing/coverage/code_coverage.sh +++ b/testing/coverage/code_coverage.sh 
@@ -17,13 +17,12 @@ # 4b. Send .gcov files to appropriate path # CURR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" # Location of script -BASE="$(readlink -f "${CURR}/../../")" +BASE="$( cd "$CURR" && cd ../../ && pwd )" TMP="${CURR}/tmp.$$" mkdir -p $TMP # DEFINE CLEANUP PROCESS function finish { - find "$BASE" -name "*.gcda" -exec rm {} \; > /dev/null 2>&1 rm -rf $TMP } trap finish EXIT @@ -98,13 +97,20 @@ echo "ok" # 3a. Run gcov (-p to preserve path) and move into tmp directory # ... if system does not have gcov installed, exit with message. echo -n "Creating coverage files... " -if which gcov; then +if which gcov > /dev/null 2>&1; then ( cd "$TMP" && find "$BASE" -name "*.o" -exec gcov -p {} > /dev/null 2>&1 \; ) NUM_GCOVS=$(find "$TMP" -name *.gcov | wc -l) if [ $NUM_GCOVS -eq 0 ]; then echo "no gcov files produced, aborting" exit 1 fi + + # Account for '^' that occurs in macOS due to LLVM + # This character seems to be equivalent to ".." (up 1 dir) + for file in $(ls $TMP/*.gcov | grep '\^'); do + mv $file "$(sed 's/#[^#]*#\^//g' <<< "$file")" + done + echo "ok, $NUM_GCOVS coverage files" else echo "gcov is not installed on system, aborting" diff --git a/testing/coverage/lcov_html.sh b/testing/coverage/lcov_html.sh new file mode 100755 index 0000000000..d1af203437 --- /dev/null +++ b/testing/coverage/lcov_html.sh 
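Review bot: The macOS rename loop in code_coverage.sh iterates over `$(ls $TMP/*.gcov | grep '\^')` and passes `$file` to mv unquoted, so a checkout path containing whitespace is split into several words and the rename fails. A glob with quoted expansions avoids parsing ls output: `for file in "$TMP"/*^*.gcov; do [ -e "$file" ] || continue; mv "$file" "$(sed 's/#[^#]*#\^//g' <<< "$file")"; done`. The sed expression also runs over the whole path rather than the file name, which is worth a one-line comment stating that `$TMP` is assumed not to contain `#…#^`.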
@@ -0,0 +1,61 @@ +#!/usr/bin/env bash +# +# On a Bro build configured with --enable-coverage, this script +# produces a code coverage report in HTML format after Bro has been invoked. The +# intended application of this script is after the btest testsuite has run. + +# This depends on lcov to run. + +function die { + echo "$@" + exit 1 +} +function finish { + rm -rf "$TMP" +} +function verify-run { + if bash -c "$1" > /dev/null 2>&1; then + echo ${2:-"ok"} + else + die ${3:-"error, abort"} + fi +} +trap finish EXIT + +COVERAGE_FILE="./$TMP/coverage.info" +COVERAGE_HTML_DIR="${1:-"coverage-html"}" +REMOVE_TARGETS="*.yy *.ll *.y *.l" + +# 1. Move to base dir, create tmp dir +cd ../../; +TMP=".tmp.$$" +mkdir "$TMP" + +# 2. Check for .gcno and .gcda file presence +echo -n "Checking for coverage files... " +for pat in gcda gcno; do + if [ -z "$(find "$BASE" -name "*.$pat" 2>/dev/null)" ]; then + echo "no .$pat files, nothing to do" + exit 0 + fi +done +echo "ok" + +# 3. If lcov does not exist, abort process. +echo -n "Checking for lcov... " +verify-run "which lcov" \ + "lcov installed on system, continue" \ + "lcov not installed, abort" + +# 4. Create a "tracefile" through lcov, which is necessary to create html files later on. +echo -n "Creating tracefile for html generation... " +verify-run "lcov --no-external --capture --directory . --output-file $COVERAGE_FILE" + +for TARGET in $REMOVE_TARGETS; do + echo -n "Getting rid of $TARGET files from tracefile... " + verify-run "lcov --remove $COVERAGE_FILE $TARGET --output-file $COVERAGE_FILE" +done + +# 5. Create HTML files. +echo -n "Creating HTML files... " +verify-run "genhtml -q -o $COVERAGE_HTML_DIR $COVERAGE_FILE" From c4cb27b12f2033f9e17a6e562c26a22180b7b5b6 Mon Sep 17 00:00:00 2001 From: Chung Min Kim Date: Mon, 30 Jul 2018 12:17:40 -0700 Subject: [PATCH 593/631] Added coverage to .PHONY in Makefile due to testing/coverage --- testing/Makefile | 1 + 1 file changed, 1 insertion(+) 
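Review bot: `verify-run` hands its argument to `bash -c`, so the unquoted `$COVERAGE_HTML_DIR` (taken from the script's first argument, i.e. the make variable) and the `--remove` patterns are parsed by a shell a second time: a directory name with spaces or shell metacharacters changes the command that runs, and `*.y` or `*.l` can be glob-expanded against the source tree root before lcov sees them. Hold the patterns in an array and quote the interpolated values, e.g. `REMOVE_TARGETS=('*.yy' '*.ll' '*.y' '*.l')`, `for TARGET in "${REMOVE_TARGETS[@]}"; do` and `verify-run "lcov --remove '$COVERAGE_FILE' '$TARGET' --output-file '$COVERAGE_FILE'"`. The same applies to the lcov capture and genhtml invocations, and to the unquoted `$(COVERAGE_HTML_DIR)` in the Makefile's html target. Having verify-run execute its arguments directly instead of through `bash -c` would remove the second parse altogether.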
diff --git a/testing/Makefile b/testing/Makefile index c5610fc97b..98c6b239a2 100644 --- a/testing/Makefile +++ b/testing/Makefile @@ -25,3 +25,4 @@ coverage: @rm -f brocov.tmp.* @cd coverage && make coverage +.PHONY: coverage From e11cc8778f1e061fbdb49cdcf75e71f150951b2e Mon Sep 17 00:00:00 2001 From: Chung Min Kim Date: Mon, 30 Jul 2018 13:34:53 -0700 Subject: [PATCH 594/631] Minor edits due to typo and field changes --- testing/coverage/lcov_html.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/testing/coverage/lcov_html.sh b/testing/coverage/lcov_html.sh index d1af203437..f4ff6f2b29 100755 --- a/testing/coverage/lcov_html.sh +++ b/testing/coverage/lcov_html.sh @@ -22,19 +22,19 @@ function verify-run { } trap finish EXIT +TMP=".tmp.$$" COVERAGE_FILE="./$TMP/coverage.info" COVERAGE_HTML_DIR="${1:-"coverage-html"}" -REMOVE_TARGETS="*.yy *.ll *.y *.l" +REMOVE_TARGETS="*.yy *.ll *.y *.l */bro.dir/* *.bif" # 1. Move to base dir, create tmp dir cd ../../; -TMP=".tmp.$$" mkdir "$TMP" # 2. Check for .gcno and .gcda file presence echo -n "Checking for coverage files... " for pat in gcda gcno; do - if [ -z "$(find "$BASE" -name "*.$pat" 2>/dev/null)" ]; then + if [ -z "$(find . -name "*.$pat" 2>/dev/null)" ]; then echo "no .$pat files, nothing to do" exit 0 fi @@ -58,4 +58,4 @@ done # 5. Create HTML files. echo -n "Creating HTML files... " -verify-run "genhtml -q -o $COVERAGE_HTML_DIR $COVERAGE_FILE" +verify-run "genhtml -o $COVERAGE_HTML_DIR $COVERAGE_FILE" From 1ae7d3b3493a0501b1ae777952b36d075fd6355e Mon Sep 17 00:00:00 2001 
From: Jonathan Perkins Date: Fri, 27 Apr 2018 00:38:53 +0200 Subject: [PATCH 595/631] Replace GeoIP Legacy DB support with MaxMind DB support This updates the "lookup_location" and "lookup_asn" BIFs to use libmaxminddb. The motivation for this is that MaxMind is discontinuing GeoLite Legacy databases: no updates after April 1, 2018, no downloads after January 2, 2019. It's also noted that all GeoIP Legacy databases may be discontinued as they are superseded by GeoIP2. --- CMakeLists.txt | 10 +- NEWS | 9 + bro-config.h.in | 6 - configure | 4 +- doc/frameworks/geoip.rst | 88 +++---- scripts/base/init-bare.bro | 3 + src/bro.bif | 471 +++++++++++++++++++++++-------------- 7 files changed, 363 insertions(+), 228 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 5f4f949a6f..fcdc3a71c7 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -140,11 +140,11 @@ include_directories(BEFORE # Optional Dependencies set(USE_GEOIP false) -find_package(LibGeoIP) -if (LIBGEOIP_FOUND) +find_package(LibMMDB) +if (LibMMDB_FOUND) set(USE_GEOIP true) - include_directories(BEFORE ${LibGeoIP_INCLUDE_DIR}) - list(APPEND OPTLIBS ${LibGeoIP_LIBRARY}) + include_directories(BEFORE ${LibMMDB_INCLUDE_DIR}) + list(APPEND OPTLIBS ${LibMMDB_LIBRARY}) endif () set(USE_KRB5 false) @@ -323,7 +323,7 @@ message( "\nBroctl: ${INSTALL_BROCTL}" "\nAux. Tools: ${INSTALL_AUX_TOOLS}" "\n" - "\nGeoIP: ${USE_GEOIP}" + "\nlibmaxminddb: ${USE_GEOIP}" "\nKerberos: ${USE_KRB5}" "\ngperftools found: ${HAVE_PERFTOOLS}" "\n tcmalloc: ${USE_PERFTOOLS_TCMALLOC}" diff --git a/NEWS b/NEWS index 3cb0fd79b3..921c402c76 100644 --- a/NEWS +++ b/NEWS 
@@ -356,6 +356,15 @@ Changed Functionality - The string_to_pattern() built-in (and the now-deprecated merge_pattern() built-in) is no longer restricted to only be called at initialization time. +- GeoIP Legacy Database support has been replaced with GeoIP2 MaxMind DB + format support. + + - This updates the "lookup_location" and "lookup_asn" BIFs to use + libmaxminddb. The motivation for this is that MaxMind is discontinuing + GeoLite Legacy databases: no updates after April 1, 2018, no downloads + after January 2, 2019. It's also noted that all GeoIP Legacy databases + may be discontinued as they are superseded by GeoIP2. + Removed Functionality --------------------- diff --git a/bro-config.h.in b/bro-config.h.in index 19ab863a3f..1b351e550f 100644 --- a/bro-config.h.in +++ b/bro-config.h.in @@ -111,12 +111,6 @@ /* Define if KRB5 is available */ #cmakedefine USE_KRB5 -/* Whether the found GeoIP API supports IPv6 Country Edition */ -#cmakedefine HAVE_GEOIP_COUNTRY_EDITION_V6 - -/* Whether the found GeoIP API supports IPv6 City Edition */ -#cmakedefine HAVE_GEOIP_CITY_EDITION_REV0_V6 - /* Use Google's perftools */ #cmakedefine USE_PERFTOOLS_DEBUG diff --git a/configure b/configure index 830a70b60f..56954368ef 100755 --- a/configure +++ b/configure @@ -72,7 +72,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]... (a required Broker dependency) Optional Packages in Non-Standard Locations: - --with-geoip=PATH path to the libGeoIP install root + --with-geoip=PATH path to the libmaxminddb install root --with-krb5=PATH path to krb5 install root --with-perftools=PATH path to Google Perftools install root --with-jemalloc=PATH path to jemalloc install root @@ -252,7 +252,7 @@ while [ $# -ne 0 ]; do append_cache_entry BISON_EXECUTABLE PATH $optarg ;; --with-geoip=*) - append_cache_entry LibGeoIP_ROOT_DIR PATH $optarg + append_cache_entry LibMMDB_ROOT_DIR PATH $optarg ;; --with-krb5=*) append_cache_entry LibKrb5_ROOT_DIR PATH $optarg 
diff --git a/doc/frameworks/geoip.rst b/doc/frameworks/geoip.rst index d756f97589..d826aabff6 100644 --- a/doc/frameworks/geoip.rst +++ b/doc/frameworks/geoip.rst @@ -8,11 +8,13 @@ GeoLocation .. rst-class:: opening During the process of creating policy scripts the need may arise - to find the geographic location for an IP address. Bro has support + to find the geographic location for an IP address. Bro had support for the `GeoIP library `__ at the - policy script level beginning with release 1.3 to account for this - need. To use this functionality, you need to first install the libGeoIP - software, and then install the GeoLite city database before building + policy script level from release 1.3 to 2.5.X to account for this + need. Starting with release 2.6 GeoIP support requires `libmaxminddb + `__. + To use this functionality, you need to first install the libmaxminddb + software, and then install the GeoLite2 city database before building Bro. .. contents:: 
@@ -20,85 +22,91 @@ GeoLocation Install libGeoIP ---------------- -Before building Bro, you need to install libGeoIP. +Before building Bro, you need to install libmaxminddb. * FreeBSD: .. console:: - sudo pkg install GeoIP + sudo pkg install libmaxminddb * RPM/RedHat-based Linux: .. console:: - sudo yum install GeoIP-devel + sudo yum install libmaxminddb-devel * DEB/Debian-based Linux: .. console:: - sudo apt-get install libgeoip-dev + sudo apt-get install libmaxminddb-dev * Mac OS X: You need to install from your preferred package management system (e.g. MacPorts, Fink, or Homebrew). The name of the package that you need - may be libgeoip, geoip, or geoip-dev, depending on which package management - system you are using. + may be libmaxminddb, maxminddb, or libmaxminddb-dev, depending on which + package management system you are using. -GeoIPLite Database Installation -------------------------------- +GeoLite2-City Database Installation +----------------------------------- -A country database for GeoIPLite is included when you do the C API -install, but for Bro, we are using the city database which includes -cities and regions in addition to countries. +Bro can use the city or country database. The city database includes cities +and regions in addition to countries. -`Download `__ the GeoLite city -binary database: +`Download `__ +the GeoLite2 city binary database: .. console:: - wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz - gunzip GeoLiteCity.dat.gz + wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz + tar zxf GeoLite2-City.tar.gz -Next, the file needs to be renamed and put in the GeoIP database directory. -This directory should already exist and will vary depending on which platform -and package you are using. For FreeBSD, use ``/usr/local/share/GeoIP``. For -Linux, use ``/usr/share/GeoIP`` or ``/var/lib/GeoIP`` (choose whichever one -already exists). 
+Next, the file "GeoLite2-City_YYYYMMDD/GeoLite2-City.mmdb" needs to be renamed +and put in the GeoIP database directory. This directory should already exist +and will vary depending on which platform and package you are using. For +FreeBSD, use ``/usr/local/share/GeoIP``. For Linux, use ``/usr/share/GeoIP`` +or ``/var/lib/GeoIP`` (choose whichever one already exists). .. console:: - mv GeoLiteCity.dat /GeoIPCity.dat - -Note that there is a separate database for IPv6 addresses, which can also -be installed if you want GeoIP functionality for IPv6. + mv /GeoLite2-City.mmdb /GeoLite2-City.mmdb Testing ------- Before using the GeoIP functionality, it is a good idea to verify that -everything is setup correctly. After installing libGeoIP and the GeoIP city -database, and building Bro, you can quickly check if the GeoIP functionality -works by running a command like this: +everything is setup correctly. After installing libmaxminddb and the GeoIP +city database, and building Bro, you can quickly check if the GeoIP +functionality works by running a command like this: .. console:: bro -e "print lookup_location(8.8.8.8);" -If you see an error message similar to "Failed to open GeoIP City database", -then you may need to either rename or move your GeoIP city database file (the -error message should give you the full pathname of the database file that -Bro is looking for). +If you see an error message similar to "Failed to open GeoIP location +database", then you may need to either rename or move your GeoIP +location database file. 
Bro looks for location database files in the +following order by default: + + /usr/share/GeoIP/GeoLite2-City.mmdb + /var/lib/GeoIP/GeoLite2-City.mmdb + /usr/local/share/GeoIP/GeoLite2-City.mmdb + /usr/local/var/GeoIP/GeoLite2-City.mmdb + /usr/share/GeoIP/GeoLite2-Country.mmdb + /var/lib/GeoIP/GeoLite2-Country.mmdb + /usr/local/share/GeoIP/GeoLite2-Country.mmdb + /usr/local/var/GeoIP/GeoLite2-Country.mmdb If you see an error message similar to "Bro was not configured for GeoIP -support", then you need to rebuild Bro and make sure it is linked against -libGeoIP. Normally, if libGeoIP is installed correctly then it should -automatically be found when building Bro. If this doesn't happen, then -you may need to specify the path to the libGeoIP installation -(e.g. ``./configure --with-geoip=``). +support", then you either need to rebuild Bro and make sure it is linked +against libmaxminddb or else set the :bro:see:`mmdb_dir`` value +correctly. Normally, if libmaxminddb is installed correctly then it +should automatically be found when building Bro. If this doesn't +happen, then you may need to specify the path to the libmaxminddb +installation (e.g. ``./configure --with-geoip=``). Usage ----- diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index c502607cbd..b39490ed7e 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -872,6 +872,9 @@ type geo_location: record { longitude: double &optional; ##< Longitude. } &log; +## The directory containing MaxMind DB (*.mmdb) files to use for GeoIP support. +const mmdb_dir: string = "" &redef; + ## Computed entropy values. The record captures a number of measures that are ## computed in parallel. See `A Pseudorandom Number Sequence Test Program ## `_ for more information, Bro uses the same diff --git a/src/bro.bif b/src/bro.bif index c7b26dea04..d6cacec96d 100644 --- a/src/bro.bif +++ b/src/bro.bif 
@@ -3599,77 +3599,269 @@ function lookup_hostname%(host: string%) : addr_set %%{ #ifdef USE_GEOIP extern "C" { -#include +#include +#include +#include +#include +#include } -static GeoIP* open_geoip_db(GeoIPDBTypes type) +class MMDB { +public: + MMDB(const char* filename); + + ~MMDB(); + + MMDB_lookup_result_s Lookup(const struct sockaddr* const sa); + +private: + MMDB_s mmdb; +}; + +MMDB::MMDB(const char *filename) { - GeoIP* geoip = 0; + int status = MMDB_open(filename, MMDB_MODE_MMAP, &mmdb); - if ( GeoIP_db_avail(type) ) - geoip = GeoIP_open_type(type, GEOIP_MEMORY_CACHE); - - return geoip; + if ( MMDB_SUCCESS != status ) + { + throw std::runtime_error(MMDB_strerror(status)); + } } -static GeoIP* open_geoip_city_db() +MMDB::~MMDB() { - GeoIP* geoip = open_geoip_db(GEOIP_CITY_EDITION_REV0); - - if ( ! geoip ) - geoip = open_geoip_db(GEOIP_CITY_EDITION_REV1); - - if ( ! geoip ) - { - string rev0_path = GeoIPDBFileName[GEOIP_CITY_EDITION_REV0]; - string rev1_path = GeoIPDBFileName[GEOIP_CITY_EDITION_REV1]; - string db_path = rev0_path; - - // Maybe in the future the revisions won't share a common default path. - if ( rev0_path != rev1_path ) - db_path = rev0_path + " or " + rev1_path; - - reporter->Info("Failed to open GeoIP City database: %s", - db_path.c_str()); - } - - return geoip; + MMDB_close(&mmdb); } -static GeoIP* open_geoip_city_db_v6() +MMDB_lookup_result_s MMDB::Lookup(const struct sockaddr* const sa) { - GeoIP* geoip = 0; + int mmdb_error; + MMDB_lookup_result_s result = MMDB_lookup_sockaddr(&mmdb, sa, &mmdb_error); - // Both city edition revisions for IPv6 show up in libGeoIP 1.4.7. -#ifdef HAVE_GEOIP_CITY_EDITION_REV0_V6 - geoip = open_geoip_db(GEOIP_CITY_EDITION_REV0_V6); - - if ( ! geoip ) - geoip = open_geoip_db(GEOIP_CITY_EDITION_REV1_V6); - - if ( ! 
geoip ) + if ( MMDB_SUCCESS != mmdb_error ) { - string rev0_path = GeoIPDBFileName[GEOIP_CITY_EDITION_REV0_V6]; - string rev1_path = GeoIPDBFileName[GEOIP_CITY_EDITION_REV1_V6]; - string db_path = rev0_path; - - // Maybe in the future the revisions won't share a common default path. - if ( rev0_path != rev1_path ) - db_path = rev0_path + " or " + rev1_path; - - reporter->Info("Failed to open GeoIP Cityv6 database: %s", - db_path.c_str()); + throw std::runtime_error(MMDB_strerror(mmdb_error)); } -#endif - return geoip; + return result; + } + +std::unique_ptr mmdb_loc; +std::unique_ptr mmdb_asn; + +static bool mmdb_open(const char* filename, bool asn) + { + struct stat buf; + + if ( 0 != stat(filename, &buf) ) + { + return false; + } + + try + { + if ( asn ) + { + mmdb_asn.reset(new MMDB(filename)); + } + else + { + mmdb_loc.reset(new MMDB(filename)); + } + } + + catch ( const std::exception& e ) + { + reporter->Info("Failed to open MaxMind DB: %s [%s]", filename, + e.what()); + return false; + } + + return true; + } + +static bool mmdb_open_loc(const char* filename) + { + return mmdb_open(filename, false); + } + +static bool mmdb_open_asn(const char* filename) + { + return mmdb_open(filename, true); + } + +static bool mmdb_lookup(const IPAddr& addr, MMDB_lookup_result_s& result, + bool asn) + { + struct sockaddr_storage ss = {0}; + + if ( IPv4 == addr.GetFamily() ) + { + struct sockaddr_in* sa = (struct sockaddr_in*)&ss; + sa->sin_family = AF_INET; + addr.CopyIPv4(&sa->sin_addr); + } + + else + { + struct sockaddr_in6* sa = (struct sockaddr_in6*)&ss; + sa->sin6_family = AF_INET6; + addr.CopyIPv6(&sa->sin6_addr); + } + + try + { + result = asn ? 
mmdb_asn->Lookup((struct sockaddr*)&ss) + : mmdb_loc->Lookup((struct sockaddr*)&ss); + } + + catch ( const std::exception& e ) + { + reporter->Info("MaxMind DB lookup location error [%s]", + e.what()); + return false; + } + + return result.found_entry; + } + +static bool mmdb_lookup_loc(const IPAddr& addr, MMDB_lookup_result_s& result) + { + return mmdb_lookup(addr, result, false); + } + +static bool mmdb_lookup_asn(const IPAddr& addr, MMDB_lookup_result_s& result) + { + return mmdb_lookup(addr, result, true); + } + +static Val* mmdb_getvalue(MMDB_entry_data_s* entry_data, int status, + int data_type ) + { + switch (status) + { + case MMDB_SUCCESS: + if ( entry_data->has_data ) + { + switch (data_type) + { + case MMDB_DATA_TYPE_UTF8_STRING: + return new StringVal(entry_data->data_size, + entry_data->utf8_string); + break; + + case MMDB_DATA_TYPE_DOUBLE: + return new Val(entry_data->double_value, TYPE_DOUBLE); + break; + + case MMDB_DATA_TYPE_UINT32: + return new Val(entry_data->uint32, TYPE_COUNT); + + default: + break; + } + } + break; + + case MMDB_LOOKUP_PATH_DOES_NOT_MATCH_DATA_ERROR: + // key doesn't exist, nothing to do + break; + + default: + reporter->Info("MaxMind DB error [%s]", MMDB_strerror(status)); + break; + } + + return nullptr; + } + +static bool mmdb_try_open_loc () + { + // City database is always preferred over Country database. + auto mmdb_dir_val = global_scope()->Lookup("mmdb_dir")->ID_Val(); + std::string mmdb_dir = mmdb_dir_val->AsString()->CheckString(); + + if ( ! 
mmdb_dir.empty() ) + { + auto d = mmdb_dir + "/GeoLite2-City.mmdb"; + + if ( mmdb_open_loc(d.data()) ) + return true; + + d = mmdb_dir + "/GeoLite2-Country.mmdb"; + + if ( mmdb_open_loc(d.data()) ) + return true;; + } + + return mmdb_open_loc("/usr/share/GeoIP/GeoLite2-City.mmdb") + || mmdb_open_loc("/var/lib/GeoIP/GeoLite2-City.mmdb") + || mmdb_open_loc("/usr/local/share/GeoIP/GeoLite2-City.mmdb") + || mmdb_open_loc("/usr/local/var/GeoIP/GeoLite2-City.mmdb") + || mmdb_open_loc("/usr/share/GeoIP/GeoLite2-Country.mmdb") + || mmdb_open_loc("/var/lib/GeoIP/GeoLite2-Country.mmdb") + || mmdb_open_loc("/usr/local/share/GeoIP/GeoLite2-Country.mmdb") + || mmdb_open_loc("/usr/local/var/GeoIP/GeoLite2-Country.mmdb"); + } + +static bool mmdb_try_open_asn () + { + auto mmdb_dir_val = global_scope()->Lookup("mmdb_dir")->ID_Val(); + std::string mmdb_dir = mmdb_dir_val->AsString()->CheckString(); + + if ( ! mmdb_dir.empty() ) + { + auto d = mmdb_dir + "/GeoLite2-ASN.mmdb"; + + if ( mmdb_open_asn(d.data()) ) + return true; + } + + return mmdb_open_asn("/usr/share/GeoIP/GeoLite2-ASN.mmdb") + || mmdb_open_asn("/var/lib/GeoIP/GeoLite2-ASN.mmdb") + || mmdb_open_asn("/usr/local/share/GeoIP/GeoLite2-ASN.mmdb") + || mmdb_open_asn("/usr/local/var/GeoIP/GeoLite2-ASN.mmdb"); } #endif %%} +## Initializes MMDB for later use of lookup_location. +## Requires Bro to be built with ``libmaxminddb``. +## +## f: The filename of the MaxMind City or Country DB. +## +## Returns: A boolean indicating whether the db was successfully opened. +## +## .. bro:see:: lookup_asn +function mmdb_open_location_db%(f: string%) : bool + %{ +#ifdef USE_GEOIP + return new Val(mmdb_open_loc(f->CheckString()), TYPE_BOOL); +#else + return new Val(0, TYPE_BOOL); +#endif + %} + +## Initializes MMDB for later use of lookup_asn. +## Requires Bro to be built with ``libmaxminddb``. +## +## f: The filename of the MaxMind ASN DB. +## +## Returns: A boolean indicating whether the db was successfully opened. +## +## .. 
bro:see:: lookup_asn +function mmdb_open_asn_db%(f: string%) : bool + %{ +#ifdef USE_GEOIP + return new Val(mmdb_open_asn(f->CheckString()), TYPE_BOOL); +#else + return new Val(0, TYPE_BOOL); +#endif + %} + ## Performs a geo-lookup of an IP address. -## Requires Bro to be built with ``libgeoip``. +## Requires Bro to be built with ``libmaxminddb``. ## ## a: The IP address to lookup. ## 
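Review bot: `mmdb_getvalue()` selects the union member from the caller's `data_type` argument and never compares it with the type libmaxminddb reported for the entry, so a database whose `country.iso_code`, `location.latitude` or `autonomous_system_number` node holds a different type makes it read `utf8_string`, `double_value` or `uint32` from an entry that was filled in as something else. This matters because `mmdb_open_location_db` and `mmdb_open_asn_db` let a script load an arbitrary file, and the string case then builds a `StringVal` from whatever pointer and length it finds. The guard should be `if ( entry_data->has_data && entry_data->type == static_cast<uint32_t>(data_type) )`, with a mismatch falling through to `return nullptr`. Separately, the `bro:see::` line in the `mmdb_open_location_db` docstring points to `lookup_asn` where `lookup_location` looks intended.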
@@ -3681,104 +3873,52 @@ function lookup_location%(a: addr%) : geo_location RecordVal* location = new RecordVal(geo_location); #ifdef USE_GEOIP - static bool geoip_initialized = false; - static GeoIP* geoip = 0; - static GeoIP* geoip_v6 = 0; - static bool have_city_db = false; - static bool have_cityv6_db = false; - GeoIPRecord* gir = 0; - const char* cc = 0; - - if ( ! geoip_initialized ) + if ( ! mmdb_loc ) { - geoip_initialized = true; - geoip = open_geoip_city_db(); - - if ( ! geoip ) + if ( ! mmdb_try_open_loc() ) { - geoip = open_geoip_db(GEOIP_COUNTRY_EDITION); - string db_path = GeoIPDBFileName[GEOIP_COUNTRY_EDITION]; - - if ( ! geoip ) - builtin_error(fmt("Failed fall back to GeoIP Country " - "database: %s", - GeoIPDBFileName[GEOIP_COUNTRY_EDITION])); - else - reporter->Info("Fell back to GeoIP Country database"); + builtin_error("Failed to open GeoIP location database"); + return location; } - else - have_city_db = true; - - geoip_v6 = open_geoip_city_db_v6(); - - if ( geoip_v6 ) - have_cityv6_db = true; - -#ifdef HAVE_GEOIP_COUNTRY_EDITION_V6 - if ( ! geoip_v6 ) - { - geoip_v6 = open_geoip_db(GEOIP_COUNTRY_EDITION_V6); - - if ( ! geoip_v6 ) - reporter->Info("Failed to open GeoIPv6 Country database: %s", - GeoIPDBFileName[GEOIP_COUNTRY_EDITION_V6]); - } -#endif - - if ( ! 
geoip_v6 ) - builtin_error("Can't open GeoIPv6 City/Country database"); } -#ifdef HAVE_GEOIP_COUNTRY_EDITION_V6 - if ( geoip_v6 && a->AsAddr().GetFamily() == IPv6 ) + MMDB_lookup_result_s result; + + if ( mmdb_lookup_loc(a->AsAddr(), result) ) { - geoipv6_t ga; - a->AsAddr().CopyIPv6(&ga); - if ( have_cityv6_db ) - gir = GeoIP_record_by_ipnum_v6(geoip_v6, ga); - else - cc = GeoIP_country_code_by_ipnum_v6(geoip_v6, ga); - } - else -#endif + MMDB_entry_data_s entry_data; + int status; - if ( geoip && a->AsAddr().GetFamily() == IPv4 ) - { - const uint32* bytes; - a->AsAddr().GetBytes(&bytes); - if ( have_city_db ) - gir = GeoIP_record_by_ipnum(geoip, ntohl(*bytes)); - else - cc = GeoIP_country_code_by_ipnum(geoip, ntohl(*bytes)); - } + // Get Country ISO Code + status = MMDB_get_value(&result.entry, &entry_data, + "country", "iso_code", nullptr); + location->Assign(0, mmdb_getvalue(&entry_data, status, + MMDB_DATA_TYPE_UTF8_STRING)); - if ( gir ) - { - if ( gir->country_code ) - location->Assign(0, new StringVal(gir->country_code)); + // Get Major Subdivision ISO Code + status = MMDB_get_value(&result.entry, &entry_data, + "subdivisions", "0", "iso_code", nullptr); + location->Assign(1, mmdb_getvalue(&entry_data, status, + MMDB_DATA_TYPE_UTF8_STRING)); - if ( gir->region ) - location->Assign(1, new StringVal(gir->region)); + // Get City English Name + status = MMDB_get_value(&result.entry, &entry_data, + "city", "names", "en", nullptr); + location->Assign(2, mmdb_getvalue(&entry_data, status, + MMDB_DATA_TYPE_UTF8_STRING)); - if ( gir->city ) - location->Assign(2, new StringVal(gir->city)); + // Get Location Latitude + status = MMDB_get_value(&result.entry, &entry_data, + "location", "latitude", nullptr); + location->Assign(3, mmdb_getvalue(&entry_data, status, + MMDB_DATA_TYPE_DOUBLE)); - if ( gir->latitude ) - location->Assign(3, new Val(gir->latitude, - TYPE_DOUBLE)); + // Get Location Longitude + status = MMDB_get_value(&result.entry, &entry_data, + "location", 
"longitude", nullptr); + location->Assign(4, mmdb_getvalue(&entry_data, status, + MMDB_DATA_TYPE_DOUBLE)); - if ( gir->longitude ) - location->Assign(4, new Val(gir->longitude, - TYPE_DOUBLE)); - - GeoIPRecord_delete(gir); - - return location; - } - - else if ( cc ) - { - location->Assign(0, new StringVal(cc)); return location; } 
@@ -3792,64 +3932,45 @@ function lookup_location%(a: addr%) : geo_location } #endif - // We can get here even if we have GeoIP support if we weren't + // We can get here even if we have MMDB support if we weren't // able to initialize it or it didn't return any information for // the address. return location; %} -## Performs an AS lookup of an IP address. -## Requires Bro to be built with ``libgeoip``. +## Performs an ASN lookup of an IP address. +## Requires Bro to be built with ``libmaxminddb``. ## ## a: The IP address to lookup. ## -## Returns: The number of the AS that contains *a*. +## Returns: The number of the ASN that contains *a*. ## ## .. bro:see:: lookup_location function lookup_asn%(a: addr%) : count %{ #ifdef USE_GEOIP - static GeoIP* geoip_asn = 0; - static bool geoip_asn_initialized = false; - char* gir = 0; - - if ( ! geoip_asn_initialized ) + if ( ! mmdb_asn ) { - geoip_asn_initialized = true; - geoip_asn = open_geoip_db(GEOIP_ASNUM_EDITION); - - if ( ! geoip_asn ) - builtin_error(fmt("Can't open GeoIP ASNUM database: %s", - GeoIPDBFileName[GEOIP_ASNUM_EDITION])); - } - - if ( geoip_asn ) - { -// IPv6 support showed up in 1.4.5. -#ifdef HAVE_GEOIP_COUNTRY_EDITION_V6 - if ( a->AsAddr().GetFamily() == IPv6 ) + if ( ! mmdb_try_open_asn() ) { - geoipv6_t ga; - a->AsAddr().CopyIPv6(&ga); - gir = GeoIP_name_by_ipnum_v6(geoip_asn, ga); - } - else -#endif - - if ( a->AsAddr().GetFamily() == IPv4 ) - { - const uint32* bytes; - a->AsAddr().GetBytes(&bytes); - gir = GeoIP_name_by_ipnum(geoip_asn, ntohl(*bytes)); + builtin_error("No open GeoIP ASN database"); + return new Val(0, TYPE_COUNT); } } - if ( gir ) + MMDB_lookup_result_s result; + + if ( mmdb_lookup_asn(a->AsAddr(), result) ) { - // Move the pointer +2 so we don't return - // the first two characters: "AS". 
- return new Val(atoi(gir+2), TYPE_COUNT); + MMDB_entry_data_s entry_data; + int status; + + // Get Autonomous System Number + status = MMDB_get_value(&result.entry, &entry_data, + "autonomous_system_number", nullptr); + Val* asn = mmdb_getvalue(&entry_data, status, MMDB_DATA_TYPE_UINT32); + return asn == nullptr ? new Val(0, TYPE_COUNT) : asn; } #else // not USE_GEOIP From 38296842be455af8cef080d938a9257864548ae5 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 31 Jul 2018 13:13:10 +0200 Subject: [PATCH 596/631] Update submodule[s] nomail --- aux/bifcl | 2 +- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/aux/bifcl b/aux/bifcl index 7fffb6bcf1..ca8b211984 160000 --- a/aux/bifcl +++ b/aux/bifcl @@ -1 +1 @@ -Subproject commit 7fffb6bcf1ea78331ca2fc0e7d16642ec2463ca0 +Subproject commit ca8b21198465a20130e812dc98a37c5ed7b3d66e diff --git a/aux/binpac b/aux/binpac index 4a06b4cf3c..9b2bd15865 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 4a06b4cf3ce2112426c306cd358753793167bbeb +Subproject commit 9b2bd15865a8723faa41ab9fd590250a976946e4 diff --git a/aux/bro-aux b/aux/bro-aux index c633a852ec..e331241bcd 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit c633a852ec0bb983e74c0f47b73d03a30b7f1259 +Subproject commit e331241bcd5565971782421d197f388692a3d84f diff --git a/aux/broccoli b/aux/broccoli index a4a859a7a8..548e8b2b1d 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit a4a859a7a87363167239205bd07fedced0c584a3 +Subproject commit 548e8b2b1d75298a8a19136357c58b049da8d847 diff --git a/aux/broctl b/aux/broctl index 206fc8254a..db67d55d47 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 206fc8254a4049dfad420d5571704de4a06444bd +Subproject commit db67d55d47dd8c35787865226f18ba9997e81beb diff --git a/aux/broker b/aux/broker index b5508f387b..44a7f2cd03 160000 
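Review bot: `lookup_asn` re-runs `mmdb_try_open_asn()` and raises `builtin_error` on every call while `mmdb_asn` is unset, where the removed code tried once behind `geoip_asn_initialized`; `lookup_location` in the previous hunk has the same shape with `mmdb_try_open_loc()`. On a host without a database, a script that calls these per connection turns each call into several `stat()` probes plus an error message, which can flood the reporter output. If retrying is not intended, remember the attempt in a function-local static and return the default when no database is open, as sketched below. An explicit `mmdb_open_asn_db` call still takes effect because the null check stays. `lookup_asn`'s body continues past the end of this hunk.

```cpp
	static bool asn_open_attempted = false;

	if ( ! mmdb_asn && ! asn_open_attempted )
		{
		asn_open_attempted = true;

		if ( ! mmdb_try_open_asn() )
			builtin_error("No open GeoIP ASN database");
		}

	if ( ! mmdb_asn )
		return new Val(0, TYPE_COUNT);

	// … unchanged: mmdb_lookup_asn() call and autonomous_system_number extraction …
```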
--- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit b5508f387bb6c24c95f23de479184869b9836769 +Subproject commit 44a7f2cd03e1392c18088bcf28b34882b171fccc From 9edd38026230119042dd71e1ea77840c68f63e0f Mon Sep 17 00:00:00 2001 From: Chung Min Kim Date: Tue, 31 Jul 2018 13:28:21 -0700 Subject: [PATCH 597/631] Renamed verify-run to verify_run --- testing/coverage/lcov_html.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/testing/coverage/lcov_html.sh b/testing/coverage/lcov_html.sh index f4ff6f2b29..c729b2145c 100755 --- a/testing/coverage/lcov_html.sh +++ b/testing/coverage/lcov_html.sh @@ -13,7 +13,7 @@ function die { function finish { rm -rf "$TMP" } -function verify-run { +function verify_run { if bash -c "$1" > /dev/null 2>&1; then echo ${2:-"ok"} else @@ -43,19 +43,19 @@ echo "ok" # 3. If lcov does not exist, abort process. echo -n "Checking for lcov... " -verify-run "which lcov" \ +verify_run "which lcov" \ "lcov installed on system, continue" \ "lcov not installed, abort" # 4. Create a "tracefile" through lcov, which is necessary to create html files later on. echo -n "Creating tracefile for html generation... " -verify-run "lcov --no-external --capture --directory . --output-file $COVERAGE_FILE" +verify_run "lcov --no-external --capture --directory . --output-file $COVERAGE_FILE" for TARGET in $REMOVE_TARGETS; do echo -n "Getting rid of $TARGET files from tracefile... " - verify-run "lcov --remove $COVERAGE_FILE $TARGET --output-file $COVERAGE_FILE" + verify_run "lcov --remove $COVERAGE_FILE $TARGET --output-file $COVERAGE_FILE" done # 5. Create HTML files. echo -n "Creating HTML files... " -verify-run "genhtml -o $COVERAGE_HTML_DIR $COVERAGE_FILE" +verify_run "genhtml -o $COVERAGE_HTML_DIR $COVERAGE_FILE" From 509efc58dbf3e94519bde3375671af37a86bd432 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 31 Jul 2018 17:15:34 -0500 Subject: [PATCH 598/631] Updating submodule(s). [nomail]
---
aux/bifcl | 2 +- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- cmake | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/aux/bifcl b/aux/bifcl
index ca8b211984..f648ad79b2 160000
--- a/aux/bifcl
+++ b/aux/bifcl
@@ -1 +1 @@
-Subproject commit ca8b21198465a20130e812dc98a37c5ed7b3d66e
+Subproject commit f648ad79b20baba4f80259d059044ae78d56d7c4
diff --git a/aux/binpac b/aux/binpac
index 9b2bd15865..5e098fe601 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit 9b2bd15865a8723faa41ab9fd590250a976946e4
+Subproject commit 5e098fe60180ceb38182a5ff530609d9765caef8
diff --git a/aux/bro-aux b/aux/bro-aux
index e331241bcd..1b27ec4c24 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit e331241bcd5565971782421d197f388692a3d84f
+Subproject commit 1b27ec4c24bb13443f1a5e8f4249ff4e20e06dd1
diff --git a/aux/broccoli b/aux/broccoli
index 548e8b2b1d..80a4aa6892 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 548e8b2b1d75298a8a19136357c58b049da8d847
+Subproject commit 80a4aa68927c2f60ece1200268106edc27f50338
diff --git a/aux/broctl b/aux/broctl
index db67d55d47..d900149ef6 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit db67d55d47dd8c35787865226f18ba9997e81beb
+Subproject commit d900149ef6e2f744599a9575b67fb7155953bd4a
diff --git a/aux/broker b/aux/broker
index 44a7f2cd03..488dc806d0 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit 44a7f2cd03e1392c18088bcf28b34882b171fccc
+Subproject commit 488dc806d0f777dcdee04f3794f04121ded08b8e
diff --git a/cmake b/cmake
index 9a9bbd2941..ec66fd8fbd 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 9a9bbd29413ed6eba645e09628ba8eed8232603f
+Subproject commit ec66fd8fbd81fd8b25ced0214016f4c89604a15c
From 4243a5d5b04408000b48c6f89b0081e5ac2fbd1c Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 1 Aug 2018 11:21:24 -0500 Subject: [PATCH 599/631] Update CAF-finding logic --- CMakeLists.txt | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index df5e4c68ff..fa56ed8b7d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -95,11 +95,12 @@ FindRequiredPackage(OpenSSL) FindRequiredPackage(BIND) FindRequiredPackage(ZLIB) -find_package(CAF COMPONENTS core io) +find_package(CAF COMPONENTS core io openssl) if (CAF_FOUND) + # e.g. if not using embedded CAF, then need to know where to look + # for CAF headers since that may differ from where Broker headers + # are found (and including a Broker header may pull in CAF headers). include_directories(BEFORE ${CAF_INCLUDE_DIRS}) -else () - list(APPEND MISSING_PREREQ_DESCS CAF) endif () if (NOT BinPAC_ROOT_DIR AND From 08a1480fd968c3bb3beadcd205cf0d7ab14b1f97 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 1 Aug 2018 11:25:27 -0500 Subject: [PATCH 600/631] Fix --with-binpac configure option --- CHANGES | 6 ++++++ CMakeLists.txt | 2 +- VERSION | 2 +- aux/binpac | 2 +- configure | 1 + 5 files changed, 10 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 80b5ea4d13..a6b09460cc 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +2.5-790 | 2018-08-01 11:25:27 -0500 + + * Fix --with-binpac configure option (Jon Siwek, Corelight) + + * Update CAF-finding logic (Jon Siwek, Corelight) + 2.5-787 | 2018-07-31 16:50:55 -0500 * Add Cisco FabricPath support (Damani Wade, Corelight) diff --git a/CMakeLists.txt b/CMakeLists.txt index fa56ed8b7d..452f2834cc 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -103,7 +103,7 @@ if (CAF_FOUND) include_directories(BEFORE ${CAF_INCLUDE_DIRS}) endif () -if (NOT BinPAC_ROOT_DIR AND +if (NOT BINPAC_EXE_PATH AND EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/aux/binpac/CMakeLists.txt) add_subdirectory(aux/binpac) endif () 
diff --git a/VERSION b/VERSION index 7abdb93759..0a96ff9b53 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-787 +2.5-790 diff --git a/aux/binpac b/aux/binpac index 5e098fe601..7e6b47ee90 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 5e098fe60180ceb38182a5ff530609d9765caef8 +Subproject commit 7e6b47ee90c5b6ab80b0e6f93d5cf835fd86ce4e diff --git a/configure b/configure index 56954368ef..46aaeb3bbd 100755 --- a/configure +++ b/configure @@ -241,6 +241,7 @@ while [ $# -ne 0 ]; do ;; --with-binpac=*) append_cache_entry BINPAC_EXE_PATH PATH $optarg + append_cache_entry BinPAC_ROOT_DIR PATH "$(dirname $optarg)/.." ;; --with-bifcl=*) append_cache_entry BIFCL_EXE_PATH PATH $optarg From 8c8b55cd1816a87d9111310d2c7f8174905d3517 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 2 Aug 2018 15:44:47 -0500 Subject: [PATCH 601/631] Use default version of OpenSSL on all travis docker containers --- testing/scripts/travis-job | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/testing/scripts/travis-job b/testing/scripts/travis-job index c6221d76a2..7e2c276762 100644 --- a/testing/scripts/travis-job +++ b/testing/scripts/travis-job 
@@ -59,16 +59,16 @@ setup_docker() { distro_cmds="yum -y install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel git openssl which" ;; debian_9) - distro_cmds="apt-get update; apt-get -y install cmake make gcc g++ flex bison python libpcap-dev libssl1.0-dev zlib1g-dev git sqlite3 curl bsdmainutils" + distro_cmds="apt-get update; apt-get -y install cmake make gcc g++ flex bison python libpcap-dev libssl-dev zlib1g-dev git sqlite3 curl bsdmainutils" ;; fedora_28) - distro_cmds="yum -y install cmake make gcc gcc-c++ flex bison libpcap-devel compat-openssl10-devel git sqlite findutils which; ln -s /usr/bin/python3 /usr/local/bin/python" + distro_cmds="yum -y install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel git sqlite findutils which; ln -s /usr/bin/python3 /usr/local/bin/python" ;; ubuntu_16.04) distro_cmds="apt-get update; apt-get -y install cmake make gcc g++ flex bison python libpcap-dev libssl-dev zlib1g-dev git sqlite3 curl bsdmainutils" ;; ubuntu_18.04) - distro_cmds="apt-get update; apt-get -y install cmake make gcc g++ flex bison python3 libpcap-dev libssl1.0-dev zlib1g-dev git sqlite3 curl bsdmainutils; ln -s /usr/bin/python3 /usr/local/bin/python" + distro_cmds="apt-get update; apt-get -y install cmake make gcc g++ flex bison python3 libpcap-dev libssl-dev zlib1g-dev git sqlite3 curl bsdmainutils; ln -s /usr/bin/python3 /usr/local/bin/python" ;; *) echo "Error: distro ${distro} is not recognized by this script" From 29c179c30d3ed5e2ce2b6368c654bbd69c8d944a Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 2 Aug 2018 16:12:26 -0500 Subject: [PATCH 602/631] Improve a travis output message in pull request builds The output message is now more explicit and doesn't look like an error message. --- testing/scripts/travis-job | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testing/scripts/travis-job b/testing/scripts/travis-job index 7e2c276762..92d8d6d53d 100644 --- a/testing/scripts/travis-job 
+++ b/testing/scripts/travis-job @@ -149,7 +149,7 @@ run() { elif [ -n "${TRAVIS_PULL_REQUEST}" ] && [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then # For pull request builds, the private key is not available, so skip # the private tests to avoid failing. - echo "Note: skipping private tests because encrypted env. variables are not defined." + echo "Note: skipping private tests because encrypted env. variables are not available in pull request builds." else echo "Error: cannot get private tests because encrypted env. variables are not defined." exit 1 From 02900c9401408a22438e7d9fec739c31b852fb6f Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 6 Aug 2018 16:15:47 -0500 Subject: [PATCH 603/631] Updating submodule(s). [nomail] --- aux/bifcl | 2 +- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- cmake | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/aux/bifcl b/aux/bifcl index f648ad79b2..08142075ee 160000 --- a/aux/bifcl +++ b/aux/bifcl @@ -1 +1 @@ -Subproject commit f648ad79b20baba4f80259d059044ae78d56d7c4 +Subproject commit 08142075ee48e0db5897bd6e7d5a03f1e9eb8084 diff --git a/aux/binpac b/aux/binpac index 7e6b47ee90..08cbe758a5 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 7e6b47ee90c5b6ab80b0e6f93d5cf835fd86ce4e +Subproject commit 08cbe758a5d6d2d404dcd552e246180827d0257b diff --git a/aux/bro-aux b/aux/bro-aux index 1b27ec4c24..b9de0fc0d1 160000 --- a/aux/bro-aux +++ b/aux/bro-aux @@ -1 +1 @@ -Subproject commit 1b27ec4c24bb13443f1a5e8f4249ff4e20e06dd1 +Subproject commit b9de0fc0d1d9c65bfbfa8fca68f5f668e4f54203 diff --git a/aux/broccoli b/aux/broccoli index 80a4aa6892..3e01d4b41c 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 80a4aa68927c2f60ece1200268106edc27f50338 +Subproject commit 3e01d4b41c525870cfebdb131a62d54d998d55ff diff --git a/aux/broctl b/aux/broctl index d900149ef6..4f73b40c1a 160000 --- a/aux/broctl +++ b/aux/broctl 
@@ -1 +1 @@ -Subproject commit d900149ef6e2f744599a9575b67fb7155953bd4a +Subproject commit 4f73b40c1aa31657199f1021ccc974f4e996c79f diff --git a/aux/broker b/aux/broker index 488dc806d0..1236cfc64a 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 488dc806d0f777dcdee04f3794f04121ded08b8e +Subproject commit 1236cfc64aae9ceb469ea9cf141dd2e3e9422e6b diff --git a/cmake b/cmake index ec66fd8fbd..f5265a1ea8 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit ec66fd8fbd81fd8b25ced0214016f4c89604a15c +Subproject commit f5265a1ea8b5631aaf00164452ba718f8635db22 From 29359ffff22802f075dbc6095ac0ed7ea921469d Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 6 Aug 2018 16:36:10 -0500 Subject: [PATCH 604/631] Updating submodule(s). [nomail] --- aux/broccoli | 2 +- aux/broctl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/broccoli b/aux/broccoli index 3e01d4b41c..f061c47c1d 160000 --- a/aux/broccoli +++ b/aux/broccoli @@ -1 +1 @@ -Subproject commit 3e01d4b41c525870cfebdb131a62d54d998d55ff +Subproject commit f061c47c1db058339aa8d273d2d9cc1b27d8518d diff --git a/aux/broctl b/aux/broctl index 4f73b40c1a..b1f127c7d2 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 4f73b40c1aa31657199f1021ccc974f4e996c79f +Subproject commit b1f127c7d25522ddf25f6677f5914e467b5f86d7 From e6042940dce27ff0588d52a7cfd9d43528d56bf5 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 6 Aug 2018 17:04:42 -0500 Subject: [PATCH 605/631] Fix (non)suppression of proxy-bound events in known-*.bro scripts When not using data stores, these scripts were intended to suppress sending duplicate events to proxies by looking up the key in the local cache. --- scripts/policy/protocols/conn/known-hosts.bro | 3 +++ scripts/policy/protocols/conn/known-services.bro | 3 +++ scripts/policy/protocols/ssl/known-certs.bro | 5 +++++ 3 files changed, 11 insertions(+) 
diff --git a/scripts/policy/protocols/conn/known-hosts.bro b/scripts/policy/protocols/conn/known-hosts.bro index b920912f11..410ed9edfe 100644 --- a/scripts/policy/protocols/conn/known-hosts.bro +++ b/scripts/policy/protocols/conn/known-hosts.bro @@ -138,6 +138,9 @@ event Known::host_found(info: HostsInfo) if ( use_host_store ) return; + if ( info$host in Known::hosts ) + return; + Cluster::publish_hrw(Cluster::proxy_pool, info$host, known_host_add, info); event known_host_add(info); } diff --git a/scripts/policy/protocols/conn/known-services.bro b/scripts/policy/protocols/conn/known-services.bro index d737c9bad0..7a829214c1 100644 --- a/scripts/policy/protocols/conn/known-services.bro +++ b/scripts/policy/protocols/conn/known-services.bro @@ -159,6 +159,9 @@ event service_info_commit(info: ServicesInfo) if ( Known::use_service_store ) return; + if ( [info$host, info$port_num] in Known::services ) + return; + local key = cat(info$host, info$port_num); Cluster::publish_hrw(Cluster::proxy_pool, key, known_service_add, info); event known_service_add(info); diff --git a/scripts/policy/protocols/ssl/known-certs.bro b/scripts/policy/protocols/ssl/known-certs.bro index 25365eb4b4..e45a243dfd 100644 --- a/scripts/policy/protocols/ssl/known-certs.bro +++ b/scripts/policy/protocols/ssl/known-certs.bro @@ -127,6 +127,9 @@ event Known::cert_found(info: CertsInfo, hash: string) if ( Known::use_cert_store ) return; + if ( [info$host, hash] in Known::certs ) + return; + local key = cat(info$host, hash); Cluster::publish_hrw(Cluster::proxy_pool, key, known_cert_add, info, hash); event known_cert_add(info, hash); @@ -140,6 +143,7 @@ event Cluster::node_up(name: string, id: string) if ( Cluster::local_node_type() != Cluster::WORKER ) return; + # Drop local suppression cache on workers to force HRW key repartitioning. Known::certs = table(); } 
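Review bot: The new early returns in `Known::host_found`, `service_info_commit` and `Known::cert_found` have no comment, although the same commit documents the cache reset in `Cluster::node_up` and `Cluster::node_down`. A line such as `# Already in the local suppression cache: skip the duplicate publish to the proxy pool.` above each `in Known::...` check would state the intent. These checks also make log completeness depend on the local cache being dropped whenever proxy membership changes. The known-certs hunks show that reset for `Known::certs`, but the known-hosts and known-services hunks do not show their `node_up`/`node_down` handlers, so it is worth confirming that `Known::hosts` and `Known::services` are cleared the same way. The handler bodies start outside the hunks.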
@@ -151,6 +155,7 @@ event Cluster::node_down(name: string, id: string) if ( Cluster::local_node_type() != Cluster::WORKER ) return; + # Drop local suppression cache on workers to force HRW key repartitioning. Known::certs = table(); } From 71266167074442f75f20925425fd25093a2683eb Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 6 Aug 2018 17:07:56 -0500 Subject: [PATCH 606/631] Fix an "uninitialized" compiler warning Though it is actually initialized on all non-aborting code paths. --- CHANGES | 7 +++++++ VERSION | 2 +- src/Expr.cc | 2 +- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 5e5d425b26..07f2aefa93 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,11 @@ +2.5-815 | 2018-08-06 17:07:56 -0500 + + * Fix an "uninitialized" compiler warning (Jon Siwek, Corelight) + + * Fix (non)suppression of proxy-bound events in known-*.bro scripts + (Jon Siwek, Corelight) + 2.5-811 | 2018-08-03 11:33:57 -0500 * Update scripts to use vector "+=" append operation (Vern Paxson, Corelight) diff --git a/VERSION b/VERSION index 6e9545e5f2..ff24872445 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-811 +2.5-815 diff --git a/src/Expr.cc b/src/Expr.cc index c5f38841ee..f958c63ecf 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -882,7 +882,7 @@ Val* BinaryExpr::SetFold(Val* v1, Val* v2) const TableVal* tv1 = v1->AsTableVal(); TableVal* tv2 = v2->AsTableVal(); TableVal* result; - bool res; + bool res = false; switch ( tag ) { case EXPR_AND: From df2e2672d920bfeb9442724e4031416807a2ed60 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 8 Aug 2018 09:43:46 -0500 Subject: [PATCH 607/631] Updating submodule(s). [nomail] --- aux/broker | 2 +- src/3rdparty | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/aux/broker b/aux/broker index 1236cfc64a..6027177387 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 1236cfc64aae9ceb469ea9cf141dd2e3e9422e6b +Subproject commit 602717738716918e6f3e2c93cc17f92a0b8d6d36 
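Review bot: In the src/Expr.cc hunk, `bool res = false;` is initialized only to quiet the compiler, and nothing in the code says so, so a later reader may take `false` for a meaningful default. A trailing comment would record the intent: `bool res = false; // overwritten by every non-aborting case; initialized only to silence the uninitialized-variable warning`. With the initializer in place, a future `case` that forgets to assign `res` is no longer flagged by the compiler and would carry `false` forward. `BinaryExpr::SetFold`'s body continues outside the hunk.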
diff --git a/src/3rdparty b/src/3rdparty index b7c6be774b..02c5b1d6a3 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit b7c6be774b922be1e15f53571201c3be2bc28b75 +Subproject commit 02c5b1d6a3990ca989377798bc7e89eacf4713aa From 2c9dbdd05533e83316d26e596828a106a45f7918 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 8 Aug 2018 13:03:22 -0500 Subject: [PATCH 608/631] Fix cluster layout graphic and doc warnings --- CHANGES | 6 ++++++ VERSION | 2 +- aux/broker | 2 +- doc/frameworks/broker/cluster-layout.png | Bin 52806 -> 56499 bytes doc/frameworks/broker/cluster-layout.xml | 2 +- doc/frameworks/geoip.rst | 2 +- scripts/base/init-bare.bro | 2 +- .../output | 8 ++++---- ...g_data_struct_vector_declaration_bro.btest | 8 ++++---- 9 files changed, 19 insertions(+), 13 deletions(-) diff --git a/CHANGES b/CHANGES index 07f2aefa93..cce85749d0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +2.5-819 | 2018-08-08 13:03:22 -0500 + + * Fix cluster layout graphic and doc warnings (Jon Siwek, Corelight) + + * Added missing tcp-state for signature dpd_rfb_server (Zhongjie Wang) + 2.5-815 | 2018-08-06 17:07:56 -0500 * Fix an "uninitialized" compiler warning (Jon Siwek, Corelight) diff --git a/VERSION b/VERSION index ff24872445..cd1b9210ec 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-815 +2.5-819 diff --git a/aux/broker b/aux/broker index 6027177387..398d8f9dad 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 602717738716918e6f3e2c93cc17f92a0b8d6d36 +Subproject commit 398d8f9dad05a6a71b3bbbceb65243b2ab56350e 
diff --git a/doc/frameworks/broker/cluster-layout.png b/doc/frameworks/broker/cluster-layout.png index 8016c7321bc5a7e4be48d7856079c173b56b4b13..3813bfbfda1540c3bb31aaaaca3691f7a647a170 100644 GIT binary patch literal 56499 zcma&NWmud|vn@OX4^D7*g1b8ex8N>=I{|`g(BQ#cf;$9vcXxMpcRfR%XJ7mLIN$fa zfA4FiySi#s)#|G1;IDGx2p@4i0ssI6Nr^9t005W^0Pukv1`70L&3FqH03ZTLei2f3 z(LL6Ic0ub|@-}5am)OV8O@Kfa`qBdhvyCWm8r|dr0Y(Mu8-m~D-4lV2PArt{D+u}u zXn+$%R{nyFLi`&RMj|F&P@*O6Y(cs+h}hW1$=Qiv!IOXh#&xOr%+`y8gN4UW&>d|= zu#u~X19}{jaXAML@z5W@CJMv0$;2v{h_tifv64AHKJ~!GMTgwC^Pz8t2qFPlc<;gB zt|80!Sp+XA!VcyHE7@u-*UXT0kBtNzhr;p;Hea|PTRzpH?Le}+p}YXW8X|X_S8B#u z%V}q4Mdl*{{jBYZnA+Pe`wdqb;XNee%Uedf{yEY|2%WFU^;cKFKequw;4U*c1>P13 zS4Tu{gWIaAJNq>R(U^}^SU zN3R<9_ZfAA`bY%YB!v)g(WkAaISYVKPO>7Jwf?_$=>VK^l`xFG-*&F4`neoG(i8A` z(4RdAEI)@P_%4eET%nw=iOs8?#0)2y^qaC|0w+zS_Z-)8I^5GL57B445iNgrff;^( z1%qvD_vtNlySuQplP(|6e7q@Ei&rNRctTBGyy@FfYVuU6hktrD6&h3w+r1Y%!Y}(qq&8~Opr|~WB90inNlPZ_m{GK>+FRx1h zEbg}u`_Iq#&vDI3eo9J61!TN*@Yu|mK*hkE$6u1+>*Swj4>!7SXU&xbV4t4@{YAwB zSgq#dZd_ZwZ8NUcSK*^AtnXl;K z>r`-0UE8qPmz4~3*4}F`9!pJU7x}E&I5pV9Zy-Uipw95oR z(e9$yyix4je}0}*U+`CxZ0M(zz(}+49Lu_77OV1{mp2pRhP(W7uC>Z>Po=xWR?)}zjANvvdeB$xal}EZFD{yB$F$CdtkPbPj+`aucNWh+fvb% zLWsekkX$cB@nF+fDxmqcoA$fAz!jMRt#-?_7o)`X*|F)dQX|};3KfSD4)MkuB@zy4W zLs8sUEOs8Z{khAEneA|yt8lMhLAFTV@Z{HggO$0{=|)>GyriU-5|3s{nW{x%^B)4x zUwR8be?fWv>>&5nmjQE8u4L#e;x?iipjOsCrsw4)+SZA&SyP!u#0`#(Lt)$hI}n7z zmQ!`?-Te#Mt|m_m0&5fR=j^$ON|pJvX6Cy&y}Fj$`9MN`lcNSF_bEmV*B3S!)pT5I z2t6U2*}ib@Mfc|}>mzn+%_fap-&s8_cPKBN>izACoq;+)yDOcL6$tH>m%NsVAl%er znyAYJjDWct}-HJ zj9nm`I6N}sw`ssJja0aYPQ)r>0U-~OSc9Z#f97W8hM$X})+X)TSpo?M>gZq$XpLKBz-VRbay)x2%=ZRBN;X7Yw2 zwM{kFv7H9eagFP&yXaKvkr>|K=qe%rv*n_EAlfvuR^NUmk8s`I zh915#n^1dXD9DbX1)h)F*|%KR6B3yu#cZ6>m9(s%Sv*2KBmR5umsQ**zzwRI3h;nRn?)fYUX`Q(@(kS!X#a5*8%-8q!pzXSXIu0E6^n1k#y9UE* z#!D1P?{8n6H(HmZbYWgR4w%i<+xVx;)sQe2@EPf;QA1X2kUDtUlDGcUJk+h}@1{2V zy6%0;^h{x|*hsKu+=x@-+s1ooC%V55*!%6e)%$I87~92gRE^Qth<2XC1F26g&6h#X 
zb>WlVLw-d8OvLLI65hie;k|wbNxAsBZ;RgUXv5=;ynw*X$f~CRSi5cpeRGIkIb9;H zp6@gQ?)s4N5HYD8{RM{x$PGKx7UFc6dh7ExHm(}`5{pv-XuGga5pKw>o@YAsbi8=F zNiSR;^=3?XGI|Ks$s9pHsUq81w)#3=JfGae24CFQKFag6LV2y#5pJ6BA_;glb!Xpo zyPtJ6#|Ox-kR2*te5nst617E z9!$p%c2j^t7SyylX^3r<3l9 zORZXmH!xmxj>fBp;Q}6<4o9_)fC|wbyo0IVGwd=Sdpfb)A0?k=t=H2i^FPhWzvD~A zm%PhLd&;hV{3rX%X~8Y$y0}Rztn>9TEK)cY*o#=7(CkK6#r8@a@ZR%IXshWgAlp*s z+s>g17ONfe@t=G_vzF*F_>C?>qP4j^{tv$4x20NLS1}a2q0)(28nqPo=>!6Z1c|H* zBG-3ot8-WGLajPSs>rtNB3{7XdrLys*OVKPXf&y9-(gR2STLL@%6(EaW3{h657!(j zm`TAuJilaSR=|XTL%Xy>#_|P4;QLLC@yUyx_tjZ%%`KE1<(018BLZNuT{!IIry+uw z*I84<9DE3iWE0U)V-l?b5=^~c329@vs3aN^O$TXud{x;Ie%z=UjAe{);B8feIG)Sa@we9%!lzzcO7~Nuodb9L>Q-Mb^*45CBq5rg$Nq5yLLZxMfqy zn+yj@XIeX`hr68dQFfBl-rRO^8P{)@_(&hd8y$h&K2IABut;6$enIW5FR=G4Gf*8u zLIj^%(-OCdmm*Dh_rUB$AsB`i+TN~}7+r=c$i|_5m+8W zG%nCy+|nn|{8m;G+Iz1iH>v`-A2Md=L-Mh`^V_WNsAUT(9?H0VdNa{)adinIIoApS zoQy9WM<%?~*6LT5oYB60!?;F-^Lu{&Apenjb-K3-_+y)@%SdL9UMXb`_Wojl&?{Xu zOD)FOf~}*;faD2~FFmbwLLRdWsJImxifbZB(M>QSY-Ys4%oFpUsIQ2VCfZJ z9ms%2>^wJ*bjwrr7srZ%pl8*x#kUA_m_OT(82x|5asS{c29zro*6R=9MCfNft&MW2zXd%LVZ~5hi6T@b04p zI7L7!qv=D)Tc*&xlgCS}p~_dP$N}3RagPZyM*S>) zJm*-PVsl?*IbslSVa7?r5*_Rv_(F?SPArHScTiAjxpsFj1y|OIHYX4Ytx+37y$Kz? 
z+sr0s3ty zkyS=DG9rZWpfb^Z@b2u8ZiY5kQ~EqzRAn{o>+7dgb9OQRT8o2f^T|n0~Q~|p;W7i=!7iG zQn?VcFzGo78kmi(3b}yp+mUfePRZd@U>(J&xP78Id9d!gmNzjd_-y`jzm0u1Wc@~% zQdmKBj%G|*C9&BnJe+loO|onjg;%mehbiw5LgV+>52HY1n-2C<;$(( zB&|B@&-g8GZ~zUJ1zke?m3oPw1mdu=!D!Dp!^j{g8V?T($H&TzQ|1R5n0 z=_OTVsnai}6PzP?L4Xc}h(0?Ms))C;f|+U~ow@WdtgX-KB16bXNJmP?Yvb%HUEASF zq&-H)N|n_$=jbhqqUY$eMXFNgCWb~5Pl%z9-QnijG(E9AqxjMoY4Qt~Q_zHOw@(bY zt(SmxHQQ$cz;-280O92;+Wk5-MpcuU{*Z~He;+okC+6m# z3PKMr|B;I~Tf5-uA}aLB!F|2192l7p?DGM2B@LN5Gv9Jz0rm`I^FLUVQh|@0lpu8Ob3Y1V>}=M@S?cM z@_Vi+I_EpVBXCWmpL8sq>=&dt#BX*1bl`xL)m;}+dV#s68Ad9^7*?fP+C%D^$Yj}b zRQe*;i@UQXG74%w4;P~r3_dqyul~kqbjAMF!j+~gmZ`bzL?yiJs{m)FF@D)Q)3c8D6m8d0hiUV!yB^F4daabz+0s;}w*gA$d@F+=E8;u&6PSlb zSOE`610|DB>JO!(kwaFRFg{B}>A0VwlBH@w3%Ch&pLO3&Bvm1{Ct5fkI?L&6`jwH` z)Y*&KrG2=fHypaA>4~6hh3~GiJhhu3(q;i(-1{+V?fd1n^x4b3^a8(gN2uU_C!B02 zRZ!Ng-Be&IFoGZwMXs|wl1Y8af5{EamDwN+gSNTCU%|tl&hZb4kn-`g-+-<7zA1a5 zR-G8|@+`x9ljHR&vLrFqPOyOUiv?Oo)#Km}E3Qr%-nEWG{+*HR4BBM{Jyq zn&TC5EZK)?2a7%1=O2!i58juTN=|QAW4An-wLkG&7TL0^Q95J8&PgUSq&O_Le89XQ z!*OYQV4&@|Tf0X;C>65Qy=rDN zCZ*Tdy1T@P{b8xINkETbmOY@3h)NcH2bHQScEZ9n1d&;O9ms|o_<&5~zVY#KXA&rZ zwH%ujo=&kZP;7@p&vlI%SKcp>8kVZ)sY4?xk5-S1ck%kM$|q7F8p7C@`Qu>wzIY%zxjqCTao84#RfLNDQ}!RdDW(URwbjTS z4D^ijr@o9zgGvhe##t<1(+gPb$}aGQ8}`1N1W|S<9|GY%youk|DSzr#*#G>Hn`_g! 
zJMFQ4ye`C?tVEa1h!dsU+m^gH-Lq92Jzm+$=(-Z1pKsl=oSWF99O9|M6{lVBd|mFJ z^LpM19HKOW4eKnJGDwB<_fr0?9|lmli-#ldG^P#i-`Gx^H+&0PGPzRj&v(_(zs zU2&!xaKemuK2KOP>LM$~1{7Mz8{~^2^A>Zl<}ZAoj&xY#AakAh^D%k}1)vFsnRI6} znd7DHGXJY0euM-Z`~yzi>5BMVh;2f_lOT$1wzN$PyV)#1U4cRk$4%Q4e5u9RA{ zv(+2-F`bfqcr0MVONQg0DAAr~o2m|zyH^7l)M-hwDt3xPn+;@!uniiJW2JvF=`d$+ z^+A^D`H5>NAy<0+*{JY2_)j)aQRdcW+PET+(z<;{{mRwXR0SE>-4Cp;N;U`EATKBb z5QQD`U0rk*td6&?jNgW*z$29qZk8?8OX|lU;vWT7n}K!ir%y@Vt)l5^!zajR_zvaE zbu@GZRh4UV>V5r{HiFOP4Rm~rB0ZW!dZTO3RGuKE&H30j_wlKo&wVwZ5SCzr--4he zo{g-_zzy0E50aNdEF<|5+8W6|Ion3aC!W}UlBDD|!R(}Bk`!;=Eb+RM$lvv5vWR(; zU-rDDRk49~LahBB2ntqfp)xe(N#`WWPl{QXVm$;H9JRJE`>5?H)>98KPeNX4liYl;0yksH3gIpo^r?k3nq z3|UD*`ePiF79tw2OP;dv&0>uLtI-UbSM?ou#mh8E4p?yo1bqU}@gi{JkNdAxGip2n z7mPMh2uv%uU*Ck+iu}eI4@9HXWggs65Nir-Kk@pB&V2VH{#A_oP14qJyt#$iD%zHw zw)=z6H}xdOqPH=*l=;!Lr8}$H9LwxX9}@%-;YEnYCywjA@4vlZW~PAJn2dyBhqH9u z4GmyE^}HOy4K`urXqTs{zFD2pdsXFlZOZB{PIC)YPfCcdDk~RY9}3|JIXnM=cP>9A zP4cMFK>ivs7~XP#!-aR?mM&{hd)TT>Ob3G>i)|&UDQx_fhA{>32VxW5OW4-H+2$6# zE`Z99U%g_WFyU3*@k8|4WKbzeDQFuXX+aUr-!Um%0N|^3t=fkntgTEz;UO3s)goB= zVd7H@Ior{zJNwA}Mju%0YXF_6arTW;ZqDfflgMQ~ZLd36mzG<~mKUlkTYpI~{;Y7{ z6WkI`BaN&sN7WJLZ#9LosUhf~8{srM1>`HAH(rdI59wOH153SPoCBaudaRt*JFR&v%OP5l{Lg95(EHP%^-7d51aiQ z3BCL@G?h}jtj1kK^4uo4-ATBCpak@%muY~>wg=*f5`7=g`(U3O&f|!e%*ndY8mhog zW>>|*&c4p6R}D`(+;9~_dEoofDu#8zVfSjc5)(5d*B{%Ruq-AeSGv7>WPQ7|eXC*t zq9>-Fy{t%JZ6dbP(gv~41IzcI?DIUh&73lNt}PS^9FW^kG#4dg8-|Qeh5J-5Zd(O6 zCBuIgt4qr~QTZCj!0N<5m&)jwy(4VQn!@)Vb&u?2aCEgI_hyH z7AAP)Y-j_K#-MQFZx+`}R6`s%Jc5!s?p{z1<+3gf53$%mT#qLXLjv(S5Brxto2Lv}nRI_yp=>4!0E~d{ zPgObRR`1i$OJdixLhaF=ROVrWf~n+ru%D*1&#uxV#cmO;3DIS2a9Oh^<# zNCU-X(gE$+kv7Ps4}4>Vhv!A8T)SlSEPJ zuAq##vo3G`r&v2QA&8gAPNV5r_mCB{2^LzEy7`(Wea&CEE=IgJ7qK?)Y}hMuot{ma zP0oI7{E=ct*29P^?Tnh(&sufQH-tLJj8XiDkEs^K={ zNgy(&WST%_B5bVl>&q#w>I;eAl*X`tB>j zL+gm99tvedPc|ot-)W$;QV!dV;k=XI2^+-}W4L^<0+(U%fnpjS+k8!j9ZaKQm0t=( zT?WTvhKa@%T&GbJ2sP#iF`Xvx@7LI(-LErHeV3mm&DnP$?7&K)C@A%Qi#3OZSU^tp 
z&d<9&cx*`ejSx3i^gN@C!gMC;1tRnQuH)X7M)w&qNDX81=mo?11gu)htvm|HPv~*U zE%33$Xs|%PfwNe>zfx80%Bd)(twj3P_@!lLb#CeTPqZ3&M^);Uy`~He7eRTLgq^wu z`HGf+#fgkCkH6)y3t~8{`Uz=^HD;;D!jN<)vCZ#PZ|%2jqs?qg3C~wNT-?-fxCH78 z#n>UMN`r2Orq>g#$$E_e^F-PK)*&|G{ct!N*TU~4$1n1lUQOa9vt@b(Z!Rn6Cl}=$m$?+@6b$PE zlST>5mhvES=kEs8C0yxOBK#rM#Ju!s!?L<@imTAKOBe+X$1skrgmx z_4uj%C3CgbqMQR(NqCl$JBF*0$H%5&)#QxIF=8+R05u#rk)LB7yU1V2*AR)}loamn zf++Ub>3Us*AA=4Q3+GZm00k0=Ywc5?adSPcH?8pYLWuP-{V=U@?Rtf%7RQMRpbfsR zn0qiZm7P0{T1Z9*Z>M1ni6MwtqCk0c>N|LBTJuWv&#B6&##zR*Am^~DL4r)xHTW|E zulwjb19r)6M~m~e#CzmlKir#zM^9vCWM8>= zs-WlMQOHsn7CsYj8Svni;iXw94f2eYx)w`Ys^&oAw8p59@K5pF_^w~*E^IEUe#t&==!lmFrjr4 zwYoiF%rulASGN+A0i2=*ig>Vb%+s{ zlu3AqaorR_wXgYbd*<;8zKRNr^d1I?hY55jDWV^R4?VCW*ph=v*$O^1nz?;Sj*z6f zEDgk?5<90A*qBWTa{m0mdxQ2wP7y7l27wI_kT)V%b?{374FTUu%b}j+CHeqw%vxGV zTTWNId$A^Z?ThHAI;^y?-y%nszdMGI#U6g_F@$5+o5y_Hnnf7Xy!tt6bFO7wvCtH9 zksoU#+mjRfU~~bNoBBVq0DK|}3dbSHyhmKrAaDM~Aod7!deT$G_!UQ|cOs+WSz(fx z-DkMIw-x=Q7^ATh9Y+Yt#u#9f&9JzHKxrNA)$$<&-muUKBEJ={SQQz?#|ssiyc8LH zE`j4oE&R0HVR7SH^>U{8NI$NQDw_%pB}m$ja$8+$JTc?5mr91@YHyIV;DVIb>`xHM z9{158PWOI+Jl6(lFWf}ZSD7OM+O%w?Q;wvq8~A6F{UsYL+ua1+J>3&gd5_9zt3y5Q zF_*QTT9=djYvbu`!22Ab;28`c?4XK0{pwuLRa`;0dO#;p2~%?)7~Up|47)nMn4Yz~ zxvYwJw1LWlam$A9PHeS3#Mn0lm18G9Hb;IvN*7ZrWwq{X+V*=EPpL&Ei$S^}b?w~( zc`&<3!|ov5=&9SPYq}Z+y}q11k&ugcb8`D$D~PejPclWAHaVwQthccMDA`o>1DFI= zqA)tFaY`RSPRB`8UB(z{Xk#Z(8Bz?;jK;|8hf;}Ca;uhm+cB8VU|2~jUZUq_#OFs` z9Ru4@mF|Z+N*{F@=c<~P$1Kn~pTwI`ps&k`cYIWd8|-oN6Nc)Dei;iAi-WoegR#rX z0~j{s6P#0Jjy$mBytKk?66Vg+BSHOuomOf#bOqzCxnIoT`qnj zuXKe3mRxLx(d?KdOalgiA{f4=TzzC{N(Vz3=3t^l`Msmn{M?OpQQx%b+cjE7m?Em_ z=7tJiDjky9;|@wf!%NS0L;aWXaVF>OlES4Kg-2diKHGe=ICRCqwLdICiBYUhV58X4 z&5li7-$AU;B554%&0y@~I|^+=kq|7b9o=Td%?I~YbM)zjuUVXnuKrDeJtl{n{`S?@ zVOiEvq|^<>5-``tzk61`s4Zf#WMv1QbB~$5{w>7LM&P+wbmb^pD}RWwNBl`n?t-Dm zHHbNB&eY=T!Y`N+eVeQ-s+xjd^PNJ?N||!lp;P2AK)7P}Q zpm7#&W)5K)&u?T^K0>&-Cl7}^Ca4+^zUvc-YazV^8YTkuk;=K(^Chj-2C*cqbNjxm z4%jtD-l)2JE8?RzD3&mY`Xqp2@LSY=KUFrA%-{k)IU|+0966~=1OJaA>Z~CHZoO2s 
zY4h%6Hq0H`+R56T&%EX-|Jx5J6wBH1v}H}g*?!vSf-25NG1s<;bI=T1AP%S>;WIZ+ z*!ekO%+wOX6ef<>9h~%vf}0YZh=$7({Q5o$^9cDwIH`3KF1eliE6Nb+3#xB|17cxi z_y5I(siKQbaHSk6@_RUOf%|*VJ$7+v2lOhdsqqESD7#tL?Cz<`>>5iTh0!o>mf90~ z)8ch$!+UiGr!L*FKW&vPQQa$jjGupAB>|hb(?>pzZBx&%Sv?d*UeZklGQC@|-r=%EszQ=?~w!E;Oev zTog74Vxy2Wh!zopm677o#}GX~*ezJa`*sD|*V>+}jwFSAFBtlCV(EB9<3V{5Y3OgX z5cR=<#1L5)YKKp9^O!eSY#@M2=zQ+}E@7r$#8qh4c+`Z~UP0Mo=GTpT0x$UU+)>kd%U1G+xD}k`Aq0)deKt?{S#om)t|6 zxYw2`tJEH1kaZkA3cl0Q9`#KoOuC{!)BKR6!q6#%(H-O>ncM`a^MCHaifPFteMKyP zE=3eEH{dbbPZOopmLChMj)rg zuICFvH{M-HhlRHfX#LbFgT<_^2h6~{oR{uFQ%5iL*~r}T!^M%uJGoFh`k;wXm=wOK zT-)T-PoLh!J~AM+rQdZ-L11_1i4RszVMy+rto{*4Xlvl0DU-sP?oCHRZe7LUW9hRr<`VU5dr4_NBgnS{6Rd*4;Ok^i@o74)fbb9OIz_ zKQf2j4YnoAKV4sc%8FZO50Dp|$6IPP4_&VOYw=~*>_2B=;fEnEMsrJeK-R}xwUk&1n+t!XJ@cK067XJK!^v_eT>!Sr>;C2@oAFsRkKiVEbU>P4!@X!N)Z`j zwzIhD`DfwuIL_>*O02lVBC-+8_eDe(y~wvyO|qqf#`_FTMKgm_zE9Lh`C``o_~XV> zwmcn1;$@CHA{_J=J`|=PM^;G;TIf=mnw{8}{#`}EZ4a?o9~88Jhe35LY3=t{h1~Lr zOG+&As8qza%>^)fSX)RX~7?k%Uf2(P5ot)VZYW@1!iQ8ha!7ZWek{&hbCqbp;K zeGrYN81fagaXXU?PxLoJ3M%V``#<`sWqco3R%A~pCq4i2>q zr-LRKUU-cxfQ(fo7mG%q`VaR=@A9LzV9e{lfNM3o*$umx82bRyv@wV}nN+iH&lhr{v@^I+g&bpZcscVn33~K(Z6F5$+|>}0KMhCOv};N0&0hx<%a9o@V##-ecBvc zQ?5)e@oWLXP}>N94LY4DR>|{t?;)rN0-lN1GSV773stHc$Ynu-r0wlDQWg?JN@D^2 z*ECuzs&4;oSMrsp6G@U-G_fsj@O{Iw#Db*6t&a$*Pg?KdPJcgjH@4P)7t+kKS4#dL z1*M~Z{BloBl>>9dFLI6@U%dkvN1S%P+Q(;GNt@ckRsuJ}A&ar1;B)zC*u;S}{p zgCr3gy??i4MK>-HQIwz(2E`3_Ra2Smlb=(bzv~vyGHZm2_o}h(9-0~oItmM+&8+)N z`zpO?JqOY_{@lj>W6K`ZgdhBp#JMnjafFNN_zDWdKfsnhw#@K{fsUK5XiMYviQ)Z_ zJFrXqJE7h& z)-$K(1Vgg@e z{Q`lI2n51#P;q!Xb_@ItRKnc-YnOD~@O5(<8eMrRtG|%-@HDOy1S!>5|NVSn`}-#9 zeP^>;_;hC0-XXTkOeDXne9<8rh1c4+=ZGo*;oSp5%gc{3BtURPeurbx zcG9`USh(1EbpdL5J{tR9z_zwlY7tT8pb1r6ir^jv&ZCsVxwh%Svp>oH7iYUpOk~Hi ze*+~`o4kK)X9gj!rE%dV1@wD&pv@ziCdg=EDHMoz|0@d(Z*EAOvu2+^KKU4dDBAm#rTYllW4(#&3{g6gGd|AkHnEaCTD)C=pl+{PC(XO!G+ zSbg(LOI-MJEB?Cd#ZBDGhj*9teRo-%-TqTR&&>&;KHf^ zUL9LUS}K~HAp<;UtPwF@Lfok2S~-h8GM}i$e2!b@;a(mWA9)1!KAqKlN#f$$<$l?7 
zDWGD=;()ctzY*{BP-)RQIs5_UD~g!eLKs_S?APv$}OgUhR za<)%BH3XG&GnB=txj@0q#uxJ##FYyVDf99FMGhAYLuc)ffd>I&GZ+k{E{mTX*asKB z&RrLI{{tx%$$yp_o!@Ul9`i1!<2t37iIS2#X#fhHOX({XJr0u;HB>dcp;#J*iidau zz(~G-_Fox=l38RNf3GVv}7xan%Hd8Iak}tMVAK#vo!~jmWb*~&>%F2C2BrO zQLONBAXt*>s%tR*pB%(XgQmQ>CrGlaIV_|%+$HM;=EwuSpG@K-2B_!nJ^eb2IdcVP z;Z?->CL`VbpeH1e;D_Ak&!pYn{DgNl%I5 z7x#7=lC8OhfAd*rkMLuv9?bspQQY&A-n}zSeJDM+-goR}QLc6R#t+Ts&KJh*9w^&- z&wM;*n;EB_#rZhjyc{bTGuj}VR+gRtwa#)rEh=mi3AL@pU&IkN9UBusa_I*eU)7Tw z$dnjT2TLzIX|fq82J?no6#knO^C}@4p`(e0!-2GWn4AM`a!1eYZYREexObK~%5At1 zGf2?>oF8b6NU)lS1$f{t8H|Ni15VyBwE5j?KA#!=T1pep>+7o1$!~8Bp?w&f<@j4V zyoUtUZ~SRVCncl4QyetAnhq>IK762P8S<%|{5N4T>l>a4n{}XfVRb`Nf)34UGd{bi z*CuOJ;Qb8_yIIA$a{rL3{(Gk#*OR&h@!9Ch+{vgs{Ab_Xw7kv*W?8+3$N0aqa-gnG z$t}!mFxmSNFY~-w10{3qCAZZ6@r?Amthjv`Qc@VJYaAy``0};I^)hdz?|zw&I^@?x zqsm^l{Po{ycZ6>R4#2qEh{Ww)bCZCu-!iX@y$+;RE^YgAta~&=%?oh1@)6jB(n0Zv zK+-g;hAu$YSPRn=8+4Nn2tfGPn_-d9@9@mjzm^N33jYw%ymjNtv58qK9xjHU7ftDZ zamMAZdAb=&WY8=gYGZv^=iVaioPeRNHJpSxW5p#!_NBa04f^qa?eI_<$_5sLpD$R8 z))2K6_%Dg-KO|J2)Muw3jkH~T;d*=Iz;+}VVNx68k3ZzEy6ZCNo{@gGylMGuZ`BuD zq)@j1nQy=Tz^&LbQJG!x)-R2KfOImtM{y@metFLS1B?+Pd5DGR>3 z@}0%glak-d2V8~f-a3_#%eR1Rfw0C!V_`X+T&-vzdyISxc3>UHVVuf>F zgYFd^G3FAKxj@B6Z7HB6-TQ-{tYnJ=8E8z7mu8`+L`hlhz9A=B0#P?K1+FGrIj`Gb zm0+FTmnVM`Fqi~>tt9V+?jWvfJ3d$T(~m8a-dH6svK*%S;};lTPBg0hC+ zu&0)cx@`@OQ}3_9fkB!wG72`|{QY35$oN}^5{GK*H&JVF5$>;F^r}=Y9S}P^Mq=bw zqkp->0a8sD7XMDWg2!|mVvS6eN2k@7q=Dvk%j=^Pl~HlYcneSb7=lt>g7sl6JdQXx z*4WyZEKx7ey@S{z$8=AZpL&Z!H$KHP@r>k6z?{Q?B4=Q(9y!mSb*(O=n;F%QF;WI1 zr1yt*c7EL*xg%4WH*Or2a-=|?B0hBE^}~R*3&IrL#mTon-T^(MEG3oOAxynM#6S=_ zg47>quS6!3wnGZ@3@_;+YA zCc{oUou7Eu>CKu@7u0XG8L-dv^?;z($U(T2SOH`}tpfJ%uY(m|!Z(=mIp&WIsis8> z%@Wb#T0h3gr}Bc|rF>dHUwd=$S}Tzx{YICD(BkfNwV0#`vgqoOB9*htSX97xCNgx| zY1SLlFA^)2;_W?5!Qt(__J^0T^oVNPs<`C!fWT9SRUNb^)sCNh;`%%QZKDYn(D(uJ z2VP}chcLs9GdDsh6c5?n?N$+Spz$I%mL)cnqpzR-Y$|z${ft}xBQf^j%*`vU06AkJ z3a_ZVauLgky#LaR2zQCC_nTCCP%R{6!1+B5pyLz1~?r`0%C48m>g)(;nBEeM|o!+e{cKinIhfkj#^sA+bLmbE~yd(XY-Jxmkwdcc=$>jo6S 
zj{U^xfOA6fv~74?7|fRUjDmW98WqCqUbs(t>>l!K5@?qp|lNG?=_c(!N zgl}vb91mz1CGZpLU?|22!Ra7ed$md@HJl2H9Qy%!2Gz6VG0|`O-WzQPe{WvmcrtP0 zQ0#OWY3N{h?D^E0GWhVVmHVu(6O|9;LV!H*u2E)CcEX6F^Ala8z>PxJtzk1iVttqq zruQxP^$Gf^x#MLK=v9s{dc_1crea#k`p(^6`)W81FBv^=c77|w-E|W>LE6_#gFHq` zs$Y)+JZa-aqDuF!PlVs<>`=eJ*S{YJs%e(a@0Xh+m?6BMxGZ>A`)fK<-LJp+zHIvjG zwhp;@%>Rw7B=PB#&G+qP%=5h4lCXnfiMOKkfnb+b?iQdSF`+^nOjSZUZ!*4cOqpvw3&rRO&+O9Q;FPT(_Q@c0U&B+9ayth1S&*?zU5KZ#VY z3RwvAI$u7vomcv@vDLTNt_ipY2N(&+adzRcMM0Ofb(mzxfYB&WzuRTIHqCu~6a}d( zOI|PNg7m=F5Y+zy<(cm^x!f^~&}W#FUOGWfF)dzxHDRgNl2z-o1Uj}@9r-!7&qy6` z+24SR#`Bp?94eu#)ii0m~zzCI{S4xB zco49D1AkR-gV$s&ew|Nc_FYSF#S#{2P7iKW9r438pdXXtzdgn@|3z*!1LaeNmU}DJ z^S=WrcTx%;fCw>{`t~D_guw24N@DAYK4h+IeuX&2zkHPm&I4=-i5 z(7HAm1OI0h01d;nwNeh(_D7JosM{+(ixp8bm*HVe7`^77j}*K&P`n)0c*AbSZZ%05 zwGt+Jtsm~h`nnd+T77n9afGr1b-m+VpO2-_^o%@O#$DDSv>|=k{IT;az>%reE3qiS z1HIf*NQH8!%4gVQq#`AO7Iyu9k#4g&dAw-go!l5uKC^VmZh0gvp0V$FcU4ugg9nkX z`^K?7P7Wz&?#7AGW8tTp^KOSFo!3he1d@v*cbaM4u0?4AoS-ebM! z<1Lnb)GRu;V6m?2=WGq`XZt4_gvgs$yC}DKgzAK@HSQiA6_X8j;Iv}r^bX3rP-W#H zcx}oyEA~^1p0i=c7~>)h&Y2z+1$^7H=4+u&`I{(;nd4w+7LpKYi|%w%S~Jvrac}4~ zV97noGW^a~vWxddnlp(iPp%Wnx81f|@MYoF0P(qv1ro^>8t5TA=}#jqo+ned(EKS+ z@#kESfF_OM4j#H*DwwWP&~)ZoTklWvpO}p}6a&#JON@nNdQtj{JfV4bHdUy^Bn3kA zolbWiQ_=8~)RJ0svJLK&jl)!OuTB zO%lfBtus@^`ibEX3u|(qc;9;|4Ki(Mjm+XAdiwYI=G5v-5Fd}_^GnNPrO;uPaKrQQ z%eVEQfj)P>Xf-Eop9;Q9aRo8hIF{kOLf%fk_n`xS>gZt5M*MN05kb&9+DNz=6b}=U zu+pjH*0IIgr+Q-1dp6CT{#nYZIjeiS+bsuuk%RpgJ;0b8&H^E*^NIk30d;jE2Tn^; z!E<4CyNq_w)llCZ{`yNUPYm*9YdLr&527aiA?EzgEJ!vb(fX0sb*QPG(+kL`Tsm56 za%T!t(E0QF7&~=9g}WQAKr;Ftfs(#oQZQ_=dFQ z{amEdXt~7OiC+R{2Se^#95kR!F*Z?(9MqXi?W>RJ*wy#Cs0)-ViXJG-VSVRipZ|aw z;K;Y-4#IoO%WS*9cY%>q_Rv(Khek@EQcKLTUfrUi%-ayd!jwj(yV(3E>L)lk<8aVm z>J&;Q;`_6%1su&_P@pJb(QOf60|nvx!=vwh{+irMumeHIhfaHMox+;%Fqvjj;a>;1 z8h)FBrnPUEFU)S0=GY{NT!44*RehkRf?zO<2c@@1Tl$-NU1Tw=pLi7DK+;jtFTBAO z6|#T{Zna2)i8u28!q~)Aeo+9Rji}T}DXf}v-nVcyxqJM$XcUB#j-;$_X9m$5(DRdN zG21GEuD=8_+Q}kO8I~fh8wyt5;%OZ=F-u$v=IL}s3|r?^-U9t=U8!@qC+fUfvBX9k 
z>FG;Kek#uMa6qtWl@O65=xw0rN40Z2Ab#Bx-VLj;HVvqqMr*l7mKJO*gF`X%mpXhc zuN@_0{cY^I-*oG@e$8Ijs#q?R@>4&=Mgi=LhZ5~ACk6tI#$Qc zjqK_cG=^!)*h>e`-sez~X8C^kz-vqJfp$-2 z9<>1+;KDw!yx(KYGy(|2JpfIj67p6Ck&y0`1_^1T4&5NFbeE*GNarD?OS&5Y;Q-S0ZH)Kc`~Ciby=KjtXX2SzYZEXZ zD!jA_c8wI~ADI}o9e+>qJ^z%pLe_HoLRsZaEil%Ah`qL$d*wY}*O8p1JixNB!_J5t z%-%BgwfxtxX1`B7v5Rihs2LhMpoGYLAvIvEGJ!dM)6E+eP(%F8XITOIhyaWf z%Sjji6vpp!uI&Fb;OVB1fpHvNSw}rXSk}W+LQvej;T?lD9Q`O_L7iO+4o(&fhQ79g zCg5Jc5n09Oz}YgfU{&Nm#A< z_-x)K9j+5qMI`uvgcoKWWNi(qek)`D@IfndUE1!`K0H5TqrV=y@^V3|!TUuF???2Mphh92t0L-%u!!> ztKv46H0+4<5VL^F?kt?WZ3s_qN1FgLB6YWpP@*+Yl${Gnak=dbj_kgoyXYzQ^>J z(O$;)L5(lqX1xsTy@}&}gkF4GC#w3oLo-(N>$S|ZIm5}HrWJ<}Rw7h7cZgPiOa-mp zCG9%9MkhEq2ksrNv`W?$*hE8Y&ya9_YddGnH(+=v;A|c~v~E{htk{9q3k)56w2 z9t=XrERqO#6CnHM8!*#@LU;oJ=|T2Q+$@@`B{d&?^(tfzQ->5SxpO@??}FPKKfc!& z=BQWV9T@cWgMfKl+Fwefh}BgKn{+2)ZKOh-g;p{5Q!NLb=h_zK=tAWN;>!i$&Rm-? zttO~N^b;?Ho2_~YSjEcex3lr33k~iDN(3+&evG@f5-$K+RR70H=jdVH;41q7Y}+q~ zHA}h<=%)J1Olt4|lmwjBxo$#gEKLIqb5D6c_#}fd-7XFD1skhyBnNesd!W zyp%vu&X~`S#h%i>QG?K$g)hbrd9G9B6qFyDpaC?b!jwa;*-T4J&TOc<;ZUsYRmsaY zm%-0@zmzl%_432yK3>=^v{ho}QkY29>C@Qea25rHfUR(nU}!CWU82#~v<14YBCdq> zNFWxxlVATwkLCyBeFLhi0GMZ?u4!mtNQy`_#m~PG$Y@b|=3S+>hF7_*I&-c!of;z< zcyYl!7NFAm3Pzp%RvsDSkiT}2OI0xgJ%`r=C!0b z))1c;x8)A_@Q-%?=Cojc} z?-kBH8#?~*-G;e4$yB-H^JdCoGF-hentUhrsutZl`91Z&r1#f|t<5iS#)#WgRNg2D z`8?ufNr`ZNRQ`~q_0mi;hC1CuV=d}8z#YcWzAhnIG`TmASKR*2fH8cOHRT2bm`w=| zOqJz?GXe9luFVg=za`5$MQAySXq$oA)sIA*-tv3G0~6SUqSuT z!w5QYjNfNGyBH1%ND0#JTz_z$P03&{v1R$w;!;oi?mSCahsWm7UteFzjxE61MUL7YRPS!k$}EZsbrZw8>6v<6uJJcl*qLCD#(; z#!?f6i)`u%3i_k3GD#Sg=ANKL9ohUG>`3>ikOSbdcBj8Gq3yG6hq*YH!oBt6>kB!y zPykI`{;O?O;1ovJ^osg=4&*3MXjm5x5o=v{a-?%s^-r7_9IH z=d;F2G8{e{=W|wa>46`w%IyB(de4Fm@;r))4FsF?M^Aws{wA+uSi3) zo9Q~9$l-Kb1NoUqRuJl1e87);2dpq1tomUR@!tcsE-xHv{MMqgaKF%I%A$zn^Cf_A zWAMl?=sG3I#UG$xm9z5mzhBK4`JADzMLh%$C)~A8^%o5-&j>H8;8JAEXajPR`^Mx} ztF3W>@oCg3%1L9_p^rMy1-=F2=d;hi0Az#s+lR6Pfu zzr#CTdc$g0K&T+4nI#~{Fj9Lw;0z3I0ditjd4GcUiL{s+3+cg1k;n4SK8ZZO%7D!? 
z%7R0i+0PP09irPNYaptjwPMH}zp5IXtEck>#Qxmi%jbWVlO)Q5CEAM=6VlgJ^r-i9 zI*1FoL>Lqf9H%4u1VV#K#n_I-9!v+0;nunZ#*3X{E|)y@=Jlr`fM-hLGN%*IQqyJu zY(ou3hYTNMrGIXFh!zYy;ULHgo0atc_kFrZU2|1%AMR>_{k%tn^XXbQK{0RmZk-xl z)whBn?Usd<`dyk<%_TM3=+8v~P`CniI?w~^?v+G2R17{O4cr3!t9m{Yv#ZvT|ABnq z4j4_b6KB=q^9v%Tzxq-Sq+~%}MnKaB9KXTiLCYP|f0GLi>3|eg^;e|`7^lJkGoO#| z3bnFD&$*3%DFn8Xn&uOvtHnXAIZdv0b5w)9CiOyvgO%LSB2kZ6?C)9g;NitE8#h2p zHc=^V;*6PNb6NRh5G-u#N$Pm4MV1`gTe z7*mRfy>`B>GMB@xE29c-_m!O_wN!FXO0dVTNUEOuT1oowVL*OUGivynIG`N>!p6sF z59g687}>kDE{HLO@-h7te_5+WBWr5}U#qW1>pBsH?3hx8k^|iUuHHI#Jdm2m$KNdl zohZ@)Ey{`b0!NYO@s#R)5(+a+Rmvlekh&oabOt=iQ^C9UwdH?=Rn|2~^6I`A4r}%x zUq)5-_hRb8D=7T+zM2)B+|vMaYE?tk(}WKb(db3yWybxo#p&os2vSZJ1=j>aK+{v!wk~0=`H^8hYDb-o<=E4G7wNVwRU3KTsGWA6YMfd zY}n1#xn`J!AA zkG;oVi^SGVcl1RGqbu;?^@J5;b{4EG1h{gbrqFHl(X`0kl3J0|*OZOd{u_zXBA#^I zUm3qUo>v{(sIY#DIOu$qszv)8mKa*Y>y5b}~hWZ`&AcLp6ukVEg?dGts z@UXP&;{BVoRh^6&i@(lj1+NE=p_V7@Jog(Z0XvDSYgu(ldmTl9F%2>UQ4TD>Gm2yhF{*pp94e>p%UanswTGbTiB!f3&G!vE3}8;ph{ETW9P$ z8gQd4ZsnK5JfT+j^o`QV!Sh4pm@SJhQ@LD(B*bl09hxRY`=W|)}$2c*wfSJ5k|LhbboBduGWfk(ul&X=+GiqyM6C} z92bSEPX*EsoKbY!NKhSP`CSB4>+9YJs575M4d&j(rrP`ZV zfk`e3X_r!nLa|&UtE|m{-thA2xCFsbn2nwojvHHD;$!JkJ?nDkYC0g?zF1S<`oYAF zOg9;CnLO;aNSF@C${(*Nr?;I*OwPxYCWk^^3-2T%V98ge|4QRP%|rr#4aOqtX(YuT$Y9Xo*VL zC!VWo<`<0=(q~RvjH)9MEJw=87Lx-uCAn9bXE-?GY($Tq-UkQRw=r}I2479cz zxcHEPGf7XV8`?057mk8%kHmCc4lUc$I-F9qi6yzV2ztX>7H;3v2Oe%G;o72 zv|+?yEDXjQat|3pkd^YZCgL4t^4T7`kVvN=Wj@_fxRpa^qVF-5g{;^G58|k2^}Xrq zY7}M_e8cxHVmc4Ox^dFd1+eVdC@fuCL zX)0fBG#+}#-AJj<0Y7@(j$RwEGYCAaho{)>I`LCy@&oYD>*0Tb23;V>hK8o*q_8uu zwgql>U|u!qS5k|(!YVkcon%}s^0xt7=XzFvU=kYIldw)C3yDLB7UAR6h(dt4srIUq z%j>$v`WOlJPDr=+B1GDMSk?8cB2VWf7MgxCNJqrb`v|B~ur8$zX%g2k{+PL$82_S1 zeo>1O6Uxm{R{hwP1+PrsJ8oVX>`&q#+jk2`O%K9;_M$zMx2$6&LW;M^7#UFcW)?PQHonOQ*`90$U$lW&t zaaf3zZg6-rL>V;dYjV6YrUDnCED28>*@{DA&^4+Uz^$Bk9En3-S^b}7-}K50piC9x z;*pX)ns)A*ph_7Y9>@W8H=x=m%n&f>1oenxAB$1FP4Sxb=a7A71k6C+yePC~y9#CH z8EC`{RV=O5tJK@j&|!MjY19YZ-`L!oQIOdGW?x2t_ci?SD6^P{ 
zZd`5cJYLI5z5j4)W0B}2mLB}up+)tEMtI9r8OCvCVXc>>=9=&oq|h@#y=zi)O-Yb* z&A^Oq;CaTd&Htot6dQU`L#9`)t2RdcTRB}aDk*t^eRi-SoZCJMUH9|}MMdn`dD|(= z&O7ZtfE}D6-}{JnJY7@p?r0u9`$0rJAkJl|v3ga>XwXxkWjA&hd_RkWVTX~mYOn{N z30BB zDGXV0CBUZ;Y2+8QC?b2bjFx>VU{`%UdFh0+Pi#m@--cPE(tS|e7uv!{(IY`-I<0ce z#iuU|jkLeLS!lH!X$`E+wV%5xu$l2Q=!vOQ9B;cTpEW12naQ&J=zzZh&Mtg=rID4@ zq`^7d=Q)~sbai_K;eu|^^YM7URAf}c7d88VL(bPSU0BKdLY@klM3Si7Ljtt9$+A=(ZroU#}i34U$J#gndCd}0s`nqX% zC+6+6&O!aDnQg-f9K~qN!cRC3z)Q8$(&oHMrn;O$y?-iL8sTLAz58igU}@{L>DG>q zp}W-U0WS?q@;z?n!{=HQOJ6p8I5bKw^%9KpXg9p;=T{M8EAq5#g9`J-^6a5x5oSM8 z1q$h5S?Gv9$1agOb0K^dah)<{sZkc zbRObm3y0j6OYZc;*`Ui^Q9*x#33cBf4@4Vn7+ez$qnY4TG4s0YHZ%f4*&vy~6^ysh zT|v#Z^^_Tj=6WdOCKo45r>e!lRH7>q7pxa|{EqeBGoU0RN{c6gLJIyB7~)4+WEd6y zKD;0=P`zdP-N5MMddqLMZ=|~Z%>u-7t-GSzU@OwP_jmF~eMlJw6A+p>xg**7oe`o0;b3=af!5ZSZDY%pzg8 z%!o9_8qMT{DJ+h$p(Yy2pNRTp)rx?UBa(^=0A{qyYc%TutJKea?zkn~gCYn*Op|5i zSc|~*l1pA~EOSb%{Qw*j{dD159tqF}C&UYlNYr={nh;(|HpVG_#}4*kWN<}43Q+)k zXG6_uzbuoH*M$vO%mmdOm=)$UT6F{Qh^~lW1KV`nNflyl@6-h8IweR~4W6VlPGj6a zcx}QgFN*c!%*ovK0p~|0myR1? zR92Wu$#g6&Jzu-RDKJ9x=EYSq=u!-(*3{svqS7nMPA)3AeTDgrtkp8fXD?xpJ!?m? ztQ4$>$;pxtp6Yh@Ya(lhBXUYgK#bbBg?8f!$HFE8|7bN9Etuak>SNbf6&mhEBuWzZ zOVZTiWu5NzgFPkzUTlb|thgn<7Xu&OkCN<;DCT}=e8-i!{!{vGS5p6_wqjQ4FK^fF zWyOt}b(+tQ8(0Ovf%OZKVO2XG+=5PXW6)=e(h(@juAN;G(eDG# zQ+14iH9QtahOK3|m=NSq?#b1=2*tPFG8xe$HC*kbp0=3=H(2!U15R)VF@%{Jyu`a> zK>b<6DOT1I*oI*;BZjPcNnW-rr)1p6z1k#oU&BWquH-d9zpTQA3RjR9CCHb{m3q3U zW8NojxDyIQ&@$Y-m(oX#&LS)Bn1jP_7%alRM9&z#O==H~KolQSOE|6~u@fN;%cVw# zdn!r9?^(W;ASMIlquJH&ux)yaeyPnQo=UsH+dQjt;8D?Bzn`6J8kG9JrgyqDKg z&O5~DR~zR$KsBH~{Mj^LT5*w?sR6>2OaRVGpI#5i?BUxwK|f7$U;JW-9{x z^;M<6kY$i9M0~{!LgA?$9lFwVbF`m5X$W`4a|ne4O|juPG_KVwkcNgPGxlK1LRjpb zDTW9fq_%??zyw|yeZ!lf&7q;;2``gzaho7Bm|?jl^o)g(C>H#025+3n>8629y7c9H zefQymnHi`(MJ(6b;@Pw@QUHA1)bS5x!?z6p{AOxGC`?V&*J(h_q_2&hHcZo7tuib&spea2n*K;AnAnq0UA8 zO5n8!roCWeIc@0}fZW$CDk#m{TDgYR8ZZnHZU*D! z{T#tvR|jW`Wj2HiD&7QI&;Wyvt7p$!_a>~Uyl@P??{a{*|Kx)iW)}3=Vgx;jCdSojQ%in_W8@Pb! 
zt|#INT+i{1JWK=O9JuFw;fD&-SAFc?=dK$iP*V4UJ1Z(d2d$ztZPaY82Gn@$&F@As zjy%5Zyg;w)%dg0N%`+bNCO64_LFWuSO$oRZD$E1)!At&9Ki@eIk;l`@_SE{9uTo+V zfcJYQ=nZ;i!jX4Z%#rk0>|SRjT^j^qwr=jFqE7d%r{hE=^E;U_DFfasJWW7*pmS8o zv_G(1<2ZrII5HvJQs?0A>+w5Vfjdni0CAkpTe6%*XKVkd>BzmYG0y*I?%mfPJx0>s^nTq3rem_j)f6oW4`4 zcQ+dfOfm(b?~5tBY0jHMUj~?(>p*D9J(YNVf5d%)`&qRo*Yoi3Q%U#;31)h*IhQ?; zV!k|zz3G$7H=CM2X93g9HVz$8%;N4l6Pb=4+;nsXE|ibtTNb9;!GvwD2Nkkkihx)WA

      R0!d+oxoc7=Eo}YZ)UYfZ^vYgo3DIhRWN6D}B;R(<;$>#zcfr%f3cQgbnh|hZ za4yyst7Mr_=Zh@emOcpVJVz+HeRl_Mu(MbFCFMB`agPZHFrm{E3z80j`5pPp!PsYA26j&r$0=> z{pI?&s0e(KG_?*Z)9w)3Nx#Yr)bLxk#L}0lp~pql{UQ%aetIvFINToMGq7L`4tEdK zu8gQSF(FAuJZG;5HZ=MvXE4C-IZr~6X-ly&)=}O3)Tya$)ny03(Seg>$U6%^6KYE< zf+(39=3&vfH8?t*Bs&=LqBc?=_sD$01o4#Z1=s5{Dl5-T@Vr!NZ7H)Y)ypUYvGU`v z%)lbIjgyA!l~DEM6S6X0HZQsLno^8zF=5!p5|{0{KfU?UgVDK>IB8hTk_=cKyq0&S_KBC#VPjq5 zk466<`Gp`xNP(7;M6Hh|*D6~6aSjWii&tt_gC*x>+;|8iqdy-cVy;(8JYPL?dnKF# z!%keisNlARhPPkrKbWuJC`L9}QP~ul`(%upRiZ93x@UQ;D&t9GTohjQs)uO{Aqne! z4S<|1y11~a61C%cMu?=zGpIs$DG_B*uixbipb>3E5Rs@Xu z;POpN@F$gMIaSEGo1^a>G4tUQaZA-+5s){hhPT4YZ_hA#7(l-=tQti4bbL&H7wbIx z)q3UYLr4%@+1|O|Yy8I~*uwg7^6{`1;*QFoBsEYOeavbKvRzqfyIAjOURZ2X*zgYpn7n4)*f{?s5*CTC1;k289af01-QD*+No`>84jJQ1$0qi zQXqXI6E*1i6bw9s4OJEvXt(tsNI(8k;lIG;0<3V|_h?|#R?}txmAGVuYo7OH95$M* zxMFRmup_l-VAYpAlI<02L+eQ%fK~U&VZ8;zHkTiU&20j;mVolCcnV#YwVJ&dIgO-n zoHAX6r)R@UDeCNF(Wm(y>C!CTw6oc(YW7yHR^W#>QO|fHVx{28$bzqwt)x5$$epzn z)7!STD(teXzg0$%REPhX%|tg?A_>Vt5RZm zlO-L$WCb@9N_6qVH88UVc?GyOw|${~-JHRC{+}(kF?EJdJz0)_lX2kRi~qIS)^25m zQKAQd8_UwYos7he_ZQ4Y1c_IDty?8favq4N%2>A|%dDT})q>bu$&lI@Itp@Jm|iF; zWf^Smc9j1QgGh|CEFjT^tJ1>24E`8aS7G8q?Px+kv{>psXGbBQS3B5mI{FW`y|K}+ znnFjh8ADw(p&?Ia8pYA^PAPMAhPnfFqyP>>jGognO_ESb;f>nMqkV2K^5hHh$O*L* zCMv<4uW3&d;a;M6jWRd$PuJ-PEL#!^9=nQZ{g-s1w}lE2PioN0=h+pvR(p>Ci(cwb zH)8-^+N}`AAi*i>kFoqou_@-CT))vTSu=^xE6HCS*D)xTk!OOXx_iO&qKry@MJbCn zcJN9Jb@Dos?gf|x&hAC^RIrEC%G{|~Y%Lr9$QYEiV3wH)Jdcc_T$XDh%BZ0V*$24* z#7Z7==epfx^kW1|lH3n|P|Yh4X)9Wh@DA(U45f-?YsZ(FMTk41G4j!kvODWT^SJD~#8#1g!(pPH z4T95OEs{)Ha{mP5jg`e=W#QWk_2jA8_Hb_W2KX_FAqX~ zerkumxbx^eY5B04;^1;ca=(&cIpP-NqZe4%SWjq;Gun-pNnxKKd=_Vvbi)cbpp=|d z@@Gq!SYg_=Anxg%-jzhu1Ca%)8rW$+Jn@ zt;aI|5tMbATWH3zUkw|&A8iitW!-qe;Ueof*zD70n7|v>yU$DQio>WxNGL(dwlpTvU zebXUnqzV~U0)x%a@$_d3_zP(Sb+F3`?s^`@4Ewkvf=QxY>tTap)RO=Nr3}S zi^OXV;YprqyVIDa_VRZ7mFBHvyILBjTQ0igOeizC&4J09^@94JXLd8ji5hd0=J!-~*qS6&(G3L<+AV-+Q1^x(g zE|p=D%P)^@5X^nsX<*Tf=6*0?D9|>^rTDtmE=1*9yYqD3N5(pbxe)Xf+p>G7pVG{< 
zNTt^2-$hsKeLBD1bKktem?@M)=TFBS#i4|I5}?L|_0noVXM4>Ry}h`5Ss;GjI&kQEFrTS zzoO)Vx_#JApJds846oS_f@MMg$05p(4%?j&C}q3tzL715iSlk@4DN(RkWsq2zH&## zauL3?ypN0>^$Avar+2EQ7%P&y?^GTm9I{aN1pgw{mal9fm_plOw%W^bSQ_b9&jPtD znGdB3N3U#m_l&Dkjw{D@tTA;A4voZ9Jo5%I0xjj6X+^1Yk=jcwHO%&vL&VGBIIGrO z>EAvp3Uq`{)D+=|8OWCxg-F&kf^MiAMWTq32=j^*oOJh9_0)c$x#;|ALrJvB{IW$| z_T|e@DepvV7pZHp2p_IO?@#Ww$&eLsj@o{HOh{&Zv4nbMDv4Y*oKHy2lrmWUloaKT z^XaggZI6YlIBJ-N0+d(X(SodB&kjGSJ*<^D`z@{e#HIey{ z3t1`Yjlev+!>dVjy?rz?SOIp{4VkmGR08_Y;J4*5)>G9t9+^1l_4c^x<#nA^HaGUW z6h7+BW`iSVyv?PE=Fvo#AA#-+(ln5F*GO&Ga2>7F+Eb|QxL!VjQuHxY1M9istuWB# zXzx&6La6X?7XNEO_zQ4-W`5bwYb$gsMk3cKJB&TLzg%NeQ`g7$SvMkuy3u??%lmFE z&4Aa-Mr_Zc)1O!I?ax^y_wEO*21LH3i#4m8!kVNA6jHK1eD$y%7+{xNV|+-D$&`1H z38*E2BprOvkYm%32&4V}Il=hxNp+xx-%riQqo+dY#(M{R1W12-ap~nT732ut zyuhhvB`K?}r*rfZbnyIKuRUq^MZFI(1J^dPe5DaTZNQ85)5q4vk{` zM1bKJO`U-NJ1I$I2_19(42iSKwEiAu323RM>)WYlwt==29#w-;f>X4_j7Uf<>6KFF z@l<<7Jp1lMn_1C$w4X=R;P|!E@F?%~D;s_bQICy&xZoy*BW43lu8OEM@C!A^+S2YY zNfZm!f_O5V_G%jRY`;qBr582v1CF+gq*dn;B27gy3n80EXrfM>*NpeeW+?(z|m(JWgK zx}X?g7#Ele>PAOT4p`?>h2Q~+zjYPu>muT_wZ}H;5$8!u>1kP3pgIi}YZ9)D+iuf7 zv_E#pw{h|+-PkUR3c!Z;4Fa zO9LO~SpOSV`2UuEA0HWvmcx_u6R2&0;?4AEhO<=c!>K$~s?ZnmPqFxZ)i!+&%|}E+ z%y#d}NDWuf@MstzTyar1t*c@wHF8qfjF8N@C>xLe4weDTLH(_xznQRFj}A(h)@!TA z>D@Hj;yUq4d(kC8lbg4JRMNP=l;WVGyh8Le#uBmI>BR=~ca`H5*Y0XYv;0ScDb*Ms zr6r{9m)XkQ(Ew=ZznrnIrM*>(B2(e95GdjTqRh(0=E2v!s`o4x)c!ReK)JDyO$a@a_jKP;k zw_kj@wOFrQwwBBg_4Ye1F3C6yB&uIjgUXCiFpSPM+nc1-99b|#iim+$c?m#Lw!Wu) zTJ)DZQ*}S&j~!I0=FJsUI(WxjcRD7V(A(`L-&}9C0{2eF!drssBkCUdP|q#3lc=eWEb&}MCd;6`_m&+y`+;Ied~&GDaeS)9JT z?UCi`p>_cVJbW77)+pZ&vcg9V@$8HC=V#Os9!e^(OZySh5#7)K&IV7?-mQuW#Zgi@PfFl9Qcb z8m8a%MNHdx8O7d&iRoOVy57}o@q+}biCF#c)W}#@3d8*o%?2+Mc_wpywe5Q#Y@bLyN0=6T^42F z{TfYo5w8VK7^A0`OVMpLgSj@B72)CXLgpr|2DYpKpZf|~DzJDp8(?wF{xi|>)jne$ zjTR+j6gnbQvL*^{eIICTbnA7dmu=+qu-W!3hPTW2An?@`!9Mo(+a=|`Aey5f)dC4} zZ$!20Lemo#V&8cvjiHy5lEFlVXek^+whMF2(HIuR-Hybjh&P6){t2=WsXOT0S;X_9 z-SIqi$9Qx1mE%M>!$xBfs*1W^P)Q~3#)M(=C#h3>u&Wj_eye5-{|=kf_o($=J+<-U 
zOB_y+FovG*O5m$3FibrfVbsEN`@Sz2D-zQp62}wyVqe(~GOoDyt0Gq_I;y<3nmF>B zzl45z8(-MK#P&2;Ku`ax&4PW4@Wm&#uB_n(*kYFNtq`XwGfGY#TWkdxfH)LHXs~-v zfuUHJ34-YWtP@IsGWe$e;nx5m1t#T1g^{Uob)nI#sOCX=)-)_gxBJsBx(1 z@`a8+2i+{HyY`Dx0hf0)BaM8HEIqy}P75B8!1@_}-Y0ge<8o36V-@A_yh}NM({{DT z1q_}kT>>Fk>KCEl9hfTL1}v3RjKsod;xg&V&7ZwmzWG+MT}OG~2IrP#(n#{hW~!_5 z!G7CA9sAYmehs7$PAe-v@2fKc!W3Wb80!UmoGD}-=xcbTBPVGCYS9n-&1d_LeNY9~ zj5GSSyF(Ivk2^Y7Bkbw;tC-9M)#^7UWJg6tz7Yfw*$=0Y9VcdDGm3AYeiVYn2BG^c zwUpRL^rm&bT`nVvU})30aPiA&w})Tw3^aOOw_bl>iBJIRnm*sqvI&~?TYhDBS?vgs z&4x!_w)l06lA_4JKXj)vvDLTzImk@?c5G1(|EkKxq%PnQ*jd@Ae-Mq&y4#>*nK4C5YHq>s`^+IJ^#Hb0t9Mo!erJXk z4amK8eZ)z-gP(vq`r^iH!EBkt`FOUSLUa@7HUN1!?cBp`d>?F*5g|hxc+9c6QC<-F zaBDuse`l@#ZmnQ<;l`8Iw=~Z_ZTC3r)y&JI@q+q)NR~ zn{0b-vS`6Jc*9-}zMMx~KbM_g%F@ay1W7CE*7ghYhO=IKvoKlNkdV@J#102>HN8eO zd$b~q5c5AtH3>1UN(Rux?*hVz{tOf?cb1l!unX4 zG`rIUB+uSXUVSY|pP>-hK5m+Neu3eK zRI@YO!S)n!qxXCI3#M|f#+#0BH}|#`A)^#`q|0~4Ocq0__eJeW8`TsKTVB1(bPnyB z0w&w-7ePTjbpd5caDabI4(Se514f z$)~X_v+Nbw%w8>Og-CNW#WUN5x?1)*ej5u1yx6li*PRhEtMR<8hZfA*tbvPmjz8C1jFgP?sp-35GU{YgAFp&6{ee=Uv%nX3-08@1TAK*b%dEV z3akmZE?WgZ`(S;Q=6nB-KfBnlngq`xoph3MP)z1Y>|d}e3b&_sVfMl=dcLgRo+~dp zX3uOg9p*3HpWe_LWLYvK>Y88escgI0m{h+{ZFQ3Qo92w|!^NiMz_g^W8bYpTYKI_t;W(*>vES=U(qaTy0j#TOpn|zUsk)#rL!!16z^7y!zjS4Tvk8xb;TNqMIz+rZ+J{o zdahI@`zm4)=Mn!mtQk2haH%3u1k~e9emeg8nU=t>C}+KFJD2#B9W=quaG%#1DYv|E zH9*qSwft~0OaUW#o+(w6=M$1?%F4-bgsdA~ z9#5_cI{HIQJpECY&KA@;VLO8VlQP5*^yuW+6!pC7ht4sFpcS0pD=GON>CiSb)0Ix!N9NCUTTj@ z9iysJ>mj3u{D_OP4bvEMl;}}oUgcuKIpPZP<^jTyVZ-n4N!Z8A|Ef`8Af^7VfkaAPw#AGz$D8$IBNwiIdA>w~+|il6#7>%he~ z$Ty^N4EvIh>e*I%^{j}@jZfjOvW z5cyw!Yj5RyLS`M%t`YVwtNY!qiQc94igKlamZlbqm0eeh`(Q3$hBRTZ+@Q4ma*5cW2OO}vP!)yT;?2e5 zZLWs4TXCr!Hm#%w*aVrVmfj;}QzLzf>82@#^a_6H;~SaZc0mf$b3p1(qenhx_N%H> z+4D@8zr=MR337cY0q1bzApGMCeD?Rno0diQqvgzLoMuwt1zY)-Pups~i#% zbd1;Ga^BrJxwBtr=R*ZduQDFX&}zwZm?(-cu5xB+y#Ui%#!s0N7p=h$<*RLPPnDY~ zy*Fi-VlcKhF(Q7sCyHtM-I;79WpMH9O{G0+@y>P^8zT}M2?6#Y;a}SMeA+|s#nL+9 z&g|ckee3#5Mn^hfb5(0-tjb*p;k)~$1Xu{ynbzdzz(=;m@+C(#>fO1|9A=IPeM-hX 
zYI}z|NpQ5^JiTipM#e?8zet2Vg|4;Qmr) zu|Kfo#F=>|CE<@n`|YAD4KY^kH_O*XCOYKRMsLKjH`q*?*E3OnKpkjYwRkuxbbDGM7D;%qcX>0+1*K>{0J{v z3hF0LPf#m7WI#oy<77%Advj9ye@iugRBwV~7Z$tomnxD~o8h1L=a@q~XFpav^ z(1<@hp;;5u-E60e_<45`r^^mMknfxHx``hIA?XyZ8634Q8>Ed-N82|B&3g~+7V3QO zetqqGs6C!JDi=JzOFlC_yYOLBp)5xS(v!w&y35lDX_u0$zwHm!nEA{viI9R+q*CGTF3HGbpN?tn;?Qb-SG(}Y6 z;Ec5oV(zxwe&;=~HCs>l|CoBqsJND{YZM41xVuBp;1IlV2=4A42=4A0+ylYg-Q696 zySuwPcjtWPJoo+EV|4f4RkdWUHRmcs^@Tr@(;(bs8&B zyiqYOxzHb_F3SHbU|UP^{mp|1e$&3w{z z_Pm*`W@4bHEv<+wW+gWyms*b`)vrtzI>VCZ7sr zR%JoiLIs9+tMm&9>n{f7uTOs?_4$IuBOM1QiA8kF99vvZ>05kdq} z2l`(IK+a@1c*hk6z-WU!@AlL;&CG@`$8&Q)$RL-4KP>ifC;5&gSfA0&rMuvkY;8vV zq#1YKxKT@QqPTvEVdMZ7}dl)OqL0tVd;}1ZiV=nPhMw65m4-dCKh4o;9Cpc=|fh=HnTmJK~=~uq}zg72DfDuXN zf<;V;uGwb6TnbKt``nsfT$ZO?9j%b8JU!{K>&zbR$fyR5QYa`)2egS2 zx(gScR$0bIn$F{@#Kg!AzUp32ilHxiE&E!gIO~n{m$7zOFAODPlf4-Lca)SZYdVq}?)y-|Q#~6q)toWc zI(ND=-JIqoxL>0Q)aufN1GiJytQDr;c5=`HqN9@*$WZ1+mYO>#=DgAFU+15kNzF>k z_1mD!$|5uC^PSec?_XP*F=GnVuSf1vvS(Y&Voe8MY?sT+O4^_GS52PoX-c?=*69pK z?sPj+8&2v%g`|4a_!!vEC66?>=n9=))maeAKDSiqD0N!$9RL4>@}=8(2KT>BG3)=f z;9t4UhLa-Rm+!urO7TnsffT(gfps*+{vNLvwtVk*+p+VB<4+j~?5e4&_wi!{E$MDI zF{j*Y=5wu<(-hKCVzA`(6j=c(B!U`#uz&c)YXT^`e~HyCVg{UnGu;bQuZriy5U@@z zozAklH=F@&oso(Z@5jxQ44V12+aG=JrMQRg`cJzAON7q0m&fCL?F@Qz=;4k?>h36| z1-JdRMs;1hx~v$dff^nZUmQD%8?}^0Oif@XL~sUdP#gpT$S0eLuldmbeWT`}j1&ly z^e@-kYqL>8nOe}wqv&Ws9o5@`>N(?VUSCT^u2p=kk5@3wU+mnQJb^b!G0{rk+-~}v zQwniBhbnsfW0mVMX1OIX=>zr$n_Ki$+z`F0+)R7;izH$rC$$dv*oz9#_ ziG3-bdF0AdjgF5-hUWG2T*fV=)vG##=zRxqU2O9$>TQRUBIaHKNSOLZdR)e(nAWF1 zQ2WJ7FLV-&^0BtXi3PM&P%+_q9bZjcml&D(_TOHF-&w}R4nF{{biQa}zz zH`W>(2_7Cg_?AP3hVirYYueHO?TQEjox>7T=&6=rMy*W4?82FgMsfMi)YyHHrn%qZ zuJXm@zl;tJjUNC2fNGSc= zpI!X!N&Ui8z3_{Q&9P;uWY95on41@={=i;I@FGo4Y;a$F!gmR3uCSyYrQr-#V5X+z z+qQ1!+NyHN3rdj=H7A2=aHGAY^i*aV3rkKSral;woGy|9I`7{mDts0lu4V1{A`uuv zqeY-nsfVyJOV%$VQ<7BeV)=)rPJmV3MFuV&h*rJw*Q2<@XDjDxNKhh{W;Ne@pprIl})D4UZ(sZJWXkRz9L7hQM0wlOFhs3Fr*9 z1;j=!KH|9Y4ic$U1DzC3!NH}IDxC3w6l<%;?STqmKAjV;i2n=!=!Ms!?DfAW->}12 
zMH|7}WWm^q%O`18hYL3HQF?D&x!Btn=nRoVkVl#9n`mKLw>RxZWo-!{*P0cz)Uj4VZ4D2877d=wl(QX5*gCr{8AAo@?V$2G^!6HTrsVZu< z0|dv1#(yr;9S6FSYZmAHk!^E+S#MygzF=-DF~=71STW`3fDLM=s{5NhPk3@M-dWB4XnD!KuMI$3-iDH=UJF2f>I($meU8Uojr&i3aD5aYf#EOZ zXC&TF_dk2@LTklBG1|G=7B65T9PULOBQ+Md7ArYTvFk@P8!{k5VuNbRbC0r0n`nL? ze48Wr?)`ftDx3K~XiERNqtjNnhI7V>ibz#b~$+B?ao8SR9VJHFp*B;f- zj&7XeOBbiMIGI`2m$lyBp|t8F*l_zM2ZSipP)PYMz9#5q;_g^e?dV4$*uTKM1=&^T zUum#*reXdBtA$kP#?4qyWe5&>K~P{5IctiBvnj9L&aR5(%r{qQ0?xX_vs3B%ogEW3 zs4l$M-2sN)ezl@-fWF6s{qKVzARx(SHj(+8lYIX_;z`pWYjmjlUn}B}Q>^Y5{j2Sq zo3S?fR^lW-E1BI-I>qVbp9FlcHCjJRAt^eiMA$qH0gQx4Em`_ zYMjKK-ZEwCeQdwC7K70Rl35@d*X|uAXXyj9$DgoQu18#x07d41b!xbn`7m1srb&6F z&N{}x@~vw*X#W-jk(KzG8oV*TR@G@3)@PG_q$6uAyox)(0PUf>MivcOhPP%1f?hOO zphQJUA2gI~EQIQ9f7xadFBhK)vFD2*+Ihc$({)2bzDUS$C@i_h^{ES%g*T9MgJ2V2AJm40nPjyoHU5?gy%|NeMQ$u?REn_;P_?Lr25Z6XEsh5C97D95ssoR;zf2dvm?C+{#nGHVkbEKV55+di&=1gJ(S zL92cFzLghbvAugu+_iiH^Ph`HXh7Y7mG9qB<22~P!Tqin`Xkn_scPf37ky3B?h9l! zhr7i$6Ta6Ag%;w9ot6NxEpqkoTWg1s)Z)+ynlE~_WZS3=h7ODk|8Xw~x>l*^|3RF< z8+0Qx*EVlK&WA96Y~mk~(*Kv6@U=PC);nQ0Ao#enzx8FBs+$!#nr2w+J7F|E_7QGA z9J+ls?Dt0gfk3~%j8y1lgyHT%#;Sil`uZDnr#6Sv=Knt%h=utK-dWgy< z3ulGu%}nzN39GT+4bope96srQ=1b%6<<82;^$A8I^y0z|$Mj~IS^#ySy$R|6!-x^w zxi!#|lv*MA(zpi2^&M8IuZDPmY8ZP2KJ-J6-%6~dG@6DJ{*#nM4xdm#mW@VmVOCJ- zpRsX{Vv=Q-CoP6=6il}1h5Va`iRA`a#Cn1pXc!>JG*jSgQoaBZAyPLsj@RT0i|~CX z^c79!c<5Y{y9M~gZ$I(seh63%DG3fv0U1ricVj?}MUU)&X}r?I^3WX0E(DQ&^ed#n z1u!L8APYWt#9&OZdi$ZH9xzhmBPxue+CPi}Hzs#U46PB$Oc)7u{wbfaB6lh`%gcEW zN$oVaohbSLB(9smUbM;o;{_Ua4TLf&(dI!A#xY;&l;XGA{>NbnoRs@tb^zxviryTw z8L%ZRFF?;SDB2U!MD7VCSY0#lU28uFuU!mlFF{F;B|d}2s?$IhzmocBzC!3fJtWbR z!y>yq;9&#p{|B7@-)xfu2m%(7yijf_ziD!uML@HI@E&S>s@Ai(FpTo#c#v4WnSQ`}WddH7T4&JnmKN>1t;`#-dGOBrPzhtj z%}C*oHIMnml#bAQum?wq@bb+X$WRh(3=foZrloU$-hP`+_wN&#D>+1gAzkSxsQeYG zPDsYucEJ6)h|eajs8wP-e9__y8aSPjL`_J#VBR)~*PEmg` zMShe&Pi*&xG(>QcgpECUIxgV(O9`M4?B3;?idNk9tWvv{gQU>1zN`>}&k> zV_JFTgWp_iIHi_ZXvtR~df-8k*gaJ;HCWjtG@``uc)ynr2%*3{cJI`{ad#4e~wSiGC+mq 
zMKdmR+CD7s{0pmqn=}Ae)iFv#nS&9rB`V*ABI9Dv)qk922<1wi5o~IDLGbti*HZpM z?a3cX5rA5Vc}5B{ULWT}#StFAo4SCZmx(|ju^JuU?KcOphET+|7;WM;G_~zq)93>7 zJH@Z`cdg}H{|+G8Ahq;Y@}iptr5Zvtktd=F5)KijblrNSfAq%?{RsTwIjW)ynfprT z{dON6pUSwJrFAKT8r}L|==1syWdrMT1=gmH;DnOWMQ&KFl#(*89aUe5K9p_MOF3hO z5ee&1K&mZH#NL8xK7Whpjo?}Bu@os45Wt?A#PC=W0Er+n?Ol$b8h|!)I{Q|Qjrvx= zGJJsG2sf|hfRwQ@t*|DO&T|gSkjjm30?e^krZCm{E8EyFI~BGTLP@s9s1%Q#oPv=p zRTJuoi#I6A-8fX^Td?iIVrztFFzv{f|r!SgZ!m~CB zgsq?5#SPCqv z73tFfIny*m*Is3~iR;nXe06#^)kR>hD^#zqCEXxhniM4M2w@!4Y!voaia&lUs>Xt& z_B8{DSEoaD3L?HRFSOLyyP_vIq^Z)7h1ucuuM<(qH7`LkSpme{u1+}j*9ree%GY!D zU}>}47u)gPW^Or{x^6PpYE$a_6GJs7J=>Qw7UaHGsmAHDy`}H`LmB0a6^0&G5uQwa zLj$h%fQTjX=ggc}VjSOr*jkl!sT*+qxiw&7?iwPS9I?jP)Q-ob{irjsNxrD{Dn9em z3H6o4XG+ChChPJp%$5NoWxyd}{ux1{rI?~Y%Txh0 zZF1MDzxz=6UB`KJ8`k{h6Eo)SxyWgw~fq@IsDOY&q z?|18wVHi8)4}=I3>HckIJuZ~J8r7O1W=0w zRf&(L6FM@m+q|F1x1UC--6!dEDqL=g4g}3En+r2jRB=mN%~?|w;a=ht98jUt;YX7C zL+cDxqg9iosS*I}y!zu4)&c~urg6|&8OBirJ5LlDvtP!-AwGj?NkjKP+1FpC^{B10g;%v+_b8;b zlIhBOBX+HT=#DzmNcHNZy2a(wV!6(L;%TWCHHH&abL7wHNT_}^`di|FP-Jz6dX!Gv z1l4UZ&G3`wImP)qRC)GuzH_K>4hH9=e{f_2va__MLl1e+g zJt%h4z}Cui2Spn-n>4$-#h#sS177r8`Bmpn%2DyXmk6~tZMOz7r>&5kPlfhSi}l2; zUa!a5PiAtz=%Rj)lw#GLkV8$w-?6ktHjpVo23fzu=tEg1f^A&V6)M@Q;wMO4Mii5` zp=9aO2JK&JduNK|&o*)!z^CHuPUD4~wpOqwD>kGzRbm5OB$!gbxWPte4UR~jb$qs3 zCR~huEZ!rAJ<`B7laa2cpGA1NHD@}}bixU&{ZR#yYYp}v-G2gXPCnjEZeN}B*&Qki z%8FCeBY!{*`qS$yap0`F-;QDGTn;~ejXsXD!4pZ^x60!GIMk$zGE7OHEB(B*`c`}E zbRB1JO^I$zk=ys8{sq&Wd7>#s9$|vfTbCdudu3~SFojpify)h?f>utgXMC+Jp zHdGPD7KkEIFTeJfXiKB&ZY(oWMSkYwW5VB3bI4HOUoR^9>14a4ULm@Hw3JQcE@Ah` zTAbpI_~QzP1qI?@o}vs--=a&XoW61gmyb|r{6=(o?ap_JMqq)k|8&R?h5SZs-lN>N zV7k!i?zztYsR2J@*;3^{EuJZMIs;YYNx9vM>KP|Q`Aky0b78KA|25^?agtFwqF~19 z_-kQ*)OF3Jj9_tkrynuijhKHmk zsalwcFTanof3lB%p(LT(`{HbQcuN0G&&zI%H}byYF~&9Sp1nVx4A0v*P#g@=Z(wCY zUG1Fa0mEeLbEICIg1T1vmYgY*H=@KfY3ZFa&+M+1dlQ_bG0cSpqk*K!DnVnCQ{W_; z^`~*H$Lkd;CS@H1hhe%Ng*h{5%-}x#+Lh*n3DxAlmLruLZGjk6TqJWL?n80Tb49^W 
zG)2Q!JLtULq_#490fn(`5XlGNqX71)w)byxA_%cZh%%=jMrRjLy?aZB!U>iMsV{Os zV84Jpb#35e49Uij%7?uBm6~dPWr~F$Y%cW7pcuNpr`sSOu&h$9JSkF&XJrS67G{mU ztKD}({W`jYB^`uEg5N)FP(iqu!Ix$WaXsG%bfK4Xh@kx9D>-O2E{{Teath34DD(Ru zhxCQ!FZmz=Q!_uq#zlkmw_&>?CKof`4{lQB2~cbgiu={{9X4lF5&B@=ugPb!VQ<&< z_Czq`f!dr=WeaO?b?D?L^R7>{f4>Kwd)n-ZVrt-Te4Fb^j>0kHO&Dx$EJNb+-fQ$E zm%@`fy1q}S^%VJitvewyZKr+ECxhJ?!(X20%=W!oOZc46fPuhj2P4=CMp@q%yda}h zXBm*qVAw_DIWaQZB2=E0thY;M5Pz0}r~8uK6UI_@Vto^#K}o5sp%@46C_d z&bok$7@(0@l#@8WvvAJd`s= zEADg0B&EU*56j*L_2)GcCtHqMdJNX2sOf%IF6}qPDnHp%@8~N$le+tu5JX?2s~!2^ zj#NaYKVVVr!kHrA@Qi(*UQyQTQ&;16c|qoaD@Ma|^|O3BSqY|!T1N9T+>)s1w6A5m z-V-YSNKF#85!)jmYf-mXAMY3c{d0&QmDG}y>nK7>V420}b(|gF4)p4S*pbqo>)Nlo zIk8f?@_y@W;@Yc?y2qn?0=@hVI2=~pJgz0JV>}fOnAxP@I?z`-WR&J7GYq7kxziAc zHK`BaP#&RNHQ=zxe^>eoIhoReiuIK2wGM|kmy4$L#9!uL$#0#G5vS5W^%a1kx6D8J znr$`Ez^STy7z)_31^eL(Y5%Ez)24^F^?oL{1OdN+jD&R$m-U$m3e`(6J zs)(p*;K-3Z8Yggo=S!wHljiDb(pRr2Arrwx+6MvpAQCA-%h?4OdEy6$ib*qX8JRY_ zgD*o6h6V0wQfp24cc4k8_ad#&n+Mx4MT!HgO?D&S;HlIy-y>|qmWl5@AffX(-PrmEn-y>s@k>@EhqaB zr69AQ`%Z|z7c|!Eop&TIJNC+#KJXef7B=Z|=5C8=f#0{Ke@PY1CDXJE_h%3MB1e;x z(i%p$?g_2wwk1dQ6sqFOKj(x3I49w(+XK$Ga98UR)Y749Kjx)EUK!L6l;zzE%!r&R zqNgl@ph8OmYM|F&i`OcuccS~ICXJv2)}>1&BB2J-Ft$Z+QR`9nH%dRPLZgM=U~-|d=R`slJd+TMaGlU5Fsr2*>bB2>MvNGMGg~kp3i>>Z4<)#cSW1#}Uc2~J zo_iyL&U_XEWFLeZ468u-tH+?;uOP2K;SMXWURgq?WVRgcyZ21o{;QXSRM_QDGyMSw zt*&R7-tXSzClIl(E|TV)Q)dtLW7a1dH-y6^tY5KHf6d$Uq;-f+ zrlYz1CJW|MlTCKt<*LzVO3ykfZlvv8I zEtvlDrD~$O=Ft?(cu@(@$*2-1GtYK&7(esjz*(;4P<6rAm}1OZOSh}3#Lnqgm}`Tt zLI_%^ffkWlG}byBr4Uw z-%M+lSOrMrVnYIn7jSVuEixE6v5Ft_$;u8dZtuJd@Ul5y=~P*QVrYhh(SKITdRL!i z+f;lPfW|VP!K6^95-`IeEJ_>~Y@#%bUvk=<<`hbmsit6}>p#Y7f(whX=tU)D59%`}vFbe7$ zLgLtGgSe7&X)lwrd@ets7AM>rcG@0qBiv9AZgm|#fvv2Y+;+oz0P8nI!_%*Gr|X=( zuOWkbrj9!9`M#N1(mrze_>$Y_Dd2}mmfvr>CH-CX<40wCmvp(L01Qvi)DAY~bk(so zD2@Uqv=;A<#vfXvH}ZCyMJX-UW4mjVUQbH- zn1H$EOi6}s9~lD)b%%endH5q+MLS`M`Y9J5r%8%0E};j<=^Ig=UfwTSZSbB*X3&6Q zD?c>mtnu1Ujm7FP)>M9Gs&6*J8^P+CDjhskap|e{1bIgK1{$LX=?5`O^2gprqXwi9DedAr?jOw# 
zYU{^RC>Z4F#iYl#BvRf)iYgWqcjwiu{)2CF*7y=C?UdnjrPVH7l#?41< z!j{F6#%NvqrKqM){b7};(NPTlO%CqUK(E+m_?-{sp^@zcnHxSDPI(KHPku^qf1@Gp zXG-(oL&UJ6Xg?3k7;DAahk`tq0wemXm)w=QfQxg=T$yRDe7__HeQ}C2s6HCvgAaZq z>TK}mQ8SxJUB@``22bm;qc4k1XwXp$fFpKVC_PY&4Ft*2!bJot%L^gIV~PCM$qiWf zKH9+Qy6>a$YC04-*ATD1&Wg98zF+HNI=QeJDW1>HFZOfNtj5KBidy+JIX%_AI6w6K z{=t1(#@*cFY-u$n0xzxA#%8!MR8>KbG3x-1bZ3geQME#4$(XM$Ta#S1jfKh442k?% zDK>=cZW|l-(=2@j;I~vDjNFCWPmRe3_Cl=6C6(kSIlZ$vn7Y>{~{_95Z}CM-Fkj50jGmG?_c=GDk?LF{URMlaa*yKx(tR& z5MzBUk)SV*3CkaYgNqb}lryse5p75c_o-BPL3dq4HR(p#-YxK1&fGdV8BygcMsNc( zctQ@5*^yi|ScFxO?ht)Ea2*(iT}^gKjI&~-ri9r+p-qctMly#)Ro-s*Xny}D+CR&} z`|<2W&QK>N|Imm)J|6+yp{=3(Q(VasD-S38FNKw)BurpfEsCmcD*?`d0L=GmepC{* zK@Nj%0}`$hqh}9?9f*Jy!wf@9Zl%v6Bai11mq{7%aesWDk78=6tEVZ^P4r8M`ogm= zAG#8VK(8zMOgxeTXQ6`)Kb|xM>7s+h`<6`pab6O@0^BUYc`RylPnW5*rwCd?ga) z>)i1}**yxB$T?6f+pV_j%~vbU)If*GtpWgRQ5CG^J78!?oq#zz2LK6i`ZGoQ{7jPd zby3oxV%lweJn1XmSU@uCq+iO47k6923zZ|H1*d#q4(#-o}9b7P5E&++; z+@VGOTaQnfHrSIrON@XGE@gF=yk7eUCN1a!B8x*K(KTnmn9$&PMoq?wD1lxO+OZoG zH%iX=nJiy>vKPi#eoQY~} z2P)4q9Kg0kGFQUw`gJti@n0_vcphT*a8UR863of)*C^vXM(a(XNv5fyMA7#9I6#NN z3-#R0jH5%o%0Ir<0E_M`cKix97GhZuzY;06vQgTmVBQ zc2QC1(w&k92$vz#x-#VDu@pPtaTq=lWguQy_-O3=nVvvy!uxJF_-=Q9zEbfd=@+*f zv>4}y{R9*~`2;UkDmlKUxW=TXj?@bt!Sp+k=k~)VgLT-*|~O%vG_Gp19>fpIntfIPC@y;Ie1_8?RdPZuXUrZ^>s>D9rVDT-CH83PbpzFQn3?6qV(B6?33`egXeaYSMM5 z;03m|U)Oa|IW(;rB0gAttw_;vtWE&bdSUQ!V$nE7YP5@|%s5y7NizGfG!tFbHoaIEoqDX(w0o0A?j;V{qqANgnh_1M2qbWHp=R1_ zBMo~-{@Vo}8RGS0q^QIoZ9JRBc(D-ApZSXU{g9|6*-m{l@Mh>IsxN^;C+aTp!@y*5 zy4s{)$P$QnWo&n!&(NYOEFVL`>t-Qc*wl1E=+xoNvY#`@Z+9WSA&rlepl*M4Hg+=V z8U3)BdC-eFm1T>)npzHolyxvc)G33fCi9A~c;6(da;*~7q5`X}8)V;E%@t!qY!DA{749jvC8A2kS8wHiU`|nAKvRwR`%v=lRC0K14W}oKv#;BV z${F8}E%RR{+vf48O5xEBK4?q@sf}tV|E*t}X8;(`eoiE%8#<~i{>nLAvq=N`*HR|iD&GZJ2Y3#kB*A*&U>PNCSbBXqap&7YyGQ65jLqupl z0eJzKVR#TNNloTblRx+CuNrA_HVSC0zz?(d0Q2ciQSCUD!egdJC7sKTqN@4V;`-AE5cZkXGmgr>cD^8c7`N$=#Ybg78?C(76U& z3FojrlQ)!vJ>X0{^zq}Q&^RM^z#J@G+S}BxXp3Y_u9i<@a(?P|I>tx0dwKZ^@i&c7 
zi8iC8JAHi6OLum=c+JrZOX`Bv-Rz&CMx*jvkROY5W;Qg@K4#z~_alqBl zTo%e1pXoQFpztgo$}ecc{1uUB^{|4W0j2z7>1qy8KzT5;}^WnHWB=^QU>BBs|vTyM|>|2e<4Yf_ZHSV&o)U&xgIv<$kp)j$pu$ zX=d3|!TD=!?E*4$3qK;MuHA`i{h8Kza~Oxe1|wg6^?Ap>wsdaZ)|<UB2E6#{9fI0 zJq9bc7IHQHJTjKCc3xTzTJ6)jps`ih-|szq2_ke1h%IIT20;18Z-G5qXA&V6|2E#D zSCObIDe0HaQQ|l_lc1KthF*gY@$bCNsgH8`@P2BOxpI)bD!zvA3~$p zq*Aeub`DgDyTMP9PCTH{?Zas-iJp_aJy?0gy42gPo6t+X3_Tq&+dI`wy z8NZK0nNzu5rhh92dlzq|DT}(cbFui8jN#z7AN@Q^n~d&Co5TA!*XfNp@Ysi}v6`nn zkRG%)&pSD$>ap{adEcM77*oM5QXyG(q=bk_Rjm-a%@_6TdY0XzNUin=Y`pU#kB1G` z25`=9f;M=00duNxKtop!=Ro*8-zwao#1VJm%sPH9{CtXKbg^lkRojp2E|v=mJ8O=C6hSUvYi=Xw4;sZyA^grAI9Z|BVCmFvA3O91 zP`BBA$a06rZ;({4Qj1vb>?apC4P6q-5=kaQ-wGsX&QB8l{9<~i5QO`j6M>s5?h0+6 zyfx9L>zEmd;d*WEcZCKVk0$au_Fi4@W-4wb#vDyjTkYHUr~!72v(E1s@ngxWvLR8x zL|Q;1Cs4R>nW13&0@Us!AZ)8TT@kQ?U$5K8KykWi)`LHqD|2thlWu&L$##o1Acy_3 zQw?H8DkNG+2LK>2>Qvn9pa=SK)qz`Fj{XkGikOd0HVTsCMLm36Nau@6J&#bd_*{4X zl(W?(`Dt@|If7w_RNycl^Ma`d=OJG{!g`?T(>;hwYpvGphB-2yMb@=zrvMF-&UUS$ ze(033oZ|HfQFmQ!&od>ND6fWVo~PBV^FzoBr)R?sZ)H!1^+d8lp+xEr@2Q(AV{Hus z6AN!=vL>tZxSmRn?w!-3rNK4b^A-18Ed@#$&jxudGfZsc>i~lN(3#jo;bfW2#Liea zFiI0F>Zo57QMSAJhQ|)IjWYO#xtfwf*yTY%clb2DxVX- zE9S!ES*yuMNn?CWnuYJ!WAWnH4e`O=Jlv5;WOZ$ojz1;3p&3=ms z_cV)f%QIrb4K#Ey`I|YM?CfLQLk`Ego=wIWNg_f@&Qsv70^^)#t~Al3hC*OGC#6We z^rwfVgjT1aA*a#|6!Z zrEG>u-m&iHW9?IpIT#!|FY=q)5pJlN*+Kz{oZwut`Tni4wKV%>zDU2nwNB%p;Veh8 zEfb39$L4cM;NxN?67WszjhvnqU+acx0Q=B2{zC6hCG^$2RXZ(1dW*;99ZI%5*Baov$)f9;yk?Ss0qwUFZlv&!YVH{29T&WE>Fw0M`JT4j zL6A7U6;kNhooBgJu@--4~f8<_1+TIrgE z985Hw54={SFKHK}Er-68pYu{_TD?D=Gjv?9f~>>U?_&B3H#9rd z{zx=xrx?J|BmHK~^1Q&vZhe~`Z(+>TC4vMl1twp|4HzDI%jA1=?%QvW8B2rTs9Z8M zgX86LJ_9b7Pd!*!Y;(=~73GnKs(s42w2)4?q3yy?XIG6nFk|m;?b6tm(Q!N~c1MoS zF$MWtt+e9tp=ENMJ)Lg-HGGkw&Huf01Z==ImRnoV5wWG-C>04WapbJv^;$ht;V)sQYokrk6uEzZB&Ck_|i1q)h< zqtf5o+$t$4Z8h`B4g|yL_TA?6Xoa}HUh8^u`=p$?A&W+)ckYNg8y;@4ufSed5R>cX zDa(4z*q)EK$a=tSi*6sIKq|}1Wu4jGkDy3XQhoF7F&&&jCeO*F3Sg7KOB;*b;(ec6}+9~ZnFb~#W zm;nD7!e-#{aOzi%km2F~!+-E zHgSn3+M0SLe9An1Ko@buwhT299 
zgFR^ZJ%dm!X?P8YfH6!mNkqqCR77}X z-)AxvX)|=_%qSG;`w*e9iK+e3LZv7a=g&rBnse&Xk`X68fn=!Fa&2>Gmj#K(diU?Jx)V$> zFoQ1pfpEc9w1aaa@Au2^J(@p=v~F<6{GJM9NRl3X#2462#Aa%?^LXiWauWR0;}uQX1>P7Mv!C1w5v6 zNA1C9Kw12@T0pejET3gS(kd4DXnMOeK1JyMI&ur<1-ZetTf+{Aw2Ir>k9!EdCLKJe zj{E1%89_js9ln`fMG4Bh2Ll9`Nt+XNnh=CgVx0bRGE(M3wR!&Vc)Xhw^MJH+yN`!_ zztJ1!$M-D2;c)}`hKdrk%2(Q4>C9`~57+p*XC8x$74frh0Ofr{SSqyj7&RXEO>XAB zve8c=k}f$-lX=`Dy~^E@$V9Zpcbk68J~NXNhWr#p*VFT%xQ?&oNcMFkUpV_CI&7toUT9lykWO5{fNP$yvql*cu2=P@3Ep1U8xU_DuY<#VAHxvB!U43%s2}HdQo70P8?{t9><$xUbX`Mql)-pJ}2IOnqQ6c?B|2H%3 zav(u=bpnq2X{7s!BMDp()b;!xt>EP^jP7F3^NQ!on~`(9SITwb-2`EeMu#$+!C{BW z`bDB8;w~tEgM$vT(5QWC3b(hSp@3UC+~})?Yytm zI;_*SZyw}a4$!f!$=AqhVaXXZ&#O(w*Rg+`c`C0Q!B_+3DY!`j`?RazEqaUXxWnxY}>8R~b)+q$=xnTrRy>uGd(!*TqrX?EfVB5bz5qZHiil zmvS#ywfM z#RCE}RQf)XU2k;Q@VL6usC5TXZ&CH%7>rj=$g5_zn{AP1DInjs*t2kXI`CZ1N|&NT z*{^WkZlg9@z+cp3TBrMfVXr2oo_R2Hv7W4`Z3@gwY2OBj0Kvz`0MAJU!Yy&q?0l&) z?JQ?6Z6-CUcMK`G&msrZ!C_!5;Jd)qtTh6C0It)Iv-KlS`*P{v@U$7;%cOHwJ`oZV zr{yrN`0g!UwSMlhuO+JOjePlA7FcApv{mI`5ilc(&u3i4kR3hAJhHL zqL(S?AlvlXF@E41SkrU*$}cABur$yY~UFnb*_T{m)EjGD8x!Om~_k z;e;E;ccle8M&yBt!ynf#Y$|m-^T^+soo7vElmQelMu%haEnJr?t9+VvAT4jBZcya^ ztL@7Fp?bggXfR2(7GknQQJ5?#YpA4>87Yh*ktND9VaD3Xgr+PBm8|*D&=`!djI1-1 zb!=hmW6PF3VJzW$`y;;h`SIS@>$&GV=f2PTyq|OLEq?TOv*4u+9e(nPS3nKUYd2I< zw7d9S-9#f#bhWMu#Z*xkVA9uH?WEPAha?;Jp%j1r;Tc^Xg+!%YzOz0 z)wEOj`ci)jk3YIiyT*}~h^BA0f1u3243c7qQolXglL^1?-de`K=cb0{CXO0gFLp$E zj#?u)KZs4`^Kt-UvQcLX(xk@f$4{eL5|Hh%-kt6p!HN)@WxT)Jgy7xgutaJto}JR} zxi#JW{-`tx`P|Lsn^xoJ>=AAG>-yj~I|{^SKH;T|pYHn@>D`XzrR}C}7+gFDMYbeD z0(k7^`LqW_=XVXlqtzpLIVbL>jP~<>>b`NCe7h`vYfGM4lp}HY6Hh<`T6X)PEeK@H z${*9jcfr#0#^wd)^$!fM$04NTgSLZCe}M$Vj`_0t!9GPx29&fS|5{2{1OzaAUANyN$(7kqO-E)pJ_BfFB(K{j{ zr+)T{u`wqOs^8W8P4A=kk(4>E2eJ-JuPSZ7syW`|bPoGB9FMrKxw{(b$2L-fS9BZX zmy&dz52LmhKkN=i0$#ID!>c=MxUdxRg%&n3dvs|l!Ogfk0N*#R$Lr?VyEMIUlCAWRjEA-t> zvgiCQ+@Gd_iGB?=JE`bw&76%;dY>~~|(UlqytRF_YTnqZ!VJ`|xJl}Va3%GHu zGkVswh0t7zecIz7J!Q<($xx9Gh}2s9`gA4tNPnyGzE4)EyWTre^Pj_6`(Dm5M57Q$ 
zD4HY|^NaWM#@F;|P%_g>{H7TTLO2ybvXhpH(pwNa)62%LF8>i{Y zdM$H;0P*5!;(Dd!)Cd#3G`nm+u~|b&<4NIEZ!V;&%>5ZoIwjhPy3(zQrR=v!pd-B) z>~xcXk;io}m$Kvyy*YtugBTMBtZn ztSqz3IfAEYtI(clcnsm&zXnmo>BWVsO}|(7_17@t2Asd%$)2?u&-!Z>D`h77M8hiU*OU!21-?Iz*2RDe zbZpFgL7hZ_d&+jD?km6or|Fs2Va$y!gjQO{6ivv4_s^msIPMFW(P}Wo^kdL&G_wNu z+SagKN%qiGmJV$mgKxNRVgK%!&hu#*#L0d?+Jf8beX9Cil)u>X;-(7Vjr6vDXXK(J z`gfx_Zv_|ir>FJlGc-83{L;LfnPNGcfkJm3J`fbjS?yVQmwK2X144piG-DT7TXCfS z{9_LcH*k+9TZ$02wwQK zN_&>}7bkSdd_Ocif#MZ8UDI`F&N<^2r8!pbsz+Hdi4&7*Rsj+a$f`hBCR zANA{kE;KlYn?Xpq#yvK#??*)$UpR*4u&e=#)GQfp)CHr2PAvd83vFTfnm-mV$ zROkjJa{lW}qbXc?9-m9gZ&;Q@s}gQ2Uko^&>jMd&WAP1SlNLMo-}+OgxxCP?Claz5 zkN|-;h#8=23xu6%<~TyApc5!@Tb4aQx}3TS$zBoza-VJc80qXv9((a)v!fRoqrwZz zjo8V9iwy5)x-D2O#HKGhuqACK(5GOq`BQ$bPkKRKo<4TrdlIe@VRdqAI_I0NzI8eC zI1a==w*Vph5G<_bd|NZkz0q_!UdU!PEVW?*)rvbB%ME9ScaK=H+wjx+~i zSn&m{;T?cbZ6sHvhHZzA7s~u=Pb_XxK@aFQ2G(LdP}f!sem>@noN&zRrZTu_Sc;~z zb1R*5OPb|WkU$7@+IU?|f&_SLkrasz4{rv8qMh_l7`lQMme;TJC&0J1kLz@s3yvKN zy?}k*KYHC@sY~G1C7EJ}%WYh#Cz$6KK3u7u#`QdnmO8f740>NscN~ax|A@DV`bcU? ziuX`qhO~8=K`RaOcg|`{*`e6L!#!eGmw$3Wh^*?OgxOg3uzY|LYwZX;kSM39{^mun zAR;>MoOMu_1YkI~Z7wP1sDdBm(h3ovN6gQ(_2YrW zS>CFPAxOQok-5ZSKYmzt)*iyEA86LIQ8q~!Dkw0M08B}InK;*#9~j&HP|X1BP;?gq z&ebKiXY}6HoocvJdqK9ma&USbC<`Ikp#XR#pFE``A^R@GwPXrqQ< zmBdQ`6B&M`NHzmtXF@5(PpG-sd7h9HS#@1=>@l6~Ihx!s-}&#k;Csax6vcY>=)x&VJ0k?g7JH|F(GX9e5S6$D;P z0Zn2jS-Ke_VbRluw<4X0FG&f6a}jx~LF*ujUPF=XTYReNhW^EzJ7mBbuFj^n6c>SC zlMhFd&#m^ez*Tx$xdruN50dz^TE%5%b6qO9SdvKBPO;TJ9PW0fZ4E2l?lQx@8G2+# zR!%#~hzX0b&wyrV)Vsl&;w=M}?q*N5*rn;^VNEqIGj_g8AD2=1b5H~ZfyMG>-*JNN z0edqK4`~naKUoJY^K?#KBE7FmxEdA6a~83!&JG=}5h0r?4WaVO3lVuLHVLVKqWD_V z^0Y!FH+4Jg+SSMRH%)>=l<*eo4+C}#Z4`v=v8N)TJ>aSdVX`X&I%$^w-plYZ#m=KS zi1N<-5n`;|SK0?*63|skY z{j-H-YbpK8>yDveyT=*(FX6rHCGCHy;^Z~BJCH0)m9_?wc~MjCfi~!j1OjP6RV5h! 
zO|e=evqX2&Ij=5$MgYpUS%#_LD%CqPg22_QHflG%oXH^!A9lw#7 z^>)={$!q250H2+q75C@8gUnJFg?Sl_OXNS0yFSkP;G;I_oL;l%?*82~OVg3|1G8F4 zQxlVjy(_fh*}B{omp}#UwRl6drGD$MLzm%){DcvF%?Ge=9zPQXfMhG(U}}ykH8yp% zi?F6~-h*UT%b!=r>}9Wnk*pPFD%I(xJ5>d4@6k>uA6fNz3b5MaF%Fh7;8fq zkh+Kdl&ekz`KYg4VPY%ry%+iBqJA(ehaoj=L>8+z3mbDsI>wqCkk>>>R%emUYUl~P z=D!PP?i>3uxKzSth8jw0e*BU<5(UtedRZd#*TGp}Y@Yb%P&L9YHcO-v7{dSG(~Nzv XHcdB>Cni=N1RS@nBa8~JI=uKFHPWAd literal 52806 zcma(2b9CNOvjz+&jcu#3t;T8WG`88;Mq}HyZQFL5q_J)Dz0;@XJ8OMwz0Z5{XV&kY zz4y#qGuNIy6Y@hw6b>328VCpoPFze#9ta571qkTN7f5ixe+I@E(}94#0*MQKS9H-n z)q-$97slwwe^^J6fJAh==zyXM4uuSMC@*F~dqP7(qRAGM%l9k3g`ai5VC8rFLYQzX z;C7v*CS^)lSJzgzk#w3FN6c6?;qH7s3HVc_q@khlcPdHrnXmql9|%g!MF^aNfd7@8 z2hJ4>Yj|Rq|Gh70*z*yQO{t8CmFUYLIyysr^{<)&((sCMU5lS!%qAwu92`B1Md;<` zE@g}G6Se~*zXC@>6~?Hrdv2(WSJrHN#ua@1Vz80@IQQxd;SWrMr%?OOI)!NgcV4~`(lrWKGEauIettanoPR?c* zu{mHIF2Ku0i6loZ`}O%zZr8-5ui-m!^I{nUvxWw=rK@nQd@Pdt3%tJdOV9K?EWTD7 zjG?ue33(OqM5>Gle_y^#l4#8)i*FKRgP|d6r#TnCW+&+HK)5aSD&F#83N6vf`ee-h z^_GZlU1>Hy7r7F(G?`VhYqZ@_*E;A zPusp#PF#;GUP#nAbC#Y;p0dZbn&O)-Yo;*|%vT;$t)^%3dwBL1bBI@??Y*kTdVj)A}n-XtkctixhBizXHWM=gmNML^6ln^z#c9gN>pc zY$&us+g(^4>;y8J8XB(U?J0$I`gV6te}8fb}?L3YDF>Gc%Gmu zdfz!Vo1N?``S=Hp9L!bf)ml&hq)K>2hT{eAxk82}hOc;3*g(VCpBaaJ1RDp3`G9CDVc5@~)CG!1Y?g>` z_9To!Zq!0WK(vcjC@h20f84O!r8e;YZVFOvEG(PVhKt)P(&{rD;g}VDrMiS%jK=)duBiMn!>swY=YJ;5c$REs?5+b$S{33;44d{Xy7o%X1mrg?jSD zk9O{=R&Ja!;hqS1%N;PHE7rPHdduLyF*RHV3_^Kz$uK8p2|lIinTVN~zG zsO5TQJi4-t54A^uPo(y&uWN_9ODhY3Q^Alq<8ejShr>Ep&tW4l*D<_~RZUkr(Y{{Y zDJqu82T&PclV!=qu?gP@$;kWq+L+ILsmJ84mEuS8O}{?jrpb7RE2pKky^G{qyjTmn z7>Ys>Su=M!^^b``3cPj2V!XOaejU@aSoH>?gNJ{7DI%C|5r*k`@AY2nU0+0RR9036 zU^no=9nAIV=}XVWn?a23N&ntha*ZitqUQ@-dq=y?T?7CWYxoAq^m;bud+Pi z^P$1*Kf>OdZ$8%gFI&XT7rZH7F&hOq zn#b(?e&BG$oY`a~ydVi+aZ|>|f42G_JQpI1$#0+xPDkV^%~WtDa4H-!ad~JMm;kTsv!j3u z^6(5+sil-4+&e@Y9U+&4t!i*F6Mdk07=PY(3MBPSdwV#8oJ`fm8zH9NB|O zo6~8iEr@%jf;afrM(coxg}fw@U1R=X=anFWUrU$wxBVCfA{ax$g{F(|Z4hxH zu%c0n7mz|51xk`z7ebwZMG)(rJ8*`3yO6RFRZ(fbPBhqw2|2LN*6{rZ~xw}b&p&FN+!J_>+ 
zD4)2abU41Lo~4w!>G|In1hCku;Tsh}@GyB8c5q%t!sVH)3XjgpPK}o={FO`opn9Q& zY8|cBEX+guuJ%Y-@g%EKkjsDmEJ4~Ct{AWMZfu#Fkgo!fMPUWBuCLc3zD`(bAYq~f zNP&Q~zn@8cYi^sn{Vp9y1Y)@UHu&1YP+RM3e}k?ln}7xuXIL5wYdHD(hLQTaN;IZo zh={$>s^_em|Ivd9SUQ!(r=g*N;w_Y-9Etmvh9r7Vp)u{!{N-SUFwBhpW3ZjM^!}FT z%RS2eg39bU`cXYTT*6Yz?M`eK?7*AZ8!gp>P#BRP6B~aIx zu7TrfHllW}vkDmm=wAE8!7$CvU2gAE+SuA6S?1+ZD!TbbeRBaS$>}k@d{+%ttBFoa z3$n@^f~02-6PaL6q5*s2xH>Sax0**Zly;AM2e~{GH3*n-x$Jh48f+HW1@cxZA{n9g2?QQQLRRoMV|#$YGQL|$8Y}4JsKOA1~G2HTR{k| zqK;xYGl-F~xn@&k>G3i9J^3M2O9@>H{VwB;-26>)2AS7d*mfhs9X(}Le0K)~1__S?moRW~M2`hI8OT_3JTpS*b0v`=RUhhV!|hIs#03gU;~J6VH3TENXllcrX_&@+{Oy)*AEUOR~JDPAw4ZvcafD<~?Zk>Y)djNn{G6RVy@;+F0i z@h}~~GB8!0gpfspgqW9Z>9nMtZ7=PumeJC?JwH7Sce@+ao=l8OrHW1s$-u+*X7X84 z5k?_Vpj{pj@12<3?J6j*x148Cb1NL}Gjs*vT){rf(<~r*jMXkpRIcv>aL~I?4%%Dv z{;X=sp+6}j+4qz%rpJ9f6CV~562gC8?>-}h#}}B^MbE!;g|fAtbM5hl?fFb%HU5DH z$M-Dc0zBdNGueaJzCM}8QX;Vd{W({q1hO+fsk8u%>b}=?b*%wJ`nfBIzCn?DvMh~_ zC{IQUbJ69tCO#klOufm9cGOz$yAQw9lUj-?ixp8g^(7q3#g^dK$iVctW^;)WQjLL$ zxcCCYlZSG@uDsL-2ACNhdL;|!lpRD@rw3&?Gt=f=OC5Ytw5;j(p-3V+dIInYe9Ikv z<*E5ft+XeD*ygb$8~dKBVje?^(mSsZS>kVQElu9^Up}5BlOt_^UYV9banQlVMb%ND z$LVKo?iDA{Efu4J(i_2_AMVP^l^IDk&sXNb+{u#$E&+Li>U2Q+CE<6Wl7Px8Pl90!-Q($bQ`Q;^J*z;_4=^(?`-BDxT_WW49<_sezWcS%A($ zNC>RLixoFr&p@f?hN-I=*n^WeQr~xqvIog zm^gB%;RVTSiyP<{gx-ZqGDc)+X&I359N#)id;w#4G@T86%zHJT9nV+d^!A|{(y!6v zpB9^Nuv3v-uu?Gdn*mC%gpQhQZx-K1_D5k?5LNh%>uIeKCeGSNC?B>-R+oc%l_I=efW(A6um!9(EUeCsx3Is(ln$pajVUA9wjGlX5RBZ zuH2#E;!ZDocinnT1`rWCpv5mGCTh@7Q8#A`B!|B_e%VLZo_@T0XJBF5mm{a+y|%Zr z@f;&FY<2C@Tvv{ z)vL`_=;RP2Ft=nB^B<#Z%+$<>7s&(=yA;5P+*j~ApX25>S^6mTYbjc90JCx)e~5Bz z0T|EgEhXl|5rm)FLKvgiWB@7g1DoZ_4+1Y5_Fu$N_(=Ds}42QrD113JdGUxh$PCuF*1aGL6MF<}eJ<+B-a6WF?)$ihSxGr~aNdNYy&^=91=m|BG`bUPz` zYly1I4733fg!j#W5F$Rbz)jaxpAqON^Ez*#p{Fji-y!AV_cu2vk@M7IG6D%FzoRjb zL6gAYHkXST%h$%%p%YDd6!LNr9d9_dt=4>zo@~m*nH6h1z2G?xvRI4x^pM-JS$459 zDRi0=Uwv+0kiJ}{a&d*t79dS}T=F-^0LneWeh+;4a&p3jwYsy`TORG#XRwOa#jA59 zRaiio{3VE>Q|9nzk3knXci|}v^m;g3(b0%PA|kv*&p}wj2(bKU*Kuhe4}lT>1orOk 
znGI+jMr5Rf$NO;o(P_~kP|%(yz15NQrO7FLXfUoZ5?;gD&ImZ>n#pWvTJNf(Jlc%# zap$Y(V$Eh%7;-m`Pxr9UYmHz?5cg2*2rq7}9VCET6J~!rec3Hn`!#X2iogX_rpou> z;F&_>38o^j;Sp(IVBoKLZr9d!F>;>YfAJw=0vX`osIIK^uFs(?T3PiTu6IxWXbg>Y zJ+4nS%@-CWW~4$+Dfu}pE)6`q*y-q@r>k-e7uYW5=-`0bDMR`}mzpXD2e)uEV=lKn zoJnt+LtWwOlk(=2CWSddS*yC5f>KZl7O9&i*u>AuQBa8}RI~oH6Mgan1soA}I zaYD<*)x^RWoY)SP;HfI*DQ{z9JUS^MV6~iP*T@L^V{**n)?LpFKQ=Ef8XJxFl+|i? z+gHFuMbXywJDLdw=C^N&n9NT^3EY<7I5?nm3Q|*2c*va{?-4E!SMVw;2rL;2$5h<< zdGuH=mWo3d_~`G6Zcd@tEBT&vOUzhnj#u{#rm_U*LkvvspHQhbu*phh6>0hnMpZP0 zEN0!LFS)ftqZ_t%r*|+Gtxz+zR#!Fq2M2lGkkaBnYK>b=4Rs95zY=PHef6zp!Q>qW z8vc3Bu}nd-n<4F0t7mHI_gb&0$jB;;rogPo$P6Ym4#cd0s;Zh3+R(s%2p%b8G$>JU!3IJ}E0Bf;cZ|C%`+CH$QbSHBda2h9`EbhyHe^TKt%{=cct!JNX{X3=aQG z&@RA#4UE<)x0=cdm=R zGErGZGNmNAwN|y{+%jgv;_@2PWEzf)_Vud~^>Om>BfOp)2^TX}idXcvzC#nZ_$pL#vW* zN^uk3EdM|QzQBm4^QtRvrkdS83W5Dys6Y=N32=yAsL<$6pG-^U?@krB8tss0CLg(a z$UyW`*VsR(&Aokq*B(14~(0CO9cozKsToYb*5bk!k1u(njK@|FNd| zjQ~CZN0RfanjzjO>cPVKwSFYG7itK*RrU<|&KSx`k8&+sv}q%#7`qb`jVt+s#o zA%&he>2kl6P9+Y^K~IUTf{VjZDGH&Ah}5w}+5iy0HDu;*JeKEq@qVq=Ut}n}XmO&# zMvhRbzYpHNBqdgCRYKsD2b?Vhwz)gO7@lADtF(kPy@JkG-OCfqdsKAgHpKP0+>W3G zx7k5S56Z^&rPHuc5tF%2ejS!40do6(*}mUxH#cXyy@N1qaJON%r-IJaI-eru2OotS zI@v`VSd)-Ia~AhUY-O#jxki^RJ(Z1qJ-?KMz{k6)$FD4D#$}a6RmHpAuW8Mj z>jKk<9bB~)@*<>~d@ToN8>_`Hj)Cw=%&2M>8E@On^WGOAOV9JM1DTp4RLo?qaNhtl zR0f56N;Eh7&OCr#+!Gu&p17)ZWx8Qf2pgl;m3Vj&vH=1irlF#I5MR1&T(BWY+c?z; zYONFP;r{())dAj|+wL%i*$hrf%HjI!^=Kr(l7sTL`E#ICFhb(M?~s~x*p|j`6s%dH zhc}~sOPf>PtYD6TQT`p)S~aD$qkLYroWRC=9updgJ0?2AquBXk2IB9|{Fx#v(jL>vr=aD1;~C1fM| zDu8l2%QbFvC~c+;62MfM<^4kGY1b(Xta&F%mCj_bd`wDn_d{8F``P1#TD{=(>^0-f--Ox8#w3D=TIh?iPh$5ZSOwYI05w_}(kV(KM&Wr%-vg-Bxwyf+ zD}V9o%EGjhtSlO$srF#tskqvo59iy1?Jb84&b(zI@^_(4K=|yykrCKqR#}VLvl=j2 zso&tG$vq1(US?FBq!RtHw8ldw5do(9%CXwhKPh8<|FI~%84qeB(9bb4A_ZX;Z%EHW zB=D#ka)*eZzKu>zjtg&h(|U=lT-o>i^+OYi8G>9-$IY{uikfV!6mAL&Qa$_-wC5(h zPomis#Bgjud1E|#BIelcc{W8Xm(Gg|j`am0ntRsE0d@myi&}wl=#o;YeZCry*2{5+ zUIui!0xvWE%v_%wNd!>0t&IkYr;=QI1c{+U9fMAB5ki1>_+*;1kGi2#N#_;}A1ato 
z4Nnc_5Q5B@_n{Y(Q9DMnDKMZ)*x^ohc2!NO8-9|wvV_2w^y-{4j!Vx*OV zPQAqJk0LN{Eu089*PE(oYdaiYJOiM=y-lan`v&qd{pzhCymz%YJMh({EVcyUnn_8g zavTD|f2KV_MQJ7|Ug!OtOVRzx=o`Cr4*dk$b~#P5AuaS2Zd;dc>IEi5^?=Ib3P2leV;QPtX) z;^O3ZX1R6~3W-oHG~WXrQOE5#gqiEHpVc1-hAm6hdmiVJfZQX--|vk%PEu3H3}*F!IO zJ9QD;GMDW*G{&XBBnPn456w-8q&=O?!g1f64c@DIe@aB~Vh=^by~(#cy?lw59tTtm zRXtvbIUrX{)!`IRD!S(6(4gWZh(jNK-H+Vckh-i#(UjA_#M3pazC5p{h-rjrTk(ZQ z3M@5Nd|BpTvm#=HbED3(*=e;=xbdp!V$gE@7$#)-*p}?DM1X3~)s6k_3zMlZTZ+Uj z`$J5tvPiNc%49v>)Y)y>gv5Qpm8?myT0HBXX| zn2?Gc;}v@9oF`0{WVVTxXt$h;gOQ4!r{htzJDN7l=Hv4F7HQoIL}7Kk0s*6%JeR9M z>;sqB092;4U;OHAXaVtXPM&qf(S0qc7z~17o-In225GKrTKk9`mp(BoH>_6|E&ofF zx92Fyaz-o-N<-yV#PdZbeG(U)(=A+_5orKBnJc^t8mS8_zIbE@AGl>#7H#=#F-20R zLm`9}8#?y?^a3Q&LrH>|BVdJ^b?8trzCG7V*J(a-JWq<%f4JgHot;XsxLSW`gI2t0 zG!tIC9g#O!KKqKNI>jo<9CW6KS4t{R2agf;nUAW=`5wT1$%K#{mN$|hZod)3Qm#=2 z)PSlbNa(2*9-D`jW^1KTp6#YXm$>6eylvR5@x)=DT*!O` zr7*+uEr4n?1E>aH0h_SH@I;BG4)O$PiS8v%V}f zVBxZ&unbCaR;A=f#+nA<9a*wzwmnJ?ExyzA61fk`7^J6=nv0yFtPh5imKvMP>Ly-S zD06*-K0`rqQmy`c+_Sw1@q!JxQJG5#2u*pUf5~=!Yypxbd%j`P;a_zSP>?cP2`_{q z9gR+4^D$S>nXlyoP@=gt9?S6HygT1rdjM22b6ClQ6fu-DO}#(>HZJLAoqp z5J$R;a$qn^RR|CekjHk8;Dvq#H)my9Q9J%$Hi8Yem(c@-io~tH;w5Jk;yQ4E`a%IM zU==zy2^+*=ZRRtt^gN*q$3e1-_C&~MxD!PC<9vqSRvKlE9*dzsv z0{!pi%DHFdSrn{?{g8_z@yQxNGQ~WHw49`11rES*&};~1y7D3Eqav3QYd)h?+goyd z)2=;4m>L??YUT@;)N(E>BBT&t&~u=fTCF2&M4pSzfVb1(#a=aB8L5zDNz6a~Wu3{34P5QWAgWv??8hvN$QzdsYm;yoI8) zc#IhxtgLd_nE%nfI*S@%8{aK7S13b2j*>e7!f9ZjRH-mME%p&_+0c_9b7=v|73aq4 zAz5$s5y=WKLi+8FwVrX*vq1gDXCC_&y|imSNaNj#E*&9gFe0D`%(HD?RaBad4rZlV zxfz&?-F%YOsGV`7!B+Mgz}fBKlSz?0%uFF)(dh+Vmb+}m_?Bf~$Mc~M8}(V)v&^`* zms5r%=T~o8d{_WIGtKO8hsiOfe9qce>qn~~x;Dl8zgrC5!dAm0D#`;Mh}-EhlXn*i zXJ0>eTi8yD)Q&C8d-FuXg8RZ~(QaO<EN6yXZxV6}5f>#h2&}%(o zZOUg-X~r1r=WKp zVCcj{HF`Ch5VE$zu~-sA` zV4l{fiBd*A>EcMH?PYr7=5_qx55jbMvY4l|MV90;hR}oaJMXTEx#fvw3Tf*3>Q+g+ z&Gnt<{*^;0<6EF{mh9FMx(S(gXdpp&fV4D$oR{#Y^&-AC6O`oS0N&Jsa}uFWSeh>nDW$(Po;Fs| z8{uH>DZ7$qz4?wyCzTdT=S^cYB>^^VNJ%4E=lX<%g2ORXzu4VlV>;YIEE(Lw7qZz&u^_o) 
zWz1LC#AF1mk9KdXNjll*!!y-oJJf}gp<~zO1hP7z z*R&m!cKP@F>8!PJcQ1^IhIBhJz-u*OD{=P8f+oiWNAvGPmqiBTOsBnnW0BrLZiA#fa>7Y(q=;a#M zjNLK2CQ4D+e{9shuNJ}6Dj6mhQ6jP8arL>s`ZE>5^VxB0xjbt=@dKjje(9Il1}R_i zv2GVntOrBlh3m0cQ+&?9E=j}D_Sz?svWSr$mxDZeD%zZL6 zmqauYJ5#LgA-vNh<*QN_Z1$8;vtOIKoq(Y2r5c+DQ&wV%Fm3!Z3zzfn*SIZmvw`X@ z*;i#q?Xd|-BW%)ydo}}O2$JQ1!VOZZYaW$syztfW@z_G{<6rEcw_nc7QDd-pvHBi_ zfQsm_1Q@cs#beX+(bO1|l5DOf#mzX5K%+aVIsCgHD;p(Ar-EO89+kyXMM0!ObNX=s zQd`>a$8#YiNkIwIfXkC!gwn(rm7To2joIus2c0W&^T*JWzuE~Um&pZbu=~EFLhKSU zu$LpFAjYx1xfjH$%-R$x(`t|7WBwtMcF}19r(?_W*A=h&#T~Mh=}ceEKrz5UMGnr)?B<#I4&?J0NuxFjTjc+T4jB4GaWLp|mb%<`Pp@@HiUFxXw# zJ(3l45T2<5qe$TNeC0LZ6*@2=#Ke!Vn8RkiYO+c9p7a$+pBlulpZP{v`k$ZJfAK+O zX9>pvBt< z*l-`t=ZgDzuBGJz`XB#%5PmFaIaraUsEDaYorz_0jY3i2jArih-BV=JfZKmIiZ0*vfA zjVhlD^BoW&7gg(!QEaV7O%7WfNdKb@xQpi_LEhvrT6wvDZg0rAfcR-9+be*X%2M5X zPu#3nd`*NC9C#Y4|9bh+ozm(T016>}|08nS_I!-;u+@;`|Da!E4{kcC3}3o1R$qF` zpug@(t?hDD@*n@Y5%2*8WVLwRPSu1@*~|p}TfOxqhu1^$pB~nliDUWS)HgV=)q7iV zSSv>C0{AYJ=;?0$nEf*jBz3LVYUBeBCF2S}@|~Uq4c$a?;A9uQ9sp)Ve@*!R>Jle? zOPHFejCdK|I^&vCR~{0&h-kHlO^9d@UUa|FefS3=Bh9K zjd#1(RMx)=qwR!xKHcsAckj(c@(}0v8{bv0dL?E5W4KHVXp+Yq%6!n9fzr>Nq#|L3 zP}g;d7Cm+SkLwY;?9WOlE5hLX)rqF|9vr|mA}Kzj8|#}FXyqF>4&DLnXXyFV$$#0m zbX0J6LrdMvl}f~B10}XH>PS_Qa#zl0hl} z_#YNW_LSCv0O}6@i$y?FxQ+XheEo|p{Qp5E54cIN8s#ipMoJ#H17SpYkDiOZn@MQ;JLo zvVy@e!7R~rNi&GQN#rZPZ&WT)+-#n+=hw&nKTU}3UbN~{$)tpN7Nsm1ArrM8>h1cw zA>vQ9dFiCuuHKDcpKw*FJg-$n7rDY&%vsECLQQk0hmHqlsAUPA5!H~l2;1CKxdg{Yf8;J6~+c5cA?5*M}?13LKNpcI>g!faE4^?x`NvAXn! 
z%p&(RX5Nt$i_>nrT$z`IzWn6tWo^NKvf303Si$2+Xjf?YqvWu36uJ8R+p-oUhbJ=&;fjdb;`$f(l%i$=|xC=kY}nmGmr>;EX3}_4X;eEZcc$ zJtYAp)f^4>yajgVW|fFSW?Ka4U&wa~IB{mXa-p*ST$?fhtt2hMM)2!R`D56yn+=lM zm5Q#J3W71)ZV_84CT8FC5;(ZXA_GgK+pV?1wYB-~L1E5UcDSdOlHn<7QQ#+QZER>5 zyO;#*;PQB`VHvnzDF)2R98G~K_SDH74gM*Dc}#ipMFrN_J$yP6C3kbeQlY2HrD1c3 z70BObKN(=iIG-Lf*Abh%?}vcd^aevsDZBwQM)LAw?|38KxW!4H1RBUP5e3aSMldh+ z6MXILmzcCWAPy{NJq>qE3y;9w`A+SS&Re4+joye8NWjZQMWH9P#-u6Sj02gvhTT|5 zMHa8F{5dY=Puc$fMB8WdfG1o;;*w7cPTjBfm1fDU9TX=@n}N+)p<82_%wC*k<|PKZ z1wkpCR#(Fv)WWO-j@bUUzVP}OqgovQetMs?mFQSi(PzL1m~woOlxlWfc7uVEkyLZx zUj{Pr|AK`@x}F|(>)xh&@`P-$>fSTHs3L+eD`iyhNK6_U{idy|0rVbg&+3E|E!BlU< zdr`H68L6L=k#s)ax2Wbne0{4O%$h5ceQP{HEwn?1mTIpH)Q}r>IR8Te3z->llD=Op z7lfe!#~CvE@M`{pDKZkO^A-%rhT4}Tw;er|hAbiT*M+!?Gye1skEJKC;N-CLP@19m zG9`pc?Vb*vwiyB9#{>E2-PwW1G6iZ-va^$@0Q)k6UEe5uC(~eMsDn>LnT&g=KROBF zd!bA^^8PZYhzVDA5T)fcB}Mj4>dQMoS5-MFcmADc z=SN>YC)$tyWKxrEq1S?+!=W4?Q^s{a2D*cLe631RcMrZ^A15(996}eNzaF%VjY+KT zNj7`y5~P}gerT4mNF@g0@4d?i)=Rh)eJ0M~@r{iSXsLySx2; zb-$f5pgGTHg;)6;fF_DO26zBZz5P7JAGl`8iqtnzum4c4pr7}Z9z`$BV@uu{w|uQt z&g`g4)$CS}8}b!o-TJw&ds>kk8`=5l%Q*pu|GtjL2oF9$4i{j$qMcd0mhT_xpuRObz<>}L>i_X^&o3cH5uNveWNpbrD zy0meU=S41Ii+?vvqTVKun%`;!c)+i=(Rz&YS?c{lS~ z9`6{L3}BA#06NFQU~l*C^%GXrmU;G3mcFu3ssTY;T$}5U=7ERQ zjiVi73Nc0-AdZ|KgB>|DMY4qFy&Nnl!y8S2qwWrkgPhzABtR+In1bAg<>%=ys*1K-`tbTj_F0 zh&5pFq)&=gsx$;HVsmV0z#ds{D6nU;g^LCko7q$aJ|Wzn8WLs|>HvOh>-hO`6R|*p z!14Oqc9rILKvQLc(_Ok}>SVs+4>Y_uz~ly?3mO8)T=H{hgEGPlFel;?XjihF^5yqZ zU(uK`rt)-BnfOSF>FN#b>bH9MdnY#71>oyi6eJIeuky!df@y4)$rjZV!WrKpAI(*! 
zT{QQI9z#P%UgT;HuLs>BJ8&qwdj>{;U*6Sz8Alw41_r4ECS9~0O6LExlk;&w5uTW5 z%Ty7=%AGVyC@Zr)cinK@<8u%@kbIz|r9frY&wJ}&kUU#_?+~fbv$mcpxRM)+B77fY zWqCLJg5fR8DQ7+{7sGf&fEyXXg`mImD@jk!DsVY$QFo_Ou-V=NrJROV=(j4I6ySQ_ zDs_zHVY~{~pXmX?x>ALV=jh}F&zr&tF@du%u*f57bJ_1Ih0le{%=-aUSV;EGX`kty zfGez%hf9BCLt{%}4Ms=S1LDsEULVed6#6UD)6cl|fPw%HFSS?pZIrmHwOs^VLqq@h zdWZIxCz^2lRfH6^PPral%kh!2)T##3>L2fZ{d4 zPF4lVCPWZMCZH7oqH|ced6O>5A&c};h+?iIr}TP8dXW!ZkN5=e1iz+uaRVpX5OyXW zIuS*t6v)GUT2d&}@y-}e<9;r+pOPy+IP~=&*@H1{H0s0W8tlk57!ka(nKKPWdZ766 zy~=;RuNX5Srl9$9*VZ1=hT)u-T7)xv*gg=}cX?BPItVIY^3pQk6!A%%`+yw{4C+@MSP8fo#X zr6uLit;7c~dnKGC-ht$?J>kl)4vO0z6dc(aZ1|DRhew+>k8#U>#_1nG&AxfKKd{vJ zfZ6%{6Uhp1?Q8V6mi6aLNe7EHRDuX>idUI^5~vbU?PVAQc9ZlL7d$*|Jim3VKZF#g z_?38?Fy_>fsOadq2iY|)B^vHq`?iPuu3N?eoPj<*z=`j5aJx!MGFJHNER|t&XX>a; zLH*0S0fezoyo3(40{Di+V|rgX9S(s61qEj~P|6TpZyAuSH$?KHc#+De)U;`Rt6-B! z23lOs5*he8+piEDE{2^7Yp_3OymHJ-7E12GV8#aclMvo+FX`H{gLL#DWUUq7fmKPYRiwiPbX0Xld_O_rK}HhWqS zuVcR?@Zax>d@l?oo6@`-7IkX0v3EHesH{bK?U2+Vg06@*`5;PV`T51%+&oYsOrgd5 z5iu6zZRWBsYJhU|YsIH6GP|~e8a+kz@7j+r8Kd8t#aKT>vfzPy8MAoG1r5;w?U-@i zPr;1?kxPvST+h(W5sGxFw)WKyLB`^d+erJqOi123JYLpzL|k;A6+CSWi@T#`q(3U} zn%vLi?<==>l;e9@oi2F45h?=G09#n5!|u^py&<w=;g&by>p*)93M@j02w_CBf#+Yjk$j$P+uP$MJ(}of|W7rkf`U#)V;4 z{7oQ&VSAhnKgrq&5V^dy>-WDE4zdw8aylN{VD*UNa{rp2)@5<&x<>R69yFZk^)vBt zclu3LZ#g4|YF`}i3EG6Cm}>Pr(rvEeC9x$=N8bVi1-TeL4v3BNoT^Ks%oMCOwZflA zSibE`Gc2xORNE{GP{hN`R+)RTu9A>;yHG|ZvwD`6Fe7l-_n9CFY;_6b`}$@!I}q~y zr}E46V(Bas;Nr}#(cs7$I!rTrEZzEfNwi<^7u4S+f(}3Ohj)x78mpisasM=#5lJKo ze9ko(>c~oGD=qgEG$8oFn);sn1|XqYf!c+^#&c`lk!w=%H8cV{KIU5}Rx+ zsPr>8b-u1}lYh52(PxmXKyGc}<;L*_Q8-bb=M=iUj^HXj(^8rplT;7d?JLp%&gmV+ zHrNpzqjS|%qXdTRxP{wpPlP%jMwK3l#B*&P?09pJ@w&hV^yl+_CaW0+HLp=>VgPlZ zC&1toy`=nZ9*td(q?G14hUht<+~R&DDU^p+TkZ~>=WJqPGGC?=C7E||_Q&t`0hocO58rUqI&2A|CvnF#-WIWiMm(V4T9TvAd}&Ew+-vhjej)#gM*&4}+P8lJe$ z5QA>Y87CGuzKu=h2oVRU33jU{aiT!+ksPww(Zl&Wk6|%1luk|)y(x}Jzz8nw9R)jP zz+fgrMtmJ3;^E=hIy;-_kON5kO3jD_khp!W(MR$SpLF=+_g~IS2k6?1A=7NLLn`!o 
z+tU6ZUUKd1o~C+}7jNw%n0c2(JZL~JzBZ-S1x!*bE-Eka$VX6H960TgkoP%1ik+W- z^57?Xct@nqt!)ZmaH0Gh1Pn9i*?Uu^r<-+m@P5#mW66)?BRiV&A|n&WY+m0fJe!TT z@nP{VMVt1Y0DuMr zB6vkU6>Kx2R1dh_Y+;ZSk7Ogwo~~2fOGkpSu(OMfCDMkmOYC4Tc~1&7Sqp2saUR2Z z*2e}N2+yUs3@YqO_T{(!yO}IZ3Z)9%+wuVh6~>7>ebk5LEQzj1_^<_e7jvlx-f0u#2I9#VfiT%Ue3NnNb2a(&%dFQ9Sc_wN=JLkG-Y za;Lj-*=)Ore%F&RS?ZuEk3|b|o6Q&JFi$|PwPLxdsTDIDQamI(;KhkIeegTY!f`u% z;LgmwiAQIIal$ODL$1-2lx`(64jgyw+=?cItGmudn_kIDP4mONEv` z;w!eQ?ze%03%m?X?hZgrbebt6P0=nFI{CsEf{l*s`77-q9tKm})8h&cz29!YXIBfe z_4)$;4#Zc7833lppujjdir*IhtnSP@N{J8a6H1@z z>b=dT)BmKUmBl9+;$I)Ta5ry^8DJ;yJx@^pbBM#kVm^m4NuW3Ng4LtnK>K=ws&Cw| z?v-?WLjtacR(R6R)5BlHLYMq@hk1s}^aEhWGKcHWLj?MYqK=92hAGHlBd<2{&NX~s zl@zo|4R1tHclUDcHwj0%+z0(C4VWAx1znsp5EOy}qpXA7BE|iDS-u5y!OhXB1Q-xH z-pPN~2O5-E!i%Av|Ddf~ul|Z@F|P@Def0nZ1%)K0_&aCN;kxo&6}gt(-mfG8ryLLG zZ*9r)Brnv5(ExO+3=L36puU5zjlK9vdxc(0Fi6Blz0W7_4g5q#x}iH9rpTmDu2TeF z_5X1777krC+xIZtA<`|~-7O&?-QC?O(jeX4EhXLE-3`*MbbjcT_wYR4d%wT;A2@Sn zX2;rV?U|_&J2f0(W}fYs7beNz{8o-vB5-hlK)f8U9!&z2`E<$VFBm(fBnM1<_tB#s zj8Gke1ui6!FB@W~xiwaW$)i>ON)G(0@HyBBddERWRoMYGyH^EiX=!2A)y#eeBg3hg z9kj9DU%4aeAPwTt!RAgr;+R2qcekfAM;TkHqrwDJGBY>&<<@W@McEpFHho9VA6hH{ zD(+K{?<++YcI+lV#>KfIrqQ@6#NzsSUGWZcUVMrUV{(%9j6LPB75bajKU)#deS_9@}H7(&DoaM)S1l}DzX2fGFLZhPgcT?@$pI;Hb$@4E|o*Lx%sx+YyKgyMhoB{otr z6JuMI(+*h5#)cC5STq&1W%PIo6M4y;JtySDAdU0&0pO~X1B{VaQ&SU!;K+sb^>t_^ zDq@DDuZ6+o5-aPcpp#C$NPNax;p4^L?qN7VNEoM!y8`sTERr}8F4FN)RnMS#b@97Y z7R}g~pGR1VaT`nkhDI%|!W2I@)%`^F_iDMFGZwLCrtV!y2q zP2E|dMK;-gs^EzU;5TY)dqSUnfQKys66X8oQQ~dZg~Velz$18 zV-rc?C)EQl*X=cI@x=w>@9>%%e7V%~AsWrvpY@O|AF=?^VFp zf)`ympPY7G2t;e+Ez#HdSoWS_rc5YOAOIG?dpADj2T3^OmdU=XsY$w@{>nr(Yj=N6 zQHIQv4G(9sW*|CN)^!QD)~q<`*X}d@(lgM4+W55c7GkL%Kk!JxJU8G`a()H*+;E_5 zWPcT&OKXOO{@_*tTiWFTKbTCkwq`CyB+`3Bta!RB8vZyQ%IhCk#->;?h4%lfm2URc z&%4{}K;s0O>g$scoC-G%j?nyeYRHB1VBpws`x9`ZjZ@)56!+<$2cpU z|7=2QTnJ3}iaE1QJ1n!-cl8KfPNd}Q4g>9s&ClYk_iiU$R?y=*Ituwybk`#ZpW}b9 
zjqHT4AWd2JQUyr0z5wT|B<%=&ilUP~F>`!DpY7%BtsA1maLpcX@3Lu;Ixk3)5`9cz;h2BXLZ3(G(aB1)@e3tU|6mhrYSlC^M-7``9B8aVm#@E zq`cZ%Z4Y93v(vz1Arc`zG{y?wJoR{CrNvJ2_6{5P@={gNh7G2XXr@`~bx(WFb|n-edgOz~j2O975ET zg*sJBstRSiyutkvIGJwO-rnMIk z5h@^n#i7?WY$rx3+a=@^qMOAFI=b+e!8)9n{zB7`TSfyr7 z2UEkN`tP=4YfrrHxL4Y2Hwai;mVos2pj|d;OvV$vtbBZ*VcLMc+4+FY%Jfe&!0aEi zv>GWIj?r3Mi1TFbdm74 z(fAIJ)*S*`DeI4R73Eft9QlF0xm%YbzWCl`IA_`-tf~@z?tc?%!K&{EzC)Nb-siU* z&cJtwMT&|lHUZvrkYtjm;yEwQ((}qmjDn2cS7*(It1V$3{)25sGoG>#u`C@zO*{8? zl?8yv@e8R=^~Q4EV9G;3dNtu%y-NOr^r)77d02@v13Zg%-~JnbNN6=pQ~*Spr5m9x zxotf*^4I_8fMQ>r^e%;)?mc6VZwt8B&<^~nIko%6qmh~wKA>-w#>8J+0^NmEsSk%L8VMMz0Vb?@a*^d4mQ%*LcFW(tEO3`yQvn0G;L}chX=%6tf zNY?3$Cli%>8&m^OLa*xF9QG(Na!CnW#Ns*K0b|OF9p~^KpkewE^oaIGvDkFdw}>i= z-$NJI!)o&**iKAq$!wd=r?ASuogV7N6n0ZlQ>u-2zLT-sqFK^%F0*UC&as3Y@QwW=_Wi0)mn13f8v5Th#nI<7ONB41QEOnyOBlfUD1!* z6?2X|Vy4lbH||~Cg{Icct|#P-?yQo4!Q!qZT9RIZK4^H}g~(0_zm4i6C&f&9+Xa{7 z*AqU}Z9Rowf~@!-o3(rFSpV>(s(#v$G2_q8(Xih=&o5k@y5;+V%UH46+YwNkGh8Q# z5>Zy{b{LDyp?Fg$%3M=Iqo+w3Ro;&uD#(igl!LJ&Mu%pkw|AIo(;BM3ef?8X2WQ?@ z;CR;8zBzHx#2%Z|A=*>y7i*%@&gK|koQ7_WuOM6u6rj1nF`QMZ%mv0m5xsIE3$m&4 zbbFyQAhIHl4WK;^=xaXjnp2RPC^P)TO&&J;NLex7>>Mh<2hO1Xe zMOU>E{uKY~<9`BaEp8leyWNYYisu7!KD48i@N0A5(+wSStpj!ubv}EQE|fIl!wQr0 z)v$Ps^^1qK6Y=(dHBOXIHFTt8?F7&X>%Nwl==LmH`=!<}2S4 z#vhLVHx!tiX!d941me9+vH~W6^~SDx+60$)d%vw<(fYby;+4Yag$p?6% zEWW-5Sw0VnG;&Mc1er=HcIVfRLQ9XGzzvx%iC>f}ZL_u2L(Xkr7df2`&qlj8b}4_s zga1{}S(3csw|MOHr3Jr`>QAKeaF|DGwBk)sI8l7^beW6+9jsvjM?$6SBP9_5G*<9g z@mDMJCkcqX2fv(38z*(W+`qYDtW1x_cS@=mrj{wx_0>8OtG{G@eI9(W!mO`1>h<|5 zAr7YM=HrbzQ_s?@s1Bq_Y$xv%tlO7Ul*I*GlWNLIC?JWN$LaBMk-c|ytrxE#iMy6U z_lZ&>&7!_a7(b*y{ja>JSjvTH2A;@VMNhy&J*!KbSo-%~-wd zat;-Av_Z&NL5mGY=Jpa&(^hUB)mZ}Wtd^H+l-k(0>$#utk!NO?(C9?px}j?{U*rY( zc);RdpK|vyz~3fuIGS#dO{FQ2kxM5u>90Pe=U}-krE_T#`vZu;%``JmQ&+xY){s*v z9VGb2aGPnVOA9ni^s2A_scGPlH~9F)iSWRzb9$;Th`MoV_^qrM7uzoTWZZ5%&=?u+ ziB%=$(so8bS88Xc?!w&j!?Ovmia}H2=&l#OK&z0S@!TuT{F+f)YqeA4kGQ|nXUC)$ zrsNWUaCL2vsAwX^VF*?JFWmJ^<^GgbIRCu0cZmwr4T}*Dl_pSCh{P?JJ=C`+ZaCVD 
zfuemEtYpXT&OO#03NQ1{%#GJdYbhA8fVmI&ShoJ{HQDIH3ADAQCGhJ09WMC5IG&~5 zS9#XPzm{|;S|Pv3G?ngW#dH_s%=U*a3_w}$gSK1l5M`ftOjw+jnsnFiEcz)%pk98% zoG(`O4EM^$6BZ`@ZRo)*%SpkEsg`w7^wi*g^V%Bo!Jef?ECRep^rGT#^;#Kvy6GH{ z9C~MnMN(oQ04c|Qb*18Ot5W_R|4UY!kPu<4l&QCILE&PQlmp_`DR3&okD1*Wqhv%q zGuR?2H1rJtMW#(neHI>WwJK&K4SI`sy1a&Z6}Hw)6VF&2kGBEJb7sHdsRGz#&EtC} zoGFc_WCLqVIk?%=iv!(fIM0cXP_=V%dn=Qr^!M^4CV|T6OGXg4_wyOwF&shiYU4+4F?>pAMl{}wUI5T|h)`c@lK{9-*!Q!u zBe;Dvp=AVku*$6_(||_G^x*|!y*5=>EI~V-u{Oz zdAgs3S$!75nOZ=77?+cUl(HZcuB`G=t0Mn57trE@P=E(cC#&cw zMvH_bo5aktvbVmj3zP{k^lM2%s$;%EHO${ijST2{<+2g}Gbc%EdU~;L1jwJ>MX_(u zTdeD0SQatJy6xc?24=k4Z?eRQO*zqtKag8X#Wf-owCnW1^6?dy_h$eJ0t!eFiL2~& z9iY>StrbJG@vNj*Ea6j8JBx$@7*0u>e^Nw+5xmnMI;3qrT3FzGFoj00vTSP|)H1yK z)`BB^mVd93Ne0Zn7*)woK4wCl(_bD%BW!$0+2OoBUORfsx&L@jPa_uAX;^lh#eFxZ z;BnJ3R4weo8+u?Ox#E}CBpre@6C?7MSmbz5nk>(8cuQ(R_0Ut%NBR(%YaT~(?4MzN0vTG?yA62B>1hwSb1B8Ot;0&+p7R^|J~f44zkTKt3MTC>HPJ%#VSok zrk2kD=Lds^q-vCn?j@=6QVaL&5U)9?lo59>+4pn6QPaGCPu|2*ifNkuJm@!E)#~n; zQvw?IVjCEgA}_QuvU3uGV_k>`A1x^nF%8ke{<*O^U5=3%u*&-u6 z+F04BXY_S%eU*YW=pFY@`w#Y_)a4hHZX4%r)Jh*hL0YZFd)RaJEecnMa>;1?_6lWL z%r!yCkE_rd_V+ypufPS-i5Q<2J2I{&_cGad_6eY%&|))%70~LaKVOS}5`$J5mrBfZ zo~+)<~2MS5|!8R#SWjXB)yqk1>rfVmaZ1Pw;QJQhLU3lj;`#K z`cp5r`>7;!W0~L&x{{@?NuBYF4QS@GEvjC(aZfF$hoKbnY}G{2{+0naTEua>)3z** zCRd2dZ>|C8O32gKgl==8XK0FL)a{?U*pw}WBqgQvkeV4p>=luNIfjOx8^!C|2c*&u>1C@@&rUb^n9*yd|sC6K=aPGIcyO9-5L7rs+J5M+9m$A$l* zS)kyTpo*P~;6ehn*HwjkQ+r@7`=%}z(@ngI z+e(70`F0ta>{vXWt+rA~e)U7L^e3jNoPh5%RlT%Z4_Iysrpy-S9AoCONb(ff1mHPn zsFr;R6LNGQer2YA7UCdlVr$JBJ<_&7KZW7WZ_#C!@~bb`Qj<24a*>_a+|cTu%l2hB z4;S9@=j9ww-(?zb*+fPg&zX+TMnN`H9Bipjw4qQqe)<%v)iIr>Hf4_;Ps~p`AL0l~8hg z1I6K_9)c2OmKcIT-LEQ`H4eK4dUQ#^;k2WWM7bwNKm7^~uS*aTLH}@{e+T2fKOx^> zTL2O-bID@6R~s~T;PV@wILu_LUEZ3~DkdD`@hE_8(2b7pFM9!!(jK|k2c zdS~|^Fz>^E$%xsZe(dg-!HU6PLNUFT+Yz_(*WS!(e^y~(l;n*X*VgYgp0-q7OM4tH zRA+BrVQ~YGfjFK!n?D5YQq5txHWS-qctf!@`9RbzS04|=2z{JOJMW!cZ8J2EW3cFy zF;dtYA{M?4Al?$(3dM2AGujci`6&F1)_lG4f!5B}02+QM*4>_lUyq-XCq)55ZECR2 
zaTa6+t=GLCCB*t}L3Sg!<>@0h^>t-Ag20S~ifx*Yt>71=al=I?L49?-TWq06FxgEX z>}0*Es&4bO$M-wTxKE8I5zic7*qlWEh$%k0RDz}dRQFjEHW7NnJbOWvlBK}O5x0O& z_zCf`uME=-JWZbamKDQq&T#vo77W8f-Gwkib?`*k?p~|8qdKIMg;ql^^+qrq=nA0c z?@$3@?TK8Oz8_RL&2q3|#_+4^>vgVvo0!S^E4WEWiE$CJ*gyrc3~n2COK#crf_>GF zjtIPl0RGhA=YNKC<=XCdp!OQ->Gf=W8!j2Y>>wXPV;;GM`B;G6_fAy9O-dh6B#8+< zCv)DktkT|+d?Ru-LQyq&>eMs#aWrBB+;j)4`F5RzBgw!EFBelL@3cocuJ@4zT|UY$ zXkS6&G1^dM(rH~_6DG+1OYmKF#x$49-m#P|@pDg`#lyA)v+LdWTePv*ft2R*58ySP ze7*KM{u+i6;R!x3=m!UBy_NG+dA}B5k^zlnbjceqaZM-2TqyeNs1>7v?fKg+=(Y8N zIdp?PK`?|acnF09UE@2KVDFGZW|tG0^ZvD3Yp(zF0u09wIH-bP&%f`6)ESh1&MtAHRYt7(VAtTrZ1w&kFVvIvJ+QH%>HnqlFIEGqS~!O zdEyxI*xfkbmD+M^*gF(L{(FH`MHQp3^ORK3uH7bJ(-)ROC>`0kXA==XUA>ybm~U>?2&30g!|~Ifb3k6#MA*8!-r>6p?h4477~Y}=enhd zcZ4wmb&A^4|N3AP-_5Kib2Z3McJ2=9`*d3^(N$4Q`AR&7sI%_{6cU5?eXG)Pj;}eT z)|5UN+y1`%7Dw(Mo-r=TWNFqCqE3%Ui$FE%5VftsVFSoiOLam2>@akj4B!4hfrn>n z<{Ep{vhRz)pHh70=fT6;sOp|IXV+J!eR4i;4{N*vy4&l%(77BTh#fIG+VxXn^b>!R zu98)0iS464GhkY3d_*#1>>w|iYJVc64WHeb-sT%=34Aa4Vgu(+*&yHs?wWE_pm8+d zYVaNIn{0wBlo&&n^+Jc~2bW_)KE{N=oi%N?>D#&>W|uGVP+fuwC0+dmPI-Po*f!~% zQ|-3(f%IiXwK~r7t3D(mbcv#?0V$*b$Ob?3Uom(+f~&1>XwYx#%j$B?O<-5C>e7H& z(8vgeT;n5dJljdHNyMM04k?TD2>NYhFvpRdnQm-O{%uP zYN5?#y@`8Ves|di_!puZhQ=Z?NzwDc!9ic;jX6YK@}%lf`i;4HXY?&1c29qgaI5%F zKl+;#Zj%NQ2&#Q&LKv40jcnmeA8+t4*O7*cR(`ENemm+Y3BB3(A=+?z9TX-7kAp>5 z;Ag1v2Ng?|pV5>Kr*+8U3$iMXRg3#48CCf&*bxRsuU_!&KM3TpYet~6MJxNdWgb7D z)t5PcH#dP?#c~$&jqZo}3FMNE z8MLgclgLAhE(>^>lM}HaJ2-_=b5^P^nBhuHy)93r!M(9J&dIx_nrG>l=_)iiQIAIX z+w&+haLsMy(CX-%z9vG?m=w!*0Q^x0PpeqJ8ONWSalCksvnr?$k@Nl;CelW`uXP4L z56E~Qllvr(I=^p?w9mp-q~7JiLncwq?Tr=Sv3{TYv}3g*M#(R#en@8FQCK>$vzziiDCYh!Vo1MRmwVbX<|y&HJr4hX z_~}r6d+n5oQgP>#Z2+qWEZ1PgWQvOUP`3Mv>KC0_j6qJ$@eHQSDwi7ih;nw-n<7^MQ{OQmBg>m zB`F(0i?MX2&1_dROj4rPlRrQ?v4eqZ{{wgEf+XZh0{F-SVnBMh53bdi+NYl?CO5<& zCz9C9vfpL_HGeBEbWJ+CdAz=+IcUFz#nIIKycuea1Ekkds6rYJ_2JKQJF)Hn8Z2c` zXp)~jbYyn+g-7UeZ1>jWlf1EE|A~U9SJBOtIN%{T6|sU~dd&#nIa;uwjRs~4oWsSv 
zUS|j9js&D+rH9AzF2O=FkjmmHTFbp%avkte9kl*Z$I;RV4gQQMc4eA3P+C()PxtX&92QEBX6tx#t&@3|A3*&f`&(Bs z&A($hp^nAb49+gz|FbXr`0N+c!0fUq6I_;dhKR*)127$k9W=lYI;<`A$bX^U1)Lv9 zz71=9=lUDPoYUoqQVWWzNKWhyv#WQD2kpLhhi$mI3kjI+ z){!S>SK<$<31WSPXj(JF**}S9|UIDCs=c_z~8d zOIT*+t8cP(sA3UYJBjcIf3AQRN4T(&6R<+}#>662jf*~0I3}@p#^QHk*)g4LugWBy z%s;q|n&XoX)CniBzZt@uNi7Qgf&epC5hc9jkaDGaT!wIPwT`Df7UFvrWsv+!jDc79@LUWoZ;HQ_~=8zjHxKSL?jE`I4yqV0&B%D zOL<&PBh?oEQ`)}IdRX<%M^#l-;dBclz8|Vy%du*O>t-JH_tzXe>{}gVq%zxMPNam% zE9?&7hHel+y@ug>t(nwKcvM4}wxBtjwEKTXV)0z*sTr#RGT>04JY3k)6pSrBd%Koj z(S#Yp*8$w7Sg${-Zm4Y(U_m+72UcYF@{<9T*=Rx%xaGf5I=TtvjP@S=sZXX7y6dvP zV|zfdo_hs^$J2Ayzlu|1B>7%fCOe$fU=21hl$`9c=b>rQ`~m{(KYMPzE_!+B2qN;4 z2SX5A{0|f$d1}~tCWUS)mmBIP_{y+<pjGiG&IZSk4!$ccy%a^grJ6z*H%{pC0M z>_j&cUs?))Vfyvl9lf3{uJvBHt|OPaIsl+{zax>b;GXccM$kaeNgHhKiTGPC={I>T z(;CdD|pA*~saMQ}XJVQExZ{sFDVbG6T2C+{2m>#>K|8uhha8@NaCNp!HVp(BmcKz}EU_k3V2RMj*a-SN$ay}o;*_HTVek5R{%E`^S6(B9Hfil_ z-q=_o?|d^uK~rziCNGHq-NMK|=0pP3aK4x&d~R;$caxB+9ik)sSd7HUpGgotJ`-F> zq4VW(3A5uFO4+v(84EJbwmxUjCqSuY+eQ}=A*&Yw9bXpyyI*597t|iEblk4m$i{7I z5Txe&=?*8R)DT5|y;r75pP44opoipi-_^LV;dOCB*1+E8jyZ7-VFj1#1~rp~L~YLxK)qifNW$jt3Vz#&ADWNiDco{08u4kWUVtA zF^kqw$MQ^7fcSBHAFr*7?Szj$sKnUZCz@5$d`&B`G~5WFJqw(mTzxd6>yOpJYk5^* zt8G^ZD)z(K99I<-+!f=RZy(I5ndo;GHk+O{v8%5yY=NRxChW^F00E3eDU*5*ME1&%p-`u5@_k7~!`Cr&V)@X6@0^ zRD(G<%6nbNI>7_`U@}45Ps9s0<;Mh1luhCnQc)Lpz65oEtHo*?@{VObAxB)OUW#9e>> zO^sMcpgt}xHEKMOfVvJrK}W$qzE>#`Bd&`z5$pA-DlUxV?iC*ozjwHQ>!NGtm5Y@l zuqF+S-e%n3*an&}#Wx0;ypKI)f9liFfHV~9RN`K+AAQ_4AtvQ-!fp8pkKc;Jw2%OA z6&PI!{%U~h`Q`#7e_ddgo0;eE8Y;B~^;@sK|F_}g)^HZ#6rW>CJKr`a!MP2Qv|hrJ z8eGYUDG@UzPI_AggL5tKcTIkA;7CX}EkfS;N4~_bxVYcT3y@3;cVGV`CFZy9`KBcL zB?b&j0#BZq3EJqEZynen!lGJh;3V}GmI!^hzJ{V;;xZyb_=Vb2xF{~nU7n>`B~1m} z1S?k-7#)pr{Nr*jA5ClHI|j->@lw*no3fl(OqSO+8_6(kLJo7F+`E;FdDr#z^T%wvUDWCsb zD#mKVO^HuB+&YSVw3bgzojWg_|OS2cweS;Qf=&;l+DX^FH9R105vb1Ek0E0Qu~G;SVZUJo12%>q3y zSeS6IC3bfSgPqy7go`^+RP^hPI5sb@hr`h$KE3zQg0!BZo*yWq2CfAwsQjl+^F4R( 
zz$y_IC)V`bT#_J&7e`XZT@zX|TJDpQ3LaM?`p*sgKNaoYS3l~sY#$4s5z@$iE2ULY zP44zJN*;{t3#n-GJ0FHSz*X;}`RuNmj7{d%feBHBCHKX5-CLZ6HWU0( zf%`mEB)s@dHtO=<5@!hWVm2`1XZ}cg8&WZCP^BNm+9R=liE@gTXiR5LcbLaoK6&#a zPtU**_*ceR#PCvg8ToM$B^BEDWJ=rf{g{5X9oy^mw?uY^mzv}R`2M4{Iv76E;B{J zzj7b=zf|y)jv{`~w+GTp?yLJmm!}{`T+?qbLc(S@zV78!KNz(NoA|uB=4=7Y;`7B> z$ca`#UC}}r+<@XN*%tl-JdFbPraX<VxgCjw){F(JwuwITX5Eo~-QDi+|`O?FN0A;?bP%{YCpf z%!6#Kv@F)?VnPHjY+%$Q;_71_9@^xSUQ9iw5weew?!0jS44oI+;^Zem^^Pq z5%3mZx7vqQmOj*f(xm$Sp(+;rakNzG3;qIDG*Kg*t~EHMv;2Kz^Asqp1*bzJsy{&8G&ZPQ1#oC)CFFu}-jh@f898*^QPs4oV; zP;LXyQ*nNrsw72L zE&ug3#Z}1d$6i6R4p!FeipUM{MZr}l@yW@Ty%E^Z)|79zFIv@Ps>(m;B<%aDf?&07 z?8<+j{o$ftkWfxG5fb?|qQ1rUD^7eTRNSJ_0`6b0$S#j`IBkFy=ahveooS&nz9ZrK z0(ik`zH{vI(Lt+$9hZ@Uwjm~tsaJ_)R8&~ex)GEaKfJ8ixS@1@ zfY9oDH=yYn=j8$6`XQWBhh2p36W`w$QGQ&9{l9{&d$`c0s<^m+;T)y6Eeux2o8$LS zQcJc=c3#}dFz>`~EX1hsCRCNFwltFb;I$rO##`_#hR6N1lg;q8#u)?{`S93L(^514 zlx2wHUgOzc9ZoLkWKLG$#qyk)WO$|s%}#ml`LhC$)J%rjMjaCk;*&lcBRxJZ;)Y#2SR@2~qRyMqW6d zeNJzpL4kh8ScTkNV8q+9!~P9Mw;xgM##&08QT-&poKa}r#kqMPc?Fm4YaI~^5d`@n zGHJXDX+V5-9l~oQEsV}T8#26ad%@#O?jfc6!V#_%(1NT*U+G^kH{5;$%@31hCQOwY z@PBw&zch32S=s*;S$=U5=RRNeISy0~yUS{>F<}Q{^z{0NJ!_`fra#@OFCpDrSlZt9 z>3_Us;dXflipdylOlO@^nFGLzDi7`r_ur85I|k{SOTwMunc&9{@3Y!k&n^*L@Pa~D zYb-Vz&~!!X)m}%sqvr0Wn*)f|>t(Vk$J;h@^Qe(g2s@46tNA>Wm;j{Q86*nJHoDXs zB;>KWDtd#2-Q#tFks9S>ASli!8ds&+yXn%p1Ht-^)aqBJ8aex}KoYj6?omDO=&P~j z2Of3l5P3ph5-$1wvBd9i%sSr;j`=NpVy8X?qE~&~=JV6Mpk4^dv6!v1eK2IVIvyhI z&Fu&@1zto&y{if|T080K{U&y8rklshL0qsk_LMm$HW zzQ(0^7dDwiK!e>Xm7;mL5S%9kCqGaK*))^e^)^X@uVM;b2%-CE5TF%(Xb@)&nI&5fb)>!~uFqd4*Z$C}A z<^3R=%q0KA2}UaKT_CAJIPDqGi&mlB?P^1CjkH@an3|RuKxRFazxwV*`yp4!Xny$c zXLJPU@K@-W_YRYJteX`*J-@yksQ6RO?2w1%kLl*!SvovD;E%i8=!Qs^fNGK4nj+uPjF^-Hk?K^dag|DE&q2FZho~f zE8O?|7-=hQF55wG5P+*>I`NBBjg|Ui#61v1`TJ`F=Mlk}jdi@qb+z85$_5hx zd5F3V4T^e2z*-aYIeq^PGF~h5JOBdovyI>Z64bi!t&6{L$S$+viP$-L?QVR^Efi_dEsM@|fLlRfQEx{BA@Cd~aJwvIN%7Hu>C0fM`;)aw;%-mw`eJQ;3KLD# z^yNT7&6^>=75g=xyE?&mJqD|-8vy6+@cdt)ahN66xOO*0)9e;e$M3ZMg9GRv_$a4` 
z;-i0qsD}q)HR}T2F+n-)na%0+%c>y!^T(Mj9ZEIk4*hAWGkxmCb#8Ei<-AXRx)H&3Me{>8K2V&y$u=M$zL(FQdQLr+n}p7HUdZ070rKLIRHFYasRJEP;H{flFr z{kH3IwHuQ~XY)t?_MG~jR|`Q# zg%Xre#h=XZZeN5J>~wB4rpfZjn0+2CGM8Mj_RRJ&WpzXdjDF|E#id2x z?RN$UWT57$UM;v`9ZzY%6VTyD#YNe6z=RfuuBUr%3O zKQZ&?x6Dmn%t}J~ZQw1p?(UC@HI_Xhi|IYSUU*-Smk2gUhpMS;8LjGovWw&%5EV#0 z6H}dJ;3%@P!PxG=74BufM=E)-v3P>S_(wp9hct_D&yNh&HJ0;VD~E^(@dv_~(3Eur z1R`@d5nRtU2ba*$4Xlj=a$a@(UbJJryU$@|z7q<=M8}T8J(nNKB^*M-L=O`TXmb{N zUtnH2KGhe89>Tqb?`pTzlq4kZhvb9fPlG5TK`hZBwJwH2^8!avb`!XvpZ!pDzIsD9 zXE~AT`Va5#|xLKMspt(n5+^Vgjio=39TpjMB zmk89KA|aox!DXSGu26Kk*$86xT4E~DVcH>%z%FK{fY;%Lb}t`sS6E}kit+3cP3rR? zcO)SX8dE1TNGJy0{dcU$Rtw908=8ZyIW%x%#Fw)*%_IqxSb0--mfl5e5(lfA4+Mgf zPV@qM=$mzoPKTJtRX|P{&Vv3h1T^IjLajuLo1LGlRvxVJoR*I+(Rf8-NWQhtYQCjZ_^GmhCrf{AtmU+25)?*0?t zc(Q|LmwFH(kL7HS)pmEj73{z8+JeiF-r&!wAI5R~`ioLIfGHr3 zi}KdlczGnhe-}{k?bm58b@)=5^L;;$;CA}OjB?KJHz+I%qQ^qJU(WFvj@nNkdO9fS zL&GK>dx%$M=Q>~Op3$YsRnTz!{TPwr(^HY0_VUN;WUUPueMqhcxV&Dt)GdBwy#?`g zg6BfN^Ijse!vSXXtF1dhl}1S?K7l`LAB2WyTF>w>To!MQJ{H{&INQj+en6PFrv`Kf zr5Y{8KrT>xK)eYD07M&8#G!c^G@qWC3DG^Cf)cN4ti&8Pkqh2nZz552uPqbwGv@8 z5|+v?OK?iD>VdzHnfSRHEF@90BI^=1n!D`5ddd2lZ|+Up3zz7Osfih&h}#iD_ROZa zW&_H~=$cgGZ&WkgVMolVdY+Q_#*25Udl(8F-#~=GUns@o#Fkj|w6)?{_XeegS!%Sk zzf*DQ`j@1!tUYI`T7|Uo#Lcsqba-d8Vt;MCg+s9Dx7i)8YY9b`6%)~c$ke88-p%Ul z?5r&hV3KN!{3(47FzlvgO%XRFydwCNDS7}G6=DIkq01AEJ?3-G2Ut*F$?-WvKK5RA zQhbDHS%Y~E!kE!E!5rg%dI3&1iW>C;o$;k{(vF=e5F{D!SY`SiX(f4s#CQ5Eum(;3M^#`Diq^P7c8&Q2DkEw4fLv zX=)DPeBZ$@HqQIY(SDBS06G248;Riqo6U6q-fdo9H}sC}m=3mt&NheHmBN`~=DB*l z7ajHiv8}-pC=KXRKWaH z`@tE!MoS6{3kwB3qKwDOWQCtN!?(3!j$ij>fEX9-nDV@D%^QqOjzsLAn9vBzv@;1o zEy*1`?kT-}@r%Vz^7_nVTKZ@o^mN$=XLSr4qXaTmSx;>Re>A@qIGmV2tN^flPI#d9B&Hc5tmfIrmqcLHdiDC*Ho!KBZLN zTBeEbQe*%Thq)H)^;TvBnk)XjPPD1Xr^Cfq4@1iKU_Er4j^?wrSAGb(AP%pLni70Q zyX(umPis-aYI2k({(mZ#EbQ!}8*O(5VmN*;q!gD@2YIhDrBP6u$@6i4eZZu=Jxz5) zAOWNnlKT~+c8ulxe)`E~zn!b9KF=j&Db#JV{}!&B*eH~wB8rM=U!UDDWLKek7c{f` zXvAz#*oq?y==qz8VD6${83V{O%0ip*@zwA4c3Wrv+iPNsCGuZ!=fw4_bXF4JZN}4e 
z;D6&%n(Jk{V2>10b$j0Hs;;SC(o95se4YUZB13L`SE3vZ4b9Ti3+^@kCbGw)hmw*2 z_R_BDE_dex1OzO%pdBijYpwPC%*E!beC6N|Jr7iX>a4bWB&vIt_mwlqx{86hwnVT; zdY!4|Iy_jNPmBz7NHgLS*q;EjL-mur8J!cxx4ak>w`&mEWK~zhWWY-I?2pH9D5p1@ zNIPbOmF7%&_58aJbY|8fK5fwJN=i@DPb#+na0nXW*9v98|i;fn-BL zl%&6WklI_91!2g_%*MyZO^986Yh9dv29fNBt?ToHi%Ju3hnao*NLH^DDEx0)Vp1Ob zaAqKXA037U;5R)@y-?82SGY_q$#e36-4^HlST{P@^#@jz^G#OUn*5{=1sx0PQ3*gR@*l%VI7RzsKaR>+^BjG5**=T1>W83LO3Tzn&d6x^Vetn0vKKC6XNXX_xyQ|b~8&z8? zuRPdYQpM|>!39(_kxdo0@TD0zhV{9gDPSk)K+jH(#K)I;Dq`n0D6jA(5OMb{A?2K6 zTRUC{2e_Bci9L^(yJN$jCneOx(7f>6y9XrxjEF8+exM-CBOdG>ox=Ii_`1Qyx+izE zGUlj-E{kG>`X$6W;}f%s*`1m2hFph4@W)LJwj+FCP}$0dm49?B{KbX^Hq!&MqPy(*M6Tx8{+{q7oLfyYL_S&IS}t@0TDN&z6^$;gFGc zqdUgr8H6A6y_R^i^BqILaBz-*mK%u1+F7T{q3pDD@A%R74*A2H<_^+T;)4 zZ9R6d?3+<}p+ynxwXl1>rn5gw;z^U$`zI(Ng8j>db(Yo=SfcD2(%yHu7o{B95DDumtqXf>(*S$6C_sZ#8_ zxWL+Q)>J-Rk!`!n9E>;;Txn@(JIUb44(ncup$wy8DMBc@GL<&?{noQLg3qz)A5v9h zZv+yTy+aC$+#~d0y<%(4mLu|1Ylg2Rtx&1NYb}FHq)LV%n6(6|B`nC{wkD)4hwWtj zk1kcE*)|yi3HrtMXUVY1Z@u#vSd8M;4$tgHK5P25mqUJR|ta1lq(sVpEOp~+{c2XoV43RAXpUO`$6_zxeUMq_3&POq7AgZXVz-TC9 zGjhegdN4Y%CQ_?miEi7#kXZ{*>&SjLzt`8R{gEZ}J-#reva-_Q>q2D1TElKdX)RK& zwG3b#GUfH0p~{-cF`y_pxXk#??-i{$Z^~ZHKSgWc_*jhz%b($o8eH!9duNcJEc`r# zV~M<-oLGmu3b187ZdqdDV-w;d#800UGnIqm+Yu6Xl5;<_1)_Vyx@z0i#R3u^m*&_D zZk#XjpNEuZd&tD3L_e9pWI*97uRqE0eSO%ZFfA@F|EMK`6`nZ2T*v8O(+d`y?7`f~ z+8tnRSnXWvFOmP6toK2{<$X~{hXBe!m5;RFc~9D=*M z26uNSxNCw3cL=a?cPF^JyK8WV;O_4JPR?`WzP^wDduCX(x>t8~Rn6ciK0rSoF2w>! 
zV1#+Vki+Ej)+Z^E|3N{alM%ISVArAzCO(_qVgJ{3YlF}W8AQy@spm`h>t2Yp!EraX zZ`MW``dmfMhZS|TgMVF8e@RezQ;Act^WLV*%q|5pRVAk!r1H)1!M}!g%=)VEQecs( z{8CT>&Woy(q<+{lxY^NT6^vXY5h5kt;x(&+FcgXCI$T*36!ekzxu8#H@t4s_gkp^Esu z=P5dzOB;z@eAD3Q=#Hv7l5JV3v08Z+us;Xp^?EZ8cpJ$goSdArcf_aMz40riS|xf3 zPNCK&qeoK2<`Zy?k{d0A6w+Y_J?tzL<9ZZd};`rj_s>y1H(0B zRl#Z3C-W3xDa#Mm8I6%X({6kSZIzWs#%OYKatIXn+m*=7A|wg>sHG_c$kkv0v^JzI za(>RsBJ+vAd%A?L0`;-o5Vkqg^JTC?7yMQ>*vad&&S!S*|0xK%jfe+KqvAqsdL)p0 z!+ZG8=JWg-3@ij--2}eZ~P@Q&gQEd0C)L1#ot}OvZ4{X5b!9*0sk#8iwob=D0 zh5@L;A6uc5BbU+N-MvET7wS7p2>*_c%=)_dZfTbwbOP)qV4>ESf8M>J`YS+9X}2^k z*aesn`eEt35^b^MLJs~zU!!d8i5iSjW>sQPeS5crH$F3i(DL;0|FE9_PQIdp9y1aB z0CN&tZ0_ccQ8d#HF52rwxjZIUr$oLFq{3ZV8mEn`MG(eBP!gGG{kZ$?gWL%M4b&** zb^f93Xe2-A7>d8gvy(`L$mI#`Um8wiLxncNA3Waj?*up5qS@Iru*O(#a`!vqKa`TV zR=|^}oS-A}SBMla2Gh3kZS~kkfD6B#Y({JW)3#&L#cD%sicVdhbEf$GxEYp8cqN^S z-<#wP0C=0s7lqr$_v`>YjKmU{<#KyW2)$bQ0 zy~HJVtvDQCbbvUd5YbiTyM1x`h|1@xaRT=IG|cO=lkUaX;PxtoH&4p_G)X`?)CyBj z?#(#tZSV^cnEk+ycVYb5%l{iURZlHl?JI^!T#h-{NY)8B_2|YZBTWOE8~WxU-}fw` zFYRF`cXsB?F$~T#a4KtA#jmW#&opZ6TFHJfRnc5;{BK+&=FrRN&Ztu6ICs^JtE%*< zx_7Mb6NnE8(rp}DRXA0Vi{@_}PPSlj)l~fMBUcr`YQV@Tru});TG{*&C6eT7tl=Ef zCGF3~_-D`G--2BPKJ_#&1~NJuv6GjCt%NR5%zi&=Py<$gKt$1tsoujGTAANl^u_my zB3tF>X(z~)p=a>R%Xps(S@6L;zfVL4)v=~$c1Vj9pIzy)BGm*%+W!my4EqW2{xAg% zPP?qB^aQ(^j90ZjMq)%NiWO;?63u4|_OCD9+2q&z=y7^L%^@T}f9pA|B}o{PXnTGS zH^QSoeGG0|3y|vv;dNjdyq^BQnL?g}@6*ROs>*Zh;y;<9d)r>3qv~A-L;BW92@HZ( zBEHbtMf&Wc{^@luZQ7z68VNscCJfaMo{`i!4r8?y{E?W=`K`*VU_@SWalhsk#ozrp zXjSK3Fok$`xBDkrPqC06Vo-{4Uhn`G%X=hVL+)CL-%7 zYVP~>vrW8o9b&uByVx-q-((9t%4Z5D3n|@gbV{SU&bm8v(=?&rKZ_%7_4;?XNEQrq zjl7UiKKBO$cgYIoe%;snkhb7}jPFAa{VnGeDkM-l6fF7s32#1$)fG!W{Y5Xd`hA2? 
z-W{|l)84-tk39wIR!bvqRHQ;BoQ{%pC0I2>s>yDH)$?BGkvAW_htoi zd%VP>pcEzE=J-PXA9bH$-PG=3zJMemehu~zF-C^gUh9`7-|sra*h#a%nwpd)a(6W;VT4`wWlS?+LQTD&Tl&PGErSJ6)A&Osz}S%f`u6TzsVPl9fS+xTewtNVChY{H|F_owRo$Q>LolOae zfS17h|Eme)TexuC#GC*KLkoh%EhuU>06HygeAa*dx}-4^bAVl^dwt%`%u@OG%@zBF z!V&O6+g(GnL+xhgvNv(RkxfrtL6xQTlLZ!mH0qzMMz=zGTce)7-aJuba&n|!9MwHyT)&7({&AGS$X+HzW3&)l4IsNF9-Ck?IQLGE^~=O zoU2Hz7rD$p1-z;F7bOrndA#ukt(f|w!P+ei^29z7alK2o{RAg45uD;K%GzmLXWY)+ z%UY_eH^;>5h#EU-{ebh8hUMgVd|Yv~w1k=lskt9XaGE+vEWyc<{;pqt$&g-Im&h1+ zMGzhIdjD6=x+<;KW|M*=oOGbQ5634qcSq9JTL331A#|f)t<~=M#t_gxi-A68`qwQk znXjtOB9)UE^~MKG-t%e+{lQrOIO;tJjuSP!)9qf;24!&+HPdHZ=EZl`X4#;6O5u8<{$j)~d6%f>aUfee22T=l@o`k^pG+_m90vC2iiv{%_TH>>QqD@ucU!NPv zqEJF4|35ax7|Yer*MjeLHlN-rCtZFd`fC>R_Y4X&viA>zMx6o-n^&YeSS|BB{T-~$ z4ewle`P{ZCrR{pfXH0$@Mo&N15v5p)NLb}Dl9%5eE(m<%EJu<6WHjRW?voelzgPZi z%EQBGPr{Z(`1(%U&1!RlY?)&TPM_+Nji0*SB>#Vf3Zo7&;*zEpi8 z(s5a>zn%wvLe~|AQ-ut95x72Ok%QTghE4JhskC4hZUw+C9Kl>L|MWf?;zCEvqX24K z9n;_T_WsX%m@4;x;6VW-%3Ab2ee*tAOu1BQbAD))!{I-S_RwU6Be-W0X_N&Jp625I0y+SN zi0V2}cnVHY8Lw(WL<$y&2;>9~Hnw4^m^@V4Gyszm(_z^)+|JIT6@#732Q)@AN|ctBSqG8BExiqX66SyPDd#E{eR zQXcwQH+|(&if4tudcq;p6ynu)Y=sCM89lvOyjJEW4YAS{Ko|?N5cA;MojeZ1YlQ+D z2kkB<$Brq~>hGpcDq+w1KbixnH9WKu@r2f@(hZKfPv60-;E<@vCjAFc6k&7O|HUGt z{JT}(9C06PZGk8cON^s3y3M3yRVNv%-~regttpLN9r32~H1_!;VNH z0)lOR*F7-So4uFTtH+5zkq`H`DuHCIx9-kOH;e*$5KNwN!#}8)E@&hXBag)GtI@r@ z1O|{gvpKHVBu)^{)U5v~c{HN5g7En9d$z{|esz}X##vyTb{A@Z8<-oE>iY1a%Kj_< zwN&HwFKh5W8)V$aS}Jz*%7BabLx_U=Ydie%_=mAe-%_^{ztab;XXD>l)JI$=gq;NY zWZkW85Q5Ij@}!T#RBeBBE&K^1E_+(~P^U*P;>xRpdKfqWJ_%0$>Xl&q4EHC)Vg9u& zajs1f!yGI&#`p>{PMVAaADTva5 z-3aN962^1DVk{pGIaQBgrs@V`eR>4mi*D9J1sO{TRws{U_$ux{VOpuRA0^M9DVf-x zDcMND2#wSgQqv;*``9Z`XW@29x#+TM zyHIzp;`)W>Mq_j!g@0%^O*P~9F)+kWPSW~^y|+nhO$lamiOrz%FUvfx1PtT*B!&S$ z847tj(gdC`QhWLa1g)^i2M)2OTx8Sr$*TU8C+taoolB;CN2||{2e_p5!~++sXXx)D2{D3`Supr^1&Q%>gF8FbW^>r&r;>-3joWZ3Ks%tf z@a(v&kzv%(i|c>mVUFf}9^ETMY+5(4sio!9#cZ&o3pjg} 
zi#6+$-tU$lTRY>_C^df1E&@CvKdaEizi!XPjnzL#msIh?g?V9GtD9y)Mm|ueXd7eos#bws681L=-H?%S&N$hvju_6hxrZO;{fw_%&ufS6eEFMsC@#LA zsyt~fw>ArXiWaECHY4!_yANXbuWy_`%^e!VI9cIe!_gWn*=1P1-x0O`a4^d4^cZ|l zT|*OiCa@+zVD)G&S4FvKJ;mQUAF%>n{KM%bl?m1#cR@GC6H!j*&9}-5*0gmTB_55G z*vZBnkd(#IeQ57Z-1UTO(DhtjjkGfPQl4|N@xCMa8gji5GK17-yyX2_?(El}IQS96 zu)B5@Lg*Q~hCVi@dNKbJArS8&A4cwxgUjRB_Y+U3Ao|oTXn3T^3XpG7I+N!Co zN#C>qGX*YsO)&os{%Q3uc+`7j=eeTB-`~0e&$5Rv2@Foh%3onz@rbuBbs69TEEsO| z+|*KV0`7Adx}3jYPD5p}RcBvY{Na^KT@f2B8RCC>MFpDrSARz1yxpuP8Y{9c?+n55 z)5ee7YB($hq_5cLn_*gMl>oyxP_`ygfBM-7(D@E#jQRGW5{iSn!SN8e)51eWxjd2@ zBH{}a*d*BX^p}=D-*af+pYu9svTSrBw%o#w`m4I0QTJ=T@7X@4^-dy}9-`W7a7YXai@Wsl znY6H#T$76r4))n&+ac7?654Z8jwW)wEd&A~rE?93=fl(hJJP4Up*>x{B54MoIUmB8 zmVIXeDLL4D#X5+HluSW5Ozoe*8PSXpS&74h$(Wb=yHKb z57kLnln~I1=O#!a4i#hlrKVRpi}<}GzuTFoh3Eo@Nx7YHe!D}ijEXvODcn3X(+my4 z`T=SGA1(k4&-=0rk8sgp4a-ExT~NU0VK?M*BhPRa@v8Gjf&ci>MVs`=0P}`uaL(Z} z#d2jE&-z|$meWs%A5VC%t88Q2ghHcroclYVvna=J56!Z<*;$zZ%BrYvr|n3%u4w$0 zEZ-9jCaVd^;DRWOI<&Es*GxwPYw-ZF!Km*~{-OG4gY}1dCnjs%%RRC4#>K{9@;{X6 zbwqmWN532~_q8g=o0u%io?|_J)OIVp`w$!?TfUrI;*(sGM1=%TbF^w_ec!)q#7J@N z(Mv=|4vulR)=P6%_;tu|GN$+4w*f@)NlzCoj>hTqZz2IJ5;i(mHLz@>rncVAkNI%K zD&fA*NTSv^LY=v|v+pon$TE1t_jy~I#&XKvx8#-NPAow(U-P=rrf~%;XUcy^Y$so{ zlWj+NZQ*};2X1fAlERhVb)uH;`^6J3O|=LeRok)d53`!$T8wQJXdn6RuvaD=jZa)5 zYA<}{Ki6|-;Dkt{@<%q}1s1y7?z30Dx``QgvmBi&0l1@mn`23*8f$h_^b*+m>f1Xw zwD;y%XF04iiWz!8OwU>eSlS0-i`FWBG^M(%kxW9gljAIJ9}P}^KOAw|qesm&sJLL zv~iMyHNDe~)qs(**Co_(pqd2u5?MBzaH+clUCXj<#fo#z{4rxPpkxdFAyr!#PxNxY z@J9}hyT^V)S}4oqA(Sau6C-OMOg_k(;SFK8{MfnOl;17rD3nip&nB^FM1?m{XfTGg z+I_-(fle3EN4p;~n4$^a6L5)PC$czrxki|^Zz=ETpG1*uDf}8KQ{D=*(FRCXT$3O6 zxoY8|lr?lAm_cFzh5#w}JFgQ-YQ7L<(vvCR1Z2!HR5Z*m(u6}y8k?MGIxe&X`R3=C z(+{5<`sjK;H%f_Qz#L!HiOLLw;E-K@XbnGTEok!l>733?DiON+e`NAtNGeW*A`BsN z@%Qb81jee;FC{IudG7IZ=dGuYh2<7*!dNQm z+qvdbB>B7%qPgp{rW=L&;AgTJr^V+$@vVNjp`M{Ii@EGon%9gW|{Y|0)YQ;@yjK+M%jxu)t|^*c|F!+&TG z$#(PezM4o^(+iI}yO(l$_ZFV?AT=)_Rr8OaZ-EzL5ez8R3Xe&{t#ye!nFK{rC=Z1B 
zDG$i8WEESI6m`ZHUZQR`B^%6f>%lmWytYZSc)_3W>*d<{<~of02h~uSk#?0+j`b$% z<#*2>5;jC+Tpv2Z*W#psNKXZDuIO&8d|fu$JJ&im(NU)?V6xaJ~Uqnb!U5(+PD8a%ACZ-&F-+4?49us za3^6;Z5l($+l(C?w-2<2iwRod@@_XD--ebs+I*5L!?{Lme8WJ1MMUJlyllF=ElzCM zN%6p{ymdPSyEg?y{Y?Us&}@-1gZDe|&xi{wPXdle(Y&y+u}wtFbN2i`vZ(b}m_r!8 z$aVJI^NS{qlB<5+)kMaZvm>+cuVKRoi5Tdcn`s)*nA|=OhxjQt$^WQIW36m_$?Kaf z>pk3&UdWyO!*e#PV3H+BwyuG;u@S#5Ul!uy5R~3p^|On$vJ#+D2c8dr&N6(5WPWu8 zk76*np)cvgc`PZVdIB0L0BP^68)su$7wIAd!)Z4mX@C}9>lOJVqlv_vteF%Sgihcg zazq@0r|d(4EN;E_@iL{`ZI5PyoS!itAp$yyQ8I2j7zXA491!H{PPJupRVp`yV!q#b zVCuS+-Hrl+YMdtgHlHR6itEzxLX|w(Qjd@+di!p<*Bv%;R?iOI!x!%~p<&(d4gB-k z`#v^9^t=hV3VEC zGFQI-l)fZ{d9QM}QqF3%boV4#dpiBe`ZeN)jh+9Lkm5RbffL!y9CGZV1Vs;TlU)6qz6;Z0V~o+E9u*O z<}@lX(qB}T$aL6)QFNvO3{imDa@=I46{p@wF}4!B2&AwbCKs|3bGcjsXA0Nlns2+~ z0ns(y8dm+-p^js8F2%+I5}>`^nL8TxM9a_LoJ!MJ{^nyV6z zx!Nmv_m)7=`hHmL1DtCF#WWYiZ0E&q^`J4F+I%VApM}pXEkDe(m-NrF(kf ztEITAtU_?$NXK8~d^}f+*gN7J2m|1gy3_2#jm+e<44mZ3v*l24#sa_@6@zK*c?aKc z#HzmxkuWaMrhVAFRHvX3W;Kjp@Jq-*`tH|9l*XZj<#Wg730cP`!y8SKvR^$4o|XN~ zfa`_3_Pw;YnjTu=+kNS)B}MVJClr?t=vF?*%I z?5hDrX@zV|I?LX$`RM)M7Hgs@nN$*X?1kBllk;S!5jm>nKj)WZQ%b!f_W43kS_Oxe z$C*}1^W1wzyUcTglqZ_E&rz5sp%@CB5UM}U!x5m3FrCvr^J8laL$Q-7_JcqWl<`{yyjO2Q;SD&uxeX^S&pM`lH6hZ;cn`tjp5)pXyLtP@>XeEApC}v^^jC zr}g}VTM*1IM3oX($`LC>G9@&^*gW%AaD}{Pf+ld5>NoojEZANO`$pe2Zk^#1ly0#5 zpgO7M*;L@QAlm!GU^^=OBO-xm0Py}Ba5xz>k;p6l74Zl%42J~Ws9Z*V0ssZBisA9}a3!|v8I zl`slY(Y;2nPRsZ-Uret?dnR}^3uQsO#dgNSr{2>UM(u2fwUfKIF;Q%f$*#tmkh%+c z_Rqd9`F?tvs4lx5j@s@@B0+bfTC;a?i*^|0vB5KVZk=dy?38~Qu3-h4!LmJeCv9-J zNgX;7!|9V2^u0E@;fIYJSyiHagM~0oDyi8yefdAlw1*ID8xHOtd&6R%0W>Z* zvk$7K7lei#|~ z2C0rQ7*EN$^h3Ko6j(Z{NokPIcyBPOll|R$51T~N+sQjrBs;o~407=epPcrwQSaqP ze9QTk=-x<+`ZP2eS)PPh(jO3xwbbTM3|wtvi}?7epDWL;3Vy@#m>~hhfveFCfPm1i zv3;y&7#i#DTO`Oj2urTCnLfX8^c|#3BVlXmv>$ZDOlne4hh9oJHlkq;T>zG z8x3Cv@$ow`u#3s}s+E>hw>G+Yyu322yR^a`nbzoAPRr1`OnygrcEsitcl^;Llu@I$ z1&B{|jsTA*(>Ix@!%D=rXZZAXvYpOF>*wO)LV@$ZGdtmi?ZMz)c%S_h%a zQAm$MX*bAW8Jp?#vg!-^W)o1uk?&L1chWq_&^F?jn7;7_zJSJJ*&}zX=dFejbME#d 
zD(zLqV?o8#!zIILYq}%wOAEDxJ0S~D+<93bbPVyCD<2y zOIPaunYAcVSrf^zCwf3i+YsC{m5WFlmS@PU1k(?DAx%MOc(BT?OC~f9seQ$`kHi|_ zF*BPlU*GuE(Rgzi5aKPpQ;m?zu|*y;E*}UuzQri+{X1Q#G{!Xqvv<@x^?+ASdbqn7mZyq7jlM8Xa=|5y6$I3&Z>c+2(TA z>0ZzP!q0NBT|o`O&=E9xdXDRX{9*UB^%;a&u+|*>)KR)V*MPHBy|&>2I7$H46|+G@ zGkd_&_yM&6+4FqIBN$sacF$fsvQUPRV7pSeC|~0xT#6ISkFO-nM2Ld$(VZGtEdWoSZbc?71K1Aag?6Ow#(>v1`C}0P z8`hs@hdMvRm^y`BzkTNievdF(-EgOcT4u@M1gq?1yc|6&MKB~n9z02#x@HK3JS;=!xuPZnbU zPxdI|Q{P(a2C~*&BhzDd+|@E>TfR*3T)ZD|M}|No@`?Tl;i$I4f99y|4T5A(N_jC_ zYxpcCDYU$M+v`_Bzsr(ii^g}5Mr*=j>@Vvm>B6~38g>E+dT!r-w;-HThL*ipuU)SS z{}90T5!hEjLKCfkglJO}6@;Mi4e1m`hWM0MsC}JHNPR-ATKt?%ESif6Aw)?-yYiN-fdWlxeAJ-Fw#GBgN5#D};`((h-DWJ!ernl1@BDK02|0=d%?l5YJ%rg6 zLLUQXc_Ii?-D14-2Wc(4Z%fCAvq2&{C+W+qn9pvat76SL1sfr*BadnvMq}j;0-sZ_ z2VbXfhGK8Vkm_dnisgO^?TXXvzc^J?R;nIxw}7$ctH$N*!RIae{M{Jg@R4m_}wjhLsSW z)`=inWSuuo7hH3N)#g*R2Y2yhs?#}M$066SJ%+Y>+ruAMBLO0wI;m!CqiyLN?AUiphLzV59b@%6SRkY>AC zvM-9(#{C$!iL8?BZ8+lzyzpZ(Ss)zUS9hj4>I|t`Nphm@?;#Q+9kC6JhS2Hoy+J_1*p$w#|8zMZFZb5BSZX4HrAP#fM}xQ1D%RB8FPb zD3~i2v{sZCd|bx_$FI+Rq!uG()icrm()%ENQK za=u5nwKV(kSgNkiesIK?Q!vDMaBfRcH_C0((O8j-exoav?|}7T89^yu@E_tSML!G( z8S9tOa(++N!2`O#z&J)5Dt4Ov%4}=?@O0g}!cE*=%r;gk5>^Dc%esV+(eK zc{QC?3m7#^1&wYrXY8%-KgSL`7cqBA5d{*x(F6&dM$2%S&wNjo6dVt2u2VZEG|VfD z2;^Dw>z9Cy*Slin(N_5?{q4wn(*Ci8jZQ+GM(^yTSWT_FkUo%wqpZ(b^7u}e-NMAzjepTXo2GX< zhnFJiSKCYyA@06_0Ml~Z`TkNZ3>AI1qUxrnOBl_u{Id>^#ib?2ekY`7eC^V*y zDSqW7%_q9O9olix0(s6E*%<4p6Ez4qg>T$C*?M*&Q*~>wbbjLIXJiwZaO#kLX7o2y z3LgKU*JFvk0~AsAX|on$7iMo2Nto~h8HqW(j0$59JH7U^)GOq;DGx?kwI6z}9tel9 z-XK90P^H%yQRCA!df;NKF~z4@sYgD^$-OXrqiwSv16wOB3edKL7Af5})!Q8Qq0IRa^v=rH1kL<#L>f&E*GC%}W zp#moTw%6Y7RjkDhZg`iy+LbQ@P6jeolCCES>%l^W7p%-vbW99`_j?`BxNdnUX49q| zp0;{xS@rZdc~AKM?d|W#+rT`c`Lo3=L3#sFDR^p%IlXf`?)&bMW4I?17h(B_5Fef4 zvRjsafPx(w=*M;EG4G`bP57iTOX76wZ~3q9`zdzIfz+7l#e{OEAbxhlK6nZ(1`(V6 z^R&|AAhsJrSPS=nMa`uwj0 z>G(V!qHVNmbavCJ!CVC9Ge$esQgA^6)Dh#p8hVJ(y+}b|$esfY=fQTKE=zO9Mu#tt z(%h7ju{zvDZt27r)kZZ)u1kAzwo}y@ImZ>xg}l8DTYf?KRg?6NQP-|`Vk_W7j*>R! 
z<3EM_HyaLITWn-XbzZop3cHe0uD6w;&*t01is%l)N$yKhnoK=(-giXI4ScpW7F=Dp z-N&gx=5^rM6kC&CBi7^DR%|%avLT^dtg=7H8BiK#5Xzwh>FPkntj!dvb?2&eeQUJ4 zDZo}*!~7OUh6LT#iSZyncsp^X*`QFg&rZKe!!yT zkHtcN0bG~i8t<=%F~G+#XMTY89WS*p%j0|pFi2Y8+@WP$PZJEyKS3%CU!{jc*WcoX z+%1RiFR}M5jWK8$a`0Y^30-@bkas_67^3MsnqmBkd=7pey6PBuDEVBJ^Jd-A|0QC* zOxr0?FV*M13bCc{Dn7`?dIcMkRrA`#7Q33=%fB0M33-NYmPj~W%oYY)lyAn-bwZoW zDcI&ys|N|;4Gd%?!w&(Wbpsds7^c9N{vw=c|v@n{p& z!&F1k;4Mns^9e5>qMbQFx{63{;>tNBt{48gs@dzVv*zO!f;&}eom;^MQ}c>Brr#=> zShm5aWQ<5}A_HgE+Mi*zecws;Pd;Q-u>_1HtI!Z#UkLu19&dzfoDzmoXf(q4z;Na9 zCuNVEtfx*UwS-rYb-V>gw>WoMGW+1JLASOt?zio*kr7T%GYIS2Aze-hBf0wvkly+y z+EC`UM_-@g+(Q}H-qITL3k;wG^q+Dr* z?uo4bOSnux?ZL`2n0gGvFE^ZQ#WNR&+oq#Ujuwip&y+G;cqfd8 z6G+!?v(-x$Mf-5-CnL>`|O0JxR z$hhCXRepg0kqI6Sdmt4ge35jzL$BtC?Kt;>K7D>i+CIYFR{LuET?byiQ-UIKtMf`Z zrBvGPYS@^0a=Euxb$f)OCt-r{C+ucv((|^+SkmubF+0%hXpl^19<1M3@3(d^vdT*Q z6o~y5EBqGq8=JLIvU&hmZC_~$kE)RuADr$X7M=4CxinjvzMAL|QPZFL zseNY`$(6|!(~_sp08KtPTG&1`=ow6DWl&2tBKoMq*|93&VuF_VbWbiz+GmouoY7Yt zqTl&yH`RUM@NKa3SJ*mA3Pfg&ORnrOCK|r7Q%HBkcI4z_QNVJA!++@eKy7PsOFo1C z5)w2ELZ}knte?!SK1bYl!0x@Z zmG5>Cuj@6~F8q*M-(f0~KC`c|vy9Bs!5*=G(yOkbDTR8A(qO6P)}9i^wM~!~5j57& z#XveKXSO8wxrr91I=d&R?+cyyIRf=We7{=k z>&K9YadC%DUL@(I@fX|lW^}S9_etAMp+lA7-EMptb`XgWy#Cv?_AO$7=Yl#gzS$i_jqMB|n{1>trxJx5qtC^FCjsS%x+jD4QP zDoG%5`TDJj>A3QWM=vy@BYb_(`W!yQIR<1^k@}dzGo!joSpL&OX^68J8G)oT8Pm4^ zi@4hM=n1EBBV7(@`zBH(aeSgHPKl6{pk`{18U4Nc>wKwL1JyX| z1=dDb(TGPkunbihMSDkmJh|hK?0AwHiJ@CIZ9Z{B%E;~m>9S%SF5f>G#)=7V;vE_m z{now1Rw28raUvr2BoY!@PAp9ADcq@>#uX#oA%#(z^PX&h-k*wRdwptiMoNksam{Bw zXWE9&cu%H=%O8*?dsMV%F`2P4xLWJ8TaA0M*xWxEA5WpEe9pVs9Bv?xUC-Iur>v!D za_s+}1mAubf+I{*?I|4dR1gYT0R5&W`h26A*qKt>)JXt6=WEc#-O2`2^tvCvRnJ|Lm47@nE5e zB%s9X8H4vYNsV0@Ni*{82Z@X6HC)W$@ussD(bE$|7&bf}D`g(eBZEiaYsS?uY42S! 
zTvp+Ygy*&}=FeNgdha$c@TaR_@RRdj4r9oK_P_`K z09TnGtbF9cEcS$$-g$DzyHr>)=?vc=zzU0uZI}vmbAxFx@08LK|0%|axzw4!0qYLh z!-$&$4Wqm!fwdEv2fSo!9d=wut>PQ$Z2%FZ64eKWH>4PSz3mfk7)kH~4YF{t9MPXk z?OY&Ym_$fl;AKqk>jhed6;kMEgv@VTA(vVHlBYHWX*j=QBs;l{`9GL zp*GAdPu!^1^X~l&jY=cn{9gD4``O|WM?(4}q^@MOmQxzFt5B2u!=X*P|G}Z@?jtJ$ z0(7Spf%h*=rxRDgh;=N1w+ero4Jk9M+DopKi~d4Y_6Tg=XD0{GP2IS!FBs|WntLO{ z(0q=aBnyu_C{pK|WeCHn*1fHLC1xE*e93{qk!x!b*-K6*12xlYc@WaC4DlgVmXi+m zk8Z-MDxn%zuYMJ5XMkFJNJ8!yG|<21_jHOc_4H`6#>B&9f^YS7?niPl6tWlujo7sl z^Rcz*8>?;_GydAyLZEb?iF(Z?{QbiUuBu?cbk4dG%q6T;<+fkN@oE>U>!n<&xW5@D z7y#k1vc|u^rWGzcy5zym!9ja?xm~NYyP3cDyemLjz+{TocQC7X7oZ(uysR{ckio$s z2?n--hv(;IL#Geda?67xeh!yip;q**eKuuex{xmx1}L_BU*AjU-Lrf#fkKLPs8E?& zmN>WHt>|u8^6I;#qfw}66@qz~#UL06RVL_?cSqc6x1GM|*)@r4bw1?`LMvh066$w8 zzfCY);8ot&czxznR#4Fi#L)F5VBq;2QU7vtXN39GOMCp_MTXMcYjC2*Z`hOY^ZV_+ z>L+b#QNu@d>a!R~20>c%jYUbLjjicRWaZU9LmnOjbh+26#Zx?w$tFC?vPgg3m@tE$ zq@i-rT}lRC2$KV^$bq1dSxYvf=hzzLH7ayzj5f>Jl-BmCywa1wR~xnwY&;KuO_olT zD=rT~UeHL!*)WQFp7{Z{s|8C&MT3eZCHBWHvyfrw@HYqEF6Xm3|I^)$wZ>0vQ!)FN zx5vC;SoVCGB0L6%TA0fn6#2Y&l%5qEjUXfs6&l?&9ccUq3U@ z3GGEpx>#TKOnh^oq^aok-1<7f05z3>i<-_`kA`PRC-(XBHQ~%FK%Eq%S}>609VXzh zw;%?;r%T)22vdVce18}Nr%gL2Kq5I1MI>yws`DGx*|F=?$p?9I{BXRZ=lG!{Mc*QH z6U>eG4&dE^FYW_mh?@nHz+pox=e2W|E`C;)fk-o@QuV4grgRmXk0 zaeHBR4VEt}fb)`t(Rr6NmsDqX{s7Lm!@(Nr*P)R?RDR~y@r?7UDS+F)!%fBD6W_58y!ps{teNN4m25F zwnSp9bBN01ny2&ZQTz`=g;BHm_xnYI+&4yBiw_+c8KGI=?i>D8TTG7|iA;{0m|>p! z+p?O?uc6r+p?Rz-Tw6ip>_)uQBfUU7mO>&E$Fskl=bnJ5Y&P}? 
z_{HA%ilS)Z)SKL3cSqgwFI@H>DFPF|n6Y3JCDPd53h`yQnlT}~w4$R_EtI#+Z3l?u zxqx*hW=bd02ZgseL2OG=^5W${O3$sIkXf9+3Vr$z1VfMg90J7 z{LgNzmcyfEVT_TUd5hj{?h5cAZIESh97T44&$!t(AzY`)=0~9UNq=sC|)ie~K zx23V!+H#>ROP0!*wV{aijYktda|r_TI&?lhrBrA8u`dj{(fjlmdFRInaWqC*$mA0%?&|88N=nBq{d+-`xMFk`k#v}xz7+*^ zJJ1;>L8fn)EX~&$&{_AUiQWmpzmhoI%E)q*^R^|q^3`ecx5tcWQ;sNx4IDmSTlNH1 z^$lJ6aQJ@361ds%&MMZY;BxkkGKp!DPkSCAP$-uJ$t^^G+&DQ2e|>psktGDmL6vc~ zu;qFVbv8!vb6Rjvkg|&%UM?6KF*l+?mcvNMmjrJlGG>xEA!$q~J9ly-BA>~l=+V)n zp8XWng%IQ#n)vh_AmZe-qi&Wg9fHone<(<&)ZD6XSL1%#`6*U+t{I^zbiREH2RJDs zcRGbFRLU(=fs3D?&b-nAE=1*GCjCeIzwfAmdT&kU4Gv~XQKTzW2=98yzetg@%q2>Y zvhWCg|6Zx$+1QK{i2TH4cZ03({)XFCgP9fTx;UZp$gtV+299Fm6orj?I8|7z5Osq} z4RHs~6Pn7?gpP%Z>Nl2N0m)z_lrY!7&S=OlR%Wn2bOwZ%or8Qj&-<$5&mxXk5t--4 z3DQT6E_G;o3JGse)S{7KJbWh;o9Q?LIpWn--!ZEQNZ878$c=%Q2}8%t(ZA6XxKXeg zUOAy4b)BIpb?GJU=tyS{a%N2?P90m(n&J&acDE$Sczme*stdGJIjjLoNQg6GVQ|p# zfykusSw;;|oftuw3Ehr8$zfcdOs#~=*ideKuls#mc<@_WTPGT9^jba(G|3(2^V-Tld&b&JdOiWh#66J}6lW0#f4V?tjX8lITS1=CFMX@Dxy zyn6KZdou33_uwBYnH_}eKW{RcUky(J-xNgl!0}@N+$%o%gYh+!L>+!cUUY@<&33D+ z(s;*eLZKMlL4a+`F!&&=jD})(cXuZqiO>6cxizR0SIi29E%H+e$vqpig_jrKuV23e z3~iv2BLqT}L@1Ua*9e_f7|rDBex-QC?Y@A)8!8SHKzyz^P(*E_6OM6lI5hSaBVrTy zWzhTK69*QDuT74{kL9khU%#@6ydm?s?nzJ$J^7x6m632~@pQcsL>4S542E_VlVWq)pRKlW3keA=5Z3oFf5+r36)FdZ0xH#3zmE>iSD_dT*}1tO z6kZv%b(0bQNKPoB416EtBIpnqe|7A^MnK+8XZ~wEyZjP2%#8lVb8lA`awkT$8*8X z)DJ7Muz}GOIm4?>Kmh4lS|-Spspe#6{y^bfM2j^hh&v8vMM^e7ip4NS!lWjOf|xYI zCGZxy6@msSJ#NC1g?Geugny9T8aAF_d$nf6%8W@AE~5=p)Pl-kgwq5Gj@Pt?`R?-C z3}JD*{sv59@^p)o%%<_$Mq{mw;5ov6W9nOJYe%dvar_t!u9!bkR8$m%ui{FNFtsyZ zSY)5UNGT>_86sqy7w&BVuuYVt5>{7AUSgEo3+#dAdH4`lF0Hbr6S4$i#pAy zbkfBY)M^TGXi())C~jHQTP%a$2SjC|!|gX?HM#D46z02&jVZWhLm<|hgi20w#^0d8 XIdqGt)pvZ}0e_OBaw6qI`o8}Ugd!g} diff --git a/doc/frameworks/broker/cluster-layout.xml b/doc/frameworks/broker/cluster-layout.xml index d0fe32437f..4269c6723f 100644 --- a/doc/frameworks/broker/cluster-layout.xml +++ b/doc/frameworks/broker/cluster-layout.xml 
@@ -1,2 +1,2 @@ -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 \ No newline at end of file +7VxLc6M4EP41Po4LSUjAcZJJZg+7VVOVrd3ZowwKZgYjFyaxvb9+hZEwEhA/eITs2JdYrZYE0ve1ultyZuh+tfua0vXyDx6weAatYDdDX2ZQfDxL/Mkl+0Li2G4hCNMoKETgKHiK/mVSKNuFL1HANppixnmcRWtd6PMkYX6myWia8q2u9sxjfdQ1DVlN8OTTuC79OwqypZQCyzpW/MaicCmHdrGsWFD/Z5jyl0SON4Po+fApqldU9SX1N0sa8G1FhB5m6D7lPCu+rXb3LM7nVk1b0e6xpbZ87pQl2VkNGEXAcTwrgD71XPQJoKKLVxq/MPUOhyfN9mp2WCAmSxYTnog/d4dXZnmnQJSW2SqWX2O6YPFdOSv3PObpsdkmo2n2OV8wQ/YYxXkPlipLiGBRZkmgWvgx3Wwi/89llBQVshkoSpVGP1iW7WWZvmRciHiaLXnIExr/zvlattpkKf/J1FOK1fOIgz6TskahIdd95kn2SFdRnIP8L5YGNKFSLEcCUJYrHVqHj5An/KEyj4dH3kXZ9/yt51iW/pFzcHxWqVpfZ7n0G/6S+qxtcSWVaBqyrEXHK3TyNa50LNHzlfEVy9K9UEhZTLPoVScMlbwLSz3ZVKwY3VcU1jxKsk2l52+5QCgoE6KYJg0IcqCOY1MfQTFp1Ra2bVdbiC/FM6hS5WWOogM7zmWKfWPKL80UNAmmAHIZUwB0RmdKjSgrAYCQpTNIYjG7d4v8W5iVq1VlUByLTT9H+3YZZexpTQ9rthV+h06fI68OVFD7al7l81Xky4pTLGsANW0BtWBQRZOBADOnO9hpHIVJzliBVzFDbwD4laUZ270JPVWL9BVHyrpuj86NctmWFbdGQasJrBW4XIYG2GA2Cxhs1jRRQFinfLf/BJsQUkjEuFX9qQEncLyFZZ0DnOdnRnx/msCBUAcOwHXgOLgOHDwEcJo80zpwYh4Ky5LbnI+BE7Ig+CwDI4IIOFWcePoeZJN3hIlXg4mERIN7dlv7HjYXD7/b4t+CVQ1QXxzvrm3T6Qac0uGuuNvFg4sV+14tKEe87rT35JrDM1xzMIhrXvOlbYLmnmMjDCxgI9dBjsYED84RJB7GmCAHQ7334h1lh29Fth6YE9GLhRwxAlbOerkj2/Y8790Rr01sYBFjmGKaasO0Rxka9S5z/JsC4jbPDtw8u3e12kbUOKZjh29Ge1yjrTImNaNtDWW07enYaAKN/Agi1xlirLwN1RExOhrT1JIbh0biUMmVObIcjS9zizRSpjk52UimQ2ffWBqJpc8t+2Eqe2PYMKn8GjGQbTAM4OsYZqO+GdaSArWMiAVoh2SdE6DOjZwjRyU1plVoS1yDtfC8je56bl4VsgxzmlAnK3J1jlnOdWRFjt4RgEZHPZEV4mHJqixphZx63FBhYnu0ezU57lxs42ZyNMXcBdL7ctO8Oi7tcWBonu/a5lFDCwwvNvVQD5e9nsFDLrPsJp5OOeij4GxANE30dgFCRvRrGbdkTuirMHgo/d5tnNsNpsfNFI9q+Grb+phQhSNZQqLvo90tYYewEoFuQGmwZxXM1C3avJNjORGbNo17IMjM6J2yaeRCG9VR37BpdR4YUSS2+7WB9WPBpuT0lqc/i6PCD5qdXrRzwsxOuz6bana6TBKPcYAMG5BxC9ff4xDRmtumfzFooH5OEu0WlzeP4wwblt/uoU/nlGhOiJn5nmYObaSEN1Fucpnwdq/jKnb1jgA09rO+cmjuwDk0XOPmFTHCIKHk4EedgJwBzJFiSdfMqoGB8KTOUAfKqjmXmfoWhNXzpu8UabaA8PBI/WFsJOMHjPN0bOYrumLsVPx6Kv48s/5UPFp7z57jURWQdgX5W0dfo2TrhjSkw5xGDJM6s/pZT2M1p2WyejVYI0VW
4NRRU0+b4qVnChem0zqp9x6dNd0/as2mfdy7nv+PbNqYv8ZoSrP+wmH7G1Z4oGTamCcfI13hhMZ9rauvcNrmTTUT8n1dMDN+EmPsBd19x/ovam8sGzU5dpELNUc5UrT8WemZX5ccO8e9Gomc5W1P5Wp4BqfOJWf5EwTl4pgd9UVO0is5RfH471oK9eP/xEEP/wE= \ No newline at end of file diff --git a/doc/frameworks/geoip.rst b/doc/frameworks/geoip.rst index d826aabff6..cd41c6f54c 100644 --- a/doc/frameworks/geoip.rst +++ b/doc/frameworks/geoip.rst @@ -102,7 +102,7 @@ following order by default: If you see an error message similar to "Bro was not configured for GeoIP support", then you either need to rebuild Bro and make sure it is linked -against libmaxminddb or else set the :bro:see:`mmdb_dir`` value +against libmaxminddb or else set the :bro:see:`mmdb_dir` value correctly. Normally, if libmaxminddb is installed correctly then it should automatically be found when building Bro. If this doesn't happen, then you may need to specify the path to the libmaxminddb diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index b39490ed7e..8febc9dae3 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro @@ -872,7 +872,7 @@ type geo_location: record { longitude: double &optional; ##< Longitude. } &log; -## The directory containing MaxMind DB (*.mmdb) files to use for GeoIP support. +## The directory containing MaxMind DB (.mmdb) files to use for GeoIP support. const mmdb_dir: string = "" &redef; ## Computed entropy values. The record captures a number of measures that are diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_vector_declaration_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_vector_declaration_bro/output index 4f1260e4ed..22790f45fe 100644 --- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_vector_declaration_bro/output +++ b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_vector_declaration_bro/output 
@@ -7,10 +7,10 @@ event bro_init() local v1: vector of count; local v2 = vector(1, 2, 3, 4); - v1[|v1|] = 1; - v1[|v1|] = 2; - v1[|v1|] = 3; - v1[|v1|] = 4; + v1 += 1; + v1 += 2; + v1 += 3; + v1 += 4; print fmt("contents of v1: %s", v1); print fmt("length of v1: %d", |v1|); diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_vector_declaration_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_struct_vector_declaration_bro.btest index 4f1260e4ed..22790f45fe 100644 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_vector_declaration_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_scripting_data_struct_vector_declaration_bro.btest @@ -7,10 +7,10 @@ event bro_init() local v1: vector of count; local v2 = vector(1, 2, 3, 4); - v1[|v1|] = 1; - v1[|v1|] = 2; - v1[|v1|] = 3; - v1[|v1|] = 4; + v1 += 1; + v1 += 2; + v1 += 3; + v1 += 4; print fmt("contents of v1: %s", v1); print fmt("length of v1: %d", |v1|); From 7b12fd8c4aa66ed3d160812ad1872a798a265a71 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Wed, 8 Aug 2018 13:17:26 -0700 Subject: [PATCH 609/631] Updating submodule(s). [nomail] --- aux/bifcl | 2 +- aux/binpac | 2 +- aux/bro-aux | 2 +- aux/broccoli | 2 +- aux/broctl | 2 +- aux/broker | 2 +- cmake | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/aux/bifcl b/aux/bifcl index 08142075ee..e99152c00a 160000 --- a/aux/bifcl +++ b/aux/bifcl @@ -1 +1 @@ -Subproject commit 08142075ee48e0db5897bd6e7d5a03f1e9eb8084 +Subproject commit e99152c00aad8f81c684a01bc4d40790a295f85c diff --git a/aux/binpac b/aux/binpac index 08cbe758a5..74cf55ace0 160000 --- a/aux/binpac +++ b/aux/binpac @@ -1 +1 @@ -Subproject commit 08cbe758a5d6d2d404dcd552e246180827d0257b +Subproject commit 74cf55ace0de2bf061bbbf285ccf47cba122955f diff --git a/aux/bro-aux b/aux/bro-aux index b9de0fc0d1..53aae82024 160000 --- a/aux/bro-aux +++ b/aux/bro-aux 
@@ -1 +1 @@
-Subproject commit b9de0fc0d1d9c65bfbfa8fca68f5f668e4f54203
+Subproject commit 53aae820242c02790089e384a9fe2d3174799ab1
diff --git a/aux/broccoli b/aux/broccoli
index f061c47c1d..edf754ea6e 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit f061c47c1db058339aa8d273d2d9cc1b27d8518d
+Subproject commit edf754ea6e89a84ad74eff69a454c5e285c4b81b
diff --git a/aux/broctl b/aux/broctl
index b1f127c7d2..70a8b2e151 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit b1f127c7d25522ddf25f6677f5914e467b5f86d7
+Subproject commit 70a8b2e15105f4c238765a882151718162e46208
diff --git a/aux/broker b/aux/broker
index 398d8f9dad..d94e2c0e3c 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit 398d8f9dad05a6a71b3bbbceb65243b2ab56350e
+Subproject commit d94e2c0e3cf00b19eb210b151a41fd238c6d9eeb
diff --git a/cmake b/cmake
index f5265a1ea8..4cc3e344cf 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit f5265a1ea8b5631aaf00164452ba718f8635db22
+Subproject commit 4cc3e344cf2698010a46684d32a2907a943430e3
From ff22230a73f79b120ae2e02c5a2f6593d55f2369 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Wed, 8 Aug 2018 13:25:06 -0700
Subject: [PATCH 610/631] Update submodule [nomail]
---
aux/broker | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aux/broker b/aux/broker
index d94e2c0e3c..3ab9b647ee 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit d94e2c0e3cf00b19eb210b151a41fd238c6d9eeb
+Subproject commit 3ab9b647eedf6be674067198551d57b2b17e86d1
From 5d3ef4daf4504d60dcfff8d39967317d5bffce84 Mon Sep 17 00:00:00 2001
From: Daniel Thayer Date: Thu, 9 Aug 2018 13:58:43 -0500 Subject: [PATCH 611/631] Improve the travis-job script to work outside of Travis Improved the travis-job test script so that it works outside of Travis. This can be useful to test changes to the docker container config before pushing to master, for testing changes on a branch, or for debugging some problem with the tests running on Travis. This required the following changes: -The script no longer requires the TRAVIS env. variable to be set. -Added an "all" command as a more convenient way to run all steps in a build. -Added a "coverity" command-line option to do a coverity build. -Before building Bro or downloading coverity tools, do a cleanup from any previous build. Also other minor improvements (code comments, reorganization, etc.). --- testing/scripts/travis-job | 200 ++++++++++++++++++++++++++----------- 1 file changed, 140 insertions(+), 60 deletions(-) diff --git a/testing/scripts/travis-job b/testing/scripts/travis-job index 92d8d6d53d..01065900dd 100644 --- a/testing/scripts/travis-job +++ b/testing/scripts/travis-job 
@@ -2,58 +2,82 @@ # # This script (along with the .travis.yml file) is used by Travis CI to # build Bro and run the tests. +# +# This script can also be used outside of Travis (the "all" build step is +# especially convenient in this case). Note that if you use this script +# outside of Travis then you will need to fetch the private tests manually +# (if you don't, then the private tests will be skipped). + +usage() { + echo "usage: $0 CMD DISTRO" + echo " CMD is a build step:" + echo " install: install prereqs" + echo " build: build bro" + echo " run: run the tests" + echo " all: do all of the above" + echo " DISTRO is a Linux distro, 'travis' to run without docker, or 'coverity' to run a coverity scan" +} if [ $# -ne 2 ]; then - echo "usage: $0 CMD DISTRO" - echo " CMD is a build step (install, build, or run)" - echo " DISTRO is a Linux distro, or 'travis' to run in Travis without docker" + usage exit 1 fi step=$1 distro=$2 -# Build Bro with the coverity tools. -build_coverity() { - # Get the coverity tools - set -e +case $step in + install) ;; + build) ;; + run) ;; + all) ;; + *) echo "Error: unknown build step: $step"; usage; exit 1 ;; +esac - if [ -z "${COV_TOKEN}" ]; then - echo "Error: COV_TOKEN is not defined (should be defined in environment variables section of Travis settings for this repo)" - exit 1 - fi +# Install the coverity tools. +install_coverity() { + rm -rf coverity_tool.tgz coverity-tools cov-analysis* + + echo "Downloading coverity tools..." wget -nv https://scan.coverity.com/download/cxx/linux64 --post-data "token=${COV_TOKEN}&project=Bro" -O coverity_tool.tgz tar xzf coverity_tool.tgz - mv cov-analysis* coverity-tools rm coverity_tool.tgz + mv cov-analysis* coverity-tools +} - # Configure Bro - ./configure --prefix=`pwd`/build/root --enable-debug --disable-perftools - # Build Bro with coverity tools +# Build Bro with the coverity tools. 
+build_coverity() { + # Cleanup any previous build (this is really only necessary if running this + # outside of Travis). + make distclean > /dev/null + + ./configure --prefix=`pwd`/build/root --enable-debug --disable-perftools --disable-broker-tests --disable-python --disable-broctl + export PATH=`pwd`/coverity-tools/bin:$PATH cd build cov-build --dir cov-int make -j 4 + cd .. } + # Create a tar file and send it to coverity. run_coverity() { - set -e - EMAIL=bro-commits-internal@bro.org - FILE=myproject.bz2 + FILE=myproject.tgz VER=`cat VERSION` DESC=`git rev-parse HEAD` cd build - tar cjf ${FILE} cov-int + echo "Creating tar file and sending to coverity..." + tar czf ${FILE} cov-int curl --form token=${COV_TOKEN} --form email=${EMAIL} --form file=@${FILE} --form "version=${VER}" --form "description=${DESC}" https://scan.coverity.com/builds?project=Bro } -# Setup a docker container. -setup_docker() { +# Create a docker container, and install all packages needed to build Bro. +install_in_docker() { case $distro in centos_7) distro_cmds="yum -y install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel git openssl which" 
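Review bot: `install_coverity` and `run_coverity` put `${COV_TOKEN}` on the command line of `wget` (`--post-data "token=${COV_TOKEN}&project=Bro"`) and `curl` (`--form token=${COV_TOKEN}`), where other local users can read it from the process list while the transfer runs. That was tolerable on a single-tenant Travis VM, but this commit makes the script a supported tool on developer machines through the `coverity` distro. I would pass the token from a file that only the invoking user can read, using `wget --post-file` and curl's `--form "token=<FILE"` form, and at minimum quote the expansion as `--form "token=${COV_TOKEN}"`. The downloaded `coverity_tool.tgz` is also unpacked and placed at the front of `PATH` with no integrity check beyond TLS, which deserves a comment in `install_coverity`.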
@@ -83,20 +107,24 @@ setup_docker() { # Build bro in a docker container. -build_docker() { - docker exec -e TRAVIS brotest sh testing/scripts/travis-job $step travis +build_in_docker() { + docker exec brotest sh testing/scripts/travis-job build travis } # Run Bro tests in a docker container. -run_docker() { +run_in_docker() { prepare_env - docker exec -t -e TRAVIS -e TRAVIS_PULL_REQUEST -e trav_key -e trav_iv brotest sh testing/scripts/travis-job $step travis + docker exec -t -e TRAVIS -e TRAVIS_PULL_REQUEST -e trav_key -e trav_iv brotest sh testing/scripts/travis-job run travis } # Build Bro. build() { + # Cleanup any previous build (this is really only necessary if running this + # outside of Travis). + make distclean > /dev/null + # Skip building broker tests, python bindings, and broctl, as these are # not needed by the bro tests. ./configure --build-type=Release --disable-broker-tests --disable-python --disable-broctl && make -j 2 @@ -107,6 +135,9 @@ build() { # hard-coded multiple times in this script. prepare_env() { if [ -z "$trav_key" ]; then + # This hash value is found by logging into the Travis CI website, + # and looking at the settings in the bro repo (look in the + # "Environment Variables" section). hash=6a6fe747ff7b eval "trav_key=\$encrypted_${hash}_key" eval "trav_iv=\$encrypted_${hash}_iv" 
@@ -117,27 +148,15 @@ prepare_env() { } -# Run Bro tests. -run() { - echo - echo "Running unit tests ##################################################" - echo - cd testing/btest - # Must specify a value for "-j" option, otherwise Travis uses a huge value. - ../../aux/btest/btest -j 4 -d - ret=$? - - echo - echo "Getting external tests ##############################################" - echo - cd ../external - - set -e - - make init +# Get the private tests. +get_private_tests() { prepare_env - if [ -n "$trav_key" ] && [ -n "$trav_iv" ]; then + if [ "${TRAVIS}" != "true" ]; then + # When not running in the Travis environment, just skip trying to get + # the private tests. + echo "Note: skipping private tests (to run them, do a git clone of the private testing repo in the 'testing/external' directory before running this script)." + elif [ -n "$trav_key" ] && [ -n "$trav_iv" ]; then curl https://www.bro.org/static/travis-ci/travis_key.enc -o travis_key.enc openssl aes-256-cbc -K $trav_key -iv $trav_iv -in travis_key.enc -out travis_key -d chmod 600 travis_key @@ -154,6 +173,34 @@ run() { echo "Error: cannot get private tests because encrypted env. variables are not defined." exit 1 fi +} + + +# Run Bro tests. +run() { + echo + echo "Running unit tests ##################################################" + echo + cd testing/btest + + set +e + # Must specify a value for "-j" option, otherwise Travis uses a huge value. + ../../aux/btest/btest -j 4 -d + ret=$? + set -e + + echo + echo "Getting external tests ##############################################" + echo + cd ../external + + if [ ! -d bro-testing ]; then + make init + fi + + if [ ! -d bro-testing-private ]; then + get_private_tests + fi echo echo "Running external tests ##############################################" 
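Review bot: In the new `get_private_tests`, the decrypted `travis_key` is created by `openssl aes-256-cbc ... -out travis_key -d` under the default umask and only restricted afterwards by `chmod 600 travis_key`, so the private key is briefly readable by others on a permissive umask. These lines are unchanged context, but since they are being moved into their own function this is a good moment to create the file restricted from the start, for example by running the decryption as `( umask 077; openssl aes-256-cbc -K "$trav_key" -iv "$trav_iv" -in travis_key.enc -out travis_key -d )`. The quoting of `$trav_key` and `$trav_iv` in that line is part of the suggestion. The function body continues past the end of this hunk.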
@@ -164,9 +211,8 @@ run() { exit $ret } -# Output the contents of diag.log when a test fails. +# Show failed tests (not skipped tests) from diag.log when a test fails. showdiag() { - # Show failed tests only, not skipped tests. f=bro-testing/diag.log grep -qs '... failed$' $f && \ @@ -178,18 +224,22 @@ showdiag() { exit 1 } -if [ "$step" != "install" ] && [ "$step" != "build" ] && [ "$step" != "run" ]; then - echo "Error: unknown build step: $step" +# Remove the docker container. +remove_container() { + echo "Removing the docker container..." + docker rm -f brotest > /dev/null +} + + +if [ ! -f testing/scripts/travis-job ]; then + echo "Error: must change directory to root of bro source tree before running this script." exit 1 fi -if [ "${TRAVIS}" != "true" ]; then - echo "$0: this script is intended for Travis CI" - exit 1 -fi +set -e if [ "${TRAVIS_EVENT_TYPE}" = "cron" ]; then - # Run the coverity scan from a Travis CI cron job. + # This is a Travis CI cron job, so check the job number. # Extract second component of the job number. if [ -z "${TRAVIS_JOB_NUMBER}" ]; then 
@@ -204,14 +254,35 @@ if [ "${TRAVIS_EVENT_TYPE}" = "cron" ]; then echo "Coverity scan is performed only in the first job of this build" exit 0 fi +fi - # This is split up into two steps because the build outputs thousands of - # lines (which are conveniently collapsed into a single line in the - # "Job log" on the Travis CI web site). - if [ "$step" = "build" ]; then + +if [ "${TRAVIS_EVENT_TYPE}" = "cron" ] || [ "$distro" = "coverity" ]; then + # Run coverity scan when this script is run from a Travis cron job, or + # if the user specifies the "coverity" distro. + + # Check if the project token is available (this is a secret value and + # should not be hard-coded in this script). This value can be found by + # logging into the coverity scan web site and looking in the project + # settings. + if [ -z "${COV_TOKEN}" ]; then + echo "Error: COV_TOKEN is not defined (should be defined in environment variables section of Travis settings for this repo)" + exit 1 + fi + + # The "build" and "run" steps are split up into separate steps because the + # build outputs thousands of lines (which are conveniently collapsed into + # a single line when viewing the "Job log" on the Travis CI web site). + if [ "$step" = "install" ]; then + install_coverity + elif [ "$step" = "build" ]; then build_coverity elif [ "$step" = "run" ]; then run_coverity + elif [ "$step" = "all" ]; then + install_coverity + build_coverity + run_coverity fi elif [ "$distro" = "travis" ]; then # Build bro and run tests. 
@@ -223,15 +294,24 @@ elif [ "$distro" = "travis" ]; then build elif [ "$step" = "run" ]; then run + elif [ "$step" = "all" ]; then + build + run fi else # Build bro and run tests in a docker container. if [ "$step" = "install" ]; then - setup_docker + install_in_docker elif [ "$step" = "build" ]; then - build_docker + build_in_docker elif [ "$step" = "run" ]; then - run_docker + run_in_docker + elif [ "$step" = "all" ]; then + install_in_docker + build_in_docker + run_in_docker + # If all tests pass, then remove the docker container. + remove_container fi fi From 116079a9ad5e4e9d096be36e97879b69f036b4a2 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 18 Jan 2018 11:09:12 -0800 Subject: [PATCH 612/631] Make parsing of booleans a little bit more lenient. This makes the input framework (and everything else that uses the Ascii parser) accept 0 and 1 as valid values for booleans. --- src/threading/formatters/Ascii.cc | 4 ++-- .../btest/Baseline/scripts.base.frameworks.input.basic/out | 2 +- testing/btest/scripts/base/frameworks/input/basic.bro | 5 +++-- testing/btest/scripts/base/frameworks/input/reread.bro | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/src/threading/formatters/Ascii.cc b/src/threading/formatters/Ascii.cc index e96290e793..6491063585 100644 --- a/src/threading/formatters/Ascii.cc +++ b/src/threading/formatters/Ascii.cc @@ -227,9 +227,9 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag } case TYPE_BOOL: - if ( s == "T" ) + if ( s == "T" || s == "1" ) val->val.int_val = 1; - else if ( s == "F" ) + else if ( s == "F" || s == "0" ) val->val.int_val = 0; else { diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.basic/out b/testing/btest/Baseline/scripts.base.frameworks.input.basic/out index 3f288d5c54..5cc19d85a2 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.basic/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.basic/out 
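Review bot: In the docker branch of the final dispatch, `remove_container` runs only when `install_in_docker`, `build_in_docker` and `run_in_docker` all succeed, because the `set -e` added earlier aborts the script on the first failure. A failed run therefore leaves the `brotest` container behind, and unless `install_in_docker` (its body is outside this hunk) removes an existing container first, the next `all` invocation will probably stop at container creation. If keeping the container for debugging is intended, say so in the usage text and have the install step clear a stale one first, e.g. `docker rm -f brotest > /dev/null 2>&1 || true`.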
@@ -1,5 +1,5 @@ { -[-42] = [b=T, e=SSH::LOG, c=21, p=123/unknown, pp=5/icmp, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, ns=4242, sc={ +[-42] = [b=T, bt=T, e=SSH::LOG, c=21, p=123/unknown, pp=5/icmp, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, ns=4242, sc={ 2, 4, 1, diff --git a/testing/btest/scripts/base/frameworks/input/basic.bro b/testing/btest/scripts/base/frameworks/input/basic.bro index e77a418f0d..356b87d70b 100644 --- a/testing/btest/scripts/base/frameworks/input/basic.bro +++ b/testing/btest/scripts/base/frameworks/input/basic.bro @@ -7,9 +7,9 @@ redef exit_only_after_terminate = T; @TEST-START-FILE input.log #separator \x09 #path ssh -#fields b i e c p pp sn a d t iv s sc ss se vc ve ns +#fields b bt i e c p pp sn a d t iv s sc ss se vc ve ns #types bool int enum count port port subnet addr double time interval string table table table vector vector string -T -42 SSH::LOG 21 123 5/icmp 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 +T 1 -42 SSH::LOG 21 123 5/icmp 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 @TEST-END-FILE @load base/protocols/ssh @@ -26,6 +26,7 @@ type Idx: record { type Val: record { b: bool; + bt: bool; e: Log::ID; c: count; p: port; diff --git a/testing/btest/scripts/base/frameworks/input/reread.bro b/testing/btest/scripts/base/frameworks/input/reread.bro index 4199093543..e4bb09df39 100644 --- a/testing/btest/scripts/base/frameworks/input/reread.bro +++ b/testing/btest/scripts/base/frameworks/input/reread.bro 
@@ -43,7 +43,7 @@ T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz F -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} F -44 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} F -45 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} -F -46 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +0 -46 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} F -47 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} F -48 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} @TEST-END-FILE From 26ea1999ec7b3a7b4ecf2cecdcb8c09dc827b537 Mon Sep 17 00:00:00 2001 
From: Johanna Amann Date: Fri, 10 Aug 2018 11:23:33 -0700 Subject: [PATCH 613/631] Ascii formatter: do not complain about port text. The ascii formatter already was happy to read ports in the form "42/tcp"; however it emitted a warning message for each line. This patch fixes this and adds a bit more testing for the existing behavior. --- src/threading/formatters/Ascii.cc | 14 ++++++ .../bro..stderr | 1 + .../bro.config.log | 34 +++++++------- .../bro..stderr | 2 + .../bro..stdout | 4 ++ .../scripts/base/frameworks/config/basic.bro | 5 +++ .../base/frameworks/input/port-embedded.bro | 44 +++++++++++++++++++ 7 files changed, 88 insertions(+), 16 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.frameworks.config.basic/bro..stderr create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.port-embedded/bro..stderr create mode 100644 testing/btest/Baseline/scripts.base.frameworks.input.port-embedded/bro..stdout create mode 100644 testing/btest/scripts/base/frameworks/input/port-embedded.bro diff --git a/src/threading/formatters/Ascii.cc b/src/threading/formatters/Ascii.cc index 6491063585..76b1ba4b04 100644 --- a/src/threading/formatters/Ascii.cc +++ b/src/threading/formatters/Ascii.cc @@ -261,8 +261,10 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag break; case TYPE_PORT: + { val->val.port_val.proto = TRANSPORT_UNKNOWN; pos = s.find('/'); + string numberpart; if ( pos != std::string::npos && s.length() > pos + 1 ) { auto proto = s.substr(pos+1); 
@@ -272,10 +274,22 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag val->val.port_val.proto = TRANSPORT_UDP; else if ( strtolower(proto) == "icmp" ) val->val.port_val.proto = TRANSPORT_ICMP; + else if ( strtolower(proto) == "unknown" ) + val->val.port_val.proto = TRANSPORT_UNKNOWN; + else + GetThread()->Warning(GetThread()->Fmt("Port '%s' contained unknown protocol '%s'", s.c_str(), proto.c_str())); + } + + // make the string end at the position of "/"; + if ( pos != std::string::npos && pos > 0 ) + { + numberpart = s.substr(0, pos); + start = numberpart.c_str(); } val->val.port_val.port = strtoull(start, &end, 10); if ( CheckNumberError(start, end) ) goto parse_error; + } break; case TYPE_SUBNET: diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.basic/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.config.basic/bro..stderr new file mode 100644 index 0000000000..977e8fc37a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.basic/bro..stderr @@ -0,0 +1 @@ +received termination signal diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.basic/bro.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.basic/bro.config.log index b1e03411e5..0d96d0f111 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.config.basic/bro.config.log +++ b/testing/btest/Baseline/scripts.base.frameworks.config.basic/bro.config.log 
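Review bot: The `TYPE_PORT` case stores the result of `strtoull(start, &end, 10)` in `val->val.port_val.port` with no upper bound, so a field such as `70000/tcp` (constructed example), or a negative number that `strtoull` wraps, appears to parse as a valid port unless `CheckNumberError` or a later conversion rejects it; neither is visible in this hunk. Because this reader consumes externally supplied files, I would add `if ( val->val.port_val.port > 65535 ) goto parse_error;` after the `CheckNumberError` test and cover it in `port-embedded.bro`. As a style point, `strtolower(proto)` is recomputed in every branch of the protocol chain; lowering it once into a local would read better. The enclosing `ParseValue` switch starts and ends outside the hunk.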
@@ -3,21 +3,23 @@ #empty_field (empty) #unset_field - #path config -#open 2017-10-11-20-23-11 +#open 2018-08-10-18-16-52 #fields ts id old_value new_value location #types time string string string string -1507753391.587107 testbool T F ../configfile -1507753391.587107 testcount 0 1 ../configfile -1507753391.587107 testcount 1 2 ../configfile -1507753391.587107 testint 0 -1 ../configfile -1507753391.587107 testenum SSH::LOG Conn::LOG ../configfile -1507753391.587107 testport 42/tcp 45/unknown ../configfile -1507753391.587107 testaddr 127.0.0.1 127.0.0.1 ../configfile -1507753391.587107 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile -1507753391.587107 testinterval 1.0 sec 60.0 ../configfile -1507753391.587107 testtime 0.0 1507321987.0 ../configfile -1507753391.587107 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile -1507753391.587107 test_vector (empty) 1,2,3,4,5,6 ../configfile -1507753391.587107 test_set b,c,a,d,erdbeerschnitzel (empty) ../configfile -1507753391.587107 test_set (empty) \x2d ../configfile -#close 2017-10-11-20-23-11 +1533925012.140634 testbool T F ../configfile +1533925012.140634 testcount 0 1 ../configfile +1533925012.140634 testcount 1 2 ../configfile +1533925012.140634 testint 0 -1 ../configfile +1533925012.140634 testenum SSH::LOG Conn::LOG ../configfile +1533925012.140634 testport 42/tcp 45/unknown ../configfile +1533925012.140634 testporttcp 40/udp 42/tcp ../configfile +1533925012.140634 testportudp 40/tcp 42/udp ../configfile +1533925012.140634 testaddr 127.0.0.1 127.0.0.1 ../configfile +1533925012.140634 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile +1533925012.140634 testinterval 1.0 sec 60.0 ../configfile +1533925012.140634 testtime 0.0 1507321987.0 ../configfile +1533925012.140634 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile +1533925012.140634 test_vector (empty) 1,2,3,4,5,6 ../configfile +1533925012.140634 test_set b,c,a,d,erdbeerschnitzel (empty) ../configfile +1533925012.140634 test_set (empty) 
\x2d ../configfile +#close 2018-08-10-18-16-52 diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.port-embedded/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.port-embedded/bro..stderr new file mode 100644 index 0000000000..fee70a8699 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.port-embedded/bro..stderr @@ -0,0 +1,2 @@ +warning: ../input.log/Input::READER_ASCII: Port '50/trash' contained unknown protocol 'trash' +received termination signal diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.port-embedded/bro..stdout b/testing/btest/Baseline/scripts.base.frameworks.input.port-embedded/bro..stdout new file mode 100644 index 0000000000..d1d886b370 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.port-embedded/bro..stdout @@ -0,0 +1,4 @@ +[i=1.2.3.4], [p=80/tcp] +[i=1.2.3.5], [p=52/udp] +[i=1.2.3.6], [p=30/unknown] +[i=1.2.3.7], [p=50/unknown] diff --git a/testing/btest/scripts/base/frameworks/config/basic.bro b/testing/btest/scripts/base/frameworks/config/basic.bro index 3b72f6572d..f5a02983fd 100644 --- a/testing/btest/scripts/base/frameworks/config/basic.bro +++ b/testing/btest/scripts/base/frameworks/config/basic.bro @@ -1,6 +1,7 @@ # @TEST-EXEC: btest-bg-run bro bro -b %INPUT # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff bro/config.log +# @TEST-EXEC: btest-diff bro/.stderr @load base/frameworks/config @load base/protocols/conn @@ -16,6 +17,8 @@ testcount 2 testint -1 testenum Conn::LOG testport 45 +testporttcp 42/tcp +testportudp 42/udp testaddr 127.0.0.1 testaddr 2607:f8b0:4005:801::200e testinterval 60 @@ -35,6 +38,8 @@ export { option testint: int = 0; option testenum = SSH::LOG; option testport = 42/tcp; + option testporttcp = 40/udp; + option testportudp = 40/tcp; option testaddr = 127.0.0.1; option testtime = network_time(); option testinterval = 1sec; 
diff --git a/testing/btest/scripts/base/frameworks/input/port-embedded.bro b/testing/btest/scripts/base/frameworks/input/port-embedded.bro new file mode 100644 index 0000000000..8aab733069 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/port-embedded.bro @@ -0,0 +1,44 @@ +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait 10 +# @TEST-EXEC: btest-diff bro/.stdout +# @TEST-EXEC: btest-diff bro/.stderr + +@TEST-START-FILE input.log +#fields i p +1.2.3.4 80/tcp +1.2.3.5 52/udp +1.2.3.6 30/unknown +1.2.3.7 50/trash +@TEST-END-FILE + +redef exit_only_after_terminate = T; + +redef InputAscii::empty_field = "EMPTY"; + +module A; + +type Idx: record { + i: addr; +}; + +type Val: record { + p: port; +}; + +global servers: table[addr] of Val = table(); + +event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, right: Val) + { + print left, right; + } + +event bro_init() + { + Input::add_table([$source="../input.log", $name="input", $idx=Idx, $val=Val, $ev=line, $destination=servers]); + } + +event Input::end_of_data(name: string, source: string) + { + Input::remove("input"); + terminate(); + } From c34fbee0d1a766dd7e864b28dbbf6380360ec990 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 10 Aug 2018 11:45:37 -0700 Subject: [PATCH 614/631] Make options redef-able by default. --- src/ID.cc | 16 ++++++++++++++++ src/ID.h | 2 +- testing/btest/Baseline/core.option-redef/.stdout | 1 + testing/btest/core/option-redef.bro | 4 ++++ 4 files changed, 22 insertions(+), 1 deletion(-) diff --git a/src/ID.cc b/src/ID.cc index 4216422225..a68abb6264 100644 --- a/src/ID.cc +++ b/src/ID.cc 
@@ -294,6 +294,22 @@ void ID::RemoveAttr(attr_tag a) } } +void ID::SetOption() + { + if ( is_option ) + return; + + is_option = true; + + // option implied redefinable + if ( ! IsRedefinable() ) + { + attr_list* attr = new attr_list; + attr->append(new Attr(ATTR_REDEF)); + AddAttrs(new Attributes(attr, Type(), false)); + } + } + void ID::EvalFunc(Expr* ef, Expr* ev) { Expr* arg1 = new ConstExpr(val->Ref()); diff --git a/src/ID.h b/src/ID.h index 442a13dfcc..18754584df 100644 --- a/src/ID.h +++ b/src/ID.h @@ -60,7 +60,7 @@ public: void SetConst() { is_const = true; } bool IsConst() const { return is_const; } - void SetOption() { is_option = true; } + void SetOption(); bool IsOption() const { return is_option; } void SetEnumConst() { is_enum_const = true; } diff --git a/testing/btest/Baseline/core.option-redef/.stdout b/testing/btest/Baseline/core.option-redef/.stdout index 1e8b314962..baf1966653 100644 --- a/testing/btest/Baseline/core.option-redef/.stdout +++ b/testing/btest/Baseline/core.option-redef/.stdout @@ -1 +1,2 @@ 6 +7 diff --git a/testing/btest/core/option-redef.bro b/testing/btest/core/option-redef.bro index 05706ab48b..3d67a9a755 100644 --- a/testing/btest/core/option-redef.bro +++ b/testing/btest/core/option-redef.bro @@ -2,11 +2,15 @@ # @TEST-EXEC: btest-diff .stdout # options are allowed to be redef-able. +# And they are even redef-able by default. option testopt = 5 &redef; redef testopt = 6; +option anotheropt = 6; +redef anotheropt = 7; event bro_init() { print testopt; + print anotheropt; } From 7b44a6499433aa1817a5c1b21b46f4e864621dae Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 10 Aug 2018 14:28:17 -0700 Subject: [PATCH 615/631] Fix test that fails now that options are automatically redefable. --- testing/btest/Baseline/core.option-errors-4/.stderr | 1 - testing/btest/core/option-errors.bro | 5 ----- 2 files changed, 6 deletions(-) delete mode 100644 testing/btest/Baseline/core.option-errors-4/.stderr 
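Review bot: `ID::SetOption()` now has a side effect that neither its name nor the bare declaration `void SetOption();` in ID.h reveals: it attaches `ATTR_REDEF` when the identifier is not already redefinable. I would document that at the declaration, for example `// Marks the ID as an option; also adds &redef if it is not already redefinable.`, and reword the in-body comment to `// An option implies redefinable.` The method passes `Type()` to the new `Attributes`, so it seems to rely on the type being set before `SetOption()` is called; if callers can invoke it earlier, that ordering deserves a comment or an assertion. Ownership of the raw `new attr_list` and `new Attr` is presumably taken over by `Attributes` and `AddAttrs`, which this hunk does not show.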
diff --git a/testing/btest/Baseline/core.option-errors-4/.stderr b/testing/btest/Baseline/core.option-errors-4/.stderr deleted file mode 100644 index b443da2eb9..0000000000 --- a/testing/btest/Baseline/core.option-errors-4/.stderr +++ /dev/null @@ -1 +0,0 @@ -error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors-4/option-errors.bro, line 2 and /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors-4/option-errors.bro, line 3: already defined (testopt) diff --git a/testing/btest/core/option-errors.bro b/testing/btest/core/option-errors.bro index 6a53598650..6a9a8f1db6 100644 --- a/testing/btest/core/option-errors.bro +++ b/testing/btest/core/option-errors.bro @@ -11,8 +11,3 @@ option testbool : bool; option testopt = 5; testopt = 6; - -@TEST-START-NEXT - -option testopt = 5; -redef testopt = 6; From 9f12b56105be226d26c29c92e7ccb2758d1f8436 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 10 Aug 2018 16:58:27 -0500 Subject: [PATCH 616/631] Misc. unit test improvements --- .../Baseline/bifs.hll_large_estimate/out | 2 +- .../logger-1..stdout | 6 ++++ .../manager-1..stdout | 1 + .../proxy-1..stdout | 1 + .../proxy-2..stdout | 1 + .../worker-1..stdout | 1 + .../worker-2..stdout | 1 + testing/btest/bifs/hll_large_estimate.bro | 2 +- .../frameworks/cluster/start-it-up-logger.bro | 32 ++++++++++++------- .../base/frameworks/config/updates.bro | 6 ++-- testing/external/scripts/diff-all | 2 +- 11 files changed, 38 insertions(+), 17 deletions(-) diff --git a/testing/btest/Baseline/bifs.hll_large_estimate/out b/testing/btest/Baseline/bifs.hll_large_estimate/out index 6897673f4e..c0bbe2b31d 100644 --- a/testing/btest/Baseline/bifs.hll_large_estimate/out +++ b/testing/btest/Baseline/bifs.hll_large_estimate/out @@ -1,3 +1,3 @@ Ok error -171249.90868 +167377.950902 Ok error 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/logger-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/logger-1..stdout index e10770a5cc..15baa652c9 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/logger-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/logger-1..stdout @@ -2,4 +2,10 @@ Connected to a peer Connected to a peer Connected to a peer Connected to a peer +got fully_connected event from, worker-1 Connected to a peer +got fully_connected event from, proxy-1 +got fully_connected event from, proxy-2 +got fully_connected event from, manager-1 +got fully_connected event from, worker-2 +termination condition met: shutting down diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/manager-1..stdout index e10770a5cc..b7b8f3e3b6 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/manager-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/manager-1..stdout @@ -3,3 +3,4 @@ Connected to a peer Connected to a peer Connected to a peer Connected to a peer +sent fully_connected event diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-1..stdout index 7c8eb5ee83..328d7c91a3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-1..stdout @@ -2,3 +2,4 @@ Connected to a peer Connected to a peer Connected to a peer Connected to a peer +sent fully_connected event 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-2..stdout index 7c8eb5ee83..328d7c91a3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-2..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-2..stdout @@ -2,3 +2,4 @@ Connected to a peer Connected to a peer Connected to a peer Connected to a peer +sent fully_connected event diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-1..stdout index 7c8eb5ee83..328d7c91a3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-1..stdout @@ -2,3 +2,4 @@ Connected to a peer Connected to a peer Connected to a peer Connected to a peer +sent fully_connected event diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-2..stdout index 7c8eb5ee83..328d7c91a3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-2..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-2..stdout @@ -2,3 +2,4 @@ Connected to a peer Connected to a peer Connected to a peer Connected to a peer +sent fully_connected event diff --git a/testing/btest/bifs/hll_large_estimate.bro b/testing/btest/bifs/hll_large_estimate.bro index 2059e47568..b17b50678d 100644 --- a/testing/btest/bifs/hll_large_estimate.bro +++ b/testing/btest/bifs/hll_large_estimate.bro 
@@ -8,7 +8,7 @@ event bro_init() { - local cp: opaque of cardinality = hll_cardinality_init(0.1, 0.99); + local cp: opaque of cardinality = hll_cardinality_init(0.1, 1.0); local base: count = 2130706432; # 127.0.0.0 local i: count = 0; while ( ++i < 170000 ) diff --git a/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro b/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro index 6bb9dcbc03..b973705c97 100644 --- a/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro +++ b/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro @@ -1,13 +1,13 @@ # @TEST-SERIALIZE: comm # -# @TEST-EXEC: btest-bg-run logger-1 CLUSTER_NODE=logger-1 BROPATH=$BROPATH:.. bro %INPUT +# @TEST-EXEC: btest-bg-run logger-1 CLUSTER_NODE=logger-1 BROPATH=$BROPATH:.. bro %INPUT # @TEST-EXEC: btest-bg-run manager-1 CLUSTER_NODE=manager-1 BROPATH=$BROPATH:.. bro %INPUT -# @TEST-EXEC: btest-bg-run proxy-1 CLUSTER_NODE=proxy-1 BROPATH=$BROPATH:.. bro %INPUT -# @TEST-EXEC: btest-bg-run proxy-2 CLUSTER_NODE=proxy-2 BROPATH=$BROPATH:.. bro %INPUT -# @TEST-EXEC: btest-bg-run worker-1 CLUSTER_NODE=worker-1 BROPATH=$BROPATH:.. bro %INPUT -# @TEST-EXEC: btest-bg-run worker-2 CLUSTER_NODE=worker-2 BROPATH=$BROPATH:.. bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-1 CLUSTER_NODE=proxy-1 BROPATH=$BROPATH:.. bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-2 CLUSTER_NODE=proxy-2 BROPATH=$BROPATH:.. bro %INPUT +# @TEST-EXEC: btest-bg-run worker-1 CLUSTER_NODE=worker-1 BROPATH=$BROPATH:.. bro %INPUT +# @TEST-EXEC: btest-bg-run worker-2 CLUSTER_NODE=worker-2 BROPATH=$BROPATH:.. bro %INPUT # @TEST-EXEC: btest-bg-wait 30 -# @TEST-EXEC: btest-diff logger-1/.stdout +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff logger-1/.stdout # @TEST-EXEC: btest-diff manager-1/.stdout # @TEST-EXEC: btest-diff proxy-1/.stdout # @TEST-EXEC: btest-diff proxy-2/.stdout 
@@ -30,20 +30,27 @@ redef Cluster::retry_interval = 1sec; redef Broker::default_listen_retry = 1sec; redef Broker::default_connect_retry = 1sec; -global fully_connected: event(); - global peer_count = 0; global fully_connected_nodes = 0; -event fully_connected() +event fully_connected(n: string) { ++fully_connected_nodes; if ( Cluster::node == "logger-1" ) { + print "got fully_connected event from", n; + if ( peer_count == 5 && fully_connected_nodes == 5 ) + { + print "termination condition met: shutting down"; terminate(); + } + } + else + { + print "sent fully_connected event"; } } @@ -60,17 +67,20 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) if ( Cluster::node == "logger-1" ) { if ( peer_count == 5 && fully_connected_nodes == 5 ) + { + print "termination condition met: shutting down"; terminate(); + } } else if ( Cluster::node == "manager-1" ) { if ( peer_count == 5 ) - event fully_connected(); + event fully_connected(Cluster::node); } else { if ( peer_count == 4 ) - event fully_connected(); + event fully_connected(Cluster::node); } } diff --git a/testing/btest/scripts/base/frameworks/config/updates.bro b/testing/btest/scripts/base/frameworks/config/updates.bro index 1e523c752f..a4ee557e27 100644 --- a/testing/btest/scripts/base/frameworks/config/updates.bro +++ b/testing/btest/scripts/base/frameworks/config/updates.bro 
@@ -1,11 +1,11 @@ # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got1 5 || (btest-bg-wait -k 1 && false) +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got1 10 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: mv configfile2 configfile # @TEST-EXEC: touch configfile -# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 5 || (btest-bg-wait -k 1 && false) +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 10 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: mv configfile3 configfile # @TEST-EXEC: touch configfile -# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got3 5 || (btest-bg-wait -k 1 && false) +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got3 10 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: mv configfile4 configfile # @TEST-EXEC: touch configfile # @TEST-EXEC: btest-bg-wait 10 diff --git a/testing/external/scripts/diff-all b/testing/external/scripts/diff-all index e84416c088..d51f3b294f 100755 --- a/testing/external/scripts/diff-all +++ b/testing/external/scripts/diff-all @@ -22,7 +22,7 @@ files_cwd=`ls $@` files_baseline=`cd $TEST_BASELINE && ls $@` for i in `echo $files_cwd $files_baseline | sort | uniq`; do - if [[ "$i" != "loaded_scripts.log" && "$i" != "prof.log" && "$i" != "debug.log" && "$i" != "stats.log" ]]; then + if [[ "$i" != "loaded_scripts.log" && "$i" != "prof.log" && "$i" != "debug.log" && "$i" != "stats.log" && "$i" != broker_*.log ]]; then if [[ "$i" == "reporter.log" ]]; then # Do not diff the reporter.log if it only complains about missing From 083947af4111b0437b1061f74ffc95d14b74c167 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Fri, 10 Aug 2018 17:08:26 -0500 Subject: [PATCH 617/631] Update default broker threading configuration Now defaults to a max of 4 threads typically indepedent of core count (previously could go up to a hard cap of 8). Also now allow controlling this setting via BRO_BROKER_MAX_THREADS environment variable. --- scripts/base/frameworks/broker/main.bro | 8 +++--- src/broker/Manager.cc | 35 +++++++++++++++---------- 2 files changed, 26 insertions(+), 17 deletions(-) diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.bro index 0fdf289ee6..fb73f78d3c 100644 --- a/scripts/base/frameworks/broker/main.bro +++ b/scripts/base/frameworks/broker/main.bro @@ -56,9 +56,11 @@ export { ## control mechanisms). const congestion_queue_size = 200 &redef; - ## Max number of threads to use for Broker/CAF functionality. - ## Using zero will cause this to be automatically determined - ## based on number of available CPUs. + ## Max number of threads to use for Broker/CAF functionality. Setting to + ## zero implies using the value of BRO_BROKER_MAX_THREADS environment + ## variable, if set, or else typically defaults to 4 (actually 2 threads + ## when simply reading offline pcaps as there's not expected to be any + ## communication and more threads just adds more overhead). const max_threads = 0 &redef; ## Max number of microseconds for under-utilized Broker/CAF diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 9712516b74..1d3696efa0 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc 
@@ -184,22 +184,29 @@ void Manager::InitPostScript() config.set("scheduler.max-threads", max_threads); else { - // On high-core-count systems, spawning one thread per core - // can lead to significant performance problems even if most - // threads are under-utilized. Related: - // https://github.com/actor-framework/actor-framework/issues/699 - if ( reading_pcaps ) - config.set("scheduler.max-threads", 2u); + auto max_threads_env = getenv("BRO_BROKER_MAX_THREADS"); + + if ( max_threads_env ) + config.set("scheduler.max-threads", atoi(max_threads_env)); else { - auto hc = std::thread::hardware_concurrency(); - - if ( hc > 8u ) - hc = 8u; - else if ( hc < 4u) - hc = 4u; - - config.set("scheduler.max-threads", hc); + // On high-core-count systems, letting CAF spawn a thread per core + // can lead to significant performance problems even if most + // threads are under-utilized. Related: + // https://github.com/actor-framework/actor-framework/issues/699 + if ( reading_pcaps ) + config.set("scheduler.max-threads", 2u); + else + // If the goal was to map threads to actors, 4 threads seems + // like a minimal default that could make sense -- the main + // actors that should be doing work are (1) the core, + // (2) the subscriber, (3) data stores (actually made of + // a frontend + proxy actor). Number of data stores may + // actually vary, but lumped togather for simplicity. A (4) + // may be CAF's multiplexing or other internals... + // 4 is also the minimum number that CAF uses by default, + // even for systems with less than 4 cores. + config.set("scheduler.max-threads", 4u); } } From 67524f26d583d375ccdebb1cb7b927241a19e3c5 Mon Sep 17 00:00:00 2001 
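Review bot: The new `config.set("scheduler.max-threads", atoi(max_threads_env));` branch in Manager::InitPostScript feeds BRO_BROKER_MAX_THREADS to the scheduler without any validation. atoi() yields 0 for an empty or non-numeric string, passes negative numbers through, and has undefined behaviour when the value does not fit in an int; the sibling branches pass unsigned literals (`2u`, `4u`), so this branch also differs in signedness. Parsing with strtol, accepting only a whole positive number, and otherwise warning and falling through to the built-in default would keep a typo in the environment from silently producing an unusable thread count; a lower project-chosen cap than INT_MAX would also be reasonable. The function body starts and ends outside the hunk.

```cpp
auto max_threads_env = getenv("BRO_BROKER_MAX_THREADS");
long env_threads = 0;

if ( max_threads_env )
	{
	char* end = nullptr;
	errno = 0;
	env_threads = strtol(max_threads_env, &end, 10);

	if ( errno != 0 || end == max_threads_env || *end != '\0' ||
	     env_threads <= 0 || env_threads > INT_MAX )
		{
		reporter->Warning("ignoring invalid BRO_BROKER_MAX_THREADS value");
		env_threads = 0;
		}
	}

if ( env_threads > 0 )
	config.set("scheduler.max-threads", static_cast<unsigned>(env_threads));
else
	{
	// … unchanged: 2 threads when reading pcaps, otherwise 4 …
	}
```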
From: Jon Siwek Date: Fri, 10 Aug 2018 17:12:53 -0500 Subject: [PATCH 618/631] Immediately apply broker subscriptions made during bro_init() Otherwise that's begging for unit test failures due to races --- CHANGES | 10 ++++++++++ VERSION | 2 +- aux/broker | 2 +- scripts/base/frameworks/broker/main.bro | 5 ++++- src/broker/Manager.cc | 5 +++-- src/broker/Manager.h | 4 ++++ src/main.cc | 1 + 7 files changed, 24 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index fabb87ba43..325632239d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,14 @@ +2.5-831 | 2018-08-10 17:12:53 -0500 + + * Immediately apply broker subscriptions made during bro_init() + (Jon Siwek, Corelight) + + * Update default broker threading configuration to use 4 threads and allow + tuning via BRO_BROKER_MAX_THREADS env. variable (Jon Siwek, Corelight) + + * Misc. unit test improvements (Jon Siwek, Corelight) + 2.5-826 | 2018-08-08 13:09:27 -0700 * Add support for code coverage statistics for bro source files after running btest diff --git a/VERSION b/VERSION index ca5b6f51d7..e6f8b2c2ac 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-826 +2.5-831 diff --git a/aux/broker b/aux/broker index 3ab9b647ee..e0f9f6504d 160000 --- a/aux/broker +++ b/aux/broker @@ -1 +1 @@ -Subproject commit 3ab9b647eedf6be674067198551d57b2b17e86d1 +Subproject commit e0f9f6504db9285a48e0be490abddf959999a404 diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.bro index fb73f78d3c..645c2b4382 100644 --- a/scripts/base/frameworks/broker/main.bro +++ b/scripts/base/frameworks/broker/main.bro 
@@ -261,7 +261,8 @@ export { global publish_id: function(topic: string, id: string): bool; ## Register interest in all peer event messages that use a certain topic - ## prefix. + ## prefix. Note that subscriptions may not be altered immediately after + ## calling (except during :bro:see:`bro_init`). ## ## topic_prefix: a prefix to match against remote message topics. ## e.g. an empty prefix matches everything and "a" matches @@ -271,6 +272,8 @@ export { global subscribe: function(topic_prefix: string): bool; ## Unregister interest in all peer event messages that use a topic prefix. + ## Note that subscriptions may not be altered immediately after calling + ## (except during :bro:see:`bro_init`). ## ## topic_prefix: a prefix previously supplied to a successful call to ## :bro:see:`Broker::subscribe`. diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 1d3696efa0..ca5ac53c96 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -137,6 +137,7 @@ Manager::Manager(bool arg_reading_pcaps) { bound_port = 0; reading_pcaps = arg_reading_pcaps; + after_bro_init = false; peer_count = 0; log_topic_func = nullptr; vector_of_data_type = nullptr; @@ -847,14 +848,14 @@ RecordVal* Manager::MakeEvent(val_list* args, Frame* frame) bool Manager::Subscribe(const string& topic_prefix) { DBG_LOG(DBG_BROKER, "Subscribing to topic prefix %s", topic_prefix.c_str()); - bstate->subscriber.add_topic(topic_prefix); + bstate->subscriber.add_topic(topic_prefix, ! after_bro_init); return true; } bool Manager::Unsubscribe(const string& topic_prefix) { DBG_LOG(DBG_BROKER, "Unsubscribing from topic prefix %s", topic_prefix.c_str()); - bstate->subscriber.remove_topic(topic_prefix); + bstate->subscriber.remove_topic(topic_prefix, ! after_bro_init); return true; } diff --git a/src/broker/Manager.h b/src/broker/Manager.h index b5faaee345..415dd00a2c 100644 --- a/src/broker/Manager.h +++ b/src/broker/Manager.h 
@@ -66,6 +66,9 @@ public: */ void InitPostScript(); + void BroInitDone() + { after_bro_init = true; } + /** * Shuts Broker down at termination. */ @@ -404,6 +407,7 @@ private: uint16_t bound_port; bool reading_pcaps; + bool after_bro_init; int peer_count; Func* log_topic_func; diff --git a/src/main.cc b/src/main.cc index 2e9a89ddd1..757b09351f 100644 --- a/src/main.cc +++ b/src/main.cc @@ -1182,6 +1182,7 @@ int main(int argc, char** argv) // Drain the event queue here to support the protocols framework configuring DPM mgr.Drain(); + broker_mgr->BroInitDone(); analyzer_mgr->DumpDebug(); have_pending_timers = ! reading_traces && timer_mgr->Size() > 0; From a2f8d81fb6449d27aae74da6c80d7c139f6733f4 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Mon, 13 Aug 2018 10:20:58 -0500 Subject: [PATCH 619/631] Fix validate-certs.bro comments --- scripts/policy/protocols/ssl/validate-certs.bro | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index 451388da24..3f0d18a1c5 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro @@ -50,11 +50,11 @@ export { ## and is thus disabled by default. global ssl_store_valid_chain: bool = F &redef; - ## Event from a worker to the manager that it has encountered a new - ## valid intermediate. + ## Event from a manager to workers when encountering a new, valid + ## intermediate. global intermediate_add: event(key: string, value: vector of opaque of x509); - ## Event from the manager to the workers that a new intermediate chain + ## Event from workers to the manager when a new intermediate chain ## is to be added. global new_intermediate: event(key: string, value: vector of opaque of x509); } From 5821c16490e731a68c0efc9c1aaba2d7aec28f48 Mon Sep 17 00:00:00 2001 
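Review bot: `void BroInitDone()` in src/broker/Manager.h is added without a doc comment, while the declarations around it (InitPostScript, Terminate) each carry a Doxygen block. A reader cannot tell from the header what the flag changes; going by the Manager.cc hunks of this commit, it flips the second argument passed to `add_topic`/`remove_topic` in Subscribe()/Unsubscribe(). I would add `/** Marks the end of bro_init() processing; before this call Subscribe()/Unsubscribe() ask the subscriber to apply topic changes immediately, afterwards they do not. */` above it, and a one-line comment on the `after_bro_init` member saying it is set once from main(). The class body continues outside the hunk.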
From: Jon Siwek Date: Mon, 13 Aug 2018 17:40:06 -0500 Subject: [PATCH 620/631] Fix SumStats::observe key normalization logic The loop over Reducers in SumStats::observe performs a key normalization and inadvertently modifies the key used for subsequent iterations. Reported by Jim Mellander. --- CHANGES | 5 +++++ VERSION | 2 +- scripts/base/frameworks/sumstats/main.bro | 5 ++--- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 04b025c23b..7013e2a931 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,9 @@ +2.5-840 | 2018-08-13 17:40:06 -0500 + + * Fix SumStats::observe key normalization logic + (reported by Jim Mellander and fixed by Jon Siwek, Corelight) + 2.5-839 | 2018-08-13 10:51:43 -0500 * Make options redef-able by default. (Johanna Amann, Corelight) diff --git a/VERSION b/VERSION index 7960a61cb9..446a694de2 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-839 +2.5-840 diff --git a/scripts/base/frameworks/sumstats/main.bro b/scripts/base/frameworks/sumstats/main.bro index f704dbcdd2..69a853fd5a 100644 --- a/scripts/base/frameworks/sumstats/main.bro +++ b/scripts/base/frameworks/sumstats/main.bro @@ -399,7 +399,7 @@ function create(ss: SumStat) schedule ss$epoch { SumStats::finish_epoch(ss) }; } -function observe(id: string, key: Key, obs: Observation) +function observe(id: string, orig_key: Key, obs: Observation) { if ( id !in reducer_store ) return; @@ -407,8 +407,7 @@ function observe(id: string, key: Key, obs: Observation) # Try to add the data to all of the defined reducers. for ( r in reducer_store[id] ) { - if ( r?$normalize_key ) - key = r$normalize_key(copy(key)); + local key = r?$normalize_key ? r$normalize_key(copy(orig_key)) : orig_key; # If this reducer has a predicate, run the predicate # and skip this key if the predicate return false. From 0e6913fba021bd849fc24a651dd87d04133dd518 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Tue, 14 Aug 2018 16:45:09 -0500 Subject: [PATCH 621/631] BIT-1798: fix PPTP GRE tunnel decapsulation --- CHANGES | 4 ++++ VERSION | 2 +- src/Sessions.cc | 4 ++-- .../btest/Baseline/core.tunnels.gre-pptp/conn.log | 10 ++++++++++ .../btest/Baseline/core.tunnels.gre-pptp/dns.log | 10 ++++++++++ .../Baseline/core.tunnels.gre-pptp/tunnel.log | 11 +++++++++++ testing/btest/Traces/tunnels/gre-pptp.pcap | Bin 0 -> 521 bytes testing/btest/core/tunnels/gre-pptp.test | 4 ++++ 8 files changed, 42 insertions(+), 3 deletions(-) create mode 100644 testing/btest/Baseline/core.tunnels.gre-pptp/conn.log create mode 100644 testing/btest/Baseline/core.tunnels.gre-pptp/dns.log create mode 100644 testing/btest/Baseline/core.tunnels.gre-pptp/tunnel.log create mode 100644 testing/btest/Traces/tunnels/gre-pptp.pcap create mode 100644 testing/btest/core/tunnels/gre-pptp.test diff --git a/CHANGES b/CHANGES index 7013e2a931..32b7c8cbc2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-841 | 2018-08-14 16:45:09 -0500 + + * BIT-1798: fix PPTP GRE tunnel decapsulation (Jon Siwek, Corelight) + 2.5-840 | 2018-08-13 17:40:06 -0500 * Fix SumStats::observe key normalization logic diff --git a/VERSION b/VERSION index 446a694de2..7a93a5255d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-840 +2.5-841 diff --git a/src/Sessions.cc b/src/Sessions.cc index 9dc569daa7..876988361d 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -532,7 +532,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr // If a carried packet has ethernet, this will help skip it. unsigned int eth_len = 0; unsigned int gre_len = gre_header_len(flags_ver); - unsigned int ppp_len = gre_version == 1 ? 1 : 0; + unsigned int ppp_len = gre_version == 1 ? 4 : 0; if ( gre_version != 0 && gre_version != 1 ) { 
@@ -598,7 +598,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr if ( gre_version == 1 ) { - int ppp_proto = *((uint8*)(data + gre_len)); + uint16 ppp_proto = ntohs(*((uint16*)(data + gre_len + 2))); if ( ppp_proto != 0x0021 && ppp_proto != 0x0057 ) { diff --git a/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log b/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log new file mode 100644 index 0000000000..20c0dc7317 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2018-08-14-21-42-31 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +1417577703.821897 C4J4Th3PJpwUYZZ6gc 172.16.44.3 40768 8.8.8.8 53 udp dns 0.213894 71 146 SF - - 0 Dd 1 99 1 174 ClEkJM2Vm5giqnMf4h +#close 2018-08-14-21-42-31 diff --git a/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log b/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log new file mode 100644 index 0000000000..01875c2ff9 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log 
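Review bot: The new `uint16 ppp_proto = ntohs(*((uint16*)(data + gre_len + 2)));` dereferences a `uint16*` formed from a byte pointer into captured packet data, which is not guaranteed to be 2-byte aligned and is undefined behaviour on strict-alignment targets. It also reads the bytes at offsets gre_len+2 and gre_len+3, so the packet must hold at least gre_len + 4 bytes at this point; the first hunk raises `ppp_len` to 4, which presumably feeds the length check, but that check is outside the hunk and should be confirmed to run before this read for truncated captures. Copying the bytes out avoids the alignment problem: `uint16 ppp_proto; memcpy(&ppp_proto, data + gre_len + 2, sizeof(ppp_proto)); ppp_proto = ntohs(ppp_proto);`. DoNextPacket starts and ends outside the hunk.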
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dns +#open 2018-08-14-21-42-31 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected +#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool +1417577703.821897 C4J4Th3PJpwUYZZ6gc 172.16.44.3 40768 8.8.8.8 53 udp 42540 - xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F +#close 2018-08-14-21-42-31 diff --git a/testing/btest/Baseline/core.tunnels.gre-pptp/tunnel.log b/testing/btest/Baseline/core.tunnels.gre-pptp/tunnel.log new file mode 100644 index 0000000000..780ea33f59 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gre-pptp/tunnel.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2018-08-14-21-42-31 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1417577703.821897 CHhAvVGS1DHFjwGM9 2402:f000:1:8e01::5555 0 2607:fcd0:100:2300::b108:2a6b 0 Tunnel::IP Tunnel::DISCOVER +1417577703.821897 ClEkJM2Vm5giqnMf4h 16.0.0.200 0 192.52.166.154 0 Tunnel::GRE Tunnel::DISCOVER +#close 2018-08-14-21-42-31 diff --git a/testing/btest/Traces/tunnels/gre-pptp.pcap b/testing/btest/Traces/tunnels/gre-pptp.pcap new file mode 100644 index 0000000000000000000000000000000000000000..45216c7f7adc9c2b7fa0f7f2288e88b4e0165135 GIT binary patch literal 521 zcmca|c+)~A1{MYw`2U}Qff2}g-clFR*~PYV3b5Ffu5Ec^f&jvR#3yde$>AIOv!D6JTICalmBREQ7`lZiaO6 z1_rkNjSL)CW&fEO6oKlJfvOm61jEwT2=H{oQ8tGb^n;ROXT3F~Bnwcl+nwTb8>RKA7rs`T68XKAzq?((VnOiV0$S^Rz z0D9_tHvLA z5CnQ?2h>CBnAsQ@j0ES3fjk596oVGd)i?9VnihpUY6e%gM>Wz|O(Iz}&*X LY1P2M7}x*+<->hB literal 0 HcmV?d00001 
diff --git a/testing/btest/core/tunnels/gre-pptp.test b/testing/btest/core/tunnels/gre-pptp.test new file mode 100644 index 0000000000..a5fa8c0d19 --- /dev/null +++ b/testing/btest/core/tunnels/gre-pptp.test @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -r $TRACES/tunnels/gre-pptp.pcap +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff tunnel.log +# @TEST-EXEC: btest-diff dns.log From f336c8c710bdeb41eb0aba88967ee90da24848b2 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 15 Aug 2018 11:00:20 -0500 Subject: [PATCH 622/631] Fix seg fault on trying to type-cast invalid/nil Broker::Data This situation now throws a runtime expression exception instead of crashing on null pointer access. --- CHANGES | 5 +++++ VERSION | 2 +- src/Expr.cc | 9 ++++++++- src/Val.cc | 8 ++++++++ .../Baseline/language.type-cast-error-dynamic/output | 6 ++++-- testing/btest/language/type-cast-error-dynamic.bro | 2 ++ 6 files changed, 28 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 32b7c8cbc2..af9f1b88f5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,9 @@ +2.5-842 | 2018-08-15 11:00:20 -0500 + + * Fix seg fault on trying to type-cast invalid/nil Broker::Data + (Jon Siwek, Corelight) + 2.5-841 | 2018-08-14 16:45:09 -0500 * BIT-1798: fix PPTP GRE tunnel decapsulation (Jon Siwek, Corelight) diff --git a/VERSION b/VERSION index 7a93a5255d..4744b3cd09 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-841 +2.5-842 diff --git a/src/Expr.cc b/src/Expr.cc index f958c63ecf..07034db1a8 100644 --- a/src/Expr.cc +++ b/src/Expr.cc @@ -16,6 +16,8 @@ #include "Trigger.h" #include "IPAddr.h" +#include "broker/Data.h" + const char* expr_name(BroExprTag t) { static const char* expr_names[int(NUM_EXPRS)] = { 
@@ -5503,11 +5505,16 @@ Val* CastExpr::Eval(Frame* f) const } ODesc d; - d.Add("cannot cast value of type '"); + d.Add("invalid cast of value with type '"); v->Type()->Describe(&d); d.Add("' to type '"); Type()->Describe(&d); d.Add("'"); + + if ( same_type(v->Type(), bro_broker::DataVal::ScriptDataType()) && + ! v->AsRecordVal()->Lookup(0) ) + d.Add(" (nil $data field)"); + Unref(v); reporter->ExprRuntimeError(this, "%s", d.Description()); return 0; // not reached. diff --git a/src/Val.cc b/src/Val.cc index 1024251418..7879d282b2 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -3632,6 +3632,10 @@ Val* cast_value_to_type(Val* v, BroType* t) if ( same_type(v->Type(), bro_broker::DataVal::ScriptDataType()) ) { auto dv = v->AsRecordVal()->Lookup(0); + + if ( ! dv ) + return 0; + return static_cast(dv)->castTo(t); } @@ -3654,6 +3658,10 @@ bool can_cast_value_to_type(const Val* v, BroType* t) if ( same_type(v->Type(), bro_broker::DataVal::ScriptDataType()) ) { auto dv = v->AsRecordVal()->Lookup(0); + + if ( ! dv ) + return false; + return static_cast(dv)->canCastTo(t); } diff --git a/testing/btest/Baseline/language.type-cast-error-dynamic/output b/testing/btest/Baseline/language.type-cast-error-dynamic/output index 10d92ac199..8ebf0cc90e 100644 --- a/testing/btest/Baseline/language.type-cast-error-dynamic/output +++ b/testing/btest/Baseline/language.type-cast-error-dynamic/output 
@@ -1,2 +1,4 @@ -expression error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.bro, line 11: cannot cast value of type 'count' to type 'string' [a as string] -expression error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.bro, line 11: cannot cast value of type 'record { a:addr; b:port; }' to type 'string' [a as string] +expression error in /Users/jon/projects/bro/bro/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.bro, line 11: invalid cast of value with type 'count' to type 'string' [a as string] +expression error in /Users/jon/projects/bro/bro/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.bro, line 11: invalid cast of value with type 'record { a:addr; b:port; }' to type 'string' [a as string] +expression error in /Users/jon/projects/bro/bro/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.bro, line 11: invalid cast of value with type 'record { data:opaque of Broker::Data; }' to type 'string' (nil $data field) [a as string] +data is string, F diff --git a/testing/btest/language/type-cast-error-dynamic.bro b/testing/btest/language/type-cast-error-dynamic.bro index 45f1d1fb5f..91fa212ce4 100644 --- a/testing/btest/language/type-cast-error-dynamic.bro +++ b/testing/btest/language/type-cast-error-dynamic.bro @@ -18,6 +18,8 @@ event bro_init() cast_to_string(42); cast_to_string(x); + cast_to_string(Broker::Data()); + print "data is string", Broker::Data() is string; } From 05b10fe2e78d40f827a34fc932fce7be6d1c7daa Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Wed, 15 Aug 2018 18:01:56 -0500 Subject: [PATCH 623/631] BIT-1544: allow NULs in file analysis handles --- CHANGES | 4 ++++ VERSION | 2 +- src/file_analysis/Manager.cc | 11 ++++++++++- src/file_analysis/Manager.h | 6 ++++-- src/file_analysis/file_analysis.bif | 4 +++- 5 files changed, 22 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index af9f1b88f5..b088383e2c 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-843 | 2018-08-15 18:01:56 -0500 + + * BIT-1544: allow NULs in file analysis handles (Jon Siwek, Corelight) + 2.5-842 | 2018-08-15 11:00:20 -0500 * Fix seg fault on trying to type-cast invalid/nil Broker::Data diff --git a/VERSION b/VERSION index 4744b3cd09..e13a35390e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-842 +2.5-843 diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index 177f5446dd..b095315de8 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -104,7 +104,16 @@ void Manager::SetHandle(const string& handle) if ( handle.empty() ) return; - DBG_LOG(DBG_FILE_ANALYSIS, "Set current handle to %s", handle.c_str()); +#ifdef DEBUG + if ( debug_logger.IsEnabled(DBG_FILE_ANALYSIS) ) + { + BroString tmp{handle}; + auto rendered = tmp.Render(); + DBG_LOG(DBG_FILE_ANALYSIS, "Set current handle to %s", rendered); + delete [] rendered; + } +#endif + current_file_id = HashHandle(handle); } diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index b6d3658f9e..fe3328b679 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -70,7 +70,8 @@ public: /** * Creates a file identifier from a unique file handle string. - * @param handle a unique string which identifies a single file. + * @param handle a unique string (may contain NULs) which identifies + * a single file. * @return a prettified MD5 hash of \a handle, truncated to *bits_per_uid* bits. */ string HashHandle(const string& handle) const; 
@@ -78,7 +79,8 @@ public: /** * Take in a unique file handle string to identify next piece of * incoming file data/information. - * @param handle a unique string which identifies a single file. + * @param handle a unique string (may contain NULs) which identifies + * a single file. */ void SetHandle(const string& handle); diff --git a/src/file_analysis/file_analysis.bif b/src/file_analysis/file_analysis.bif index f445a9cf6a..d2c6c43394 100644 --- a/src/file_analysis/file_analysis.bif +++ b/src/file_analysis/file_analysis.bif @@ -105,7 +105,9 @@ module GLOBAL; ## .. bro:see:: get_file_handle function set_file_handle%(handle: string%): any %{ - file_mgr->SetHandle(handle->CheckString()); + auto bytes = reinterpret_cast(handle->Bytes()); + auto h = std::string(bytes, handle->Len()); + file_mgr->SetHandle(h); return 0; %} From da9f91fc193c5f2e6c5db37360841183226241e0 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Thu, 16 Aug 2018 12:13:16 -0500 Subject: [PATCH 624/631] Add env. variables to override Broker listen/connect retry intervals And use them to default retries to 1sec for all unit tests. --- CHANGES | 6 ++++ VERSION | 2 +- scripts/base/frameworks/broker/main.bro | 31 ++++++++++++++----- scripts/base/frameworks/cluster/main.bro | 2 ++ src/broker/Manager.cc | 5 +++ src/broker/Manager.h | 3 +- testing/btest/broker/connect-on-retry.bro | 5 +-- testing/btest/broker/disconnect.bro | 4 --- testing/btest/broker/error.bro | 2 -- testing/btest/broker/remote_event.bro | 4 --- testing/btest/broker/remote_event_any.bro | 4 --- testing/btest/broker/remote_event_auto.bro | 4 --- .../btest/broker/remote_event_ssl_auth.bro | 4 --- testing/btest/broker/remote_log.bro | 2 -- testing/btest/broker/remote_log_late_join.bro | 2 -- testing/btest/broker/remote_log_types.bro | 2 -- .../broker/remote_publish_and_relay_event.bro | 6 ---- testing/btest/broker/remote_relay_event.bro | 6 ---- testing/btest/broker/ssl_auth_failure.bro | 4 --- testing/btest/broker/unpeer.bro | 4 --- testing/btest/btest.cfg | 2 ++ testing/btest/core/leaks/basic-cluster.bro | 4 --- testing/btest/core/leaks/hll_cluster.bro | 4 --- .../cluster/custom_pool_exclusivity.bro | 4 --- .../frameworks/cluster/custom_pool_limits.bro | 4 --- .../frameworks/cluster/log_distribution.bro | 4 --- .../frameworks/cluster/start-it-up-logger.bro | 4 --- .../base/frameworks/cluster/start-it-up.bro | 4 --- .../frameworks/cluster/topic_distribution.bro | 4 --- .../cluster/topic_distribution_bifs.bro | 4 --- .../control/configuration_update.bro | 4 --- .../intel/read-file-dist-cluster.bro | 4 --- .../logging/field-extension-cluster-error.bro | 4 --- .../logging/field-extension-cluster.bro | 3 -- .../frameworks/netcontrol/basic-cluster.bro | 4 --- .../base/frameworks/notice/cluster.bro | 4 --- .../frameworks/notice/suppression-cluster.bro | 4 --- .../base/frameworks/openflow/log-cluster.bro | 3 -- 
.../frameworks/sumstats/basic-cluster.bro | 4 --- .../sumstats/cluster-intermediate-update.bro | 4 --- .../frameworks/sumstats/on-demand-cluster.bro | 4 --- .../frameworks/sumstats/sample-cluster.bro | 3 -- .../base/frameworks/sumstats/topk-cluster.bro | 3 -- 43 files changed, 43 insertions(+), 145 deletions(-) diff --git a/CHANGES b/CHANGES index b088383e2c..51705feb5f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +2.5-844 | 2018-08-16 12:13:16 -0500 + + * Add env. variables to override Broker listen/connect retry intervals + And use them to default retries to 1sec for all unit tests. + (Jon Siwek, Corelight) + 2.5-843 | 2018-08-15 18:01:56 -0500 * BIT-1544: allow NULs in file analysis handles (Jon Siwek, Corelight) diff --git a/VERSION b/VERSION index e13a35390e..2f415d4be9 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-843 +2.5-844 diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.bro index 645c2b4382..0db239fb88 100644 --- a/scripts/base/frameworks/broker/main.bro +++ b/scripts/base/frameworks/broker/main.bro @@ -8,7 +8,9 @@ export { const default_port = 9999/tcp &redef; ## Default interval to retry listening on a port if it's currently in - ## use already. + ## use already. Use of the BRO_DEFAULT_LISTEN_RETRY environment variable + ## (set as a number of seconds) will override this option and also + ## any values given to :bro:see:`Broker::listen`. const default_listen_retry = 30sec &redef; ## Default address on which to listen. 
@@ -16,8 +18,11 @@ export { ## .. bro:see:: Broker::listen const default_listen_address = getenv("BRO_DEFAULT_LISTEN_ADDRESS") &redef; - ## Default interval to retry connecting to a peer if it cannot be made to work - ## initially, or if it ever becomes disconnected. + ## Default interval to retry connecting to a peer if it cannot be made to + ## work initially, or if it ever becomes disconnected. Use of the + ## BRO_DEFAULT_CONNECT_RETRY environment variable (set as number of + ## seconds) will override this option and also any values given to + ## :bro:see:`Broker::peer`. const default_connect_retry = 30sec &redef; ## If true, do not use SSL for network connections. By default, SSL will @@ -194,7 +199,9 @@ export { ## the next available free port. ## ## retry: If non-zero, retries listening in regular intervals if the port cannot be - ## acquired immediately. 0 disables retries. + ## acquired immediately. 0 disables retries. If the + ## BRO_DEFAULT_LISTEN_RETRY environment variable is set (as number + ## of seconds), it overrides any value given here. ## ## Returns: the bound port or 0/? on failure. ## @@ -210,7 +217,9 @@ export { ## ## retry: an interval at which to retry establishing the ## connection with the remote peer if it cannot be made initially, or - ## if it ever becomes disconnected. + ## if it ever becomes disconnected. If the + ## BRO_DEFAULT_CONNECT_RETRY environment variable is set (as number + ## of seconds), it overrides any value given here. ## ## Returns: true if it's possible to try connecting with the peer and ## it's a new peer. The actual connection may not be established 
@@ -319,8 +328,16 @@ function listen(a: string, p: port, retry: interval): port { local bound = __listen(a, p); - if ( bound == 0/tcp && retry != 0secs ) - schedule retry { retry_listen(a, p, retry) }; + if ( bound == 0/tcp ) + { + local e = getenv("BRO_DEFAULT_LISTEN_RETRY"); + + if ( e != "" ) + retry = double_to_interval(to_double(e)); + + if ( retry != 0secs ) + schedule retry { retry_listen(a, p, retry) }; + } return bound; } diff --git a/scripts/base/frameworks/cluster/main.bro b/scripts/base/frameworks/cluster/main.bro index 779f0c159a..25c0f4f63e 100644 --- a/scripts/base/frameworks/cluster/main.bro +++ b/scripts/base/frameworks/cluster/main.bro @@ -210,6 +210,8 @@ export { const node = getenv("CLUSTER_NODE") &redef; ## Interval for retrying failed connections between cluster nodes. + ## If set, the BRO_DEFAULT_CONNECT_RETRY (given in number of seconds) + ## overrides this option. const retry_interval = 1min &redef; ## When using broker-enabled cluster framework, nodes broadcast this event diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index ca5ac53c96..6aef1e06cf 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc @@ -320,6 +320,11 @@ void Manager::Peer(const string& addr, uint16_t port, double retry) DBG_LOG(DBG_BROKER, "Starting to peer with %s:%" PRIu16, addr.c_str(), port); + auto e = getenv("BRO_DEFAULT_CONNECT_RETRY"); + + if ( e ) + retry = atoi(e); + if ( retry > 0.0 && retry < 1.0 ) // Ensure that it doesn't get turned into zero. retry = 1.0; diff --git a/src/broker/Manager.h b/src/broker/Manager.h index 415dd00a2c..a42cb495e6 100644 --- a/src/broker/Manager.h +++ b/src/broker/Manager.h 
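Review bot: In `listen`, the value read from BRO_DEFAULT_LISTEN_RETRY goes through `to_double` and replaces `retry` with no range check, so a negative number still passes `retry != 0secs` and is handed to `schedule` as a negative interval. A value that does not parse presumably comes back as 0 and silently switches retries off, so a typo in the environment changes behaviour without any visible signal. I would reject negative input when converting, `local v = to_double(e); if ( v >= 0.0 ) retry = double_to_interval(v);`, and schedule only on `if ( retry > 0secs )`. The function's signature line is outside the hunk.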
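Review bot: `retry = atoi(e)` in `Manager::Peer` parses BRO_DEFAULT_CONNECT_RETRY as an integer with no error detection, so `0.5`, an empty string or any non-numeric text all become 0 and silently turn reconnection off, and a negative number is passed on unchecked. The script-side listen override in this same commit parses its variable with `to_double`, so the two variables accept different formats, and the `retry > 0.0 && retry < 1.0` clamp just below can never see a fractional override. Parsing as a double and keeping the caller's value on failure would make the two consistent: `char* end = nullptr; double v = strtod(e, &end);` followed by `if ( end != e && *end == '\0' && v >= 0.0 ) retry = v;`. The body of `Peer` starts before and continues past the hunk.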
@@ -101,7 +101,8 @@ public: * @param addr an address to connect to, e.g. "localhost" or "127.0.0.1". * @param port the TCP port on which the remote side is listening. * @param retry If non-zero, the time after which to retry if - * connection cannot be established, or breaks. + * connection cannot be established, or breaks. BRO_DEFAULT_CONNECT_RETRY + * environment variable overrides this value. */ void Peer(const std::string& addr, uint16_t port, double retry = 10.0); diff --git a/testing/btest/broker/connect-on-retry.bro b/testing/btest/broker/connect-on-retry.bro index 0ce6950712..13cb2d629a 100644 --- a/testing/btest/broker/connect-on-retry.bro +++ b/testing/btest/broker/connect-on-retry.bro @@ -9,8 +9,7 @@ @TEST-START-FILE send.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; +# Using btest's environment settings for connect/listen retry of 1sec. redef exit_only_after_terminate = T; global event_count = 0; @@ -52,8 +51,6 @@ event pong(msg: string, n: count) @TEST-START-FILE recv.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; const events_to_recv = 5; diff --git a/testing/btest/broker/disconnect.bro b/testing/btest/broker/disconnect.bro index 6a5201627d..3daed6a6b7 100644 --- a/testing/btest/broker/disconnect.bro +++ b/testing/btest/broker/disconnect.bro @@ -17,8 +17,6 @@ @TEST-START-FILE send.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; global peers = 0; @@ -55,8 +53,6 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) @TEST-START-FILE recv.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; const test_topic = "bro/test/my_topic"; diff --git a/testing/btest/broker/error.bro b/testing/btest/broker/error.bro index a379e99ea8..af94e28019 100644 
--- a/testing/btest/broker/error.bro +++ b/testing/btest/broker/error.bro @@ -6,8 +6,6 @@ @TEST-START-FILE send.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; event do_terminate() diff --git a/testing/btest/broker/remote_event.bro b/testing/btest/broker/remote_event.bro index 94aac2ca20..c5f072c16c 100644 --- a/testing/btest/broker/remote_event.bro +++ b/testing/btest/broker/remote_event.bro @@ -9,8 +9,6 @@ @TEST-START-FILE send.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; global event_count = 0; @@ -57,8 +55,6 @@ event pong(msg: string, n: count) @TEST-START-FILE recv.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; const events_to_recv = 5; diff --git a/testing/btest/broker/remote_event_any.bro b/testing/btest/broker/remote_event_any.bro index 9e5c8ea8de..7053a8b4c7 100644 --- a/testing/btest/broker/remote_event_any.bro +++ b/testing/btest/broker/remote_event_any.bro @@ -9,8 +9,6 @@ @TEST-START-FILE send.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; global event_count = 0; @@ -60,8 +58,6 @@ event pong(msg: string, n: any) @TEST-START-FILE recv.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; const events_to_recv = 5; diff --git a/testing/btest/broker/remote_event_auto.bro b/testing/btest/broker/remote_event_auto.bro index fc1b9922a5..c209d6dbe3 100644 --- a/testing/btest/broker/remote_event_auto.bro +++ b/testing/btest/broker/remote_event_auto.bro @@ -9,8 +9,6 @@ @TEST-START-FILE send.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; global event_count = 0; 
@@ -52,8 +50,6 @@ event pong(msg: string, n: count) @TEST-START-FILE recv.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; const events_to_recv = 5; diff --git a/testing/btest/broker/remote_event_ssl_auth.bro b/testing/btest/broker/remote_event_ssl_auth.bro index 6135fd15be..4a62ff2259 100644 --- a/testing/btest/broker/remote_event_ssl_auth.bro +++ b/testing/btest/broker/remote_event_ssl_auth.bro @@ -164,8 +164,6 @@ vq+Zqu15QV9T4BVWKHv0 @TEST-START-FILE send.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; redef Broker::ssl_cafile = "../ca.pem"; @@ -214,8 +212,6 @@ event pong(msg: string, n: count) @TEST-START-FILE recv.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; redef Broker::ssl_cafile = "../ca.pem"; diff --git a/testing/btest/broker/remote_log.bro b/testing/btest/broker/remote_log.bro index 409fbba7e3..2b784bc5f2 100644 --- a/testing/btest/broker/remote_log.bro +++ b/testing/btest/broker/remote_log.bro @@ -11,8 +11,6 @@ @TEST-START-FILE common.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; module Test; diff --git a/testing/btest/broker/remote_log_late_join.bro b/testing/btest/broker/remote_log_late_join.bro index bb452fc84d..c8ca0285a1 100644 --- a/testing/btest/broker/remote_log_late_join.bro +++ b/testing/btest/broker/remote_log_late_join.bro @@ -11,8 +11,6 @@ @TEST-START-FILE common.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; module Test; diff --git a/testing/btest/broker/remote_log_types.bro b/testing/btest/broker/remote_log_types.bro index 2b76bb05c4..f514c7f86d 100644 --- a/testing/btest/broker/remote_log_types.bro 
+++ b/testing/btest/broker/remote_log_types.bro @@ -14,8 +14,6 @@ @TEST-START-FILE common.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; global quit_receiver: event(); diff --git a/testing/btest/broker/remote_publish_and_relay_event.bro b/testing/btest/broker/remote_publish_and_relay_event.bro index 493e673af2..444b454f80 100644 --- a/testing/btest/broker/remote_publish_and_relay_event.bro +++ b/testing/btest/broker/remote_publish_and_relay_event.bro @@ -11,8 +11,6 @@ @TEST-START-FILE one.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; event my_event(s: string) @@ -52,8 +50,6 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) @TEST-START-FILE two.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; global peers_added = 0; @@ -96,8 +92,6 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) @TEST-START-FILE three.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; event my_event(s: string) diff --git a/testing/btest/broker/remote_relay_event.bro b/testing/btest/broker/remote_relay_event.bro index ae40c10a4c..c65265bdb5 100644 --- a/testing/btest/broker/remote_relay_event.bro +++ b/testing/btest/broker/remote_relay_event.bro @@ -11,8 +11,6 @@ @TEST-START-FILE one.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; event my_event(s: string) @@ -52,8 +50,6 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) @TEST-START-FILE two.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; global peers_added = 0; 
@@ -97,8 +93,6 @@ event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) @TEST-START-FILE three.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; event my_event(s: string) diff --git a/testing/btest/broker/ssl_auth_failure.bro b/testing/btest/broker/ssl_auth_failure.bro index 3bc259327f..03b14aaab3 100644 --- a/testing/btest/broker/ssl_auth_failure.bro +++ b/testing/btest/broker/ssl_auth_failure.bro @@ -88,8 +88,6 @@ BTdqMbieumB/zL97iK5baHUFEJ4VRtLQhh/SOXgew/BF8ccpilI= @TEST-START-FILE send.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; redef Broker::ssl_cafile = "../ca.pem"; @@ -134,8 +132,6 @@ event Broker::error(code: Broker::ErrorCode, msg: string) @TEST-START-FILE recv.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; # No cert here. diff --git a/testing/btest/broker/unpeer.bro b/testing/btest/broker/unpeer.bro index 5786ab0e1a..541bc824d9 100644 --- a/testing/btest/broker/unpeer.bro +++ b/testing/btest/broker/unpeer.bro @@ -14,8 +14,6 @@ @TEST-START-FILE send.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; event do_terminate() @@ -55,8 +53,6 @@ event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) @TEST-START-FILE recv.bro -redef Broker::default_connect_retry=1secs; -redef Broker::default_listen_retry=1secs; redef exit_only_after_terminate = T; event do_terminate() diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg index 6671d70b64..1c93c9cb6b 100644 --- a/testing/btest/btest.cfg +++ b/testing/btest/btest.cfg 
@@ -26,4 +26,6 @@ BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage/XXXXXX BTEST_RST_FILTER=$SCRIPTS/rst-filter BRO_DNS_FAKE=1 BRO_DEFAULT_LISTEN_ADDRESS=127.0.0.1 +BRO_DEFAULT_LISTEN_RETRY=1 +BRO_DEFAULT_CONNECT_RETRY=1 BRO_DISABLE_BROXYGEN=1 diff --git a/testing/btest/core/leaks/basic-cluster.bro b/testing/btest/core/leaks/basic-cluster.bro index 8ea5d9c6dc..57552c54af 100644 --- a/testing/btest/core/leaks/basic-cluster.bro +++ b/testing/btest/core/leaks/basic-cluster.bro @@ -18,10 +18,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - redef Log::default_rotation_interval = 0secs; global n = 0; diff --git a/testing/btest/core/leaks/hll_cluster.bro b/testing/btest/core/leaks/hll_cluster.bro index 6a92f1a2e7..8b96c991b3 100644 --- a/testing/btest/core/leaks/hll_cluster.bro +++ b/testing/btest/core/leaks/hll_cluster.bro @@ -23,10 +23,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - redef Log::default_rotation_interval = 0secs; global hll_data: event(data: opaque of cardinality); diff --git a/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.bro b/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.bro index c94b594daf..224b259e20 100644 --- a/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.bro +++ b/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.bro @@ -16,10 +16,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - global my_pool_spec: Cluster::PoolSpec = Cluster::PoolSpec( $topic = "bro/cluster/pool/my_pool", 
diff --git a/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.bro b/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.bro index cb099bc715..f5a9fed5b3 100644 --- a/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.bro +++ b/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.bro @@ -16,10 +16,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - global my_pool_spec: Cluster::PoolSpec = Cluster::PoolSpec( $topic = "bro/cluster/pool/my_pool", diff --git a/testing/btest/scripts/base/frameworks/cluster/log_distribution.bro b/testing/btest/scripts/base/frameworks/cluster/log_distribution.bro index 5e710016ba..bfdddc9497 100644 --- a/testing/btest/scripts/base/frameworks/cluster/log_distribution.bro +++ b/testing/btest/scripts/base/frameworks/cluster/log_distribution.bro @@ -20,10 +20,6 @@ redef Cluster::nodes = { @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - redef Log::default_rotation_interval = 0sec; module Test; diff --git a/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro b/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro index b973705c97..164eb0c1cb 100644 --- a/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro +++ b/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro @@ -26,10 +26,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - global peer_count = 0; global fully_connected_nodes = 0; diff --git a/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro b/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro index be974c074f..aa4bcb45e4 100644 
--- a/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro +++ b/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro @@ -22,10 +22,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - global fully_connected: event(); global peer_count = 0; diff --git a/testing/btest/scripts/base/frameworks/cluster/topic_distribution.bro b/testing/btest/scripts/base/frameworks/cluster/topic_distribution.bro index e360ac55ef..0116d6c231 100644 --- a/testing/btest/scripts/base/frameworks/cluster/topic_distribution.bro +++ b/testing/btest/scripts/base/frameworks/cluster/topic_distribution.bro @@ -16,10 +16,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - global proxy_count = 0; event go_away() diff --git a/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.bro b/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.bro index 9e79081906..b9dd87e560 100644 --- a/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.bro +++ b/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.bro @@ -18,10 +18,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - global proxy_count = 0; global q = 0; diff --git a/testing/btest/scripts/base/frameworks/control/configuration_update.bro b/testing/btest/scripts/base/frameworks/control/configuration_update.bro index 77badfcf2e..d6f229d7a7 100644 --- a/testing/btest/scripts/base/frameworks/control/configuration_update.bro +++ b/testing/btest/scripts/base/frameworks/control/configuration_update.bro 
@@ -5,10 +5,6 @@ # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff controllee/.stdout -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - const test_var = "ORIGINAL VALUE (this should be printed out first)" &redef; @TEST-START-FILE test-redef.bro diff --git a/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro b/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro index b34e273d54..be1a526f1c 100644 --- a/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro +++ b/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro @@ -25,10 +25,6 @@ e@mail.com Intel::EMAIL source1 Phishing email source http://some-data-distribut @TEST-END-FILE @load base/frameworks/control -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - redef Log::default_rotation_interval=0sec; module Intel; diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro index 03108505d5..9c776fd974 100644 --- a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro +++ b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro @@ -20,10 +20,6 @@ redef Cluster::nodes = { redef exit_only_after_terminate = T; @endif -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - redef Log::default_rotation_interval = 0secs; redef Log::default_scope_sep="_"; diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro index 3c464311f5..9ad0f526be 100644 --- a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro 
+++ b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro @@ -19,9 +19,6 @@ redef Cluster::nodes = { redef exit_only_after_terminate = T; @endif -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; redef Log::default_rotation_interval = 0secs; redef Log::default_scope_sep="_"; diff --git a/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro index fc9a308297..0193e780d4 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro @@ -18,10 +18,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - redef Log::default_rotation_interval = 0secs; #redef exit_only_after_terminate = T; diff --git a/testing/btest/scripts/base/frameworks/notice/cluster.bro b/testing/btest/scripts/base/frameworks/notice/cluster.bro index 9bb80422b1..9e04764d68 100644 --- a/testing/btest/scripts/base/frameworks/notice/cluster.bro +++ b/testing/btest/scripts/base/frameworks/notice/cluster.bro @@ -14,10 +14,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - redef Log::default_rotation_interval = 0secs; redef enum Notice::Type += { diff --git a/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro index 6c9e429bc9..a201c5f976 100644 --- a/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro +++ b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro 
@@ -16,10 +16,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - redef Log::default_rotation_interval = 0secs; redef enum Notice::Type += { diff --git a/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro b/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro index de957e720e..5742a49d1d 100644 --- a/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro +++ b/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro @@ -12,9 +12,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; redef Log::default_rotation_interval = 0secs; #redef exit_only_after_terminate = T; diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro index e02b3143c5..9f665ef960 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro @@ -15,10 +15,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - redef Log::default_rotation_interval = 0secs; global n = 0; diff --git a/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro index 18df7fe768..5d8bff1e03 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro 
@@ -14,10 +14,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - redef Log::default_rotation_interval = 0secs; event bro_init() &priority=5 diff --git a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro index adf61ffb82..14027f95ad 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro @@ -16,10 +16,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; - redef Log::default_rotation_interval = 0secs; global n = 0; diff --git a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro index 52fce96dba..811cad3b96 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro @@ -14,9 +14,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; redef Log::default_rotation_interval = 0secs; event bro_init() &priority=5 diff --git a/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro index 3ab90e91b8..6f371ba815 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro 
@@ -15,9 +15,6 @@ redef Cluster::nodes = { }; @TEST-END-FILE -redef Cluster::retry_interval = 1sec; -redef Broker::default_listen_retry = 1sec; -redef Broker::default_connect_retry = 1sec; redef Log::default_rotation_interval = 0secs; From 15dc5d1ddaa423674ef83da598a372cf255dfc35 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 16 Aug 2018 14:09:03 -0500 Subject: [PATCH 625/631] BIT-1850: add missing DCE/RPC PDU type enum values --- src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac | 2 ++ src/analyzer/protocol/dce-rpc/types.bif | 2 ++ 2 files changed, 4 insertions(+) diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac index 40e4c4c6c2..e610efcadc 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac @@ -17,9 +17,11 @@ enum dce_rpc_ptype { DCE_RPC_BIND_NAK, DCE_RPC_ALTER_CONTEXT, DCE_RPC_ALTER_CONTEXT_RESP, + DCE_RPC_AUTH3, DCE_RPC_SHUTDOWN, DCE_RPC_CO_CANCEL, DCE_RPC_ORPHANED, + DCE_RPC_RTS, }; type uuid = bytestring &length = 16; diff --git a/src/analyzer/protocol/dce-rpc/types.bif b/src/analyzer/protocol/dce-rpc/types.bif index 251b53f952..abc6b110dc 100644 --- a/src/analyzer/protocol/dce-rpc/types.bif +++ b/src/analyzer/protocol/dce-rpc/types.bif @@ -18,9 +18,11 @@ enum PType %{ BIND_NAK, ALTER_CONTEXT, ALTER_CONTEXT_RESP, + AUTH3, SHUTDOWN, CO_CANCEL, ORPHANED, + RTS, %} enum IfID %{ From 81a8961f16d72354022a97b51e0dd566f87232d6 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 16 Aug 2018 14:11:02 -0500 Subject: [PATCH 626/631] BIT-1858: fix logged-names for DNS RR types 44 and 45 --- CHANGES | 6 ++++++ VERSION | 2 +- scripts/base/protocols/dns/consts.bro | 4 ++-- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 51705feb5f..d4e7fff78b 100644 --- a/CHANGES +++ b/CHANGES 
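Review bot: The enumerators in `dce_rpc_ptype` carry no explicit values in the visible lines, so `DCE_RPC_AUTH3` and `DCE_RPC_RTS` take their numbers from list position, and inserting `DCE_RPC_AUTH3` renumbers `DCE_RPC_SHUTDOWN`, `DCE_RPC_CO_CANCEL` and `DCE_RPC_ORPHANED` as well. Because these numbers are compared with the PDU type field parsed from the wire and have to agree with the `PType` list in types.bif (the next hunk), a missing entry mislabels every later PDU type in the logs. A comment above the enum such as `# Position == on-wire PDU type value; keep in sync with PType in types.bif`, or explicit `= N` values, would guard against the same slip recurring. The enum starts outside the hunk, so its first entries cannot be checked from here.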
@@ -1,4 +1,10 @@ +2.5-846 | 2018-08-16 14:11:02 -0500 + + * BIT-1858: fix logged-names for DNS RR types 44 and 45 (Jon Siwek, Corelight) + + * BIT-1850: add missing DCE/RPC PDU type enum values (Jon Siwek, Corelight) + 2.5-844 | 2018-08-16 12:13:16 -0500 * Add env. variables to override Broker listen/connect retry intervals diff --git a/VERSION b/VERSION index 2f415d4be9..6a9fd73a7d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-844 +2.5-846 diff --git a/scripts/base/protocols/dns/consts.bro b/scripts/base/protocols/dns/consts.bro index 026588f777..dfcbc4031f 100644 --- a/scripts/base/protocols/dns/consts.bro +++ b/scripts/base/protocols/dns/consts.bro @@ -21,8 +21,8 @@ export { [29] = "LOC", [30] = "EID", [31] = "NIMLOC", [32] = "NB", [33] = "SRV", [34] = "ATMA", [35] = "NAPTR", [36] = "KX", [37] = "CERT", [38] = "A6", [39] = "DNAME", [40] = "SINK", - [EDNS] = "EDNS", [42] = "APL", [43] = "DS", [44] = "SINK", - [45] = "SSHFP", [46] = "RRSIG", [47] = "NSEC", [48] = "DNSKEY", + [EDNS] = "EDNS", [42] = "APL", [43] = "DS", [44] = "SSHFP", + [45] = "IPSECKEY", [46] = "RRSIG", [47] = "NSEC", [48] = "DNSKEY", [49] = "DHCID", [99] = "SPF", [100] = "DINFO", [101] = "UID", [102] = "GID", [103] = "UNSPEC", [249] = "TKEY", [250] = "TSIG", [251] = "IXFR", [252] = "AXFR", [253] = "MAILB", [254] = "MAILA", From 7fdf621a1dca5a3e2cb5d427f50b5a97fec6b2d8 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Thu, 16 Aug 2018 16:07:14 -0500 Subject: [PATCH 627/631] BIT-1924: add DHCP port to software.log for completeness --- CHANGES | 5 +++++ VERSION | 2 +- scripts/base/protocols/dhcp/main.bro | 9 +++++++++ scripts/policy/protocols/dhcp/software.bro | 11 ++++++----- 4 files changed, 21 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index d4e7fff78b..b2dbd0714d 100644 --- a/CHANGES +++ b/CHANGES 
@@ -1,4 +1,9 @@ +2.5-847 | 2018-08-16 16:07:14 -0500 + + * BIT-1924: add DHCP port to software.log for completeness + (Jon Siwek, Corelight) + 2.5-846 | 2018-08-16 14:11:02 -0500 * BIT-1858: fix logged-names for DNS RR types 44 and 45 (Jon Siwek, Corelight) diff --git a/VERSION b/VERSION index 6a9fd73a7d..2903be358d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-846 +2.5-847 diff --git a/scripts/base/protocols/dhcp/main.bro b/scripts/base/protocols/dhcp/main.bro index ae102e6085..2f0bb6c933 100644 --- a/scripts/base/protocols/dhcp/main.bro +++ b/scripts/base/protocols/dhcp/main.bro @@ -41,6 +41,13 @@ export { ## IP address. server_addr: addr &log &optional; + ## Client port number seen at time of server handing out IP (expected + ## as 68/udp). + client_port: port &optional; + ## Server port number seen at time of server handing out IP (expected + ## as 67/udp). + server_port: port &optional; + ## Client's hardware address. mac: string &log &optional; @@ -224,6 +231,8 @@ event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, ms id$resp_h != 255.255.255.255 ) { log_info$server_addr = id$resp_h; + log_info$server_port = id$resp_p; + log_info$client_port = id$orig_p; } # Only use the client hardware address from the server diff --git a/scripts/policy/protocols/dhcp/software.bro b/scripts/policy/protocols/dhcp/software.bro index 6509550622..111de0bfd8 100644 --- a/scripts/policy/protocols/dhcp/software.bro +++ b/scripts/policy/protocols/dhcp/software.bro 
@@ -42,21 +42,22 @@ event DHCP::log_dhcp(rec: DHCP::Info) if ( rec?$assigned_addr && rec?$server_addr && (rec?$client_software || rec?$server_software) ) { - # Not quite right to just blindly use 67 and 68 as the ports - local id: conn_id = [$orig_h=rec$assigned_addr, $orig_p=68/udp, - $resp_h=rec$server_addr, $resp_p=67/udp]; + local id: conn_id = [$orig_h=rec$assigned_addr, + $orig_p=rec$client_port, + $resp_h=rec$server_addr, + $resp_p=rec$server_port]; if ( rec?$client_software && rec$assigned_addr != 255.255.255.255 ) { Software::found(id, [$unparsed_version=rec$client_software, - $host=rec$assigned_addr, + $host=rec$assigned_addr, $host_p=id$orig_p, $software_type=DHCP::CLIENT]); } if ( rec?$server_software ) { Software::found(id, [$unparsed_version=rec$server_software, - $host=rec$server_addr, + $host=rec$server_addr, $host_p=id$resp_p, $software_type=DHCP::SERVER]); } } From a04c76c0358c5da3e8dfcccb34c94e0a82d22231 Mon Sep 17 00:00:00 2001 
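Review bot: `rec$client_port` and `rec$server_port` are read when building `id` in `DHCP::log_dhcp` without a `?$` check, although both fields are declared `&optional` in base/protocols/dhcp/main.bro. The enclosing condition tests only `rec?$assigned_addr && rec?$server_addr`; that is enough only while the ports are always assigned together with `server_addr`, which the main.bro hunk suggests but which cannot be confirmed from the lines shown. Reading an unset optional field is a runtime script error, so I would extend the guard with `rec?$client_port && rec?$server_port`. The handler's signature line is outside the hunk.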
From: Jon Siwek Date: Thu, 16 Aug 2018 17:21:28 -0500 Subject: [PATCH 628/631] Enable SMB by default by moving scripts from policy/ to base/ --- CHANGES | 5 + NEWS | 3 + VERSION | 2 +- scripts/base/init-default.bro | 2 - scripts/base/protocols/smb/README | 2 +- scripts/base/protocols/smb/__load__.bro | 7 + .../{policy => base}/protocols/smb/dpd.sig | 0 .../{policy => base}/protocols/smb/files.bro | 0 .../{policy => base}/protocols/smb/main.bro | 4 +- .../protocols/smb/smb1-main.bro | 0 .../protocols/smb/smb2-main.bro | 0 scripts/policy/protocols/smb/README | 1 - scripts/policy/protocols/smb/__load__.bro | 8 - scripts/site/local.bro | 4 - scripts/test-all-policy.bro | 5 - .../Baseline/core.print-bpf-filters/output2 | 10 +- .../canonified_loaded_scripts.log | 4 + testing/btest/Baseline/plugins.hooks/output | 542 ++++++++++-------- .../dce_rpc.log | 28 +- .../ntlm.log | 8 +- .../all-events.log | 440 +++++++------- .../smtp-events.log | 88 +-- .../base/protocols/krb/smb_gssapi.test | 2 +- .../base/protocols/smb/disabled-dce-rpc.test | 2 +- .../scripts/base/protocols/smb/raw-ntlm.test | 2 +- .../smb/smb1-transaction-dcerpc.test | 2 +- .../smb/smb1-transaction-request.test | 2 +- .../smb/smb1-transaction-response.test | 2 +- .../smb1-transaction-secondary-request.test | 2 +- .../smb/smb1-transaction2-request.test | 2 +- .../smb1-transaction2-secondary-request.test | 2 +- .../scripts/base/protocols/smb/smb1.test | 2 +- .../scripts/base/protocols/smb/smb2.test | 2 +- 33 files changed, 633 insertions(+), 552 deletions(-) rename scripts/{policy => base}/protocols/smb/dpd.sig (100%) rename scripts/{policy => base}/protocols/smb/files.bro (100%) rename scripts/{policy => base}/protocols/smb/main.bro (99%) rename scripts/{policy => base}/protocols/smb/smb1-main.bro (100%) rename scripts/{policy => base}/protocols/smb/smb2-main.bro (100%) delete mode 100644 scripts/policy/protocols/smb/README delete mode 100644 scripts/policy/protocols/smb/__load__.bro 
diff --git a/CHANGES b/CHANGES index b2dbd0714d..5cbec754f4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,9 @@ +2.5-848 | 2018-08-16 17:21:28 -0500 + + * Enable SMB by default by moving scripts from policy/ to base/ + (Jon Siwek, Corelight) + 2.5-847 | 2018-08-16 16:07:14 -0500 * BIT-1924: add DHCP port to software.log for completeness diff --git a/NEWS b/NEWS index 6251fa5071..1809cd4bd6 100644 --- a/NEWS +++ b/NEWS @@ -239,6 +239,9 @@ New Functionality - Added new NFS events: nfs_proc_symlink, nfs_proc_link, nfs_proc_sattr +- The SMB scripts in policy/protocols/smb are now moved into base/protocols/smb + and loaded/enabled by default. + - Added new SMB events: smb1_transaction_secondary_request, smb1_transaction2_secondary_request, smb1_transaction_response diff --git a/VERSION b/VERSION index 2903be358d..3c34b2649e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-847 +2.5-848 diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index d0db0a0330..463f5c2942 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -62,8 +62,6 @@ @load base/protocols/rfb @load base/protocols/sip @load base/protocols/snmp -# This DOES NOT enable the SMB analyzer. It's just some base support -# for other protocols. @load base/protocols/smb @load base/protocols/smtp @load base/protocols/socks diff --git a/scripts/base/protocols/smb/README b/scripts/base/protocols/smb/README index 6e41fd1a28..d10322faad 100644 --- a/scripts/base/protocols/smb/README +++ b/scripts/base/protocols/smb/README @@ -1 +1 @@ -Definitions of constants used by the SMB protocol. +Support for SMB protocol analysis. diff --git a/scripts/base/protocols/smb/__load__.bro b/scripts/base/protocols/smb/__load__.bro index 975d204851..d1ed8cdfe9 100644 --- a/scripts/base/protocols/smb/__load__.bro +++ b/scripts/base/protocols/smb/__load__.bro 
@@ -1,3 +1,10 @@ @load ./consts @load ./const-dos-error @load ./const-nt-status + +@load ./main +@load ./smb1-main +@load ./smb2-main +@load ./files + +@load-sigs ./dpd.sig diff --git a/scripts/policy/protocols/smb/dpd.sig b/scripts/base/protocols/smb/dpd.sig similarity index 100% rename from scripts/policy/protocols/smb/dpd.sig rename to scripts/base/protocols/smb/dpd.sig diff --git a/scripts/policy/protocols/smb/files.bro b/scripts/base/protocols/smb/files.bro similarity index 100% rename from scripts/policy/protocols/smb/files.bro rename to scripts/base/protocols/smb/files.bro diff --git a/scripts/policy/protocols/smb/main.bro b/scripts/base/protocols/smb/main.bro similarity index 99% rename from scripts/policy/protocols/smb/main.bro rename to scripts/base/protocols/smb/main.bro index 51aab775c0..a2226ded33 100644 --- a/scripts/policy/protocols/smb/main.bro +++ b/scripts/base/protocols/smb/main.bro @@ -1,4 +1,6 @@ -@load base/protocols/smb +@load ./consts +@load ./const-dos-error +@load ./const-nt-status module SMB; diff --git a/scripts/policy/protocols/smb/smb1-main.bro b/scripts/base/protocols/smb/smb1-main.bro similarity index 100% rename from scripts/policy/protocols/smb/smb1-main.bro rename to scripts/base/protocols/smb/smb1-main.bro diff --git a/scripts/policy/protocols/smb/smb2-main.bro b/scripts/base/protocols/smb/smb2-main.bro similarity index 100% rename from scripts/policy/protocols/smb/smb2-main.bro rename to scripts/base/protocols/smb/smb2-main.bro diff --git a/scripts/policy/protocols/smb/README b/scripts/policy/protocols/smb/README deleted file mode 100644 index d10322faad..0000000000 --- a/scripts/policy/protocols/smb/README +++ /dev/null @@ -1 +0,0 @@ -Support for SMB protocol analysis. diff --git a/scripts/policy/protocols/smb/__load__.bro b/scripts/policy/protocols/smb/__load__.bro deleted file mode 100644 index 31c8469c60..0000000000 --- a/scripts/policy/protocols/smb/__load__.bro +++ /dev/null 
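Review bot: With `@load ./main`, `@load ./smb1-main`, `@load ./smb2-main`, `@load ./files` and `@load-sigs ./dpd.sig` added to the base package, every default install now runs the SMB analyzer, while the same patch deletes `scripts/policy/protocols/smb/__load__.bro`. A site configuration that still contains `@load policy/protocols/smb` (the line local.bro used to advertise) would presumably fail to load after an upgrade. Consider keeping a one-line stub at the old path, `@load base/protocols/smb`, under a comment such as `# Deprecated: SMB analysis now lives in base/protocols/smb and is loaded by default.` The NEWS entry would also serve operators better if it stated that 139/tcp and 445/tcp are now analyzed by default and that the smb_cmd, smb_files and smb_mapping log streams are created, as the updated baselines in this patch show. That changes both sensor load and how much file-share metadata lands in logs.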
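Review bot: The new `@load ./consts`, `@load ./const-dos-error` and `@load ./const-nt-status` lines at the top of main.bro replace the package-level `@load base/protocols/smb` without saying why. It looks like this keeps main.bro from pulling in the package `__load__.bro`, which now loads main.bro itself. If that is the intent, a comment such as `# Load the constants directly; __load__.bro loads this file, so loading the whole package here would be self-referential.` would keep a later cleanup from reverting it. The rest of main.bro lies outside the hunk.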
@@ -1,8 +0,0 @@ -@load base/protocols/smb - -@load ./main -@load ./smb1-main -@load ./smb2-main -@load ./files - -@load-sigs ./dpd.sig diff --git a/scripts/site/local.bro b/scripts/site/local.bro index 5064d6a330..605b5ab75d 100644 --- a/scripts/site/local.bro +++ b/scripts/site/local.bro @@ -99,7 +99,3 @@ # Uncomment the following line to enable logging of link-layer addresses. Enabling # this adds the link-layer address for each connection endpoint to the conn.log file. # @load policy/protocols/conn/mac-logging - -# Uncomment the following line to enable the SMB analyzer. The analyzer -# is currently considered a preview and therefore not loaded by default. -# @load policy/protocols/smb diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index 3389942fe5..e0268a7c62 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -80,11 +80,6 @@ @load protocols/modbus/track-memmap.bro @load protocols/mysql/software.bro @load protocols/rdp/indicate_ssl.bro -@load protocols/smb/__load__.bro -@load protocols/smb/files.bro -@load protocols/smb/main.bro -@load protocols/smb/smb1-main.bro -@load protocols/smb/smb2-main.bro @load protocols/smtp/blocklists.bro @load protocols/smtp/detect-suspicious-orig.bro @load protocols/smtp/entities-excerpt.bro diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2 index af9ccda1ae..26a4b5fa85 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output2 +++ b/testing/btest/Baseline/core.print-bpf-filters/output2 @@ -1,6 +1,7 @@ 2 1080 1 135 1 137 +1 139 1 143 1 1434 1 161 @@ -19,6 +20,7 @@ 1 3544 1 4011 2 443 +1 445 1 502 1 5060 1 5072 @@ -52,8 +54,8 @@ 1 992 1 993 1 995 -59 and -58 or -59 port -40 tcp +61 and +60 or +61 port +42 tcp 19 udp 
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 4742280a26..ebe22c1b91 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log @@ -327,6 +327,10 @@ scripts/base/init-default.bro scripts/base/protocols/smb/consts.bro scripts/base/protocols/smb/const-dos-error.bro scripts/base/protocols/smb/const-nt-status.bro + scripts/base/protocols/smb/main.bro + scripts/base/protocols/smb/smb1-main.bro + scripts/base/protocols/smb/smb2-main.bro + scripts/base/protocols/smb/files.bro scripts/base/protocols/pop3/__load__.bro scripts/base/protocols/radius/__load__.bro scripts/base/protocols/radius/main.bro diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index a8ebd497b9..0fadde65a5 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -40,6 +40,8 @@ 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_RADIUS, 1812/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_RDP, 3389/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SIP, 5060/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMB, 139/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMB, 445/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMTP, 25/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMTP, 587/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SNMP, 161/udp)) -> 
@@ -103,6 +105,8 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_RADIUS, 1812/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_RDP, 3389/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SIP, 5060/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMB, 139/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMB, 445/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMTP, 25/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMTP, 587/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SNMP, 161/udp)) -> @@ -142,6 +146,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_RADIUS, {1812/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_RDP, {3389/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SIP, {5060/udp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SMB, {139<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SMTP, {587<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SNMP, {162<...>/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SOCKS, {1080/tcp})) -> 
@@ -174,6 +179,7 @@ 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -> +0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? 
SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { SMB::info = SMB::f$conns[SMB::cid]if (SMB::info?$smb_state && SMB::info$smb_state?$current_file && SMB::info$smb_state$current_file?$name) return (SMB::info$smb_state$current_file$name)}return ()}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 
@@ -207,6 +213,9 @@ 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rfb, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=reporter, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=sip, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_cmd, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_files, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_mapping, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SMTP::LOG, [name=default, 
writer=Log::WRITER_ASCII, pred=, path=smtp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=snmp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=socks, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> @@ -251,6 +260,9 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::CMD_LOG, [columns=, ev=, path=smb_cmd])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks])) -> 
@@ -264,7 +276,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> @@ -296,6 +308,9 @@ 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (RFB::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Reporter::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SIP::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SMB::CMD_LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SMB::FILES_LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SMB::MAPPING_LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SMTP::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SNMP::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SOCKS::LOG)) -> 
@@ -340,6 +355,9 @@ 0.000000 MetaHookPost CallFunction(Log::add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, , (SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, , (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, , (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, 
exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> @@ -384,6 +402,9 @@ 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (RFB::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Reporter::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SIP::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SMB::CMD_LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SMB::FILES_LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SMB::MAPPING_LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SMTP::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SNMP::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SOCKS::LOG, default)) -> 
@@ -428,6 +449,9 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::CMD_LOG, [columns=, ev=, path=smb_cmd])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks])) -> @@ -441,7 +465,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -669,6 +693,8 @@ 0.000000 MetaHookPost LoadFile(0, .<...>/sftp.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/shunt.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/site.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/smb1-main.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/smb2-main.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/sqlite.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/stats.bif.bro) -> -1 0.000000 MetaHookPost LoadFile(0, .<...>/std-dev.bro) -> -1 @@ -843,6 +869,8 @@ 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_RADIUS, 1812/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_RDP, 3389/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SIP, 5060/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMB, 139/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMB, 445/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMTP, 25/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMTP, 587/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SNMP, 161/udp)) 
@@ -906,6 +934,8 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_RADIUS, 1812/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_RDP, 3389/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SIP, 5060/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMB, 139/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMB, 445/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMTP, 25/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMTP, 587/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SNMP, 161/udp)) @@ -945,6 +975,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_RADIUS, {1812/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_RDP, {3389/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SIP, {5060/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SMB, {139<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SMTP, {587<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SNMP, {162<...>/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SOCKS, {1080/tcp})) 
@@ -977,6 +1008,7 @@ 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? 
SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { SMB::info = SMB::f$conns[SMB::cid]if (SMB::info?$smb_state && SMB::info$smb_state?$current_file && SMB::info$smb_state$current_file?$name) return (SMB::info$smb_state$current_file$name)}return ()}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 
@@ -1010,6 +1042,9 @@ 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rfb, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=reporter, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=sip, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_cmd, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_files, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_mapping, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, 
path=smtp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=snmp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=socks, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) @@ -1054,6 +1089,9 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMB::CMD_LOG, [columns=, ev=, path=smb_cmd])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks])) 
@@ -1067,7 +1105,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) @@ -1099,6 +1137,9 @@ 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (RFB::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Reporter::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SIP::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SMB::CMD_LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SMB::FILES_LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SMB::MAPPING_LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SMTP::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SNMP::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SOCKS::LOG)) 
@@ -1143,6 +1184,9 @@ 0.000000 MetaHookPre CallFunction(Log::add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, , (SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, , (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, , (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, 
log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) @@ -1187,6 +1231,9 @@ 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (RFB::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Reporter::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SIP::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SMB::CMD_LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SMB::FILES_LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SMB::MAPPING_LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SMTP::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SNMP::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SOCKS::LOG, default)) 
@@ -1231,6 +1278,9 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMB::CMD_LOG, [columns=, ev=, path=smb_cmd])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks])) @@ -1244,7 +1294,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1472,6 +1522,8 @@ 0.000000 MetaHookPre LoadFile(0, .<...>/sftp.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/shunt.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/site.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/smb1-main.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/smb2-main.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/sqlite.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/stats.bif.bro) 0.000000 MetaHookPre LoadFile(0, .<...>/std-dev.bro) @@ -1646,6 +1698,8 @@ 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_RADIUS, 1812/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_RDP, 3389/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SIP, 5060/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SMB, 139/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SMB, 445/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SMTP, 25/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SMTP, 587/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SNMP, 161/udp) @@ -1709,6 +1763,8 @@ 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_RADIUS, 1812/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_RDP, 3389/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SIP, 5060/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SMB, 139/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SMB, 445/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SMTP, 25/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SMTP, 587/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SNMP, 161/udp) 
@@ -1748,6 +1804,7 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, {1812/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_RDP, {3389/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SIP, {5060/udp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, {139<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, {587<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SNMP, {162<...>/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, {1080/tcp}) 
@@ -1779,6 +1836,7 @@ 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? 
SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { SMB::info = SMB::f$conns[SMB::cid]if (SMB::info?$smb_state && SMB::info$smb_state?$current_file && SMB::info$smb_state$current_file?$name) return (SMB::info$smb_state$current_file$name)}return ()}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) 0.000000 | HookCallFunction Log::__add_filter(Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 
@@ -1812,6 +1870,9 @@ 0.000000 | HookCallFunction Log::__add_filter(RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rfb, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=reporter, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=sip, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_cmd, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_files, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_mapping, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smtp, path_func=, include=, exclude=, log_local=T, log_remote=T, 
field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=snmp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=socks, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) @@ -1856,6 +1917,9 @@ 0.000000 | HookCallFunction Log::__create_stream(RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb]) 0.000000 | HookCallFunction Log::__create_stream(Reporter::LOG, [columns=, ev=, path=reporter]) 0.000000 | HookCallFunction Log::__create_stream(SIP::LOG, [columns=, ev=SIP::log_sip, path=sip]) +0.000000 | HookCallFunction Log::__create_stream(SMB::CMD_LOG, [columns=, ev=, path=smb_cmd]) +0.000000 | HookCallFunction Log::__create_stream(SMB::FILES_LOG, [columns=, ev=, path=smb_files]) +0.000000 | HookCallFunction Log::__create_stream(SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping]) 0.000000 | HookCallFunction Log::__create_stream(SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp]) 0.000000 | HookCallFunction Log::__create_stream(SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp]) 0.000000 | HookCallFunction Log::__create_stream(SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks]) 
@@ -1869,7 +1933,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) @@ -1901,6 +1965,9 @@ 0.000000 | HookCallFunction Log::add_default_filter(RFB::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Reporter::LOG) 0.000000 | HookCallFunction Log::add_default_filter(SIP::LOG) +0.000000 | HookCallFunction Log::add_default_filter(SMB::CMD_LOG) +0.000000 | HookCallFunction Log::add_default_filter(SMB::FILES_LOG) +0.000000 | HookCallFunction Log::add_default_filter(SMB::MAPPING_LOG) 0.000000 | HookCallFunction Log::add_default_filter(SMTP::LOG) 0.000000 | HookCallFunction Log::add_default_filter(SNMP::LOG) 0.000000 | HookCallFunction Log::add_default_filter(SOCKS::LOG) 
@@ -1945,6 +2012,9 @@ 0.000000 | HookCallFunction Log::add_filter(RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, 
ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) @@ -1989,6 +2059,9 @@ 0.000000 | HookCallFunction Log::add_stream_filters(RFB::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(Reporter::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(SIP::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(SMB::CMD_LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(SMB::FILES_LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(SMB::MAPPING_LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(SMTP::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(SNMP::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(SOCKS::LOG, default) 
@@ -2033,6 +2106,9 @@ 0.000000 | HookCallFunction Log::create_stream(RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb]) 0.000000 | HookCallFunction Log::create_stream(Reporter::LOG, [columns=, ev=, path=reporter]) 0.000000 | HookCallFunction Log::create_stream(SIP::LOG, [columns=, ev=SIP::log_sip, path=sip]) +0.000000 | HookCallFunction Log::create_stream(SMB::CMD_LOG, [columns=, ev=, path=smb_cmd]) +0.000000 | HookCallFunction Log::create_stream(SMB::FILES_LOG, [columns=, ev=, path=smb_files]) +0.000000 | HookCallFunction Log::create_stream(SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping]) 0.000000 | HookCallFunction Log::create_stream(SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp]) 0.000000 | HookCallFunction Log::create_stream(SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp]) 0.000000 | HookCallFunction Log::create_stream(SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks]) @@ -2046,7 +2122,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() 
@@ -2282,6 +2358,8 @@ 0.000000 | HookLoadFile .<...>/sftp.bro 0.000000 | HookLoadFile .<...>/shunt.bro 0.000000 | HookLoadFile .<...>/site.bro +0.000000 | HookLoadFile .<...>/smb1-main.bro +0.000000 | HookLoadFile .<...>/smb2-main.bro 0.000000 | HookLoadFile .<...>/sqlite.bro 0.000000 | HookLoadFile .<...>/stats.bif.bro 0.000000 | HookLoadFile .<...>/std-dev.bro @@ -2402,7 +2480,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() 
@@ -2412,11 +2490,11 @@ 1362692526.869344 MetaHookPost CallFunction(addr_to_subnet, , (141.142.228.5)) -> 1362692526.869344 MetaHookPost CallFunction(filter_change_tracking, , ()) -> 1362692526.869344 MetaHookPost CallFunction(get_net_stats, , ()) -> -1362692526.869344 MetaHookPost CallFunction(new_connection, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692526.869344 MetaHookPost CallFunction(new_connection, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692526.869344 MetaHookPost DrainEvents() -> 1362692526.869344 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false 1362692526.869344 MetaHookPost QueueEvent(filter_change_tracking()) -> false -1362692526.869344 MetaHookPost 
QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false +1362692526.869344 MetaHookPost QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false 1362692526.869344 MetaHookPost SetupAnalyzerTree(1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80) -> 1362692526.869344 MetaHookPost UpdateNetworkTime(1362692526.869344) -> 1362692526.869344 MetaHookPre BroObjDtor() 
@@ -2425,11 +2503,11 @@ 1362692526.869344 MetaHookPre CallFunction(addr_to_subnet, , (141.142.228.5)) 1362692526.869344 MetaHookPre CallFunction(filter_change_tracking, , ()) 1362692526.869344 MetaHookPre CallFunction(get_net_stats, , ()) -1362692526.869344 MetaHookPre CallFunction(new_connection, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.869344 MetaHookPre CallFunction(new_connection, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692526.869344 MetaHookPre DrainEvents() 1362692526.869344 MetaHookPre QueueEvent(ChecksumOffloading::check()) 1362692526.869344 MetaHookPre QueueEvent(filter_change_tracking()) -1362692526.869344 MetaHookPre QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], 
orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.869344 MetaHookPre QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692526.869344 MetaHookPre SetupAnalyzerTree(1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80) 1362692526.869344 MetaHookPre UpdateNetworkTime(1362692526.869344) 1362692526.869344 | HookBroObjDtor 
@@ -2439,31 +2517,31 @@ 1362692526.869344 | HookCallFunction addr_to_subnet(141.142.228.5) 1362692526.869344 | HookCallFunction filter_change_tracking() 1362692526.869344 | HookCallFunction get_net_stats() -1362692526.869344 | HookCallFunction new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692526.869344 | HookCallFunction new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692526.869344 | HookDrainEvents 1362692526.869344 | HookQueueEvent ChecksumOffloading::check() 1362692526.869344 | HookQueueEvent filter_change_tracking() -1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, 
l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692526.869344 | HookSetupAnalyzerTree 1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80 1362692526.869344 | RequestObjDtor ChecksumOffloading::check() 1362692526.939084 MetaHookPost CallFunction(NetControl::catch_release_seen, , (141.142.228.5)) -> 1362692526.939084 MetaHookPost CallFunction(addr_to_subnet, , (141.142.228.5)) -> -1362692526.939084 MetaHookPost CallFunction(connection_established, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, 
duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692526.939084 MetaHookPost CallFunction(connection_established, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692526.939084 MetaHookPost DrainEvents() -> -1362692526.939084 MetaHookPost QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false +1362692526.939084 MetaHookPost 
QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false 1362692526.939084 MetaHookPost UpdateNetworkTime(1362692526.939084) -> 1362692526.939084 MetaHookPre CallFunction(NetControl::catch_release_seen, , (141.142.228.5)) 1362692526.939084 MetaHookPre CallFunction(addr_to_subnet, , (141.142.228.5)) -1362692526.939084 MetaHookPre CallFunction(connection_established, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.939084 MetaHookPre CallFunction(connection_established, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, 
l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692526.939084 MetaHookPre DrainEvents() -1362692526.939084 MetaHookPre QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.939084 MetaHookPre QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=])) 1362692526.939084 MetaHookPre UpdateNetworkTime(1362692526.939084) 1362692526.939084 | HookUpdateNetworkTime 1362692526.939084 1362692526.939084 | HookCallFunction NetControl::catch_release_seen(141.142.228.5) 1362692526.939084 | HookCallFunction addr_to_subnet(141.142.228.5) -1362692526.939084 | HookCallFunction connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692526.939084 | HookCallFunction connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692526.939084 | HookDrainEvents -1362692526.939084 | HookQueueEvent connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, 
l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692526.939084 | HookQueueEvent connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692526.939378 MetaHookPost DrainEvents() -> 1362692526.939378 MetaHookPost UpdateNetworkTime(1362692526.939378) -> 1362692526.939378 MetaHookPre DrainEvents() 
@@ -2472,118 +2550,118 @@ 1362692526.939378 | HookDrainEvents 1362692526.939527 MetaHookPost CallFunction(Analyzer::__name, , (Analyzer::ANALYZER_HTTP)) -> 1362692526.939527 MetaHookPost CallFunction(Analyzer::name, , (Analyzer::ANALYZER_HTTP)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::new_http_session, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, 
proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::new_http_session, , ([id=[orig_h=141.142.228.5, 
orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, 
snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, 
dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 1362692526.939527 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692526.939527 MetaHookPost CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> 1362692526.939527 MetaHookPost CallFunction(fmt, , (-%s, HTTP)) -> -1362692526.939527 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost 
CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 
+1362692526.939527 MetaHookPost CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> 1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> -1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -> -1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], 
orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -> -1362692526.939527 MetaHookPost CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> +1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -> +1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, 
orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -> +1362692526.939527 MetaHookPost CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> 1362692526.939527 MetaHookPost CallFunction(http_request, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> 1362692526.939527 MetaHookPost CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692526.939527 MetaHookPost CallFunction(network_time, , ()) -> -1362692526.939527 MetaHookPost CallFunction(protocol_confirmation, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, 
dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) -> +1362692526.939527 MetaHookPost CallFunction(protocol_confirmation, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) -> 1362692526.939527 MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692526.939527 MetaHookPost CallFunction(split_string1, , (bro.org, <...>/)) -> 1362692526.939527 MetaHookPost DrainEvents() -> -1362692526.939527 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, 
modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false -1362692526.939527 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false -1362692526.939527 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false +1362692526.939527 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, 
duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false +1362692526.939527 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false +1362692526.939527 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false 1362692526.939527 MetaHookPost 
QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> false 1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> false -1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -> false -1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -> false -1362692526.939527 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false +1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -> false +1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, 
sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -> false +1362692526.939527 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false 1362692526.939527 MetaHookPost QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> false -1362692526.939527 MetaHookPost QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) -> false +1362692526.939527 MetaHookPost QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, 
l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) -> false 1362692526.939527 MetaHookPost UpdateNetworkTime(1362692526.939527) -> 1362692526.939527 MetaHookPre CallFunction(Analyzer::__name, , (Analyzer::ANALYZER_HTTP)) 1362692526.939527 MetaHookPre CallFunction(Analyzer::name, , (Analyzer::ANALYZER_HTTP)) -1362692526.939527 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(HTTP::new_http_session, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, 
thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, 
resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, 
info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::new_http_session, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , 
([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 
MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692526.939527 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) 1362692526.939527 MetaHookPre CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) 1362692526.939527 MetaHookPre CallFunction(fmt, , (-%s, HTTP)) -1362692526.939527 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, 
status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, 
status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) 1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 
T, CONNECTION, Keep-Alive)) -1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -1362692526.939527 MetaHookPre CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) +1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, 
mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) +1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) +1362692526.939527 MetaHookPre CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) 1362692526.939527 MetaHookPre CallFunction(http_request, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) 1362692526.939527 MetaHookPre CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692526.939527 MetaHookPre CallFunction(network_time, , ()) -1362692526.939527 MetaHookPre CallFunction(protocol_confirmation, , ([id=[orig_h=141.142.228.5, 
orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) +1362692526.939527 MetaHookPre CallFunction(protocol_confirmation, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) 1362692526.939527 MetaHookPre CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) 1362692526.939527 MetaHookPre CallFunction(split_string1, , (bro.org, <...>/)) 1362692526.939527 MetaHookPre DrainEvents() -1362692526.939527 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, 
num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 
+1362692526.939527 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, 
extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) 1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, 
ssh=, syslog=], T, HOST, bro.org)) -1362692526.939527 MetaHookPre QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) +1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) +1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, 
dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) +1362692526.939527 MetaHookPre QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) 1362692526.939527 MetaHookPre QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -1362692526.939527 MetaHookPre QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 
Analyzer::ANALYZER_HTTP, 3)) +1362692526.939527 MetaHookPre QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) 1362692526.939527 MetaHookPre UpdateNetworkTime(1362692526.939527) 1362692526.939527 | HookUpdateNetworkTime 1362692526.939527 1362692526.939527 | HookCallFunction Analyzer::__name(Analyzer::ANALYZER_HTTP) 1362692526.939527 | HookCallFunction Analyzer::name(Analyzer::ANALYZER_HTTP) -1362692526.939527 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, 
flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) -1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, 
response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | 
HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, 
rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, 
radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692526.939527 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) 1362692526.939527 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) 1362692526.939527 | HookCallFunction fmt(-%s, HTTP) -1362692526.939527 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, 
request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, 
response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*) 1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)) -1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, 
CONNECTION, Keep-Alive) -1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org) -1362692526.939527 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]) +1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, 
rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive) +1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org) +1362692526.939527 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]) 1362692526.939527 | HookCallFunction http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1) 1362692526.939527 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692526.939527 | HookCallFunction network_time() -1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, 
l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3) +1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3) 1362692526.939527 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80) 1362692526.939527 | HookCallFunction split_string1(bro.org, <...>/) 1362692526.939527 | HookDrainEvents -1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, 
history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, 
state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, 
modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*) 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)) -1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive) -1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org) -1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, 
status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]) +1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive) +1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, 
smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org) +1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]) 1362692526.939527 | HookQueueEvent http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1) -1362692526.939527 | HookQueueEvent protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3) +1362692526.939527 | HookQueueEvent protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], 
resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3) 1362692527.008509 MetaHookPost DrainEvents() -> 1362692527.008509 MetaHookPost UpdateNetworkTime(1362692527.008509) -> 1362692527.008509 MetaHookPre DrainEvents() 
@@ -2592,142 +2670,142 @@ 1362692527.008509 | HookDrainEvents 1362692527.009512 MetaHookPost CallFunction(Files::__enable_reassembly, , (FakNcS1Jfe01uljb3)) -> 1362692527.009512 MetaHookPost CallFunction(Files::__set_reassembly_buffer, , (FakNcS1Jfe01uljb3, 524288)) -> -1362692527.009512 MetaHookPost CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, 
resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, 
status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288)) -> +1362692527.009512 MetaHookPost CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, 
rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, 
last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::code_in_range, , (200, 100, 199)) -> -1362692527.009512 MetaHookPost 
CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , 
([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , 
([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009512 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009512 MetaHookPost CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, 
modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> +1362692527.009512 
MetaHookPost CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009512 MetaHookPost CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> -1362692527.009512 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009512 MetaHookPost CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, 
current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, 
current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, 
current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> +1362692527.009512 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, 
orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, 
status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> 1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> 1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> -1362692527.009512 MetaHookPost CallFunction(http_reply, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], 
irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> +1362692527.009512 MetaHookPost CallFunction(http_reply, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> 1362692527.009512 MetaHookPost CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692527.009512 MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.009512 MetaHookPost CallFunction(split_string_all, , (HTTP, <...>/)) -> 1362692527.009512 MetaHookPost DrainEvents() -> -1362692527.009512 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, 
timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> false -1362692527.009512 MetaHookPost QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false -1362692527.009512 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, 
trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, 
mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, 
mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> false +1362692527.009512 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> false +1362692527.009512 MetaHookPost QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, 
status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009512 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, 
status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, 
response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, 
orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> false 1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> false 1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, 
trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> false 1362692527.009512 MetaHookPost UpdateNetworkTime(1362692527.009512) -> 1362692527.009512 MetaHookPre CallFunction(Files::__enable_reassembly, , (FakNcS1Jfe01uljb3)) 1362692527.009512 MetaHookPre CallFunction(Files::__set_reassembly_buffer, , (FakNcS1Jfe01uljb3, 524288)) -1362692527.009512 MetaHookPre CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, 
info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -1362692527.009512 MetaHookPre CallFunction(Files::set_reassembly_buffer_size, , 
([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288)) +1362692527.009512 MetaHookPre CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, 
total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, 
current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, 
irc=, pe=, u2_events=], 524288)) 1362692527.009512 MetaHookPre CallFunction(HTTP::code_in_range, , (200, 100, 199)) -1362692527.009512 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, 
sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, 
smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009512 MetaHookPre CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], 
orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -1362692527.009512 MetaHookPre CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, 
bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -1362692527.009512 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, 
current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, 
current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, 
resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) +1362692527.009512 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, 
range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, 
status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) 1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) 1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -1362692527.009512 MetaHookPre CallFunction(http_reply, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, 
modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) +1362692527.009512 MetaHookPre CallFunction(http_reply, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) 1362692527.009512 MetaHookPre CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692527.009512 MetaHookPre CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.009512 MetaHookPre CallFunction(split_string_all, , (HTTP, <...>/)) 1362692527.009512 MetaHookPre DrainEvents() -1362692527.009512 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, 
bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -1362692527.009512 MetaHookPre QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, 
radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, 
socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, 
KEEP-ALIVE, timeout=5, max=100)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) +1362692527.009512 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, 
orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, 
orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, 
orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, 
orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) 1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) 1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -1362692527.009512 MetaHookPre QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) +1362692527.009512 MetaHookPre QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) 1362692527.009512 MetaHookPre UpdateNetworkTime(1362692527.009512) 1362692527.009512 | 
HookUpdateNetworkTime 1362692527.009512 1362692527.009512 | HookCallFunction Files::__enable_reassembly(FakNcS1Jfe01uljb3) 1362692527.009512 | HookCallFunction Files::__set_reassembly_buffer(FakNcS1Jfe01uljb3, 524288) -1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=]) -1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, 
resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) -1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=]) -1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288) +1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 
secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, 
bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288) 1362692527.009512 | HookCallFunction HTTP::code_in_range(200, 100, 199) -1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, 
info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, 
range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, 
resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) -1362692527.009512 
| HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, 
orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) -1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, 
range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes) -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive) -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705) -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, 
orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT) -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0") -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100) -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, 
range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT) +1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, 
proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0") +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, 
info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT) 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)) 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8) -1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK) +1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 
200, OK) 1362692527.009512 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692527.009512 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) 1362692527.009512 | HookCallFunction split_string_all(HTTP, <...>/) 1362692527.009512 | HookDrainEvents -1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) -1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookQueueEvent 
get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), 
request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, 
status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0") -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT) +1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, 
response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, 
ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, 
socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=], F, ETAG, "1261-4c870358a6fc0") +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT) 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)) 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8) -1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, 
orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK) +1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK) 1362692527.009721 MetaHookPost DrainEvents() -> 1362692527.009721 MetaHookPost UpdateNetworkTime(1362692527.009721) -> 1362692527.009721 MetaHookPre DrainEvents() 
@@ -2743,8 +2821,8 @@ 1362692527.009775 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> 1362692527.009775 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> 1362692527.009775 MetaHookPost CallFunction(HTTP::code_in_range, , (200, 100, 199)) -> -1362692527.009775 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009775 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009775 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, 
sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009775 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009775 MetaHookPost CallFunction(Log::__write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) -> 1362692527.009775 MetaHookPost CallFunction(Log::__write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> 1362692527.009775 MetaHookPost CallFunction(Log::write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) -> 
@@ -2753,9 +2831,9 @@ 1362692527.009775 MetaHookPost CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) -> 1362692527.009775 MetaHookPost CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> 1362692527.009775 MetaHookPost CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> -1362692527.009775 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009775 MetaHookPost CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009775 MetaHookPost CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> +1362692527.009775 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], 
current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009775 MetaHookPost CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009775 MetaHookPost CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> 1362692527.009775 MetaHookPost CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692527.009775 MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.009775 MetaHookPost DrainEvents() -> 
@@ -2765,15 +2843,15 @@ 1362692527.009775 MetaHookPost LogWrite(Log::WRITER_ASCII, default, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, ) -> true 1362692527.009775 MetaHookPost QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) -> false 1362692527.009775 MetaHookPost QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> false -1362692527.009775 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false -1362692527.009775 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 
F)) -> false -1362692527.009775 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false +1362692527.009775 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009775 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009775 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false 1362692527.009775 MetaHookPost UpdateNetworkTime(1362692527.009775) -> 1362692527.009775 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, 
source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre CallFunction(HTTP::code_in_range, , (200, 100, 199)) -1362692527.009775 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009775 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre CallFunction(HTTP::set_state, , 
([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009775 MetaHookPre CallFunction(Log::__write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) 1362692527.009775 MetaHookPre CallFunction(Log::__write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) 1362692527.009775 MetaHookPre CallFunction(Log::write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) 
@@ -2782,9 +2860,9 @@ 1362692527.009775 MetaHookPre CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) 1362692527.009775 MetaHookPre CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -1362692527.009775 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009775 MetaHookPre CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009775 MetaHookPre CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) +1362692527.009775 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, 
orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) 1362692527.009775 MetaHookPre CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692527.009775 MetaHookPre CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.009775 MetaHookPre DrainEvents() 
@@ -2794,16 +2872,16 @@ 1362692527.009775 MetaHookPre LogWrite(Log::WRITER_ASCII, default, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, ) 1362692527.009775 MetaHookPre QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) 1362692527.009775 MetaHookPre QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -1362692527.009775 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009775 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009775 MetaHookPre 
QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) +1362692527.009775 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) 1362692527.009775 MetaHookPre UpdateNetworkTime(1362692527.009775) 1362692527.009775 | HookUpdateNetworkTime 1362692527.009775 1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, 
conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookCallFunction HTTP::code_in_range(200, 100, 199) -1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, 
resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009775 | HookCallFunction Log::__write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]) 1362692527.009775 | HookCallFunction Log::__write(HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]) 1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]) 
@@ -2812,9 +2890,9 @@ 1362692527.009775 | HookCallFunction file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T]) 1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) -1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009775 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009775 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]) +1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, 
trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009775 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009775 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]) 1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) 1362692527.009775 | HookDrainEvents 
@@ -2824,9 +2902,9 @@ 1362692527.009775 | HookLogWrite http [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, trans_depth=1, method=GET, host=bro.org, uri=<...>/plain] 1362692527.009775 | HookQueueEvent file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T]) 1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) -1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009775 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]) +1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, 
[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009775 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]) 1362692527.009855 MetaHookPost DrainEvents() -> 1362692527.009855 MetaHookPost UpdateNetworkTime(1362692527.009855) -> 1362692527.009855 MetaHookPre DrainEvents() 
@@ -2852,20 +2930,20 @@ 1362692527.080828 | HookUpdateNetworkTime 1362692527.080828 1362692527.080828 | HookDrainEvents 1362692527.080972 MetaHookPost CallFunction(ChecksumOffloading::check, , ()) -> -1362692527.080972 MetaHookPost CallFunction(Conn::conn_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp)) -> -1362692527.080972 MetaHookPost CallFunction(Conn::determine_service, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> -1362692527.080972 MetaHookPost CallFunction(Conn::set_conn, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692527.080972 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692527.080972 MetaHookPost CallFunction(KRB::do_log, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, 
trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> -1362692527.080972 MetaHookPost CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692527.080972 MetaHookPost CallFunction(Conn::conn_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp)) -> +1362692527.080972 MetaHookPost CallFunction(Conn::determine_service, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692527.080972 MetaHookPost CallFunction(Conn::set_conn, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692527.080972 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], 
irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692527.080972 MetaHookPost CallFunction(KRB::do_log, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692527.080972 MetaHookPost CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692527.080972 MetaHookPost CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) -> 1362692527.080972 MetaHookPost CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) -> 1362692527.080972 MetaHookPost CallFunction(bro_done, , ()) -> 1362692527.080972 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.080972 MetaHookPost 
CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692527.080972 MetaHookPost CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692527.080972 MetaHookPost CallFunction(filter_change_tracking, , ()) -> 1362692527.080972 MetaHookPost CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> -1362692527.080972 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692527.080972 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 1362692527.080972 MetaHookPost CallFunction(get_net_stats, , ()) -> 1362692527.080972 MetaHookPost CallFunction(get_port_transport_proto, , (80/tcp)) -> 1362692527.080972 MetaHookPost CallFunction(id_string, , 
([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 
@@ -2880,25 +2958,25 @@ 1362692527.080972 MetaHookPost LogWrite(Log::WRITER_ASCII, default, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, ) -> true 1362692527.080972 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false 1362692527.080972 MetaHookPost QueueEvent(bro_done()) -> false -1362692527.080972 MetaHookPost QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false +1362692527.080972 MetaHookPost QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false 1362692527.080972 MetaHookPost QueueEvent(filter_change_tracking()) -> false -1362692527.080972 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false +1362692527.080972 
MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false 1362692527.080972 MetaHookPost UpdateNetworkTime(1362692527.080972) -> 1362692527.080972 MetaHookPre CallFunction(ChecksumOffloading::check, , ()) -1362692527.080972 MetaHookPre CallFunction(Conn::conn_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp)) -1362692527.080972 MetaHookPre CallFunction(Conn::determine_service, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -1362692527.080972 MetaHookPre CallFunction(Conn::set_conn, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692527.080972 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, 
radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692527.080972 MetaHookPre CallFunction(KRB::do_log, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -1362692527.080972 MetaHookPre CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692527.080972 MetaHookPre CallFunction(Conn::conn_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp)) +1362692527.080972 MetaHookPre CallFunction(Conn::determine_service, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692527.080972 MetaHookPre CallFunction(Conn::set_conn, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, 
smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre CallFunction(KRB::do_log, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692527.080972 MetaHookPre CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) 1362692527.080972 MetaHookPre CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, 
resp_ip_bytes=5379, tunnel_parents=])) 1362692527.080972 MetaHookPre CallFunction(bro_done, , ()) 1362692527.080972 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.080972 MetaHookPre CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692527.080972 MetaHookPre CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre CallFunction(filter_change_tracking, , ()) 1362692527.080972 MetaHookPre CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -1362692527.080972 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, 
socks=, ssh=, syslog=], T)) 1362692527.080972 MetaHookPre CallFunction(get_net_stats, , ()) 1362692527.080972 MetaHookPre CallFunction(get_port_transport_proto, , (80/tcp)) 1362692527.080972 MetaHookPre CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 
@@ -2913,26 +2991,26 @@ 1362692527.080972 MetaHookPre LogWrite(Log::WRITER_ASCII, default, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, ) 1362692527.080972 MetaHookPre QueueEvent(ChecksumOffloading::check()) 1362692527.080972 MetaHookPre QueueEvent(bro_done()) -1362692527.080972 MetaHookPre QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692527.080972 MetaHookPre QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre QueueEvent(filter_change_tracking()) -1362692527.080972 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, 
[id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692527.080972 MetaHookPre UpdateNetworkTime(1362692527.080972) 1362692527.080972 | HookUpdateNetworkTime 1362692527.080972 1362692527.080972 | HookCallFunction ChecksumOffloading::check() -1362692527.080972 | HookCallFunction Conn::conn_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp) -1362692527.080972 | HookCallFunction Conn::determine_service([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) -1362692527.080972 | HookCallFunction Conn::set_conn([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, 
ssh=, syslog=], T) -1362692527.080972 | HookCallFunction KRB::do_log([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) -1362692527.080972 | HookCallFunction KRB::fill_in_subjects([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692527.080972 | HookCallFunction Conn::conn_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp) +1362692527.080972 | HookCallFunction Conn::determine_service([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692527.080972 | HookCallFunction Conn::set_conn([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, 
orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692527.080972 | HookCallFunction KRB::do_log([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692527.080972 | HookCallFunction KRB::fill_in_subjects([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookCallFunction Log::__write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=]) 1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=]) 1362692527.080972 | HookCallFunction bro_done() 1362692527.080972 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 
141.142.228.5:59856 > 192.150.187.43:80) -1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookCallFunction filter_change_tracking() 1362692527.080972 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) -1362692527.080972 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692527.080972 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692527.080972 | HookCallFunction get_net_stats() 1362692527.080972 | HookCallFunction get_port_transport_proto(80/tcp) 1362692527.080972 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 
@@ -2947,6 +3025,6 @@ 1362692527.080972 | HookLogWrite conn [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=] 1362692527.080972 | HookQueueEvent ChecksumOffloading::check() 1362692527.080972 | HookQueueEvent bro_done() -1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookQueueEvent filter_change_tracking() -1362692527.080972 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692527.080972 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, 
trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/dce_rpc.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/dce_rpc.log index 578ac1c0d3..1efbd46b3c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/dce_rpc.log +++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/dce_rpc.log 
@@ -3,19 +3,19 @@ #empty_field (empty) #unset_field - #path dce_rpc -#open 2016-10-08-03-48-34 +#open 2018-08-16-22-09-39 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p rtt named_pipe endpoint operation #types time string addr port addr port interval string string string -1056991898.891148 CmES5u32sYpV7JYN 192.168.0.173 1066 192.168.0.2 135 0.000375 135 epmapper ept_map -1056991898.895146 CP5puj4I8PtEU4qzYg 192.168.0.173 1067 192.168.0.2 4997 0.000749 4997 nspi NspiBind -1056991898.902393 C37jN32gN3y3AZzyf6 192.168.0.173 1068 192.168.0.2 4997 0.026606 4997 nspi NspiBind -1056991898.931248 C3eiCBGOLw3VtHfOj 192.168.0.173 1069 192.168.0.2 135 0.000500 135 epmapper ept_lookup -1056991899.586840 C0LAHyvtKSQHyJxIl 192.168.0.173 1072 192.168.0.2 135 0.000374 135 epmapper ept_map -1056991899.594336 CFLRIC3zaTU1loLGxh 192.168.0.173 1073 192.168.0.2 1032 0.031980 1032 exchange_mapi EcDoConnect -1056991899.626566 CFLRIC3zaTU1loLGxh 192.168.0.173 1073 192.168.0.2 1032 0.024359 1032 exchange_mapi EcDoRpc -1056991899.652798 CFLRIC3zaTU1loLGxh 192.168.0.173 1073 192.168.0.2 1032 0.001374 1032 exchange_mapi EcDoRpc -1056991899.655922 CFLRIC3zaTU1loLGxh 192.168.0.173 1073 192.168.0.2 1032 0.000999 1032 exchange_mapi EcDoRpc -1056991899.658670 CFLRIC3zaTU1loLGxh 192.168.0.173 1073 192.168.0.2 1032 0.001624 1032 exchange_mapi EcDoRpc -1056991899.660794 CFLRIC3zaTU1loLGxh 192.168.0.173 1073 192.168.0.2 1032 0.003998 1032 exchange_mapi EcRRegisterPushNotification -1056991899.707516 CFLRIC3zaTU1loLGxh 192.168.0.173 1073 192.168.0.2 1032 0.003998 1032 exchange_mapi EcRRegisterPushNotification -#close 2016-10-08-03-48-34 +1056991898.891148 C37jN32gN3y3AZzyf6 192.168.0.173 1066 192.168.0.2 135 0.000375 135 epmapper ept_map +1056991898.895146 C3eiCBGOLw3VtHfOj 192.168.0.173 1067 192.168.0.2 4997 0.000749 4997 nspi NspiBind +1056991898.902393 CwjjYJ2WqgTbAqiHl6 192.168.0.173 1068 192.168.0.2 4997 0.026606 4997 nspi NspiBind +1056991898.931248 CFLRIC3zaTU1loLGxh 192.168.0.173 1069 
192.168.0.2 135 0.000500 135 epmapper ept_lookup +1056991899.586840 Ck51lg1bScffFj34Ri 192.168.0.173 1072 192.168.0.2 135 0.000374 135 epmapper ept_map +1056991899.594336 C9mvWx3ezztgzcexV7 192.168.0.173 1073 192.168.0.2 1032 0.031980 1032 exchange_mapi EcDoConnect +1056991899.626566 C9mvWx3ezztgzcexV7 192.168.0.173 1073 192.168.0.2 1032 0.024359 1032 exchange_mapi EcDoRpc +1056991899.652798 C9mvWx3ezztgzcexV7 192.168.0.173 1073 192.168.0.2 1032 0.001374 1032 exchange_mapi EcDoRpc +1056991899.655922 C9mvWx3ezztgzcexV7 192.168.0.173 1073 192.168.0.2 1032 0.000999 1032 exchange_mapi EcDoRpc +1056991899.658670 C9mvWx3ezztgzcexV7 192.168.0.173 1073 192.168.0.2 1032 0.001624 1032 exchange_mapi EcDoRpc +1056991899.660794 C9mvWx3ezztgzcexV7 192.168.0.173 1073 192.168.0.2 1032 0.003998 1032 exchange_mapi EcRRegisterPushNotification +1056991899.707516 C9mvWx3ezztgzcexV7 192.168.0.173 1073 192.168.0.2 1032 0.003998 1032 exchange_mapi EcRRegisterPushNotification +#close 2018-08-16-22-09-39 diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/ntlm.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/ntlm.log index ffe3248400..7087b0c7dd 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/ntlm.log +++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/ntlm.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path ntlm -#open 2016-10-08-03-48-34 +#open 2018-08-16-22-12-09 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username hostname domainname success status #types time string addr port addr port string string string bool string -1056991898.902392 C37jN32gN3y3AZzyf6 192.168.0.173 1068 192.168.0.2 4997 ALeonard ALEONARD-XP CNAMIS - - -1056991899.594334 CFLRIC3zaTU1loLGxh 192.168.0.173 1073 192.168.0.2 1032 ALeonard ALEONARD-XP CNAMIS - - -#close 2016-10-08-03-48-34 +1056991898.902392 CwjjYJ2WqgTbAqiHl6 192.168.0.173 1068 192.168.0.2 4997 ALeonard ALEONARD-XP CNAMIS - - +1056991899.594334 C9mvWx3ezztgzcexV7 192.168.0.173 1073 192.168.0.2 1032 ALeonard ALEONARD-XP CNAMIS - - +#close 2018-08-16-22-12-09 diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log index 70ed522a0d..87acb7a49c 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log 
@@ -4,60 +4,60 @@ 1254722767.492060 ChecksumOffloading::check 1254722767.492060 filter_change_tracking 1254722767.492060 new_connection - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1254722767.492060 dns_message - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, 
tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0] [3] len: count = 34 1254722767.492060 dns_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=, qclass=, qclass_name=, qtype=, 
qtype_name=, rcode=, rcode_name=, AA=F, TC=F, RD=F, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=, qclass=, qclass_name=, qtype=, qtype_name=, rcode=, rcode_name=, AA=F, TC=F, RD=F, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F]\x0a\x09}, settings=[max_len=], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=, qclass=, qclass_name=, qtype=, qtype_name=, rcode=, rcode_name=, AA=F, TC=F, RD=F, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=, qclass=, qclass_name=, qtype=, 
qtype_name=, rcode=, rcode_name=, AA=F, TC=F, RD=F, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F]\x0a\x09}, settings=[max_len=], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0] [2] query: string = mail.patriots.in [3] qtype: count = 1 [4] qclass: count = 1 1254722767.492060 protocol_confirmation - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, 
total_answers=, total_replies=, saw_query=F, saw_reply=F]\x0a\x09}, settings=[max_len=], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F]\x0a\x09}, settings=[max_len=], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] atype: enum = Analyzer::ANALYZER_DNS 
[2] aid: count = 3 1254722767.492060 dns_end - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, service={\x0aDNS\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F]\x0a\x09}, settings=[max_len=], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.0, 
service={\x0aDNS\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=F, saw_reply=F]\x0a\x09}, settings=[max_len=], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=F, AA=F, TC=F, RD=T, RA=F, Z=0, num_queries=1, num_answers=0, num_auth=0, num_addl=0] 1254722767.526085 dns_message - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, 
dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=T, saw_reply=F]\x0a\x09}, settings=[max_len=], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, 
total_replies=, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x09[31062] = [initialized=T, vals={\x0a\x09\x09[0] = [ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=, rcode_name=, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=, total_replies=, saw_query=T, saw_reply=F]\x0a\x09}, settings=[max_len=], top=1, bottom=0, size=0]\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [3] len: count = 100 1254722767.526085 dns_CNAME_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, 
ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=F, Z=0, answers=, TTLs=, rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [2] ans: dns_answer = [answer_type=1, query=mail.patriots.in, qtype=5, qclass=1, TTL=3.0 hrs 27.0 secs] [3] name: string = patriots.in 1254722767.526085 dns_A_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, 
service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.0 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.0 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in], TTLs=[3.0 hrs 27.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, 
mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] [2] ans: dns_answer = [answer_type=1, query=patriots.in, qtype=1, qclass=1, TTL=3.0 hrs 28.0 secs] [3] a: addr = 74.53.140.153 1254722767.526085 dns_end - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.0 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, 
service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=[ts=1254722767.49206, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=34.0 msecs 24.0 usecs, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=0, rcode_name=NOERROR, AA=F, TC=F, RD=T, RA=T, Z=0, answers=[patriots.in, 74.53.140.153], TTLs=[3.0 hrs 27.0 secs, 3.0 hrs 28.0 secs], rejected=F, total_answers=2, total_replies=4, saw_query=T, saw_reply=F], dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] msg: dns_msg = [id=31062, opcode=0, rcode=0, QR=T, AA=F, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=2, num_auth=2, num_addl=0] 1254722767.529046 new_connection - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.0, service={\x0a\x0a}, history=, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, 
l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.0, service={\x0a\x0a}, history=, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1254722767.875996 connection_established - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.34695, service={\x0a\x0a}, history=Sh, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.34695, service={\x0a\x0a}, history=Sh, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, 
rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1254722768.219663 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -65,7 +65,7 @@ [5] cont_resp: bool = T 1254722768.219663 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, 
modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -73,7 +73,7 @@ [5] cont_resp: bool = T 1254722768.219663 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, 
mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -81,18 +81,18 @@ [5] cont_resp: bool = F 1254722768.224809 protocol_confirmation - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.695763, service={\x0a\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.695763, service={\x0a\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, 
rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] atype: enum = Analyzer::ANALYZER_SMTP [2] aid: count = 7 1254722768.224809 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.695763, service={\x0aSMTP\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, 
resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.695763, service={\x0aSMTP\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = EHLO [3] arg: string = GP 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, 
smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -100,7 +100,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, 
mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -108,7 +108,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, 
rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -116,7 +116,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, 
rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -124,7 +124,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, 
rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -132,7 +132,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, 
rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -140,13 +140,13 @@ [5] cont_resp: bool = F 1254722768.568729 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.039683, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.039683, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, 
rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = AUTH [3] arg: string = LOGIN 1254722768.911081 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382035, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, 
resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382035, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 334 [3] cmd: string = AUTH 
@@ -154,13 +154,13 @@ [5] cont_resp: bool = F 1254722768.911655 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382609, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382609, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, 
radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = ** [3] arg: string = Z3VycGFydGFwQHBhdHJpb3RzLmlu 1254722769.253544 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.724498, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = 
[id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.724498, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 334 [3] cmd: string = AUTH_ANSWER 
@@ -168,13 +168,13 @@ [5] cont_resp: bool = F 1254722769.254118 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.725072, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.725072, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, 
radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = ** [3] arg: string = cHVuamFiQDEyMw== 1254722769.613798 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.084752, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, 
orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.084752, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 235 [3] cmd: string = AUTH_ANSWER 
@@ -182,13 +182,13 @@ [5] cont_resp: bool = F 1254722769.614414 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.085368, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.085368, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, 
ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = MAIL [3] arg: string = FROM: 1254722769.956765 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.427719, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + 
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.427719, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = MAIL 
@@ -196,13 +196,13 @@ [5] cont_resp: bool = F 1254722769.957250 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.428204, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.428204, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, 
ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = RCPT [3] arg: string = TO: 1254722770.319708 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.790662, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, 
syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.790662, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = RCPT 
@@ -210,16 +210,16 @@ [5] cont_resp: bool = F 1254722770.320203 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, 
irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = DATA [3] arg: string = 1254722770.320203 mime_begin_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], 
smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] 1254722770.661679 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.132633, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, 
dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.132633, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], 
smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 354 [3] cmd: string = DATA 
@@ -227,243 +227,243 @@ [5] cont_resp: bool = F 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=FROM, value="Gurpartap Singh" ] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from="Gurpartap Singh" , to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from="Gurpartap Singh" , to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=TO, value=] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=SUBJECT, value=SMTP] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=DATE, value=Mon, 5 Oct 2009 11:36:07 +0530] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=MESSAGE-ID, value=<000301ca4581$ef9e57f0$cedb07d0$@in>] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=MIME-VERSION, value=1.0] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TYPE, value=multipart/mixed;\x09boundary="----=_NextPart_000_0004_01CA45B0.095693F0"] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=X-MAILER, value=Microsoft Office Outlook 12.0] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=THREAD-INDEX, value=AcpFgem9BvjjZEDeR1Kh8i+hUyVo0A==] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-LANGUAGE, value=en-us] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=X-CR-HASHEDPUZZLE, value=SeA= AAR2 ADaH BpiO C4G1 D1gW FNB1 FPkR Fn+W HFCP HnYJ JO7s Kum6 KytW LFcI LjUt;1;cgBhAGoAXwBkAGUAbwBsADIAMAAwADIAaQBuAEAAeQBhAGgAbwBvAC4AYwBvAC4AaQBuAA==;Sosha1_v1;7;{CAA37F59-1850-45C7-8540-AA27696B5398};ZwB1AHIAcABhAHIAdABhAHAAQABwAGEAdAByAGkAbwB0AHMALgBpAG4A;Mon, 05 Oct 2009 06:06:01 GMT;UwBNAFQAUAA=] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=X-CR-PUZZLEID, value={CAA37F59-1850-45C7-8540-AA27696B5398}] 1254722770.692743 mime_begin_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=2], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=2], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TYPE, value=multipart/alternative;\x09boundary="----=_NextPart_001_0005_01CA45B0.095693F0"] 1254722770.692743 mime_begin_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=2], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=2], socks=, ssh=, syslog=] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain;\x09charset="us-ascii"] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=7bit] 1254722770.692743 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722770.692743 file_new - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1254722770.692743 file_over_new_connection - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, 
first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, 
x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722770.692743 mime_end_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] 1254722770.692743 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722770.692743 file_sniff - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, 
id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T] 1254722770.692743 file_state_remove - [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, 
l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fel9gs4OtNEV6gUJZ5, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, 
uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Hello\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aI send u smtp pcap file \x0d\x0a\x0d\x0aFind the attachment\x0d\x0a\x0d\x0a \x0d\x0a\x0d\x0aGPS\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Fel9gs4OtNEV6gUJZ5, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=3, analyzers={\x0a\x0a}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=77, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1254722770.692743 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, 
service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], 
trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722770.692743 mime_begin_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=3], socks=, ssh=, syslog=] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/html;\x09charset="us-ascii"] 1254722770.692743 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable] 1254722770.692743 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722770.692743 file_new - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1254722770.692743 file_over_new_connection - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, 
x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692743, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=1610, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163697, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, 
subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722770.692804 mime_end_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722770.692804 file_sniff - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a

      \x0d\x0a\x0d\x0a

      Hello

      \x0d\x0a\x0d\x0a

       

      \x0d\x0a\x0d\x0a

      I send u smtp pcap file

      \x0d\x0a\x0d\x0a

      Find the attachment

      \x0d\x0a\x0d\x0a

       

      \x0d\x0a\x0d\x0a

      GPS

      \x0d\x0a\x0d\x0a
      \x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a
      \x0d\x0a\x0d\x0a

      Hello

      \x0d\x0a\x0d\x0a

       

      \x0d\x0a\x0d\x0a

      I send u smtp pcap file

      \x0d\x0a\x0d\x0a

      Find the attachment

      \x0d\x0a\x0d\x0a

       

      \x0d\x0a\x0d\x0a

      GPS

      \x0d\x0a\x0d\x0a
      \x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] meta: fa_metadata = [mime_type=text/html, mime_types=[[strength=100, mime=text/html], [strength=20, mime=text/html], [strength=-20, mime=text/plain]], inferred=T] 1254722770.692804 file_state_remove - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, 
x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a
      \x0d\x0a\x0d\x0a

      Hello

      \x0d\x0a\x0d\x0a

       

      \x0d\x0a\x0d\x0a

      I send u smtp pcap file

      \x0d\x0a\x0d\x0a

      Find the attachment

      \x0d\x0a\x0d\x0a

       

      \x0d\x0a\x0d\x0a

      GPS

      \x0d\x0a\x0d\x0a
      \x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=text/html, filename=, duration=61.0 usecs, local_orig=, is_orig=T, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a
      \x0d\x0a\x0d\x0a

      Hello

      \x0d\x0a\x0d\x0a

       

      \x0d\x0a\x0d\x0a

      I send u smtp pcap file

      \x0d\x0a\x0d\x0a

      Find the attachment

      \x0d\x0a\x0d\x0a

       

      \x0d\x0a\x0d\x0a

      GPS

      \x0d\x0a\x0d\x0a
      \x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=text/html, filename=, duration=61.0 usecs, local_orig=, is_orig=T, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722770.692804 mime_end_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722770.692804 mime_begin_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] 1254722770.692804 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain;\x09name="NEWS.txt"] 1254722770.692804 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable] 1254722770.692804 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-DISPOSITION, value=attachment;\x09filename="NEWS.txt"] 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722770.692804 file_new - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1254722770.692804 file_over_new_connection - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, 
in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, 
msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722770.695115 new_connection - [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=1254722770.695115, duration=0.0, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=1254722770.695115, duration=0.0, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=] 1254722771.494181 file_sniff - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a - Strip executable\x0d\x0a - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify 
value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added 
possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a compiler: -D__DEBUG__\x0d\x0a* Each project creates a _private.h file containing version\x0d\x0a information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, 
num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a - Strip executable\x0d\x0a - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify 
value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added 
possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a compiler: -D__DEBUG__\x0d\x0a* Each project creates a _private.h file containing version\x0d\x0a information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T] 1254722771.858334 mime_end_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, 
num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722771.858334 file_state_remove - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a\x09}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a - Strip executable\x0d\x0a - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During 
Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a 
Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a compiler: -D__DEBUG__\x0d\x0a* Each project creates a _private.h file containing version\x0d\x0a information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=, is_orig=T, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, 
num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a\x09}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a - Strip executable\x0d\x0a - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During 
Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a 
Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a compiler: -D__DEBUG__\x0d\x0a* Each project creates a _private.h file containing version\x0d\x0a information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=, is_orig=T, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], 
resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722771.858334 mime_end_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722771.858334 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = . [3] arg: string = . 
1254722772.248789 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.719743, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.719743, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = . 
@@ -471,13 +471,13 @@ [5] cont_resp: bool = F 1254722774.763825 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.234779, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.234779, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, 
radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = QUIT [3] arg: string = 1254722775.105467 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576421, service={\x0aSMTP\x0a}, history=ShAdDaTF, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, 
resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576421, service={\x0aSMTP\x0a}, history=ShAdDaTF, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 221 [3] cmd: string = QUIT 
@@ -485,36 +485,36 @@ [5] cont_resp: bool = F 1254722776.690444 new_connection - [0] c: connection = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:02:3f:ec:61:11], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=ff:ff:ff:ff:ff:ff], start_time=1254722776.690444, duration=0.0, service={\x0a\x0a}, history=, uid=CtPZjS20MLrsMUOJi2, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:02:3f:ec:61:11], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=ff:ff:ff:ff:ff:ff], start_time=1254722776.690444, duration=0.0, service={\x0a\x0a}, history=, uid=CtPZjS20MLrsMUOJi2, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831776.764391 ChecksumOffloading::check 1437831776.764391 connection_state_remove - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, 
uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831776.764391 connection_state_remove - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=5, num_pkts=25, num_bytes_ip=1546, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576953, service={\x0aSMTP\x0a}, history=ShAdDaTFf, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, 
uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=5, num_pkts=25, num_bytes_ip=1546, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576953, service={\x0aSMTP\x0a}, history=ShAdDaTFf, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] 1437831776.764391 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], 
orig=[size=2192, state=1, num_pkts=4, num_bytes_ip=2304, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=1254722770.695115, duration=0.001519, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=2192, state=1, num_pkts=4, num_bytes_ip=2304, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=1254722770.695115, duration=0.001519, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831776.764391 connection_state_remove - [0] c: connection = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=201, state=1, num_pkts=1, num_bytes_ip=229, flow_label=0, l2_addr=00:02:3f:ec:61:11], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=ff:ff:ff:ff:ff:ff], start_time=1254722776.690444, duration=0.0, service={\x0a\x0a}, history=D, uid=CtPZjS20MLrsMUOJi2, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, 
http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=201, state=1, num_pkts=1, num_bytes_ip=229, flow_label=0, l2_addr=00:02:3f:ec:61:11], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=ff:ff:ff:ff:ff:ff], start_time=1254722776.690444, duration=0.0, service={\x0a\x0a}, history=D, uid=CtPZjS20MLrsMUOJi2, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831776.764391 filter_change_tracking 1437831776.764391 new_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.0, service={\x0a\x0a}, history=, uid=CUM0KZ3MLUfNB0cl11, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], 
start_time=1437831776.764391, duration=0.0, service={\x0a\x0a}, history=, uid=CUM0KZ3MLUfNB0cl11, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831777.107399 partial_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.343008, service={\x0a\x0a}, history=Da, uid=CUM0KZ3MLUfNB0cl11, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.343008, service={\x0a\x0a}, history=Da, uid=CUM0KZ3MLUfNB0cl11, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831787.856895 
new_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.0, service={\x0a\x0a}, history=, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.0, service={\x0a\x0a}, history=, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831787.861602 connection_established - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.004707, service={\x0a\x0a}, history=Sh, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, 
thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.004707, service={\x0a\x0a}, history=Sh, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831787.867142 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.010247, service={\x0a\x0a}, history=ShAd, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], 
resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.010247, service={\x0a\x0a}, history=ShAd, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -522,18 +522,18 @@ [5] cont_resp: bool = F 1437831787.883306 protocol_confirmation - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.026411, service={\x0a\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.026411, service={\x0a\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, 
modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] atype: enum = Analyzer::ANALYZER_SMTP [2] aid: count = 21 1437831787.883306 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.026411, service={\x0aSMTP\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, 
mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.026411, service={\x0aSMTP\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = EHLO [3] arg: string = [192.168.133.100] 1437831787.886281 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, 
dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], 
smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -541,7 +541,7 @@ [5] cont_resp: bool = T 1437831787.886281 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, 
krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -549,7 +549,7 @@ [5] cont_resp: bool = T 1437831787.886281 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, 
krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -557,7 +557,7 @@ [5] cont_resp: bool = T 1437831787.886281 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, 
irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -565,13 +565,13 @@ [5] cont_resp: bool = F 1437831787.887031 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.030136, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.030136, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, 
krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = MAIL [3] arg: string = FROM: 1437831787.889785 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.03289, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], 
messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.03289, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = MAIL 
@@ -579,13 +579,13 @@ [5] cont_resp: bool = F 1437831787.890232 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.033337, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.033337, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, 
http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = RCPT [3] arg: string = TO: 1437831787.892986 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036091, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, 
has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036091, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = RCPT 
@@ -593,13 +593,13 @@ [5] cont_resp: bool = F 1437831787.893587 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036692, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036692, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, 
ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = RCPT [3] arg: string = TO: 1437831787.897624 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.040729, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, 
path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.040729, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = RCPT 
@@ -607,13 +607,13 @@ [5] cont_resp: bool = F 1437831787.898413 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.041518, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.041518, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, 
dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = RCPT [3] arg: string = TO: 1437831787.901069 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044174, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, 
x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044174, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = RCPT 
@@ -621,16 +621,16 @@ [5] cont_resp: bool = F 1437831787.901697 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, 
dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = DATA [3] arg: string = 1437831787.901697 mime_begin_entity - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, 
from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] 1437831787.904758 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, 
l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.047863, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.047863, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, 
id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 354 [3] cmd: string = DATA 
@@ -638,104 +638,104 @@ [5] cont_resp: bool = F 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, 
dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain; charset=us-ascii] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, 
rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=MIME-VERSION, value=1.0 (Mac OS X 
Mail 8.2 \(2102\))] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, 
dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=SUBJECT, value=Re: Bro SMTP CC Header] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, 
rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec 
= [name=FROM, value=Albert Zaharovits ] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=Albert Zaharovits , to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, 
extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=Albert Zaharovits , to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=IN-REPLY-TO, value=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], 
trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=Albert Zaharovits , to=, cc=, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=Albert Zaharovits , to=, cc=, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, 
process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=DATE, value=Sat, 25 Jul 2015 16:43:07 +0300] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc=, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, 
num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc=, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CC, value=felica4uu@hotmail.com, davis_mark1@outlook.com] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, 
extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, 
helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=7bit] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, 
in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, 
pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=MESSAGE-ID, value=] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, 
num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=REFERENCES, value= <9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, 
thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, 
helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=TO, value=ericlim220@yahoo.com] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, 
cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, 
has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=X-MAILER, value=Apple Mail (2.2102)] 1437831787.905375 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [1] c: connection = 
[id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [2] is_orig: bool = T 1437831787.905375 file_new - [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, 
num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], 
orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1437831787.905375 file_over_new_connection - [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = 
[id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 
secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, 
orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, 
source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [2] is_orig: bool = T 
1437831787.905375 mime_end_entity - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, 
l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] 1437831787.905375 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, 
dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], 
trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [2] is_orig: bool = T 1437831787.905375 file_sniff - [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, 
rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], 
resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, 
conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T] 1437831787.905375 file_state_remove - [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, 
second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, 
http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1437831787.905375 get_file_handle [0] tag: enum = 
Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], 
start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [2] is_orig: bool = F 1437831787.905375 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, 
dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, 
helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [2] is_orig: bool = T 1437831787.905375 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, 
cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail 
(2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [2] is_orig: bool = F 1437831787.905375 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, 
resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = . [3] arg: string = . 
1437831787.914113 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.057218, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], 
start_time=1437831787.856895, duration=0.057218, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = . 
@@ -743,65 +743,65 @@ [5] cont_resp: bool = F 1437831798.533593 new_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.0, service={\x0a\x0a}, history=^, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.0, service={\x0a\x0a}, history=^, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831798.533765 partial_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000172, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, 
tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000172, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831799.262632 new_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.0, service={\x0a\x0a}, history=, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=0, state=0, num_pkts=0, 
num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.0, service={\x0a\x0a}, history=, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831799.410135 partial_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.147503, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.147503, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, 
irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831799.461152 new_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.0, service={\x0a\x0a}, history=, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.0, service={\x0a\x0a}, history=, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831799.610433 connection_established - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], 
start_time=1437831799.461152, duration=0.149281, service={\x0a\x0a}, history=Sh, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.149281, service={\x0a\x0a}, history=Sh, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831799.611764 ssl_extension_server_name - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = 
[id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] names: vector of string = [p31-keyvalueservice.icloud.com] 1437831799.611764 ssl_extension - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, 
server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] code: count = 0 [3] val: string = \x00!\x00\x00\x1ep31-keyvalueservice.icloud.com 1437831799.611764 ssl_extension - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, 
duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, 
logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] code: count = 10 [3] val: string = \x00\x06\x00\x17\x00\x18\x00\x19 1437831799.611764 ssl_extension - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, 
l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] code: count = 11 [3] val: string = \x01\x00 1437831799.611764 ssl_extension - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], 
version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] code: count = 13 [3] val: string = 
\x00\x0a\x05\x01\x04\x01\x02\x01\x04\x03\x02\x03 1437831799.611764 ssl_extension - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, 
ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] code: count = 13172 [3] val: string = 1437831799.611764 protocol_confirmation - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, 
server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] atype: enum = Analyzer::ANALYZER_SSL [2] aid: count = 35 1437831799.611764 ssl_client_hello - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0aSSL\x0a}, history=ShAD, 
uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, 
cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] version: count = 771 [2] possible_ts: time = 1437831799.0 [3] client_random: string = \xd4\xda\xbe{\xfa\xaa\x16\xb2\xe7\x92\x9d\xbf\xe1c\x97\xde\xdca7\x92\x90\xf6\x967\xf7\xec\x1e\xe6 
@@ -809,19 +809,19 @@ [5] ciphers: vector of count = [255, 49188, 49187, 49162, 49161, 49160, 49192, 49191, 49172, 49171, 49170, 49190, 49189, 49157, 49156, 49155, 49194, 49193, 49167, 49166, 49165, 107, 103, 57, 51, 22, 61, 60, 53, 47, 10, 49159, 49169, 49154, 49164, 5, 4] 1437831799.611764 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, 
service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] msg_type: count = 1 [3] length: count = 192 1437831799.764576 ssl_extension - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, 
client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 65281 [3] val: string = \x00 1437831799.764576 ssl_server_hello - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, 
resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, 
resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] version: count = 771 [2] possible_ts: time = 1437831799.0 [3] server_random: string = \xe2RB\xdds\x11\xa9\xd4\x1d\xbc\x8e\xe2]\x09\xc5\xfc\xb1\xedl\xed\x17\xb2?a\xac\x81QM 
@@ -830,209 +830,209 @@ [6] comp_method: count = 0 1437831799.764576 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, 
dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg_type: count = 2 [3] length: count = 77 1437831799.764576 file_new - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, 
client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, 
subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 file_over_new_connection - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, 
socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] f: fa_file 
= [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, 
parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [2] is_orig: bool = F 1437831799.764576 file_sniff - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, 
l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, 
resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] meta: fa_metadata = 
[mime_type=application/x-x509-user-cert, mime_types=, inferred=F] 1437831799.764576 file_hash - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, 
client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, 
last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] kind: string = sha1 [2] hash: string = f5ccb1a724133607548b00d8eb402efca3076d58 1437831799.764576 x509_certificate - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, 
resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, 
timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, 
rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] cert_ref: opaque of x509 = [2] cert: X509::Certificate = [version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=] 1437831799.764576 
x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST 
CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, 
resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, 
key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, 
parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, 
not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - 
URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, 
subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, 
sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, 
conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, 
mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, 
id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, 
http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE] 1437831799.764576 x509_ext_basic_constraints - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, 
conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, 
sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, 
rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, 
rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::BasicConstraints = [ca=F, path_len=] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, 
duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, 
sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, 
sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, 
thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, 
value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, 
mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, 
tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a 
CPS: http://www.apple.com/certificateauthority/rpa\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, 
tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, 
http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification 
Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, 
conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 CRL 
Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, 
serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable 
terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, 
local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], 
client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, 
client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by 
any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, 
extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, 
uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], 
[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, 
sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Extended 
Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, 
subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], 
client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], 
[name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, 
client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by 
any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, 
not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com] 1437831799.764576 x509_ext_subject_alternative_name - [0] f: fa_file = 
[id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, 
not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, 
client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, 
oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, 
server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 
1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, 
serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, 
path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::SubjectAlternativeName = [dns=[*.icloud.com], uri=, email=, ip=, other_fields=F] 1437831799.764576 file_hash - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, 
id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, 
critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, 
short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, 
extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, 
oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, 
source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, 
short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] kind: string = md5 [2] hash: string = 1bf9696d9f337805383427e88781d001 1437831799.764576 file_state_remove - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, 
rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, 
oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, 
conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, 
not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, 
issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 file_new - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, 
ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, 
oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], 
orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority 
Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, 
snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 file_over_new_connection - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, 
md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server 
Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, 
cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, 
critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, 
dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, 
critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, 
duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, 
path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [2] is_orig: bool = F 1437831799.764576 file_sniff - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 
secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], 
[name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, 
conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic 
Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, 
conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] meta: fa_metadata = [mime_type=application/x-x509-ca-cert, mime_types=, inferred=F] 1437831799.764576 file_hash - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, 
filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, 
Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: 
fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification 
Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, 
fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] kind: string = sha1 [2] hash: string = 8e8321ca08b08e3726fe1d82996884eeb5f0d655 1437831799.764576 x509_certificate - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, 
l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, 
critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, 
total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, 
dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key 
Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, 
client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] cert_ref: opaque of x509 = [2] cert: X509::Certificate = [version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, 
thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, 
oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, 
issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, 
orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, 
rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, 
subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, 
tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL 
Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], 
client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], 
resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - 
URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, 
missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust 
Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, 
cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: 
http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, 
irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple 
Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], 
[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, 
rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0] 1437831799.764576 x509_ext_basic_constraints - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, 
history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, 
id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, 
certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, 
client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit 
Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::BasicConstraints = [ca=T, path_len=0] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, 
analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], 
[name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, 
extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, 
extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], 
basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, 
missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, 
resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], 
handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, 
analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, 
rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], 
start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, 
short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, 
sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, 
seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], 
start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, 
short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, 
sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, 
conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, 
l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, 
critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, 
total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, 
tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, 
is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, 
not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, 
tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, 
client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a 
URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, 
md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server 
Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], 
[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a] 1437831799.764576 file_hash - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, 
session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User 
Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, 
md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, 
num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, 
short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, 
duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, 
client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], 
[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] kind: string = md5 [2] hash: string = 48f0e38385112eeca5fc9ffd402eaecd 1437831799.764576 file_state_remove - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, 
source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a 
URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, 
value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, 
not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, 
dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic 
Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, 
subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, 
timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 
2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, 
path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 
2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, 
parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, 
TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority 
Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg_type: count = 11 [3] length: count = 2507 1437831799.764576 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, 
tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, 
short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, 
short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, 
resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this 
certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg_type: count = 14 [3] length: count = 0 1437831799.838196 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377044, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, 
extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, 
critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global 
CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, 
num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377044, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 
Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, 
sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=] [1] is_orig: bool = T [2] msg_type: count = 16 [3] length: count = 258 1437831799.838197 ssl_change_cipher_spec - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377045, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, 
not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, 
rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, 
extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377045, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, 
certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], 
san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate 
Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T 1437831800.045701 ssl_change_cipher_spec - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, 
mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, 
value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL 
Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, 
cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], 
[name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], 
[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F 1437831800.045701 ssl_established - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, 
cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, 
critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, 
short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, 
dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key 
Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, 
not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 net_done [0] t: time = 1437831800.217854 1437831800.217854 filter_change_tracking 1437831800.217854 connection_pending - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, 
num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.343008, service={\x0a\x0a}, history=Da, uid=CUM0KZ3MLUfNB0cl11, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.343008, service={\x0a\x0a}, history=Da, uid=CUM0KZ3MLUfNB0cl11, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.343008, service={\x0a\x0a}, history=Da, uid=CUM0KZ3MLUfNB0cl11, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, 
http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.343008, service={\x0a\x0a}, history=Da, uid=CUM0KZ3MLUfNB0cl11, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_pending - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.147503, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], 
start_time=1437831799.262632, duration=0.147503, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.147503, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.147503, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 
1437831800.217854 connection_pending - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=17, num_bytes_ip=1865, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.05732, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.914113, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=1, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=17, num_bytes_ip=1865, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.05732, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, 
ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.914113, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=1, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=17, num_bytes_ip=1865, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.05732, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.914113, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=1, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = 
[id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=17, num_bytes_ip=1865, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.05732, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.914113, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=1, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] 1437831800.217854 connection_pending - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, 
sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, 
uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_pending - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, 
x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, 
oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - 
URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, 
conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a 
URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], 
[name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], 
version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, 
short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, 
extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, 
duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, 
id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, 
rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 bro_done 1437831800.217854 ChecksumOffloading::check diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log index ee7ec709a2..1f69e86325 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log 
@@ -1,5 +1,5 @@ 1254722768.219663 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -7,7 +7,7 @@ [5] cont_resp: bool = T 1254722768.219663 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, 
mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -15,7 +15,7 @@ [5] cont_resp: bool = T 1254722768.219663 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, 
mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -23,13 +23,13 @@ [5] cont_resp: bool = F 1254722768.224809 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.695763, service={\x0aSMTP\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.695763, service={\x0aSMTP\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, 
rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = EHLO [3] arg: string = GP 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, 
orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -37,7 +37,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, 
mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -45,7 +45,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, 
rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -53,7 +53,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, 
rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -61,7 +61,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, 
rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -69,7 +69,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, 
rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -77,13 +77,13 @@ [5] cont_resp: bool = F 1254722768.568729 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.039683, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.039683, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, 
rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = AUTH [3] arg: string = LOGIN 1254722768.911081 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382035, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, 
resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382035, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 334 [3] cmd: string = AUTH 
@@ -91,13 +91,13 @@ [5] cont_resp: bool = F 1254722768.911655 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382609, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382609, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, 
rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = ** [3] arg: string = Z3VycGFydGFwQHBhdHJpb3RzLmlu 1254722769.253544 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.724498, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, 
orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.724498, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 334 [3] cmd: string = AUTH_ANSWER 
@@ -105,13 +105,13 @@ [5] cont_resp: bool = F 1254722769.254118 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.725072, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.725072, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, 
radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = ** [3] arg: string = cHVuamFiQDEyMw== 1254722769.613798 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.084752, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, 
orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.084752, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 235 [3] cmd: string = AUTH_ANSWER 
@@ -119,13 +119,13 @@ [5] cont_resp: bool = F 1254722769.614414 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.085368, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.085368, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, 
ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = MAIL [3] arg: string = FROM: 1254722769.956765 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.427719, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + 
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.427719, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = MAIL 
@@ -133,13 +133,13 @@ [5] cont_resp: bool = F 1254722769.957250 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.428204, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.428204, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, 
ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = RCPT [3] arg: string = TO: 1254722770.319708 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.790662, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, 
syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.790662, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = RCPT 
@@ -147,13 +147,13 @@ [5] cont_resp: bool = F 1254722770.320203 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, 
irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = DATA [3] arg: string = 1254722770.661679 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.132633, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], 
fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.132633, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 354 [3] cmd: string = DATA 
@@ -161,13 +161,13 @@ [5] cont_resp: bool = F 1254722771.858334 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = . [3] arg: string = . 
1254722772.248789 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.719743, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.719743, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = . 
@@ -175,13 +175,13 @@ [5] cont_resp: bool = F 1254722774.763825 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.234779, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.234779, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, 
radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = QUIT [3] arg: string = 1254722775.105467 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576421, service={\x0aSMTP\x0a}, history=ShAdDaTF, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, 
resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576421, service={\x0aSMTP\x0a}, history=ShAdDaTF, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 221 [3] cmd: string = QUIT 
@@ -189,7 +189,7 @@ [5] cont_resp: bool = F 1437831787.867142 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.010247, service={\x0a\x0a}, history=ShAd, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.010247, service={\x0a\x0a}, history=ShAd, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -197,13 +197,13 @@ [5] cont_resp: bool = F 1437831787.883306 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.026411, service={\x0aSMTP\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.026411, service={\x0aSMTP\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, 
modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = EHLO [3] arg: string = [192.168.133.100] 1437831787.886281 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], 
smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -211,7 +211,7 @@ [5] cont_resp: bool = T 1437831787.886281 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, 
krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -219,7 +219,7 @@ [5] cont_resp: bool = T 1437831787.886281 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, 
krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -227,7 +227,7 @@ [5] cont_resp: bool = T 1437831787.886281 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, 
irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -235,13 +235,13 @@ [5] cont_resp: bool = F 1437831787.887031 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.030136, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.030136, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, 
krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = MAIL [3] arg: string = FROM: 1437831787.889785 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.03289, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], 
messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.03289, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = MAIL 
@@ -249,13 +249,13 @@ [5] cont_resp: bool = F 1437831787.890232 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.033337, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.033337, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, 
http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = RCPT [3] arg: string = TO: 1437831787.892986 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036091, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, 
has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036091, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = RCPT 
@@ -263,13 +263,13 @@ [5] cont_resp: bool = F 1437831787.893587 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036692, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036692, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, 
ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = RCPT [3] arg: string = TO: 1437831787.897624 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.040729, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, 
path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.040729, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = RCPT 
@@ -277,13 +277,13 @@ [5] cont_resp: bool = F 1437831787.898413 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.041518, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.041518, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, 
dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = RCPT [3] arg: string = TO: 1437831787.901069 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044174, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, 
x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044174, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = RCPT 
@@ -291,13 +291,13 @@ [5] cont_resp: bool = F 1437831787.901697 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, 
dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = DATA [3] arg: string = 1437831787.904758 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.047863, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, 
cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.047863, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 354 [3] cmd: string = DATA 
@@ -305,13 +305,13 @@ [5] cont_resp: bool = F 1437831787.905375 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, 
flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = . [3] arg: string = . 
1437831787.914113 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.057218, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], 
start_time=1437831787.856895, duration=0.057218, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = . diff --git a/testing/btest/scripts/base/protocols/krb/smb_gssapi.test b/testing/btest/scripts/base/protocols/krb/smb_gssapi.test index f4995cd2f6..95e5660812 100644 --- a/testing/btest/scripts/base/protocols/krb/smb_gssapi.test +++ b/testing/btest/scripts/base/protocols/krb/smb_gssapi.test @@ -8,4 +8,4 @@ # @TEST-EXEC: btest-diff-rst scripts.base.protocols.krb @load base/protocols/krb -@load policy/protocols/smb +@load base/protocols/smb 
diff --git a/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test b/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test index 7ac2789280..627e396517 100644 --- a/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test +++ b/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test @@ -1,7 +1,7 @@ # @TEST-EXEC: bro -C -r $TRACES/smb/dssetup_DsRoleGetPrimaryDomainInformation_standalone_workstation.cap %INPUT # @TEST-EXEC: [ ! -f dce_rpc.log ] -@load policy/protocols/smb +@load base/protocols/smb # The DCE_RPC analyzer is a little weird since it's instantiated # by the SMB analyzer directly in some cases. Care needs to be diff --git a/testing/btest/scripts/base/protocols/smb/raw-ntlm.test b/testing/btest/scripts/base/protocols/smb/raw-ntlm.test index 8d5f91b881..9cf9aa35c4 100644 --- a/testing/btest/scripts/base/protocols/smb/raw-ntlm.test +++ b/testing/btest/scripts/base/protocols/smb/raw-ntlm.test @@ -2,7 +2,7 @@ #@TEST-EXEC: btest-diff .stdout @load base/protocols/ntlm -@load policy/protocols/smb +@load base/protocols/smb # Just verify that the session key is grabbed correctly from NTLM # carried raw over SMB. diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction-dcerpc.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction-dcerpc.test index 359b050670..52f05c57b4 100644 --- a/testing/btest/scripts/base/protocols/smb/smb1-transaction-dcerpc.test +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction-dcerpc.test @@ -2,4 +2,4 @@ # @TEST-EXEC: btest-diff dce_rpc.log @load base/protocols/dce-rpc -@load policy/protocols/smb +@load base/protocols/smb diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction-request.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction-request.test index 9334230e84..1573eb93b8 100644 --- a/testing/btest/scripts/base/protocols/smb/smb1-transaction-request.test +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction-request.test 
@@ -2,7 +2,7 @@ #@TEST-EXEC: btest-diff .stdout @load base/protocols/smb -@load policy/protocols/smb +@load base/protocols/smb # Check that smb1_transaction requests are parsed correctly diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test index ef00ed3772..6e826445e9 100644 --- a/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test @@ -2,7 +2,7 @@ #@TEST-EXEC: btest-diff .stdout @load base/protocols/smb -@load policy/protocols/smb +@load base/protocols/smb # Check that smb1_transaction_response requests are parsed correctly diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test index 03bddf7bf5..e186ee7b22 100644 --- a/testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test @@ -2,7 +2,7 @@ #@TEST-EXEC: btest-diff .stdout @load base/protocols/smb -@load policy/protocols/smb +@load base/protocols/smb # Check that smb1_transaction_secondary requests are parsed correctly diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction2-request.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction2-request.test index 9cd7c996f7..d216d41c32 100644 --- a/testing/btest/scripts/base/protocols/smb/smb1-transaction2-request.test +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction2-request.test @@ -2,7 +2,7 @@ #@TEST-EXEC: btest-diff .stdout @load base/protocols/smb -@load policy/protocols/smb +@load base/protocols/smb # Check that smb1_transaction2 requests are parsed correctly 
diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test index 48c7f8c197..e8c462dd0d 100644 --- a/testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test @@ -2,7 +2,7 @@ #@TEST-EXEC: btest-diff .stdout @load base/protocols/smb -@load policy/protocols/smb +@load base/protocols/smb # Check that smb1_transaction2_secondary requests are parsed correctly diff --git a/testing/btest/scripts/base/protocols/smb/smb1.test b/testing/btest/scripts/base/protocols/smb/smb1.test index e151d48ada..61727754dc 100644 --- a/testing/btest/scripts/base/protocols/smb/smb1.test +++ b/testing/btest/scripts/base/protocols/smb/smb1.test @@ -1,4 +1,4 @@ # @TEST-EXEC: bro -b -r $TRACES/smb/smb1.pcap %INPUT # @TEST-EXEC: btest-diff smb_files.log -@load policy/protocols/smb +@load base/protocols/smb diff --git a/testing/btest/scripts/base/protocols/smb/smb2.test b/testing/btest/scripts/base/protocols/smb/smb2.test index 67539b5e5a..c4c6e78224 100644 --- a/testing/btest/scripts/base/protocols/smb/smb2.test +++ b/testing/btest/scripts/base/protocols/smb/smb2.test @@ -6,7 +6,7 @@ # @TEST-EXEC: test ! -f weird.log # @TEST-EXEC: btest-diff .stdout -@load policy/protocols/smb +@load base/protocols/smb # Add some tests for SMB2 create request and response. event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest) From fc7d3cd98120bcf2396d7e3cef272eb167dba257 Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Fri, 17 Aug 2018 10:29:58 -0500 Subject: [PATCH 629/631] Fix possible race in netcontrol acld/broker plugins Best to subscribe before connecting --- CHANGES | 4 ++++ VERSION | 2 +- scripts/base/frameworks/netcontrol/plugins/acld.bro | 2 +- scripts/base/frameworks/netcontrol/plugins/broker.bro | 2 +- 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 5cbec754f4..4e8d2ada45 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-849 | 2018-08-17 10:29:58 -0500 + + * Fix possible race in netcontrol acld/broker plugins (Jon Siwek, Corelight) + 2.5-848 | 2018-08-16 17:21:28 -0500 * Enable SMB by default by moving scripts from policy/ to base/ diff --git a/VERSION b/VERSION index 3c34b2649e..0eef8063da 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-848 +2.5-849 diff --git a/scripts/base/frameworks/netcontrol/plugins/acld.bro b/scripts/base/frameworks/netcontrol/plugins/acld.bro index 38466cdf41..99a9166ce9 100644 --- a/scripts/base/frameworks/netcontrol/plugins/acld.bro +++ b/scripts/base/frameworks/netcontrol/plugins/acld.bro @@ -270,8 +270,8 @@ function acld_remove_rule_fun(p: PluginState, r: Rule, reason: string) : bool function acld_init(p: PluginState) { - Broker::peer(cat(p$acld_config$acld_host), p$acld_config$acld_port); Broker::subscribe(p$acld_config$acld_topic); + Broker::peer(cat(p$acld_config$acld_host), p$acld_config$acld_port); } event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) diff --git a/scripts/base/frameworks/netcontrol/plugins/broker.bro b/scripts/base/frameworks/netcontrol/plugins/broker.bro index f4b8715c38..4bfb231c94 100644 --- a/scripts/base/frameworks/netcontrol/plugins/broker.bro +++ b/scripts/base/frameworks/netcontrol/plugins/broker.bro 
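Review bot: The reordered calls in `acld_init` carry no comment saying why `Broker::subscribe` has to come before `Broker::peer`, so the ordering that fixes the race is easy to undo in a later cleanup. I would add above the subscribe call `# Subscribe before peering so that nothing published on the topic right after the peering comes up is missed.` The same applies to `broker_init` in plugins/broker.bro, which gets the identical swap. For a framework that installs and removes rules on external devices, a missed message presumably leaves the rule state tracked on the Bro side out of step with the device, which is worth saying in the comment.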
@@ -164,8 +164,8 @@ function broker_remove_rule_fun(p: PluginState, r: Rule, reason: string) : bool function broker_init(p: PluginState) { - Broker::peer(cat(p$broker_config$host), p$broker_config$bport); Broker::subscribe(p$broker_config$topic); + Broker::peer(cat(p$broker_config$host), p$broker_config$bport); } event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) From fcabd72b928dc067d2c99cc343ab066f4c2b7b40 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Fri, 17 Aug 2018 11:12:53 -0500 Subject: [PATCH 630/631] BIT-1815: move SMB::write_cmd_log functionality into policy/ script The option is removed, but same functionality is now enabled simply by loading policy/protocols/smb/log-cmds.bro --- CHANGES | 7 ++ NEWS | 4 + VERSION | 2 +- scripts/base/protocols/smb/main.bro | 20 ----- scripts/base/protocols/smb/smb1-main.bro | 30 +------- scripts/base/protocols/smb/smb2-main.bro | 27 +++---- scripts/policy/protocols/smb/log-cmds.bro | 82 +++++++++++++++++++++ scripts/test-all-policy.bro | 1 + testing/btest/Baseline/plugins.hooks/output | 32 ++------ 9 files changed, 115 insertions(+), 90 deletions(-) create mode 100644 scripts/policy/protocols/smb/log-cmds.bro diff --git a/CHANGES b/CHANGES index 4e8d2ada45..c51cd00bbf 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,11 @@ +2.5-850 | 2018-08-17 11:12:53 -0500 + + * BIT-1815: move SMB::write_cmd_log functionality into policy/ script + + The option is removed, but same functionality is now enabled simply + by loading policy/protocols/smb/log-cmds.bro (Jon Siwek, Corelight) + 2.5-849 | 2018-08-17 10:29:58 -0500 * Fix possible race in netcontrol acld/broker plugins (Jon Siwek, Corelight) diff --git a/NEWS b/NEWS index 1809cd4bd6..e5f5b28054 100644 --- a/NEWS +++ b/NEWS 
@@ -384,6 +384,10 @@ Changed Functionality - smb1_transaction2_request now has an additional "args" record argument +- The SMB::write_cmd_log option has been removed and the corresponding + logic moving to policy/protocols/smb/log-cmds.bro which can simply + be loaded to produce the same effect of toggling the old flag on. + - SSL event argument changes: - event ssl_server_signature now has an additional argument diff --git a/VERSION b/VERSION index 0eef8063da..3e949de53a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-849 +2.5-850 diff --git a/scripts/base/protocols/smb/main.bro b/scripts/base/protocols/smb/main.bro index a2226ded33..7e8969594d 100644 --- a/scripts/base/protocols/smb/main.bro +++ b/scripts/base/protocols/smb/main.bro @@ -6,7 +6,6 @@ module SMB; export { redef enum Log::ID += { - CMD_LOG, AUTH_LOG, MAPPING_LOG, FILES_LOG @@ -43,11 +42,6 @@ export { PRINT_CLOSE, } &redef; - ## The server response statuses which are *not* logged. - const ignored_command_statuses: set[string] = { - "MORE_PROCESSING_REQUIRED", - } &redef; - ## This record is for the smb_files.log type FileInfo: record { ## Time when the file was first discovered. @@ -159,25 +153,12 @@ export { recent_files : set[string] &default=string_set() &read_expire=3min; }; - ## Optionally write out the SMB commands log. This is - ## primarily useful for debugging so is disabled by default. - const write_cmd_log = F &redef; - ## Everything below here is used internally in the SMB scripts. redef record connection += { smb_state : State &optional; }; - ## Internal use only. - ## Some commands shouldn't be logged by the smb1_message event. - const deferred_logging_cmds: set[string] = { - "NEGOTIATE", - "READ_ANDX", - "SESSION_SETUP_ANDX", - "TREE_CONNECT_ANDX", - }; - ## This is an internally used function. const set_current_file: function(smb_state: State, file_id: count) &redef; 
@@ -198,7 +179,6 @@ redef likely_server_ports += { ports }; event bro_init() &priority=5 { - Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]); Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo, $path="smb_files"]); Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo, $path="smb_mapping"]); diff --git a/scripts/base/protocols/smb/smb1-main.bro b/scripts/base/protocols/smb/smb1-main.bro index 6b23fe91db..44210e88f0 100644 --- a/scripts/base/protocols/smb/smb1-main.bro +++ b/scripts/base/protocols/smb/smb1-main.bro @@ -68,17 +68,10 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=5 event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5 { - # Is this a response? - if ( !is_orig ) - { - if ( SMB::write_cmd_log && - c$smb_state$current_cmd$status !in SMB::ignored_command_statuses && - c$smb_state$current_cmd$command !in SMB::deferred_logging_cmds ) - { - Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); - } - delete c$smb_state$pending_cmds[hdr$mid]; - } + if ( is_orig ) + return; + + delete c$smb_state$pending_cmds[hdr$mid]; } @@ -325,18 +318,3 @@ event smb_pipe_request(c: connection, hdr: SMB1::Header, op_num: count) c$smb_state$current_cmd$argument = arg; } - -event smb1_error(c: connection, hdr: SMB1::Header, is_orig: bool) - { - if ( ! is_orig ) - { - # This is for deferred commands only. - # The more specific messages won't fire for errors - if ( SMB::write_cmd_log && - c$smb_state$current_cmd$status !in SMB::ignored_command_statuses && - c$smb_state$current_cmd$command in SMB::deferred_logging_cmds ) - { - Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); - } - } - } diff --git a/scripts/base/protocols/smb/smb2-main.bro b/scripts/base/protocols/smb/smb2-main.bro index 2411502815..ab453f8829 100644 --- a/scripts/base/protocols/smb/smb2-main.bro +++ b/scripts/base/protocols/smb/smb2-main.bro 
@@ -65,25 +65,16 @@ event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=5 event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=-5 { - # Is this a response? - if ( !is_orig ) - { - # If the command that is being looked at right now was - # marked as PENDING, then we'll skip all of this and wait - # for a reply that isn't marked pending. - if ( c$smb_state$current_cmd$status == "PENDING" ) - { - return; - } + if ( is_orig ) + return; - if ( SMB::write_cmd_log && - c$smb_state$current_cmd$status !in SMB::ignored_command_statuses && - c$smb_state$current_cmd$command !in SMB::deferred_logging_cmds ) - { - Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); - } - delete c$smb_state$pending_cmds[hdr$message_id]; - } + # If the command that is being looked at right now was + # marked as PENDING, then we'll skip all of this and wait + # for a reply that isn't marked pending. + if ( c$smb_state$current_cmd$status == "PENDING" ) + return; + + delete c$smb_state$pending_cmds[hdr$message_id]; } event smb2_negotiate_request(c: connection, hdr: SMB2::Header, dialects: index_vec) &priority=5 diff --git a/scripts/policy/protocols/smb/log-cmds.bro b/scripts/policy/protocols/smb/log-cmds.bro new file mode 100644 index 0000000000..6890535c3b --- /dev/null +++ b/scripts/policy/protocols/smb/log-cmds.bro 
@@ -0,0 +1,82 @@ +##! Load this script to generate an SMB command log, smb_cmd.log. +##! This is primarily useful for debugging. + +@load base/protocols/smb + +module SMB; + +export { + redef enum Log::ID += { + CMD_LOG, + }; + + ## The server response statuses which are *not* logged. + const ignored_command_statuses: set[string] = { + "MORE_PROCESSING_REQUIRED", + } &redef; +} + +## Internal use only. +## Some commands shouldn't be logged by the smb1_message event. +const deferred_logging_cmds: set[string] = { + "NEGOTIATE", + "READ_ANDX", + "SESSION_SETUP_ANDX", + "TREE_CONNECT_ANDX", +}; + +event bro_init() &priority=5 + { + Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]); + } + +event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5 + { + if ( is_orig ) + return; + + if ( c$smb_state$current_cmd$status in SMB::ignored_command_statuses ) + return; + + if ( c$smb_state$current_cmd$command in SMB::deferred_logging_cmds ) + return; + + Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); + } + +event smb1_error(c: connection, hdr: SMB1::Header, is_orig: bool) + { + if ( is_orig ) + return; + + # This is for deferred commands only. + # The more specific messages won't fire for errors + + if ( c$smb_state$current_cmd$status in SMB::ignored_command_statuses ) + return; + + if ( c$smb_state$current_cmd$command !in SMB::deferred_logging_cmds ) + return; + + Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); + } + +event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=-5 + { + if ( is_orig ) + return; + + # If the command that is being looked at right now was + # marked as PENDING, then we'll skip all of this and wait + # for a reply that isn't marked pending. 
+ if ( c$smb_state$current_cmd$status == "PENDING" ) + return; + + if ( c$smb_state$current_cmd$status in SMB::ignored_command_statuses ) + return; + + if ( c$smb_state$current_cmd$command in SMB::deferred_logging_cmds ) + return; + + Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); + } diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index e0268a7c62..7bdd2d4997 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -80,6 +80,7 @@ @load protocols/modbus/track-memmap.bro @load protocols/mysql/software.bro @load protocols/rdp/indicate_ssl.bro +@load protocols/smb/log-cmds.bro @load protocols/smtp/blocklists.bro @load protocols/smtp/detect-suspicious-orig.bro @load protocols/smtp/entities-excerpt.bro diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 0fadde65a5..20e01df16f 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output 
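Review bot: The `smb2_message` handler in log-cmds.bro returns early for any command in `deferred_logging_cmds`, but that set is documented as applying to the `smb1_message` event and the only handler that writes deferred commands is `smb1_error`, so an SMB2 command whose name matched an entry would never reach smb_cmd.log on any path in this file. The entries look like SMB1 command names; whether an SMB2 command string can equal one of them (for example `NEGOTIATE`) depends on the command tables, which are outside this patch. The check was carried over from the old base handler; I would either drop it from the SMB2 handler or state the intent above it, e.g. `# Names in deferred_logging_cmds are SMB1 commands; an SMB2 command that matches is skipped and not logged elsewhere.` Anyone reading smb_cmd.log to review SMB activity should be able to tell from the script which commands it leaves out.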
@@ -213,7 +213,6 @@ 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rfb, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=reporter, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=sip, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_cmd, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_files, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_mapping, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SMTP::LOG, [name=default, 
writer=Log::WRITER_ASCII, pred=, path=smtp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> @@ -260,7 +259,6 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::CMD_LOG, [columns=, ev=, path=smb_cmd])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) -> @@ -276,7 +274,7 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 
@@ -308,7 +306,6 @@ 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (RFB::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Reporter::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SIP::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SMB::CMD_LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SMB::FILES_LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SMB::MAPPING_LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SMTP::LOG)) -> 
@@ -355,7 +352,6 @@ 0.000000 MetaHookPost CallFunction(Log::add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, , (SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, 
exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> @@ -402,7 +398,6 @@ 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (RFB::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Reporter::LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SIP::LOG, default)) -> -0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SMB::CMD_LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SMB::FILES_LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SMB::MAPPING_LOG, default)) -> 0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SMTP::LOG, default)) -> @@ -449,7 +444,6 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::CMD_LOG, [columns=, ev=, path=smb_cmd])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) -> 
@@ -465,7 +459,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -1042,7 +1036,6 @@ 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rfb, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=reporter, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=sip, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_cmd, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_files, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_mapping, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, 
path=smtp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) @@ -1089,7 +1082,6 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMB::CMD_LOG, [columns=, ev=, path=smb_cmd])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) @@ -1105,7 +1097,7 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) 
@@ -1137,7 +1129,6 @@ 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (RFB::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Reporter::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SIP::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SMB::CMD_LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SMB::FILES_LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SMB::MAPPING_LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SMTP::LOG)) 
@@ -1184,7 +1175,6 @@ 0.000000 MetaHookPre CallFunction(Log::add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, , (SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, 
log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) @@ -1231,7 +1221,6 @@ 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (RFB::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Reporter::LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SIP::LOG, default)) -0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SMB::CMD_LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SMB::FILES_LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SMB::MAPPING_LOG, default)) 0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SMTP::LOG, default)) @@ -1278,7 +1267,6 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMB::CMD_LOG, [columns=, ev=, path=smb_cmd])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) 
@@ -1294,7 +1282,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1870,7 +1858,6 @@ 0.000000 | HookCallFunction Log::__add_filter(RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rfb, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=reporter, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=sip, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_cmd, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_files, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_mapping, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smtp, path_func=, include=, exclude=, log_local=T, log_remote=T, 
field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) @@ -1917,7 +1904,6 @@ 0.000000 | HookCallFunction Log::__create_stream(RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb]) 0.000000 | HookCallFunction Log::__create_stream(Reporter::LOG, [columns=, ev=, path=reporter]) 0.000000 | HookCallFunction Log::__create_stream(SIP::LOG, [columns=, ev=SIP::log_sip, path=sip]) -0.000000 | HookCallFunction Log::__create_stream(SMB::CMD_LOG, [columns=, ev=, path=smb_cmd]) 0.000000 | HookCallFunction Log::__create_stream(SMB::FILES_LOG, [columns=, ev=, path=smb_files]) 0.000000 | HookCallFunction Log::__create_stream(SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping]) 0.000000 | HookCallFunction Log::__create_stream(SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp]) @@ -1933,7 +1919,7 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) 
@@ -1965,7 +1951,6 @@ 0.000000 | HookCallFunction Log::add_default_filter(RFB::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Reporter::LOG) 0.000000 | HookCallFunction Log::add_default_filter(SIP::LOG) -0.000000 | HookCallFunction Log::add_default_filter(SMB::CMD_LOG) 0.000000 | HookCallFunction Log::add_default_filter(SMB::FILES_LOG) 0.000000 | HookCallFunction Log::add_default_filter(SMB::MAPPING_LOG) 0.000000 | HookCallFunction Log::add_default_filter(SMTP::LOG) 
@@ -2012,7 +1997,6 @@ 0.000000 | HookCallFunction Log::add_filter(RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::add_filter(SMB::CMD_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, 
ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) @@ -2059,7 +2043,6 @@ 0.000000 | HookCallFunction Log::add_stream_filters(RFB::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(Reporter::LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(SIP::LOG, default) -0.000000 | HookCallFunction Log::add_stream_filters(SMB::CMD_LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(SMB::FILES_LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(SMB::MAPPING_LOG, default) 0.000000 | HookCallFunction Log::add_stream_filters(SMTP::LOG, default) @@ -2106,7 +2089,6 @@ 0.000000 | HookCallFunction Log::create_stream(RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb]) 0.000000 | HookCallFunction Log::create_stream(Reporter::LOG, [columns=, ev=, path=reporter]) 0.000000 | HookCallFunction Log::create_stream(SIP::LOG, [columns=, ev=SIP::log_sip, path=sip]) -0.000000 | HookCallFunction Log::create_stream(SMB::CMD_LOG, [columns=, ev=, path=smb_cmd]) 0.000000 | HookCallFunction Log::create_stream(SMB::FILES_LOG, [columns=, ev=, path=smb_files]) 0.000000 | HookCallFunction Log::create_stream(SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping]) 0.000000 | HookCallFunction Log::create_stream(SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp]) 
@@ -2122,7 +2104,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -2480,7 +2462,7 @@ 0.000000 | HookLoadFile base<...>/x509 0.000000 | HookLoadFile base<...>/xmpp 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} -0.000000 | HookLogWrite packet_filter [ts=1534455885.275568, node=bro, filter=ip or not ip, init=T, success=T] +0.000000 | HookLogWrite packet_filter [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() From 95c72f37172262a9c5fc6da27e9bcc3bdd7e64be Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 17 Aug 2018 11:25:58 -0700 Subject: [PATCH 631/631] Update submodule [nomail] --- src/3rdparty | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/3rdparty b/src/3rdparty index 02c5b1d6a3..6cdefdd1d4 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 02c5b1d6a3990ca989377798bc7e89eacf4713aa +Subproject commit 6cdefdd1d45465ca09aba9e05c7ca12e1484ccc0

)3eR38TUE-<-2A zK6S|(FWa@G=fuW>Ava@nSIAB*5LRX?Y$_GFl>13_e&H3=&NsK^EpIVnN;Pw^PP*HvzzB^Xw5RvPS-H4V040EIY)Q~<|Vs9gz5*saBqk z0lL3C+wy)R@7Ij?`>-%VGBFKXyjaii{J^2N+JRs4pyb{Z+5(Rk&uoXN`M^3USSP0P zQmz^u`tjzt1HQdF5lr9@CxxdiL(l3RBqS~Hlnf*$C>$sC1+&ygniD+Hvf3F{s%2A8 zY-t6SF)2%asWTKY*@8k6Gg7gr)N2GhDaM)eI||{&6OUzg1*Nk@`I=xa;NNYE&@*NG z!b9ZjS1oj1rC>9K-vy1+C0xel#%>=rZQ2lr714T95>n6OBEd;02K5El$Nfu5FFf2x?Cl2*> zX#62!g1-{>WT5xvG@kh?_h(t7(>Vn|tezxNnXXf}qST%w_zedu35Q!^c3t*Ja=@BK zIr%LcH%tB7-t!cZXZg>~*y|^S#g5n-g`jVRwwbgj5-Y;^RU44~)uVQU5CC{4V8<}R^x9YBZilE!>%;>3%JcwzoxH$q$hU&M(_c9IG-en9 zTKP$z@=va6Hp+&Q!Bu(wGp2ezPN#B6XC>td{4qgcc&GOIjVhwJs?^4pk`hBFW;&?M z4VsMc3H)Szt0IuBDy~|}N!siY{^(xF;=O~sd4}N-iQt&U96H2Q`I5WP9pS!K26QTl zFqDc|jvzE~{slg-<6Ba0i`6=Q%4Z`V^P8tVJ`HSYXoV86#2eS9)}9OwZ{svtA#1Ev z%MY@gzEUVgd5zGmVXo(~NwJg)VaptcTNA7#OY__H@J*ruA{MdyTJ}qE6=yVXX?gWE zn_2Fo7Fw-0xGw9eTMEKkJWwo(dCqmu_t;xH&4rRo;<+}d8!PiSHzxE`DK?*3ehGcU z$f{~2$v4zRb~B1%sSNz(ORVpy8D{1%eqUTUc)7Y^ep|cY75Ri znCrXI$%=gVBuw2j_(BRPffAh4Ua{Zh%=?#VFKmK4d3+=J>m$Y=wZS>6gshUJs%1N4 zNz5KV+&{lu9kJ~&c{EG1yMckE&{SV`s>)IBqNVmXFyPnZgL1`^=A;BZLqVgLD5v{g zFX&>p63!A8P`=%%{60dKG#N*$3ZESMmPAE$$7+$|)IrvX7?TVYqH`~hylT5e0T#vO zVkFb0Mq?(dcT_7HGtx|Z^|dRs^kiZpBt#dYp%1^B4U#UCNVoB8O%fGEZw(8=`OogB zTzooWDM+L6flO&Q*4+tV!2-QaT^Hm#Tw@j1(ag5zDjM#G>DqD} zi}w1eOOcS=qEhc(+Ow$K3LF&Ddbf4GjEYyE4!lVH4sRZxGznALq6Xw1;Dyw@lUHLf z&txhnS#?aX94&>Ax*;7`=O%iM8}4v;dyW_5Z)~B=P0EBHxHqzX-0tjr<#NKe{d;aZ z{#yAsv8|25mAWq)%E|iR0eKq+YOChag~{4*3lRs`^i3y)5ZMpKN@B+9<2H?Ru&Lct z(I!W(Ev~b4?|o@l$zpiL8xr>fPGD`Q``C9qe(|caWovtd-hkb^ z6DgjnVqqUVKC?w2Znm{|R0hUbZ>Ts;*4dn;4}I2Wj*RFzz)1_2@)?q3eYBW)#p_f@ z>#{P}zSd1*H@$Shv2CehzN&9SEzO$uirshL%?|bU7nHGTaoz~W+{^2!toNcwG;6n_ zd!uH|NRn9IChv{GRde^L`YgQ~diAxH+oby79XdxVn@hr_rjt`&jX9QO8~r^B=p~SB zb7!bYo3+j3(nv^Oe!yIbiGBN&%=s0Da_Di%&J|SrG+vO4t0JS5X43xTlcx8Y1R<$Y z{n`Uu8>)d$&l=$h23K=4Y&T5gPKItf4`|cz#&=3ZIktP4P3aU4=YOP;j?D4EcK&wo zKYtWBU}5d}e}2FpkUyLvJb&%{np2jQXv$ zQOlHVTx@hux<6-}<3l;{`Uo>&1Vs1fX#@2`3k9ih3nAUNmjVTt1ZjCi_+BT?~zCS4vpfUOxk+eMWNVN~8#DFL`)nV;;-a*&_ 
z1#I5g_aDnUeK7B~{lUEJaXKP`G*0Z*1;;#KDRw>Ju6bApZLGUs!9p#0jAuW$q@d$+ zZ;X&shkfboj8ZpgVP4_rS3SaW{iE9$^ZhOBFm}K!ROxyyn z6M&>K;Tz)YcOypVJd>uXA8!#Kh&T2vyLKytGvdi+*Fw{c?i_4)Pw0lfbP)3qmDEt8 zaz~MRN>#8im@2K)zPl@KWjcsf0b&UT+6*dt;BDT!RIb$bcNc<9;;c+D2|)$%2NONS z*X-o%cYDR%?6Z1z)#uu7BMM}>C~;W~AMt6R+VJex%9$7zPR2<2CmKI=*6!(|IWy8^ z_)4^&gP-IK_Og5gMKl1D1Z&4d1k?b zNnK5_(V$^9b?QlD9}oR4tfx<)rwgDLto`Om1W-Ek)OyU5`JpFLVEhcYnL1iF%pH2d z61mEVfwLeDYsZqD8Q}Q$29N4kl7kyT0MG;%r7qxJ^S`Ei{Yhc`zoPJiXXK#({i)Hh zGXnmmS&L${g48$IhKlm|5u>z`JaRtwUxw=|oB#j- literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/tls13-experiment.test b/testing/btest/scripts/base/protocols/ssl/tls13-experiment.test index d49cd928f6..e074535692 100644 --- a/testing/btest/scripts/base/protocols/ssl/tls13-experiment.test +++ b/testing/btest/scripts/base/protocols/ssl/tls13-experiment.test @@ -8,6 +8,9 @@ # # This only seems to happen with Chrome talking to google servers. We do not recognize this as # TLS 1.3, but we do not abort when encountering traffic like this. +# +# In the meantime this way of establishing TLS 1.3 was standardized. Still keeping the test even +# though we parse this correctly now. event ssl_extension(c: connection, is_orig: bool, code: count, val: string) { diff --git a/testing/btest/scripts/base/protocols/ssl/tls13-version.test b/testing/btest/scripts/base/protocols/ssl/tls13-version.test new file mode 100644 index 0000000000..9194c861e1 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/tls13-version.test @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -C -r $TRACES/tls/tls13draft23-chrome67.0.3368.0-canary.pcap %INPUT +# @TEST-EXEC: btest-diff ssl.log + +# Test that we correctly parse the version out of the extension in an 1.3 connection From f710d9a19918a8b1d135884795aeba4e1d7fc618 Mon Sep 17 00:00:00 2001 
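Review bot: The header comment of tls13-experiment.test now contradicts itself, because the context sentence "We do not recognize this as TLS 1.3, but we do not abort when encountering traffic like this" stays in place directly above the added note saying the traffic is parsed correctly now. Rewording the old sentence into the past tense would leave one consistent statement, for example `# When this test was written Bro did not recognize this as TLS 1.3; it only checked that parsing did not abort.` The `ssl_extension` handler that follows the comment continues outside the hunk, so whether its expected output still matches the new parsing cannot be judged from here.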
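Review bot: The only description of tls13-version.test is its trailing comment, which names neither the extension being parsed nor the version value the `ssl.log` baseline should show. The trace file name indicates a draft-23 capture, so a maintainer reading a baseline diff cannot tell from the test alone whether a TLS 1.2 value in the version column would be a regression or the intended result. I would move the comment above the `@TEST-EXEC` lines and make it specific, for example `# Checks that ssl.log reports the TLS 1.3 (draft 23) version taken from the ServerHello supported_versions extension rather than the legacy version field.` This assumes supported_versions is the extension meant, which should be confirmed against the analyzer change in this commit. The phrase "an 1.3 connection" should also read "a 1.3 connection".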
From: Robin Sommer Date: Thu, 29 Mar 2018 14:10:48 -0700 Subject: [PATCH 351/631] Updating submodule(s). [nomail] --- CHANGES | 8 ++++---- VERSION | 2 +- aux/broctl | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 6cbda2575c..c07db9563b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,10 +1,10 @@ -2.5-482 | 2018-03-29 13:21:21 -0700 +2.5-483 | 2018-03-29 14:10:48 -0700 * Source code clean up (Johanna Amann) - - Mark one-parameter constructors as explicit & use override where possible - - Remove unimplemented & unused functions from header files. - - Make some data flows more explicit for complilers. + - Mark one-parameter constructors as 'explicit' & use 'override' where possible + - Remove unimplemented & unused functions from header files. + - Make some data flows more explicit for compilers. 2.5-478 | 2018-03-29 12:59:49 -0700 diff --git a/VERSION b/VERSION index 84d7cbfeca..c97e09d82b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-482 +2.5-483 diff --git a/aux/broctl b/aux/broctl index 1824853baf..60eeea9f98 160000 --- a/aux/broctl +++ b/aux/broctl @@ -1 +1 @@ -Subproject commit 1824853baf8f7369256f22992d7f10215634ec9d +Subproject commit 60eeea9f98455ea613bcfc02e09f2c9665c97f58 From 95fbe150dfd5c2cbfcd213b9f9fe3ab888d4050d Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 2 Apr 2018 22:25:51 -0400 Subject: [PATCH 352/631] Improving the new SMB2 create command test. It's now a less fragile test than it was. --- .../scripts.base.protocols.smb.smb2/.stdout | 249 +----------------- .../scripts/base/protocols/smb/smb2.test | 9 +- 2 files changed, 16 insertions(+), 242 deletions(-) diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout index 015b55c71d..bc605dcbb2 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout 
@@ -1,238 +1,11 @@ -smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1225, state=4, num_pkts=6, num_bytes_ip=1257, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=760, state=4, num_pkts=5, num_bytes_ip=972, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.006812, service={ -SMB, -GSSAPI, -NTLM -}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, 
id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ -[4] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=] -}, fid_map={ - -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ - -}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=4, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=, disposition=1, create_options=32] -smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1225, state=4, num_pkts=7, num_bytes_ip=1517, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1004, state=4, num_pkts=5, num_bytes_ip=972, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.006958, service={ -SMB, -GSSAPI, -NTLM -}, history=ShADd, 
uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=145.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, 
service=, native_file_system=, share_type=DISK], pending_cmds={ - -}, fid_map={ -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ - -}]], [credit_charge=0, status=0, command=5, credits=1, flags=1, message_id=4, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=69, volatile=18446744069414584321], size=8192, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] -smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1469, state=4, num_pkts=8, num_bytes_ip=1665, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1088, state=4, num_pkts=7, num_bytes_ip=1380, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.007847, service={ -SMB, -GSSAPI, -NTLM -}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, 
extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=, name=srvsvc, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=, name=srvsvc, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], pending_cmds={ -[6] = [ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, 
id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=, name=srvsvc, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], smb1_offered_dialects=, smb2_offered_dialects=] -}, fid_map={ -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] -}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=6, process_id=65279, tree_id=5, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=srvsvc, disposition=1, create_options=4194368] -smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1469, state=4, 
num_pkts=9, num_bytes_ip=1841, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1244, state=4, num_pkts=7, num_bytes_ip=1380, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.008011, service={ -SMB, -GSSAPI, -NTLM -}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=164.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=\\10.0.0.12\IPC$, name=srvsvc, size=0, prev_name=, times=, fid=18446744069414584398, uuid=], referenced_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=\\10.0.0.12\IPC$, name=srvsvc, size=0, prev_name=, times=, fid=18446744069414584398, uuid=], current_tree=[ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, 
resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE], pending_cmds={ - -}, fid_map={ -[18446744069414584398] = [ts=1323202695.378494, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::PIPE_OPEN, path=\\10.0.0.12\IPC$, name=srvsvc, size=0, prev_name=, times=, fid=18446744069414584398, uuid=], -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] -}]], [credit_charge=0, status=0, command=5, credits=1, flags=1, message_id=6, process_id=65279, tree_id=5, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=73, volatile=18446744069414584325], size=0, times=[modified=-1.164447e+10, accessed=-1.164447e+10, created=-1.164447e+10, changed=-1.164447e+10], attrs=[read_only=F, hidden=F, system=F, 
directory=F, archive=F, normal=T, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] -smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=2342, state=4, num_pkts=13, num_bytes_ip=2654, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=1924, state=4, num_pkts=12, num_bytes_ip=2416, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.010734, service={ -SMB, -GSSAPI, -NTLM, -DCE_RPC -}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ -[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] -}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, 
size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ -[11] = [ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.381381, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=] -}, fid_map={ -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], 
path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] -}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=11, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=, disposition=2, create_options=2097185] -smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=2947, state=4, num_pkts=16, num_bytes_ip=3323, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=2297, state=4, num_pkts=15, num_bytes_ip=2909, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.061545, service={ -SMB, -GSSAPI, -NTLM, -DCE_RPC -}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ -[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] -}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ -[15] = [ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=] -}, fid_map={ -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] -}]], [credit_charge=0, status=0, command=5, credits=1, flags=0, message_id=15, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=WP_SMBPlugin.pdf, disposition=2, create_options=68] -smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=2947, state=4, num_pkts=17, num_bytes_ip=3639, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=2573, state=4, num_pkts=15, num_bytes_ip=2909, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, 
duration=0.062223, service={ -SMB, -GSSAPI, -NTLM, -DCE_RPC -}, history=ShADd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ -[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] -}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=677.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], fid=18446744069414584406, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.432192, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], fid=18446744069414584406, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ - -}, fid_map={ -[18446744069414584406] = [ts=1323202695.432192, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=WP_SMBPlugin.pdf, size=0, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], fid=18446744069414584406, uuid=], -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ 
-SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058] -}]], [credit_charge=0, status=0, command=5, credits=1, flags=1, message_id=15, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2] -smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515338, state=4, num_pkts=1064, num_bytes_ip=1557690, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=4957, state=4, num_pkts=101, num_bytes_ip=9009, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.229267, service={ -SMB, -GSSAPI, -NTLM, -DCE_RPC -}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ -[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] -}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, 
hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ -[44] = [ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], 
smb1_offered_dialects=, smb2_offered_dialects=] -}, fid_map={ -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], -SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036] -}]], [credit_charge=0, status=0, command=5, credits=104, flags=0, message_id=44, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=, disposition=1, create_options=32] -smb2_create_response, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515338, state=4, num_pkts=1065, num_bytes_ip=1557950, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=5201, state=4, num_pkts=101, num_bytes_ip=9009, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, 
duration=0.229443, service={ -SMB, -GSSAPI, -NTLM, -DCE_RPC -}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ -[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] -}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=175.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584414, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.599914, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584414, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ - -}, fid_map={ -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=], -[18446744069414584414] = [ts=1323202695.599914, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584414, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ 
-SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], -SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036] -}]], [credit_charge=0, status=0, command=5, credits=9, flags=1, message_id=44, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] -smb2_create_request, [id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515782, state=4, num_pkts=1067, num_bytes_ip=1558254, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=5541, state=4, num_pkts=104, num_bytes_ip=9713, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.233359, service={ -SMB, -GSSAPI, -NTLM, -DCE_RPC -}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ -[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] -}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, 
modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ -[47] = [ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=, rtt=, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=, name=, size=0, prev_name=, times=, fid=, uuid=], referenced_tree=[ts=1323202695.377084, 
uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=] -}, fid_map={ -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], -SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036] -}]], [credit_charge=0, status=0, command=5, credits=80, flags=0, message_id=47, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [filename=, disposition=1, create_options=32] -smb2_create_response, 
[id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], orig=[size=1515782, state=4, num_pkts=1068, num_bytes_ip=1558514, flow_label=0, l2_addr=00:0c:29:6b:99:0f], resp=[size=5785, state=4, num_pkts=104, num_bytes_ip=9713, flow_label=0, l2_addr=00:0c:29:4e:b0:d0], start_time=1323202695.370647, duration=0.233475, service={ -SMB, -GSSAPI, -NTLM, -DCE_RPC -}, history=ShADda, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc], dce_rpc_backing={ -[18446744069414584398] = [info=[ts=1323202695.379517, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], rtt=183.0 usecs, named_pipe=\PIPE\srvsvc, endpoint=srvsvc, operation=NetrShareGetInfo], state=[uuid=4b324fc8-1670-01d3-1278-5a47bf6ee188, named_pipe=\PIPE\srvsvc]] -}, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=[ts=1323202695.372863, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], username=Administrator, hostname=SERVER01, domainname=CONTOSO, success=T, status=SUCCESS, done=T], radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=, smb_state=[current_cmd=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], command=CREATE, sub_command=, argument=, status=SUCCESS, rtt=115.0 usecs, version=SMB2, username=, tree=, tree_service=, referenced_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584422, uuid=], 
referenced_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], smb1_offered_dialects=, smb2_offered_dialects=], current_file=[ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584422, uuid=], current_tree=[ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], pending_cmds={ - -}, fid_map={ -[18446744069414584390] = [ts=1323202695.377459, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], fid=18446744069414584390, uuid=], -[18446744069414584422] = [ts=1323202695.604006, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], fuid=, action=SMB::FILE_OPEN, path=\\10.0.0.12\smb2, name=, size=8192, prev_name=, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], fid=18446744069414584422, uuid=] -}, tid_map={ -[1] = [ts=1323202695.377084, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\smb2, service=, native_file_system=, share_type=DISK], -[65535] = [ts=, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=, service=, native_file_system=, 
share_type=DISK], -[5] = [ts=1323202695.378188, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.0.0.11, orig_p=49208/tcp, resp_h=10.0.0.12, resp_p=445/tcp], path=\\10.0.0.12\IPC$, service=, native_file_system=, share_type=PIPE] -}, uid_map={ - -}, pipe_map={ - -}, recent_files={ -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], -SMB::FILE_OPEN\\10.0.0.12\smb28192[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], -SMB::FILE_OPENWP_SMBPlugin.pdf\\10.0.0.12\smb20[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036] -}]], [credit_charge=0, status=0, command=5, credits=9, flags=1, message_id=47, process_id=65279, tree_id=1, session_id=4398046511109, signature=\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00], [file_id=[persistent=85, volatile=18446744069414584337], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=1, create_options=32] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=69, volatile=18446744069414584321], size=8192, times=[modified=1323202604.512058, accessed=1323202604.512058, created=1322343963.945297, changed=1323202604.512058], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=srvsvc, disposition=1, 
create_options=4194368] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=73, volatile=18446744069414584325], size=0, times=[modified=-1.164447e+10, accessed=-1.164447e+10, created=-1.164447e+10, changed=-1.164447e+10], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=T, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=2, create_options=2097185] +smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=WP_SMBPlugin.pdf, disposition=2, create_options=68] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2] +smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=1, create_options=32] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] +smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=1, create_options=32] +smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=85, volatile=18446744069414584337], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, 
created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] diff --git a/testing/btest/scripts/base/protocols/smb/smb2.test b/testing/btest/scripts/base/protocols/smb/smb2.test index 3b8c45de47..33ce0e29a3 100644 --- a/testing/btest/scripts/base/protocols/smb/smb2.test +++ b/testing/btest/scripts/base/protocols/smb/smb2.test @@ -8,13 +8,14 @@ @load policy/protocols/smb -event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest ) +# Add some tests for SMB2 create request and response. +event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest) { - print "smb2_create_request", c, hdr, request; + print fmt("smb2_create_request %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, request); } -event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse ) +event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse) { - print "smb2_create_response", c, hdr, response; + print fmt("smb2_create_response %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, response); } From 313195276206a384ffdb93731532e688f0cfa2a8 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 3 Apr 2018 01:56:34 -0400 Subject: [PATCH 353/631] Cleaned up and moved parsing to binpac. Too much parsing was being done in C++ so I moved more of it into binpac. Also, fixed up a bunch of the whitespace (the new code was indented with spaces). --- .../protocol/gssapi/gssapi-analyzer.pac | 73 ++++++------------- .../protocol/gssapi/gssapi-protocol.pac | 21 +++++- 2 files changed, 41 insertions(+), 53 deletions(-) 
diff --git a/src/analyzer/protocol/gssapi/gssapi-analyzer.pac b/src/analyzer/protocol/gssapi/gssapi-analyzer.pac index 28516bd9a3..3478e66c93 100644 --- a/src/analyzer/protocol/gssapi/gssapi-analyzer.pac +++ b/src/analyzer/protocol/gssapi/gssapi-analyzer.pac 
@@ -28,61 +28,32 @@ refine connection GSSAPI_Conn += { function forward_blob(val: GSSAPI_NEG_TOKEN_MECH_TOKEN, is_orig: bool): bool %{ - if ( ${val.token}.length() >= 7 && - memcmp("NTLMSSP", ${val.token}.begin(), 7) == 0 ) - { - // ntlmssp - if ( ! ntlm ) - ntlm = analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn()); + if ( ${val.has_ntlm} && + ${val.ntlm}.length() >= 7 && + memcmp("NTLMSSP", ${val.ntlm}.begin(), 7) == 0 ) + { + // ntlmssp + if ( ! ntlm ) + ntlm = analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn()); - if ( ntlm ) - ntlm->DeliverStream(${val.token}.length(), - ${val.token}.begin(), is_orig); - } + if ( ntlm ) + ntlm->DeliverStream(${val.ntlm}.length(), + ${val.ntlm}.begin(), is_orig); + } + else if ( ${val.has_krb} ) + { + if ( ! krb5 ) + krb5 = analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn()); - else if ( 0x60 == *(${val.token}.begin()) ) - { - // probably KRB + if ( krb5 ) // accepting all KRB types (REQ, REP, etc) + { + krb5->DeliverPacket(${val.krb.blob}.length(), + ${val.krb.blob}.begin(), + is_orig, 0, 0, 0); + } + } - const unsigned char *p = ${val.token}.begin(); - int len_to_send = ${val.token}.length(); - p++; - len_to_send--; - - int shift = 1; - if ( ((*p) & 0x80) > 0 ) - { - shift += (*p) & 0x7f; - } - - p += shift; // eating an ASN.1 meta - len_to_send -= shift; - - // should now be pointing at OID - if ( (*p) == 0x06 ) - { - p++; - len_to_send--; - len_to_send -= (*p) + 1; - p += (*p) + 1; // eating the OID. assuming short form on - // OID len - - // should now be pointing at the type of KRB - // 0x0100 or 0x0200 - // krb5 && ms-krb5 - if ( ! krb5 ) - krb5 = analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn()); - - if ( krb5 ) // accepting all KRB types (REQ, REP, etc) - - { - krb5->DeliverPacket(len_to_send-2, - p+2, - is_orig, 0, 0, 0); - } - } - } return true; %} 
diff --git a/src/analyzer/protocol/gssapi/gssapi-protocol.pac b/src/analyzer/protocol/gssapi/gssapi-protocol.pac index 8038e52b25..48e360d295 100644 --- a/src/analyzer/protocol/gssapi/gssapi-protocol.pac +++ b/src/analyzer/protocol/gssapi/gssapi-protocol.pac @@ -50,6 +50,23 @@ type GSSAPI_NEG_TOKEN_RESP_Arg = record { }; type GSSAPI_NEG_TOKEN_MECH_TOKEN(is_orig: bool) = record { - meta : ASN1EncodingMeta; - token : bytestring &length=meta.length; + meta : ASN1EncodingMeta; + token : bytestring &length=meta.length; +} &let { + ntlm = token &if($context.connection.is_first_byte(token, 0x43)); + krb : KRB_BLOB withinput token &if($context.connection.is_first_byte(token, 0x60)) &restofdata; +}; + +type KRB_BLOB = record { + meta : ASN1EncodingMeta; + oid : ASN1OctetString; + token_id : uint16 &byteorder=littleendian; + blob : bytestring &restofdata; +}; + +refine connection GSSAPI_Conn += { + function is_first_byte(token: bytestring, byte: uint8): bool + %{ + return token[0] == byte; + %} }; From f6e5f0b1a5eecd6fd97c65cea72154897b7f66af Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 3 Apr 2018 02:58:54 -0400 Subject: [PATCH 354/631] A small fix for the last merge related to fixing Kerberos in GSSAPI. We really need to figure out some way to expand our public tests for SMB. This problem crept in due to not having a test for this particular case. --- src/analyzer/protocol/gssapi/gssapi-protocol.pac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/gssapi/gssapi-protocol.pac b/src/analyzer/protocol/gssapi/gssapi-protocol.pac index 48e360d295..a2df047ffd 100644 --- a/src/analyzer/protocol/gssapi/gssapi-protocol.pac +++ b/src/analyzer/protocol/gssapi/gssapi-protocol.pac 
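Review bot: `is_first_byte` indexes `token[0]` without checking that the token is non-empty, and it is evaluated in the `&if` conditions of both `ntlm` and `krb` for every mech token. `token` is declared with `&length=meta.length`, so a peer that sends a zero-length token reaches the index with nothing to read; depending on how bytestring indexing is bounds-checked, that is either an out-of-bounds read or an abort on peer-supplied input. Guard the length first: `return token.length() > 0 && token[0] == byte;`. The C++ path removed from forward_blob had the same gap in its 0x60 test, so this helper is the natural place to close it.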
@@ -53,7 +53,7 @@ type GSSAPI_NEG_TOKEN_MECH_TOKEN(is_orig: bool) = record { meta : ASN1EncodingMeta; token : bytestring &length=meta.length; } &let { - ntlm = token &if($context.connection.is_first_byte(token, 0x43)); + ntlm : bytestring withinput token &if($context.connection.is_first_byte(token, 0x4E)) &restofdata; krb : KRB_BLOB withinput token &if($context.connection.is_first_byte(token, 0x60)) &restofdata; }; From 31223caccd8ebaac84ff17227d5cca26efdb3ec8 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Tue, 3 Apr 2018 02:41:24 -0400 Subject: [PATCH 355/631] Fix an issue with pending commands. This is a change from Stefano Rinaldi in ticket number 1862 --- scripts/policy/protocols/smb/smb2-main.bro | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/policy/protocols/smb/smb2-main.bro b/scripts/policy/protocols/smb/smb2-main.bro index 750a7ff1bc..52c8f8060c 100644 --- a/scripts/policy/protocols/smb/smb2-main.bro +++ b/scripts/policy/protocols/smb/smb2-main.bro @@ -68,6 +68,12 @@ event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=-5 # Is this a response? if ( !is_orig ) { + # If the command that is being looked at right now was + # marked as PENDING, then we'll skip all of this and wait + # for a reply that isn't marked pending. + if ( c$smb_state$current_cmd$status == "PENDING" ) + return; + if ( SMB::write_cmd_log && c$smb_state$current_cmd$status !in SMB::ignored_command_statuses && c$smb_state$current_cmd$command !in SMB::deferred_logging_cmds ) From 868cb5838de5cfbc33aaf9b51892d0d04287238e Mon Sep 17 00:00:00 2001 From: Devin Trejo Date: Fri, 12 Jan 2018 13:53:22 -0500 Subject: [PATCH 356/631] Add smb2_file_sattr --- scripts/policy/protocols/smb/main.bro | 1 + scripts/policy/protocols/smb/smb2-main.bro | 20 +++++++++++++ .../protocol/smb/smb2-com-set-info.pac | 28 +++++++++++++++++++ .../protocol/smb/smb2_com_set_info.bif | 24 ++++++++++++++-- 4 files changed, 71 insertions(+), 2 deletions(-) 
diff --git a/scripts/policy/protocols/smb/main.bro b/scripts/policy/protocols/smb/main.bro index f94db17f38..51aab775c0 100644 --- a/scripts/policy/protocols/smb/main.bro +++ b/scripts/policy/protocols/smb/main.bro @@ -18,6 +18,7 @@ export { FILE_CLOSE, FILE_DELETE, FILE_RENAME, + FILE_SET_ATTRIBUTE, PIPE_READ, PIPE_WRITE, diff --git a/scripts/policy/protocols/smb/smb2-main.bro b/scripts/policy/protocols/smb/smb2-main.bro index 750a7ff1bc..9faf4b5a8a 100644 --- a/scripts/policy/protocols/smb/smb2-main.bro +++ b/scripts/policy/protocols/smb/smb2-main.bro @@ -231,6 +231,26 @@ event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, SMB::write_file_log(c$smb_state); } +event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=-5 +{ + SMB::write_file_log(c$smb_state); +} + +event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=5 +{ + SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile); + + switch ( c$smb_state$current_tree$share_type ) + { + case "DISK": + c$smb_state$current_file$action = SMB::FILE_SET_ATTRIBUTE; + break; + default: + c$smb_state$current_file$action = SMB::FILE_SET_ATTRIBUTE; + break; + } +} + event smb2_file_rename(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string) &priority=5 { SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile); diff --git a/src/analyzer/protocol/smb/smb2-com-set-info.pac b/src/analyzer/protocol/smb/smb2-com-set-info.pac index 379c919d7d..6874808da9 100644 --- a/src/analyzer/protocol/smb/smb2-com-set-info.pac +++ b/src/analyzer/protocol/smb/smb2-com-set-info.pac 
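Review bot: The `switch ( c$smb_state$current_tree$share_type )` in the priority-5 `smb2_file_sattr` handler assigns `SMB::FILE_SET_ATTRIBUTE` in both the "DISK" case and the default case, so the switch changes nothing. A single `c$smb_state$current_file$action = SMB::FILE_SET_ATTRIBUTE;` after `SMB::set_current_file(...)` expresses the same behaviour. If non-disk shares were meant to be handled differently, that branch is missing and a comment saying so would help the next reader.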
@@ -6,12 +6,29 @@ enum smb2_set_info_type { }; enum smb_file_info_type { + SMB2_FILE_BASIC_INFO = 0x04, SMB2_FILE_RENAME_INFO = 0x0a, SMB2_FILE_DISPOSITION_INFO = 0x0d, } refine connection SMB_Conn += { + function proc_smb2_set_info_request_file(val: SMB2_file_basic_info): bool + %{ + if ( smb2_file_sattr ) + BifEvent::generate_smb2_file_sattr(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + SMB_BuildMACTimes(${val.last_write_time}, + ${val.last_access_time}, + ${val.creation_time}, + ${val.change_time}), + smb2_file_attrs_to_bro(${val.file_attrs})); + + return true; + %} + function proc_smb2_set_info_request_file_rename(val: SMB2_file_rename_info): bool %{ if ( smb2_file_rename ) @@ -38,6 +55,16 @@ refine connection SMB_Conn += { }; +type SMB2_file_basic_info(sir: SMB2_set_info_request) = record { + creation_time : SMB_timestamp; + last_access_time : SMB_timestamp; + last_write_time : SMB_timestamp; + change_time : SMB_timestamp; + file_attrs : SMB2_file_attributes; +} &let { + proc: bool = $context.connection.proc_smb2_set_info_request_file(this); +}; + type SMB2_file_rename_info(sir: SMB2_set_info_request) = record { replace_if_exists : uint8; reserved : uint8[7]; @@ -55,6 +82,7 @@ type SMB2_file_disposition_info(sir: SMB2_set_info_request) = record { }; type SMB2_set_info_file_class(sir: SMB2_set_info_request) = case sir.info_level of { + SMB2_FILE_BASIC_INFO -> file_basic : SMB2_file_basic_info(sir); SMB2_FILE_RENAME_INFO -> file_rename : SMB2_file_rename_info(sir); SMB2_FILE_DISPOSITION_INFO -> file_disposition : SMB2_file_disposition_info(sir); default -> info_file_unhandled : empty; diff --git a/src/analyzer/protocol/smb/smb2_com_set_info.bif b/src/analyzer/protocol/smb/smb2_com_set_info.bif index 3aeeb579fe..1f6d9386f8 100644 --- a/src/analyzer/protocol/smb/smb2_com_set_info.bif +++ b/src/analyzer/protocol/smb/smb2_com_set_info.bif 
@@ -11,7 +11,7 @@ ## ## dst_filename: The filename to rename the file into. ## -## .. bro:see:: smb2_message smb2_file_delete +## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -23,12 +23,32 @@ event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, d ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## +## file_id: The SMB2 GUID for the file. +## ## delete_pending: A boolean value to indicate that a file should be deleted ## when it's closed if set to T. ## -## .. bro:see:: smb2_message smb2_file_rename +## .. bro:see:: smb2_message smb2_file_rename smb2_file_sattr event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool%); +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *set_info* of the *file* subtype +## +## For more infomation, see MS-SMB2:2.2.39 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +## +## file_id: The SMB2 GUID for the file. +## +## times: Timestamps associated with the file in question. +## +## attrs: File attributes. +## +## .. bro:see:: smb2_message smb2_file_rename smb2_file_delete +event smb2_file_sattr%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs%); + # TODO - Not implemented # Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` From 17202e9df453a6ad319f0947ef1e29c6927540c1 Mon Sep 17 00:00:00 2001 
From: Devin Trejo Date: Wed, 4 Apr 2018 16:55:10 -0400 Subject: [PATCH 357/631] Add unit tests for new SMB2 event -- smb2_file_sattr. --- .../btest/Baseline/scripts.base.protocols.smb.smb2/.stdout | 1 + testing/btest/scripts/base/protocols/smb/smb2.test | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout index bc605dcbb2..299b36fd33 100644 --- a/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout +++ b/testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout 
@@ -5,6 +5,7 @@ smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=73, volatil smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=2, create_options=2097185] smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=WP_SMBPlugin.pdf, disposition=2, create_options=68] smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2] +smb2_file_sattr 10.0.0.11 -> 10.0.0.12:445 [persistent=77, volatile=18446744069414584329] MACTimes:[modified=1319047808.3125, accessed=-1.164447e+10, created=-1.164447e+10, changed=-1.164447e+10] FileAttrs:[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F] smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=1, create_options=32] smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1] smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=, disposition=1, create_options=32] diff --git a/testing/btest/scripts/base/protocols/smb/smb2.test b/testing/btest/scripts/base/protocols/smb/smb2.test index 33ce0e29a3..2a05d5edf3 100644 
--- a/testing/btest/scripts/base/protocols/smb/smb2.test +++ b/testing/btest/scripts/base/protocols/smb/smb2.test @@ -19,3 +19,9 @@ event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::Cre print fmt("smb2_create_response %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, response); } +event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id: + SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs) +{ + print fmt("smb2_file_sattr %s -> %s:%d %s MACTimes:%s FileAttrs:%s", c$id$orig_h, c$id$resp_h, c$id$resp_p, file_id, times, attrs); +} + From cd6e541e3e04de92b1b641d683d7fdc5f5700faf Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 5 Apr 2018 14:10:04 -0500 Subject: [PATCH 358/631] Remove unneeded lines from .travis.yml --- .travis.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.travis.yml b/.travis.yml index 076e405e75..aff55355c1 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,17 +6,10 @@ compiler: addons: ssh_known_hosts: git.bro.org apt: - sources: - - ubuntu-toolchain-r-test packages: - - bison - - cmake - - flex - libpcap-dev - libssl-dev - - python-dev - swig - - zlib1g-dev branches: only: From 8c91cafad87638f553f513454689ef74c8418b02 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Thu, 5 Apr 2018 14:12:24 -0500 Subject: [PATCH 359/631] Trim the Travis CI build log output Remove some output from the Travis CI build log to make it easier to read. There is an issue with Travis CI when using encrypted environment variables. In this case, when btest calls the python function sys.stdout.isatty() it returns False, which causes btest to output one line for each test (passed or failed). As a result, it is difficult to see at a glance which tests failed. Switching to btest brief output to address this issue. --- testing/scripts/travis-job | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/testing/scripts/travis-job b/testing/scripts/travis-job index 95605eef1f..533cb75d02 100644 
--- a/testing/scripts/travis-job +++ b/testing/scripts/travis-job @@ -48,7 +48,7 @@ run_coverity() { run() { # Run the tests, but don't exit upon failure. - make -C testing/btest btest-verbose + make -C testing/btest btest-brief ret=$? set -e @@ -74,9 +74,10 @@ run() { } failure() { - # Output each diag.log that contains failed test results. + # Output each diag.log that contains failed test results, but don't show + # skipped tests. for i in testing/btest/diag.log testing/external/bro-testing/diag.log; do - grep -qs '... failed$' $i && cat $i ; + grep -qs '... failed$' $i && grep -v "... not available, skipped" $i ; done } From 9c85d3f3a90b198f1ca02ce58f188367acf923be Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Thu, 5 Apr 2018 17:12:33 -0400 Subject: [PATCH 360/631] On rare occasions the server doesn't return the tree id on read responses. This tracks the tree id given by the request This also addresses BIT-1862 with code submitted by Stefano Rinaldi and took some hints from his changes in other areas of the code. --- scripts/policy/protocols/smb/smb2-main.bro | 2 ++ src/analyzer/protocol/smb/smb-pipe.pac | 15 ++++----- src/analyzer/protocol/smb/smb2-com-read.pac | 15 ++++++--- src/analyzer/protocol/smb/smb2-protocol.pac | 34 +++++++++++++++++++-- 4 files changed, 51 insertions(+), 15 deletions(-) diff --git a/scripts/policy/protocols/smb/smb2-main.bro b/scripts/policy/protocols/smb/smb2-main.bro index 52c8f8060c..fa952eb5c3 100644 --- a/scripts/policy/protocols/smb/smb2-main.bro +++ b/scripts/policy/protocols/smb/smb2-main.bro @@ -72,7 +72,9 @@ event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=-5 # marked as PENDING, then we'll skip all of this and wait # for a reply that isn't marked pending. if ( c$smb_state$current_cmd$status == "PENDING" ) + { return; + } if ( SMB::write_cmd_log && c$smb_state$current_cmd$status !in SMB::ignored_command_statuses && 
diff --git a/src/analyzer/protocol/smb/smb-pipe.pac b/src/analyzer/protocol/smb/smb-pipe.pac index 2407c63dd3..8ef07e0b0b 100644 --- a/src/analyzer/protocol/smb/smb-pipe.pac +++ b/src/analyzer/protocol/smb/smb-pipe.pac @@ -4,7 +4,7 @@ refine connection SMB_Conn += { %member{ - map tree_is_pipe_map; + map tree_is_pipe_map; map fid_to_analyzer_map; %} @@ -20,18 +20,18 @@ refine connection SMB_Conn += { } %} - function get_tree_is_pipe(tree_id: uint16): bool + function get_tree_is_pipe(tree_id: uint32): bool %{ - return ( tree_is_pipe_map.count(tree_id) > 0 ); + return ( tree_is_pipe_map.count(tree_id) > 0 && tree_is_pipe_map.at(tree_id) ); %} - function unset_tree_is_pipe(tree_id: uint16): bool + function unset_tree_is_pipe(tree_id: uint32): bool %{ tree_is_pipe_map.erase(tree_id); return true; %} - function set_tree_is_pipe(tree_id: uint16): bool + function set_tree_is_pipe(tree_id: uint32): bool %{ tree_is_pipe_map[tree_id] = true; return true; @@ -39,10 +39,11 @@ refine connection SMB_Conn += { function forward_dce_rpc(pipe_data: bytestring, fid: uint64, is_orig: bool): bool %{ - analyzer::dce_rpc::DCE_RPC_Analyzer *pipe_dcerpc; + analyzer::dce_rpc::DCE_RPC_Analyzer *pipe_dcerpc = nullptr; if ( fid_to_analyzer_map.count(fid) == 0 ) { - pipe_dcerpc = (analyzer::dce_rpc::DCE_RPC_Analyzer *)analyzer_mgr->InstantiateAnalyzer("DCE_RPC", bro_analyzer()->Conn()); + auto tmp_analyzer = analyzer_mgr->InstantiateAnalyzer("DCE_RPC", bro_analyzer()->Conn()); + pipe_dcerpc = static_cast(tmp_analyzer); if ( pipe_dcerpc ) { pipe_dcerpc->SetFileID(fid); diff --git a/src/analyzer/protocol/smb/smb2-com-read.pac b/src/analyzer/protocol/smb/smb2-com-read.pac index cf5d2ae065..849671488d 100644 --- a/src/analyzer/protocol/smb/smb2-com-read.pac +++ b/src/analyzer/protocol/smb/smb2-com-read.pac 
@@ -3,18 +3,19 @@ refine connection SMB_Conn += { %member{ // Track read offsets to provide correct // offsets for file manager. - std::map smb2_read_offsets; + std::map smb2_read_offsets; std::map smb2_read_fids; %} - function get_file_id(message_id: uint64): uint64 + function get_file_id(message_id: uint64, forget: bool): uint64 %{ if ( smb2_read_fids.count(message_id) == 0 ) return 0; else { uint64 fid = smb2_read_fids[message_id]; - smb2_read_fids.erase(message_id); + if ( forget ) + smb2_read_fids.erase(message_id); return fid; } %} @@ -40,7 +41,10 @@ refine connection SMB_Conn += { function proc_smb2_read_response(h: SMB2_Header, val: SMB2_read_response) : bool %{ uint64 offset = smb2_read_offsets[${h.message_id}]; - smb2_read_offsets.erase(${h.message_id}); + + // If a PENDING status was received, keep this around. + if ( ${h.status} != 0x00000103 ) + smb2_read_offsets.erase(${h.message_id}); if ( ! ${h.is_pipe} && ${val.data_len} > 0 ) { @@ -83,7 +87,8 @@ type SMB2_read_response(header: SMB2_Header) = record { pad : padding to data_offset - header.head_length; data : bytestring &length=data_len; } &let { - fid : uint64 = $context.connection.get_file_id(header.message_id); + # If a reply is has a pending status, let it remain. + fid : uint64 = $context.connection.get_file_id(header.message_id, header.status != 0x00000103); pipe_proc : bool = $context.connection.forward_dce_rpc(data, fid, false) &if(header.is_pipe); proc: bool = $context.connection.proc_smb2_read_response(header, this); diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac index 1cad6e130e..5ca419eb2f 100644 --- a/src/analyzer/protocol/smb/smb2-protocol.pac +++ b/src/analyzer/protocol/smb/smb2-protocol.pac 
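Review bot: Entries in `smb2_read_offsets` and `smb2_read_fids` are now kept whenever the reply status is 0x00000103, and they are dropped only when a later non-pending reply with the same message_id arrives. Nothing visible in these hunks bounds or expires them, so a connection whose reads stay PENDING or never complete grows both maps for the life of the connection; the same applies to the `smb2_request_tree_id` map added in smb2-protocol.pac, which gains an entry for every request. Consider a per-connection cap or an expiry for these tables, and a comment next to each erase stating when an entry is expected to go away. Separately, `smb2_read_offsets[${h.message_id}]` in proc_smb2_read_response creates a zero entry for a reply whose request was never seen; a `find` would avoid creating state from unsolicited replies.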
@@ -94,6 +94,12 @@ type SMB2_Message_Response(header: SMB2_Header) = case header.command of { refine connection SMB_Conn += { + %member{ + // Track tree_ids given in requests. Sometimes the server doesn't + // reply with the tree_id. Index is message_id, yield is tree_id + std::map smb2_request_tree_id; + %} + function BuildSMB2HeaderVal(hdr: SMB2_Header): BroVal %{ RecordVal* r = new RecordVal(BifType::Record::SMB2::Header); @@ -124,8 +130,20 @@ refine connection SMB_Conn += { function proc_smb2_message(h: SMB2_Header, is_orig: bool): bool %{ - //if ( ${h.command} == SMB2_READ ) - // printf("got a read %s command\n", is_orig ? "request" : "response"); + if ( is_orig ) + { + // Store the tree_id + smb2_request_tree_id[${h.message_id}] = ${h.tree_id}; + } + else + { + // Remove the stored tree_id unless the reply is pending. It will + // have already been used by the time this code is reached. + if ( ${h.status} != 0x00000103 ) + { + smb2_request_tree_id.erase(${h.message_id}); + } + } if ( smb2_message ) { @@ -135,6 +153,15 @@ refine connection SMB_Conn += { } return true; %} + + function get_request_tree_id(message_id: uint64): uint64 + %{ + // This is stored at the request and used at the reply. + if ( smb2_request_tree_id.count(message_id) > 0 ) + return smb2_request_tree_id[message_id]; + else + return 0; + %} }; function smb2_file_attrs_to_bro(val: SMB2_file_attributes): BroVal @@ -199,7 +226,8 @@ type SMB2_Header(is_orig: bool) = record { related = (flags >> 26) & 1; msigned = (flags >> 27) & 1; dfs = (flags) & 1; - is_pipe: bool = $context.connection.get_tree_is_pipe(tree_id); + request_tree_id = $context.connection.get_request_tree_id(message_id); + is_pipe: bool = $context.connection.get_tree_is_pipe(is_orig ? tree_id : request_tree_id); proc : bool = $context.connection.proc_smb2_message(this, is_orig); } &byteorder=littleendian; From a80131c06e22067228f87c1ce73ac462a8835ded Mon Sep 17 00:00:00 2001 
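Review bot: `get_request_tree_id` is declared to return uint64, but the value it returns is a tree id and is passed straight to `get_tree_is_pipe(tree_id: uint32)` in the new `is_pipe` expression, so it is narrowed implicitly. Declaring it as `function get_request_tree_id(message_id: uint64): uint32` keeps the two helpers consistent. The PENDING status is also written as the bare literal 0x00000103 here and twice in smb2-com-read.pac; a named constant would keep the three checks in step.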
From: Seth Hall Date: Thu, 5 Apr 2018 17:13:10 -0400 Subject: [PATCH 361/631] Updating the defined SMB2 dialects to match Microsofts current docs. --- scripts/base/protocols/smb/consts.bro | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/base/protocols/smb/consts.bro b/scripts/base/protocols/smb/consts.bro index 862a0ae693..f36d029be9 100644 --- a/scripts/base/protocols/smb/consts.bro +++ b/scripts/base/protocols/smb/consts.bro @@ -255,10 +255,12 @@ export { } &default=function(i: count): string { return fmt("unknown-%d", i); }; const dialects: table[count] of string = { - [0x0202] = "2.002", + [0x0202] = "2.0.2", [0x0210] = "2.1", [0x0300] = "3.0", - [0x0302] = "3.02", + [0x0302] = "3.0.2", + [0x0311] = "3.1.1", + [0x02FF] = "2.1+", } &default=function(i: count): string { return fmt("unknown-%d", i); }; const share_types: table[count] of string = { From 6e933199dc5098ef97db0abfce053a2fb1910801 Mon Sep 17 00:00:00 2001 From: Daniel Thayer Date: Fri, 6 Apr 2018 12:50:29 -0500 Subject: [PATCH 362/631] Fix config input reader on systems with gcc 4.8 Systems that have gcc 4.8 (such as RHEL 7 or ubuntu 14.04 LTS) have a version of libstdc++ that doesn't implement the C++11 regex functions (the header and functions exist, but calling them results in the process being terminated). On those systems, the following tests fail: scripts.base.frameworks.config.basic ... failed scripts.base.frameworks.config.read_config ... failed scripts.base.frameworks.config.several-files ... failed scripts.base.frameworks.config.updates ... failed scripts.base.frameworks.input.config.basic ... failed scripts.base.frameworks.input.config.errors ... failed As a workaround, this commit switches to using the POSIX regex.h functions. --- src/input/readers/config/Config.cc | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/src/input/readers/config/Config.cc b/src/input/readers/config/Config.cc index e47815ab92..e50b468a36 100644 
--- a/src/input/readers/config/Config.cc +++ b/src/input/readers/config/Config.cc @@ -2,12 +2,12 @@ #include #include -#include #include #include #include #include +#include #include "Config.h" #include "config.bif.h" @@ -191,18 +191,24 @@ bool Config::DoUpdate() unseen_options.insert(i.first); } + regex_t re; + if ( regcomp(&re, "^([^[:blank:]]+)[[:blank:]]+(.*)$", REG_EXTENDED) ) + { + Error(Fmt("Failed to compile regex.")); + return true; + } + while ( GetLine(line) ) { - static std::regex re("^(.*?)\\s+(.*)$"); - std::smatch match; - if ( ! std::regex_search(line, match, re) ) + regmatch_t match[3]; + if ( regexec(&re, line.c_str(), 3, match, 0) ) { Warning(Fmt("Could not parse '%s'; line has invalid format. Ignoring line.", line.c_str())); continue; } - string key = match[1]; - string value = match[2]; + string key = line.substr(match[1].rm_so, match[1].rm_eo - match[1].rm_so); + string value = line.substr(match[2].rm_so, match[2].rm_eo - match[2].rm_so); auto typeit = option_types.find(key); if ( typeit == option_types.end() ) @@ -278,6 +284,8 @@ bool Config::DoUpdate() } } + regfree(&re); + if ( Info().mode != MODE_STREAM ) EndCurrentSend(); From b55c78917adfa7e46633555e3ef966d8d43243de Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Tue, 10 Apr 2018 10:25:21 -0500 Subject: [PATCH 363/631] Updating submodule(s). [nomail] --- src/3rdparty | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/3rdparty b/src/3rdparty index 207d60381c..3107bd0398 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 207d60381c194b400ffdfb97c78aa577661bd177 +Subproject commit 3107bd039828c47ebae399d0f0c9220595bf6cf2 From 8152508330536b279ee0f26df3f52a85e74924ad Mon Sep 17 00:00:00 2001 
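Review bot: The pattern is compiled with `regcomp` on every DoUpdate() call and released only by the `regfree(&re);` added in the last hunk, so any exit path between the two would leak the compiled regex (the code between the hunks is not shown, so this needs checking against the full function). Since the pattern is constant, it could be compiled once per reader and freed when the reader is torn down, or held in a small RAII wrapper whose destructor calls `regfree`. The `regcomp` return code is also discarded; passing it to `regerror` would let the error message say why compilation failed.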
From: Jon Siwek Date: Wed, 11 Apr 2018 16:23:26 -0500 Subject: [PATCH 364/631] BIT-1909: fix invalid redef'd record field accesses --- src/Net.cc | 1 + src/Net.h | 3 ++ src/Val.cc | 26 ++++++++++ src/Val.h | 7 +++ src/main.cc | 10 ++++ .../language.record-redef-after-init/output | 10 ++++ .../language/record-redef-after-init.bro | 52 +++++++++++++++++++ 7 files changed, 109 insertions(+) create mode 100644 testing/btest/Baseline/language.record-redef-after-init/output create mode 100644 testing/btest/language/record-redef-after-init.bro diff --git a/src/Net.cc b/src/Net.cc index 0b0491719f..ae66b64309 100644 --- a/src/Net.cc +++ b/src/Net.cc @@ -61,6 +61,7 @@ double bro_start_time = 0.0; // time Bro started. double bro_start_network_time; // timestamp of first packet double last_watchdog_proc_time = 0.0; // value of above during last watchdog bool terminating = false; // whether we're done reading and finishing up +bool is_parsing = false; const Packet *current_pkt = 0; int current_dispatched = 0; diff --git a/src/Net.h b/src/Net.h index 370f08a3ca..caea61c436 100644 --- a/src/Net.h +++ b/src/Net.h @@ -70,6 +70,9 @@ extern bool terminating; // True if the remote serializer is to be activated. extern bool using_communication; +// True if Bro is currently parsing scripts. +extern bool is_parsing; + extern const Packet* current_pkt; extern int current_dispatched; extern double current_timestamp; diff --git a/src/Val.cc b/src/Val.cc index 95bb8263a9..3d5b820e10 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -2722,6 +2722,8 @@ unsigned int TableVal::MemoryAllocation() const + table_hash->MemoryAllocation(); } +vector RecordVal::parse_time_records; + RecordVal::RecordVal(RecordType* t) : MutableVal(t) { origin = 0; @@ -2767,6 +2769,12 @@ RecordVal::RecordVal(RecordType* t) : MutableVal(t) vl->append(def ? def->Ref() : 0); Unref(def); + + if ( is_parsing ) + { + parse_time_records.emplace_back(this); + Ref(); + } } } 
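Review bot: The added `if ( is_parsing )` block in the RecordVal constructor follows `Unref(def);` and precedes two closing braces, which suggests it sits inside the per-field loop rather than after it (the loop header is outside the hunk, so this is inferred). If so, each record built at parse time is pushed onto `parse_time_records` and `Ref()`'d once per field, main.cc then calls `Resize()` on it that many times, and a record type with no fields is never registered. The reference counts still balance, but registering once is simpler: move the block to the top of the constructor body, before the loop, with a comment such as `// Track records created while parsing so they can be resized after redefs.`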
@@ -2832,6 +2840,24 @@ Val* RecordVal::LookupWithDefault(int field) const return record_type->FieldDefault(field); } +bool RecordVal::Resize() + { + auto vs = val.val_list_val; + auto rt = record_type; + auto current_length = vs->length(); + auto required_length = rt->NumFields(); + + if ( required_length <= current_length ) + return false; + + vs->resize(required_length); + + for ( auto i = current_length; i < required_length; ++i ) + vs->replace(i, nullptr); + + return true; + } + Val* RecordVal::Lookup(const char* field, bool with_default) const { int idx = record_type->FieldOffset(field); diff --git a/src/Val.h b/src/Val.h index ca04381176..7f31d24175 100644 --- a/src/Val.h +++ b/src/Val.h @@ -920,6 +920,8 @@ protected: class RecordVal : public MutableVal { public: + static vector parse_time_records; + explicit RecordVal(RecordType* t); ~RecordVal() override; @@ -930,6 +932,11 @@ public: Val* Lookup(int field) const; // Does not Ref() value. Val* LookupWithDefault(int field) const; // Does Ref() value. + // Extend the underlying array to match the number of fields in the + // record type (they may mismatch as a result of parse-time record type + // redefinitions. + bool Resize(); + /** * Looks up the value of a field by field name. If the field doesn't * exist in the record type, it's an internal error: abort. diff --git a/src/main.cc b/src/main.cc index 41e18284a3..3f8a12c7d1 100644 --- a/src/main.cc +++ b/src/main.cc @@ -854,7 +854,17 @@ int main(int argc, char** argv) HeapLeakChecker::Disabler disabler; #endif + is_parsing = true; yyparse(); + is_parsing = false; + + for ( auto& rv : RecordVal::parse_time_records ) + { + rv->Resize(); + Unref(rv); + } + + RecordVal::parse_time_records = {}; init_general_global_var(); init_net_var(); diff --git a/testing/btest/Baseline/language.record-redef-after-init/output b/testing/btest/Baseline/language.record-redef-after-init/output new file mode 100644 index 0000000000..9c422442a5 --- /dev/null 
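Review bot: The comment added above `Resize()` in Val.h has an unclosed parenthesis and does not say what the `bool` result means. From the definition in Val.cc it returns `false` when the value list is already long enough and `true` when it was extended, with the new slots set to `nullptr`, so a line such as `// Returns true if the list was extended; new slots are left unset.` would help callers. `parse_time_records` is declared `public` with no comment at all; a note that it holds one extra reference on each record created while `is_parsing` is set, released in main.cc after `yyparse()`, would document who owns those references.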
+++ b/testing/btest/Baseline/language.record-redef-after-init/output @@ -0,0 +1,10 @@ +[a=redef, d=, e=, f=, g=, h=, i=, j=, k=, l=, m=, n=, o=, p=, q=] +[a=runtime, d=, e=, f=, g=, h=, i=, j=, k=, l=, m=, n=, o=, p=, q=OPTQ] +[a=local, d=, e=, f=, g=, h=, i=, j=, k=, l=, m=, n=, o=, p=, q=OPTQ] +[a=redef, d=, e=, f=, g=, h=, i=, j=, k=, l=, m=, n=, o=, p=, q=] +[a=redef, d=, e=, f=, g=, h=, i=, j=, k=, l=, m=, n=, o=, p=, q=] +newp +[a=redef, d=, e=, f=, g=, h=, i=, j=, k=, l=, m=, n=, o=, p=newp, q=] +OPTQ +our value +[a=redef, d=, e=, f=, g=, h=, i=, j=, k=, l=, m=, n=, o=, p=newp, q=our value] diff --git a/testing/btest/language/record-redef-after-init.bro b/testing/btest/language/record-redef-after-init.bro new file mode 100644 index 0000000000..693d8bac76 --- /dev/null +++ b/testing/btest/language/record-redef-after-init.bro 
@@ -0,0 +1,52 @@ +# @TEST-EXEC: bro -b %INPUT >output +# @TEST-EXEC: btest-diff output + +type myrec: record { + a: string; +}; + +const mr = myrec($a = "init") &redef; + +redef mr = myrec($a = "redef"); + +# Many fields may help ensure out-of-bounds reference failures +redef record myrec += { + d: string &optional; + e: string &optional; + f: string &optional; + g: string &optional; + h: string &optional; + i: string &optional; + j: string &optional; + k: string &optional; + l: string &optional; + m: string &optional; + n: string &optional; + o: string &optional; + p: string &optional; + q: string &default="OPTQ"; +}; + +print mr; # original 'myrec' type with updated a value +print myrec($a = "runtime"); # check we get new defaults + +local mr2 = myrec($a = "local"); +print mr2; + +mr2 = mr; # Copying should do the right thing +print mr2; + +local mr3: myrec = mr; # Initializing should do the right thing +print mr3; + +if ( mr?$q ) # the test that did not work properly + { + print mr$q; # accessed invalid memory location + } +mr$p = "newp"; # Assignment updates mr as much as needed +print mr$p; +print mr; +print mr$q; +mr$q = "our value"; +print mr$q; +print mr; From 55a925db96163aa84d51638748c9c8861e3f8959 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 18 Apr 2018 10:49:26 -0500 Subject: [PATCH 365/631] Improve HLL cardinality estimate unit test. The test could fail on the order of 100s of iterations, so I bumped to desired accuracy to actually check for results that are outside the error margin. --- CHANGES | 4 ++++ VERSION | 2 +- testing/btest/bifs/hll_large_estimate.bro | 6 +++--- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 0c02fa34c2..dec20c06de 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.5-514 | 2018-04-18 10:54:24 -0500 + + * Improve HLL cardinality estimate unit test. (Corelight) + 2.5-513 | 2018-04-18 10:38:41 -0500 * Updating the defined SMB2 dialects to match Microsofts current docs. 
diff --git a/VERSION b/VERSION index 999dc71256..ee96928f5d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-513 +2.5-514 diff --git a/testing/btest/bifs/hll_large_estimate.bro b/testing/btest/bifs/hll_large_estimate.bro index 6a8c0f6e08..2059e47568 100644 --- a/testing/btest/bifs/hll_large_estimate.bro +++ b/testing/btest/bifs/hll_large_estimate.bro @@ -1,8 +1,8 @@ # # Test the quality of HLL once by checking adding a large number of IP entries. # -# @TEST-EXEC: bro %INPUT > out -# @TEST-EXEC: BRO_SEED_FILE="" bro %INPUT > out2 +# @TEST-EXEC: bro -b %INPUT > out +# @TEST-EXEC: BRO_SEED_FILE="" bro -b %INPUT > out2 # @TEST-EXEC: head -n1 out2 >> out # @TEST-EXEC: btest-diff out @@ -17,7 +17,7 @@ event bro_init() } local res: int = double_to_count(hll_cardinality_estimate(cp)); - if ( |res - 170000| > 15000 ) + if ( |res - 170000| > 17000 ) print "Big error"; else print "Ok error"; From eb0c989ab36e0c6a4e3da983d3f3d5e694403d76 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 18 Apr 2018 11:44:36 -0500 Subject: [PATCH 366/631] Improve std::map usages in SMB code Removed redundant lookup operations --- CHANGES | 6 ++++ VERSION | 2 +- .../protocol/dce-rpc/dce_rpc-protocol.pac | 33 +++++++++++-------- src/analyzer/protocol/smb/smb-pipe.pac | 14 ++++++-- src/analyzer/protocol/smb/smb2-com-ioctl.pac | 14 ++++---- src/analyzer/protocol/smb/smb2-com-read.pac | 18 +++++----- src/analyzer/protocol/smb/smb2-protocol.pac | 8 +++-- 7 files changed, 60 insertions(+), 35 deletions(-) diff --git a/CHANGES b/CHANGES index dec20c06de..2f62e8a520 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,10 @@ +2.5-515 | 2018-04-18 11:44:36 -0500 + + * Improve std::map usages in SMB code + + Removed redundant lookup operations (Corelight) + 2.5-514 | 2018-04-18 10:54:24 -0500 * Improve HLL cardinality estimate unit test. (Corelight) diff --git a/VERSION b/VERSION index ee96928f5d..715344f885 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-514 +2.5-515 
diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac index 921b4ba51f..faea6dacfd 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac @@ -180,9 +180,11 @@ flow DCE_RPC_Flow(is_orig: bool) { # Fragment reassembly. function reassemble_fragment(header: DCE_RPC_Header, frag: bytestring): bool %{ + auto it = fb.find(${header.call_id}); + if ( ${header.firstfrag} ) { - if ( fb.count(${header.call_id}) > 0 ) + if ( it != fb.end() ) { // We already had a first frag earlier. reporter->Weird(connection()->bro_analyzer()->Conn(), @@ -199,9 +201,11 @@ flow DCE_RPC_Flow(is_orig: bool) { else { // first frag, but not last so we start a flowbuffer - fb[${header.call_id}] = std::unique_ptr(new FlowBuffer()); - fb[${header.call_id}]->NewFrame(0, true); - fb[${header.call_id}]->BufferData(frag.begin(), frag.end()); + auto it = fb.emplace(${header.call_id}, + std::unique_ptr(new FlowBuffer())); + auto& flowbuf = it.first->second; + flowbuf->NewFrame(0, true); + flowbuf->BufferData(frag.begin(), frag.end()); if ( fb.size() > BifConst::DCE_RPC::max_cmd_reassembly ) { @@ -210,7 +214,7 @@ flow DCE_RPC_Flow(is_orig: bool) { connection()->bro_analyzer()->SetSkip(true); } - if ( fb[${header.call_id}]->data_length() > (int)BifConst::DCE_RPC::max_frag_data ) + if ( flowbuf->data_length() > (int)BifConst::DCE_RPC::max_frag_data ) { reporter->Weird(connection()->bro_analyzer()->Conn(), "too_much_dce_rpc_fragment_data"); 
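Review bot: In the first-fragment branch of `reassemble_fragment`, the new `auto it = fb.emplace(...)` shadows the iterator declared at the top of the function, and `emplace` keeps an existing entry where the old `fb[...] = ...` assignment replaced it. Whether that matters depends on the duplicate-first-fragment branch returning before this point; that code lies between the hunks and is not visible here, and if it does not return, `NewFrame`/`BufferData` would now append to the stale buffer. Renaming the result, e.g. `auto res = fb.emplace(...); auto& flowbuf = res.first->second;`, removes the shadowing, and testing `res.second` makes the no-replace case explicit.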
@@ -220,12 +224,13 @@ flow DCE_RPC_Flow(is_orig: bool) { return false; } } - else if ( fb.count(${header.call_id}) > 0 ) + else if ( it != fb.end() ) { // not the first frag, but we have a flow buffer so add to it - fb[${header.call_id}]->BufferData(frag.begin(), frag.end()); + auto& flowbuf = it->second; + flowbuf->BufferData(frag.begin(), frag.end()); - if ( fb[${header.call_id}]->data_length() > (int)BifConst::DCE_RPC::max_frag_data ) + if ( flowbuf->data_length() > (int)BifConst::DCE_RPC::max_frag_data ) { reporter->Weird(connection()->bro_analyzer()->Conn(), "too_much_dce_rpc_fragment_data"); @@ -247,12 +252,14 @@ flow DCE_RPC_Flow(is_orig: bool) { function reassembled_body(h: DCE_RPC_Header, body: bytestring): const_bytestring %{ const_bytestring bd = body; + auto it = fb.find(${h.call_id}); - if ( fb.count(${h.call_id}) > 0 ) - { - bd = const_bytestring(fb[${h.call_id}]->begin(), fb[${h.call_id}]->end()); - fb.erase(${h.call_id}); - } + if ( it == fb.end() ) + return bd; + + auto& flowbuf = it->second; + bd = const_bytestring(flowbuf->begin(), flowbuf->end()); + fb.erase(it); return bd; %} diff --git a/src/analyzer/protocol/smb/smb-pipe.pac b/src/analyzer/protocol/smb/smb-pipe.pac index 8ef07e0b0b..4dd4c7e754 100644 --- a/src/analyzer/protocol/smb/smb-pipe.pac +++ b/src/analyzer/protocol/smb/smb-pipe.pac @@ -22,7 +22,12 @@ refine connection SMB_Conn += { function get_tree_is_pipe(tree_id: uint32): bool %{ - return ( tree_is_pipe_map.count(tree_id) > 0 && tree_is_pipe_map.at(tree_id) ); + auto it = tree_is_pipe_map.find(tree_id); + + if ( it == tree_is_pipe_map.end() ) + return false; + + return it->second; %} function unset_tree_is_pipe(tree_id: uint32): bool 
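Review bot: In `reassembled_body`, `bd` is built from `flowbuf->begin()` and `flowbuf->end()` and the map entry is erased on the next line, which destroys the `unique_ptr` and with it the `FlowBuffer` those pointers refer to. If `const_bytestring` is a non-owning view (its definition is not on this page), the returned value points at freed memory; the removed code had the same order, so this change carries the problem over rather than introducing it. Since the fragment contents come from the network, it is worth confirming the type's ownership and, if it does not copy, deferring `fb.erase(it)` until the caller has finished with the reassembled body.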
@@ -40,10 +45,13 @@ refine connection SMB_Conn += { function forward_dce_rpc(pipe_data: bytestring, fid: uint64, is_orig: bool): bool %{ analyzer::dce_rpc::DCE_RPC_Analyzer *pipe_dcerpc = nullptr; - if ( fid_to_analyzer_map.count(fid) == 0 ) + auto it = fid_to_analyzer_map.find(fid); + + if ( it == fid_to_analyzer_map.end() ) { auto tmp_analyzer = analyzer_mgr->InstantiateAnalyzer("DCE_RPC", bro_analyzer()->Conn()); pipe_dcerpc = static_cast(tmp_analyzer); + if ( pipe_dcerpc ) { pipe_dcerpc->SetFileID(fid); @@ -52,7 +60,7 @@ refine connection SMB_Conn += { } else { - pipe_dcerpc = fid_to_analyzer_map.at(fid); + pipe_dcerpc = it->second; } if ( pipe_dcerpc ) diff --git a/src/analyzer/protocol/smb/smb2-com-ioctl.pac b/src/analyzer/protocol/smb/smb2-com-ioctl.pac index e5abeefc82..8d65312f9d 100644 --- a/src/analyzer/protocol/smb/smb2-com-ioctl.pac +++ b/src/analyzer/protocol/smb/smb2-com-ioctl.pac @@ -5,14 +5,14 @@ refine connection SMB_Conn += { function get_ioctl_fid(message_id: uint64): uint64 %{ - if ( smb2_ioctl_fids.count(message_id) == 0 ) + auto it = smb2_ioctl_fids.find(message_id); + + if ( it == smb2_ioctl_fids.end() ) return 0; - else - { - uint64 fid = smb2_ioctl_fids[message_id]; - smb2_ioctl_fids.erase(message_id); - return fid; - } + + uint64 fid = it->second; + smb2_ioctl_fids.erase(it); + return fid; %} function proc_smb2_ioctl_request(val: SMB2_ioctl_request) : bool diff --git a/src/analyzer/protocol/smb/smb2-com-read.pac b/src/analyzer/protocol/smb/smb2-com-read.pac index 77eb6dd023..bce9ba2ca9 100644 --- a/src/analyzer/protocol/smb/smb2-com-read.pac +++ b/src/analyzer/protocol/smb/smb2-com-read.pac 
@@ -9,15 +9,17 @@ refine connection SMB_Conn += { function get_file_id(message_id: uint64, forget: bool): uint64 %{ - if ( smb2_read_fids.count(message_id) == 0 ) + auto it = smb2_read_fids.find(message_id); + + if ( it == smb2_read_fids.end() ) return 0; - else - { - uint64 fid = smb2_read_fids[message_id]; - if ( forget ) - smb2_read_fids.erase(message_id); - return fid; - } + + uint64 fid = it->second; + + if ( forget ) + smb2_read_fids.erase(it); + + return fid; %} function proc_smb2_read_request(h: SMB2_Header, val: SMB2_read_request) : bool diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac index 221adec31b..20414c5a9a 100644 --- a/src/analyzer/protocol/smb/smb2-protocol.pac +++ b/src/analyzer/protocol/smb/smb2-protocol.pac @@ -157,10 +157,12 @@ refine connection SMB_Conn += { function get_request_tree_id(message_id: uint64): uint64 %{ // This is stored at the request and used at the reply. - if ( smb2_request_tree_id.count(message_id) > 0 ) - return smb2_request_tree_id[message_id]; - else + auto it = smb2_request_tree_id.find(message_id); + + if ( it == smb2_request_tree_id.end() ) return 0; + + return it->second; %} }; From 10b1857a9cfcdb1c753105efe01873cf5cc699ef Mon Sep 17 00:00:00 2001 
From: Jon Siwek Date: Wed, 18 Apr 2018 18:16:34 -0500 Subject: [PATCH 367/631] Update &check'd fields in various protocol parsers * The altered Modbus checks seemed overly strict -- the pcap used for the unit test at least had quantities/byte_count fields of zero, to which the server responds with an error (expected). * Most of the altered DNP3 checks seemed overly strict and caused the unit tests to fail. The one that was just wrong was the 'start' field in header blocks. * Removed the "start" parameter of the dnp3_header_block event since it's always the same value. * The SMB check failed to compile and I don't know what it intended to do, so removed. --- NEWS | 2 + aux/binpac | 2 +- src/analyzer/protocol/dnp3/dnp3-analyzer.pac | 6 +- src/analyzer/protocol/dnp3/dnp3-objects.pac | 112 ++++----- src/analyzer/protocol/dnp3/dnp3-protocol.pac | 16 +- src/analyzer/protocol/dnp3/events.bif | 5 +- .../protocol/modbus/modbus-protocol.pac | 6 +- .../smb/smb1-com-query-information.pac | 2 +- .../protocol/syslog/syslog-protocol.pac | 4 +- .../output | 4 +- .../output | 4 +- .../output | 4 +- .../output | 22 +- .../output | 12 +- .../output | 6 +- .../output | 4 +- .../output | 4 +- .../output | 8 +- .../output | 4 +- .../output | 6 +- .../output | 12 +- .../output | 4 +- .../output | 4 +- .../scripts.base.protocols.dnp3.events/output | 230 +++++++++--------- .../output | 1 - .../scripts/base/protocols/dnp3/events.bro | 4 +- 26 files changed, 237 insertions(+), 251 deletions(-) diff --git a/NEWS b/NEWS index aa43682047..cdc46ba37c 100644 --- a/NEWS +++ b/NEWS @@ -185,6 +185,8 @@ Changed Functionality - event ssl_server_signature now has an additional argument "signature_and_hashalgorithm". +- The "dnp3_header_block" event no longer has the "start" parameter + Removed Functionality --------------------- diff --git a/aux/binpac b/aux/binpac index c8d860a2e8..cb8bac9ea3 160000 --- a/aux/binpac +++ b/aux/binpac 
@@ -1 +1 @@ -Subproject commit c8d860a2e8fd42c725aca0000c9f96ec53cde900 +Subproject commit cb8bac9ea31f24f6ad5eb8c0d86a13ba6fa539b8 diff --git a/src/analyzer/protocol/dnp3/dnp3-analyzer.pac b/src/analyzer/protocol/dnp3/dnp3-analyzer.pac index 393ab82079..3edd839733 100644 --- a/src/analyzer/protocol/dnp3/dnp3-analyzer.pac +++ b/src/analyzer/protocol/dnp3/dnp3-analyzer.pac @@ -25,14 +25,14 @@ connection DNP3_Conn(bro_analyzer: BroAnalyzer) { flow DNP3_Flow(is_orig: bool) { flowunit = DNP3_PDU(is_orig) withcontext (connection, this); - function get_dnp3_header_block(start: uint16, len: uint16, ctrl: uint8, dest_addr: uint16, src_addr: uint16): bool + function get_dnp3_header_block(len: uint16, ctrl: uint8, dest_addr: uint16, src_addr: uint16): bool %{ if ( ::dnp3_header_block ) { BifEvent::generate_dnp3_header_block( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), start, len, ctrl, dest_addr, src_addr); + is_orig(), len, ctrl, dest_addr, src_addr); } return true; @@ -741,7 +741,7 @@ flow DNP3_Flow(is_orig: bool) { }; refine typeattr Header_Block += &let { - get_header: bool = $context.flow.get_dnp3_header_block(start, len, ctrl, dest_addr, src_addr); + get_header: bool = $context.flow.get_dnp3_header_block(len, ctrl, dest_addr, src_addr); }; refine typeattr DNP3_Application_Request_Header += &let { diff --git a/src/analyzer/protocol/dnp3/dnp3-objects.pac b/src/analyzer/protocol/dnp3/dnp3-objects.pac index 0d2b75df0d..711dc0802f 100644 --- a/src/analyzer/protocol/dnp3/dnp3-objects.pac +++ b/src/analyzer/protocol/dnp3/dnp3-objects.pac 
@@ -2,15 +2,7 @@ type Prefix_Type(qualifier_field: uint8) = record { prefix: case ( qualifier_field & 0xf0 ) of { - 0x00 -> none: empty &check(qualifier_field == 0x01 || - qualifier_field == 0x02 || - qualifier_field == 0x03 || - qualifier_field == 0x04 || - qualifier_field == 0x05 || - qualifier_field == 0x06 || - qualifier_field == 0x07 || - qualifier_field == 0x08 || - qualifier_field == 0x09 ); + 0x00 -> none: empty; 0x10 -> prefix8: uint8 &check(qualifier_field == 0x17 || qualifier_field == 0x18 || qualifier_field == 0x19 ); @@ -117,9 +109,9 @@ type Request_Data_Object(function_code: uint8, qualifier_field: uint8, object_ty 0x0b02 -> boewatime: empty; # binary output command g12 - 0x0c01 -> bocmd_CROB: CROB &check (function_code == SELECT || function_code == OPERATE || + 0x0c01 -> bocmd_CROB: CROB &check (function_code == RESPONSE || function_code == SELECT || function_code == OPERATE || function_code == DIRECT_OPERATE || function_code == DIRECT_OPERATE_NR ); - 0x0c02 -> bocmd_PCB: PCB &check (function_code == SELECT || function_code == OPERATE || + 0x0c02 -> bocmd_PCB: PCB &check (function_code == RESPONSE || function_code == SELECT || function_code == OPERATE || function_code == DIRECT_OPERATE || function_code == DIRECT_OPERATE_NR || function_code == WRITE ); 0x0c03 -> bocmd_PM: uint8; 
@@ -132,48 +124,48 @@ type Request_Data_Object(function_code: uint8, qualifier_field: uint8, object_ty 0x1400 -> counter_default: empty; 0x1401 -> counter_32_wflag: empty; 0x1402 -> counter_16_wflag: empty; - 0x1403 -> counter_32_wflag_delta: empty &check (0); # obsolete situation; generate warning - 0x1404 -> counter_16_wflag_delta: empty &check (0); # obsolete situations; generate warning + 0x1403 -> counter_32_wflag_delta: empty; # obsolete situation; generate warning + 0x1404 -> counter_16_wflag_delta: empty; # obsolete situations; generate warning 0x1405 -> counter_32_woflag: empty; 0x1406 -> counter_16_woflag: empty; - 0x1407 -> counter_32_woflag_delta: empty &check (0); # obsolete - 0x1408 -> counter_16_woflag_delta: empty &check (0); # obsolete + 0x1407 -> counter_32_woflag_delta: empty; # obsolete + 0x1408 -> counter_16_woflag_delta: empty; # obsolete # frozen counter ; g21 0x1500 -> f_counter_default: empty; 0x1501 -> f_counter_32_wflag: empty; 0x1502 -> f_counter_16_wflag: empty; - 0x1503 -> f_counter_32_wflag_delta: empty &check (0); # obsolete situation; generate warning - 0x1504 -> f_counter_16_wflag_delta: empty &check (0); # obsolete situations; generate warning + 0x1503 -> f_counter_32_wflag_delta: empty; # obsolete situation; generate warning + 0x1504 -> f_counter_16_wflag_delta: empty; # obsolete situations; generate warning 0x1505 -> f_counter_32_wflag_time: empty; 0x1506 -> f_counter_16_wflag_time: empty; - 0x1507 -> f_counter_32_wflag_time_delta: empty &check (0); # obsolete - 0x1508 -> f_counter_16_wflag_time_delta: empty &check (0); # obsolete + 0x1507 -> f_counter_32_wflag_time_delta: empty; # obsolete + 0x1508 -> f_counter_16_wflag_time_delta: empty; # obsolete 0x1509 -> f_counter_32_woflag: empty; 0x150a -> f_counter_16_woflag: empty; - 0x150b -> f_counter_32_woflag_delta: empty &check (0); # obsolete - 0x150c -> f_counter_16_woflag_delta: empty &check (0); # obsolete + 0x150b -> f_counter_32_woflag_delta: empty; # obsolete + 0x150c -> 
f_counter_16_woflag_delta: empty; # obsolete # counter event g22 0x1600 -> counter_event_default: empty; 0x1601 -> counter_event_32_wflag: empty; 0x1602 -> counter_event_16_wflag: empty; - 0x1603 -> counter_event_32_wflag_delta: empty &check(0); - 0x1604 -> counter_event_16_wflag_delta: empty &check(0); + 0x1603 -> counter_event_32_wflag_delta: empty; + 0x1604 -> counter_event_16_wflag_delta: empty; 0x1605 -> counter_event_32_wflag_time: empty; 0x1606 -> counter_event_16_wflag_time: empty; - 0x1607 -> counter_event_32_wflag_time_delta: empty &check(0); - 0x1608 -> counter_event_16_wflag_time_delat: empty &check(0); + 0x1607 -> counter_event_32_wflag_time_delta: empty; + 0x1608 -> counter_event_16_wflag_time_delat: empty; # counter event g23 0x1700 -> f_counter_event_default: empty; 0x1701 -> f_counter_event_32_wflag: empty; 0x1702 -> f_counter_event_16_wflag: empty; - 0x1703 -> f_counter_event_32_wflag_delta: empty &check(0); - 0x1704 -> f_counter_event_16_wflag_delta: empty &check(0); + 0x1703 -> f_counter_event_32_wflag_delta: empty; + 0x1704 -> f_counter_event_16_wflag_delta: empty; 0x1705 -> f_counter_event_32_wflag_time: empty; 0x1706 -> f_counter_event_16_wflag_time: empty; - 0x1707 -> f_counter_event_32_wflag_time_delta: empty &check(0); - 0x1708 -> f_counter_event_16_wflag_time_delat: empty &check(0); + 0x1707 -> f_counter_event_32_wflag_time_delta: empty; + 0x1708 -> f_counter_event_16_wflag_time_delat: empty; #analog input g30 0x1e00 -> ai_default: empty; 
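Review bot: The trailing comments on the obsolete delta variations (`0x1403`, `0x1404`, `0x1503`, `0x1504`) still say "generate warning", but with `&check (0)` removed nothing on these lines flags them any more. The same applies to the matching entries in the `Response_Data_Object` hunk (`@@ -436,46 +428,46`). Either reword the comments, e.g. `# obsolete variation; parsed without a warning`, or, if visibility into obsolete object variations is still wanted for monitoring, report them from the analyzer code instead of a field check.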
@@ -273,16 +265,16 @@ type Request_Data_Object(function_code: uint8, qualifier_field: uint8, object_ty 0x3402 -> time_fine: uint16; # class objects g60 - 0x3C01 -> class0data: empty &check(object_header.qualifier_field == 0x06); - #0x3C02 -> class1data: uint8 &check(object_header.qualifier_field == 0x06); - 0x3C02 -> class1data: empty &check(object_header.qualifier_field == 0x06 || - object_header.qualifier_field == 0x07 || object_header.qualifier_field == 0x08); - 0x3C03 -> class2data: empty &check(object_header.qualifier_field == 0x06 || - object_header.qualifier_field == 0x07 || object_header.qualifier_field == 0x08); - 0x3C04 -> class3data: empty &check(object_header.qualifier_field == 0x06 || - object_header.qualifier_field == 0x07 || object_header.qualifier_field == 0x08); + 0x3C01 -> class0data: empty &check(qualifier_field == 0x06); + #0x3C02 -> class1data: uint8 &check(qualifier_field == 0x06); + 0x3C02 -> class1data: empty &check(qualifier_field == 0x06 || + qualifier_field == 0x07 || qualifier_field == 0x08); + 0x3C03 -> class2data: empty &check(qualifier_field == 0x06 || + qualifier_field == 0x07 || qualifier_field == 0x08); + 0x3C04 -> class3data: empty &check(qualifier_field == 0x06 || + qualifier_field == 0x07 || qualifier_field == 0x08); # file control g70 - 0x4601 -> file_control_id: File_Control_ID &check(0); + 0x4601 -> file_control_id: File_Control_ID; 0x4602 -> file_control_auth: File_Control_Auth_Wrap(function_code); 0x4603 -> file_control_cmd: File_Control_Cmd &check( file_control_cmd.op_mode == 0 || file_control_cmd.op_mode == 1 || file_control_cmd.op_mode == 2 || file_control_cmd.op_mode == 3 ); 
@@ -423,9 +415,9 @@ type Response_Data_Object(function_code: uint8, qualifier_field: uint8, object_t 0x0b02 -> boewatime: BinOutEveAtime; # binary output command g12 - 0x0c01 -> bocmd_CROB: CROB &check (function_code == SELECT || function_code == OPERATE || + 0x0c01 -> bocmd_CROB: CROB &check (function_code == RESPONSE || function_code == SELECT || function_code == OPERATE || function_code == DIRECT_OPERATE || function_code == DIRECT_OPERATE_NR ); - 0x0c02 -> bocmd_PCB: PCB &check (function_code == SELECT || function_code == OPERATE || + 0x0c02 -> bocmd_PCB: PCB &check (function_code == RESPONSE || function_code == SELECT || function_code == OPERATE || function_code == DIRECT_OPERATE || function_code == DIRECT_OPERATE_NR || function_code == WRITE ); 0x0c03 -> bocmd_PM: uint8; 
@@ -436,46 +428,46 @@ type Response_Data_Object(function_code: uint8, qualifier_field: uint8, object_t # counter ; g20 0x1401 -> counter_32_wflag: Counter32wFlag; 0x1402 -> counter_16_wflag: Counter16wFlag; - 0x1403 -> counter_32_wflag_delta: Debug_Byte &check (0); # obsolete situation; generate warning - 0x1404 -> counter_16_wflag_delta: Debug_Byte &check (0); # obsolete situations; generate warning + 0x1403 -> counter_32_wflag_delta: Debug_Byte; # obsolete situation; generate warning + 0x1404 -> counter_16_wflag_delta: Debug_Byte; # obsolete situations; generate warning 0x1405 -> counter_32_woflag: Counter32woFlag; 0x1406 -> counter_16_woflag: Counter16woFlag; - 0x1407 -> counter_32_woflag_delta: Debug_Byte &check (0); # obsolete - 0x1408 -> counter_16_woflag_delta: Debug_Byte &check (0); # obsolete + 0x1407 -> counter_32_woflag_delta: Debug_Byte; # obsolete + 0x1408 -> counter_16_woflag_delta: Debug_Byte; # obsolete # frozen counter ; g21 #0x1500 -> f_counter_default: empty; 0x1501 -> f_counter_32_wflag: FrozenCounter32wFlag; 0x1502 -> f_counter_16_wflag: FrozenCounter16wFlag; - 0x1503 -> f_counter_32_wflag_delta: Debug_Byte &check (0); # obsolete situation; generate warning - 0x1504 -> f_counter_16_wflag_delta: Debug_Byte &check (0); # obsolete situations; generate warning + 0x1503 -> f_counter_32_wflag_delta: Debug_Byte; # obsolete situation; generate warning + 0x1504 -> f_counter_16_wflag_delta: Debug_Byte; # obsolete situations; generate warning 0x1505 -> f_counter_32_wflag_time: FrozenCounter32wFlagTime; 0x1506 -> f_counter_16_wflag_time: FrozenCounter16wFlagTime; - 0x1507 -> f_counter_32_wflag_time_delta: Debug_Byte &check (0); # obsolete - 0x1508 -> f_counter_16_wflag_time_delta: Debug_Byte &check (0); # obsolete - 0x1509 -> f_counter_32_woflag: FrozenCounter32woFlag &check (f_counter_32_woflag.count_value == 23); + 0x1507 -> f_counter_32_wflag_time_delta: Debug_Byte; # obsolete + 0x1508 -> f_counter_16_wflag_time_delta: Debug_Byte; # obsolete + 0x1509 -> 
f_counter_32_woflag: FrozenCounter32woFlag; 0x150a -> f_counter_16_woflag: FrozenCounter16woFlag; - 0x150b -> f_counter_32_woflag_delta: Debug_Byte &check (0); # obsolete - 0x150c -> f_counter_16_woflag_delta: Debug_Byte &check (0); # obsolete + 0x150b -> f_counter_32_woflag_delta: Debug_Byte; # obsolete + 0x150c -> f_counter_16_woflag_delta: Debug_Byte; # obsolete # counter event g22 0x1601 -> counter_event_32_wflag: CounterEve32wFlag; 0x1602 -> counter_event_16_wflag: CounterEve16wFlag; - 0x1603 -> counter_event_32_wflag_delta: Debug_Byte &check(0); - 0x1604 -> counter_event_16_wflag_delta: Debug_Byte &check(0); + 0x1603 -> counter_event_32_wflag_delta: Debug_Byte; + 0x1604 -> counter_event_16_wflag_delta: Debug_Byte; 0x1605 -> counter_event_32_wflag_time: CounterEve32wFlagTime; 0x1606 -> counter_event_16_wflag_time: CounterEve16wFlagTime; - 0x1607 -> counter_event_32_wflag_time_delta: Debug_Byte &check(0); - 0x1608 -> counter_event_16_wflag_time_delat: Debug_Byte &check(0); + 0x1607 -> counter_event_32_wflag_time_delta: Debug_Byte; + 0x1608 -> counter_event_16_wflag_time_delat: Debug_Byte; # counter event g23 0x1701 -> f_counter_event_32_wflag: CounterEve32wFlag; 0x1702 -> f_counter_event_16_wflag: CounterEve16wFlag; - 0x1703 -> f_counter_event_32_wflag_delta: Debug_Byte &check(0); - 0x1704 -> f_counter_event_16_wflag_delta: Debug_Byte &check(0); + 0x1703 -> f_counter_event_32_wflag_delta: Debug_Byte; + 0x1704 -> f_counter_event_16_wflag_delta: Debug_Byte; 0x1705 -> f_counter_event_32_wflag_time: CounterEve32wFlagTime; 0x1706 -> f_counter_event_16_wflag_time: CounterEve16wFlagTime; - 0x1707 -> f_counter_event_32_wflag_time_delta: Debug_Byte &check(0); - 0x1708 -> f_counter_event_16_wflag_time_delat: Debug_Byte &check(0); + 0x1707 -> f_counter_event_32_wflag_time_delta: Debug_Byte; + 0x1708 -> f_counter_event_16_wflag_time_delat: Debug_Byte; # analog input g30 0x1e01 -> ai_32_wflag: AnalogInput32wFlag; 
@@ -566,7 +558,7 @@ type Response_Data_Object(function_code: uint8, qualifier_field: uint8, object_t 0x3402 -> time_fine: uint16; # file control g70 - 0x4601 -> file_control_id: File_Control_ID &check(0); + 0x4601 -> file_control_id: File_Control_ID; 0x4602 -> file_control_auth: File_Control_Auth &check(file_control_auth.usr_name_size == 0 && file_control_auth.pwd_size == 0); 0x4603 -> file_control_cmd: File_Control_Cmd &check(file_control_cmd.name_size == 0 && ( file_control_cmd.op_mode == 0 || file_control_cmd.op_mode == 1 || diff --git a/src/analyzer/protocol/dnp3/dnp3-protocol.pac b/src/analyzer/protocol/dnp3/dnp3-protocol.pac index 3cf2290c2c..51bd509eb8 100644 --- a/src/analyzer/protocol/dnp3/dnp3-protocol.pac +++ b/src/analyzer/protocol/dnp3/dnp3-protocol.pac @@ -8,7 +8,8 @@ type DNP3_PDU(is_orig: bool) = case is_orig of { } &byteorder = bigendian; type Header_Block = record { - start: uint16 &check(start == 0x0564); + start_1: uint8 &check(start_1 == 0x05); + start_2: uint8 &check(start_2 == 0x64); len: uint8; ctrl: uint8; dest_addr: uint16; @@ -34,11 +35,11 @@ type DNP3_Request = record { FREEZE_AT_TIME_NR -> freeze_time_nr_requests: Request_Objects(app_header.function_code)[]; COLD_RESTART -> cold_restart: empty; WARM_RESTART -> warm_restart: empty; - INITIALIZE_DATA -> initilize_data: empty &check(0); # obsolete + INITIALIZE_DATA -> initilize_data: empty; # obsolete INITIALIZE_APPL -> initilize_appl: Request_Objects(app_header.function_code)[]; START_APPL -> start_appl: Request_Objects(app_header.function_code)[]; STOP_APPL -> stop_appl: Request_Objects(app_header.function_code)[]; - SAVE_CONFIG -> save_config: empty &check(0); # depracated + SAVE_CONFIG -> save_config: empty; # depracated ENABLE_UNSOLICITED -> enable_unsolicited: Request_Objects(app_header.function_code)[]; DISABLE_UNSOLICITED -> disable_unsolicited: Request_Objects(app_header.function_code)[]; ASSIGN_CLASS -> assign_class: Request_Objects(app_header.function_code)[]; 
@@ -92,7 +93,7 @@ type Request_Objects(function_code: uint8) = record { data: case (object_header.object_type_field) of { 0x0c03 -> bocmd_PM: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) ) ]; 0x3202 -> time_interval_ojbects: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item] - &check( object_header.qualifer_field == 0x0f && object_header.number_of_item == 0x01); + &check( object_header.qualifier_field == 0x0f && object_header.number_of_item == 0x01); default -> ojbects: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item]; }; # dump_data is always empty; I intend to use it for checking some conditions; @@ -135,12 +136,7 @@ type Object_Header(function_code: uint8) = record { 8 -> range_field_8: uint16; 9 -> range_field_9: uint32; 0x0b -> range_field_b: uint8; - default -> unknown: bytestring &restofdata &check(0); - }; - # dump_data is always empty; used to check dependency bw object_type_field and qualifier_field - dump_data: case ( object_type_field & 0xff00 ) of { - 0x3C00 -> dump_3c: empty &check( (object_type_field == 0x3C01 || object_type_field == 0x3C02 || object_type_field == 0x3C03 || object_type_field == 0x3C04) && ( qualifier_field == 0x06 ) ); - default -> dump_def: empty; + default -> unknown: bytestring &restofdata; }; } &let{ diff --git a/src/analyzer/protocol/dnp3/events.bif b/src/analyzer/protocol/dnp3/events.bif index abb735488e..34ea79ae1a 100644 --- a/src/analyzer/protocol/dnp3/events.bif +++ b/src/analyzer/protocol/dnp3/events.bif 
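Review bot: With `&check(0)` dropped from the `default -> unknown: bytestring &restofdata` case of `Object_Header`, a header whose range code is not one of the listed values now consumes the rest of the data with no indication that it was not understood. A short comment such as `# unknown range specifier: remaining bytes are skipped, not validated` would record that the leniency is deliberate. The removed `dump_data` case required qualifier `0x06` for all four group 60 variations, while the per-object checks kept in dnp3-objects.pac also allow `0x07` and `0x08` for `0x3C02` to `0x3C04`, so dropping it resolves that inconsistency; a comment saying the qualifier is validated per object would make that clear. `Object_Header` starts before this hunk.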
@@ -64,9 +64,6 @@ event dnp3_object_prefix%(c: connection, is_orig: bool, prefix_value: count%); ## ## is_orig: True if this reflects originator-side activity. ## -## start: the first two bytes of the DNP3 Pseudo Link Layer; its value is fixed -## as 0x0564. -## ## len: the "length" field in the DNP3 Pseudo Link Layer. ## ## ctrl: the "control" field in the DNP3 Pseudo Link Layer. @@ -75,7 +72,7 @@ event dnp3_object_prefix%(c: connection, is_orig: bool, prefix_value: count%); ## ## src_addr: the "source" field in the DNP3 Pseudo Link Layer. ## -event dnp3_header_block%(c: connection, is_orig: bool, start: count, len: count, ctrl: count, dest_addr: count, src_addr: count%); +event dnp3_header_block%(c: connection, is_orig: bool, len: count, ctrl: count, dest_addr: count, src_addr: count%); ## Generated for a DNP3 "Response_Data_Object". ## The "Response_Data_Object" contains two parts: object prefix and object diff --git a/src/analyzer/protocol/modbus/modbus-protocol.pac b/src/analyzer/protocol/modbus/modbus-protocol.pac index e5b92169b4..09c5c99249 100644 --- a/src/analyzer/protocol/modbus/modbus-protocol.pac +++ b/src/analyzer/protocol/modbus/modbus-protocol.pac @@ -186,7 +186,7 @@ type ReadDiscreteInputsResponse(header: ModbusTCP_TransportHeader) = record { # REQUEST FC=3 type ReadHoldingRegistersRequest(header: ModbusTCP_TransportHeader) = record { start_address: uint16; - quantity: uint16 &check(1 <= quantity && quantity <= 125); + quantity: uint16 &check(quantity <= 125); } &let { deliver: bool = $context.flow.deliver_ReadHoldingRegistersRequest(header, this); } &byteorder=bigendian; 
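Review bot: The lower bound on `quantity` in `ReadHoldingRegistersRequest` is dropped without a comment, as are the ones on `quantity` in `ReadInputRegistersRequest` and `byte_count` in `ReadFileRecordRequest` in the following hunks, so a later reader may take `&check(quantity <= 125)` for an oversight and restore `1 <=`. The commit message gives the reason (zero values occur in the test pcap and the server answers with an error), and that belongs next to the field, e.g. `# 0 is accepted on purpose: seen on the wire, the server replies with an error`. For `ReadFileRecordRequest`, a `byte_count` smaller than one `FileRecordRequest` now reaches the `&length=byte_count` array; how the generated parser handles a length shorter than one element is not visible here and is worth a test case.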
@@ -202,7 +202,7 @@ type ReadHoldingRegistersResponse(header: ModbusTCP_TransportHeader) = record { # REQUEST FC=4 type ReadInputRegistersRequest(header: ModbusTCP_TransportHeader) = record { start_address: uint16; - quantity: uint16 &check(1 <= quantity && quantity <= 125); + quantity: uint16 &check(quantity <= 125); } &let { deliver: bool = $context.flow.deliver_ReadInputRegistersRequest(header, this); } &byteorder=bigendian; @@ -295,7 +295,7 @@ type FileRecordRequest = record { # REQUEST FC=20 type ReadFileRecordRequest(header: ModbusTCP_TransportHeader) = record { - byte_count: uint8 &check(byte_count >= 0x07 && byte_count <= 0xF5); + byte_count: uint8 &check(byte_count <= 0xF5); references: FileRecordRequest[] &length=byte_count; } &let { deliver: bool = $context.flow.deliver_ReadFileRecordRequest(header, this); diff --git a/src/analyzer/protocol/smb/smb1-com-query-information.pac b/src/analyzer/protocol/smb/smb1-com-query-information.pac index f2215fadc2..4566d1ff74 100644 --- a/src/analyzer/protocol/smb/smb1-com-query-information.pac +++ b/src/analyzer/protocol/smb/smb1-com-query-information.pac @@ -34,7 +34,7 @@ type SMB1_query_information_response(header: SMB_Header) = record { last_write_time : SMB_time; file_size : uint32; reserved : uint16[5]; - byte_count : uint16 &check($element == 0); + byte_count : uint16; } &let { proc : bool = $context.connection.proc_smb1_query_information_response(header, this); }; diff --git a/src/analyzer/protocol/syslog/syslog-protocol.pac b/src/analyzer/protocol/syslog/syslog-protocol.pac index a2bf8a31da..5d97d0e16b 100644 --- a/src/analyzer/protocol/syslog/syslog-protocol.pac +++ b/src/analyzer/protocol/syslog/syslog-protocol.pac 
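Review bot: In `SMB1_query_information_response` (`@@ -34,7`), removing `&check($element == 0)` leaves `byte_count` entirely unvalidated instead of correcting the expression. `$element` looks like the wrong reference for a scalar field, but the invariant it aimed at is real: in this response the byte count is expected to be zero, and a non-zero value means trailing bytes that the record does not describe. I would either write the check against the field itself, `byte_count : uint16 &check(byte_count == 0);`, or leave a comment such as `# expected to be 0; a non-zero value is not validated here`.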
@@ -4,9 +4,9 @@ type Syslog_Message = record { } &byteorder = littleendian; type Syslog_Priority = record { - lt : uint8 &check(lt == "<"); + lt : uint8 &check(lt == 60); # '<' val : RE/[[:digit:]]+/; - gt : uint8 &check(gt == ">"); + gt : uint8 &check(gt == 62); # '>' } &let { val_length: int = sizeof(val) - 1; int_val: int = bytestring_to_int(val, 10); diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/output b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/output index 85c7c845f0..477a98f389 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/output +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/output @@ -1,6 +1,6 @@ -dnp3_header_block, T, 25605, 8, 196, 2, 3 +dnp3_header_block, T, 8, 196, 2, 3 dnp3_application_request_header, T, 196, 23 -dnp3_header_block, F, 25605, 16, 68, 3, 2 +dnp3_header_block, F, 16, 68, 3, 2 dnp3_application_response_header, F, 196, 129, 0 dnp3_object_header, F, 13314, 7, 1, 1, 0 dnp3_object_prefix, F, 0 diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/output b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/output index 53c6dc8700..57545988cf 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/output +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/output @@ -1,7 +1,7 @@ -dnp3_header_block, T, 25605, 17, 196, 2, 3 +dnp3_header_block, T, 17, 196, 2, 3 dnp3_application_request_header, T, 203, 20 dnp3_object_header, T, 15362, 6, 0, 65535, 65535 dnp3_object_header, T, 15363, 6, 0, 65535, 65535 dnp3_object_header, T, 15364, 6, 0, 65535, 65535 -dnp3_header_block, F, 25605, 10, 68, 3, 2 +dnp3_header_block, F, 10, 68, 3, 2 dnp3_application_response_header, F, 203, 129, 0 
diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/output b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/output index 9c63a41ae4..ef59d269b0 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/output +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/output @@ -1,8 +1,8 @@ -dnp3_header_block, T, 25605, 99, 196, 4, 3 +dnp3_header_block, T, 99, 196, 4, 3 dnp3_application_request_header, T, 201, 27 dnp3_object_header, T, 17923, 91, 1, 1, 0 dnp3_object_prefix, T, 85 -dnp3_header_block, F, 25605, 29, 68, 3, 4 +dnp3_header_block, F, 29, 68, 3, 4 dnp3_application_response_header, F, 201, 129, 0 dnp3_object_header, F, 17924, 91, 1, 1, 0 dnp3_object_prefix, F, 13 diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/output b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/output index f7cdc29b74..cc762c3625 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/output +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/output 
@@ -1,44 +1,44 @@ -dnp3_header_block, T, 25605, 50, 196, 4, 3 +dnp3_header_block, T, 50, 196, 4, 3 dnp3_application_request_header, T, 206, 25 dnp3_object_header, T, 17923, 91, 1, 1, 0 dnp3_object_prefix, T, 36 -dnp3_header_block, F, 25605, 29, 68, 3, 4 +dnp3_header_block, F, 29, 68, 3, 4 dnp3_application_response_header, F, 206, 129, 4096 dnp3_object_header, F, 17924, 91, 1, 1, 0 dnp3_object_prefix, F, 13 dnp3_response_data_object, F, 255 -dnp3_header_block, T, 25605, 22, 196, 4, 3 +dnp3_header_block, T, 22, 196, 4, 3 dnp3_application_request_header, T, 207, 1 dnp3_object_header, T, 17925, 91, 1, 1, 0 dnp3_object_prefix, T, 8 dnp3_file_transport, T, 305419896, 0 \x0a -dnp3_header_block, F, 25605, 255, 68, 3, 4 +dnp3_header_block, F, 255, 68, 3, 4 dnp3_application_response_header, F, 239, 129, 4096 dnp3_object_header, F, 17925, 91, 1, 1, 0 dnp3_object_prefix, F, 838 dnp3_file_transport, F, 305419896, 2147483648 0000 ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e .......\x0a0150 0d 0a 20 20 3c 21 2d 2d 44 6f 63 75 6d 65 6e 74 .. ^J
^J^J
^J^J^J^J^J^J^J^J^J^J^J
^J^J

^JPeople^J

^J^J^J
^J^J

^JPublications^J

^J^J^J

^JProjects ^J

^J^J^J^J
^J ^J

Research

^J   Transport and Congestion^J
    ^J
  • ^JDCCP^J(Datagram Congestion Control Protocol).^J
  • ^JECN^J(Explicit Congestion Notification).^J
  • ^J^JIntegrated services.^J
  • ^JRED ^Jqueue management, and^JRED-PD.^J
  • ^JHighSpeed TCP.^J
  • ^J^JTCP Implementation.^J
  • ^JReordering-Robust TCP ^J(RR-TCP).^J
  • TCP^JSACK ^J(Selective Acknowledgment).^J
  • ^JTFRC ^J(TCP-Friendly Rate Control).^J
^J^J   Traffic and Topology^J
    ^J
  • ^JIDMaps ^J(Internet Distance Mapping).^J
  • The ^JInternet Traffic Archive.^J
  • ^JMINC^J(Multicast-based Inference of Network-internal Characteristics).^J
  • ^JNIMI^J(N") -Event [1301452424.832570] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=1301452424.0315, duration=0.73563814163208, service={}, addl="%events-send-1", hot=0, history="ShADd"]F938"ational Internet Measurement Infrastructure).^J
^J^J

^J^JCollaborators^J

^J^J^J^J
^J
^J^J
^J

Information for visitors and local users.

^J
^JLast modified: June 2004. Copyright notice.^J^JOlder versions of this web page, in its ACIRI incarnation..^J
^JFor more information about this server, mail www@aciri.org. ^J
^JTo report unusual activity by any of our hosts, mail abuse@aciri.org.^J^J") -Event [1301452424.832570] http_end_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=1301452424.0315, duration=0.73563814163208, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F) -Event [1301452424.832570] http_message_done([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=1301452424.0315, duration=0.73563814163208, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F[start=1301452424.39883, interrupted=F, finish_msg="message ends normally", body_length=9130, content_gap_length=0, header_length=265]) -Event [1301452424.990539] net_done(1301452424.99054) -Event [1301452424.990539] bro_done() diff --git a/testing/btest/Baseline/istate.base/receiver.conn.log b/testing/btest/Baseline/istate.base/receiver.conn.log deleted file mode 100644 index 6827ed1fee..0000000000 --- a/testing/btest/Baseline/istate.base/receiver.conn.log +++ /dev/null @@ -1 +0,0 @@ -1301452418.931393 0.182433 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? REJ X diff --git a/testing/btest/Baseline/istate.base/receiver.http.log b/testing/btest/Baseline/istate.base/receiver.http.log deleted file mode 100644 index 74400b15d5..0000000000 --- a/testing/btest/Baseline/istate.base/receiver.http.log +++ /dev/null 
@@ -1,18 +0,0 @@ -1301452424.282557 %events-rcv-1 start 141.42.64.125:56730 > 125.190.109.199:80 -1301452424.284421 %events-rcv-1 > USER-AGENT: Wget/1.10 -1301452424.284421 %events-rcv-1 > ACCEPT: */* -1301452424.284421 %events-rcv-1 > HOST: www.icir.org -1301452424.284421 %events-rcv-1 > CONNECTION: Keep-Alive -1301452424.465561 %events-rcv-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT -1301452424.465561 %events-rcv-1 < SERVER: Apache/1.3.33 (Unix) -1301452424.465561 %events-rcv-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT -1301452424.465561 %events-rcv-1 < ETAG: "2c96c-23aa-4346a0e5" -1301452424.465561 %events-rcv-1 < ACCEPT-RANGES: bytes -1301452424.465561 %events-rcv-1 < CONTENT-LENGTH: 9130 -1301452424.465561 %events-rcv-1 < KEEP-ALIVE: timeout=15, max=100 -1301452424.465561 %events-rcv-1 < CONNECTION: Keep-Alive -1301452424.465561 %events-rcv-1 < CONTENT-TYPE: text/html -1301452424.648565 %events-rcv-1 <= 4096 bytes: "^J^J